From e2a1f1925cf3f903e28c4d8dba1ad027f0e7d531 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Tue, 16 Sep 2025 09:22:31 +0200
Subject: [PATCH 01/50] fix password reset grpc sending unparsed user agent
 (#1546)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Filip Ślęzak <fslezak@teonite.com>
---
 .../defguard_core/src/grpc/password_reset.rs  | 20 ++++++++++---------
 crates/defguard_core/src/grpc/utils.rs        |  3 ++-
 crates/defguard_core/src/handlers/mail.rs     |  8 ++++----
 crates/defguard_core/src/handlers/user.rs     |  4 ++--
 crates/defguard_core/src/headers.rs           |  3 ++-
 crates/defguard_core/templates/base.tera      |  2 +-
 6 files changed, 22 insertions(+), 18 deletions(-)

diff --git a/crates/defguard_core/src/grpc/password_reset.rs b/crates/defguard_core/src/grpc/password_reset.rs
index 6af863a8e8..0403857e59 100644
--- a/crates/defguard_core/src/grpc/password_reset.rs
+++ b/crates/defguard_core/src/grpc/password_reset.rs
@@ -18,6 +18,7 @@ use crate::{
         mail::{send_password_reset_email, send_password_reset_success_email},
         user::check_password_strength,
     },
+    headers::get_device_info,
     mail::Mail,
     server_config,
 };
@@ -99,13 +100,14 @@ impl PasswordResetServer {
         debug!("Starting password reset request");
 
         let ip_address;
-        let user_agent;
+        let device_info;
         if let Some(ref info) = req_device_info {
             ip_address = info.ip_address.clone();
-            user_agent = info.user_agent.clone().unwrap_or_default();
+            let agent = info.user_agent.clone().unwrap_or_default();
+            device_info = get_device_info(&agent);
         } else {
             ip_address = String::new();
-            user_agent = String::new();
+            device_info = String::new();
         }
 
         let email = request.email;
@@ -152,14 +154,13 @@ impl PasswordResetServer {
             error!("Failed to commit transaction");
             Status::internal("unexpected error")
         })?;
-
         send_password_reset_email(
             &user,
             &self.mail_tx,
             config.enrollment_url.clone(),
             &enrollment.id,
             Some(&ip_address),
-            Some(&user_agent),
+            Some(&device_info),
         )?;
 
         info!(
@@ -255,13 +256,14 @@ impl PasswordResetServer {
         let enrollment = self.validate_session(request.token.as_ref()).await?;
 
         let ip_address;
-        let user_agent;
+        let device_info;
         if let Some(ref info) = req_device_info {
             ip_address = info.ip_address.clone();
-            user_agent = info.user_agent.clone().unwrap_or_default();
+            let agent = info.user_agent.clone().unwrap_or_default();
+            device_info = get_device_info(&agent);
         } else {
             ip_address = String::new();
-            user_agent = String::new();
+            device_info = String::new();
         }
 
         if let Err(err) = check_password_strength(&request.password) {
@@ -302,7 +304,7 @@ impl PasswordResetServer {
             &user,
             &self.mail_tx,
             Some(&ip_address),
-            Some(&user_agent),
+            Some(&device_info),
         )?;
 
         // Prepare event context and push the event
diff --git a/crates/defguard_core/src/grpc/utils.rs b/crates/defguard_core/src/grpc/utils.rs
index 226abbb117..0e5772d574 100644
--- a/crates/defguard_core/src/grpc/utils.rs
+++ b/crates/defguard_core/src/grpc/utils.rs
@@ -216,6 +216,7 @@ pub(crate) fn parse_client_info(info: &Option<DeviceInfo>) -> Result<(IpAddr, St
         msg
     })?;
     let user_agent = info.user_agent.clone().unwrap_or_else(String::new);
+    let escaped_agent = tera::escape_html(&user_agent);
 
-    Ok((ip, user_agent))
+    Ok((ip, escaped_agent))
 }
diff --git a/crates/defguard_core/src/handlers/mail.rs b/crates/defguard_core/src/handlers/mail.rs
index 67aa52cddd..a50ff1989a 100644
--- a/crates/defguard_core/src/handlers/mail.rs
+++ b/crates/defguard_core/src/handlers/mail.rs
@@ -39,8 +39,8 @@ static EMAIL_MFA_CODE_EMAIL_SUBJECT: &str = "Your Multi-Factor Authentication Co
 static GATEWAY_DISCONNECTED: &str = "Defguard: Gateway disconnected";
 static GATEWAY_RECONNECTED: &str = "Defguard: Gateway reconnected";
 
-pub static EMAIL_PASSOWRD_RESET_START_SUBJECT: &str = "Defguard: Password reset";
-pub static EMAIL_PASSOWRD_RESET_SUCCESS_SUBJECT: &str = "Defguard: Password reset success";
+pub static EMAIL_PASSWORD_RESET_START_SUBJECT: &str = "Defguard: Password reset";
+pub static EMAIL_PASSWORD_RESET_SUCCESS_SUBJECT: &str = "Defguard: Password reset success";
 
 #[derive(Clone, Deserialize)]
 pub struct TestMail {
@@ -461,7 +461,7 @@ pub fn send_password_reset_email(
 
     let mail = Mail {
         to: user.email.clone(),
-        subject: EMAIL_PASSOWRD_RESET_START_SUBJECT.into(),
+        subject: EMAIL_PASSWORD_RESET_START_SUBJECT.into(),
         content: templates::email_password_reset_mail(service_url, token, ip_address, device_info)?,
         attachments: Vec::new(),
         result_tx: None,
@@ -491,7 +491,7 @@ pub fn send_password_reset_success_email(
 
     let mail = Mail {
         to: user.email.clone(),
-        subject: EMAIL_PASSOWRD_RESET_SUCCESS_SUBJECT.into(),
+        subject: EMAIL_PASSWORD_RESET_SUCCESS_SUBJECT.into(),
         content: templates::email_password_reset_success_mail(ip_address, device_info)?,
         attachments: Vec::new(),
         result_tx: None,
diff --git a/crates/defguard_core/src/handlers/user.rs b/crates/defguard_core/src/handlers/user.rs
index 909d109439..ecb90446e9 100644
--- a/crates/defguard_core/src/handlers/user.rs
+++ b/crates/defguard_core/src/handlers/user.rs
@@ -8,7 +8,7 @@ use serde_json::json;
 
 use super::{
     AddUserData, ApiResponse, ApiResult, PasswordChange, PasswordChangeSelf,
-    StartEnrollmentRequest, Username, mail::EMAIL_PASSOWRD_RESET_START_SUBJECT,
+    StartEnrollmentRequest, Username, mail::EMAIL_PASSWORD_RESET_START_SUBJECT,
     user_for_admin_or_self,
 };
 use crate::{
@@ -1086,7 +1086,7 @@ pub async fn reset_password(
 
         let mail = Mail {
             to: user.email.clone(),
-            subject: EMAIL_PASSOWRD_RESET_START_SUBJECT.into(),
+            subject: EMAIL_PASSWORD_RESET_START_SUBJECT.into(),
             content: templates::email_password_reset_mail(
                 config.enrollment_url.clone(),
                 enrollment.id.clone().as_str(),
diff --git a/crates/defguard_core/src/headers.rs b/crates/defguard_core/src/headers.rs
index c9b1bd796d..95c090a9b8 100644
--- a/crates/defguard_core/src/headers.rs
+++ b/crates/defguard_core/src/headers.rs
@@ -24,7 +24,8 @@ pub(crate) static USER_AGENT_PARSER: LazyLock<UserAgentParser> = LazyLock::new(|
 
 #[must_use]
 pub(crate) fn get_device_info(user_agent: &str) -> String {
-    let client = USER_AGENT_PARSER.parse(user_agent);
+    let escaped = tera::escape_html(user_agent);
+    let client = USER_AGENT_PARSER.parse(&escaped);
     get_user_agent_device(&client)
 }
 
diff --git a/crates/defguard_core/templates/base.tera b/crates/defguard_core/templates/base.tera
index 181fee1de2..10b0f07e41 100644
--- a/crates/defguard_core/templates/base.tera
+++ b/crates/defguard_core/templates/base.tera
@@ -261,7 +261,7 @@
                                     {% endif %}
                                     {% if device_type %}
                                       <p style="margin: auto;">
-                                        <span>Device type:</span> {{ device_type | safe }}
+                                        <span>Device type:</span> {{ device_type }}
                                       </p>
                                     {% endif %}
                                   </div>

From bdc6cabd94a171076cbb7962ddf003e70ac74733 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Wed, 17 Sep 2025 09:19:35 +0200
Subject: [PATCH 02/50] Fixes pentest issue DG25-10 from 2025-09-02 (#1579)

* validate phone number during enrollment
* also check phone numbers in core API endpoints
---
 crates/defguard_core/Cargo.toml             |  1 +
 crates/defguard_core/src/db/models/mod.rs   |  2 +-
 crates/defguard_core/src/grpc/enrollment.rs | 15 +++++++
 crates/defguard_core/src/handlers/user.rs   | 29 ++++++++++++-
 crates/defguard_core/src/lib.rs             | 45 ++++++++++++++++++++-
 5 files changed, 89 insertions(+), 3 deletions(-)

diff --git a/crates/defguard_core/Cargo.toml b/crates/defguard_core/Cargo.toml
index acd2a5d78c..10083cf94f 100644
--- a/crates/defguard_core/Cargo.toml
+++ b/crates/defguard_core/Cargo.toml
@@ -84,6 +84,7 @@ strum_macros = { workspace = true }
 bytes = { workspace = true }
 ed25519-dalek = { version = "2.2", features = ["rand_core"] }
 tower = "0.5"
+regex = "1.10"
 
 [dev-dependencies]
 bytes = "1.6"
diff --git a/crates/defguard_core/src/db/models/mod.rs b/crates/defguard_core/src/db/models/mod.rs
index 265c027f6b..083645bff4 100644
--- a/crates/defguard_core/src/db/models/mod.rs
+++ b/crates/defguard_core/src/db/models/mod.rs
@@ -143,7 +143,7 @@ impl UserInfo {
     ///
     /// Return `true` if groups were changed, `false` otherwise.
     pub(crate) async fn handle_user_groups(
-        &mut self,
+        &self,
         transaction: &mut PgConnection,
         user: &mut User<Id>,
     ) -> Result<GroupDiff, SqlxError> {
diff --git a/crates/defguard_core/src/grpc/enrollment.rs b/crates/defguard_core/src/grpc/enrollment.rs
index 4490c08582..743be635a4 100644
--- a/crates/defguard_core/src/grpc/enrollment.rs
+++ b/crates/defguard_core/src/grpc/enrollment.rs
@@ -48,6 +48,7 @@ use crate::{
         user::check_password_strength,
     },
     headers::get_device_info,
+    is_valid_phone_number,
     mail::Mail,
     server_config,
     templates::{self, TemplateLocation},
@@ -343,6 +344,19 @@ impl EnrollmentServer {
         Ok(())
     }
 
+    fn validate_activated_user(&self, request: &ActivateUserRequest) -> Result<(), Status> {
+        if let Some(ref phone_number) = request.phone_number {
+            if !is_valid_phone_number(phone_number) {
+                return Err(Status::new(
+                    tonic::Code::InvalidArgument,
+                    "invalid phone number",
+                ));
+            }
+        }
+
+        Ok(())
+    }
+
     #[instrument(skip_all)]
     pub async fn activate_user(
         &self,
@@ -351,6 +365,7 @@ impl EnrollmentServer {
     ) -> Result<(), Status> {
         debug!("Activating user account: {request:?}");
         let enrollment = self.validate_session(request.token.as_ref()).await?;
+        self.validate_activated_user(&request)?;
 
         let ip_address;
         let device_info;
diff --git a/crates/defguard_core/src/handlers/user.rs b/crates/defguard_core/src/handlers/user.rs
index ecb90446e9..785bb46d74 100644
--- a/crates/defguard_core/src/handlers/user.rs
+++ b/crates/defguard_core/src/handlers/user.rs
@@ -31,6 +31,7 @@ use crate::{
     },
     error::WebError,
     events::{ApiEvent, ApiEventType, ApiRequestContext},
+    is_valid_phone_number,
     mail::Mail,
     server_config, templates,
 };
@@ -280,6 +281,7 @@ pub async fn add_user(
             status: StatusCode::BAD_REQUEST,
         });
     }
+
     // check if email doesn't already exist
     if User::find_by_email(&appstate.pool, &user_data.email)
         .await?
@@ -291,6 +293,18 @@ pub async fn add_user(
             status: StatusCode::BAD_REQUEST,
         });
     }
+
+    // check phone number
+    if let Some(ref phone) = user_data.phone {
+        if !is_valid_phone_number(phone) {
+            debug!("Invalid phone number for new user {username}: {phone}");
+            return Ok(ApiResponse {
+                json: json!({}),
+                status: StatusCode::BAD_REQUEST,
+            });
+        }
+    }
+
     let password = match &user_data.password {
         Some(password) => {
             // check password strength
@@ -645,11 +659,12 @@ pub async fn modify_user(
     context: ApiRequestContext,
     State(appstate): State<AppState>,
     Path(username): Path<String>,
-    Json(mut user_info): Json<UserInfo>,
+    Json(user_info): Json<UserInfo>,
 ) -> ApiResult {
     debug!("User {} updating user {username}", session.user.username);
     let mut user = user_for_admin_or_self(&appstate.pool, &session, &username).await?;
     let groups_before = UserInfo::from_user(&appstate.pool, &user).await?.groups;
+
     // store user before mods
     let before = user.clone();
     let old_username = user.username.clone();
@@ -660,6 +675,18 @@ pub async fn modify_user(
             status: StatusCode::BAD_REQUEST,
         });
     }
+
+    // check phone number
+    if let Some(ref phone) = user_info.phone {
+        if !is_valid_phone_number(phone) {
+            debug!("Invalid phone number for user {username}: {phone}");
+            return Ok(ApiResponse {
+                json: json!({}),
+                status: StatusCode::BAD_REQUEST,
+            });
+        }
+    }
+
     let status_changing = user_info.is_active != user.is_active;
 
     let mut transaction = appstate.pool.begin().await?;
diff --git a/crates/defguard_core/src/lib.rs b/crates/defguard_core/src/lib.rs
index 68f82136ff..f6abd4ca90 100644
--- a/crates/defguard_core/src/lib.rs
+++ b/crates/defguard_core/src/lib.rs
@@ -3,7 +3,7 @@
 #![allow(clippy::result_large_err)]
 use std::{
     net::{IpAddr, Ipv4Addr, SocketAddr},
-    sync::{Arc, Mutex, OnceLock, RwLock},
+    sync::{Arc, LazyLock, Mutex, OnceLock, RwLock},
 };
 
 use crate::version::IncompatibleComponents;
@@ -60,6 +60,7 @@ use handlers::{
     yubikey::{delete_yubikey, rename_yubikey},
 };
 use ipnetwork::IpNetwork;
+use regex::Regex;
 use secrecy::ExposeSecret;
 use semver::Version;
 use sqlx::PgPool;
@@ -193,6 +194,11 @@ pub(crate) fn server_config() -> &'static DefGuardConfig {
         .expect("Server configuration not set yet")
 }
 
+static PHONE_NUMBER_REGEX: LazyLock<Regex> = LazyLock::new(|| {
+    Regex::new(r"^(\+?\d{1,3}\s?)?(\(\d{1,3}\)|\d{1,3})[-\s]?\d{1,4}[-\s]?\d{1,4}?$")
+        .expect("Failed to parse phone number regex")
+});
+
 // WireGuard key length in bytes.
 pub(crate) const KEY_LENGTH: usize = 32;
 
@@ -964,3 +970,40 @@ where
             .join(",")
     }
 }
+
+pub(crate) fn is_valid_phone_number(number: &str) -> bool {
+    PHONE_NUMBER_REGEX.is_match(number)
+}
+
+#[cfg(test)]
+mod test {
+
+    use super::is_valid_phone_number;
+
+    #[test]
+    fn test_is_valid_phone_number_dg25_10() {
+        let valid_numbers = &[
+            "+48 (91) 123-456",
+            "123 456 7890",
+            "+1 (202) 555-0173",
+            "91-1234-5678",
+            "(22) 567 890",
+        ];
+        for number in valid_numbers {
+            assert!(is_valid_phone_number(number));
+        }
+
+        let invalid_numbers = &[
+            "4*4",
+            "+48  123456789",
+            "123-456-789-0000",
+            "(+48) 123 456",
+            "202.555.0173",
+            "(12345) 6789",
+            "+48 (91) 123-456 000 111",
+        ];
+        for number in invalid_numbers {
+            assert!(!is_valid_phone_number(number));
+        }
+    }
+}

From 8f96c05e8bdaf7d750e81fad5da3f060401445f2 Mon Sep 17 00:00:00 2001
From: Adam <adam@defguard.net>
Date: Wed, 17 Sep 2025 11:30:49 +0200
Subject: [PATCH 03/50] Do not display sensitive data from protos (#1580)

---
 Cargo.lock                                    | 218 +++++++++++-------
 crates/defguard/src/main.rs                   |   2 +-
 crates/defguard_core/build.rs                 |  18 +-
 crates/defguard_core/src/auth/mod.rs          |   7 +-
 crates/defguard_core/src/grpc/enrollment.rs   |   5 +-
 crates/defguard_core/src/grpc/mod.rs          |   8 +-
 .../defguard_core/src/grpc/password_reset.rs  |   2 +-
 crates/defguard_core/src/version.rs           |   4 +-
 8 files changed, 162 insertions(+), 102 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 57464586f5..f4c4ff4e17 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -569,9 +569,9 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.2.36"
+version = "1.2.37"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5252b3d2648e5eedbc1a6f501e3c795e07025c1e93bbf8bbdd6eef7f447a6d54"
+checksum = "65193589c6404eb80b450d618eaf9a2cafaaafd57ecce47370519ef674a7bd44"
 dependencies = [
  "find-msvc-tools",
  "jobserver",
@@ -1765,7 +1765,7 @@ dependencies = [
  "js-sys",
  "libc",
  "r-efi",
- "wasi 0.14.5+wasi-0.2.4",
+ "wasi 0.14.7+wasi-0.2.4",
  "wasm-bindgen",
 ]
 
@@ -1845,7 +1845,7 @@ dependencies = [
  "futures-core",
  "futures-sink",
  "http",
- "indexmap 2.11.1",
+ "indexmap 2.11.3",
  "slab",
  "tokio",
  "tokio-util",
@@ -2031,9 +2031,9 @@ dependencies = [
 
 [[package]]
 name = "humantime"
-version = "2.2.0"
+version = "2.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9b112acc8b3adf4b107a8ec20977da0273a8c386765a3ec0229bd500a1443f9f"
+checksum = "135b12329e5e3ce057a9f972339ea52bc954fe1e9358ef27f95e89716fbc5424"
 
 [[package]]
 name = "hyper"
@@ -2106,9 +2106,9 @@ dependencies = [
 
 [[package]]
 name = "hyper-util"
-version = "0.1.16"
+version = "0.1.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8d9b05277c7e8da2c93a568989bb6207bef0112e8d17df7a6eda4a3cf143bc5e"
+checksum = "3c6995591a8f1380fcb4ba966a252a4b29188d51d2b89e3a252f5305be65aea8"
 dependencies = [
  "base64 0.22.1",
  "bytes",
@@ -2132,9 +2132,9 @@ dependencies = [
 
 [[package]]
 name = "iana-time-zone"
-version = "0.1.63"
+version = "0.1.64"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b0c919e5debc312ad217002b8048a17b7d83f80703865bbfcfebb0458b0b27d8"
+checksum = "33e57f83510bb73707521ebaffa789ec8caf86f9657cad665b092b581d40e9fb"
 dependencies = [
  "android_system_properties",
  "core-foundation-sys",
@@ -2305,13 +2305,14 @@ dependencies = [
 
 [[package]]
 name = "indexmap"
-version = "2.11.1"
+version = "2.11.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "206a8042aec68fa4a62e8d3f7aa4ceb508177d9324faf261e1959e495b7a1921"
+checksum = "92119844f513ffa41556430369ab02c295a3578af21cf945caa3e9e0c2481ac3"
 dependencies = [
  "equivalent",
  "hashbrown 0.15.5",
  "serde",
+ "serde_core",
 ]
 
 [[package]]
@@ -2401,9 +2402,9 @@ dependencies = [
 
 [[package]]
 name = "js-sys"
-version = "0.3.78"
+version = "0.3.79"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c0b063578492ceec17683ef2f8c5e89121fbd0b172cbc280635ab7567db2738"
+checksum = "6247da8b8658ad4e73a186e747fcc5fc2a29f979d6fe6269127fdb5fd08298d0"
 dependencies = [
  "once_cell",
  "wasm-bindgen",
@@ -2561,9 +2562,9 @@ checksum = "f9fbbcab51052fe104eb5e5d351cf728d30a5be1fe14d9be8a3b097481fb97de"
 
 [[package]]
 name = "libredox"
-version = "0.1.9"
+version = "0.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "391290121bad3d37fbddad76d8f5d1c1c314cfc646d143d7e07a3086ddff0ce3"
+checksum = "416f7e718bdb06000964960ffa43b4335ad4012ae8b99060261aa4a8088d5ccb"
 dependencies = [
  "bitflags 2.9.4",
  "libc",
@@ -3211,9 +3212,9 @@ checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"
 
 [[package]]
 name = "pest"
-version = "2.8.1"
+version = "2.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1db05f56d34358a8b1066f67cbb203ee3e7ed2ba674a6263a1d5ec6db2204323"
+checksum = "21e0a3a33733faeaf8651dfee72dd0f388f0c8e5ad496a3478fa5a922f49cfa8"
 dependencies = [
  "memchr",
  "thiserror 2.0.16",
@@ -3222,9 +3223,9 @@ dependencies = [
 
 [[package]]
 name = "pest_derive"
-version = "2.8.1"
+version = "2.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bb056d9e8ea77922845ec74a1c4e8fb17e7c218cc4fc11a15c5d25e189aa40bc"
+checksum = "bc58706f770acb1dbd0973e6530a3cff4746fb721207feb3a8a6064cd0b6c663"
 dependencies = [
  "pest",
  "pest_generator",
@@ -3232,9 +3233,9 @@ dependencies = [
 
 [[package]]
 name = "pest_generator"
-version = "2.8.1"
+version = "2.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87e404e638f781eb3202dc82db6760c8ae8a1eeef7fb3fa8264b2ef280504966"
+checksum = "6d4f36811dfe07f7b8573462465d5cb8965fffc2e71ae377a33aecf14c2c9a2f"
 dependencies = [
  "pest",
  "pest_meta",
@@ -3245,9 +3246,9 @@ dependencies = [
 
 [[package]]
 name = "pest_meta"
-version = "2.8.1"
+version = "2.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "edd1101f170f5903fde0914f899bb503d9ff5271d7ba76bbb70bea63690cc0d5"
+checksum = "42919b05089acbd0a5dcd5405fb304d17d1053847b81163d09c4ad18ce8e8420"
 dependencies = [
  "pest",
  "sha2",
@@ -3260,7 +3261,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3672b37090dbd86368a4145bc067582552b29c27377cad4e0a306c97f9bd7772"
 dependencies = [
  "fixedbitset",
- "indexmap 2.11.1",
+ "indexmap 2.11.3",
 ]
 
 [[package]]
@@ -3430,12 +3431,12 @@ checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"
 
 [[package]]
 name = "plist"
-version = "1.7.4"
+version = "1.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3af6b589e163c5a788fab00ce0c0366f6efbb9959c2f9874b224936af7fce7e1"
+checksum = "740ebea15c5d1428f910cd1a5f52cebf8d25006245ed8ade92702f4943d91e07"
 dependencies = [
  "base64 0.22.1",
- "indexmap 2.11.1",
+ "indexmap 2.11.3",
  "quick-xml",
  "serde",
  "time",
@@ -3498,9 +3499,9 @@ dependencies = [
 
 [[package]]
 name = "proc-macro-crate"
-version = "3.3.0"
+version = "3.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "edce586971a4dfaa28950c6f18ed55e0406c1ab88bbce2c6f6293a7aaba73d35"
+checksum = "219cb19e96be00ab2e37d6e299658a0cfa83e52429179969b0f0121b4ac46983"
 dependencies = [
  "toml_edit",
 ]
@@ -4061,9 +4062,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-webpki"
-version = "0.103.4"
+version = "0.103.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0a17884ae0c1b773f1ccd2bd4a8c72f16da897310a98b0e84bf349ad5ead92fc"
+checksum = "8572f3c2cb9934231157b45499fc41e1f58c589fdfb81a844ba873265e80f8eb"
 dependencies = [
  "ring",
  "rustls-pki-types",
@@ -4193,19 +4194,21 @@ dependencies = [
 
 [[package]]
 name = "semver"
-version = "1.0.26"
+version = "1.0.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "56e6fa9c48d24d85fb3de5ad847117517440f6beceb7798af16b4a87d616b8d0"
+checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"
 dependencies = [
  "serde",
+ "serde_core",
 ]
 
 [[package]]
 name = "serde"
-version = "1.0.219"
+version = "1.0.225"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5f0e2c6ed6606019b4e29e69dbaba95b11854410e5347d525002456dbbb786b6"
+checksum = "fd6c24dee235d0da097043389623fb913daddf92c76e9f5a1db88607a0bcbd1d"
 dependencies = [
+ "serde_core",
  "serde_derive",
 ]
 
@@ -4221,11 +4224,12 @@ dependencies = [
 
 [[package]]
 name = "serde_bytes"
-version = "0.11.17"
+version = "0.11.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8437fd221bde2d4ca316d61b90e337e9e702b3820b87d63caa9ba6c02bd06d96"
+checksum = "a5d440709e79d88e51ac01c4b72fc6cb7314017bb7da9eeff678aa94c10e3ea8"
 dependencies = [
  "serde",
+ "serde_core",
 ]
 
 [[package]]
@@ -4238,11 +4242,20 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "serde_core"
+version = "1.0.225"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "659356f9a0cb1e529b24c01e43ad2bdf520ec4ceaf83047b83ddcc2251f96383"
+dependencies = [
+ "serde_derive",
+]
+
 [[package]]
 name = "serde_derive"
-version = "1.0.219"
+version = "1.0.225"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5b0276cf7f2c73365f7157c8123c21cd9a50fbbd844757af28ca1f5925fc2a00"
+checksum = "0ea936adf78b1f766949a4977b91d2f5595825bd6ec079aa9543ad2685fc4516"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -4251,37 +4264,39 @@ dependencies = [
 
 [[package]]
 name = "serde_html_form"
-version = "0.2.7"
+version = "0.2.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d2de91cf02bbc07cde38891769ccd5d4f073d22a40683aa4bc7a95781aaa2c4"
+checksum = "b2f2d7ff8a2140333718bb329f5c40fc5f0865b84c426183ce14c97d2ab8154f"
 dependencies = [
  "form_urlencoded",
- "indexmap 2.11.1",
+ "indexmap 2.11.3",
  "itoa",
  "ryu",
- "serde",
+ "serde_core",
 ]
 
 [[package]]
 name = "serde_json"
-version = "1.0.143"
+version = "1.0.145"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d401abef1d108fbd9cbaebc3e46611f4b1021f714a0597a71f41ee463f5f4a5a"
+checksum = "402a6f66d8c709116cf22f558eab210f5a50187f702eb4d7e5ef38d9a7f1c79c"
 dependencies = [
  "itoa",
  "memchr",
  "ryu",
  "serde",
+ "serde_core",
 ]
 
 [[package]]
 name = "serde_path_to_error"
-version = "0.1.17"
+version = "0.1.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "59fab13f937fa393d08645bf3a84bdfe86e296747b506ada67bb15f10f218b2a"
+checksum = "10a9ff822e371bb5403e391ecd83e182e0e77ba7f6fe0160b795797109d1b457"
 dependencies = [
  "itoa",
  "serde",
+ "serde_core",
 ]
 
 [[package]]
@@ -4326,7 +4341,7 @@ dependencies = [
  "chrono",
  "hex",
  "indexmap 1.9.3",
- "indexmap 2.11.1",
+ "indexmap 2.11.3",
  "schemars 0.9.0",
  "schemars 1.0.4",
  "serde",
@@ -4354,7 +4369,7 @@ version = "0.9.34+deprecated"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
 dependencies = [
- "indexmap 2.11.1",
+ "indexmap 2.11.3",
  "itoa",
  "ryu",
  "serde",
@@ -4604,7 +4619,7 @@ dependencies = [
  "futures-util",
  "hashbrown 0.15.5",
  "hashlink",
- "indexmap 2.11.1",
+ "indexmap 2.11.3",
  "ipnetwork",
  "log",
  "memchr",
@@ -5180,18 +5195,31 @@ dependencies = [
 
 [[package]]
 name = "toml_datetime"
-version = "0.6.11"
+version = "0.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22cddaf88f4fbc13c51aebbf5f8eceb5c7c5a9da2ac40a13519eb5b0a0e8f11c"
+checksum = "a197c0ec7d131bfc6f7e82c8442ba1595aeab35da7adbf05b6b73cd06a16b6be"
+dependencies = [
+ "serde_core",
+]
 
 [[package]]
 name = "toml_edit"
-version = "0.22.27"
+version = "0.23.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "41fe8c660ae4257887cf66394862d21dbca4a6ddd26f04a3560410406a2f819a"
+checksum = "c2ad0b7ae9cfeef5605163839cb9221f453399f15cfb5c10be9885fcf56611f9"
 dependencies = [
- "indexmap 2.11.1",
+ "indexmap 2.11.3",
  "toml_datetime",
+ "toml_parser",
+ "winnow",
+]
+
+[[package]]
+name = "toml_parser"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b551886f449aa90d4fe2bdaa9f4a2577ad2dde302c61ecf262d80b116db95c10"
+dependencies = [
  "winnow",
 ]
 
@@ -5299,7 +5327,7 @@ checksum = "d039ad9159c98b70ecfd540b2573b97f7f52c3e8d9f8ad57a24b916a536975f9"
 dependencies = [
  "futures-core",
  "futures-util",
- "indexmap 2.11.1",
+ "indexmap 2.11.3",
  "pin-project-lite",
  "slab",
  "sync_wrapper",
@@ -5617,7 +5645,7 @@ version = "5.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2fcc29c80c21c31608227e0912b2d7fddba57ad76b606890627ba8ee7964e993"
 dependencies = [
- "indexmap 2.11.1",
+ "indexmap 2.11.3",
  "serde",
  "serde_json",
  "utoipa-gen",
@@ -5757,18 +5785,18 @@ checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b"
 
 [[package]]
 name = "wasi"
-version = "0.14.5+wasi-0.2.4"
+version = "0.14.7+wasi-0.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a4494f6290a82f5fe584817a676a34b9d6763e8d9d18204009fb31dceca98fd4"
+checksum = "883478de20367e224c0090af9cf5f9fa85bed63a95c1abf3afc5c083ebc06e8c"
 dependencies = [
  "wasip2",
 ]
 
 [[package]]
 name = "wasip2"
-version = "1.0.0+wasi-0.2.4"
+version = "1.0.1+wasi-0.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "03fa2761397e5bd52002cd7e73110c71af2109aca4e521a9f40473fe685b0a24"
+checksum = "0562428422c63773dad2c345a1882263bbf4d65cf3f42e90921f787ef5ad58e7"
 dependencies = [
  "wit-bindgen",
 ]
@@ -5781,9 +5809,9 @@ checksum = "b8dad83b4f25e74f184f64c43b150b91efe7647395b42289f38e50566d82855b"
 
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.101"
+version = "0.2.102"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7e14915cadd45b529bb8d1f343c4ed0ac1de926144b746e2710f9cd05df6603b"
+checksum = "4ad224d2776649cfb4f4471124f8176e54c1cca67a88108e30a0cd98b90e7ad3"
 dependencies = [
  "cfg-if",
  "once_cell",
@@ -5794,9 +5822,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-backend"
-version = "0.2.101"
+version = "0.2.102"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e28d1ba982ca7923fd01448d5c30c6864d0a14109560296a162f80f305fb93bb"
+checksum = "3a1364104bdcd3c03f22b16a3b1c9620891469f5e9f09bc38b2db121e593e732"
 dependencies = [
  "bumpalo",
  "log",
@@ -5808,9 +5836,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-futures"
-version = "0.4.51"
+version = "0.4.52"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0ca85039a9b469b38336411d6d6ced91f3fc87109a2a27b0c197663f5144dffe"
+checksum = "9c0a08ecf5d99d5604a6666a70b3cde6ab7cc6142f5e641a8ef48fc744ce8854"
 dependencies = [
  "cfg-if",
  "js-sys",
@@ -5821,9 +5849,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.101"
+version = "0.2.102"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7c3d463ae3eff775b0c45df9da45d68837702ac35af998361e2c84e7c5ec1b0d"
+checksum = "0d7ab4ca3e367bb1ed84ddbd83cc6e41e115f8337ed047239578210214e36c76"
 dependencies = [
  "quote",
  "wasm-bindgen-macro-support",
@@ -5831,9 +5859,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.101"
+version = "0.2.102"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7bb4ce89b08211f923caf51d527662b75bdc9c9c7aab40f86dcb9fb85ac552aa"
+checksum = "4a518014843a19e2dbbd0ed5dfb6b99b23fb886b14e6192a00803a3e14c552b0"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -5844,9 +5872,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.101"
+version = "0.2.102"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f143854a3b13752c6950862c906306adb27c7e839f7414cec8fea35beab624c1"
+checksum = "255eb0aa4cc2eea3662a00c2bbd66e93911b7361d5e0fcd62385acfd7e15dcee"
 dependencies = [
  "unicode-ident",
 ]
@@ -5866,9 +5894,9 @@ dependencies = [
 
 [[package]]
 name = "web-sys"
-version = "0.3.78"
+version = "0.3.79"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "77e4b637749ff0d92b8fad63aa1f7cff3cbe125fd49c175cd6345e7272638b12"
+checksum = "50462a022f46851b81d5441d1a6f5bac0b21a1d72d64bd4906fbdd4bf7230ec7"
 dependencies = [
  "js-sys",
  "wasm-bindgen",
@@ -6015,15 +6043,15 @@ dependencies = [
 
 [[package]]
 name = "windows-core"
-version = "0.61.2"
+version = "0.62.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c0fdd3ddb90610c7638aa2b3a3ab2904fb9e5cdbecc643ddb3647212781c4ae3"
+checksum = "57fe7168f7de578d2d8a05b07fd61870d2e73b4020e9f49aa00da8471723497c"
 dependencies = [
  "windows-implement",
  "windows-interface",
- "windows-link 0.1.3",
- "windows-result",
- "windows-strings",
+ "windows-link 0.2.0",
+ "windows-result 0.4.0",
+ "windows-strings 0.5.0",
 ]
 
 [[package]]
@@ -6067,8 +6095,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5b8a9ed28765efc97bbc954883f4e6796c33a06546ebafacbabee9696967499e"
 dependencies = [
  "windows-link 0.1.3",
- "windows-result",
- "windows-strings",
+ "windows-result 0.3.4",
+ "windows-strings 0.4.2",
 ]
 
 [[package]]
@@ -6080,6 +6108,15 @@ dependencies = [
  "windows-link 0.1.3",
 ]
 
+[[package]]
+name = "windows-result"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7084dcc306f89883455a206237404d3eaf961e5bd7e0f312f7c91f57eb44167f"
+dependencies = [
+ "windows-link 0.2.0",
+]
+
 [[package]]
 name = "windows-strings"
 version = "0.4.2"
@@ -6089,6 +6126,15 @@ dependencies = [
  "windows-link 0.1.3",
 ]
 
+[[package]]
+name = "windows-strings"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7218c655a553b0bed4426cf54b20d7ba363ef543b52d515b3e48d7fd55318dda"
+dependencies = [
+ "windows-link 0.2.0",
+]
+
 [[package]]
 name = "windows-sys"
 version = "0.48.0"
@@ -6331,9 +6377,9 @@ dependencies = [
 
 [[package]]
 name = "wit-bindgen"
-version = "0.45.1"
+version = "0.46.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c573471f125075647d03df72e026074b7203790d41351cd6edc96f46bcccd36"
+checksum = "f17a85883d4e6d00e8a97c586de764dabcc06133f7f1d55dce5cdc070ad7fe59"
 
 [[package]]
 name = "writeable"
@@ -6515,7 +6561,7 @@ dependencies = [
  "arbitrary",
  "crc32fast",
  "flate2",
- "indexmap 2.11.1",
+ "indexmap 2.11.3",
  "memchr",
  "zopfli",
 ]
diff --git a/crates/defguard/src/main.rs b/crates/defguard/src/main.rs
index 84a176a73d..d59c944b97 100644
--- a/crates/defguard/src/main.rs
+++ b/crates/defguard/src/main.rs
@@ -109,7 +109,7 @@ async fn main() -> Result<(), anyhow::Error> {
     let gateway_state = Arc::new(Mutex::new(GatewayMap::new()));
     let client_state = Arc::new(Mutex::new(ClientMap::new()));
 
-    let incompatible_components: Arc<RwLock<IncompatibleComponents>> = Default::default();
+    let incompatible_components: Arc<RwLock<IncompatibleComponents>> = Arc::default();
 
     // initialize admin user
     User::init_admin_user(&pool, config.default_admin_password.expose_secret()).await?;
diff --git a/crates/defguard_core/build.rs b/crates/defguard_core/build.rs
index a4c2030a96..9551d43add 100644
--- a/crates/defguard_core/build.rs
+++ b/crates/defguard_core/build.rs
@@ -6,9 +6,25 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
     Emitter::default().add_instructions(&git2)?.emit()?;
 
     tonic_prost_build::configure()
+        // These types contain sensitive data.
+        .skip_debug([
+            "ActivateUserRequest",
+            "AuthInfoResponse",
+            "AuthenticateRequest",
+            "AuthenticateResponse",
+            "ClientMfaFinishResponse",
+            "CodeMfaSetupStartResponse",
+            "CodeMfaSetupFinishResponse",
+            "CoreRequest",
+            "CoreResponse",
+            "DeviceConfigResponse",
+            "InstanceInfoResponse",
+            "NewDevice",
+            "PasswordResetRequest",
+        ])
         .protoc_arg("--experimental_allow_proto3_optional")
         .type_attribute(
-            "license.LicenseLimits",
+            "LicenseLimits",
             "#[derive(serde::Serialize, serde::Deserialize)]",
         )
         .compile_protos(
diff --git a/crates/defguard_core/src/auth/mod.rs b/crates/defguard_core/src/auth/mod.rs
index b0fd990e20..41b01e2fd4 100644
--- a/crates/defguard_core/src/auth/mod.rs
+++ b/crates/defguard_core/src/auth/mod.rs
@@ -422,11 +422,10 @@ where
                                         &client,
                                         &oauth2token,
                                     )));
-                                } else {
-                                    return Err(WebError::Authorization(
-                                        "OAuth2 client not found".into(),
-                                    ));
                                 }
+                                return Err(WebError::Authorization(
+                                    "OAuth2 client not found".into(),
+                                ));
                             }
                         }
                         Ok(None) => {
diff --git a/crates/defguard_core/src/grpc/enrollment.rs b/crates/defguard_core/src/grpc/enrollment.rs
index 743be635a4..3947b1dc66 100644
--- a/crates/defguard_core/src/grpc/enrollment.rs
+++ b/crates/defguard_core/src/grpc/enrollment.rs
@@ -363,7 +363,7 @@ impl EnrollmentServer {
         request: ActivateUserRequest,
         req_device_info: Option<super::proto::proxy::DeviceInfo>,
     ) -> Result<(), Status> {
-        debug!("Activating user account: {request:?}");
+        debug!("Activating user account");
         let enrollment = self.validate_session(request.token.as_ref()).await?;
         self.validate_activated_user(&request)?;
 
@@ -486,7 +486,7 @@ impl EnrollmentServer {
         request: NewDevice,
         req_device_info: Option<super::proto::proxy::DeviceInfo>,
     ) -> Result<DeviceConfigResponse, Status> {
-        debug!("Adding new user device: {request:?}");
+        debug!("Adding new user device");
         let enrollment_token = self.validate_session(request.token.as_ref()).await?;
 
         // fetch related users
@@ -855,7 +855,6 @@ impl EnrollmentServer {
             ),
             token: Some(token.token),
         };
-        debug!("{response:?}.");
 
         // Prepare event context and push the event
         let (ip, user_agent) = parse_client_info(&req_device_info).map_err(Status::internal)?;
diff --git a/crates/defguard_core/src/grpc/mod.rs b/crates/defguard_core/src/grpc/mod.rs
index c414f078f3..cf32efd637 100644
--- a/crates/defguard_core/src/grpc/mod.rs
+++ b/crates/defguard_core/src/grpc/mod.rs
@@ -162,8 +162,7 @@ async fn handle_proxy_message_loop(
                 break 'message;
             }
             Ok(Some(received)) => {
-                info!("Received message from proxy.");
-                debug!("Received the following message from proxy: {received:?}");
+                debug!("Received message from proxy; ID={}", received.id);
                 let payload = match received.payload {
                     // rpc CodeMfaSetupStart return (CodeMfaSetupStartResponse)
                     Some(core_request::Payload::CodeMfaSetupStart(request)) => {
@@ -192,7 +191,7 @@ async fn handle_proxy_message_loop(
                                 Some(core_response::Payload::CodeMfaSetupFinishResponse(response))
                             }
                             Err(err) => {
-                                error!("Register mfa finish error {err}");
+                                error!("Register MFA finish error {err}");
                                 Some(core_response::Payload::CoreError(err.into()))
                             }
                         }
@@ -650,9 +649,8 @@ pub async fn run_grpc_bidi_stream(
             // Sleep before trying to reconnect
             sleep(TEN_SECS).await;
             continue;
-        } else {
-            IncompatibleComponents::remove_proxy(&incompatible_components);
         }
+        IncompatibleComponents::remove_proxy(&incompatible_components);
 
         info!("Connected to proxy at {}", endpoint.uri());
         let mut resp_stream = response.into_inner();
diff --git a/crates/defguard_core/src/grpc/password_reset.rs b/crates/defguard_core/src/grpc/password_reset.rs
index 0403857e59..69e2a9b555 100644
--- a/crates/defguard_core/src/grpc/password_reset.rs
+++ b/crates/defguard_core/src/grpc/password_reset.rs
@@ -252,7 +252,7 @@ impl PasswordResetServer {
         request: PasswordResetRequest,
         req_device_info: Option<DeviceInfo>,
     ) -> Result<(), Status> {
-        debug!("Starting password reset: {request:?}");
+        debug!("Starting password reset");
         let enrollment = self.validate_session(request.token.as_ref()).await?;
 
         let ip_address;
diff --git a/crates/defguard_core/src/version.rs b/crates/defguard_core/src/version.rs
index c4eda787d1..5285e2e2eb 100644
--- a/crates/defguard_core/src/version.rs
+++ b/crates/defguard_core/src/version.rs
@@ -229,6 +229,7 @@ impl Hash for IncompatibleGatewayData {
 }
 
 impl IncompatibleGatewayData {
+    #[must_use]
     pub fn new(
         version: Option<Version>,
         hostname: Option<String>,
@@ -238,8 +239,8 @@ impl IncompatibleGatewayData {
         Self {
             version,
             hostname,
-            created,
             network_id,
+            created,
         }
     }
 
@@ -276,6 +277,7 @@ impl PartialEq for IncompatibleProxyData {
 impl Eq for IncompatibleProxyData {}
 
 impl IncompatibleProxyData {
+    #[must_use]
     pub fn new(version: Option<Version>) -> Self {
         let created = Utc::now().naive_utc();
         Self { version, created }

From 99e451e99cd2c855c9ddd124afe2f94ac421146f Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Wed, 17 Sep 2025 14:27:36 +0200
Subject: [PATCH 04/50] Don't send empty strings when phone number is not
 provided (#1583)

* don't send empty strings when phone number is not providecleand
* use zod trim() instead of trimObjectStrings helper
---
 .../ProfileDetailsForm/ProfileDetailsForm.tsx |  7 +++---
 .../components/AddUserForm/AddUserForm.tsx    | 23 ++++++++++---------
 2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/web/src/pages/users/UserProfile/ProfileDetails/ProfileDetailsForm/ProfileDetailsForm.tsx b/web/src/pages/users/UserProfile/ProfileDetails/ProfileDetailsForm/ProfileDetailsForm.tsx
index eb84d88e64..16e3ad5242 100644
--- a/web/src/pages/users/UserProfile/ProfileDetails/ProfileDetailsForm/ProfileDetailsForm.tsx
+++ b/web/src/pages/users/UserProfile/ProfileDetails/ProfileDetailsForm/ProfileDetailsForm.tsx
@@ -34,8 +34,8 @@ import { QueryKeys } from '../../../../../shared/queries';
 import type { OAuth2AuthorizedApps } from '../../../../../shared/types';
 import { invalidateMultipleQueries } from '../../../../../shared/utils/invalidateMultipleQueries';
 import { omitNull } from '../../../../../shared/utils/omitNull';
+import { removeEmptyStrings } from '../../../../../shared/utils/removeEmptyStrings';
 import { titleCase } from '../../../../../shared/utils/titleCase';
-import { trimObjectStrings } from '../../../../../shared/utils/trimObjectStrings';
 import { ProfileDetailsFormAppsField } from './ProfileDetailsFormAppsField';
 
 interface Inputs {
@@ -189,16 +189,15 @@ export const ProfileDetailsForm = () => {
   }, [LL.userPage.userDetails.fields.status]);
 
   const onValidSubmit: SubmitHandler<FormFields> = (values) => {
-    values = trimObjectStrings(values);
     if (userProfile?.user) {
       setUserProfile({ loading: true });
       mutate({
         username: userProfile.user.username,
-        data: {
+        data: removeEmptyStrings({
           ...userProfile.user,
           ...values,
           totp_enabled: userProfile.user.totp_enabled,
-        },
+        }),
       });
     }
   };
diff --git a/web/src/pages/users/UsersOverview/modals/AddUserModal/components/AddUserForm/AddUserForm.tsx b/web/src/pages/users/UsersOverview/modals/AddUserModal/components/AddUserForm/AddUserForm.tsx
index fc0954ac18..3d26891584 100644
--- a/web/src/pages/users/UsersOverview/modals/AddUserModal/components/AddUserForm/AddUserForm.tsx
+++ b/web/src/pages/users/UsersOverview/modals/AddUserModal/components/AddUserForm/AddUserForm.tsx
@@ -28,7 +28,7 @@ import {
 } from '../../../../../../../shared/patterns';
 import { QueryKeys } from '../../../../../../../shared/queries';
 import { invalidateMultipleQueries } from '../../../../../../../shared/utils/invalidateMultipleQueries';
-import { trimObjectStrings } from '../../../../../../../shared/utils/trimObjectStrings';
+import { removeEmptyStrings } from '../../../../../../../shared/utils/removeEmptyStrings';
 import { passwordValidator } from '../../../../../../../shared/validators/password';
 import { useAddUserModal } from '../../hooks/useAddUserModal';
 
@@ -58,6 +58,7 @@ export const AddUserForm = () => {
         .object({
           username: z
             .string()
+            .trim()
             .min(1, LL.form.error.minimumLength())
             .max(64, LL.form.error.maximumLength())
             .regex(patternSafeUsernameCharacters, LL.form.error.forbiddenCharacter()),
@@ -74,9 +75,9 @@ export const AddUserForm = () => {
               }
               return true;
             }, LL.modals.addUser.form.error.emailReserved()),
-          last_name: z.string().min(1, LL.form.error.required()),
-          first_name: z.string().min(1, LL.form.error.required()),
-          phone: z.string(),
+          last_name: z.string().trim().min(1, LL.form.error.required()),
+          first_name: z.string().trim().min(1, LL.form.error.required()),
+          phone: z.string().trim(),
           enable_enrollment: z.boolean(),
         })
         .superRefine((val, ctx) => {
@@ -187,23 +188,23 @@ export const AddUserForm = () => {
   });
 
   const onSubmit: SubmitHandler<FormFields> = (data) => {
-    const trimmed = trimObjectStrings(data);
-    if (reservedUserNames.current.includes(trimmed.username)) {
+    const clean = removeEmptyStrings(data);
+    if (reservedUserNames.current.includes(clean.username)) {
       void trigger('username', { shouldFocus: true });
     } else {
-      usernameAvailable(trimmed.username)
+      usernameAvailable(clean.username)
         .then(() => {
           setCheckingUsername(false);
-          if (trimmed.enable_enrollment) {
-            const userData = omit(trimmed, ['password', 'enable_enrollment']);
+          if (clean.enable_enrollment) {
+            const userData = omit(clean, ['password', 'enable_enrollment']);
             addUserMutation.mutate(userData);
           } else {
-            addUserMutation.mutate(omit(trimmed, ['enable_enrollment']));
+            addUserMutation.mutate(omit(clean, ['enable_enrollment']));
           }
         })
         .catch(() => {
           setCheckingUsername(false);
-          reservedUserNames.current = [...reservedUserNames.current, trimmed.username];
+          reservedUserNames.current = [...reservedUserNames.current, clean.username];
           void trigger('username', { shouldFocus: true });
         });
     }

From 0910c8cd73863085f0c4277e744cfca9499b1a83 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Thu, 18 Sep 2025 08:25:54 +0200
Subject: [PATCH 05/50] Fixes pentest issue DG25-17 from 2025-09-02 (#1581)

* fix open redirect pentest issue
* add tests and handling of get requests, allow redirects if url is allowed for the client
* compare the whole url, not just domain
* cargo clippy fixes
* wip fix openid flow tests
* fix panic in the contains_redirect_url method
* cleanup eprintln statements
* bring back the other openid flow test
* state-based fallback url in openid test
---
 .../src/db/models/oauth2client.rs             |  20 ++
 .../defguard_core/src/handlers/openid_flow.rs |  54 ++--
 .../tests/integration/api/openid.rs           | 280 +++++++++++++++++-
 3 files changed, 314 insertions(+), 40 deletions(-)

diff --git a/crates/defguard_core/src/db/models/oauth2client.rs b/crates/defguard_core/src/db/models/oauth2client.rs
index ce3561e601..0adea97e73 100644
--- a/crates/defguard_core/src/db/models/oauth2client.rs
+++ b/crates/defguard_core/src/db/models/oauth2client.rs
@@ -1,4 +1,5 @@
 use model_derive::Model;
+use reqwest::Url;
 use sqlx::{Error as SqlxError, PgExecutor, PgPool, query_as};
 
 use super::NewOpenIDClient;
@@ -101,6 +102,25 @@ impl OAuth2Client<Id> {
         .fetch_optional(pool)
         .await
     }
+
+    /// Checks if `url` matches client config (ignoring trailing slashes)
+    pub(crate) fn contains_redirect_url(&self, url: &str) -> bool {
+        let parsed_redirect_uris: Vec<String> = self
+            .redirect_uri
+            .iter()
+            .map(|uri| uri.trim_end_matches('/').into())
+            .collect();
+
+        // extract origin from url
+        let Ok(url) = Url::parse(url) else {
+            return false;
+        };
+        let url = url.origin().ascii_serialization();
+
+        !url.split(' ')
+            .map(|uri| uri.trim_end_matches('/'))
+            .all(|uri| !parsed_redirect_uris.iter().any(|u| u == uri))
+    }
 }
 
 // Safe to show for not privileged users
diff --git a/crates/defguard_core/src/handlers/openid_flow.rs b/crates/defguard_core/src/handlers/openid_flow.rs
index dce8b6d569..818ce14f07 100644
--- a/crates/defguard_core/src/handlers/openid_flow.rs
+++ b/crates/defguard_core/src/handlers/openid_flow.rs
@@ -271,18 +271,7 @@ impl AuthenticationRequest {
 
         // assume `client_id` is the same here and in `oauth2client`
 
-        // check `redirect_uri` matches client config (ignoring trailing slashes)
-        let parsed_redirect_uris: Vec<String> = oauth2client
-            .redirect_uri
-            .iter()
-            .map(|uri| uri.trim_end_matches('/').into())
-            .collect();
-        if self
-            .redirect_uri
-            .split(' ')
-            .map(|uri| uri.trim_end_matches('/'))
-            .all(|uri| !parsed_redirect_uris.iter().any(|u| u == uri))
-        {
+        if !oauth2client.contains_redirect_url(&self.redirect_uri) {
             error!(
                 "Invalid redirect_uri for client {}: {} not in [{}]",
                 oauth2client.name,
@@ -392,9 +381,11 @@ pub async fn authorization(
     private_cookies: PrivateCookieJar,
 ) -> Result<(StatusCode, HeaderMap, PrivateCookieJar), WebError> {
     let error;
+    let mut is_redirect_allowed = false;
     if let Some(oauth2client) =
         OAuth2Client::find_by_client_id(&appstate.pool, &data.client_id).await?
     {
+        is_redirect_allowed = oauth2client.contains_redirect_url(&data.redirect_uri);
         match data.validate_for_client(&oauth2client) {
             Ok(()) => {
                 match &data.prompt {
@@ -516,9 +507,12 @@ pub async fn authorization(
         error = CoreAuthErrorResponseType::UnauthorizedClient;
     }
 
-    let mut url =
-        Url::parse(&data.redirect_uri).map_err(|_| WebError::Http(StatusCode::BAD_REQUEST))?;
-
+    let mut url = if is_redirect_allowed {
+        Url::parse(&data.redirect_uri).map_err(|_| WebError::Http(StatusCode::BAD_REQUEST))?
+    } else {
+        // Don't allow open redirects (DG25-17)
+        server_config().url.clone()
+    };
     {
         let mut query_pairs = url.query_pairs_mut();
         query_pairs.append_pair("error", error.as_ref());
@@ -552,13 +546,13 @@ pub async fn secure_authorization(
     Query(data): Query<AuthenticationRequest>,
     private_cookies: PrivateCookieJar,
 ) -> Result<(StatusCode, HeaderMap, PrivateCookieJar), WebError> {
-    let mut url =
-        Url::parse(&data.redirect_uri).map_err(|_| WebError::Http(StatusCode::BAD_REQUEST))?;
     let error;
-    if data.allow {
-        if let Some(oauth2client) =
-            OAuth2Client::find_by_client_id(&appstate.pool, &data.client_id).await?
-        {
+    let mut is_redirect_allowed = false;
+    if let Some(oauth2client) =
+        OAuth2Client::find_by_client_id(&appstate.pool, &data.client_id).await?
+    {
+        is_redirect_allowed = oauth2client.contains_redirect_url(&data.redirect_uri);
+        if data.allow {
             match data.validate_for_client(&oauth2client) {
                 Ok(()) => {
                     if OAuth2AuthorizedApp::find_by_user_and_oauth2client_id(
@@ -602,20 +596,26 @@ pub async fn secure_authorization(
                 }
             }
         } else {
-            error!(
-                "User {} tried to log in with non-existent OIDC client id {}",
+            info!(
+                "User {} denied OIDC login with app id {}",
                 session_info.user.username, data.client_id
             );
-            error = CoreAuthErrorResponseType::UnauthorizedClient;
+            error = CoreAuthErrorResponseType::AccessDenied;
         }
     } else {
-        info!(
-            "User {} denied OIDC login with app id {}",
+        error!(
+            "User {} tried to log in with non-existent OIDC client id {}",
             session_info.user.username, data.client_id
         );
-        error = CoreAuthErrorResponseType::AccessDenied;
+        error = CoreAuthErrorResponseType::UnauthorizedClient;
     }
 
+    let mut url = if is_redirect_allowed {
+        Url::parse(&data.redirect_uri).map_err(|_| WebError::Http(StatusCode::BAD_REQUEST))?
+    } else {
+        // Don't allow open redirects (DG25-17)
+        server_config().url.clone()
+    };
     {
         let mut query_pairs = url.query_pairs_mut();
         query_pairs.append_pair("error", error.as_ref());
diff --git a/crates/defguard_core/tests/integration/api/openid.rs b/crates/defguard_core/tests/integration/api/openid.rs
index 7b701bba14..4aae97eaf8 100644
--- a/crates/defguard_core/tests/integration/api/openid.rs
+++ b/crates/defguard_core/tests/integration/api/openid.rs
@@ -19,13 +19,15 @@ use openidconnect::{
     http::Method,
 };
 use reqwest::{
-    StatusCode,
+    StatusCode, Url,
     header::{AUTHORIZATION, CONTENT_TYPE, HeaderName, USER_AGENT},
 };
 use rsa::RsaPrivateKey;
 use serde::Deserialize;
 use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
+use crate::api::common::client::TestResponse;
+
 use super::common::{
     client::TestClient, make_client, make_client_with_state, make_test_client, setup_pool,
 };
@@ -101,13 +103,13 @@ async fn test_openid_client(_: PgPoolOptions, options: PgConnectOptions) {
 async fn test_openid_flow(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let client = make_client(pool).await;
+    let (client, state) = make_client_with_state(pool).await;
     let auth = Auth::new("admin", "pass123");
     let response = client.post("/api/v1/auth").json(&auth).send().await;
     assert_eq!(response.status(), StatusCode::OK);
     let openid_client = NewOpenIDClient {
         name: "Test".into(),
-        redirect_uri: vec!["http://localhost:3000/".into()],
+        redirect_uri: vec!["http://localhost:3000/".into(), "http://safe.net".into()],
         scope: vec!["openid".into()],
         enabled: true,
     };
@@ -251,6 +253,13 @@ async fn test_openid_flow(_: PgPoolOptions, options: PgConnectOptions) {
     let response = client.post("/api/v1/auth").json(&auth).send().await;
     assert_eq!(response.status(), StatusCode::OK);
 
+    let fallback_url = state
+        .config
+        .url
+        .to_string()
+        .trim_end_matches('/')
+        .to_string();
+
     // check code cannot be reused
     let response = client
         .post("/api/v1/oauth/token")
@@ -286,34 +295,91 @@ async fn test_openid_flow(_: PgPoolOptions, options: PgConnectOptions) {
         .unwrap()
         .to_str()
         .unwrap();
+    assert_eq!(response.status(), StatusCode::FOUND);
+    assert!(location.starts_with(&fallback_url));
     assert!(location.contains("error"));
 
-    // test wrong invalid uri
+    // test invalid redirect uri
     let response = client
-        .post(
+        .post(format!(
             "/api/v1/oauth/authorize?\
             response_type=code&\
-            client_id=1&\
+            client_id={}&\
             redirect_uri=http%3A%2F%example%3A3000%2F&\
             scope=openid&\
             state=ABCDEF&\
             nonce=blabla",
-        )
+            openid_client.client_id
+        ))
         .send()
         .await;
-    assert_eq!(response.status(), StatusCode::BAD_REQUEST);
+    assert_eq!(response.status(), StatusCode::FOUND);
+    assert!(location.starts_with(&fallback_url));
+
+    // test non-whitelisted uri
+    let response = client
+        .post(format!(
+            "/api/v1/oauth/authorize?\
+            response_type=code&\
+            client_id={}&\
+            redirect_uri=http%3A%2F%2Fexample%3A3000%3Fvalue1=one%26value2=two&\
+            scope=openid&\
+            state=ABCDEF&\
+            nonce=blabla",
+            openid_client.client_id
+        ))
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::FOUND);
+    let location = response
+        .headers()
+        .get("Location")
+        .unwrap()
+        .to_str()
+        .unwrap();
+    assert!(location.starts_with(&fallback_url));
+    assert!(location.contains("error=access_denied"));
+
+    // test whitelisted uri, invalid scope
+    let response = client
+        .post(format!(
+            "/api/v1/oauth/authorize?\
+            response_type=code&\
+            client_id={}&\
+            redirect_uri=http://safe.net%3Fvalue1=one%26value2=two&\
+            scope=profile&\
+            state=ABCDEF&\
+            allow=true&\
+            nonce=blabla",
+            openid_client.client_id
+        ))
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::FOUND);
+    let location = response
+        .headers()
+        .get("Location")
+        .unwrap()
+        .to_str()
+        .unwrap();
+    assert!(location.starts_with("http://safe.net"));
+    assert!(location.contains("error=invalid_scope"));
+    assert!(location.contains("value1=one"));
+    assert!(location.contains("value2=two"));
 
     // test wrong redirect uri
     let response = client
-        .post(
+        .post(format!(
             "/api/v1/oauth/authorize?\
             response_type=code&\
-            client_id=1&\
+            client_id={}&\
             redirect_uri=http%3A%2F%2Fexample%3A3000%3Fvalue1=one%26value2=two&\
             scope=openid&\
             state=ABCDEF&\
+            allow=true&\
             nonce=blabla",
-        )
+            openid_client.client_id
+        ))
         .send()
         .await;
     assert_eq!(response.status(), StatusCode::FOUND);
@@ -323,9 +389,8 @@ async fn test_openid_flow(_: PgPoolOptions, options: PgConnectOptions) {
         .unwrap()
         .to_str()
         .unwrap();
+    assert!(location.starts_with(&fallback_url));
     assert!(location.contains("error=access_denied"));
-    assert!(location.contains("value1="));
-    assert!(location.contains("value2="));
 
     // test allow false
     let response = client
@@ -349,6 +414,7 @@ async fn test_openid_flow(_: PgPoolOptions, options: PgConnectOptions) {
         .unwrap()
         .to_str()
         .unwrap();
+    assert!(location.starts_with("http://localhost:3000"));
     assert!(location.contains("error=access_denied"));
 }
 
@@ -763,6 +829,194 @@ async fn dg25_23_test_openid_client_scope_change_clears_authorizations(
     );
 }
 
+#[sqlx::test]
+async fn dg25_17_test_openid_open_redirects(_: PgPoolOptions, options: PgConnectOptions) {
+    let pool = setup_pool(options).await;
+    let (client, state) = make_client_with_state(pool).await;
+    let _admin = User::find_by_username(&state.pool, "admin")
+        .await
+        .unwrap()
+        .unwrap();
+
+    // Authenticate admin
+    let auth = Auth::new("admin", "pass123");
+    let response = client.post("/api/v1/auth").json(&auth).send().await;
+    assert_eq!(response.status(), StatusCode::OK);
+
+    // Create OAuth2 client
+    let oauth2client = NewOpenIDClient {
+        name: "Test Client".into(),
+        redirect_uri: vec!["http://localhost:3000/".into(), "http://safe.net/".into()],
+        scope: vec!["openid".into(), "email".into()],
+        enabled: true,
+    };
+
+    let response = client
+        .post("/api/v1/oauth")
+        .json(&oauth2client)
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+    let oauth2client: OAuth2Client<Id> = response.json().await;
+
+    fn redirect_url(response: &TestResponse) -> String {
+        Url::parse(
+            response
+                .headers()
+                .get(reqwest::header::LOCATION)
+                .unwrap()
+                .to_str()
+                .unwrap(),
+        )
+        .unwrap()
+        .origin()
+        .ascii_serialization()
+    }
+
+    let fallback_url = state
+        .config
+        .url
+        .to_string()
+        .trim_end_matches('/')
+        .to_string();
+
+    // Try to authorize with allowed redirect url - invalid client id
+    let response = client
+        .post(
+            "/api/v1/oauth/authorize?\
+            response_type=code&\
+            client_id=xxx&\
+            redirect_uri=http://localhost:3000&\
+            scope=openid email&\
+            state=ABCDEF&\
+            allow=true&\
+            nonce=blabla",
+        )
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::FOUND);
+    assert_eq!(redirect_url(&response), fallback_url,);
+
+    let response = client
+        .get(
+            "/api/v1/oauth/authorize?\
+            response_type=code&\
+            client_id=xxx&\
+            redirect_uri=http://localhost:3000&\
+            scope=openid email&\
+            state=ABCDEF&\
+            allow=true&\
+            nonce=blabla",
+        )
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::FOUND);
+    assert_eq!(redirect_url(&response), fallback_url);
+
+    // Try to authorize with forbidden redirect url - invalid client id
+    let response = client
+        .post(
+            "/api/v1/oauth/authorize?\
+            response_type=code&\
+            client_id=xxx&\
+            redirect_uri=http://isec.pl&\
+            scope=openid email&\
+            state=ABCDEF&\
+            allow=true&\
+            nonce=blabla",
+        )
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::FOUND);
+    assert_eq!(redirect_url(&response), fallback_url);
+
+    let response = client
+        .get(
+            "/api/v1/oauth/authorize?\
+            response_type=code&\
+            client_id=xxx&\
+            redirect_uri=http://isec.pl&\
+            scope=openid email&\
+            state=ABCDEF&\
+            allow=true&\
+            nonce=blabla",
+        )
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::FOUND);
+    assert_eq!(redirect_url(&response), fallback_url);
+
+    // Try to authorize with forbidden redirect url - invalid scope
+    let response = client
+        .post(format!(
+            "/api/v1/oauth/authorize?\
+            response_type=code&\
+            client_id={}&\
+            redirect_uri=http://isec.pl&\
+            scope=profile&\
+            state=ABCDEF&\
+            allow=true&\
+            nonce=blabla",
+            oauth2client.client_id
+        ))
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::FOUND);
+    assert_eq!(redirect_url(&response), fallback_url);
+
+    let response = client
+        .get(format!(
+            "/api/v1/oauth/authorize?\
+            response_type=code&\
+            client_id={}&\
+            redirect_uri=http://isec.pl&\
+            scope=profile&\
+            state=ABCDEF&\
+            allow=true&\
+            nonce=blabla",
+            oauth2client.client_id
+        ))
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::FOUND);
+    assert_eq!(redirect_url(&response), fallback_url);
+
+    // Same with allowed redirect_uri
+    let response = client
+        .post(format!(
+            "/api/v1/oauth/authorize?\
+            response_type=code&\
+            client_id={}&\
+            redirect_uri=http://safe.net&\
+            scope=profile&\
+            state=ABCDEF&\
+            allow=true&\
+            nonce=blabla",
+            oauth2client.client_id
+        ))
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::FOUND);
+    assert_eq!(redirect_url(&response), "http://safe.net",);
+
+    let response = client
+        .get(format!(
+            "/api/v1/oauth/authorize?\
+            response_type=code&\
+            client_id={}&\
+            redirect_uri=http://safe.net&\
+            scope=profile&\
+            state=ABCDEF&\
+            allow=true&\
+            nonce=blabla",
+            oauth2client.client_id
+        ))
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::FOUND);
+    assert_eq!(redirect_url(&response), "http://safe.net",);
+}
+
 #[sqlx::test]
 async fn dg25_22_test_respect_openid_scope_in_userinfo(
     _: PgPoolOptions,

From bf0db2b0df8b0a3549c6053d571ca164df3af4f1 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Thu, 18 Sep 2025 08:27:14 +0200
Subject: [PATCH 06/50] ensure openid client names don't contain HTML (#1587)

---
 Cargo.lock                                    | 187 ++++++++++++++++++
 crates/defguard_core/Cargo.toml               |   1 +
 .../src/handlers/openid_clients.rs            |  20 ++
 .../tests/integration/api/openid.rs           |  68 +++++++
 4 files changed, 276 insertions(+)

diff --git a/Cargo.lock b/Cargo.lock
index f4c4ff4e17..574a08e36d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -89,6 +89,19 @@ version = "0.2.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "683d7910e743518b0e34f1186f92494becacb047c7b6bf616c96772180fef923"
 
+[[package]]
+name = "ammonia"
+version = "4.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d6b346764dd0814805de8abf899fe03065bcee69bb1a4771c785817e39f3978f"
+dependencies = [
+ "cssparser",
+ "html5ever",
+ "maplit",
+ "tendril",
+ "url",
+]
+
 [[package]]
 name = "android_system_properties"
 version = "0.1.5"
@@ -921,6 +934,29 @@ dependencies = [
  "typenum",
 ]
 
+[[package]]
+name = "cssparser"
+version = "0.35.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4e901edd733a1472f944a45116df3f846f54d37e67e68640ac8bb69689aca2aa"
+dependencies = [
+ "cssparser-macros",
+ "dtoa-short",
+ "itoa",
+ "phf",
+ "smallvec",
+]
+
+[[package]]
+name = "cssparser-macros"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "13b588ba4ac1a99f7f2964d24b3d896ddc6bf847ee3855dbd4366f058cfcd331"
+dependencies = [
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "ctr"
 version = "0.9.2"
@@ -1044,6 +1080,7 @@ dependencies = [
 name = "defguard_core"
 version = "1.5.0"
 dependencies = [
+ "ammonia",
  "anyhow",
  "argon2",
  "axum",
@@ -1358,6 +1395,21 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "dtoa"
+version = "1.0.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d6add3b8cff394282be81f3fc1a0605db594ed69890078ca6e2cab1c408bcf04"
+
+[[package]]
+name = "dtoa-short"
+version = "0.3.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cd1511a7b6a56299bd043a9c167a6d2bfb37bf84a6dfceaba651168adfb43c87"
+dependencies = [
+ "dtoa",
+]
+
 [[package]]
 name = "dyn-clone"
 version = "1.0.20"
@@ -1622,6 +1674,16 @@ version = "2.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e6d5a32815ae3f33302d95fdcb2ce17862f8c65363dcfd29360480ba1001fc9c"
 
+[[package]]
+name = "futf"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "df420e2e84819663797d1ec6544b13c5be84629e7bb00dc960d6917db2987843"
+dependencies = [
+ "mac",
+ "new_debug_unreachable",
+]
+
 [[package]]
 name = "futures"
 version = "0.3.31"
@@ -1968,6 +2030,17 @@ dependencies = [
  "windows-link 0.1.3",
 ]
 
+[[package]]
+name = "html5ever"
+version = "0.35.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "55d958c2f74b664487a2035fe1dadb032c48718a03b63f3ab0b8537db8549ed4"
+dependencies = [
+ "log",
+ "markup5ever",
+ "match_token",
+]
+
 [[package]]
 name = "http"
 version = "1.3.1"
@@ -2642,6 +2715,40 @@ version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154"
 
+[[package]]
+name = "mac"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c41e0c4fef86961ac6d6f8a82609f55f31b05e4fce149ac5710e439df7619ba4"
+
+[[package]]
+name = "maplit"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3e2e65a1a2e43cfcb47a895c4c8b10d1f4a61097f9f254f183aee60cad9c651d"
+
+[[package]]
+name = "markup5ever"
+version = "0.35.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "311fe69c934650f8f19652b3946075f0fc41ad8757dbb68f1ca14e7900ecc1c3"
+dependencies = [
+ "log",
+ "tendril",
+ "web_atoms",
+]
+
+[[package]]
+name = "match_token"
+version = "0.35.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ac84fd3f360fcc43dc5f5d186f02a94192761a080e8bc58621ad4d12296a58cf"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "matchers"
 version = "0.2.0"
@@ -2761,6 +2868,12 @@ dependencies = [
  "tempfile",
 ]
 
+[[package]]
+name = "new_debug_unreachable"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "650eef8c711430f1a879fdd01d4745a7deea475becfb90269c06775983bbf086"
+
 [[package]]
 name = "nom"
 version = "7.1.3"
@@ -3338,6 +3451,7 @@ version = "0.11.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1fd6780a80ae0c52cc120a26a1a42c1ae51b247a253e4e06113d23d2c2edd078"
 dependencies = [
+ "phf_macros",
  "phf_shared",
 ]
 
@@ -3361,6 +3475,19 @@ dependencies = [
  "rand 0.8.5",
 ]
 
+[[package]]
+name = "phf_macros"
+version = "0.11.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f84ac04429c13a7ff43785d75ad27569f2951ce0ffd30a3321230db2fc727216"
+dependencies = [
+ "phf_generator",
+ "phf_shared",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "phf_shared"
 version = "0.11.3"
@@ -3478,6 +3605,12 @@ dependencies = [
  "zerocopy",
 ]
 
+[[package]]
+name = "precomputed-hash"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "925383efa346730478fb4838dbe9137d2a47675ad789c546d150a6e1dd4ab31c"
+
 [[package]]
 name = "prettyplease"
 version = "0.2.37"
@@ -4846,6 +4979,31 @@ dependencies = [
  "windows-sys 0.59.0",
 ]
 
+[[package]]
+name = "string_cache"
+version = "0.8.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bf776ba3fa74f83bf4b63c3dcbbf82173db2632ed8452cb2d891d33f459de70f"
+dependencies = [
+ "new_debug_unreachable",
+ "parking_lot",
+ "phf_shared",
+ "precomputed-hash",
+ "serde",
+]
+
+[[package]]
+name = "string_cache_codegen"
+version = "0.5.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c711928715f1fe0fe509c53b43e993a9a557babc2d0a3567d0a3006f1ac931a0"
+dependencies = [
+ "phf_generator",
+ "phf_shared",
+ "proc-macro2",
+ "quote",
+]
+
 [[package]]
 name = "stringprep"
 version = "0.1.5"
@@ -4981,6 +5139,17 @@ dependencies = [
  "windows-sys 0.61.0",
 ]
 
+[[package]]
+name = "tendril"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d24a120c5fc464a3458240ee02c299ebcb9d67b5249c8848b09d639dca8d7bb0"
+dependencies = [
+ "futf",
+ "mac",
+ "utf-8",
+]
+
 [[package]]
 name = "tera"
 version = "1.20.0"
@@ -5627,6 +5796,12 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "utf-8"
+version = "0.7.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09cc8ee72d2a9becf2f2febe0205bbed8fc6615b7cb429ad062dc7b7ddd036a9"
+
 [[package]]
 name = "utf8_iter"
 version = "1.0.4"
@@ -5912,6 +6087,18 @@ dependencies = [
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "web_atoms"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "57ffde1dc01240bdf9992e3205668b235e59421fd085e8a317ed98da0178d414"
+dependencies = [
+ "phf",
+ "phf_codegen",
+ "string_cache",
+ "string_cache_codegen",
+]
+
 [[package]]
 name = "webauthn-attestation-ca"
 version = "0.5.2"
diff --git a/crates/defguard_core/Cargo.toml b/crates/defguard_core/Cargo.toml
index 10083cf94f..3ee6c10de5 100644
--- a/crates/defguard_core/Cargo.toml
+++ b/crates/defguard_core/Cargo.toml
@@ -85,6 +85,7 @@ bytes = { workspace = true }
 ed25519-dalek = { version = "2.2", features = ["rand_core"] }
 tower = "0.5"
 regex = "1.10"
+ammonia = "4.1.1"
 
 [dev-dependencies]
 bytes = "1.6"
diff --git a/crates/defguard_core/src/handlers/openid_clients.rs b/crates/defguard_core/src/handlers/openid_clients.rs
index cc6a0bd52e..e0a911590d 100644
--- a/crates/defguard_core/src/handlers/openid_clients.rs
+++ b/crates/defguard_core/src/handlers/openid_clients.rs
@@ -26,6 +26,16 @@ pub async fn add_openid_client(
         "User {} adding OpenID client {}",
         session.user.username, data.name
     );
+    if ammonia::is_html(&data.name) {
+        warn!(
+            "User {} attempted to create openid client with name containing HTML: {}",
+            session.user.username, data.name
+        );
+        return Ok(ApiResponse {
+            json: json!({"msg": "invalid name"}),
+            status: StatusCode::BAD_REQUEST,
+        });
+    }
     let client = OAuth2Client::from_new(data).save(&appstate.pool).await?;
     info!(
         "User {} added OpenID client {}",
@@ -89,6 +99,16 @@ pub async fn change_openid_client(
         "User {} updating OpenID client {client_id}...",
         session.user.username
     );
+    if ammonia::is_html(&data.name) {
+        warn!(
+            "User {} attempted to edit openid client with name containing HTML: {}",
+            session.user.username, data.name
+        );
+        return Ok(ApiResponse {
+            json: json!({"msg": "invalid name"}),
+            status: StatusCode::BAD_REQUEST,
+        });
+    }
     let mut transaction = appstate.pool.begin().await?;
     let status = match OAuth2Client::find_by_client_id(&mut *transaction, &client_id).await? {
         Some(mut client) => {
diff --git a/crates/defguard_core/tests/integration/api/openid.rs b/crates/defguard_core/tests/integration/api/openid.rs
index 4aae97eaf8..ec2ba54daf 100644
--- a/crates/defguard_core/tests/integration/api/openid.rs
+++ b/crates/defguard_core/tests/integration/api/openid.rs
@@ -1197,6 +1197,74 @@ async fn dg25_22_test_respect_openid_scope_in_userinfo(
     assert!(claims.phone_number().is_none());
 }
 
+#[sqlx::test]
+async fn dg25_21_test_openid_html_injection(_: PgPoolOptions, options: PgConnectOptions) {
+    let pool = setup_pool(options).await;
+
+    let client = make_client(pool).await;
+    let auth = Auth::new("admin", "pass123");
+    let response = client.post("/api/v1/auth").json(&auth).send().await;
+    assert_eq!(response.status(), StatusCode::OK);
+
+    let invalid_names = &[
+        "Test <a href=\"isec.pl\">Click</a>",
+        "Test <a href=\"isec.pl\">Click",
+        "Test <script>alert('xss')</script>",
+        "Test <script>alert('xss')",
+        "Test <img src=x onerror=alert(1)>",
+        "Test <a href=\"javascript:alert(1)\">here</a>",
+        "Test <svg onload=\"alert(1)\"></svg>",
+    ];
+
+    // ensure creation of openid client with name containing HTML is forbidden
+    for name in invalid_names {
+        let openid_client = NewOpenIDClient {
+            name: name.to_string(),
+            redirect_uri: vec!["http://localhost:3000/".into()],
+            scope: vec!["openid".into()],
+            enabled: true,
+        };
+        let response = client
+            .post("/api/v1/oauth")
+            .json(&openid_client)
+            .send()
+            .await;
+        assert_eq!(response.status(), StatusCode::BAD_REQUEST);
+    }
+
+    // create valid openid client
+    let openid_client = NewOpenIDClient {
+        name: "Test".to_string(),
+        redirect_uri: vec!["http://localhost:3000/".into()],
+        scope: vec!["openid".into()],
+        enabled: true,
+    };
+    let response = client
+        .post("/api/v1/oauth")
+        .json(&openid_client)
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+    let valid_openid_client: OAuth2Client<Id> = response.json().await;
+    assert_eq!(valid_openid_client.name, "Test");
+
+    // ensure edits of openid client with name containing HTML are forbidden
+    for name in invalid_names {
+        let openid_client = NewOpenIDClient {
+            name: name.to_string(),
+            redirect_uri: vec!["http://localhost:3000/".into()],
+            scope: vec!["openid".into()],
+            enabled: true,
+        };
+        let response = client
+            .put(format!("/api/v1/oauth/{}", valid_openid_client.client_id))
+            .json(&openid_client)
+            .send()
+            .await;
+        assert_eq!(response.status(), StatusCode::BAD_REQUEST);
+    }
+}
+
 #[sqlx::test]
 async fn test_openid_flow_new_login_mail(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;

From 56040c23a560dc27cd2ff9c83470295c9917fba7 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Thu, 18 Sep 2025 08:27:58 +0200
Subject: [PATCH 07/50] ensure login responses don't allow login enumeration
 (#1588)

---
 crates/defguard_core/src/error.rs             |  2 +
 crates/defguard_core/src/handlers/auth.rs     |  8 +--
 crates/defguard_core/src/handlers/mod.rs      |  1 +
 .../tests/integration/api/auth.rs             | 53 +++++++++++++++++++
 .../tests/integration/api/common/client.rs    |  1 -
 5 files changed, 60 insertions(+), 5 deletions(-)

diff --git a/crates/defguard_core/src/error.rs b/crates/defguard_core/src/error.rs
index cea003dcc2..bcd9e7f250 100644
--- a/crates/defguard_core/src/error.rs
+++ b/crates/defguard_core/src/error.rs
@@ -42,6 +42,8 @@ pub enum WebError {
     Deserialization(String),
     #[error("Authorization error: {0}")]
     Authorization(String),
+    #[error("Authentication error")]
+    Authentication,
     #[error("Forbidden error: {0}")]
     Forbidden(String),
     #[error("Database error: {0}")]
diff --git a/crates/defguard_core/src/handlers/auth.rs b/crates/defguard_core/src/handlers/auth.rs
index 4e629ee746..752297662e 100644
--- a/crates/defguard_core/src/handlers/auth.rs
+++ b/crates/defguard_core/src/handlers/auth.rs
@@ -177,7 +177,7 @@ pub(crate) async fn authenticate(
                                 ),
                             }),
                         })?;
-                            return Err(WebError::Authorization(ldap_err.to_string()));
+                            return Err(WebError::Authentication);
                         }
                     }
                 } else {
@@ -196,7 +196,7 @@ pub(crate) async fn authenticate(
                             ),
                         }),
                     })?;
-                    return Err(WebError::Authorization(err.to_string()));
+                    return Err(WebError::Authentication);
                 }
             }
         }
@@ -208,7 +208,7 @@ pub(crate) async fn authenticate(
             Err(err) => {
                 info!("Failed to authenticate user {username_or_email} with LDAP: {err}");
                 log_failed_login_attempt(&appstate.failed_logins, &username_or_email);
-                return Err(WebError::Authorization(err.to_string()));
+                return Err(WebError::Authentication);
             }
         }
     };
@@ -216,7 +216,7 @@ pub(crate) async fn authenticate(
     // check if user account is active
     if !user.is_active {
         info!("Failed to authenticate user {username_or_email}: user is disabled");
-        return Err(WebError::Authorization("user not found".into()));
+        return Err(WebError::Authentication);
     }
 
     let (session, user_info, mfa_info) = create_session(
diff --git a/crates/defguard_core/src/handlers/mod.rs b/crates/defguard_core/src/handlers/mod.rs
index b088716a37..58999f837d 100644
--- a/crates/defguard_core/src/handlers/mod.rs
+++ b/crates/defguard_core/src/handlers/mod.rs
@@ -80,6 +80,7 @@ impl From<WebError> for ApiResponse {
                 error!(msg);
                 ApiResponse::new(json!({ "msg": msg }), StatusCode::UNAUTHORIZED)
             }
+            WebError::Authentication => ApiResponse::new(json!({}), StatusCode::UNAUTHORIZED),
             WebError::Forbidden(msg) => {
                 error!(msg);
                 ApiResponse::new(json!({ "msg": msg }), StatusCode::FORBIDDEN)
diff --git a/crates/defguard_core/tests/integration/api/auth.rs b/crates/defguard_core/tests/integration/api/auth.rs
index f7150b9a36..e47b7e2285 100644
--- a/crates/defguard_core/tests/integration/api/auth.rs
+++ b/crates/defguard_core/tests/integration/api/auth.rs
@@ -20,6 +20,8 @@ use totp_lite::{Sha1, totp_custom};
 use webauthn_authenticator_rs::{WebauthnAuthenticator, prelude::Url, softpasskey::SoftPasskey};
 use webauthn_rs::prelude::{CreationChallengeResponse, RequestChallengeResponse};
 
+use crate::api::common::client::TestResponse;
+
 use super::common::{
     X_FORWARDED_FOR, fetch_user_details, make_client, make_client_with_db, make_client_with_state,
     make_test_client, setup_pool,
@@ -98,6 +100,57 @@ async fn test_login_bruteforce(_: PgPoolOptions, options: PgConnectOptions) {
     }
 }
 
+#[sqlx::test]
+async fn dg25_21_test_login_enumeration(_: PgPoolOptions, options: PgConnectOptions) {
+    let pool = setup_pool(options).await;
+
+    let client = make_client(pool).await;
+
+    let user_auth = Auth::new("hpotter", "pass123");
+    let admin_auth = Auth::new("admin", "pass123");
+
+    let response = client.post("/api/v1/auth").json(&admin_auth).send().await;
+    assert_eq!(response.status(), StatusCode::OK);
+
+    let response = client.post("/api/v1/auth").json(&user_auth).send().await;
+    assert_eq!(response.status(), StatusCode::OK);
+
+    async fn responses_eq(response1: TestResponse, response2: TestResponse) -> bool {
+        // omit date header
+        let mut headers1 = response1.headers().clone();
+        headers1.remove("date");
+        let mut headers2 = response2.headers().clone();
+        headers2.remove("date");
+        let headers = headers1 == headers2;
+
+        let status = response1.status() == response2.status();
+        let body = response1.bytes().await == response2.bytes().await;
+
+        status && headers && body
+    }
+
+    // regular user
+    let user_auth = Auth::new("hpotter", "invalid");
+    let response_existing_user = client.post("/api/v1/auth").json(&user_auth).send().await;
+    let user_auth = Auth::new("nothpotter", "invalid");
+    let response_nonexisting_user = client.post("/api/v1/auth").json(&user_auth).send().await;
+    assert!(responses_eq(response_existing_user, response_nonexisting_user).await);
+
+    // admin user
+    let user_auth = Auth::new("admin", "invalid");
+    let response_existing_user = client.post("/api/v1/auth").json(&user_auth).send().await;
+    let user_auth = Auth::new("notadmin", "invalid");
+    let response_nonexisting_user = client.post("/api/v1/auth").json(&user_auth).send().await;
+    assert!(responses_eq(response_existing_user, response_nonexisting_user).await);
+
+    // response for admin = response for regular user
+    let user_auth = Auth::new("admin", "invalid");
+    let response_existing_user = client.post("/api/v1/auth").json(&user_auth).send().await;
+    let user_auth = Auth::new("hpotter", "invalid");
+    let response_nonexisting_user = client.post("/api/v1/auth").json(&user_auth).send().await;
+    assert!(responses_eq(response_existing_user, response_nonexisting_user).await);
+}
+
 #[sqlx::test]
 async fn test_login_disabled(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
diff --git a/crates/defguard_core/tests/integration/api/common/client.rs b/crates/defguard_core/tests/integration/api/common/client.rs
index 61a45135dc..9f86a6f613 100644
--- a/crates/defguard_core/tests/integration/api/common/client.rs
+++ b/crates/defguard_core/tests/integration/api/common/client.rs
@@ -177,7 +177,6 @@ impl RequestBuilder {
 /// non-panicking versions or the complete `Response` API use `into_inner()` or
 /// `as_ref()`.
 #[derive(Debug)]
-
 pub struct TestResponse {
     response: reqwest::Response,
 }

From cd6e40c5943e7c9babb806fa5aa9e4c6f960a9d9 Mon Sep 17 00:00:00 2001
From: Adam <adam@defguard.net>
Date: Thu, 18 Sep 2025 11:30:03 +0200
Subject: [PATCH 08/50] Fixes pentest issue DG25-24 from 2025-09-02 (#1585)

---
 ...35ad0e24e4855aa42cdceab2712f8c8dbef4.json} |  4 +-
 Cargo.lock                                    | 36 +++----
 .../defguard_core/src/db/models/auth_code.rs  | 63 ++++++++----
 .../src/db/models/oauth2client.rs             | 48 ++++++---
 .../defguard_core/src/handlers/openid_flow.rs | 60 ++++++------
 .../tests/integration/api/common/client.rs    |  1 -
 .../tests/integration/api/mod.rs              |  2 +
 .../tests/integration/api/openid.rs           | 98 ++++++++++---------
 .../tests/integration/api/user.rs             |  7 +-
 9 files changed, 184 insertions(+), 135 deletions(-)
 rename .sqlx/{query-321ce9355db39c3d93d8b915ba7888357f5403c2e9e97fa17e502223bbcc918a.json => query-27f3c5ea4443993df10ea337195635ad0e24e4855aa42cdceab2712f8c8dbef4.json} (82%)

diff --git a/.sqlx/query-321ce9355db39c3d93d8b915ba7888357f5403c2e9e97fa17e502223bbcc918a.json b/.sqlx/query-27f3c5ea4443993df10ea337195635ad0e24e4855aa42cdceab2712f8c8dbef4.json
similarity index 82%
rename from .sqlx/query-321ce9355db39c3d93d8b915ba7888357f5403c2e9e97fa17e502223bbcc918a.json
rename to .sqlx/query-27f3c5ea4443993df10ea337195635ad0e24e4855aa42cdceab2712f8c8dbef4.json
index c4bb584637..00ccd67e94 100644
--- a/.sqlx/query-321ce9355db39c3d93d8b915ba7888357f5403c2e9e97fa17e502223bbcc918a.json
+++ b/.sqlx/query-27f3c5ea4443993df10ea337195635ad0e24e4855aa42cdceab2712f8c8dbef4.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, user_id, client_id, code, redirect_uri, scope, auth_time, nonce, code_challenge FROM authorization_code WHERE code = $1",
+  "query": "DELETE FROM authorization_code WHERE code = $1 RETURNING id, user_id, client_id, code, redirect_uri, scope, auth_time, nonce, code_challenge",
   "describe": {
     "columns": [
       {
@@ -66,5 +66,5 @@
       true
     ]
   },
-  "hash": "321ce9355db39c3d93d8b915ba7888357f5403c2e9e97fa17e502223bbcc918a"
+  "hash": "27f3c5ea4443993df10ea337195635ad0e24e4855aa42cdceab2712f8c8dbef4"
 }
diff --git a/Cargo.lock b/Cargo.lock
index 574a08e36d..7215fcceea 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2475,9 +2475,9 @@ dependencies = [
 
 [[package]]
 name = "js-sys"
-version = "0.3.79"
+version = "0.3.80"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6247da8b8658ad4e73a186e747fcc5fc2a29f979d6fe6269127fdb5fd08298d0"
+checksum = "852f13bec5eba4ba9afbeb93fd7c13fe56147f055939ae21c43a29a0ecb2702e"
 dependencies = [
  "once_cell",
  "wasm-bindgen",
@@ -5329,9 +5329,9 @@ dependencies = [
 
 [[package]]
 name = "tokio-rustls"
-version = "0.26.2"
+version = "0.26.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8e727b36a1a0e8b74c376ac2211e40c2c8af09fb4013c60d910495810f008e9b"
+checksum = "05f63835928ca123f1bef57abbcd23bb2ba0ac9ae1235f1e65bda0d06e7786bd"
 dependencies = [
  "rustls",
  "tokio",
@@ -5984,9 +5984,9 @@ checksum = "b8dad83b4f25e74f184f64c43b150b91efe7647395b42289f38e50566d82855b"
 
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.102"
+version = "0.2.103"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4ad224d2776649cfb4f4471124f8176e54c1cca67a88108e30a0cd98b90e7ad3"
+checksum = "ab10a69fbd0a177f5f649ad4d8d3305499c42bab9aef2f7ff592d0ec8f833819"
 dependencies = [
  "cfg-if",
  "once_cell",
@@ -5997,9 +5997,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-backend"
-version = "0.2.102"
+version = "0.2.103"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3a1364104bdcd3c03f22b16a3b1c9620891469f5e9f09bc38b2db121e593e732"
+checksum = "0bb702423545a6007bbc368fde243ba47ca275e549c8a28617f56f6ba53b1d1c"
 dependencies = [
  "bumpalo",
  "log",
@@ -6011,9 +6011,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-futures"
-version = "0.4.52"
+version = "0.4.53"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9c0a08ecf5d99d5604a6666a70b3cde6ab7cc6142f5e641a8ef48fc744ce8854"
+checksum = "a0b221ff421256839509adbb55998214a70d829d3a28c69b4a6672e9d2a42f67"
 dependencies = [
  "cfg-if",
  "js-sys",
@@ -6024,9 +6024,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.102"
+version = "0.2.103"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0d7ab4ca3e367bb1ed84ddbd83cc6e41e115f8337ed047239578210214e36c76"
+checksum = "fc65f4f411d91494355917b605e1480033152658d71f722a90647f56a70c88a0"
 dependencies = [
  "quote",
  "wasm-bindgen-macro-support",
@@ -6034,9 +6034,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.102"
+version = "0.2.103"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4a518014843a19e2dbbd0ed5dfb6b99b23fb886b14e6192a00803a3e14c552b0"
+checksum = "ffc003a991398a8ee604a401e194b6b3a39677b3173d6e74495eb51b82e99a32"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -6047,9 +6047,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.102"
+version = "0.2.103"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "255eb0aa4cc2eea3662a00c2bbd66e93911b7361d5e0fcd62385acfd7e15dcee"
+checksum = "293c37f4efa430ca14db3721dfbe48d8c33308096bd44d80ebaa775ab71ba1cf"
 dependencies = [
  "unicode-ident",
 ]
@@ -6069,9 +6069,9 @@ dependencies = [
 
 [[package]]
 name = "web-sys"
-version = "0.3.79"
+version = "0.3.80"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "50462a022f46851b81d5441d1a6f5bac0b21a1d72d64bd4906fbdd4bf7230ec7"
+checksum = "fbe734895e869dc429d78c4b433f8d17d95f8d05317440b4fad5ab2d33e596dc"
 dependencies = [
  "js-sys",
  "wasm-bindgen",
diff --git a/crates/defguard_core/src/db/models/auth_code.rs b/crates/defguard_core/src/db/models/auth_code.rs
index 6b2fd73b53..5cf60f13dd 100644
--- a/crates/defguard_core/src/db/models/auth_code.rs
+++ b/crates/defguard_core/src/db/models/auth_code.rs
@@ -1,29 +1,30 @@
 use chrono::Utc;
 use model_derive::Model;
-use sqlx::{Error as SqlxError, PgPool, query_as};
+use sqlx::{PgExecutor, query_as};
 
 use crate::{
     db::{Id, NoId},
     random::gen_alphanumeric,
 };
 
-#[derive(Model, Clone)]
+#[derive(Model)]
 #[table(authorization_code)]
-pub struct AuthCode<I = NoId> {
+pub(crate) struct AuthCode<I = NoId> {
+    #[allow(dead_code)]
     id: I,
-    pub user_id: Id,
-    pub client_id: String,
-    pub code: String,
-    pub redirect_uri: String,
-    pub scope: String,
-    pub auth_time: i64,
-    pub nonce: Option<String>,
-    pub code_challenge: Option<String>,
+    pub(crate) user_id: Id,
+    pub(crate) client_id: String,
+    pub(crate) code: String,
+    pub(crate) redirect_uri: String,
+    pub(crate) scope: String,
+    pub(crate) auth_time: i64,
+    pub(crate) nonce: Option<String>,
+    pub(crate) code_challenge: Option<String>,
 }
 
 impl AuthCode {
     #[must_use]
-    pub fn new(
+    pub(crate) fn new(
         user_id: Id,
         client_id: String,
         redirect_uri: String,
@@ -46,21 +47,41 @@ impl AuthCode {
     }
 }
 
+impl From<AuthCode<Id>> for AuthCode<NoId> {
+    fn from(value: AuthCode<Id>) -> Self {
+        Self {
+            id: NoId,
+            user_id: value.user_id,
+            client_id: value.client_id,
+            code: value.code,
+            redirect_uri: value.redirect_uri,
+            scope: value.scope,
+            auth_time: value.auth_time,
+            nonce: value.nonce,
+            code_challenge: value.code_challenge,
+        }
+    }
+}
+
 impl AuthCode<Id> {
     /// Find by code.
-    pub async fn find_code(pool: &PgPool, code: &str) -> Result<Option<Self>, SqlxError> {
+    /// If found, delete `AuthCode` from the database right away, so it can't be reused.
+    pub(crate) async fn find_code<'e, E>(
+        executor: E,
+        code: &str,
+    ) -> Result<Option<AuthCode<NoId>>, sqlx::Error>
+    where
+        E: PgExecutor<'e>,
+    {
         query_as!(
             Self,
-            "SELECT id, user_id, client_id, code, redirect_uri, scope, auth_time, nonce, \
-            code_challenge FROM authorization_code WHERE code = $1",
+            "DELETE FROM authorization_code WHERE code = $1 \
+            RETURNING id, user_id, client_id, code, redirect_uri, scope, auth_time, nonce, \
+            code_challenge",
             code
         )
-        .fetch_optional(pool)
+        .fetch_optional(executor)
         .await
-    }
-
-    // Remove a used authorization_code
-    pub async fn consume(self, pool: &PgPool) -> Result<(), SqlxError> {
-        self.delete(pool).await
+        .map(|inner_option| inner_option.map(Into::into))
     }
 }
diff --git a/crates/defguard_core/src/db/models/oauth2client.rs b/crates/defguard_core/src/db/models/oauth2client.rs
index 0adea97e73..4a886c23d7 100644
--- a/crates/defguard_core/src/db/models/oauth2client.rs
+++ b/crates/defguard_core/src/db/models/oauth2client.rs
@@ -1,5 +1,4 @@
 use model_derive::Model;
-use reqwest::Url;
 use sqlx::{Error as SqlxError, PgExecutor, PgPool, query_as};
 
 use super::NewOpenIDClient;
@@ -103,23 +102,17 @@ impl OAuth2Client<Id> {
         .await
     }
 
-    /// Checks if `url` matches client config (ignoring trailing slashes)
+    /// Checks if `url` matches client config (ignoring trailing slashes).
     pub(crate) fn contains_redirect_url(&self, url: &str) -> bool {
-        let parsed_redirect_uris: Vec<String> = self
-            .redirect_uri
-            .iter()
-            .map(|uri| uri.trim_end_matches('/').into())
-            .collect();
+        let url_trimmed = url.trim_end_matches('/');
 
-        // extract origin from url
-        let Ok(url) = Url::parse(url) else {
-            return false;
-        };
-        let url = url.origin().ascii_serialization();
+        for redirect in &self.redirect_uri {
+            if url_trimmed == redirect.trim_end_matches('/') {
+                return true;
+            }
+        }
 
-        !url.split(' ')
-            .map(|uri| uri.trim_end_matches('/'))
-            .all(|uri| !parsed_redirect_uris.iter().any(|u| u == uri))
+        false
     }
 }
 
@@ -140,3 +133,28 @@ impl From<OAuth2Client<Id>> for OAuth2ClientSafe {
         }
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_contains_redirect_url() {
+        let oauth2client = OAuth2Client {
+            id: 1,
+            client_id: String::new(),
+            client_secret: String::new(),
+            redirect_uri: vec![
+                String::from("http://localhost/"),
+                String::from("http://safe.net/"),
+            ],
+            scope: Vec::new(),
+            name: String::new(),
+            enabled: true,
+        };
+        assert!(oauth2client.contains_redirect_url("http://safe.net"));
+        assert!(oauth2client.contains_redirect_url("http://localhost"));
+        assert!(!oauth2client.contains_redirect_url("http://safe.net/api"));
+        assert!(!oauth2client.contains_redirect_url("http://nonexistent:8000"));
+    }
+}
diff --git a/crates/defguard_core/src/handlers/openid_flow.rs b/crates/defguard_core/src/handlers/openid_flow.rs
index 818ce14f07..823066ede9 100644
--- a/crates/defguard_core/src/handlers/openid_flow.rs
+++ b/crates/defguard_core/src/handlers/openid_flow.rs
@@ -43,7 +43,7 @@ use crate::{
     appstate::AppState,
     auth::{AccessUserInfo, SessionInfo, UserClaims},
     db::{
-        Id, OAuth2AuthorizedApp, OAuth2Token, Session, SessionState, User,
+        Id, NoId, OAuth2AuthorizedApp, OAuth2Token, Session, SessionState, User,
         models::{auth_code::AuthCode, oauth2client::OAuth2Client},
     },
     error::WebError,
@@ -324,7 +324,7 @@ async fn generate_auth_code_redirect(
         if let Some(state) = data.state {
             query_pairs.append_pair("state", &state);
         }
-    };
+    }
 
     Ok(url.to_string())
 }
@@ -396,7 +396,7 @@ pub async fn authorization(
                         );
                         // FIXME: do not panic
                         return Ok(redirect_to(
-                            format!("/consent?{}", serde_urlencoded::to_string(data).unwrap(),),
+                            format!("/consent?{}", serde_urlencoded::to_string(data).unwrap()),
                             private_cookies,
                         ));
                     }
@@ -412,7 +412,8 @@ pub async fn authorization(
                                 // If session expired return login
                                 if session.expired() {
                                     info!(
-                                        "Session {} for user id {} has expired, redirecting to login",
+                                        "Session {} for user id {} has expired, redirecting to \
+                                        login",
                                         session.id, session.user_id
                                     );
                                     let _result = session.delete(&appstate.pool).await;
@@ -427,8 +428,9 @@ pub async fn authorization(
 
                                     user.verify_mfa_state(&appstate.pool).await?;
 
-                                    // Session exists even if user hasn't completed MFA verification yet,
-                                    // thus we need to check if MFA is enabled and the verification is done.
+                                    // Session exists even if user hasn't completed MFA verification
+                                    // yet, thus we need to check if MFA is enabled and the
+                                    // verification is done.
                                     if user.mfa_enabled
                                         && session.state != SessionState::MultiFactorVerified
                                     {
@@ -439,8 +441,9 @@ pub async fn authorization(
                                         return Ok(login_redirect(&data, private_cookies));
                                     }
 
-                                    // If session is present check if app is in user authorized apps.
-                                    // If yes return auth code and state else redirect to consent form.
+                                    // If session is present check if app is in user authorized
+                                    // apps. If yes, return auth code and state else redirect to
+                                    // consent form.
                                     if let Some(app) =
                                         OAuth2AuthorizedApp::find_by_user_and_oauth2client_id(
                                             &appstate.pool,
@@ -450,7 +453,8 @@ pub async fn authorization(
                                         .await?
                                     {
                                         info!(
-                                            "OAuth client id {} authorized by user id {}, returning auth code",
+                                            "OAuth client id {} authorized by user id {}, \
+                                            returning auth code",
                                             app.oauth2client_id, session.user_id
                                         );
                                         let private_cookies = private_cookies
@@ -465,7 +469,8 @@ pub async fn authorization(
                                     } else {
                                         // If authorized app not found redirect to consent form
                                         info!(
-                                            "OAuth client id {} not yet authorized by user id {}, redirecting to consent form",
+                                            "OAuth client id {} not yet authorized by user id {}, \
+                                            redirecting to consent form",
                                             oauth2client.id, session.user_id
                                         );
                                         Ok(redirect_to(
@@ -478,7 +483,7 @@ pub async fn authorization(
                                     }
                                 }
                             } else {
-                                // If session is not present in db redirect to login
+                                // If session is not present in database, redirect to login.
                                 info!(
                                     "Session {} not found, redirecting to login page",
                                     session_cookie.value()
@@ -532,7 +537,7 @@ pub struct GroupClaims {
 
 impl AdditionalClaims for GroupClaims {}
 
-pub async fn get_group_claims(pool: &PgPool, user: &User<Id>) -> Result<GroupClaims, WebError> {
+async fn get_group_claims(pool: &PgPool, user: &User<Id>) -> Result<GroupClaims, WebError> {
     let groups = user.member_of_names(pool).await?;
     Ok(GroupClaims {
         groups: Some(groups),
@@ -663,7 +668,7 @@ impl TokenRequest {
 
     fn authorization_code_flow<T>(
         &self,
-        auth_code: &AuthCode<Id>,
+        auth_code: &AuthCode<NoId>,
         token: &OAuth2Token,
         claims: StandardClaims<CoreGenderClaim>,
         base_url: &Url,
@@ -794,20 +799,16 @@ pub async fn token(
 
             // for logging
             let form_client_id = match &form.client_id {
-                Some(id) => id.clone(),
-                None => String::from("N/A"),
+                Some(id) => id,
+                None => "N/A",
             };
 
             if let Some(code) = &form.code {
-                if let Some(stored_auth_code) = AuthCode::find_code(&appstate.pool, code).await? {
-                    // copy data before removing used token
-                    let auth_code = stored_auth_code.clone();
-                    // remove authorization_code from DB so it cannot be reused
-                    debug!(
-                        "Removing used authorization_code {code}, client_id `{}`",
-                        form_client_id
-                    );
-                    stored_auth_code.consume(&appstate.pool).await?;
+                // Look for `AuthCode`. If found, it will be deleted from the database to avoid
+                // concurrent requests that might return multiple tokens for the same code.
+                // This addresses DG25-24 and conforms to RFC 6749.
+                if let Some(auth_code) = AuthCode::find_code(&appstate.pool, code).await? {
+                    debug!("Consumed authorization_code {code}, client_id `{form_client_id}`");
                     if let Some(client) = oauth2client.or(form.oauth2client(&appstate.pool).await) {
                         if let Some(user) =
                             User::find_by_id(&appstate.pool, auth_code.user_id).await?
@@ -824,7 +825,7 @@ pub async fn token(
                                     "Issuing new token for user {} client {}",
                                     user.username, client.name
                                 );
-                                // Remove existing token in case same client asks for new token
+                                // Remove existing token in case the same client asks for new token.
                                 if let Some(token) = OAuth2Token::find_by_authorized_app_id(
                                     &appstate.pool,
                                     authorized_app.id,
@@ -867,8 +868,8 @@ pub async fn token(
                                     }
                                     Err(err) => {
                                         error!(
-                                            "Error issuing new token for user {} client {}: {}",
-                                            user.username, client.name, err
+                                            "Error issuing new token for user {} client {}: {err}",
+                                            user.username, client.name
                                         );
                                         let response =
                                             StandardErrorResponse::<CoreErrorResponseType>::new(
@@ -882,7 +883,8 @@ pub async fn token(
                                 }
                             }
                             error!(
-                                "Can't issue token - authorized app not found for user {}, client {}",
+                                "Can't issue token - authorized app not found for user {}, client \
+                                {}",
                                 user.username, client.name
                             );
                         } else {
@@ -895,7 +897,7 @@ pub async fn token(
                     error!("OAuth auth code not found");
                 }
             } else {
-                error!("No code provided in request for client id `{form_client_id}`",);
+                error!("No code provided in request for client id `{form_client_id}`");
             }
         }
         "refresh_token" => {
diff --git a/crates/defguard_core/tests/integration/api/common/client.rs b/crates/defguard_core/tests/integration/api/common/client.rs
index 9f86a6f613..9292b31a3e 100644
--- a/crates/defguard_core/tests/integration/api/common/client.rs
+++ b/crates/defguard_core/tests/integration/api/common/client.rs
@@ -176,7 +176,6 @@ impl RequestBuilder {
 /// This is conventient for tests where panics are what you want. For access to
 /// non-panicking versions or the complete `Response` API use `into_inner()` or
 /// `as_ref()`.
-#[derive(Debug)]
 pub struct TestResponse {
     response: reqwest::Response,
 }
diff --git a/crates/defguard_core/tests/integration/api/mod.rs b/crates/defguard_core/tests/integration/api/mod.rs
index 4891501678..218ff73cf8 100644
--- a/crates/defguard_core/tests/integration/api/mod.rs
+++ b/crates/defguard_core/tests/integration/api/mod.rs
@@ -19,3 +19,5 @@ mod wireguard_network_devices;
 mod wireguard_network_import;
 mod wireguard_network_stats;
 mod worker;
+
+const TEST_SERVER_URL: &str = "http://localhost:3000/";
diff --git a/crates/defguard_core/tests/integration/api/openid.rs b/crates/defguard_core/tests/integration/api/openid.rs
index ec2ba54daf..1a3882d4c2 100644
--- a/crates/defguard_core/tests/integration/api/openid.rs
+++ b/crates/defguard_core/tests/integration/api/openid.rs
@@ -20,16 +20,18 @@ use openidconnect::{
 };
 use reqwest::{
     StatusCode, Url,
-    header::{AUTHORIZATION, CONTENT_TYPE, HeaderName, USER_AGENT},
+    header::{AUTHORIZATION, CONTENT_TYPE, HeaderName, LOCATION, USER_AGENT},
 };
 use rsa::RsaPrivateKey;
 use serde::Deserialize;
 use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
-use crate::api::common::client::TestResponse;
-
-use super::common::{
-    client::TestClient, make_client, make_client_with_state, make_test_client, setup_pool,
+use super::{
+    TEST_SERVER_URL,
+    common::{
+        client::{TestClient, TestResponse},
+        make_client, make_client_with_state, make_test_client, setup_pool,
+    },
 };
 
 #[derive(Deserialize)]
@@ -50,7 +52,7 @@ async fn test_openid_client(_: PgPoolOptions, options: PgConnectOptions) {
 
     let mut openid_client = NewOpenIDClient {
         name: "Test".into(),
-        redirect_uri: vec!["http://localhost:3000/".into()],
+        redirect_uri: vec![TEST_SERVER_URL.into()],
         scope: vec!["openid".into()],
         enabled: true,
     };
@@ -109,7 +111,7 @@ async fn test_openid_flow(_: PgPoolOptions, options: PgConnectOptions) {
     assert_eq!(response.status(), StatusCode::OK);
     let openid_client = NewOpenIDClient {
         name: "Test".into(),
-        redirect_uri: vec!["http://localhost:3000/".into(), "http://safe.net".into()],
+        redirect_uri: vec![TEST_SERVER_URL.into(), "http://safe.net".into()],
         scope: vec!["openid".into()],
         enabled: true,
     };
@@ -127,6 +129,7 @@ async fn test_openid_flow(_: PgPoolOptions, options: PgConnectOptions) {
     let response = client.get("/api/v1/oauth").send().await;
     assert_eq!(response.status(), StatusCode::OK);
 
+    // Try invalid request for `response_type = code id_token token`.
     let response = client
         .post(format!(
             "/api/v1/oauth/authorize?\
@@ -149,6 +152,7 @@ async fn test_openid_flow(_: PgPoolOptions, options: PgConnectOptions) {
         .unwrap();
     assert!(location.contains("error=invalid_request"));
 
+    // Try invalid request for `response_type = id_token`.
     let response = client
         .post(format!(
             "/api/v1/oauth/authorize?\
@@ -195,11 +199,11 @@ async fn test_openid_flow(_: PgPoolOptions, options: PgConnectOptions) {
         .to_str()
         .unwrap();
     let (location, query) = location.split_once('?').unwrap();
-    assert_eq!(location, "http://localhost:3000/");
+    assert_eq!(location, TEST_SERVER_URL);
     let auth_response: AuthenticationResponse = serde_qs::from_str(query).unwrap();
     assert_eq!(auth_response.state, "ABCDEF");
 
-    // exchange wrong code for token should fail
+    // Exchanging a wrong code for a token should fail.
     let response = client
         .post("/api/v1/oauth/token")
         .header(CONTENT_TYPE, "application/x-www-form-urlencoded")
@@ -215,23 +219,33 @@ async fn test_openid_flow(_: PgPoolOptions, options: PgConnectOptions) {
         .await;
     assert_eq!(response.status(), StatusCode::BAD_REQUEST);
 
-    // exchange correct code for token
+    // Exchange correct code for a token.
+    let token_body = format!(
+        "grant_type=authorization_code&\
+        code={}&\
+        redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&\
+        client_id={}&\
+        client_secret={}",
+        auth_response.code, openid_client.client_id, openid_client.client_secret
+    );
     let response = client
         .post("/api/v1/oauth/token")
         .header(CONTENT_TYPE, "application/x-www-form-urlencoded")
-        .body(format!(
-            "grant_type=authorization_code&\
-            code={}&\
-            redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&\
-            client_id={}&\
-            client_secret={}",
-            auth_response.code, openid_client.client_id, openid_client.client_secret
-        ))
+        .body(token_body.clone())
         .send()
         .await;
     assert_eq!(response.status(), StatusCode::OK);
 
-    // make sure access token cannot be used to manage defguard server itself
+    // Try to get another authentication code for the same code.
+    let another_response = client
+        .post("/api/v1/oauth/token")
+        .header(CONTENT_TYPE, "application/x-www-form-urlencoded")
+        .body(token_body)
+        .send()
+        .await;
+    assert_eq!(another_response.status(), StatusCode::BAD_REQUEST);
+
+    // Make sure access token cannot be used to manage Defguard server itself.
     client.post("/api/v1/auth/logout").send().await;
     let token_response: CoreTokenResponse = response.json().await;
     let bearer = format!("Bearer {}", token_response.access_token().secret());
@@ -249,7 +263,6 @@ async fn test_openid_flow(_: PgPoolOptions, options: PgConnectOptions) {
     assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
 
     // log back in
-    let auth = Auth::new("admin", "pass123");
     let response = client.post("/api/v1/auth").json(&auth).send().await;
     assert_eq!(response.status(), StatusCode::OK);
 
@@ -346,7 +359,7 @@ async fn test_openid_flow(_: PgPoolOptions, options: PgConnectOptions) {
             "/api/v1/oauth/authorize?\
             response_type=code&\
             client_id={}&\
-            redirect_uri=http://safe.net%3Fvalue1=one%26value2=two&\
+            redirect_uri=http://safe.net&\
             scope=profile&\
             state=ABCDEF&\
             allow=true&\
@@ -364,8 +377,6 @@ async fn test_openid_flow(_: PgPoolOptions, options: PgConnectOptions) {
         .unwrap();
     assert!(location.starts_with("http://safe.net"));
     assert!(location.contains("error=invalid_scope"));
-    assert!(location.contains("value1=one"));
-    assert!(location.contains("value2=two"));
 
     // test wrong redirect uri
     let response = client
@@ -414,7 +425,7 @@ async fn test_openid_flow(_: PgPoolOptions, options: PgConnectOptions) {
         .unwrap()
         .to_str()
         .unwrap();
-    assert!(location.starts_with("http://localhost:3000"));
+    assert!(location.starts_with(TEST_SERVER_URL));
     assert!(location.contains("error=access_denied"));
 }
 
@@ -696,7 +707,7 @@ async fn dg25_23_test_openid_client_scope_change_clears_authorizations(
     // Create OAuth2 client with initial scopes
     let oauth2client = NewOpenIDClient {
         name: "Test Client".into(),
-        redirect_uri: vec!["http://localhost:3000/".into()],
+        redirect_uri: vec![TEST_SERVER_URL.into()],
         scope: vec!["openid".into(), "email".into()],
         enabled: true,
     };
@@ -743,7 +754,7 @@ async fn dg25_23_test_openid_client_scope_change_clears_authorizations(
     // Update the client with different scopes
     let updated_client = NewOpenIDClient {
         name: "Test Client".into(),
-        redirect_uri: vec!["http://localhost:3000/".into()],
+        redirect_uri: vec![TEST_SERVER_URL.into()],
         scope: vec!["openid".into(), "profile".into()], // Changed from email to profile
         enabled: true,
     };
@@ -803,7 +814,7 @@ async fn dg25_23_test_openid_client_scope_change_clears_authorizations(
     // Update the client without changing scopes (only name)
     let same_scope_update = NewOpenIDClient {
         name: "Test Client Updated Name".into(),
-        redirect_uri: vec!["http://localhost:3000/".into()],
+        redirect_uri: vec![TEST_SERVER_URL.into()],
         scope: vec!["openid".into(), "profile".into()], // Same scopes
         enabled: true,
     };
@@ -846,7 +857,7 @@ async fn dg25_17_test_openid_open_redirects(_: PgPoolOptions, options: PgConnect
     // Create OAuth2 client
     let oauth2client = NewOpenIDClient {
         name: "Test Client".into(),
-        redirect_uri: vec!["http://localhost:3000/".into(), "http://safe.net/".into()],
+        redirect_uri: vec![TEST_SERVER_URL.into(), "http://safe.net/".into()],
         scope: vec!["openid".into(), "email".into()],
         enabled: true,
     };
@@ -860,17 +871,10 @@ async fn dg25_17_test_openid_open_redirects(_: PgPoolOptions, options: PgConnect
     let oauth2client: OAuth2Client<Id> = response.json().await;
 
     fn redirect_url(response: &TestResponse) -> String {
-        Url::parse(
-            response
-                .headers()
-                .get(reqwest::header::LOCATION)
-                .unwrap()
-                .to_str()
-                .unwrap(),
-        )
-        .unwrap()
-        .origin()
-        .ascii_serialization()
+        Url::parse(response.headers().get(LOCATION).unwrap().to_str().unwrap())
+            .unwrap()
+            .origin()
+            .ascii_serialization()
     }
 
     let fallback_url = state
@@ -895,7 +899,7 @@ async fn dg25_17_test_openid_open_redirects(_: PgPoolOptions, options: PgConnect
         .send()
         .await;
     assert_eq!(response.status(), StatusCode::FOUND);
-    assert_eq!(redirect_url(&response), fallback_url,);
+    assert_eq!(redirect_url(&response), fallback_url);
 
     let response = client
         .get(
@@ -997,7 +1001,7 @@ async fn dg25_17_test_openid_open_redirects(_: PgPoolOptions, options: PgConnect
         .send()
         .await;
     assert_eq!(response.status(), StatusCode::FOUND);
-    assert_eq!(redirect_url(&response), "http://safe.net",);
+    assert_eq!(redirect_url(&response), "http://safe.net");
 
     let response = client
         .get(format!(
@@ -1014,7 +1018,7 @@ async fn dg25_17_test_openid_open_redirects(_: PgPoolOptions, options: PgConnect
         .send()
         .await;
     assert_eq!(response.status(), StatusCode::FOUND);
-    assert_eq!(redirect_url(&response), "http://safe.net",);
+    assert_eq!(redirect_url(&response), "http://safe.net");
 }
 
 #[sqlx::test]
@@ -1220,7 +1224,7 @@ async fn dg25_21_test_openid_html_injection(_: PgPoolOptions, options: PgConnect
     for name in invalid_names {
         let openid_client = NewOpenIDClient {
             name: name.to_string(),
-            redirect_uri: vec!["http://localhost:3000/".into()],
+            redirect_uri: vec![TEST_SERVER_URL.into()],
             scope: vec!["openid".into()],
             enabled: true,
         };
@@ -1235,7 +1239,7 @@ async fn dg25_21_test_openid_html_injection(_: PgPoolOptions, options: PgConnect
     // create valid openid client
     let openid_client = NewOpenIDClient {
         name: "Test".to_string(),
-        redirect_uri: vec!["http://localhost:3000/".into()],
+        redirect_uri: vec![TEST_SERVER_URL.into()],
         scope: vec!["openid".into()],
         enabled: true,
     };
@@ -1252,7 +1256,7 @@ async fn dg25_21_test_openid_html_injection(_: PgPoolOptions, options: PgConnect
     for name in invalid_names {
         let openid_client = NewOpenIDClient {
             name: name.to_string(),
-            redirect_uri: vec!["http://localhost:3000/".into()],
+            redirect_uri: vec![TEST_SERVER_URL.into()],
             scope: vec!["openid".into()],
             enabled: true,
         };
@@ -1283,7 +1287,7 @@ async fn test_openid_flow_new_login_mail(_: PgPoolOptions, options: PgConnectOpt
     assert_eq!(response.status(), StatusCode::OK);
     let openid_client = NewOpenIDClient {
         name: "Test".into(),
-        redirect_uri: vec!["http://localhost:3000/".into()],
+        redirect_uri: vec![TEST_SERVER_URL.into()],
         scope: vec!["openid".into()],
         enabled: true,
     };
@@ -1324,7 +1328,7 @@ async fn test_openid_flow_new_login_mail(_: PgPoolOptions, options: PgConnectOpt
         .to_str()
         .unwrap();
     let (location, query) = location.split_once('?').unwrap();
-    assert_eq!(location, "http://localhost:3000/");
+    assert_eq!(location, TEST_SERVER_URL);
     let auth_response: AuthenticationResponse = serde_qs::from_str(query).unwrap();
     assert_eq!(auth_response.state, "ABCDEF");
 
diff --git a/crates/defguard_core/tests/integration/api/user.rs b/crates/defguard_core/tests/integration/api/user.rs
index a2c6307e59..197eea3afc 100644
--- a/crates/defguard_core/tests/integration/api/user.rs
+++ b/crates/defguard_core/tests/integration/api/user.rs
@@ -9,7 +9,10 @@ use reqwest::{StatusCode, header::USER_AGENT};
 use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 use tokio_stream::{self as stream, StreamExt};
 
-use super::common::{fetch_user_details, make_client, make_network, make_test_client, setup_pool};
+use super::{
+    TEST_SERVER_URL,
+    common::{fetch_user_details, make_client, make_network, make_test_client, setup_pool},
+};
 
 #[sqlx::test]
 async fn test_authenticate(_: PgPoolOptions, options: PgConnectOptions) {
@@ -399,7 +402,7 @@ async fn test_user_unregister_authorized_app(_: PgPoolOptions, options: PgConnec
     assert_eq!(response.status(), StatusCode::OK);
     let openid_client = NewOpenIDClient {
         name: "Test".into(),
-        redirect_uri: vec!["http://localhost:3000/".into()],
+        redirect_uri: vec![TEST_SERVER_URL.into()],
         scope: vec!["openid".into()],
         enabled: true,
     };

From 858a17e652d7c441e8426db3075f21aa765c906b Mon Sep 17 00:00:00 2001
From: Maciek <19913370+wojcik91@users.noreply.github.com>
Date: Fri, 19 Sep 2025 08:24:54 +0200
Subject: [PATCH 09/50] put mail handler into a separate crate (#1590)

* put random & secret modules into a common crate

* move DB setup code to common crate

* move version to common crate

* move id types to common crate

* move AuthCode model into common crate

* move auth key model

* move biometric auth model

* move device login model

* remove unnecessary feature flags

* move global value macro

* move model error

* move server config

* move hex module

* move protos to a separate crate

* put mailer into a separate crate

* update query data

* remove commented out code

* add new crates

* update flake inputs

* move AsCsv trait

* fix failing test

* move claims struct
---
 ...6a96461ecb5edf023ab88d71f9887fc0f2f2.json} |   6 +-
 Cargo.lock                                    |  73 ++++++++++++-
 Cargo.toml                                    |  13 ++-
 crates/defguard/Cargo.toml                    |   2 +
 crates/defguard/src/main.rs                   |  20 ++--
 crates/defguard_common/Cargo.toml             |  39 +++++++
 crates/defguard_common/build.rs               |  10 ++
 crates/defguard_common/src/auth/claims.rs     |  98 +++++++++++++++++
 crates/defguard_common/src/auth/mod.rs        |   1 +
 .../src/config.rs                             |  13 ++-
 crates/defguard_common/src/csv.rs             |  17 +++
 crates/defguard_common/src/db/mod.rs          |  47 ++++++++
 .../src/db/models/auth_code.rs                |  22 ++--
 .../src/db/models/authentication_key.rs       |   9 +-
 .../src/db/models/biometric_auth.rs           |  15 +--
 .../src/db/models/device_login.rs             |   6 +-
 .../src/db/models/error.rs                    |   0
 crates/defguard_common/src/db/models/mod.rs   |  15 +++
 .../src/db/models/settings.rs                 |  28 +++--
 crates/defguard_common/src/db/models/user.rs  |  30 ++++++
 .../src/globals.rs                            |   0
 .../src/hex.rs                                |   0
 crates/defguard_common/src/lib.rs             |  11 ++
 .../src/random.rs                             |   4 +-
 .../src/secret.rs                             |   0
 crates/defguard_core/Cargo.toml               |  29 ++---
 crates/defguard_core/build.rs                 |  41 +------
 crates/defguard_core/src/appstate.rs          |   4 +-
 crates/defguard_core/src/auth/mod.rs          | 101 +-----------------
 crates/defguard_core/src/db/mod.rs            |  42 +-------
 .../src/db/models/activity_log/metadata.rs    |  30 +++---
 .../src/db/models/activity_log/mod.rs         |   2 +-
 crates/defguard_core/src/db/models/device.rs  |  17 +--
 .../defguard_core/src/db/models/enrollment.rs |  52 ++++-----
 crates/defguard_core/src/db/models/group.rs   |   6 +-
 crates/defguard_core/src/db/models/mod.rs     |  25 ++---
 .../src/db/models/oauth2authorizedapp.rs      |   2 +-
 .../src/db/models/oauth2client.rs             |   6 +-
 .../src/db/models/oauth2token.rs              |   3 +-
 .../src/db/models/polling_token.rs            |   6 +-
 crates/defguard_core/src/db/models/session.rs |  12 ++-
 crates/defguard_core/src/db/models/user.rs    |  78 ++++----------
 .../defguard_core/src/db/models/webauthn.rs   |   3 +-
 crates/defguard_core/src/db/models/webhook.rs |   2 +-
 .../defguard_core/src/db/models/wireguard.rs  |  23 ++--
 .../src/db/models/wireguard_peer_stats.rs     |   2 +-
 crates/defguard_core/src/db/models/yubikey.rs |   2 +-
 .../activity_log_stream/http_stream.rs        |   8 +-
 .../src/enterprise/db/models/acl.rs           |   6 +-
 .../src/enterprise/db/models/acl/tests.rs     |   3 +-
 .../db/models/activity_log_stream.rs          |   4 +-
 .../src/enterprise/db/models/api_tokens.rs    |   2 +-
 .../enterprise/db/models/openid_provider.rs   |   2 +-
 .../src/enterprise/db/models/snat.rs          |   6 +-
 .../src/enterprise/directory_sync/mod.rs      |   3 +-
 .../src/enterprise/directory_sync/tests.rs    |  17 +--
 .../src/enterprise/firewall/mod.rs            |  13 +--
 .../src/enterprise/firewall/tests.rs          |  12 +--
 .../src/enterprise/grpc/desktop_client_mfa.rs |   2 +-
 .../src/enterprise/grpc/polling.rs            |   9 +-
 .../src/enterprise/handlers/acl.rs            |   2 +-
 .../handlers/activity_log_stream.rs           |   2 +-
 .../src/enterprise/handlers/api_tokens.rs     |   2 +-
 .../src/enterprise/handlers/openid_login.rs   |  10 +-
 .../enterprise/handlers/openid_providers.rs   |  12 +--
 .../src/enterprise/ldap/client.rs             |   6 +-
 .../defguard_core/src/enterprise/ldap/hash.rs |   3 +-
 .../defguard_core/src/enterprise/ldap/mod.rs  |  29 +++--
 .../src/enterprise/ldap/model.rs              |   7 +-
 .../defguard_core/src/enterprise/ldap/sync.rs |  30 ++----
 .../src/enterprise/ldap/tests.rs              |   7 +-
 .../src/enterprise/ldap/utils.rs              |   3 +-
 .../defguard_core/src/enterprise/license.rs   |   8 +-
 crates/defguard_core/src/enterprise/limits.rs |   3 +-
 .../src/enterprise/snat/handlers.rs           |   3 +-
 crates/defguard_core/src/error.rs             |   8 +-
 crates/defguard_core/src/events.rs            |  28 ++---
 crates/defguard_core/src/grpc/auth.rs         |   9 +-
 crates/defguard_core/src/grpc/client_mfa.rs   |  27 ++---
 crates/defguard_core/src/grpc/enrollment.rs   |  98 ++++++++---------
 .../src/grpc/gateway/client_state.rs          |   3 +-
 crates/defguard_core/src/grpc/gateway/map.rs  |   3 +-
 crates/defguard_core/src/grpc/gateway/mod.rs  |  17 +--
 .../defguard_core/src/grpc/gateway/state.rs   |   4 +-
 crates/defguard_core/src/grpc/interceptor.rs  |   6 +-
 crates/defguard_core/src/grpc/mod.rs          |  81 ++++----------
 .../defguard_core/src/grpc/password_reset.rs  |  10 +-
 crates/defguard_core/src/grpc/utils.rs        |  17 +--
 crates/defguard_core/src/grpc/worker.rs       |  12 +--
 .../src/handlers/activity_log.rs              |   7 +-
 crates/defguard_core/src/handlers/app_info.rs |   4 +-
 crates/defguard_core/src/handlers/auth.rs     |  22 ++--
 crates/defguard_core/src/handlers/group.rs    |   3 +-
 crates/defguard_core/src/handlers/mail.rs     |  25 +++--
 crates/defguard_core/src/handlers/mod.rs      |   9 +-
 .../src/handlers/network_devices.rs           |   6 +-
 .../defguard_core/src/handlers/openid_flow.rs |   7 +-
 crates/defguard_core/src/handlers/settings.rs |  19 ++--
 .../src/handlers/ssh_authorized_keys.rs       |   9 +-
 crates/defguard_core/src/handlers/user.rs     |   5 +-
 .../defguard_core/src/handlers/wireguard.rs   |   6 +-
 crates/defguard_core/src/handlers/worker.rs   |   3 +-
 crates/defguard_core/src/headers.rs           |  14 +--
 crates/defguard_core/src/lib.rs               |  65 +++--------
 crates/defguard_core/src/support.rs           |   7 +-
 crates/defguard_core/src/updates.rs           |   8 +-
 crates/defguard_core/src/utility_thread.rs    |   3 +-
 crates/defguard_core/src/wg_config.rs         |   2 +-
 .../src/wireguard_peer_disconnect.rs          |   4 +-
 .../tests/integration/api/acl.rs              |  11 +-
 .../tests/integration/api/auth.rs             |   5 +-
 .../tests/integration/api/common/mod.rs       |  16 +--
 .../tests/integration/api/forward_auth.rs     |   3 +-
 .../tests/integration/api/oauth.rs            |   3 +-
 .../tests/integration/api/openid.rs           |   3 +-
 .../tests/integration/api/openid_login.rs     |   2 +-
 .../tests/integration/api/settings.rs         |   6 +-
 .../tests/integration/api/snat.rs             |   2 +-
 .../tests/integration/api/user.rs             |   3 +-
 .../tests/integration/api/webhook.rs          |   6 +-
 .../tests/integration/api/wireguard.rs        |   4 +-
 .../api/wireguard_network_allowed_groups.rs   |   4 +-
 .../api/wireguard_network_devices.rs          |   3 +-
 .../api/wireguard_network_stats.rs            |  16 ++-
 .../defguard_core/tests/integration/common.rs |   3 +-
 .../integration/grpc/common/mock_gateway.rs   |  10 +-
 .../tests/integration/grpc/common/mod.rs      |   5 +-
 .../tests/integration/grpc/gateway.rs         |  17 ++-
 crates/defguard_event_logger/Cargo.toml       |  17 +--
 crates/defguard_event_logger/src/lib.rs       |  38 ++++---
 crates/defguard_event_logger/src/message.rs   |   8 +-
 crates/defguard_event_router/Cargo.toml       |   1 +
 crates/defguard_event_router/src/lib.rs       |   2 +-
 crates/defguard_mail/Cargo.toml               |  26 +++++
 .../src/mail.rs => defguard_mail/src/lib.rs}  |   4 +-
 .../src/templates.rs                          |  62 ++++++-----
 .../templates/base.tera                       |   0
 .../templates/macros.tera                     |   0
 .../templates/mail_desktop_start.tera         |   0
 .../templates/mail_email_mfa_activation.tera  |   0
 .../templates/mail_email_mfa_code.tera        |   0
 .../mail_enrollment_admin_notification.tera   |   0
 .../templates/mail_enrollment_start.tera      |   0
 .../templates/mail_enrollment_welcome.tera    |   0
 .../templates/mail_gateway_disconnected.tera  |   0
 .../templates/mail_gateway_reconnected.tera   |   0
 .../templates/mail_mfa_configured.tera        |   0
 .../templates/mail_new_device_added.tera      |   0
 .../templates/mail_new_device_login.tera      |   0
 .../templates/mail_new_device_ocid_login.tera |   0
 .../templates/mail_password_reset_start.tera  |   0
 .../mail_password_reset_success.tera          |   0
 .../templates/mail_support_data.tera          |   0
 .../templates/mail_test.tera                  |   0
 crates/defguard_proto/Cargo.toml              |  17 +++
 crates/defguard_proto/build.rs                |  37 +++++++
 crates/defguard_proto/src/lib.rs              |  66 ++++++++++++
 deny.toml                                     |   9 ++
 flake.lock                                    |  12 +--
 159 files changed, 1186 insertions(+), 967 deletions(-)
 rename .sqlx/{query-7ddef79c85c3e85b979d5a8a5e50660bcae531c2b8342ae2feffea7454450f10.json => query-4a1fba6c990265bc278d4e1534f06a96461ecb5edf023ab88d71f9887fc0f2f2.json} (94%)
 create mode 100644 crates/defguard_common/Cargo.toml
 create mode 100644 crates/defguard_common/build.rs
 create mode 100644 crates/defguard_common/src/auth/claims.rs
 create mode 100644 crates/defguard_common/src/auth/mod.rs
 rename crates/{defguard_core => defguard_common}/src/config.rs (97%)
 create mode 100644 crates/defguard_common/src/csv.rs
 create mode 100644 crates/defguard_common/src/db/mod.rs
 rename crates/{defguard_core => defguard_common}/src/db/models/auth_code.rs (82%)
 rename crates/{defguard_core => defguard_common}/src/db/models/authentication_key.rs (94%)
 rename crates/{defguard_core => defguard_common}/src/db/models/biometric_auth.rs (95%)
 rename crates/{defguard_core => defguard_common}/src/db/models/device_login.rs (93%)
 rename crates/{defguard_core => defguard_common}/src/db/models/error.rs (100%)
 create mode 100644 crates/defguard_common/src/db/models/mod.rs
 rename crates/{defguard_core => defguard_common}/src/db/models/settings.rs (95%)
 create mode 100644 crates/defguard_common/src/db/models/user.rs
 rename crates/{defguard_core => defguard_common}/src/globals.rs (100%)
 rename crates/{defguard_core => defguard_common}/src/hex.rs (100%)
 create mode 100644 crates/defguard_common/src/lib.rs
 rename crates/{defguard_core => defguard_common}/src/random.rs (77%)
 rename crates/{defguard_core => defguard_common}/src/secret.rs (100%)
 create mode 100644 crates/defguard_mail/Cargo.toml
 rename crates/{defguard_core/src/mail.rs => defguard_mail/src/lib.rs} (98%)
 rename crates/{defguard_core => defguard_mail}/src/templates.rs (93%)
 rename crates/{defguard_core => defguard_mail}/templates/base.tera (100%)
 rename crates/{defguard_core => defguard_mail}/templates/macros.tera (100%)
 rename crates/{defguard_core => defguard_mail}/templates/mail_desktop_start.tera (100%)
 rename crates/{defguard_core => defguard_mail}/templates/mail_email_mfa_activation.tera (100%)
 rename crates/{defguard_core => defguard_mail}/templates/mail_email_mfa_code.tera (100%)
 rename crates/{defguard_core => defguard_mail}/templates/mail_enrollment_admin_notification.tera (100%)
 rename crates/{defguard_core => defguard_mail}/templates/mail_enrollment_start.tera (100%)
 rename crates/{defguard_core => defguard_mail}/templates/mail_enrollment_welcome.tera (100%)
 rename crates/{defguard_core => defguard_mail}/templates/mail_gateway_disconnected.tera (100%)
 rename crates/{defguard_core => defguard_mail}/templates/mail_gateway_reconnected.tera (100%)
 rename crates/{defguard_core => defguard_mail}/templates/mail_mfa_configured.tera (100%)
 rename crates/{defguard_core => defguard_mail}/templates/mail_new_device_added.tera (100%)
 rename crates/{defguard_core => defguard_mail}/templates/mail_new_device_login.tera (100%)
 rename crates/{defguard_core => defguard_mail}/templates/mail_new_device_ocid_login.tera (100%)
 rename crates/{defguard_core => defguard_mail}/templates/mail_password_reset_start.tera (100%)
 rename crates/{defguard_core => defguard_mail}/templates/mail_password_reset_success.tera (100%)
 rename crates/{defguard_core => defguard_mail}/templates/mail_support_data.tera (100%)
 rename crates/{defguard_core => defguard_mail}/templates/mail_test.tera (100%)
 create mode 100644 crates/defguard_proto/Cargo.toml
 create mode 100644 crates/defguard_proto/build.rs
 create mode 100644 crates/defguard_proto/src/lib.rs

diff --git a/.sqlx/query-7ddef79c85c3e85b979d5a8a5e50660bcae531c2b8342ae2feffea7454450f10.json b/.sqlx/query-4a1fba6c990265bc278d4e1534f06a96461ecb5edf023ab88d71f9887fc0f2f2.json
similarity index 94%
rename from .sqlx/query-7ddef79c85c3e85b979d5a8a5e50660bcae531c2b8342ae2feffea7454450f10.json
rename to .sqlx/query-4a1fba6c990265bc278d4e1534f06a96461ecb5edf023ab88d71f9887fc0f2f2.json
index 9f60163eac..fa1068e52b 100644
--- a/.sqlx/query-7ddef79c85c3e85b979d5a8a5e50660bcae531c2b8342ae2feffea7454450f10.json
+++ b/.sqlx/query-4a1fba6c990265bc278d4e1534f06a96461ecb5edf023ab88d71f9887fc0f2f2.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT openid_enabled, wireguard_enabled, webhooks_enabled, worker_enabled, challenge_template, instance_name, main_logo_url, nav_logo_url, smtp_server, smtp_port, smtp_encryption \"smtp_encryption: _\", smtp_user, smtp_password \"smtp_password?: SecretStringWrapper\", smtp_sender, enrollment_vpn_step_optional, enrollment_welcome_message, enrollment_welcome_email, enrollment_welcome_email_subject, enrollment_use_welcome_message_as_email, uuid, ldap_url, ldap_bind_username, ldap_bind_password \"ldap_bind_password?: SecretStringWrapper\", ldap_group_search_base, ldap_user_search_base, ldap_user_obj_class, ldap_group_obj_class, ldap_username_attr, ldap_groupname_attr, ldap_group_member_attr, ldap_member_attr, openid_create_account, license, gateway_disconnect_notifications_enabled, ldap_use_starttls, ldap_tls_verify_cert, gateway_disconnect_notifications_inactivity_threshold, gateway_disconnect_notifications_reconnect_notification_enabled, ldap_sync_status \"ldap_sync_status: SyncStatus\", ldap_enabled, ldap_sync_enabled, ldap_is_authoritative, ldap_sync_interval, ldap_user_auxiliary_obj_classes, ldap_uses_ad, ldap_user_rdn_attr, ldap_sync_groups, openid_username_handling \"openid_username_handling: OpenidUsernameHandling\" FROM \"settings\" WHERE id = 1",
+  "query": "SELECT openid_enabled, wireguard_enabled, webhooks_enabled, worker_enabled, challenge_template, instance_name, main_logo_url, nav_logo_url, smtp_server, smtp_port, smtp_encryption \"smtp_encryption: _\", smtp_user, smtp_password \"smtp_password?: SecretStringWrapper\", smtp_sender, enrollment_vpn_step_optional, enrollment_welcome_message, enrollment_welcome_email, enrollment_welcome_email_subject, enrollment_use_welcome_message_as_email, uuid, ldap_url, ldap_bind_username, ldap_bind_password \"ldap_bind_password?: SecretStringWrapper\", ldap_group_search_base, ldap_user_search_base, ldap_user_obj_class, ldap_group_obj_class, ldap_username_attr, ldap_groupname_attr, ldap_group_member_attr, ldap_member_attr, openid_create_account, license, gateway_disconnect_notifications_enabled, ldap_use_starttls, ldap_tls_verify_cert, gateway_disconnect_notifications_inactivity_threshold, gateway_disconnect_notifications_reconnect_notification_enabled, ldap_sync_status \"ldap_sync_status: LdapSyncStatus\", ldap_enabled, ldap_sync_enabled, ldap_is_authoritative, ldap_sync_interval, ldap_user_auxiliary_obj_classes, ldap_uses_ad, ldap_user_rdn_attr, ldap_sync_groups, openid_username_handling \"openid_username_handling: OpenidUsernameHandling\" FROM \"settings\" WHERE id = 1",
   "describe": {
     "columns": [
       {
@@ -206,7 +206,7 @@
       },
       {
         "ordinal": 38,
-        "name": "ldap_sync_status: SyncStatus",
+        "name": "ldap_sync_status: LdapSyncStatus",
         "type_info": {
           "Custom": {
             "name": "ldap_sync_status",
@@ -330,5 +330,5 @@
       false
     ]
   },
-  "hash": "7ddef79c85c3e85b979d5a8a5e50660bcae531c2b8342ae2feffea7454450f10"
+  "hash": "4a1fba6c990265bc278d4e1534f06a96461ecb5edf023ab88d71f9887fc0f2f2"
 }
diff --git a/Cargo.lock b/Cargo.lock
index 7215fcceea..913382c6d9 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1066,9 +1066,11 @@ version = "0.0.0"
 dependencies = [
  "anyhow",
  "bytes",
+ "defguard_common",
  "defguard_core",
  "defguard_event_logger",
  "defguard_event_router",
+ "defguard_mail",
  "defguard_version",
  "dotenvy",
  "secrecy",
@@ -1077,8 +1079,38 @@ dependencies = [
 ]
 
 [[package]]
-name = "defguard_core"
+name = "defguard_common"
 version = "1.5.0"
+dependencies = [
+ "anyhow",
+ "base64 0.22.1",
+ "chrono",
+ "clap",
+ "ed25519-dalek",
+ "humantime",
+ "ipnetwork",
+ "jsonwebtoken",
+ "matches",
+ "model_derive",
+ "openidconnect",
+ "rand 0.8.5",
+ "reqwest",
+ "rsa",
+ "secrecy",
+ "serde",
+ "sqlx",
+ "struct-patch",
+ "thiserror 2.0.16",
+ "tonic",
+ "tracing",
+ "utoipa",
+ "uuid",
+ "vergen-git2",
+]
+
+[[package]]
+name = "defguard_core"
+version = "0.0.0"
 dependencies = [
  "ammonia",
  "anyhow",
@@ -1091,10 +1123,11 @@ dependencies = [
  "bytes",
  "chrono",
  "claims",
- "clap",
+ "defguard_common",
+ "defguard_mail",
+ "defguard_proto",
  "defguard_version",
  "defguard_web_ui",
- "ed25519-dalek",
  "humantime",
  "hyper-util",
  "ipnetwork",
@@ -1110,7 +1143,6 @@ dependencies = [
  "paste",
  "pgp",
  "prost",
- "pulldown-cmark",
  "rand 0.8.5",
  "regex",
  "reqwest",
@@ -1149,7 +1181,6 @@ dependencies = [
  "utoipa",
  "utoipa-swagger-ui",
  "uuid",
- "vergen-git2",
  "webauthn-authenticator-rs",
  "webauthn-rs",
  "webauthn-rs-proto",
@@ -1162,6 +1193,7 @@ version = "0.0.0"
 dependencies = [
  "bytes",
  "chrono",
+ "defguard_common",
  "defguard_core",
  "serde_json",
  "sqlx",
@@ -1176,11 +1208,42 @@ version = "0.0.0"
 dependencies = [
  "defguard_core",
  "defguard_event_logger",
+ "defguard_mail",
  "thiserror 2.0.16",
  "tokio",
  "tracing",
 ]
 
+[[package]]
+name = "defguard_mail"
+version = "0.0.0"
+dependencies = [
+ "chrono",
+ "claims",
+ "defguard_common",
+ "lettre",
+ "pulldown-cmark",
+ "reqwest",
+ "serde",
+ "serde_json",
+ "sqlx",
+ "tera",
+ "thiserror 2.0.16",
+ "tokio",
+ "tracing",
+]
+
+[[package]]
+name = "defguard_proto"
+version = "0.0.0"
+dependencies = [
+ "prost",
+ "serde",
+ "tonic",
+ "tonic-prost",
+ "tonic-prost-build",
+]
+
 [[package]]
 name = "defguard_version"
 version = "0.0.0"
diff --git a/Cargo.toml b/Cargo.toml
index d6405991da..513ecf7cf7 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -11,9 +11,12 @@ resolver = "2"
 
 [workspace.dependencies]
 # internal crates
-defguard_core = { path = "./crates/defguard_core", version = "1.5.0" }
+defguard_common = { path = "./crates/defguard_common", version = "1.5.0" }
+defguard_core = { path = "./crates/defguard_core", version = "0.0.0" }
 defguard_event_logger = { path = "./crates/defguard_event_logger", version = "0.0.0" }
 defguard_event_router = { path = "./crates/defguard_event_router", version = "0.0.0" }
+defguard_mail = { path = "./crates/defguard_mail", version = "0.0.0" }
+defguard_proto = { path = "./crates/defguard_proto", version = "0.0.0" }
 defguard_version = { path = "./crates/defguard_version", version = "0.0.0" }
 defguard_web_ui = { path = "./crates/defguard_web_ui", version = "0.0.0" }
 model_derive = { path = "./crates/model_derive", version = "0.0.0" }
@@ -35,6 +38,7 @@ chrono = { version = "0.4", default-features = false, features = [
     "clock",
     "serde",
 ] }
+claims = "0.8"
 clap = { version = "4.5", features = ["derive", "env"] }
 humantime = "2.1"
 # match version used by sqlx
@@ -43,10 +47,15 @@ jsonwebkey = { version = "0.3", features = ["pkcs-convert"] }
 jsonwebtoken = "9.3"
 ldap3 = { version = "0.11", default-features = false, features = ["tls"] }
 lettre = { version = "0.11", features = ["tokio1-native-tls"] }
+matches = "0.1"
 md4 = "0.10"
+openidconnect = { version = "4.0", default-features = false, features = [
+    "reqwest",
+] }
 parse_link_header = "0.4"
 paste = "1.0"
 pgp = { version = "0.16", default-features = false }
+prost = "0.14"
 pulldown-cmark = "0.13"
 # match version used by sqlx
 rand = "0.8"
@@ -93,6 +102,8 @@ tonic = { version = "0.14", features = [
     "tls-ring",
 ] }
 tonic-health = "0.14"
+tonic-prost = "0.14"
+tonic-prost-build = "0.14"
 totp-lite = { version = "2.0" }
 tower-http = { version = "0.6", features = ["fs", "trace", "set-header"] }
 tracing = "0.1"
diff --git a/crates/defguard/Cargo.toml b/crates/defguard/Cargo.toml
index a9837db037..8399bb0ae5 100644
--- a/crates/defguard/Cargo.toml
+++ b/crates/defguard/Cargo.toml
@@ -9,9 +9,11 @@ rust-version.workspace = true
 
 [dependencies]
 # internal crates
+defguard_common = { workspace = true }
 defguard_core = { workspace = true }
 defguard_event_router = { workspace = true }
 defguard_event_logger = { workspace = true }
+defguard_mail = { workspace = true }
 defguard_version = { workspace = true }
 
 # external dependencies
diff --git a/crates/defguard/src/main.rs b/crates/defguard/src/main.rs
index d59c944b97..3c7576a2ee 100644
--- a/crates/defguard/src/main.rs
+++ b/crates/defguard/src/main.rs
@@ -4,14 +4,17 @@ use std::{
 };
 
 use bytes::Bytes;
-use defguard_core::{
-    SERVER_CONFIG, VERSION,
-    auth::failed_login::FailedLoginMap,
-    config::{Command, DefGuardConfig},
+use defguard_common::{
+    VERSION,
+    config::{Command, DefGuardConfig, SERVER_CONFIG},
     db::{
-        AppEvent, GatewayEvent, Settings, User, init_db,
-        models::settings::initialize_current_settings,
+        init_db,
+        models::{Settings, settings::initialize_current_settings},
     },
+};
+use defguard_core::{
+    auth::failed_login::FailedLoginMap,
+    db::{AppEvent, GatewayEvent, User},
     enterprise::{
         activity_log_stream::activity_log_stream_manager::run_activity_log_stream_manager,
         license::{License, run_periodic_license_check, set_cached_license},
@@ -23,9 +26,7 @@ use defguard_core::{
         gateway::{client_state::ClientMap, map::GatewayMap},
         run_grpc_bidi_stream, run_grpc_server,
     },
-    init_dev_env, init_vpn_location,
-    mail::{Mail, run_mail_handler},
-    run_web_server,
+    init_dev_env, init_vpn_location, run_web_server,
     utility_thread::run_utility_thread,
     version::IncompatibleComponents,
     wireguard_peer_disconnect::run_periodic_peer_disconnect,
@@ -33,6 +34,7 @@ use defguard_core::{
 };
 use defguard_event_logger::{message::EventLoggerMessage, run_event_logger};
 use defguard_event_router::{RouterReceiverSet, run_event_router};
+use defguard_mail::{Mail, run_mail_handler};
 use secrecy::ExposeSecret;
 use tokio::sync::{broadcast, mpsc::unbounded_channel};
 
diff --git a/crates/defguard_common/Cargo.toml b/crates/defguard_common/Cargo.toml
new file mode 100644
index 0000000000..e035598ecf
--- /dev/null
+++ b/crates/defguard_common/Cargo.toml
@@ -0,0 +1,39 @@
+[package]
+name = "defguard_common"
+version = "1.5.0"
+edition.workspace = true
+license-file.workspace = true
+homepage.workspace = true
+repository.workspace = true
+rust-version.workspace = true
+
+[dependencies]
+model_derive.workspace = true
+
+anyhow.workspace = true
+base64.workspace = true
+chrono.workspace = true
+clap.workspace = true
+ed25519-dalek = { version = "2.2", features = ["rand_core"] }
+humantime.workspace = true
+ipnetwork.workspace = true
+jsonwebtoken.workspace = true
+openidconnect.workspace = true
+rand.workspace = true
+reqwest.workspace = true
+rsa.workspace = true
+secrecy.workspace = true
+serde.workspace = true
+sqlx.workspace = true
+struct-patch.workspace = true
+thiserror.workspace = true
+tonic.workspace = true
+tracing.workspace = true
+utoipa.workspace = true
+uuid.workspace = true
+
+[dev-dependencies]
+matches.workspace = true
+
+[build-dependencies]
+vergen-git2 = { version = "1.0", features = ["build"] }
diff --git a/crates/defguard_common/build.rs b/crates/defguard_common/build.rs
new file mode 100644
index 0000000000..d1e71d8bbe
--- /dev/null
+++ b/crates/defguard_common/build.rs
@@ -0,0 +1,10 @@
+use vergen_git2::{Emitter, Git2Builder};
+
+fn main() -> Result<(), Box<dyn std::error::Error>> {
+    // set VERGEN_GIT_SHA env variable based on git commit hash
+    let git2 = Git2Builder::default().branch(true).sha(true).build()?;
+    Emitter::default().add_instructions(&git2)?.emit()?;
+
+    println!("cargo:rerun-if-changed=../../migrations");
+    Ok(())
+}
diff --git a/crates/defguard_common/src/auth/claims.rs b/crates/defguard_common/src/auth/claims.rs
new file mode 100644
index 0000000000..bca84e18e7
--- /dev/null
+++ b/crates/defguard_common/src/auth/claims.rs
@@ -0,0 +1,98 @@
+use std::{
+    env,
+    time::{Duration, SystemTime},
+};
+
+use jsonwebtoken::{
+    DecodingKey, EncodingKey, Header, Validation, decode, encode, errors::Error as JWTError,
+};
+use serde::{Deserialize, Serialize};
+
+pub static JWT_ISSUER: &str = "DefGuard";
+pub static AUTH_SECRET_ENV: &str = "DEFGUARD_AUTH_SECRET";
+pub static GATEWAY_SECRET_ENV: &str = "DEFGUARD_GATEWAY_SECRET";
+pub static YUBIBRIDGE_SECRET_ENV: &str = "DEFGUARD_YUBIBRIDGE_SECRET";
+
+#[derive(Clone, Copy, Default)]
+pub enum ClaimsType {
+    #[default]
+    Auth,
+    Gateway,
+    YubiBridge,
+    DesktopClient,
+}
+
+/// Standard claims: https://www.iana.org/assignments/jwt/jwt.xhtml
+#[derive(Deserialize, Serialize)]
+pub struct Claims {
+    #[serde(skip_serializing, skip_deserializing)]
+    secret: String,
+    // issuer
+    pub iss: String,
+    // subject
+    pub sub: String,
+    // client identifier
+    pub client_id: String,
+    // expiration time
+    pub exp: u64,
+    // not before
+    pub nbf: u64,
+}
+
+impl Claims {
+    #[must_use]
+    pub fn new(claims_type: ClaimsType, sub: String, client_id: String, duration: u64) -> Self {
+        let now = SystemTime::now();
+        let exp = now
+            .checked_add(Duration::from_secs(duration))
+            .expect("valid time")
+            .duration_since(SystemTime::UNIX_EPOCH)
+            .expect("valid timestamp")
+            .as_secs();
+        let nbf = now
+            .duration_since(SystemTime::UNIX_EPOCH)
+            .expect("valid timestamp")
+            .as_secs();
+        Self {
+            secret: Self::get_secret(claims_type),
+            iss: JWT_ISSUER.to_string(),
+            sub,
+            client_id,
+            exp,
+            nbf,
+        }
+    }
+
+    fn get_secret(claims_type: ClaimsType) -> String {
+        let env_var = match claims_type {
+            ClaimsType::Auth | ClaimsType::DesktopClient => AUTH_SECRET_ENV,
+            ClaimsType::Gateway => GATEWAY_SECRET_ENV,
+            ClaimsType::YubiBridge => YUBIBRIDGE_SECRET_ENV,
+        };
+        env::var(env_var).unwrap_or_default()
+    }
+
+    /// Convert claims to JWT.
+    pub fn to_jwt(&self) -> Result<String, JWTError> {
+        encode(
+            &Header::default(),
+            self,
+            &EncodingKey::from_secret(self.secret.as_bytes()),
+        )
+    }
+
+    /// Verify JWT and, if successful, convert it to claims.
+    pub fn from_jwt(claims_type: ClaimsType, token: &str) -> Result<Self, JWTError> {
+        let secret = Self::get_secret(claims_type);
+        let mut validation = Validation::default();
+        validation.validate_nbf = true;
+        validation.set_issuer(&[JWT_ISSUER]);
+        validation.set_required_spec_claims(&["iss", "sub", "exp", "nbf"]);
+        decode::<Self>(
+            token,
+            &DecodingKey::from_secret(secret.as_bytes()),
+            &validation,
+        )
+        .map(|data| data.claims)
+    }
+}
diff --git a/crates/defguard_common/src/auth/mod.rs b/crates/defguard_common/src/auth/mod.rs
new file mode 100644
index 0000000000..c0e708bb12
--- /dev/null
+++ b/crates/defguard_common/src/auth/mod.rs
@@ -0,0 +1 @@
+pub mod claims;
diff --git a/crates/defguard_core/src/config.rs b/crates/defguard_common/src/config.rs
similarity index 97%
rename from crates/defguard_core/src/config.rs
rename to crates/defguard_common/src/config.rs
index e3cf365da5..2549ce610b 100644
--- a/crates/defguard_core/src/config.rs
+++ b/crates/defguard_common/src/config.rs
@@ -1,4 +1,4 @@
-use std::net::IpAddr;
+use std::{net::IpAddr, sync::OnceLock};
 
 use clap::{Args, Parser, Subcommand};
 use humantime::Duration;
@@ -12,6 +12,15 @@ use rsa::{
     traits::PublicKeyParts,
 };
 use secrecy::{ExposeSecret, SecretString};
+use serde::Serialize;
+
+pub static SERVER_CONFIG: OnceLock<DefGuardConfig> = OnceLock::new();
+
+pub fn server_config() -> &'static DefGuardConfig {
+    SERVER_CONFIG
+        .get()
+        .expect("Server configuration not set yet")
+}
 
 #[derive(Clone, Parser, Serialize, Debug)]
 #[command(version)]
@@ -281,7 +290,7 @@ impl DefGuardConfig {
 
     /// Returns configured URL with "auth/callback" appended to the path.
     #[must_use]
-    pub(crate) fn callback_url(&self) -> Url {
+    pub fn callback_url(&self) -> Url {
         let mut url = self.url.clone();
         // Append "auth/callback" to the URL.
         if let Ok(mut path_segments) = url.path_segments_mut() {
diff --git a/crates/defguard_common/src/csv.rs b/crates/defguard_common/src/csv.rs
new file mode 100644
index 0000000000..1695bafaba
--- /dev/null
+++ b/crates/defguard_common/src/csv.rs
@@ -0,0 +1,17 @@
+pub trait AsCsv {
+    fn as_csv(&self) -> String;
+}
+
+impl<T, I> AsCsv for I
+where
+    I: ?Sized + std::iter::IntoIterator<Item = T>,
+    for<'a> &'a I: IntoIterator<Item = &'a T>,
+    T: ToString,
+{
+    fn as_csv(&self) -> String {
+        self.into_iter()
+            .map(ToString::to_string)
+            .collect::<Vec<_>>()
+            .join(",")
+    }
+}
diff --git a/crates/defguard_common/src/db/mod.rs b/crates/defguard_common/src/db/mod.rs
new file mode 100644
index 0000000000..d7ca63d055
--- /dev/null
+++ b/crates/defguard_common/src/db/mod.rs
@@ -0,0 +1,47 @@
+use serde::{Deserialize, Serialize};
+use sqlx::{
+    PgPool,
+    postgres::{PgConnectOptions, PgPoolOptions},
+};
+use tracing::info;
+use utoipa::ToSchema;
+
+pub mod models;
+
+#[derive(Clone, Debug, Deserialize, PartialEq, Serialize, ToSchema, Eq, Default, Hash)]
+pub struct NoId;
+pub type Id = i64;
+
+// helper for easier migration handling with a custom `migration` folder location
+// reference: https://docs.rs/sqlx/latest/sqlx/attr.test.html#automatic-migrations-requires-migrate-feature
+pub static MIGRATOR: sqlx::migrate::Migrator = sqlx::migrate!("../../migrations");
+
+/// Initializes and migrates postgres database. Returns DB pool object.
+pub async fn init_db(host: &str, port: u16, name: &str, user: &str, password: &str) -> PgPool {
+    info!("Initializing DB pool");
+    let opts = PgConnectOptions::new()
+        .host(host)
+        .port(port)
+        .username(user)
+        .password(password)
+        .database(name);
+    let pool = PgPool::connect_with(opts)
+        .await
+        .expect("Database connection failed");
+    MIGRATOR
+        .run(&pool)
+        .await
+        .expect("Cannot run database migrations.");
+    pool
+}
+
+// Helper function to instantiate pool manually as a workaround for issues with `sqlx::test` macro
+// reference: https://github.com/launchbadge/sqlx/issues/2567#issuecomment-2009849261
+pub async fn setup_pool(options: PgConnectOptions) -> PgPool {
+    let pool = PgPoolOptions::new().connect_with(options).await.unwrap();
+    MIGRATOR
+        .run(&pool)
+        .await
+        .expect("Cannot run database migrations.");
+    pool
+}
diff --git a/crates/defguard_core/src/db/models/auth_code.rs b/crates/defguard_common/src/db/models/auth_code.rs
similarity index 82%
rename from crates/defguard_core/src/db/models/auth_code.rs
rename to crates/defguard_common/src/db/models/auth_code.rs
index 5cf60f13dd..b57774c708 100644
--- a/crates/defguard_core/src/db/models/auth_code.rs
+++ b/crates/defguard_common/src/db/models/auth_code.rs
@@ -9,22 +9,22 @@ use crate::{
 
 #[derive(Model)]
 #[table(authorization_code)]
-pub(crate) struct AuthCode<I = NoId> {
+pub struct AuthCode<I = NoId> {
     #[allow(dead_code)]
     id: I,
-    pub(crate) user_id: Id,
-    pub(crate) client_id: String,
-    pub(crate) code: String,
-    pub(crate) redirect_uri: String,
-    pub(crate) scope: String,
-    pub(crate) auth_time: i64,
-    pub(crate) nonce: Option<String>,
-    pub(crate) code_challenge: Option<String>,
+    pub user_id: Id,
+    pub client_id: String,
+    pub code: String,
+    pub redirect_uri: String,
+    pub scope: String,
+    pub auth_time: i64,
+    pub nonce: Option<String>,
+    pub code_challenge: Option<String>,
 }
 
 impl AuthCode {
     #[must_use]
-    pub(crate) fn new(
+    pub fn new(
         user_id: Id,
         client_id: String,
         redirect_uri: String,
@@ -66,7 +66,7 @@ impl From<AuthCode<Id>> for AuthCode<NoId> {
 impl AuthCode<Id> {
     /// Find by code.
     /// If found, delete `AuthCode` from the database right away, so it can't be reused.
-    pub(crate) async fn find_code<'e, E>(
+    pub async fn find_code<'e, E>(
         executor: E,
         code: &str,
     ) -> Result<Option<AuthCode<NoId>>, sqlx::Error>
diff --git a/crates/defguard_core/src/db/models/authentication_key.rs b/crates/defguard_common/src/db/models/authentication_key.rs
similarity index 94%
rename from crates/defguard_core/src/db/models/authentication_key.rs
rename to crates/defguard_common/src/db/models/authentication_key.rs
index 84ddd50183..a1bc189586 100644
--- a/crates/defguard_core/src/db/models/authentication_key.rs
+++ b/crates/defguard_common/src/db/models/authentication_key.rs
@@ -1,6 +1,7 @@
 use std::fmt::Display;
 
 use model_derive::Model;
+use serde::{Deserialize, Serialize};
 use sqlx::{Error as SqlxError, PgExecutor, Type, query_as};
 
 use crate::db::{Id, NoId};
@@ -25,11 +26,11 @@ impl Display for AuthenticationKeyType {
 #[derive(Clone, Debug, Deserialize, Model, Serialize)]
 #[table(authentication_key)]
 pub struct AuthenticationKey<I = NoId> {
-    pub(crate) id: I,
-    pub(crate) yubikey_id: Option<i64>,
+    pub id: I,
+    pub yubikey_id: Option<i64>,
     pub name: Option<String>,
-    pub(crate) user_id: Id,
-    pub(crate) key: String,
+    pub user_id: Id,
+    pub key: String,
     #[model(enum)]
     pub key_type: AuthenticationKeyType,
 }
diff --git a/crates/defguard_core/src/db/models/biometric_auth.rs b/crates/defguard_common/src/db/models/biometric_auth.rs
similarity index 95%
rename from crates/defguard_core/src/db/models/biometric_auth.rs
rename to crates/defguard_common/src/db/models/biometric_auth.rs
index 1ac93a4e7a..8f477b5fc0 100644
--- a/crates/defguard_core/src/db/models/biometric_auth.rs
+++ b/crates/defguard_common/src/db/models/biometric_auth.rs
@@ -57,7 +57,7 @@ impl BiometricAuth {
 }
 
 impl BiometricAuth<Id> {
-    pub(crate) async fn find_by_device_id<'e, E>(
+    pub async fn find_by_device_id<'e, E>(
         executor: E,
         device_id: Id,
     ) -> Result<Option<Self>, sqlx::Error>
@@ -73,7 +73,7 @@ impl BiometricAuth<Id> {
         .await
     }
 
-    pub(crate) async fn verify_owner<'e, E>(
+    pub async fn verify_owner<'e, E>(
         executor: E,
         user_id: Id,
         pub_key: &str,
@@ -91,10 +91,7 @@ impl BiometricAuth<Id> {
         Ok(q_result.is_some())
     }
 
-    pub(crate) async fn find_by_user_id<'e, E>(
-        executor: E,
-        user_id: Id,
-    ) -> Result<Vec<Self>, sqlx::Error>
+    pub async fn find_by_user_id<'e, E>(executor: E, user_id: Id) -> Result<Vec<Self>, sqlx::Error>
     where
         E: PgExecutor<'e>,
     {
@@ -124,6 +121,12 @@ fn decode_pub_key(public_key: &str) -> Result<VerifyingKey, BiometricAuthError>
     Ok(verifying_key)
 }
 
+impl Default for BiometricChallenge {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
 impl BiometricChallenge {
     pub fn new_with_owner(pub_key: &str) -> Result<Self, BiometricAuthError> {
         let _ = decode_pub_key(pub_key)?;
diff --git a/crates/defguard_core/src/db/models/device_login.rs b/crates/defguard_common/src/db/models/device_login.rs
similarity index 93%
rename from crates/defguard_core/src/db/models/device_login.rs
rename to crates/defguard_common/src/db/models/device_login.rs
index e3a8e5b7d6..09b7d52eeb 100644
--- a/crates/defguard_core/src/db/models/device_login.rs
+++ b/crates/defguard_common/src/db/models/device_login.rs
@@ -2,6 +2,7 @@ use std::fmt;
 
 use chrono::{NaiveDateTime, Utc};
 use model_derive::Model;
+use serde::{Deserialize, Serialize};
 use sqlx::{Error as SqlxError, PgPool, query_as};
 
 use crate::db::{Id, NoId};
@@ -34,6 +35,7 @@ impl fmt::Display for DeviceLoginEvent<Id> {
 }
 
 impl DeviceLoginEvent {
+    #[allow(clippy::too_many_arguments)]
     #[must_use]
     pub fn new(
         user_id: Id,
@@ -59,7 +61,7 @@ impl DeviceLoginEvent {
         }
     }
 
-    pub(crate) async fn check_if_device_already_logged_in(
+    pub async fn check_if_device_already_logged_in(
         self,
         pool: &PgPool,
     ) -> Result<Option<DeviceLoginEvent<Id>>, anyhow::Error> {
@@ -72,7 +74,7 @@ impl DeviceLoginEvent {
         }
     }
 
-    pub(crate) async fn find_device_login_event(
+    pub async fn find_device_login_event(
         &self,
         pool: &PgPool,
     ) -> Result<Option<DeviceLoginEvent<Id>>, SqlxError> {
diff --git a/crates/defguard_core/src/db/models/error.rs b/crates/defguard_common/src/db/models/error.rs
similarity index 100%
rename from crates/defguard_core/src/db/models/error.rs
rename to crates/defguard_common/src/db/models/error.rs
diff --git a/crates/defguard_common/src/db/models/mod.rs b/crates/defguard_common/src/db/models/mod.rs
new file mode 100644
index 0000000000..0aa3a601bb
--- /dev/null
+++ b/crates/defguard_common/src/db/models/mod.rs
@@ -0,0 +1,15 @@
+pub mod auth_code;
+pub mod authentication_key;
+pub mod biometric_auth;
+pub mod device_login;
+pub mod error;
+pub mod settings;
+pub mod user;
+
+pub use auth_code::AuthCode;
+pub use authentication_key::{AuthenticationKey, AuthenticationKeyType};
+pub use biometric_auth::{BiometricAuth, BiometricChallenge};
+pub use device_login::DeviceLoginEvent;
+pub use error::ModelError;
+pub use settings::{Settings, SettingsEssentials};
+pub use user::MFAMethod;
diff --git a/crates/defguard_core/src/db/models/settings.rs b/crates/defguard_common/src/db/models/settings.rs
similarity index 95%
rename from crates/defguard_core/src/db/models/settings.rs
rename to crates/defguard_common/src/db/models/settings.rs
index d74ebd49ee..ad900d7831 100644
--- a/crates/defguard_core/src/db/models/settings.rs
+++ b/crates/defguard_common/src/db/models/settings.rs
@@ -1,12 +1,13 @@
 use std::collections::HashMap;
 
+use crate::{global_value, secret::SecretStringWrapper};
+use serde::{Deserialize, Serialize};
 use sqlx::{PgExecutor, PgPool, Type, query, query_as};
 use struct_patch::Patch;
 use thiserror::Error;
+use tracing::{debug, info, warn};
 use uuid::Uuid;
 
-use crate::{enterprise::ldap::sync::SyncStatus, global_value, secret::SecretStringWrapper};
-
 global_value!(SETTINGS, Option<Settings>, None, set_settings, get_settings);
 
 /// Initializes global `SETTINGS` struct at program startup
@@ -61,6 +62,21 @@ pub enum OpenidUsernameHandling {
     PruneEmailDomain,
 }
 
+#[derive(Clone, Debug, Copy, Eq, PartialEq, Deserialize, Serialize, Default, Type)]
+#[sqlx(type_name = "ldap_sync_status", rename_all = "lowercase")]
+pub enum LdapSyncStatus {
+    InSync,
+    #[default]
+    OutOfSync,
+}
+
+impl LdapSyncStatus {
+    #[must_use]
+    pub fn is_out_of_sync(&self) -> bool {
+        matches!(self, LdapSyncStatus::OutOfSync)
+    }
+}
+
 #[derive(Clone, Debug, Deserialize, PartialEq, Patch, Serialize, Default)]
 #[patch(attribute(derive(Deserialize, Serialize, Debug)))]
 pub struct Settings {
@@ -107,7 +123,7 @@ pub struct Settings {
     pub ldap_member_attr: Option<String>,
     pub ldap_use_starttls: bool,
     pub ldap_tls_verify_cert: bool,
-    pub ldap_sync_status: SyncStatus,
+    pub ldap_sync_status: LdapSyncStatus,
     pub ldap_enabled: bool,
     pub ldap_sync_enabled: bool,
     pub ldap_is_authoritative: bool,
@@ -149,7 +165,7 @@ impl Settings {
             license, gateway_disconnect_notifications_enabled, ldap_use_starttls, \
             ldap_tls_verify_cert, gateway_disconnect_notifications_inactivity_threshold, \
             gateway_disconnect_notifications_reconnect_notification_enabled, \
-            ldap_sync_status \"ldap_sync_status: SyncStatus\", \
+            ldap_sync_status \"ldap_sync_status: LdapSyncStatus\", \
             ldap_enabled, ldap_sync_enabled, ldap_is_authoritative, \
             ldap_sync_interval, ldap_user_auxiliary_obj_classes, ldap_uses_ad, \
             ldap_user_rdn_attr, ldap_sync_groups, \
@@ -270,7 +286,7 @@ impl Settings {
             self.gateway_disconnect_notifications_enabled,
             self.gateway_disconnect_notifications_inactivity_threshold,
             self.gateway_disconnect_notifications_reconnect_notification_enabled,
-            &self.ldap_sync_status as &SyncStatus,
+            &self.ldap_sync_status as &LdapSyncStatus,
             self.ldap_enabled,
             self.ldap_sync_enabled,
             self.ldap_is_authoritative,
@@ -352,7 +368,7 @@ pub struct SettingsEssentials {
 }
 
 impl SettingsEssentials {
-    pub(crate) async fn get_settings_essentials<'e, E>(executor: E) -> Result<Self, sqlx::Error>
+    pub async fn get_settings_essentials<'e, E>(executor: E) -> Result<Self, sqlx::Error>
     where
         E: PgExecutor<'e>,
     {
diff --git a/crates/defguard_common/src/db/models/user.rs b/crates/defguard_common/src/db/models/user.rs
new file mode 100644
index 0000000000..d632bb9483
--- /dev/null
+++ b/crates/defguard_common/src/db/models/user.rs
@@ -0,0 +1,30 @@
+use std::fmt;
+
+use serde::{Deserialize, Serialize};
+use sqlx::Type;
+use utoipa::ToSchema;
+
+#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Eq, Hash, ToSchema, Type)]
+#[sqlx(type_name = "mfa_method", rename_all = "snake_case")]
+pub enum MFAMethod {
+    None,
+    OneTimePassword,
+    Webauthn,
+    Email,
+}
+
+// Web MFA methods
+impl fmt::Display for MFAMethod {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(
+            f,
+            "{}",
+            match self {
+                MFAMethod::None => "None",
+                MFAMethod::OneTimePassword => "TOTP",
+                MFAMethod::Webauthn => "WebAuthn",
+                MFAMethod::Email => "Email",
+            }
+        )
+    }
+}
diff --git a/crates/defguard_core/src/globals.rs b/crates/defguard_common/src/globals.rs
similarity index 100%
rename from crates/defguard_core/src/globals.rs
rename to crates/defguard_common/src/globals.rs
diff --git a/crates/defguard_core/src/hex.rs b/crates/defguard_common/src/hex.rs
similarity index 100%
rename from crates/defguard_core/src/hex.rs
rename to crates/defguard_common/src/hex.rs
diff --git a/crates/defguard_common/src/lib.rs b/crates/defguard_common/src/lib.rs
new file mode 100644
index 0000000000..c326bfc3c3
--- /dev/null
+++ b/crates/defguard_common/src/lib.rs
@@ -0,0 +1,11 @@
+pub mod auth;
+pub mod config;
+pub mod csv;
+pub mod db;
+pub mod globals;
+pub mod hex;
+pub mod random;
+pub mod secret;
+
+pub const VERSION: &str = concat!(env!("CARGO_PKG_VERSION"), "+", env!("VERGEN_GIT_SHA"));
+pub const CARGO_VERSION: &str = env!("CARGO_PKG_VERSION");
diff --git a/crates/defguard_core/src/random.rs b/crates/defguard_common/src/random.rs
similarity index 77%
rename from crates/defguard_core/src/random.rs
rename to crates/defguard_common/src/random.rs
index 30edce4459..ce12448d41 100644
--- a/crates/defguard_core/src/random.rs
+++ b/crates/defguard_common/src/random.rs
@@ -2,7 +2,7 @@ use rand::{Rng, distributions::Alphanumeric, thread_rng};
 
 /// Generate random alphanumeric string.
 #[must_use]
-pub(crate) fn gen_alphanumeric(n: usize) -> String {
+pub fn gen_alphanumeric(n: usize) -> String {
     thread_rng()
         .sample_iter(Alphanumeric)
         .take(n)
@@ -12,6 +12,6 @@ pub(crate) fn gen_alphanumeric(n: usize) -> String {
 
 /// Generate random 20-byte secret for TOTP.
 #[must_use]
-pub(crate) fn gen_totp_secret() -> Vec<u8> {
+pub fn gen_totp_secret() -> Vec<u8> {
     thread_rng().r#gen::<[u8; 20]>().to_vec()
 }
diff --git a/crates/defguard_core/src/secret.rs b/crates/defguard_common/src/secret.rs
similarity index 100%
rename from crates/defguard_core/src/secret.rs
rename to crates/defguard_common/src/secret.rs
diff --git a/crates/defguard_core/Cargo.toml b/crates/defguard_core/Cargo.toml
index 3ee6c10de5..2d57b13188 100644
--- a/crates/defguard_core/Cargo.toml
+++ b/crates/defguard_core/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "defguard_core"
-version = "1.5.0"
+version = "0.0.0"
 edition.workspace = true
 license-file.workspace = true
 homepage.workspace = true
@@ -9,6 +9,9 @@ rust-version.workspace = true
 
 [dependencies]
 # internal crates
+defguard_common = { workspace = true }
+defguard_mail = { workspace = true }
+defguard_proto = { workspace = true }
 defguard_web_ui = { workspace = true }
 defguard_version = { workspace = true }
 model_derive = { workspace = true }
@@ -22,7 +25,6 @@ axum-extra = { workspace = true }
 base32 = { workspace = true }
 base64 = { workspace = true }
 chrono = { workspace = true }
-clap = { workspace = true }
 humantime = { workspace = true }
 # match version used by sqlx
 ipnetwork = { workspace = true }
@@ -31,14 +33,11 @@ jsonwebtoken = { workspace = true }
 ldap3 = { workspace = true }
 lettre = { workspace = true }
 md4 = { workspace = true }
-openidconnect = { version = "4.0", default-features = false, optional = true, features = [
-    "reqwest",
-] }
+openidconnect.workspace = true
 parse_link_header = { workspace = true }
 paste = { workspace = true }
 pgp = { workspace = true }
-prost = "0.14"
-pulldown-cmark = { workspace = true }
+prost.workspace = true
 # match version used by sqlx
 rand = { workspace = true }
 reqwest = { workspace = true }
@@ -65,7 +64,7 @@ tokio-stream = { workspace = true }
 tokio-util = { workspace = true }
 tonic = { workspace = true }
 tonic-health = { workspace = true }
-tonic-prost = "0.14"
+tonic-prost.workspace = true
 totp-lite = { workspace = true }
 tower-http = { workspace = true }
 tracing = { workspace = true }
@@ -82,16 +81,15 @@ x25519-dalek = { workspace = true }
 strum = { workspace = true }
 strum_macros = { workspace = true }
 bytes = { workspace = true }
-ed25519-dalek = { version = "2.2", features = ["rand_core"] }
 tower = "0.5"
 regex = "1.10"
 ammonia = "4.1.1"
 
 [dev-dependencies]
 bytes = "1.6"
-claims = "0.8"
+claims.workspace = true
 hyper-util = "0.1"
-matches = "0.1"
+matches.workspace = true
 regex = "1.10"
 reqwest = { version = "0.12", features = [
     "cookies",
@@ -105,11 +103,4 @@ tower = "0.5"
 webauthn-authenticator-rs = { version = "0.5", features = ["softpasskey"] }
 
 [build-dependencies]
-tonic-prost-build = "0.14"
-vergen-git2 = { version = "1.0", features = ["build"] }
-
-[features]
-default = ["openid", "wireguard", "worker"]
-openid = ["dep:openidconnect"]
-worker = []
-wireguard = []
+tonic-prost-build.workspace = true
diff --git a/crates/defguard_core/build.rs b/crates/defguard_core/build.rs
index 9551d43add..96c212192d 100644
--- a/crates/defguard_core/build.rs
+++ b/crates/defguard_core/build.rs
@@ -1,51 +1,14 @@
-use vergen_git2::{Emitter, Git2Builder};
-
 fn main() -> Result<(), Box<dyn std::error::Error>> {
-    // set VERGEN_GIT_SHA env variable based on git commit hash
-    let git2 = Git2Builder::default().branch(true).sha(true).build()?;
-    Emitter::default().add_instructions(&git2)?.emit()?;
-
     tonic_prost_build::configure()
-        // These types contain sensitive data.
-        .skip_debug([
-            "ActivateUserRequest",
-            "AuthInfoResponse",
-            "AuthenticateRequest",
-            "AuthenticateResponse",
-            "ClientMfaFinishResponse",
-            "CodeMfaSetupStartResponse",
-            "CodeMfaSetupFinishResponse",
-            "CoreRequest",
-            "CoreResponse",
-            "DeviceConfigResponse",
-            "InstanceInfoResponse",
-            "NewDevice",
-            "PasswordResetRequest",
-        ])
         .protoc_arg("--experimental_allow_proto3_optional")
         .type_attribute(
             "LicenseLimits",
             "#[derive(serde::Serialize, serde::Deserialize)]",
         )
         .compile_protos(
-            &[
-                "../../proto/core/auth.proto",
-                "../../proto/core/proxy.proto",
-                "../../proto/worker/worker.proto",
-                "../../proto/wireguard/gateway.proto",
-                "../../proto/enterprise/firewall/firewall.proto",
-                "src/enterprise/proto/license.proto",
-            ],
-            &[
-                "../../proto/core",
-                "../../proto/worker",
-                "../../proto/wireguard",
-                "../../proto/enterprise/firewall",
-                "src/enterprise/proto",
-            ],
+            &["src/enterprise/proto/license.proto"],
+            &["src/enterprise/proto"],
         )?;
-    println!("cargo:rerun-if-changed=../../migrations");
-    println!("cargo:rerun-if-changed=../../proto");
     println!("cargo:rerun-if-changed=src/enterprise");
     Ok(())
 }
diff --git a/crates/defguard_core/src/appstate.rs b/crates/defguard_core/src/appstate.rs
index 3930b72c6a..7483b0b725 100644
--- a/crates/defguard_core/src/appstate.rs
+++ b/crates/defguard_core/src/appstate.rs
@@ -2,6 +2,8 @@ use std::sync::{Arc, Mutex, RwLock};
 
 use axum::extract::FromRef;
 use axum_extra::extract::cookie::Key;
+use defguard_common::config::server_config;
+use defguard_mail::Mail;
 use reqwest::Client;
 use secrecy::ExposeSecret;
 use serde_json::json;
@@ -21,8 +23,6 @@ use crate::{
     error::WebError,
     events::ApiEvent,
     grpc::gateway::{send_multiple_wireguard_events, send_wireguard_event},
-    mail::Mail,
-    server_config,
     version::IncompatibleComponents,
 };
 
diff --git a/crates/defguard_core/src/auth/mod.rs b/crates/defguard_core/src/auth/mod.rs
index 41b01e2fd4..5abf56809f 100644
--- a/crates/defguard_core/src/auth/mod.rs
+++ b/crates/defguard_core/src/auth/mod.rs
@@ -1,10 +1,5 @@
 pub mod failed_login;
 
-use std::{
-    env,
-    time::{Duration, SystemTime},
-};
-
 use axum::{
     extract::{FromRef, FromRequestParts, OptionalFromRequestParts},
     http::{header::AUTHORIZATION, request::Parts},
@@ -15,15 +10,12 @@ use axum_extra::{
     extract::cookie::CookieJar,
     headers::{Authorization, authorization::Bearer},
 };
-use jsonwebtoken::{
-    DecodingKey, EncodingKey, Header, Validation, decode, encode, errors::Error as JWTError,
-};
-use serde::{Deserialize, Serialize};
+use defguard_common::db::Id;
 
 use crate::{
     appstate::AppState,
     db::{
-        Group, Id, OAuth2AuthorizedApp, OAuth2Token, Session, SessionState, User,
+        Group, OAuth2AuthorizedApp, OAuth2Token, Session, SessionState, User,
         models::{group::Permission, oauth2client::OAuth2Client},
     },
     enterprise::{db::models::api_tokens::ApiToken, is_enterprise_enabled},
@@ -31,98 +23,10 @@ use crate::{
     handlers::SESSION_COOKIE_NAME,
 };
 
-pub static JWT_ISSUER: &str = "DefGuard";
-pub static AUTH_SECRET_ENV: &str = "DEFGUARD_AUTH_SECRET";
-pub static GATEWAY_SECRET_ENV: &str = "DEFGUARD_GATEWAY_SECRET";
-pub static YUBIBRIDGE_SECRET_ENV: &str = "DEFGUARD_YUBIBRIDGE_SECRET";
 pub const TOTP_CODE_VALIDITY_PERIOD: u64 = 30;
 pub const EMAIL_CODE_DIGITS: u32 = 6;
 pub const TOTP_CODE_DIGITS: u32 = 6;
 
-#[derive(Clone, Copy, Default)]
-pub enum ClaimsType {
-    #[default]
-    Auth,
-    Gateway,
-    YubiBridge,
-    DesktopClient,
-}
-
-/// Standard claims: https://www.iana.org/assignments/jwt/jwt.xhtml
-#[derive(Deserialize, Serialize)]
-pub struct Claims {
-    #[serde(skip_serializing, skip_deserializing)]
-    secret: String,
-    // issuer
-    pub iss: String,
-    // subject
-    pub sub: String,
-    // client identifier
-    pub client_id: String,
-    // expiration time
-    pub exp: u64,
-    // not before
-    pub nbf: u64,
-}
-
-impl Claims {
-    #[must_use]
-    pub fn new(claims_type: ClaimsType, sub: String, client_id: String, duration: u64) -> Self {
-        let now = SystemTime::now();
-        let exp = now
-            .checked_add(Duration::from_secs(duration))
-            .expect("valid time")
-            .duration_since(SystemTime::UNIX_EPOCH)
-            .expect("valid timestamp")
-            .as_secs();
-        let nbf = now
-            .duration_since(SystemTime::UNIX_EPOCH)
-            .expect("valid timestamp")
-            .as_secs();
-        Self {
-            secret: Self::get_secret(claims_type),
-            iss: JWT_ISSUER.to_string(),
-            sub,
-            client_id,
-            exp,
-            nbf,
-        }
-    }
-
-    fn get_secret(claims_type: ClaimsType) -> String {
-        let env_var = match claims_type {
-            ClaimsType::Auth | ClaimsType::DesktopClient => AUTH_SECRET_ENV,
-            ClaimsType::Gateway => GATEWAY_SECRET_ENV,
-            ClaimsType::YubiBridge => YUBIBRIDGE_SECRET_ENV,
-        };
-        env::var(env_var).unwrap_or_default()
-    }
-
-    /// Convert claims to JWT.
-    pub fn to_jwt(&self) -> Result<String, JWTError> {
-        encode(
-            &Header::default(),
-            self,
-            &EncodingKey::from_secret(self.secret.as_bytes()),
-        )
-    }
-
-    /// Verify JWT and, if successful, convert it to claims.
-    pub fn from_jwt(claims_type: ClaimsType, token: &str) -> Result<Self, JWTError> {
-        let secret = Self::get_secret(claims_type);
-        let mut validation = Validation::default();
-        validation.validate_nbf = true;
-        validation.set_issuer(&[JWT_ISSUER]);
-        validation.set_required_spec_claims(&["iss", "sub", "exp", "nbf"]);
-        decode::<Self>(
-            token,
-            &DecodingKey::from_secret(secret.as_bytes()),
-            &validation,
-        )
-        .map(|data| data.claims)
-    }
-}
-
 impl<S> FromRequestParts<S> for Session
 where
     S: Send + Sync,
@@ -398,7 +302,6 @@ where
                 None
             }
         }) {
-            // TODO: #[cfg(feature = "openid")]
             match OAuth2Token::find_access_token(&appstate.pool, token).await {
                 Ok(Some(oauth2token)) => {
                     match OAuth2AuthorizedApp::find_by_id(
diff --git a/crates/defguard_core/src/db/mod.rs b/crates/defguard_core/src/db/mod.rs
index 1dcc96ec1c..37bcc961f0 100644
--- a/crates/defguard_core/src/db/mod.rs
+++ b/crates/defguard_core/src/db/mod.rs
@@ -1,33 +1,5 @@
 pub mod models;
 
-use sqlx::postgres::{PgConnectOptions, PgPool, PgPoolOptions};
-use utoipa::ToSchema;
-
-use crate::MIGRATOR;
-
-#[derive(Clone, Debug, Deserialize, PartialEq, Serialize, ToSchema, Eq, Default, Hash)]
-pub struct NoId;
-pub type Id = i64;
-
-/// Initializes and migrates postgres database. Returns DB pool object.
-pub async fn init_db(host: &str, port: u16, name: &str, user: &str, password: &str) -> PgPool {
-    info!("Initializing DB pool");
-    let opts = PgConnectOptions::new()
-        .host(host)
-        .port(port)
-        .username(user)
-        .password(password)
-        .database(name);
-    let pool = PgPool::connect_with(opts)
-        .await
-        .expect("Database connection failed");
-    MIGRATOR
-        .run(&pool)
-        .await
-        .expect("Cannot run database migrations.");
-    pool
-}
-
 pub use models::{
     MFAInfo, UserDetails, UserInfo,
     device::{AddDevice, Device},
@@ -35,21 +7,9 @@ pub use models::{
     oauth2authorizedapp::OAuth2AuthorizedApp,
     oauth2token::OAuth2Token,
     session::{Session, SessionState},
-    settings::Settings,
-    user::{MFAMethod, User},
+    user::User,
     webauthn::WebAuthn,
     webhook::{AppEvent, HWKeyUserData, WebHook},
     wireguard::{GatewayEvent, WireguardNetwork},
     yubikey::YubiKey,
 };
-
-// Helper function to instantiate pool manually as a workaround for issues with `sqlx::test` macro
-// reference: https://github.com/launchbadge/sqlx/issues/2567#issuecomment-2009849261
-pub async fn setup_pool(options: PgConnectOptions) -> PgPool {
-    let pool = PgPoolOptions::new().connect_with(options).await.unwrap();
-    MIGRATOR
-        .run(&pool)
-        .await
-        .expect("Cannot run database migrations.");
-    pool
-}
diff --git a/crates/defguard_core/src/db/models/activity_log/metadata.rs b/crates/defguard_core/src/db/models/activity_log/metadata.rs
index c1c1032cce..e358560fe2 100644
--- a/crates/defguard_core/src/db/models/activity_log/metadata.rs
+++ b/crates/defguard_core/src/db/models/activity_log/metadata.rs
@@ -1,22 +1,22 @@
 use chrono::NaiveDateTime;
+use defguard_common::db::{
+    Id,
+    models::{
+        AuthenticationKey, AuthenticationKeyType, MFAMethod, Settings,
+        settings::{LdapSyncStatus, OpenidUsernameHandling, SmtpEncryption},
+    },
+};
 
 use crate::{
     db::{
-        Device, Group, Id, MFAMethod, Settings, User, WebAuthn, WebHook, WireguardNetwork,
-        models::{
-            authentication_key::{AuthenticationKey, AuthenticationKeyType},
-            oauth2client::OAuth2Client,
-            settings::{OpenidUsernameHandling, SmtpEncryption},
-        },
+        Device, Group, User, WebAuthn, WebHook, WireguardNetwork,
+        models::oauth2client::OAuth2Client,
     },
-    enterprise::{
-        db::models::{
-            activity_log_stream::{ActivityLogStream, ActivityLogStreamType},
-            api_tokens::ApiToken,
-            openid_provider::{DirectorySyncTarget, DirectorySyncUserBehavior, OpenIdProvider},
-            snat::UserSnatBinding,
-        },
-        ldap::sync::SyncStatus,
+    enterprise::db::models::{
+        activity_log_stream::{ActivityLogStream, ActivityLogStreamType},
+        api_tokens::ApiToken,
+        openid_provider::{DirectorySyncTarget, DirectorySyncUserBehavior, OpenIdProvider},
+        snat::UserSnatBinding,
     },
     events::ClientMFAMethod,
 };
@@ -377,7 +377,7 @@ pub struct SettingsNoSecrets {
     pub ldap_member_attr: Option<String>,
     pub ldap_use_starttls: bool,
     pub ldap_tls_verify_cert: bool,
-    pub ldap_sync_status: SyncStatus,
+    pub ldap_sync_status: LdapSyncStatus,
     pub ldap_enabled: bool,
     pub ldap_sync_enabled: bool,
     pub ldap_is_authoritative: bool,
diff --git a/crates/defguard_core/src/db/models/activity_log/mod.rs b/crates/defguard_core/src/db/models/activity_log/mod.rs
index a175e50c2e..62cf59154c 100644
--- a/crates/defguard_core/src/db/models/activity_log/mod.rs
+++ b/crates/defguard_core/src/db/models/activity_log/mod.rs
@@ -3,7 +3,7 @@ use ipnetwork::IpNetwork;
 use model_derive::Model;
 use sqlx::{FromRow, Type};
 
-use crate::db::{Id, NoId};
+use defguard_common::db::{Id, NoId};
 
 pub mod metadata;
 
diff --git a/crates/defguard_core/src/db/models/device.rs b/crates/defguard_core/src/db/models/device.rs
index 8977f70288..00c895ff15 100644
--- a/crates/defguard_core/src/db/models/device.rs
+++ b/crates/defguard_core/src/db/models/device.rs
@@ -4,6 +4,10 @@ use base64::{Engine, prelude::BASE64_STANDARD};
 #[cfg(test)]
 use chrono::NaiveDate;
 use chrono::{NaiveDateTime, Utc};
+use defguard_common::{
+    csv::AsCsv,
+    db::{Id, NoId, models::ModelError},
+};
 use ipnetwork::IpNetwork;
 use model_derive::Model;
 #[cfg(test)]
@@ -19,14 +23,10 @@ use sqlx::{
 use thiserror::Error;
 use utoipa::ToSchema;
 
-use super::{
-    error::ModelError,
-    wireguard::{LocationMfaMode, NetworkAddressError, WIREGUARD_MAX_HANDSHAKE, WireguardNetwork},
-};
-use crate::{
-    AsCsv, KEY_LENGTH,
-    db::{Id, NoId, User},
+use super::wireguard::{
+    LocationMfaMode, NetworkAddressError, WIREGUARD_MAX_HANDSHAKE, WireguardNetwork,
 };
+use crate::{KEY_LENGTH, db::User};
 
 #[derive(Serialize, ToSchema)]
 pub struct DeviceConfig {
@@ -1010,10 +1010,11 @@ mod test {
     use std::str::FromStr;
 
     use claims::{assert_err, assert_ok};
+    use defguard_common::db::setup_pool;
     use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
     use super::*;
-    use crate::db::{User, setup_pool};
+    use crate::db::User;
 
     impl Device<Id> {
         /// Create new device and assign IP in a given network
diff --git a/crates/defguard_core/src/db/models/enrollment.rs b/crates/defguard_core/src/db/models/enrollment.rs
index 8204991123..7c9237c3ca 100644
--- a/crates/defguard_core/src/db/models/enrollment.rs
+++ b/crates/defguard_core/src/db/models/enrollment.rs
@@ -1,4 +1,14 @@
 use chrono::{NaiveDateTime, TimeDelta, Utc};
+use defguard_common::{
+    VERSION,
+    config::server_config,
+    db::{Id, models::Settings},
+    random::gen_alphanumeric,
+};
+use defguard_mail::{
+    Mail,
+    templates::{self, TemplateError, safe_tera},
+};
 use reqwest::Url;
 use sqlx::{Error as SqlxError, PgConnection, PgExecutor, PgPool, query, query_as};
 use tera::Context;
@@ -6,15 +16,7 @@ use thiserror::Error;
 use tokio::sync::mpsc::UnboundedSender;
 use tonic::{Code, Status};
 
-use super::{User, settings::Settings};
-use crate::{
-    VERSION,
-    db::Id,
-    mail::Mail,
-    random::gen_alphanumeric,
-    server_config,
-    templates::{self, TemplateError, safe_tera},
-};
+use super::User;
 
 pub static ENROLLMENT_TOKEN_TYPE: &str = "ENROLLMENT";
 pub static PASSWORD_RESET_TOKEN_TYPE: &str = "PASSWORD_RESET";
@@ -356,7 +358,7 @@ impl Token {
 
         // load configured content as template
         let mut tera = safe_tera();
-        tera.add_raw_template("welcome_page", &settings.enrollment_welcome_message()?)?;
+        tera.add_raw_template("welcome_page", &enrollment_welcome_message(&settings)?)?;
 
         let context = self.get_welcome_message_context(&mut *transaction).await?;
 
@@ -374,7 +376,7 @@ impl Token {
 
         // load configured content as template
         let mut tera = safe_tera();
-        tera.add_raw_template("welcome_email", &settings.enrollment_welcome_email()?)?;
+        tera.add_raw_template("welcome_email", &enrollment_welcome_email(&settings)?)?;
 
         let context = self.get_welcome_message_context(&mut *transaction).await?;
         let content = tera.render("welcome_email", &context)?;
@@ -616,21 +618,19 @@ impl User<Id> {
     }
 }
 
-impl Settings {
-    pub fn enrollment_welcome_message(&self) -> Result<String, TokenError> {
-        self.enrollment_welcome_message.clone().ok_or_else(|| {
-            error!("Enrollment welcome message not configured");
-            TokenError::WelcomeMsgNotConfigured
-        })
-    }
+pub fn enrollment_welcome_message(settings: &Settings) -> Result<String, TokenError> {
+    settings.enrollment_welcome_message.clone().ok_or_else(|| {
+        error!("Enrollment welcome message not configured");
+        TokenError::WelcomeMsgNotConfigured
+    })
+}
 
-    pub fn enrollment_welcome_email(&self) -> Result<String, TokenError> {
-        if self.enrollment_use_welcome_message_as_email {
-            return self.enrollment_welcome_message();
-        }
-        self.enrollment_welcome_email.clone().ok_or_else(|| {
-            error!("Enrollment welcome email not configured");
-            TokenError::WelcomeEmailNotConfigured
-        })
+pub fn enrollment_welcome_email(settings: &Settings) -> Result<String, TokenError> {
+    if settings.enrollment_use_welcome_message_as_email {
+        return enrollment_welcome_message(settings);
     }
+    settings.enrollment_welcome_email.clone().ok_or_else(|| {
+        error!("Enrollment welcome email not configured");
+        TokenError::WelcomeEmailNotConfigured
+    })
 }
diff --git a/crates/defguard_core/src/db/models/group.rs b/crates/defguard_core/src/db/models/group.rs
index 6dadfbf904..b9734fd4f6 100644
--- a/crates/defguard_core/src/db/models/group.rs
+++ b/crates/defguard_core/src/db/models/group.rs
@@ -1,10 +1,11 @@
 use std::fmt;
 
+use defguard_common::db::{Id, NoId, models::ModelError};
 use model_derive::Model;
 use sqlx::{Error as SqlxError, FromRow, PgConnection, PgExecutor, query, query_as, query_scalar};
 use utoipa::ToSchema;
 
-use crate::db::{Id, NoId, User, WireguardNetwork, models::error::ModelError};
+use crate::db::{User, WireguardNetwork};
 
 #[derive(Debug)]
 pub enum Permission {
@@ -296,10 +297,11 @@ impl WireguardNetwork<Id> {
 
 #[cfg(test)]
 mod test {
+    use defguard_common::db::setup_pool;
     use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
     use super::*;
-    use crate::db::{User, setup_pool};
+    use crate::db::User;
 
     #[sqlx::test]
     async fn test_group(_: PgPoolOptions, options: PgConnectOptions) {
diff --git a/crates/defguard_core/src/db/models/mod.rs b/crates/defguard_core/src/db/models/mod.rs
index 083645bff4..df2faac41b 100644
--- a/crates/defguard_core/src/db/models/mod.rs
+++ b/crates/defguard_core/src/db/models/mod.rs
@@ -1,22 +1,12 @@
 pub mod activity_log;
-#[cfg(feature = "openid")]
-pub mod auth_code;
-pub mod authentication_key;
-pub mod biometric_auth;
 pub mod device;
-pub mod device_login;
 pub mod enrollment;
-pub mod error;
 pub mod group;
-#[cfg(feature = "openid")]
 pub mod oauth2authorizedapp;
-#[cfg(feature = "openid")]
 pub mod oauth2client;
-#[cfg(feature = "openid")]
 pub mod oauth2token;
 pub mod polling_token;
 pub mod session;
-pub mod settings;
 pub mod user;
 pub mod webauthn;
 pub mod webhook;
@@ -26,17 +16,16 @@ pub mod yubikey;
 
 use std::collections::HashSet;
 
+use defguard_common::db::{
+    Id,
+    models::{BiometricAuth, MFAMethod},
+};
 use sqlx::{Error as SqlxError, PgConnection, PgPool, query_as};
 use utoipa::ToSchema;
 
-use self::{
-    device::UserDevice,
-    user::{MFAMethod, User},
-};
-use super::{Group, Id};
-use crate::db::models::biometric_auth::BiometricAuth;
+use self::{device::UserDevice, user::User};
+use super::Group;
 
-#[cfg(feature = "openid")]
 #[derive(Deserialize, Serialize)]
 pub struct NewOpenIDClient {
     pub name: String,
@@ -283,10 +272,10 @@ impl MFAInfo {
 
 #[cfg(test)]
 mod test {
+    use defguard_common::db::setup_pool;
     use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
     use super::*;
-    use crate::db::setup_pool;
 
     #[sqlx::test]
     async fn test_user_info(_: PgPoolOptions, options: PgConnectOptions) {
diff --git a/crates/defguard_core/src/db/models/oauth2authorizedapp.rs b/crates/defguard_core/src/db/models/oauth2authorizedapp.rs
index 421a93437b..0039265a65 100644
--- a/crates/defguard_core/src/db/models/oauth2authorizedapp.rs
+++ b/crates/defguard_core/src/db/models/oauth2authorizedapp.rs
@@ -1,7 +1,7 @@
 use model_derive::Model;
 use sqlx::{Error as SqlxError, PgPool, query_as};
 
-use crate::db::{Id, NoId};
+use defguard_common::db::{Id, NoId};
 
 #[derive(Model)]
 pub struct OAuth2AuthorizedApp<I = NoId> {
diff --git a/crates/defguard_core/src/db/models/oauth2client.rs b/crates/defguard_core/src/db/models/oauth2client.rs
index 4a886c23d7..5b362d22c6 100644
--- a/crates/defguard_core/src/db/models/oauth2client.rs
+++ b/crates/defguard_core/src/db/models/oauth2client.rs
@@ -2,10 +2,8 @@ use model_derive::Model;
 use sqlx::{Error as SqlxError, PgExecutor, PgPool, query_as};
 
 use super::NewOpenIDClient;
-use crate::{
-    db::{Id, NoId},
-    random::gen_alphanumeric,
-};
+use defguard_common::db::{Id, NoId};
+use defguard_common::random::gen_alphanumeric;
 
 #[derive(Clone, Debug, Deserialize, Model, Serialize)]
 pub struct OAuth2Client<I = NoId> {
diff --git a/crates/defguard_core/src/db/models/oauth2token.rs b/crates/defguard_core/src/db/models/oauth2token.rs
index 3e183ffb06..abc400d711 100644
--- a/crates/defguard_core/src/db/models/oauth2token.rs
+++ b/crates/defguard_core/src/db/models/oauth2token.rs
@@ -1,8 +1,7 @@
 use chrono::{TimeDelta, Utc};
+use defguard_common::{config::server_config, db::Id, random::gen_alphanumeric};
 use sqlx::{Error as SqlxError, PgPool, query, query_as};
 
-use crate::{db::Id, random::gen_alphanumeric, server_config};
-
 pub struct OAuth2Token {
     pub oauth2authorizedapp_id: Id,
     pub access_token: String,
diff --git a/crates/defguard_core/src/db/models/polling_token.rs b/crates/defguard_core/src/db/models/polling_token.rs
index 59fcaba079..8b19e98dda 100644
--- a/crates/defguard_core/src/db/models/polling_token.rs
+++ b/crates/defguard_core/src/db/models/polling_token.rs
@@ -2,10 +2,8 @@ use chrono::{NaiveDateTime, Utc};
 use model_derive::Model;
 use sqlx::{Error as SqlxError, PgExecutor, PgPool, query_as};
 
-use crate::{
-    db::{Id, NoId},
-    random::gen_alphanumeric,
-};
+use defguard_common::db::{Id, NoId};
+use defguard_common::random::gen_alphanumeric;
 
 // Token used for polling requests.
 #[derive(Clone, Debug, Model)]
diff --git a/crates/defguard_core/src/db/models/session.rs b/crates/defguard_core/src/db/models/session.rs
index 8fe3945aa0..52d7a0fd9b 100644
--- a/crates/defguard_core/src/db/models/session.rs
+++ b/crates/defguard_core/src/db/models/session.rs
@@ -1,8 +1,9 @@
 use chrono::{NaiveDateTime, TimeDelta, Utc};
+use defguard_common::{config::server_config, db::Id, random::gen_alphanumeric};
 use sqlx::{Error as SqlxError, PgExecutor, PgPool, Type, query, query_as};
 use webauthn_rs::prelude::{PasskeyAuthentication, PasskeyRegistration};
 
-use crate::{db::Id, random::gen_alphanumeric, server_config};
+use defguard_mail::templates::SessionContext;
 
 #[derive(Clone, PartialEq, Type)]
 #[repr(i16)]
@@ -27,6 +28,15 @@ pub struct Session {
     pub device_info: Option<String>,
 }
 
+impl From<Session> for SessionContext {
+    fn from(value: Session) -> Self {
+        Self {
+            ip_address: value.ip_address,
+            device_info: value.device_info,
+        }
+    }
+}
+
 impl Session {
     #[must_use]
     pub fn new(
diff --git a/crates/defguard_core/src/db/models/user.rs b/crates/defguard_core/src/db/models/user.rs
index d2e02ee1d5..e011a6e3b2 100644
--- a/crates/defguard_core/src/db/models/user.rs
+++ b/crates/defguard_core/src/db/models/user.rs
@@ -8,6 +8,7 @@ use argon2::{
     },
 };
 use axum::http::StatusCode;
+use defguard_mail::templates::UserContext;
 use model_derive::Model;
 #[cfg(test)]
 use rand::{
@@ -17,12 +18,10 @@ use rand::{
 };
 use serde::Serialize;
 use sqlx::{
-    Error as SqlxError, FromRow, PgConnection, PgExecutor, PgPool, Type, query, query_as,
-    query_scalar,
+    Error as SqlxError, FromRow, PgConnection, PgExecutor, PgPool, query, query_as, query_scalar,
 };
 use tokio::sync::broadcast::Sender;
 use totp_lite::{Sha1, totp_custom};
-use utoipa::ToSchema;
 
 use super::{
     MFAInfo, OAuth2AuthorizedAppInfo, SecurityKey,
@@ -32,61 +31,19 @@ use super::{
 };
 use crate::{
     auth::{EMAIL_CODE_DIGITS, TOTP_CODE_DIGITS, TOTP_CODE_VALIDITY_PERIOD},
-    db::{GatewayEvent, Id, NoId, Session, WireguardNetwork, models::group::Permission},
+    db::{GatewayEvent, Session, WireguardNetwork, models::group::Permission},
     enterprise::limits::update_counts,
     error::WebError,
-    grpc::{
-        gateway::{send_multiple_wireguard_events, send_wireguard_event},
-        proto::proxy::MfaMethod,
-    },
+    grpc::gateway::{send_multiple_wireguard_events, send_wireguard_event},
+};
+use defguard_common::{
+    config::server_config,
+    db::{Id, NoId, models::MFAMethod},
     random::{gen_alphanumeric, gen_totp_secret},
-    server_config,
 };
 
 const RECOVERY_CODES_COUNT: usize = 8;
 
-#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Eq, Hash, ToSchema, Type)]
-#[sqlx(type_name = "mfa_method", rename_all = "snake_case")]
-pub enum MFAMethod {
-    None,
-    OneTimePassword,
-    Webauthn,
-    Email,
-}
-
-// Web MFA methods
-impl fmt::Display for MFAMethod {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        write!(
-            f,
-            "{}",
-            match self {
-                MFAMethod::None => "None",
-                MFAMethod::OneTimePassword => "TOTP",
-                MFAMethod::Webauthn => "WebAuthn",
-                MFAMethod::Email => "Email",
-            }
-        )
-    }
-}
-
-// Client MFA methods
-impl fmt::Display for MfaMethod {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        write!(
-            f,
-            "{}",
-            match self {
-                MfaMethod::Totp => "TOTP",
-                MfaMethod::Email => "Email",
-                MfaMethod::Oidc => "OIDC",
-                MfaMethod::Biometric => "Biometric",
-                MfaMethod::MobileApprove => "MobileApprove",
-            }
-        )
-    }
-}
-
 // User information ready to be sent as part of diagnostic data.
 #[derive(Serialize)]
 pub struct UserDiagnostic {
@@ -202,6 +159,15 @@ fn hash_password(password: &str) -> Result<String, HashError> {
         .to_string())
 }
 
+impl From<User<Id>> for UserContext {
+    fn from(value: User<Id>) -> Self {
+        Self {
+            last_name: value.last_name,
+            first_name: value.first_name,
+        }
+    }
+}
+
 impl User {
     #[must_use]
     pub fn new<S: Into<String>>(
@@ -1308,14 +1274,14 @@ impl Distribution<User<NoId>> for Standard {
 
 #[cfg(test)]
 mod test {
+    use defguard_common::{
+        config::{DefGuardConfig, SERVER_CONFIG},
+        db::setup_pool,
+    };
     use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
     use super::*;
-    use crate::{
-        SERVER_CONFIG,
-        config::DefGuardConfig,
-        db::{models::settings::initialize_current_settings, setup_pool},
-    };
+    use defguard_common::db::models::settings::initialize_current_settings;
 
     #[sqlx::test]
     async fn test_mfa_code(_: PgPoolOptions, options: PgConnectOptions) {
diff --git a/crates/defguard_core/src/db/models/webauthn.rs b/crates/defguard_core/src/db/models/webauthn.rs
index 64a2c794c9..9b4407d67f 100644
--- a/crates/defguard_core/src/db/models/webauthn.rs
+++ b/crates/defguard_core/src/db/models/webauthn.rs
@@ -2,8 +2,7 @@ use model_derive::Model;
 use sqlx::{Error as SqlxError, PgExecutor, PgPool, query, query_as, query_scalar};
 use webauthn_rs::prelude::Passkey;
 
-use super::error::ModelError;
-use crate::db::{Id, NoId};
+use defguard_common::db::{Id, NoId, models::ModelError};
 
 #[derive(Model, Clone, Debug)]
 pub struct WebAuthn<I = NoId> {
diff --git a/crates/defguard_core/src/db/models/webhook.rs b/crates/defguard_core/src/db/models/webhook.rs
index fb7a83dd5b..f45d9831d7 100644
--- a/crates/defguard_core/src/db/models/webhook.rs
+++ b/crates/defguard_core/src/db/models/webhook.rs
@@ -2,7 +2,7 @@ use model_derive::Model;
 use sqlx::{Error as SqlxError, FromRow, PgPool, query_as};
 
 use super::UserInfo;
-use crate::db::{Id, NoId};
+use defguard_common::db::{Id, NoId};
 
 /// App events which triggers webhook action
 #[derive(Debug)]
diff --git a/crates/defguard_core/src/db/models/wireguard.rs b/crates/defguard_core/src/db/models/wireguard.rs
index 4c486ffa30..fef77250f3 100644
--- a/crates/defguard_core/src/db/models/wireguard.rs
+++ b/crates/defguard_core/src/db/models/wireguard.rs
@@ -7,6 +7,11 @@ use std::{
 
 use base64::prelude::{BASE64_STANDARD, Engine};
 use chrono::{NaiveDateTime, TimeDelta, Utc};
+use defguard_common::{
+    auth::claims::{Claims, ClaimsType},
+    csv::AsCsv,
+    db::{Id, NoId, models::ModelError},
+};
 use ipnetwork::{IpNetwork, IpNetworkError, NetworkSize};
 use model_derive::Model;
 use rand::rngs::OsRng;
@@ -24,23 +29,18 @@ use super::{
     device::{
         Device, DeviceError, DeviceInfo, DeviceNetworkInfo, DeviceType, WireguardNetworkDevice,
     },
-    error::ModelError,
     user::User,
     wireguard_peer_stats::WireguardPeerStats,
 };
 use crate::{
-    AsCsv,
-    auth::{Claims, ClaimsType},
-    db::{Id, NoId},
     enterprise::firewall::FirewallError,
-    grpc::{
-        gateway::{Peer, send_multiple_wireguard_events, state::GatewayState},
-        proto::{
-            enterprise::firewall::FirewallConfig, proxy::LocationMfaMode as ProtoLocationMfaMode,
-        },
-    },
+    grpc::gateway::{send_multiple_wireguard_events, state::GatewayState},
     wg_config::ImportedDevice,
 };
+use defguard_proto::{
+    enterprise::firewall::FirewallConfig, gateway::Peer,
+    proxy::LocationMfaMode as ProtoLocationMfaMode,
+};
 
 pub const DEFAULT_KEEPALIVE_INTERVAL: i32 = 25;
 pub const DEFAULT_DISCONNECT_THRESHOLD: i32 = 300;
@@ -1419,11 +1419,12 @@ mod test {
     use std::str::FromStr;
 
     use chrono::{SubsecRound, TimeDelta};
+    use defguard_common::db::setup_pool;
     use matches::assert_matches;
     use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
     use super::*;
-    use crate::db::{Group, setup_pool};
+    use crate::db::Group;
 
     #[sqlx::test]
     async fn test_connected_at_reconnection(_: PgPoolOptions, options: PgConnectOptions) {
diff --git a/crates/defguard_core/src/db/models/wireguard_peer_stats.rs b/crates/defguard_core/src/db/models/wireguard_peer_stats.rs
index 7a2f7322e8..2323584c7d 100644
--- a/crates/defguard_core/src/db/models/wireguard_peer_stats.rs
+++ b/crates/defguard_core/src/db/models/wireguard_peer_stats.rs
@@ -6,7 +6,7 @@ use ipnetwork::IpNetwork;
 use model_derive::Model;
 use sqlx::{PgExecutor, PgPool, query, query_as, query_scalar};
 
-use crate::db::{Id, NoId};
+use defguard_common::db::{Id, NoId};
 
 #[derive(Debug, Deserialize, Model, Serialize)]
 #[table(wireguard_peer_stats)]
diff --git a/crates/defguard_core/src/db/models/yubikey.rs b/crates/defguard_core/src/db/models/yubikey.rs
index 1535297078..0813319334 100644
--- a/crates/defguard_core/src/db/models/yubikey.rs
+++ b/crates/defguard_core/src/db/models/yubikey.rs
@@ -1,7 +1,7 @@
 use model_derive::Model;
 use sqlx::{PgExecutor, query, query_as};
 
-use crate::db::{Id, NoId};
+use defguard_common::db::{Id, NoId};
 
 #[derive(Deserialize, Model, Serialize)]
 pub struct YubiKey<I = NoId> {
diff --git a/crates/defguard_core/src/enterprise/activity_log_stream/http_stream.rs b/crates/defguard_core/src/enterprise/activity_log_stream/http_stream.rs
index d835607f83..64593c021a 100644
--- a/crates/defguard_core/src/enterprise/activity_log_stream/http_stream.rs
+++ b/crates/defguard_core/src/enterprise/activity_log_stream/http_stream.rs
@@ -2,16 +2,14 @@ use std::sync::Arc;
 
 use base64::prelude::{BASE64_STANDARD, Engine};
 use bytes::Bytes;
+use defguard_common::secret::SecretStringWrapper;
 use reqwest::tls;
 use tokio::sync::broadcast::Receiver;
 use tokio_util::sync::CancellationToken;
 use tracing::{debug, error};
 
-use crate::{
-    enterprise::db::models::activity_log_stream::{
-        LogstashHttpActivityLogStream, VectorHttpActivityLogStream,
-    },
-    secret::SecretStringWrapper,
+use crate::enterprise::db::models::activity_log_stream::{
+    LogstashHttpActivityLogStream, VectorHttpActivityLogStream,
 };
 
 /// Spawns an asynchronous task that reads activity log events from the channel and sends them as NDJSON via HTTP.
diff --git a/crates/defguard_core/src/enterprise/db/models/acl.rs b/crates/defguard_core/src/enterprise/db/models/acl.rs
index 60e781b47c..faddd5c08f 100644
--- a/crates/defguard_core/src/enterprise/db/models/acl.rs
+++ b/crates/defguard_core/src/enterprise/db/models/acl.rs
@@ -6,6 +6,7 @@ use std::{
 };
 
 use chrono::NaiveDateTime;
+use defguard_common::db::{Id, NoId};
 use ipnetwork::{IpNetwork, IpNetworkError};
 use model_derive::Model;
 use sqlx::{
@@ -17,10 +18,7 @@ use thiserror::Error;
 use crate::{
     DeviceType,
     appstate::AppState,
-    db::{
-        Device, GatewayEvent, Group, Id, NoId, User, WireguardNetwork,
-        models::wireguard::LocationMfaMode,
-    },
+    db::{Device, GatewayEvent, Group, User, WireguardNetwork, models::wireguard::LocationMfaMode},
     enterprise::{
         firewall::FirewallError,
         handlers::acl::{ApiAclAlias, ApiAclRule, EditAclAlias, EditAclRule},
diff --git a/crates/defguard_core/src/enterprise/db/models/acl/tests.rs b/crates/defguard_core/src/enterprise/db/models/acl/tests.rs
index ca828a4238..becdc26481 100644
--- a/crates/defguard_core/src/enterprise/db/models/acl/tests.rs
+++ b/crates/defguard_core/src/enterprise/db/models/acl/tests.rs
@@ -1,10 +1,11 @@
 use std::ops::Bound;
 
+use defguard_common::db::setup_pool;
 use rand::{Rng, thread_rng};
 use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
 use super::*;
-use crate::{db::setup_pool, handlers::wireguard::parse_address_list};
+use crate::handlers::wireguard::parse_address_list;
 
 #[sqlx::test]
 async fn test_alias(_: PgPoolOptions, options: PgConnectOptions) {
diff --git a/crates/defguard_core/src/enterprise/db/models/activity_log_stream.rs b/crates/defguard_core/src/enterprise/db/models/activity_log_stream.rs
index 9bfb86676a..2d472bec2c 100644
--- a/crates/defguard_core/src/enterprise/db/models/activity_log_stream.rs
+++ b/crates/defguard_core/src/enterprise/db/models/activity_log_stream.rs
@@ -3,9 +3,9 @@ use serde::Serialize;
 use sqlx::{Error as SqlxError, FromRow, PgExecutor, Type, query_as};
 use strum_macros::{Display, EnumString};
 
-use crate::{
+use crate::enterprise::activity_log_stream::error::ActivityLogStreamError;
+use defguard_common::{
     db::{Id, NoId},
-    enterprise::activity_log_stream::error::ActivityLogStreamError,
     secret::SecretStringWrapper,
 };
 
diff --git a/crates/defguard_core/src/enterprise/db/models/api_tokens.rs b/crates/defguard_core/src/enterprise/db/models/api_tokens.rs
index ef1ffebfd4..9e01c7248c 100644
--- a/crates/defguard_core/src/enterprise/db/models/api_tokens.rs
+++ b/crates/defguard_core/src/enterprise/db/models/api_tokens.rs
@@ -2,7 +2,7 @@ use chrono::NaiveDateTime;
 use model_derive::Model;
 use sqlx::{Error as SqlxError, PgExecutor, query_as};
 
-use crate::db::{Id, NoId};
+use defguard_common::db::{Id, NoId};
 
 #[derive(Clone, Debug, Deserialize, Model, Serialize)]
 #[table(api_token)]
diff --git a/crates/defguard_core/src/enterprise/db/models/openid_provider.rs b/crates/defguard_core/src/enterprise/db/models/openid_provider.rs
index 70fa182087..1d6a563268 100644
--- a/crates/defguard_core/src/enterprise/db/models/openid_provider.rs
+++ b/crates/defguard_core/src/enterprise/db/models/openid_provider.rs
@@ -3,7 +3,7 @@ use std::fmt;
 use model_derive::Model;
 use sqlx::{Error as SqlxError, PgExecutor, PgPool, Type, query, query_as};
 
-use crate::db::{Id, NoId};
+use defguard_common::db::{Id, NoId};
 
 // The behavior when a user is deleted from the directory
 // Keep: Keep the user, despite being deleted from the external provider's directory
diff --git a/crates/defguard_core/src/enterprise/db/models/snat.rs b/crates/defguard_core/src/enterprise/db/models/snat.rs
index 127da55bf9..68b7b71c56 100644
--- a/crates/defguard_core/src/enterprise/db/models/snat.rs
+++ b/crates/defguard_core/src/enterprise/db/models/snat.rs
@@ -5,10 +5,8 @@ use serde::{Deserialize, Serialize};
 use sqlx::{PgExecutor, query_as};
 use utoipa::ToSchema;
 
-use crate::{
-    db::{Id, NoId},
-    enterprise::snat::error::UserSnatBindingError,
-};
+use crate::enterprise::snat::error::UserSnatBindingError;
+use defguard_common::db::{Id, NoId};
 
 #[derive(Clone, Debug, Deserialize, Model, Serialize, ToSchema)]
 #[table(user_snat_binding)]
diff --git a/crates/defguard_core/src/enterprise/directory_sync/mod.rs b/crates/defguard_core/src/enterprise/directory_sync/mod.rs
index 78e25f8a96..70ddd638ce 100644
--- a/crates/defguard_core/src/enterprise/directory_sync/mod.rs
+++ b/crates/defguard_core/src/enterprise/directory_sync/mod.rs
@@ -3,6 +3,7 @@ use std::{
     time::Duration,
 };
 
+use defguard_common::db::Id;
 use paste::paste;
 use reqwest::header::AUTHORIZATION;
 use sqlx::{PgPool, error::Error as SqlxError};
@@ -16,7 +17,7 @@ use super::{
     ldap::utils::ldap_update_users_state,
 };
 use crate::{
-    db::{GatewayEvent, Group, Id, User},
+    db::{GatewayEvent, Group, User},
     enterprise::{
         db::models::openid_provider::DirectorySyncUserBehavior,
         ldap::utils::{ldap_add_users_to_groups, ldap_delete_users, ldap_remove_users_from_groups},
diff --git a/crates/defguard_core/src/enterprise/directory_sync/tests.rs b/crates/defguard_core/src/enterprise/directory_sync/tests.rs
index 54df5c6a2c..d6ae4f4beb 100644
--- a/crates/defguard_core/src/enterprise/directory_sync/tests.rs
+++ b/crates/defguard_core/src/enterprise/directory_sync/tests.rs
@@ -2,6 +2,13 @@
 mod test {
     use std::str::FromStr;
 
+    use defguard_common::{
+        config::{DefGuardConfig, SERVER_CONFIG},
+        db::{
+            models::{Settings, settings::initialize_current_settings},
+            setup_pool,
+        },
+    };
     use ipnetwork::IpNetwork;
     use secrecy::ExposeSecret;
     use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
@@ -9,15 +16,9 @@ mod test {
 
     use super::super::*;
     use crate::{
-        SERVER_CONFIG,
-        config::DefGuardConfig,
         db::{
-            Device, Session, SessionState, Settings, WireguardNetwork,
-            models::{
-                device::DeviceType, settings::initialize_current_settings,
-                wireguard::LocationMfaMode,
-            },
-            setup_pool,
+            Device, Session, SessionState, WireguardNetwork,
+            models::{device::DeviceType, wireguard::LocationMfaMode},
         },
         enterprise::db::models::openid_provider::DirectorySyncTarget,
     };
diff --git a/crates/defguard_core/src/enterprise/firewall/mod.rs b/crates/defguard_core/src/enterprise/firewall/mod.rs
index 4611be8acf..a87f9110ac 100644
--- a/crates/defguard_core/src/enterprise/firewall/mod.rs
+++ b/crates/defguard_core/src/enterprise/firewall/mod.rs
@@ -3,6 +3,7 @@ use std::{
     ops::RangeInclusive,
 };
 
+use defguard_common::db::{Id, models::ModelError};
 use ipnetwork::IpNetwork;
 use sqlx::{Error as SqlxError, PgConnection, query_as, query_scalar};
 
@@ -14,16 +15,16 @@ use super::{
     utils::merge_ranges,
 };
 use crate::{
-    db::{Device, Id, User, WireguardNetwork, models::error::ModelError},
+    db::{Device, User, WireguardNetwork},
     enterprise::{
         db::models::{acl::AliasKind, snat::UserSnatBinding},
         is_enterprise_enabled,
     },
-    grpc::proto::enterprise::firewall::{
-        FirewallConfig, FirewallPolicy, FirewallRule, IpAddress, IpRange, IpVersion, Port,
-        PortRange as PortRangeProto, SnatBinding as SnatBindingProto, ip_address::Address,
-        port::Port as PortInner,
-    },
+};
+use defguard_proto::enterprise::firewall::{
+    FirewallConfig, FirewallPolicy, FirewallRule, IpAddress, IpRange, IpVersion, Port,
+    PortRange as PortRangeProto, SnatBinding as SnatBindingProto, ip_address::Address,
+    port::Port as PortInner,
 };
 
 #[derive(Debug, thiserror::Error)]
diff --git a/crates/defguard_core/src/enterprise/firewall/tests.rs b/crates/defguard_core/src/enterprise/firewall/tests.rs
index d286e4a1c2..0785fb85fc 100644
--- a/crates/defguard_core/src/enterprise/firewall/tests.rs
+++ b/crates/defguard_core/src/enterprise/firewall/tests.rs
@@ -1,6 +1,7 @@
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
 
 use chrono::{DateTime, NaiveDateTime};
+use defguard_common::db::{Id, NoId, setup_pool};
 use ipnetwork::{IpNetwork, Ipv6Network};
 use rand::{Rng, thread_rng};
 use sqlx::{
@@ -15,9 +16,8 @@ use super::{
 };
 use crate::{
     db::{
-        Device, Group, Id, NoId, User, WireguardNetwork,
+        Device, Group, User, WireguardNetwork,
         models::device::{DeviceType, WireguardNetworkDevice},
-        setup_pool,
     },
     enterprise::{
         db::models::acl::{
@@ -26,10 +26,10 @@ use crate::{
         },
         firewall::{get_source_addrs, get_source_network_devices},
     },
-    grpc::proto::enterprise::firewall::{
-        FirewallPolicy, IpAddress, IpRange, IpVersion, Port, PortRange as PortRangeProto, Protocol,
-        ip_address::Address, port::Port as PortInner,
-    },
+};
+use defguard_proto::enterprise::firewall::{
+    FirewallPolicy, IpAddress, IpRange, IpVersion, Port, PortRange as PortRangeProto, Protocol,
+    ip_address::Address, port::Port as PortInner,
 };
 
 impl Default for AclRuleDestinationRange<Id> {
diff --git a/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs b/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs
index 069d1fd86d..f48e012554 100644
--- a/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs
+++ b/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs
@@ -10,10 +10,10 @@ use crate::{
     events::{BidiRequestContext, BidiStreamEvent, BidiStreamEventType, DesktopClientMfaEvent},
     grpc::{
         client_mfa::{ClientLoginSession, ClientMfaServer},
-        proto::proxy::{ClientMfaOidcAuthenticateRequest, DeviceInfo, MfaMethod},
         utils::parse_client_info,
     },
 };
+use defguard_proto::proxy::{ClientMfaOidcAuthenticateRequest, DeviceInfo, MfaMethod};
 
 impl ClientMfaServer {
     #[instrument(skip_all)]
diff --git a/crates/defguard_core/src/enterprise/grpc/polling.rs b/crates/defguard_core/src/enterprise/grpc/polling.rs
index b7c7eacef7..782ca70fab 100644
--- a/crates/defguard_core/src/enterprise/grpc/polling.rs
+++ b/crates/defguard_core/src/enterprise/grpc/polling.rs
@@ -1,14 +1,13 @@
+use defguard_common::db::Id;
 use sqlx::PgPool;
 use tonic::Status;
 
 use crate::{
-    db::{Device, Id, User, models::polling_token::PollingToken},
+    db::{Device, User, models::polling_token::PollingToken},
     enterprise::is_enterprise_enabled,
-    grpc::{
-        proto::proxy::{InstanceInfoRequest, InstanceInfoResponse},
-        utils::build_device_config_response,
-    },
+    grpc::utils::build_device_config_response,
 };
+use defguard_proto::proxy::{InstanceInfoRequest, InstanceInfoResponse};
 
 pub struct PollingServer {
     pool: PgPool,
diff --git a/crates/defguard_core/src/enterprise/handlers/acl.rs b/crates/defguard_core/src/enterprise/handlers/acl.rs
index d2ce367206..953550e1cb 100644
--- a/crates/defguard_core/src/enterprise/handlers/acl.rs
+++ b/crates/defguard_core/src/enterprise/handlers/acl.rs
@@ -4,13 +4,13 @@ use axum::{
     http::StatusCode,
 };
 use chrono::NaiveDateTime;
+use defguard_common::db::Id;
 use serde_json::{Value, json};
 
 use super::LicenseInfo;
 use crate::{
     appstate::AppState,
     auth::{AdminRole, SessionInfo},
-    db::Id,
     enterprise::db::models::acl::{
         AclAlias, AclAliasInfo, AclRule, AclRuleInfo, AliasKind, AliasState, Protocol, RuleState,
     },
diff --git a/crates/defguard_core/src/enterprise/handlers/activity_log_stream.rs b/crates/defguard_core/src/enterprise/handlers/activity_log_stream.rs
index feca06d5b1..f125fddf5e 100644
--- a/crates/defguard_core/src/enterprise/handlers/activity_log_stream.rs
+++ b/crates/defguard_core/src/enterprise/handlers/activity_log_stream.rs
@@ -9,13 +9,13 @@ use super::LicenseInfo;
 use crate::{
     appstate::AppState,
     auth::{AdminRole, SessionInfo},
-    db::{Id, NoId},
     enterprise::db::models::activity_log_stream::{
         ActivityLogStream, ActivityLogStreamConfig, ActivityLogStreamType,
     },
     events::{ApiEvent, ApiEventType, ApiRequestContext},
     handlers::{ApiResponse, ApiResult},
 };
+use defguard_common::db::{Id, NoId};
 
 pub async fn get_activity_log_stream(
     _admin: AdminRole,
diff --git a/crates/defguard_core/src/enterprise/handlers/api_tokens.rs b/crates/defguard_core/src/enterprise/handlers/api_tokens.rs
index d76a3488ea..12132fbc7e 100644
--- a/crates/defguard_core/src/enterprise/handlers/api_tokens.rs
+++ b/crates/defguard_core/src/enterprise/handlers/api_tokens.rs
@@ -15,8 +15,8 @@ use crate::{
     error::WebError,
     events::{ApiEvent, ApiEventType, ApiRequestContext},
     handlers::{ApiResponse, ApiResult, user_for_admin_or_self},
-    random::gen_alphanumeric,
 };
+use defguard_common::random::gen_alphanumeric;
 
 const API_TOKEN_LENGTH: usize = 32;
 
diff --git a/crates/defguard_core/src/enterprise/handlers/openid_login.rs b/crates/defguard_core/src/enterprise/handlers/openid_login.rs
index 0eadebbe0c..2f3743b196 100644
--- a/crates/defguard_core/src/enterprise/handlers/openid_login.rs
+++ b/crates/defguard_core/src/enterprise/handlers/openid_login.rs
@@ -9,6 +9,13 @@ use axum_extra::{
     headers::UserAgent,
 };
 use base64::{Engine, prelude::BASE64_STANDARD};
+use defguard_common::{
+    config::server_config,
+    db::{
+        Id,
+        models::{Settings, settings::OpenidUsernameHandling},
+    },
+};
 use openidconnect::{
     AuthorizationCode, ClientId, ClientSecret, CsrfToken, EndpointMaybeSet, EndpointNotSet,
     EndpointSet, IssuerUrl, Nonce, OAuth2TokenResponse, RedirectUrl, Scope,
@@ -29,7 +36,7 @@ pub(crate) const SELECT_ACCOUNT_SUPPORTED_PROVIDERS: &[&str] = &["Google"];
 use super::LicenseInfo;
 use crate::{
     appstate::AppState,
-    db::{Id, Settings, User, models::settings::OpenidUsernameHandling},
+    db::User,
     enterprise::{
         db::models::openid_provider::OpenIdProvider,
         directory_sync::sync_user_groups_if_configured, ldap::utils::ldap_update_user_state,
@@ -40,7 +47,6 @@ use crate::{
         ApiResponse, AuthResponse, SESSION_COOKIE_NAME, SIGN_IN_COOKIE_NAME, auth::create_session,
         user::check_username,
     },
-    server_config,
 };
 
 /// Prune the given username from illegal characters in accordance with the following rules:
diff --git a/crates/defguard_core/src/enterprise/handlers/openid_providers.rs b/crates/defguard_core/src/enterprise/handlers/openid_providers.rs
index 51d300116f..f5bbc3403b 100644
--- a/crates/defguard_core/src/enterprise/handlers/openid_providers.rs
+++ b/crates/defguard_core/src/enterprise/handlers/openid_providers.rs
@@ -3,6 +3,10 @@ use axum::{
     extract::{Path, State},
     http::StatusCode,
 };
+use defguard_common::db::models::{
+    Settings,
+    settings::{OpenidUsernameHandling, update_current_settings},
+};
 use rsa::{RsaPrivateKey, pkcs8::DecodePrivateKey};
 use serde_json::json;
 
@@ -10,13 +14,7 @@ use super::LicenseInfo;
 use crate::{
     appstate::AppState,
     auth::{AdminRole, SessionInfo},
-    db::{
-        Settings, WireguardNetwork,
-        models::{
-            settings::{OpenidUsernameHandling, update_current_settings},
-            wireguard::LocationMfaMode,
-        },
-    },
+    db::{WireguardNetwork, models::wireguard::LocationMfaMode},
     enterprise::{
         db::models::openid_provider::OpenIdProvider, directory_sync::test_directory_sync_connection,
     },
diff --git a/crates/defguard_core/src/enterprise/ldap/client.rs b/crates/defguard_core/src/enterprise/ldap/client.rs
index 6e029ac291..36a5f1b0d9 100644
--- a/crates/defguard_core/src/enterprise/ldap/client.rs
+++ b/crates/defguard_core/src/enterprise/ldap/client.rs
@@ -10,10 +10,8 @@ use ldap3::{
 };
 
 use super::error::LdapError;
-use crate::{
-    db::{Settings, User},
-    enterprise::ldap::model::extract_rdn_value,
-};
+use crate::{db::User, enterprise::ldap::model::extract_rdn_value};
+use defguard_common::db::models::Settings;
 
 impl super::LDAPConnection {
     pub(crate) async fn create() -> Result<super::LDAPConnection, LdapError> {
diff --git a/crates/defguard_core/src/enterprise/ldap/hash.rs b/crates/defguard_core/src/enterprise/ldap/hash.rs
index a5b47dbb8e..ddb6d4c8d6 100644
--- a/crates/defguard_core/src/enterprise/ldap/hash.rs
+++ b/crates/defguard_core/src/enterprise/ldap/hash.rs
@@ -1,4 +1,5 @@
 use base64::Engine;
+use defguard_common::hex::to_lower_hex;
 use md4::Md4;
 use rand::{RngCore, rngs::OsRng};
 use sha1::{
@@ -6,8 +7,6 @@ use sha1::{
     digest::generic_array::{GenericArray, sequence::Concat},
 };
 
-use crate::hex::to_lower_hex;
-
 /// Calculate salted SHA1 hash from given password in SSHA password storage scheme.
 #[must_use]
 pub fn salted_sha1_hash(password: &str) -> String {
diff --git a/crates/defguard_core/src/enterprise/ldap/mod.rs b/crates/defguard_core/src/enterprise/ldap/mod.rs
index c4ab28da63..17152ee73d 100644
--- a/crates/defguard_core/src/enterprise/ldap/mod.rs
+++ b/crates/defguard_core/src/enterprise/ldap/mod.rs
@@ -1,16 +1,23 @@
 use std::{collections::HashSet, future::Future};
 
+use defguard_common::db::{
+    Id,
+    models::{
+        Settings,
+        settings::{LdapSyncStatus, update_current_settings},
+    },
+};
 #[cfg(not(test))]
 use ldap3::Ldap;
 use ldap3::{Mod, SearchEntry, ldap_escape};
 use model::UserObjectClass;
 use rand::Rng;
 use sqlx::PgPool;
-use sync::{SyncStatus, get_ldap_sync_status, is_ldap_desynced, set_ldap_sync_status};
+use sync::{get_ldap_sync_status, is_ldap_desynced, set_ldap_sync_status};
 
 use self::error::LdapError;
 use crate::{
-    db::{self, Id, Settings, User, models::settings::update_current_settings},
+    db::{self, User},
     enterprise::{is_enterprise_enabled, ldap::model::extract_dn_path, limits::update_counts},
 };
 
@@ -36,8 +43,8 @@ pub(crate) async fn do_ldap_sync(pool: &PgPool) -> Result<(), LdapError> {
     // doesn't matter for the sync status if we can't pull changes.
     if !settings.ldap_enabled {
         debug!("LDAP is disabled, not performing LDAP sync");
-        if get_ldap_sync_status() == SyncStatus::InSync {
-            set_ldap_sync_status(SyncStatus::OutOfSync, pool).await?;
+        if get_ldap_sync_status() == LdapSyncStatus::InSync {
+            set_ldap_sync_status(LdapSyncStatus::OutOfSync, pool).await?;
         }
         return Ok(());
     }
@@ -68,16 +75,16 @@ pub(crate) async fn do_ldap_sync(pool: &PgPool) -> Result<(), LdapError> {
     let mut ldap_connection = match LDAPConnection::create().await {
         Ok(connection) => connection,
         Err(err) => {
-            set_ldap_sync_status(SyncStatus::OutOfSync, pool).await?;
+            set_ldap_sync_status(LdapSyncStatus::OutOfSync, pool).await?;
             return Err(err);
         }
     };
 
     if let Err(err) = ldap_connection.sync(pool, is_ldap_desynced()).await {
-        set_ldap_sync_status(SyncStatus::OutOfSync, pool).await?;
+        set_ldap_sync_status(LdapSyncStatus::OutOfSync, pool).await?;
         return Err(err);
     }
-    set_ldap_sync_status(SyncStatus::InSync, pool).await?;
+    set_ldap_sync_status(LdapSyncStatus::InSync, pool).await?;
 
     let _ = update_counts(pool).await;
 
@@ -95,17 +102,17 @@ where
     let settings = Settings::get_current_settings();
     if !is_enterprise_enabled() {
         info!("Enterprise features are disabled, not performing LDAP operation");
-        set_ldap_sync_status(SyncStatus::OutOfSync, pool).await?;
+        set_ldap_sync_status(LdapSyncStatus::OutOfSync, pool).await?;
         return Err(LdapError::EnterpriseDisabled("LDAP".to_string()));
     }
 
     if !settings.ldap_enabled {
         debug!("LDAP is disabled, not performing LDAP operation");
-        set_ldap_sync_status(SyncStatus::OutOfSync, pool).await?;
+        set_ldap_sync_status(LdapSyncStatus::OutOfSync, pool).await?;
         return Err(LdapError::MissingSettings("LDAP is disabled".into()));
     }
 
-    if settings.ldap_sync_enabled && get_ldap_sync_status() == SyncStatus::OutOfSync {
+    if settings.ldap_sync_enabled && get_ldap_sync_status() == LdapSyncStatus::OutOfSync {
         warn!("LDAP is considered to be desynced, not performing LDAP operation");
         return Err(LdapError::Desynced);
     }
@@ -114,7 +121,7 @@ where
         Ok(result) => Ok(result),
         Err(e) => {
             warn!("Encountered an error while performing LDAP operation: {e:?}");
-            if let Err(status_err) = set_ldap_sync_status(SyncStatus::OutOfSync, pool).await {
+            if let Err(status_err) = set_ldap_sync_status(LdapSyncStatus::OutOfSync, pool).await {
                 warn!("Failed to update LDAP sync status: {status_err:?}");
             }
 
diff --git a/crates/defguard_core/src/enterprise/ldap/model.rs b/crates/defguard_core/src/enterprise/ldap/model.rs
index bfb3a20561..79a295732d 100644
--- a/crates/defguard_core/src/enterprise/ldap/model.rs
+++ b/crates/defguard_core/src/enterprise/ldap/model.rs
@@ -1,14 +1,11 @@
 use std::collections::HashSet;
 
+use defguard_common::db::{Id, models::Settings};
 use ldap3::{Mod, SearchEntry};
 use sqlx::{Error as SqlxError, PgExecutor};
 
 use super::{LDAPConfig, error::LdapError};
-use crate::{
-    db::{Id, Settings, User},
-    handlers::user::check_username,
-    hashset,
-};
+use crate::{db::User, handlers::user::check_username, hashset};
 
 pub(crate) enum UserObjectClass {
     SambaSamAccount,
diff --git a/crates/defguard_core/src/enterprise/ldap/sync.rs b/crates/defguard_core/src/enterprise/ldap/sync.rs
index d7a795b6f5..f1dbeb27e1 100644
--- a/crates/defguard_core/src/enterprise/ldap/sync.rs
+++ b/crates/defguard_core/src/enterprise/ldap/sync.rs
@@ -54,11 +54,18 @@
 //!
 use std::collections::{HashMap, HashSet};
 
-use sqlx::{PgConnection, PgPool, Type};
+use defguard_common::db::{
+    Id,
+    models::{
+        Settings,
+        settings::{LdapSyncStatus, update_current_settings},
+    },
+};
+use sqlx::{PgConnection, PgPool};
 
 use super::{LDAPConfig, error::LdapError};
 use crate::{
-    db::{Group, Id, Settings, User, models::settings::update_current_settings},
+    db::{Group, User},
     hashset,
 };
 
@@ -85,28 +92,13 @@ pub enum Authority {
     Defguard,
 }
 
-#[derive(Clone, Debug, Copy, Eq, PartialEq, Deserialize, Serialize, Default, Type)]
-#[sqlx(type_name = "ldap_sync_status", rename_all = "lowercase")]
-pub enum SyncStatus {
-    InSync,
-    #[default]
-    OutOfSync,
-}
-
-impl SyncStatus {
-    #[must_use]
-    pub fn is_out_of_sync(&self) -> bool {
-        matches!(self, SyncStatus::OutOfSync)
-    }
-}
-
 #[must_use]
-pub fn get_ldap_sync_status() -> SyncStatus {
+pub fn get_ldap_sync_status() -> LdapSyncStatus {
     let settings = Settings::get_current_settings();
     settings.ldap_sync_status
 }
 
-pub async fn set_ldap_sync_status(status: SyncStatus, pool: &PgPool) -> Result<(), LdapError> {
+pub async fn set_ldap_sync_status(status: LdapSyncStatus, pool: &PgPool) -> Result<(), LdapError> {
     debug!("Setting LDAP sync status to {status:?}");
     let mut settings = Settings::get_current_settings();
     settings.ldap_sync_status = status;
diff --git a/crates/defguard_core/src/enterprise/ldap/tests.rs b/crates/defguard_core/src/enterprise/ldap/tests.rs
index 8d9d47fe4b..580573c416 100644
--- a/crates/defguard_core/src/enterprise/ldap/tests.rs
+++ b/crates/defguard_core/src/enterprise/ldap/tests.rs
@@ -1,15 +1,12 @@
 use std::collections::HashMap;
 
+use defguard_common::db::{models::settings::initialize_current_settings, setup_pool};
 use ldap3::SearchEntry;
 use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
 use super::*;
 use crate::{
-    db::{
-        Group, User,
-        models::settings::{Settings, initialize_current_settings, update_current_settings},
-        setup_pool,
-    },
+    db::{Group, User},
     enterprise::ldap::{
         model::extract_rdn_value,
         sync::{
diff --git a/crates/defguard_core/src/enterprise/ldap/utils.rs b/crates/defguard_core/src/enterprise/ldap/utils.rs
index d952e8e22f..4ddc7bc8e6 100644
--- a/crates/defguard_core/src/enterprise/ldap/utils.rs
+++ b/crates/defguard_core/src/enterprise/ldap/utils.rs
@@ -3,11 +3,12 @@
 
 use std::collections::{HashMap, HashSet};
 
+use defguard_common::db::Id;
 use sqlx::PgPool;
 
 use super::{LDAPConnection, error::LdapError};
 use crate::{
-    db::{Group, Id, User},
+    db::{Group, User},
     enterprise::ldap::with_ldap_status,
 };
 
diff --git a/crates/defguard_core/src/enterprise/license.rs b/crates/defguard_core/src/enterprise/license.rs
index 420bdac777..ea27ea3aba 100644
--- a/crates/defguard_core/src/enterprise/license.rs
+++ b/crates/defguard_core/src/enterprise/license.rs
@@ -14,12 +14,12 @@ use thiserror::Error;
 use tokio::time::sleep;
 
 use super::limits::Counts;
-use crate::{
+use crate::grpc::proto::enterprise::license::{LicenseKey, LicenseLimits, LicenseMetadata};
+use defguard_common::{
     VERSION,
-    db::{Settings, models::settings::update_current_settings},
+    config::server_config,
+    db::models::{Settings, settings::update_current_settings},
     global_value,
-    grpc::proto::enterprise::license::{LicenseKey, LicenseLimits, LicenseMetadata},
-    server_config,
 };
 
 const LICENSE_SERVER_URL: &str = "https://pkgs.defguard.net/api/license/renew";
diff --git a/crates/defguard_core/src/enterprise/limits.rs b/crates/defguard_core/src/enterprise/limits.rs
index 51a006a682..6e7d0f66b7 100644
--- a/crates/defguard_core/src/enterprise/limits.rs
+++ b/crates/defguard_core/src/enterprise/limits.rs
@@ -1,9 +1,10 @@
+use defguard_common::global_value;
 use sqlx::{PgPool, error::Error as SqlxError, query};
 
 use super::license::License;
 #[cfg(test)]
 use super::license::get_cached_license;
-use crate::{global_value, grpc::proto::enterprise::license::LicenseLimits};
+use crate::grpc::proto::enterprise::license::LicenseLimits;
 
 // Limits for free users
 pub const DEFAULT_USERS_LIMIT: u32 = 5;
diff --git a/crates/defguard_core/src/enterprise/snat/handlers.rs b/crates/defguard_core/src/enterprise/snat/handlers.rs
index 3b9e71adbf..3db0d81760 100644
--- a/crates/defguard_core/src/enterprise/snat/handlers.rs
+++ b/crates/defguard_core/src/enterprise/snat/handlers.rs
@@ -4,6 +4,7 @@ use axum::{
     Json,
     extract::{Path, State},
 };
+use defguard_common::db::Id;
 use reqwest::StatusCode;
 use serde::{Deserialize, Serialize};
 use serde_json::json;
@@ -12,7 +13,7 @@ use utoipa::ToSchema;
 use crate::{
     appstate::AppState,
     auth::{AdminRole, SessionInfo},
-    db::{GatewayEvent, Id, User, WireguardNetwork},
+    db::{GatewayEvent, User, WireguardNetwork},
     enterprise::{
         db::models::snat::UserSnatBinding, handlers::LicenseInfo, snat::error::UserSnatBindingError,
     },
diff --git a/crates/defguard_core/src/error.rs b/crates/defguard_core/src/error.rs
index bcd9e7f250..e58a2f8876 100644
--- a/crates/defguard_core/src/error.rs
+++ b/crates/defguard_core/src/error.rs
@@ -1,4 +1,6 @@
 use axum::http::StatusCode;
+use defguard_common::db::models::{ModelError, settings::SettingsValidationError};
+use defguard_mail::templates::TemplateError;
 use sqlx::error::Error as SqlxError;
 use thiserror::Error;
 use tokio::sync::mpsc::error::SendError;
@@ -6,17 +8,13 @@ use utoipa::ToSchema;
 
 use crate::{
     auth::failed_login::FailedLoginError,
-    db::models::{
-        device::DeviceError, enrollment::TokenError, error::ModelError,
-        settings::SettingsValidationError, wireguard::WireguardNetworkError,
-    },
+    db::models::{device::DeviceError, enrollment::TokenError, wireguard::WireguardNetworkError},
     enterprise::{
         activity_log_stream::error::ActivityLogStreamError, db::models::acl::AclError,
         firewall::FirewallError, ldap::error::LdapError, license::LicenseError,
     },
     events::ApiEvent,
     grpc::gateway::map::GatewayMapError,
-    templates::TemplateError,
 };
 
 /// Represents kinds of error that occurred
diff --git a/crates/defguard_core/src/events.rs b/crates/defguard_core/src/events.rs
index 59c3d9ffcf..68bc260a72 100644
--- a/crates/defguard_core/src/events.rs
+++ b/crates/defguard_core/src/events.rs
@@ -1,19 +1,22 @@
 use std::net::IpAddr;
 
 use chrono::{NaiveDateTime, Utc};
-use serde::Serialize;
+use defguard_common::db::{
+    Id,
+    models::{AuthenticationKey, MFAMethod, Settings},
+};
 
 use crate::{
     db::{
-        Device, Group, Id, MFAMethod, Settings, User, WebAuthn, WebHook, WireguardNetwork,
-        models::{authentication_key::AuthenticationKey, oauth2client::OAuth2Client},
+        Device, Group, User, WebAuthn, WebHook, WireguardNetwork,
+        models::oauth2client::OAuth2Client,
     },
     enterprise::db::models::{
         activity_log_stream::ActivityLogStream, api_tokens::ApiToken,
         openid_provider::OpenIdProvider, snat::UserSnatBinding,
     },
-    grpc::proto::proxy::MfaMethod,
 };
+use defguard_proto::proxy::MfaMethod;
 
 /// Shared context that needs to be added to every API event
 ///
@@ -383,23 +386,6 @@ pub enum PasswordResetEvent {
 
 pub type ClientMFAMethod = MfaMethod;
 
-impl Serialize for ClientMFAMethod {
-    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
-    where
-        S: serde::Serializer,
-    {
-        match *self {
-            MfaMethod::Totp => serializer.serialize_unit_variant("MfaMethod", 0, "Totp"),
-            MfaMethod::Email => serializer.serialize_unit_variant("MfaMethod", 1, "Email"),
-            MfaMethod::Oidc => serializer.serialize_unit_variant("MfaMethod", 2, "Oidc"),
-            MfaMethod::Biometric => serializer.serialize_unit_variant("MfaMethod", 3, "Biometric"),
-            MfaMethod::MobileApprove => {
-                serializer.serialize_unit_variant("MfaMethod", 4, "MobileApprove")
-            }
-        }
-    }
-}
-
 #[derive(Debug)]
 pub enum DesktopClientMfaEvent {
     Connected {
diff --git a/crates/defguard_core/src/grpc/auth.rs b/crates/defguard_core/src/grpc/auth.rs
index 99ebd75608..c8099389f6 100644
--- a/crates/defguard_core/src/grpc/auth.rs
+++ b/crates/defguard_core/src/grpc/auth.rs
@@ -1,20 +1,17 @@
 use std::sync::{Arc, Mutex};
 
+use defguard_common::auth::claims::{Claims, ClaimsType};
+use defguard_proto::auth::{AuthenticateRequest, AuthenticateResponse, auth_service_server};
 use jsonwebtoken::errors::Error as JWTError;
 use sqlx::PgPool;
 use tonic::{Request, Response, Status};
 
 use crate::{
-    auth::{
-        Claims, ClaimsType,
-        failed_login::{FailedLoginMap, check_failed_logins, log_failed_login_attempt},
-    },
+    auth::failed_login::{FailedLoginMap, check_failed_logins, log_failed_login_attempt},
     db::User,
     server_config,
 };
 
-tonic::include_proto!("auth");
-
 pub struct AuthServer {
     pool: PgPool,
     failed_logins: Arc<Mutex<FailedLoginMap>>,
diff --git a/crates/defguard_core/src/grpc/client_mfa.rs b/crates/defguard_core/src/grpc/client_mfa.rs
index f7ac11e548..0f911e853a 100644
--- a/crates/defguard_core/src/grpc/client_mfa.rs
+++ b/crates/defguard_core/src/grpc/client_mfa.rs
@@ -1,6 +1,14 @@
 use std::collections::HashMap;
 
 use chrono::Utc;
+use defguard_common::{
+    auth::claims::{Claims, ClaimsType},
+    db::{
+        Id,
+        models::{BiometricAuth, BiometricChallenge},
+    },
+};
+use defguard_mail::Mail;
 use sqlx::PgPool;
 use thiserror::Error;
 use tokio::sync::{
@@ -9,28 +17,23 @@ use tokio::sync::{
 };
 use tonic::{Code, Status};
 
-use super::proto::proxy::{
-    self, ClientMfaFinishRequest, ClientMfaFinishResponse, ClientMfaStartRequest,
-    ClientMfaStartResponse, MfaMethod,
-};
 use crate::{
-    auth::{Claims, ClaimsType},
     db::{
-        Device, GatewayEvent, Id, User, UserInfo, WireguardNetwork,
+        Device, GatewayEvent, User, UserInfo, WireguardNetwork,
         models::{
-            biometric_auth::{BiometricAuth, BiometricChallenge},
             device::{DeviceInfo, DeviceNetworkInfo, WireguardNetworkDevice},
             wireguard::LocationMfaMode,
         },
     },
     enterprise::{db::models::openid_provider::OpenIdProvider, is_enterprise_enabled},
     events::{BidiRequestContext, BidiStreamEvent, BidiStreamEventType, DesktopClientMfaEvent},
-    grpc::{
-        proto::proxy::{ClientMfaTokenValidationRequest, ClientMfaTokenValidationResponse},
-        utils::parse_client_info,
-    },
+    grpc::utils::parse_client_info,
     handlers::mail::send_email_mfa_code_email,
-    mail::Mail,
+};
+use defguard_proto::proxy::{
+    self, ClientMfaFinishRequest, ClientMfaFinishResponse, ClientMfaStartRequest,
+    ClientMfaStartResponse, ClientMfaTokenValidationRequest, ClientMfaTokenValidationResponse,
+    MfaMethod,
 };
 
 const CLIENT_SESSION_TIMEOUT: u64 = 60 * 5; // 10 minutes
diff --git a/crates/defguard_core/src/grpc/enrollment.rs b/crates/defguard_core/src/grpc/enrollment.rs
index 3947b1dc66..f677017868 100644
--- a/crates/defguard_core/src/grpc/enrollment.rs
+++ b/crates/defguard_core/src/grpc/enrollment.rs
@@ -1,5 +1,16 @@
 use std::collections::HashSet;
 
+use defguard_common::{
+    csv::AsCsv,
+    db::{
+        Id,
+        models::{BiometricAuth, MFAMethod, Settings},
+    },
+};
+use defguard_mail::{
+    Mail,
+    templates::{self, TemplateLocation},
+};
 use sqlx::{PgPool, Transaction, query_scalar};
 use tokio::sync::{
     broadcast::Sender,
@@ -7,20 +18,11 @@ use tokio::sync::{
 };
 use tonic::Status;
 
-use super::{
-    InstanceInfo,
-    proto::proxy::{
-        ActivateUserRequest, AdminInfo, Device as ProtoDevice, DeviceConfig as ProtoDeviceConfig,
-        DeviceConfigResponse, EnrollmentStartRequest, EnrollmentStartResponse, ExistingDevice,
-        InitialUserInfo, NewDevice,
-    },
-};
+use super::InstanceInfo;
 use crate::{
-    AsCsv,
     db::{
-        Device, GatewayEvent, Id, MFAMethod, Settings, User, WireguardNetwork,
+        Device, GatewayEvent, User, WireguardNetwork,
         models::{
-            biometric_auth::BiometricAuth,
             device::{DeviceConfig, DeviceInfo, DeviceType},
             enrollment::{ENROLLMENT_TOKEN_TYPE, Token, TokenError},
             polling_token::PollingToken,
@@ -33,14 +35,7 @@ use crate::{
         limits::update_counts,
     },
     events::{BidiRequestContext, BidiStreamEvent, BidiStreamEventType, EnrollmentEvent},
-    grpc::{
-        proto::proxy::{
-            CodeMfaSetupFinishRequest, CodeMfaSetupFinishResponse, CodeMfaSetupStartRequest,
-            CodeMfaSetupStartResponse, LocationMfaMode as ProtoLocationMfaMode, MfaMethod,
-            RegisterMobileAuthRequest,
-        },
-        utils::{build_device_config_response, new_polling_token, parse_client_info},
-    },
+    grpc::utils::{build_device_config_response, new_polling_token, parse_client_info},
     handlers::{
         mail::{
             send_email_mfa_activation_email, send_mfa_configured_email, send_new_device_added_email,
@@ -48,10 +43,14 @@ use crate::{
         user::check_password_strength,
     },
     headers::get_device_info,
-    is_valid_phone_number,
-    mail::Mail,
-    server_config,
-    templates::{self, TemplateLocation},
+    is_valid_phone_number, server_config,
+};
+use defguard_proto::proxy::{
+    ActivateUserRequest, AdminInfo, CodeMfaSetupFinishRequest, CodeMfaSetupFinishResponse,
+    CodeMfaSetupStartRequest, CodeMfaSetupStartResponse, Device as ProtoDevice,
+    DeviceConfig as ProtoDeviceConfig, DeviceConfigResponse, EnrollmentStartRequest,
+    EnrollmentStartResponse, ExistingDevice, InitialUserInfo,
+    LocationMfaMode as ProtoLocationMfaMode, MfaMethod, NewDevice, RegisterMobileAuthRequest,
 };
 
 pub(super) struct EnrollmentServer {
@@ -131,7 +130,7 @@ impl EnrollmentServer {
     pub async fn start_enrollment(
         &self,
         request: EnrollmentStartRequest,
-        info: Option<super::proto::proxy::DeviceInfo>,
+        info: Option<defguard_proto::proxy::DeviceInfo>,
     ) -> Result<EnrollmentStartResponse, Status> {
         debug!("Starting enrollment session, request: {request:?}");
         // fetch enrollment token
@@ -231,7 +230,7 @@ impl EnrollmentServer {
                 user.username, user.id
             );
             let (username, user_id) = (user.username.clone(), user.id);
-            let user_info = InitialUserInfo::from_user(&self.pool, user)
+            let user_info = initial_info_from_user(&self.pool, user)
                 .await
                 .map_err(|err| {
                     error!(
@@ -264,14 +263,14 @@ impl EnrollmentServer {
             .fetch_one(&self.pool)
             .await
             .map_err(|_| Status::internal("Failed to read data".to_string()))?;
-            let enrollment_settings = super::proto::proxy::EnrollmentSettings {
+            let enrollment_settings = defguard_proto::proxy::EnrollmentSettings {
                 vpn_setup_optional,
                 smtp_configured,
                 only_client_activation: enterprise_settings.only_client_activation,
                 admin_device_management: enterprise_settings.admin_device_management,
                 mfa_required: instance_has_internal_mfa,
             };
-            let response = super::proto::proxy::EnrollmentStartResponse {
+            let response = defguard_proto::proxy::EnrollmentStartResponse {
                 admin: admin_info,
                 user: Some(user_info),
                 deadline_timestamp: session_deadline.and_utc().timestamp(),
@@ -361,7 +360,7 @@ impl EnrollmentServer {
     pub async fn activate_user(
         &self,
         request: ActivateUserRequest,
-        req_device_info: Option<super::proto::proxy::DeviceInfo>,
+        req_device_info: Option<defguard_proto::proxy::DeviceInfo>,
     ) -> Result<(), Status> {
         debug!("Activating user account");
         let enrollment = self.validate_session(request.token.as_ref()).await?;
@@ -484,7 +483,7 @@ impl EnrollmentServer {
     pub async fn create_device(
         &self,
         request: NewDevice,
-        req_device_info: Option<super::proto::proxy::DeviceInfo>,
+        req_device_info: Option<defguard_proto::proxy::DeviceInfo>,
     ) -> Result<DeviceConfigResponse, Status> {
         debug!("Adding new user device");
         let enrollment_token = self.validate_session(request.token.as_ref()).await?;
@@ -1038,24 +1037,25 @@ impl From<User<Id>> for AdminInfo {
     }
 }
 
-impl InitialUserInfo {
-    async fn from_user(pool: &PgPool, user: User<Id>) -> Result<Self, sqlx::Error> {
-        let enrolled = user.is_enrolled();
-        let devices = user.user_devices(pool).await?;
-        let device_names = devices.into_iter().map(|dev| dev.device.name).collect();
-        let is_admin = user.is_admin(pool).await?;
-        Ok(Self {
-            first_name: user.first_name,
-            last_name: user.last_name,
-            login: user.username,
-            email: user.email,
-            phone_number: user.phone,
-            is_active: user.is_active,
-            device_names,
-            enrolled,
-            is_admin,
-        })
-    }
+async fn initial_info_from_user(
+    pool: &PgPool,
+    user: User<Id>,
+) -> Result<InitialUserInfo, sqlx::Error> {
+    let enrolled = user.is_enrolled();
+    let devices = user.user_devices(pool).await?;
+    let device_names = devices.into_iter().map(|dev| dev.device.name).collect();
+    let is_admin = user.is_admin(pool).await?;
+    Ok(InitialUserInfo {
+        first_name: user.first_name,
+        last_name: user.last_name,
+        login: user.username,
+        email: user.email,
+        phone_number: user.phone,
+        is_active: user.is_active,
+        device_names,
+        enrolled,
+        is_admin,
+    })
 }
 
 impl From<DeviceConfig> for ProtoDeviceConfig {
@@ -1143,8 +1143,8 @@ impl Token {
             to: admin.email.clone(),
             subject: "[defguard] User enrollment completed".into(),
             content: templates::enrollment_admin_notification(
-                user,
-                admin,
+                &user.clone().into(),
+                &admin.clone().into(),
                 ip_address,
                 device_info,
             )?,
diff --git a/crates/defguard_core/src/grpc/gateway/client_state.rs b/crates/defguard_core/src/grpc/gateway/client_state.rs
index 76b5439306..1bc49a404c 100644
--- a/crates/defguard_core/src/grpc/gateway/client_state.rs
+++ b/crates/defguard_core/src/grpc/gateway/client_state.rs
@@ -1,11 +1,12 @@
 use std::{collections::HashMap, net::SocketAddr};
 
 use chrono::{NaiveDateTime, TimeDelta, Utc};
+use defguard_common::db::Id;
 use thiserror::Error;
 use tonic::{Code, Status};
 
 use crate::{
-    db::{Device, Id, User, WireguardNetwork, models::wireguard_peer_stats::WireguardPeerStats},
+    db::{Device, User, WireguardNetwork, models::wireguard_peer_stats::WireguardPeerStats},
     events::GrpcRequestContext,
 };
 
diff --git a/crates/defguard_core/src/grpc/gateway/map.rs b/crates/defguard_core/src/grpc/gateway/map.rs
index cef0016cdd..42e665784d 100644
--- a/crates/defguard_core/src/grpc/gateway/map.rs
+++ b/crates/defguard_core/src/grpc/gateway/map.rs
@@ -1,6 +1,7 @@
 use std::collections::HashMap;
 
 use chrono::Utc;
+use defguard_common::db::Id;
 use defguard_version::tracing::VersionInfo;
 use semver::Version;
 use sqlx::PgPool;
@@ -9,7 +10,7 @@ use tokio::sync::mpsc::UnboundedSender;
 use uuid::Uuid;
 
 use super::state::GatewayState;
-use crate::{db::Id, mail::Mail};
+use defguard_mail::Mail;
 
 /// Helper struct used to handle gateway state. Gateways are grouped by network.
 type GatewayHostname = String;
diff --git a/crates/defguard_core/src/grpc/gateway/mod.rs b/crates/defguard_core/src/grpc/gateway/mod.rs
index 39f6fd283d..ca3d668283 100644
--- a/crates/defguard_core/src/grpc/gateway/mod.rs
+++ b/crates/defguard_core/src/grpc/gateway/mod.rs
@@ -7,6 +7,15 @@ use std::{
 
 use chrono::{DateTime, TimeDelta, Utc};
 use client_state::ClientMap;
+use defguard_common::db::{Id, NoId};
+use defguard_mail::Mail;
+use defguard_proto::{
+    enterprise::firewall::FirewallConfig,
+    gateway::{
+        Configuration, ConfigurationRequest, Peer, PeerStats, StatsUpdate, Update,
+        gateway_service_server, stats_update, update,
+    },
+};
 use defguard_version::version_info_from_metadata;
 use semver::Version;
 use sqlx::{Error as SqlxError, PgExecutor, PgPool, query};
@@ -23,18 +32,12 @@ use tokio_stream::Stream;
 use tonic::{Code, Request, Response, Status, metadata::MetadataMap};
 
 use self::map::GatewayMap;
-use super::proto::enterprise::firewall::FirewallConfig;
-pub use crate::grpc::proto::gateway::{
-    Configuration, ConfigurationRequest, Peer, PeerStats, StatsUpdate, Update,
-    gateway_service_server, stats_update, update,
-};
 use crate::{
     db::{
-        Device, GatewayEvent, Id, NoId, User,
+        Device, GatewayEvent, User,
         models::{wireguard::WireguardNetwork, wireguard_peer_stats::WireguardPeerStats},
     },
     events::{GrpcEvent, GrpcRequestContext},
-    mail::Mail,
 };
 
 pub mod client_state;
diff --git a/crates/defguard_core/src/grpc/gateway/state.rs b/crates/defguard_core/src/grpc/gateway/state.rs
index b44fd21c13..7219c30d16 100644
--- a/crates/defguard_core/src/grpc/gateway/state.rs
+++ b/crates/defguard_core/src/grpc/gateway/state.rs
@@ -1,6 +1,8 @@
 use std::time::Duration;
 
 use chrono::NaiveDateTime;
+use defguard_common::db::{Id, models::Settings};
+use defguard_mail::Mail;
 use defguard_version::{DefguardComponent, tracing::VersionInfo};
 use semver::Version;
 use serde::Serialize;
@@ -11,10 +13,8 @@ use utoipa::ToSchema;
 use uuid::Uuid;
 
 use crate::{
-    db::{Id, Settings},
     grpc::MIN_GATEWAY_VERSION,
     handlers::mail::{send_gateway_disconnected_email, send_gateway_reconnected_email},
-    mail::Mail,
 };
 
 #[derive(Clone, Debug, Serialize, ToSchema)]
diff --git a/crates/defguard_core/src/grpc/interceptor.rs b/crates/defguard_core/src/grpc/interceptor.rs
index 51e8a865d9..9267e12d38 100644
--- a/crates/defguard_core/src/grpc/interceptor.rs
+++ b/crates/defguard_core/src/grpc/interceptor.rs
@@ -1,9 +1,7 @@
+use defguard_common::auth::claims::{Claims, ClaimsType};
 use tonic::{Status, service::Interceptor};
 
-use crate::{
-    auth::{Claims, ClaimsType},
-    grpc::{AUTHORIZATION_HEADER, HOSTNAME_HEADER},
-};
+use crate::grpc::{AUTHORIZATION_HEADER, HOSTNAME_HEADER};
 
 /// Auth interceptor used by gRPC services. Verifies JWT token sent
 /// in gRPC metadata under "authorization" key.
diff --git a/crates/defguard_core/src/grpc/mod.rs b/crates/defguard_core/src/grpc/mod.rs
index cf32efd637..0882c47fa5 100644
--- a/crates/defguard_core/src/grpc/mod.rs
+++ b/crates/defguard_core/src/grpc/mod.rs
@@ -3,14 +3,18 @@ use std::{
     fs::read_to_string,
     time::{Duration, Instant},
 };
-#[cfg(any(feature = "wireguard", feature = "worker"))]
 use std::{
     net::{IpAddr, Ipv4Addr, SocketAddr},
     sync::{Arc, Mutex, RwLock},
 };
 
 use axum::http::Uri;
-#[cfg(feature = "wireguard")]
+use defguard_common::{
+    VERSION,
+    auth::claims::ClaimsType,
+    db::{Id, models::Settings},
+};
+use defguard_mail::Mail;
 use defguard_version::server::DefguardVersionLayer;
 use defguard_version::{
     ComponentInfo, DefguardComponent, Version, client::ClientVersionInterceptor,
@@ -19,7 +23,6 @@ use defguard_version::{
 use openidconnect::{AuthorizationCode, Nonce, Scope, core::CoreAuthenticationFlow};
 use reqwest::Url;
 use serde::Serialize;
-#[cfg(feature = "worker")]
 use sqlx::PgPool;
 use tokio::{
     sync::{
@@ -30,34 +33,25 @@ use tokio::{
 };
 use tokio_stream::wrappers::UnboundedReceiverStream;
 use tonic::{
-    Code, Status, Streaming,
+    Code, Streaming,
     transport::{
         Certificate, ClientTlsConfig, Endpoint, Identity, Server, ServerTlsConfig, server::Router,
     },
 };
 use tower::ServiceBuilder;
 
-#[cfg(feature = "wireguard")]
-use self::gateway::{GatewayServer, gateway_service_server::GatewayServiceServer};
+use self::gateway::GatewayServer;
 use self::{
-    auth::{AuthServer, auth_service_server::AuthServiceServer},
-    client_mfa::ClientMfaServer,
-    enrollment::EnrollmentServer,
+    auth::AuthServer, client_mfa::ClientMfaServer, enrollment::EnrollmentServer,
     password_reset::PasswordResetServer,
-    proto::proxy::core_response,
-};
-#[cfg(feature = "worker")]
-use self::{
-    interceptor::JwtInterceptor, proto::worker::worker_service_server::WorkerServiceServer,
-    worker::WorkerServer,
 };
-#[cfg(feature = "wireguard")]
+use self::{interceptor::JwtInterceptor, worker::WorkerServer};
+use crate::db::GatewayEvent;
 pub use crate::version::MIN_GATEWAY_VERSION;
 use crate::{
-    VERSION,
     auth::failed_login::FailedLoginMap,
     db::{
-        AppEvent, Id, Settings,
+        AppEvent,
         models::enrollment::{ENROLLMENT_TOKEN_TYPE, Token},
     },
     enterprise::{
@@ -72,53 +66,37 @@ use crate::{
     },
     events::{BidiStreamEvent, GrpcEvent},
     grpc::gateway::{client_state::ClientMap, map::GatewayMap},
-    mail::Mail,
     server_config,
     version::{IncompatibleComponents, IncompatibleProxyData, is_proxy_version_supported},
 };
-#[cfg(feature = "worker")]
-use crate::{auth::ClaimsType, db::GatewayEvent};
 
 static VERSION_ZERO: Version = Version::new(0, 0, 0);
 
 mod auth;
 pub(crate) mod client_mfa;
 pub mod enrollment;
-#[cfg(feature = "wireguard")]
 pub mod gateway;
-#[cfg(any(feature = "wireguard", feature = "worker"))]
 mod interceptor;
 pub mod password_reset;
 pub(crate) mod utils;
-#[cfg(feature = "worker")]
 pub mod worker;
 
 pub mod proto {
-    pub mod proxy {
-        tonic::include_proto!("defguard.proxy");
-    }
-    pub mod gateway {
-        tonic::include_proto!("gateway");
-    }
-    pub mod auth {
-        tonic::include_proto!("auth");
-    }
-    pub mod worker {
-        tonic::include_proto!("worker");
-    }
     pub mod enterprise {
         pub mod license {
             tonic::include_proto!("enterprise.license");
         }
-        pub mod firewall {
-            tonic::include_proto!("enterprise.firewall");
-        }
     }
 }
 
-use proto::proxy::{
-    AuthCallbackResponse, AuthInfoResponse, CoreError, CoreRequest, CoreResponse, core_request,
-    proxy_client::ProxyClient,
+use defguard_proto::{
+    auth::auth_service_server::AuthServiceServer,
+    gateway::gateway_service_server::GatewayServiceServer,
+    proxy::{
+        AuthCallbackResponse, AuthInfoResponse, CoreError, CoreRequest, CoreResponse, core_request,
+        core_response, proxy_client::ProxyClient,
+    },
+    worker::worker_service_server::WorkerServiceServer,
 };
 
 // gRPC header for passing auth token from clients
@@ -129,15 +107,6 @@ pub static HOSTNAME_HEADER: &str = "hostname";
 
 const TEN_SECS: Duration = Duration::from_secs(10);
 
-impl From<Status> for CoreError {
-    fn from(status: Status) -> Self {
-        Self {
-            status_code: status.code().into(),
-            message: status.message().into(),
-        }
-    }
-}
-
 struct ProxyMessageLoopContext<'a> {
     pool: PgPool,
     tx: UnboundedSender<CoreResponse>,
@@ -733,7 +702,6 @@ pub async fn build_grpc_service_router(
 ) -> Result<Router, anyhow::Error> {
     let auth_service = AuthServiceServer::new(AuthServer::new(pool.clone(), failed_logins));
 
-    #[cfg(feature = "worker")]
     let worker_service = WorkerServiceServer::with_interceptor(
         WorkerServer::new(pool.clone(), worker_state),
         JwtInterceptor::new(ClaimsType::YubiBridge),
@@ -750,7 +718,6 @@ pub async fn build_grpc_service_router(
         .add_service(health_service)
         .add_service(auth_service);
 
-    #[cfg(feature = "wireguard")]
     let router = {
         use crate::version::GatewayVersionInterceptor;
 
@@ -777,13 +744,11 @@ pub async fn build_grpc_service_router(
         )
     };
 
-    #[cfg(feature = "worker")]
     let router = router.add_service(worker_service);
 
     Ok(router)
 }
 
-#[cfg(feature = "worker")]
 pub struct Job {
     id: u32,
     first_name: String,
@@ -792,7 +757,6 @@ pub struct Job {
     username: String,
 }
 
-#[cfg(feature = "worker")]
 #[derive(Serialize)]
 pub struct JobResponse {
     pub success: bool,
@@ -802,14 +766,12 @@ pub struct JobResponse {
     pub username: String,
 }
 
-#[cfg(feature = "worker")]
 pub struct WorkerInfo {
     last_seen: Instant,
     ip: IpAddr,
     jobs: Vec<Job>,
 }
 
-#[cfg(feature = "worker")]
 pub struct WorkerState {
     current_job_id: u32,
     workers: HashMap<String, WorkerInfo>,
@@ -817,7 +779,6 @@ pub struct WorkerState {
     webhook_tx: UnboundedSender<AppEvent>,
 }
 
-#[cfg(feature = "worker")]
 #[derive(Deserialize, Serialize)]
 pub struct WorkerDetail {
     id: String,
@@ -862,7 +823,7 @@ impl InstanceInfo {
     }
 }
 
-impl From<InstanceInfo> for proto::proxy::InstanceInfo {
+impl From<InstanceInfo> for defguard_proto::proxy::InstanceInfo {
     fn from(instance: InstanceInfo) -> Self {
         Self {
             name: instance.name,
diff --git a/crates/defguard_core/src/grpc/password_reset.rs b/crates/defguard_core/src/grpc/password_reset.rs
index 69e2a9b555..9049fb449e 100644
--- a/crates/defguard_core/src/grpc/password_reset.rs
+++ b/crates/defguard_core/src/grpc/password_reset.rs
@@ -1,11 +1,8 @@
+use defguard_mail::Mail;
 use sqlx::PgPool;
 use tokio::sync::mpsc::{UnboundedSender, error::SendError};
 use tonic::Status;
 
-use super::proto::proxy::{
-    DeviceInfo, PasswordResetInitializeRequest, PasswordResetRequest, PasswordResetStartRequest,
-    PasswordResetStartResponse,
-};
 use crate::{
     db::{
         User,
@@ -19,9 +16,12 @@ use crate::{
         user::check_password_strength,
     },
     headers::get_device_info,
-    mail::Mail,
     server_config,
 };
+use defguard_proto::proxy::{
+    DeviceInfo, PasswordResetInitializeRequest, PasswordResetRequest, PasswordResetStartRequest,
+    PasswordResetStartResponse,
+};
 
 pub(super) struct PasswordResetServer {
     pool: PgPool,
diff --git a/crates/defguard_core/src/grpc/utils.rs b/crates/defguard_core/src/grpc/utils.rs
index 0e5772d574..757b9d9490 100644
--- a/crates/defguard_core/src/grpc/utils.rs
+++ b/crates/defguard_core/src/grpc/utils.rs
@@ -1,16 +1,16 @@
 use std::{net::IpAddr, str::FromStr};
 
+use defguard_common::{
+    csv::AsCsv,
+    db::{Id, models::Settings},
+};
 use sqlx::PgPool;
 use tonic::Status;
 
-use super::{
-    InstanceInfo,
-    proto::proxy::{DeviceConfig as ProtoDeviceConfig, DeviceConfigResponse, DeviceInfo},
-};
+use super::InstanceInfo;
 use crate::{
-    AsCsv,
     db::{
-        Device, Id, Settings, User,
+        Device, User,
         models::{
             device::{DeviceType, WireguardNetworkDevice},
             polling_token::PollingToken,
@@ -20,7 +20,10 @@ use crate::{
     enterprise::db::models::{
         enterprise_settings::EnterpriseSettings, openid_provider::OpenIdProvider,
     },
-    grpc::proto::proxy::LocationMfaMode as ProtoLocationMfaMode,
+};
+use defguard_proto::proxy::{
+    DeviceConfig as ProtoDeviceConfig, DeviceConfigResponse, DeviceInfo,
+    LocationMfaMode as ProtoLocationMfaMode,
 };
 
 // Create a new token for configuration polling.
diff --git a/crates/defguard_core/src/grpc/worker.rs b/crates/defguard_core/src/grpc/worker.rs
index 2b973fbcaf..c0acfa12ec 100644
--- a/crates/defguard_core/src/grpc/worker.rs
+++ b/crates/defguard_core/src/grpc/worker.rs
@@ -5,19 +5,15 @@ use std::{
     time::Instant,
 };
 
+use defguard_common::db::models::{AuthenticationKey, AuthenticationKeyType};
 use sqlx::{PgPool, query};
 use tokio::sync::mpsc::UnboundedSender;
 use tonic::{Request, Response, Status};
 
 use super::{Job, JobResponse, WorkerDetail, WorkerInfo, WorkerState};
-pub use crate::grpc::proto::worker::JobStatus;
-use crate::{
-    db::{
-        AppEvent, HWKeyUserData, User, YubiKey,
-        models::authentication_key::{AuthenticationKey, AuthenticationKeyType},
-    },
-    grpc::proto::worker::{GetJobResponse, Worker, worker_service_server},
-};
+use crate::db::{AppEvent, HWKeyUserData, User, YubiKey};
+pub use defguard_proto::worker::JobStatus;
+use defguard_proto::worker::{GetJobResponse, Worker, worker_service_server};
 
 impl WorkerInfo {
     /// Create new `Worker` instance.
diff --git a/crates/defguard_core/src/handlers/activity_log.rs b/crates/defguard_core/src/handlers/activity_log.rs
index c14a68fa88..5485d0d8c0 100644
--- a/crates/defguard_core/src/handlers/activity_log.rs
+++ b/crates/defguard_core/src/handlers/activity_log.rs
@@ -3,6 +3,7 @@ use std::fmt::{self, Display, Formatter};
 use axum::extract::State;
 use axum_extra::extract::Query;
 use chrono::{DateTime, NaiveDateTime, Utc};
+use defguard_common::db::Id;
 use ipnetwork::IpNetwork;
 use sqlx::{FromRow, Postgres, QueryBuilder, Type};
 
@@ -10,11 +11,7 @@ use super::{
     DEFAULT_API_PAGE_SIZE,
     pagination::{PaginatedApiResponse, PaginatedApiResult, PaginationMeta, PaginationParams},
 };
-use crate::{
-    appstate::AppState,
-    auth::SessionInfo,
-    db::{Id, models::activity_log::ActivityLogModule},
-};
+use crate::{appstate::AppState, auth::SessionInfo, db::models::activity_log::ActivityLogModule};
 
 #[derive(Debug, Deserialize, Default)]
 pub struct FilterParams {
diff --git a/crates/defguard_core/src/handlers/app_info.rs b/crates/defguard_core/src/handlers/app_info.rs
index bc67e8c17f..e53592f9c8 100644
--- a/crates/defguard_core/src/handlers/app_info.rs
+++ b/crates/defguard_core/src/handlers/app_info.rs
@@ -3,10 +3,9 @@ use serde_json::json;
 
 use super::{ApiResponse, ApiResult};
 use crate::{
-    VERSION,
     appstate::AppState,
     auth::SessionInfo,
-    db::{Settings, WireguardNetwork},
+    db::WireguardNetwork,
     enterprise::{
         db::models::openid_provider::OpenIdProvider,
         is_enterprise_enabled, is_enterprise_free,
@@ -14,6 +13,7 @@ use crate::{
         limits::{LimitsExceeded, get_counts},
     },
 };
+use defguard_common::{VERSION, db::models::Settings};
 
 #[derive(Serialize)]
 struct LicenseInfo {
diff --git a/crates/defguard_core/src/handlers/auth.rs b/crates/defguard_core/src/handlers/auth.rs
index 752297662e..a68f642877 100644
--- a/crates/defguard_core/src/handlers/auth.rs
+++ b/crates/defguard_core/src/handlers/auth.rs
@@ -13,6 +13,11 @@ use axum_extra::{
     },
     headers::UserAgent,
 };
+use defguard_common::db::{
+    Id,
+    models::{MFAMethod, Settings},
+};
+use defguard_mail::Mail;
 use serde_json::json;
 use sqlx::{PgPool, types::Uuid};
 use time::Duration;
@@ -31,7 +36,7 @@ use crate::{
         SessionInfo,
         failed_login::{check_failed_logins, log_failed_login_attempt},
     },
-    db::{Id, MFAInfo, MFAMethod, Session, SessionState, Settings, User, UserInfo, WebAuthn},
+    db::{MFAInfo, Session, SessionState, User, UserInfo, WebAuthn},
     enterprise::ldap::utils::login_through_ldap,
     error::WebError,
     events::{ApiEvent, ApiEventType, ApiRequestContext},
@@ -43,7 +48,6 @@ use crate::{
         user_for_admin_or_self,
     },
     headers::{USER_AGENT_PARSER, check_new_device_login, get_user_agent_device},
-    mail::Mail,
     server_config,
 };
 
@@ -87,7 +91,7 @@ pub(crate) async fn create_session(
             check_new_device_login(
                 pool,
                 mail_tx,
-                &session,
+                &session.clone().into(),
                 user,
                 ip_address.to_string(),
                 login_event_type,
@@ -112,7 +116,7 @@ pub(crate) async fn create_session(
         check_new_device_login(
             pool,
             mail_tx,
-            &session,
+            &session.clone().into(),
             user,
             ip_address.to_string(),
             login_event_type,
@@ -471,7 +475,7 @@ pub async fn webauthn_finish(
         .await?;
     if user.mfa_method == MFAMethod::None {
         send_mfa_configured_email(
-            Some(&session.session),
+            Some(&session.session.into()),
             &user,
             &MFAMethod::Webauthn,
             &appstate.mail_tx,
@@ -640,7 +644,7 @@ pub async fn totp_enable(
         user.enable_totp(&appstate.pool).await?;
         if user.mfa_method == MFAMethod::None {
             send_mfa_configured_email(
-                Some(&session.session),
+                Some(&session.session.into()),
                 &user,
                 &MFAMethod::OneTimePassword,
                 &appstate.mail_tx,
@@ -789,7 +793,7 @@ pub async fn email_mfa_init(session: SessionInfo, State(appstate): State<AppStat
     info!("Generated new email MFA secret for user {}", user.username);
 
     // send email with code
-    send_email_mfa_activation_email(&user, &appstate.mail_tx, Some(&session.session))?;
+    send_email_mfa_activation_email(&user, &appstate.mail_tx, Some(&session.session.into()))?;
 
     Ok(ApiResponse::default())
 }
@@ -808,7 +812,7 @@ pub async fn email_mfa_enable(
         user.enable_email_mfa(&appstate.pool).await?;
         if user.mfa_method == MFAMethod::None {
             send_mfa_configured_email(
-                Some(&session.session),
+                Some(&session.session.into()),
                 &user,
                 &MFAMethod::Email,
                 &appstate.mail_tx,
@@ -857,7 +861,7 @@ pub async fn request_email_mfa_code(
     if let Some(user) = User::find_by_id(&appstate.pool, session.user_id).await? {
         debug!("Sending email MFA code for user {}", user.username);
         if user.email_mfa_enabled {
-            send_email_mfa_code_email(&user, &appstate.mail_tx, Some(&session))?;
+            send_email_mfa_code_email(&user, &appstate.mail_tx, Some(&session.into()))?;
             info!("Sent email MFA code for user {}", user.username);
             Ok(ApiResponse::default())
         } else {
diff --git a/crates/defguard_core/src/handlers/group.rs b/crates/defguard_core/src/handlers/group.rs
index 192c5e8358..a728b4ccc9 100644
--- a/crates/defguard_core/src/handlers/group.rs
+++ b/crates/defguard_core/src/handlers/group.rs
@@ -4,6 +4,7 @@ use axum::{
     extract::{Json, Path, State},
     http::StatusCode,
 };
+use defguard_common::db::Id;
 use serde_json::json;
 use sqlx::query_as;
 use utoipa::ToSchema;
@@ -12,7 +13,7 @@ use super::{ApiResponse, ApiResult, EditGroupInfo, GroupInfo, Username};
 use crate::{
     appstate::AppState,
     auth::{AdminRole, SessionInfo},
-    db::{Group, Id, User, WireguardNetwork, models::group::Permission},
+    db::{Group, User, WireguardNetwork, models::group::Permission},
     enterprise::ldap::utils::{
         ldap_add_user_to_groups, ldap_add_users_to_groups, ldap_delete_group, ldap_modify_group,
         ldap_remove_user_from_groups, ldap_remove_users_from_groups, ldap_update_user_state,
diff --git a/crates/defguard_core/src/handlers/mail.rs b/crates/defguard_core/src/handlers/mail.rs
index a50ff1989a..9a9ce05e8c 100644
--- a/crates/defguard_core/src/handlers/mail.rs
+++ b/crates/defguard_core/src/handlers/mail.rs
@@ -5,6 +5,11 @@ use axum::{
     http::StatusCode,
 };
 use chrono::{NaiveDateTime, Utc};
+use defguard_common::db::{Id, models::MFAMethod};
+use defguard_mail::{
+    Attachment, Mail,
+    templates::{self, SessionContext, TemplateError, TemplateLocation, support_data_mail},
+};
 use lettre::message::header::ContentType;
 use reqwest::Url;
 use serde_json::json;
@@ -18,12 +23,10 @@ use crate::{
     PgPool,
     appstate::AppState,
     auth::{AdminRole, SessionInfo},
-    db::{Id, MFAMethod, Session, User, models::enrollment::TokenError},
+    db::{User, models::enrollment::TokenError},
     error::WebError,
-    mail::{Attachment, Mail},
     server_config,
     support::dump_config,
-    templates::{self, TemplateError, TemplateLocation, support_data_mail},
 };
 
 static TEST_MAIL_SUBJECT: &str = "Defguard email test";
@@ -73,7 +76,7 @@ pub async fn test_mail(
     let mail = Mail {
         to: data.to.clone(),
         subject: TEST_MAIL_SUBJECT.to_string(),
-        content: templates::test_mail(Some(&session.session))?,
+        content: templates::test_mail(Some(&session.session.into()))?,
         attachments: Vec::new(),
         result_tx: Some(tx),
     };
@@ -288,7 +291,7 @@ pub async fn send_gateway_reconnected_email(
 pub async fn send_new_device_login_email(
     user_email: &str,
     mail_tx: &UnboundedSender<Mail>,
-    session: &Session,
+    session: &SessionContext,
     created: NaiveDateTime,
 ) -> Result<(), TemplateError> {
     debug!("User {user_email} new device login mail to {SUPPORT_EMAIL_ADDRESS}");
@@ -319,7 +322,7 @@ pub async fn send_new_device_ocid_login_email(
     user_email: &str,
     oauth2client_name: String,
     mail_tx: &UnboundedSender<Mail>,
-    session: &Session,
+    session: &SessionContext,
 ) -> Result<(), TemplateError> {
     debug!("User {user_email} new device OCID login mail to {SUPPORT_EMAIL_ADDRESS}");
 
@@ -348,7 +351,7 @@ pub async fn send_new_device_ocid_login_email(
 }
 
 pub fn send_mfa_configured_email(
-    session: Option<&Session>,
+    session: Option<&SessionContext>,
     user: &User<Id>,
     mfa_method: &MFAMethod,
     mail_tx: &UnboundedSender<Mail>,
@@ -382,7 +385,7 @@ pub fn send_mfa_configured_email(
 pub fn send_email_mfa_activation_email(
     user: &User<Id>,
     mail_tx: &UnboundedSender<Mail>,
-    session: Option<&Session>,
+    session: Option<&SessionContext>,
 ) -> Result<(), TemplateError> {
     debug!("Sending email MFA activation mail to {}", user.email);
 
@@ -395,7 +398,7 @@ pub fn send_email_mfa_activation_email(
     let mail = Mail {
         to: user.email.clone(),
         subject: EMAIL_MFA_ACTIVATION_EMAIL_SUBJECT.into(),
-        content: templates::email_mfa_activation_mail(user, &code, session)?,
+        content: templates::email_mfa_activation_mail(&user.clone().into(), &code, session)?,
         attachments: Vec::new(),
         result_tx: None,
     };
@@ -417,7 +420,7 @@ pub fn send_email_mfa_activation_email(
 pub fn send_email_mfa_code_email(
     user: &User<Id>,
     mail_tx: &UnboundedSender<Mail>,
-    session: Option<&Session>,
+    session: Option<&SessionContext>,
 ) -> Result<(), TemplateError> {
     debug!("Sending email MFA code mail to {}", user.email);
 
@@ -430,7 +433,7 @@ pub fn send_email_mfa_code_email(
     let mail = Mail {
         to: user.email.clone(),
         subject: EMAIL_MFA_CODE_EMAIL_SUBJECT.into(),
-        content: templates::email_mfa_code_mail(user, &code, session)?,
+        content: templates::email_mfa_code_mail(&user.clone().into(), &code, session)?,
         attachments: Vec::new(),
         result_tx: None,
     };
diff --git a/crates/defguard_core/src/handlers/mod.rs b/crates/defguard_core/src/handlers/mod.rs
index 58999f837d..cbe8263013 100644
--- a/crates/defguard_core/src/handlers/mod.rs
+++ b/crates/defguard_core/src/handlers/mod.rs
@@ -6,17 +6,17 @@ use axum::{
 };
 use axum_client_ip::InsecureClientIp;
 use axum_extra::{TypedHeader, headers::UserAgent};
+use defguard_common::db::{Id, NoId};
 use serde_json::{Value, json};
 use sqlx::PgPool;
 use utoipa::ToSchema;
 use webauthn_rs::prelude::RegisterPublicKeyCredential;
 
-#[cfg(feature = "wireguard")]
 use crate::db::Device;
 use crate::{
     appstate::AppState,
     auth::SessionInfo,
-    db::{Id, NoId, User, UserInfo, WebHook},
+    db::{User, UserInfo, WebHook},
     enterprise::{db::models::acl::AclError, license::LicenseError},
     error::WebError,
     events::ApiRequestContext,
@@ -29,9 +29,7 @@ pub(crate) mod forward_auth;
 pub(crate) mod group;
 pub(crate) mod mail;
 pub mod network_devices;
-#[cfg(feature = "openid")]
 pub(crate) mod openid_clients;
-#[cfg(feature = "openid")]
 pub mod openid_flow;
 pub(crate) mod pagination;
 pub(crate) mod settings;
@@ -40,9 +38,7 @@ pub(crate) mod support;
 pub(crate) mod updates;
 pub(crate) mod user;
 pub(crate) mod webhooks;
-#[cfg(feature = "wireguard")]
 pub mod wireguard;
-#[cfg(feature = "worker")]
 pub mod worker;
 pub(crate) mod yubikey;
 
@@ -439,7 +435,6 @@ pub async fn user_for_admin_or_self(
 
 /// Try to fetch [`Device'] if the device.id is of the currently logged in user, or
 /// the logged in user is an admin.
-#[cfg(feature = "wireguard")]
 pub async fn device_for_admin_or_self<'e, E: sqlx::PgExecutor<'e>>(
     executor: E,
     session: &SessionInfo,
diff --git a/crates/defguard_core/src/handlers/network_devices.rs b/crates/defguard_core/src/handlers/network_devices.rs
index 6f85448f06..b0b1863fd7 100644
--- a/crates/defguard_core/src/handlers/network_devices.rs
+++ b/crates/defguard_core/src/handlers/network_devices.rs
@@ -8,17 +8,18 @@ use axum::{
     http::StatusCode,
 };
 use chrono::NaiveDateTime;
+use defguard_common::{csv::AsCsv, db::Id};
+use defguard_mail::templates::TemplateLocation;
 use ipnetwork::IpNetwork;
 use serde_json::json;
 use sqlx::PgConnection;
 
 use super::{ApiResponse, ApiResult, WebError};
 use crate::{
-    AsCsv,
     appstate::AppState,
     auth::{AdminRole, SessionInfo},
     db::{
-        Device, GatewayEvent, Id, User, WireguardNetwork,
+        Device, GatewayEvent, User, WireguardNetwork,
         models::{
             device::{DeviceConfig, DeviceInfo, DeviceType, WireguardNetworkDevice},
             wireguard::NetworkAddressError,
@@ -28,7 +29,6 @@ use crate::{
     events::{ApiEvent, ApiEventType, ApiRequestContext},
     handlers::mail::send_new_device_added_email,
     server_config,
-    templates::TemplateLocation,
 };
 
 #[derive(Serialize)]
diff --git a/crates/defguard_core/src/handlers/openid_flow.rs b/crates/defguard_core/src/handlers/openid_flow.rs
index 823066ede9..cf907c74c6 100644
--- a/crates/defguard_core/src/handlers/openid_flow.rs
+++ b/crates/defguard_core/src/handlers/openid_flow.rs
@@ -15,6 +15,7 @@ use axum::{
 use axum_extra::extract::cookie::{Cookie, CookieJar, PrivateCookieJar, SameSite};
 use base64::{Engine, prelude::BASE64_STANDARD};
 use chrono::Utc;
+use defguard_common::db::{Id, NoId, models::AuthCode};
 use openidconnect::{
     AccessToken, AdditionalClaims, Audience, AuthUrl, AuthorizationCode,
     EmptyAdditionalProviderMetadata, EmptyExtraTokenFields, EndUserEmail, EndUserFamilyName,
@@ -43,8 +44,8 @@ use crate::{
     appstate::AppState,
     auth::{AccessUserInfo, SessionInfo, UserClaims},
     db::{
-        Id, NoId, OAuth2AuthorizedApp, OAuth2Token, Session, SessionState, User,
-        models::{auth_code::AuthCode, oauth2client::OAuth2Client},
+        OAuth2AuthorizedApp, OAuth2Token, Session, SessionState, User,
+        models::oauth2client::OAuth2Client,
     },
     error::WebError,
     handlers::{SIGN_IN_COOKIE_NAME, mail::send_new_device_ocid_login_email},
@@ -575,7 +576,7 @@ pub async fn secure_authorization(
                             &session_info.user.email,
                             oauth2client.name.to_string(),
                             &appstate.mail_tx,
-                            &session_info.session,
+                            &session_info.session.into(),
                         )
                         .await?;
                     }
diff --git a/crates/defguard_core/src/handlers/settings.rs b/crates/defguard_core/src/handlers/settings.rs
index ee7485bca9..4e72b70e38 100644
--- a/crates/defguard_core/src/handlers/settings.rs
+++ b/crates/defguard_core/src/handlers/settings.rs
@@ -2,6 +2,10 @@ use axum::{
     extract::{Json, Path, State},
     http::StatusCode,
 };
+use defguard_common::db::models::{
+    Settings, SettingsEssentials,
+    settings::{LdapSyncStatus, SettingsPatch, update_current_settings},
+};
 use serde_json::json;
 use struct_patch::Patch;
 
@@ -9,14 +13,7 @@ use super::{ApiResponse, ApiResult};
 use crate::{
     AppState,
     auth::{AdminRole, SessionInfo},
-    db::{
-        Settings,
-        models::settings::{SettingsEssentials, SettingsPatch, update_current_settings},
-    },
-    enterprise::{
-        ldap::{LDAPConnection, sync::SyncStatus},
-        license::update_cached_license,
-    },
+    enterprise::{ldap::LDAPConnection, license::update_cached_license},
     error::WebError,
     events::{ApiEvent, ApiEventType, ApiRequestContext},
 };
@@ -147,19 +144,19 @@ pub async fn patch_settings(
 
     if let Some(ldap_enabled) = data.ldap_enabled {
         if !ldap_enabled {
-            settings.ldap_sync_status = SyncStatus::OutOfSync;
+            settings.ldap_sync_status = LdapSyncStatus::OutOfSync;
         }
     }
 
     if let Some(ldap_authority) = data.ldap_is_authoritative {
         if settings.ldap_is_authoritative != ldap_authority {
-            settings.ldap_sync_status = SyncStatus::OutOfSync;
+            settings.ldap_sync_status = LdapSyncStatus::OutOfSync;
         }
     }
 
     if let Some(ldap_sync_groups) = &data.ldap_sync_groups {
         if &settings.ldap_sync_groups != ldap_sync_groups {
-            settings.ldap_sync_status = SyncStatus::OutOfSync;
+            settings.ldap_sync_status = LdapSyncStatus::OutOfSync;
         }
     }
 
diff --git a/crates/defguard_core/src/handlers/ssh_authorized_keys.rs b/crates/defguard_core/src/handlers/ssh_authorized_keys.rs
index 91d925453a..8b6be6d37e 100644
--- a/crates/defguard_core/src/handlers/ssh_authorized_keys.rs
+++ b/crates/defguard_core/src/handlers/ssh_authorized_keys.rs
@@ -3,6 +3,10 @@ use axum::{
     extract::{Path, Query, State},
     http::StatusCode,
 };
+use defguard_common::db::{
+    Id,
+    models::{AuthenticationKey, AuthenticationKeyType},
+};
 use serde_json::json;
 use sqlx::{Error as SqlxError, PgExecutor, PgPool, query};
 use ssh_key::PublicKey;
@@ -11,10 +15,7 @@ use super::{ApiResponse, ApiResult, user_for_admin_or_self};
 use crate::{
     appstate::AppState,
     auth::SessionInfo,
-    db::{
-        Group, Id, User,
-        models::authentication_key::{AuthenticationKey, AuthenticationKeyType},
-    },
+    db::{Group, User},
     error::WebError,
     events::{ApiEvent, ApiEventType, ApiRequestContext},
 };
diff --git a/crates/defguard_core/src/handlers/user.rs b/crates/defguard_core/src/handlers/user.rs
index 785bb46d74..3b0f3316b1 100644
--- a/crates/defguard_core/src/handlers/user.rs
+++ b/crates/defguard_core/src/handlers/user.rs
@@ -4,6 +4,7 @@ use axum::{
     extract::{Json, Path, State},
     http::StatusCode,
 };
+use defguard_mail::{Mail, templates};
 use serde_json::json;
 
 use super::{
@@ -31,9 +32,7 @@ use crate::{
     },
     error::WebError,
     events::{ApiEvent, ApiEventType, ApiRequestContext},
-    is_valid_phone_number,
-    mail::Mail,
-    server_config, templates,
+    is_valid_phone_number, server_config,
 };
 
 /// Verify the given username
diff --git a/crates/defguard_core/src/handlers/wireguard.rs b/crates/defguard_core/src/handlers/wireguard.rs
index 1508bc7cdc..466cc7cb62 100644
--- a/crates/defguard_core/src/handlers/wireguard.rs
+++ b/crates/defguard_core/src/handlers/wireguard.rs
@@ -11,6 +11,8 @@ use axum::{
     http::StatusCode,
 };
 use chrono::{DateTime, NaiveDateTime, TimeDelta, Utc};
+use defguard_common::{csv::AsCsv, db::Id};
+use defguard_mail::templates::TemplateLocation;
 use ipnetwork::IpNetwork;
 use serde_json::{Value, json};
 use sqlx::PgPool;
@@ -19,11 +21,10 @@ use uuid::Uuid;
 
 use super::{ApiResponse, ApiResult, WebError, device_for_admin_or_self, user_for_admin_or_self};
 use crate::{
-    AsCsv,
     appstate::AppState,
     auth::{AdminRole, SessionInfo},
     db::{
-        AddDevice, Device, GatewayEvent, Id, WireguardNetwork,
+        AddDevice, Device, GatewayEvent, WireguardNetwork,
         models::{
             device::{
                 DeviceConfig, DeviceInfo, DeviceNetworkInfo, DeviceType, ModifyDevice,
@@ -45,7 +46,6 @@ use crate::{
     grpc::gateway::map::GatewayMap,
     handlers::mail::send_new_device_added_email,
     server_config,
-    templates::TemplateLocation,
     wg_config::{ImportedDevice, parse_wireguard_config},
 };
 
diff --git a/crates/defguard_core/src/handlers/worker.rs b/crates/defguard_core/src/handlers/worker.rs
index 07f1388e1a..cab88e8989 100644
--- a/crates/defguard_core/src/handlers/worker.rs
+++ b/crates/defguard_core/src/handlers/worker.rs
@@ -4,12 +4,13 @@ use axum::{
     extract::{Extension, Json, Path, State},
     http::StatusCode,
 };
+use defguard_common::auth::claims::{Claims, ClaimsType};
 use serde_json::json;
 
 use super::{ApiResponse, ApiResult};
 use crate::{
     appstate::AppState,
-    auth::{AdminRole, Claims, ClaimsType, SessionInfo},
+    auth::{AdminRole, SessionInfo},
     db::User,
     error::WebError,
     grpc::WorkerState,
diff --git a/crates/defguard_core/src/headers.rs b/crates/defguard_core/src/headers.rs
index 95c090a9b8..cb2fbbbd4c 100644
--- a/crates/defguard_core/src/headers.rs
+++ b/crates/defguard_core/src/headers.rs
@@ -1,16 +1,16 @@
 use std::{borrow::Borrow, sync::LazyLock};
 
 use axum::http::{HeaderName, HeaderValue};
+use defguard_common::db::{Id, models::DeviceLoginEvent};
+use defguard_mail::{
+    Mail,
+    templates::{SessionContext, TemplateError},
+};
 use sqlx::PgPool;
 use tokio::sync::mpsc::UnboundedSender;
 use uaparser::{Client, Parser, UserAgentParser};
 
-use crate::{
-    db::{Id, Session, User, models::device_login::DeviceLoginEvent},
-    handlers::mail::send_new_device_login_email,
-    mail::Mail,
-    templates::TemplateError,
-};
+use crate::{db::User, handlers::mail::send_new_device_login_email};
 
 pub(crate) const CONTENT_SECURITY_POLICY_HEADER_NAME: HeaderName =
     HeaderName::from_static("content-security-policy");
@@ -91,7 +91,7 @@ fn get_user_agent_device_login_data(
 pub(crate) async fn check_new_device_login(
     pool: &PgPool,
     mail_tx: &UnboundedSender<Mail>,
-    session: &Session,
+    session: &SessionContext,
     user: &User<Id>,
     ip_address: String,
     event_type: String,
diff --git a/crates/defguard_core/src/lib.rs b/crates/defguard_core/src/lib.rs
index f6abd4ca90..5e200f2725 100644
--- a/crates/defguard_core/src/lib.rs
+++ b/crates/defguard_core/src/lib.rs
@@ -3,7 +3,7 @@
 #![allow(clippy::result_large_err)]
 use std::{
     net::{IpAddr, Ipv4Addr, SocketAddr},
-    sync::{Arc, LazyLock, Mutex, OnceLock, RwLock},
+    sync::{Arc, LazyLock, Mutex, RwLock},
 };
 
 use crate::version::IncompatibleComponents;
@@ -15,6 +15,13 @@ use axum::{
     serve,
 };
 use db::models::{device::DeviceType, wireguard::LocationMfaMode};
+use defguard_common::{
+    VERSION,
+    auth::claims::{Claims, ClaimsType},
+    config::{DefGuardConfig, InitVpnLocationArgs, server_config},
+    db::init_db,
+};
+use defguard_mail::Mail;
 use defguard_version::server::DefguardVersionLayer;
 use defguard_web_ui::{index, svg, web_asset};
 use enterprise::{
@@ -82,18 +89,15 @@ use utoipa::{
 };
 use utoipa_swagger_ui::SwaggerUi;
 
-#[cfg(feature = "wireguard")]
 use self::handlers::wireguard::{
     add_device, add_user_devices, create_network, create_network_token, delete_device,
     delete_network, devices_stats, download_config, gateway_status, get_device, import_network,
     list_devices, list_networks, list_user_devices, modify_device, modify_network, network_details,
     network_stats, remove_gateway,
 };
-#[cfg(feature = "worker")]
 use self::handlers::worker::{
     create_job, create_worker_token, job_status, list_workers, remove_worker,
 };
-#[cfg(feature = "openid")]
 use self::handlers::{
     openid_clients::{
         add_openid_client, change_openid_client, change_openid_client_state, delete_openid_client,
@@ -105,10 +109,8 @@ use self::handlers::{
 };
 use self::{
     appstate::AppState,
-    auth::{Claims, ClaimsType},
-    config::{DefGuardConfig, InitVpnLocationArgs},
     db::{
-        AppEvent, Device, GatewayEvent, User, WireguardNetwork, init_db,
+        AppEvent, Device, GatewayEvent, User, WireguardNetwork,
         models::wireguard::{DEFAULT_DISCONNECT_THRESHOLD, DEFAULT_KEEPALIVE_INTERVAL},
     },
     handlers::{
@@ -141,9 +143,7 @@ use self::{
             add_webhook, change_enabled, change_webhook, delete_webhook, get_webhook, list_webhooks,
         },
     },
-    mail::Mail,
 };
-#[cfg(any(feature = "openid", feature = "worker"))]
 use self::{
     auth::failed_login::FailedLoginMap,
     db::models::oauth2client::OAuth2Client,
@@ -153,21 +153,14 @@ use self::{
 
 pub mod appstate;
 pub mod auth;
-pub mod config;
 pub mod db;
 pub mod enterprise;
 mod error;
 pub mod events;
-pub mod globals;
 pub mod grpc;
 pub mod handlers;
 pub mod headers;
-pub mod hex;
-pub mod mail;
-pub(crate) mod random;
-pub mod secret;
 pub mod support;
-pub mod templates;
 pub mod updates;
 pub mod utility_thread;
 pub mod version;
@@ -181,19 +174,6 @@ extern crate tracing;
 #[macro_use]
 extern crate serde;
 
-// helper for easier migration handling with a custom `migration` folder location
-// reference: https://docs.rs/sqlx/latest/sqlx/attr.test.html#automatic-migrations-requires-migrate-feature
-pub static MIGRATOR: sqlx::migrate::Migrator = sqlx::migrate!("../../migrations");
-
-pub const VERSION: &str = concat!(env!("CARGO_PKG_VERSION"), "+", env!("VERGEN_GIT_SHA"));
-pub static SERVER_CONFIG: OnceLock<DefGuardConfig> = OnceLock::new();
-
-pub(crate) fn server_config() -> &'static DefGuardConfig {
-    SERVER_CONFIG
-        .get()
-        .expect("Server configuration not set yet")
-}
-
 static PHONE_NUMBER_REGEX: LazyLock<Regex> = LazyLock::new(|| {
     Regex::new(r"^(\+?\d{1,3}\s?)?(\(\d{1,3}\)|\d{1,3})[-\s]?\d{1,4}[-\s]?\d{1,4}?$")
         .expect("Failed to parse phone number regex")
@@ -543,7 +523,6 @@ pub fn build_webapp(
             ),
     );
 
-    #[cfg(feature = "openid")]
     let webapp = webapp
         .nest(
             "/api/v1/oauth",
@@ -587,7 +566,6 @@ pub fn build_webapp(
             .route("/alias/apply", put(apply_acl_aliases)),
     );
 
-    #[cfg(feature = "wireguard")]
     let webapp = webapp.nest(
         "/api/v1",
         Router::new()
@@ -661,7 +639,6 @@ pub fn build_webapp(
             .layer(Extension(gateway_state)),
     );
 
-    #[cfg(feature = "worker")]
     let webapp = webapp.nest(
         "/api/v1/worker",
         Router::new()
@@ -735,11 +712,12 @@ pub async fn run_web_server(
         incompatible_components,
     );
     info!("Started web services");
+    let server_config = server_config();
     let addr = SocketAddr::new(
-        server_config()
+        server_config
             .http_bind_address
             .unwrap_or(IpAddr::V4(Ipv4Addr::UNSPECIFIED)),
-        server_config().http_port,
+        server_config.http_port,
     );
     let listener = TcpListener::bind(&addr).await?;
     serve(
@@ -836,7 +814,6 @@ pub async fn init_dev_env(config: &DefGuardConfig) {
             .expect("Could not assign IP to device");
     }
 
-    #[cfg(feature = "openid")]
     for app_id in 1..=3 {
         OAuth2Client::new(
             vec![format!("https://app-{app_id}.com")],
@@ -953,24 +930,6 @@ pub async fn init_vpn_location(
     Ok(token)
 }
 
-pub trait AsCsv {
-    fn as_csv(&self) -> String;
-}
-
-impl<T, I> AsCsv for I
-where
-    I: ?Sized + std::iter::IntoIterator<Item = T>,
-    for<'a> &'a I: IntoIterator<Item = &'a T>,
-    T: ToString,
-{
-    fn as_csv(&self) -> String {
-        self.into_iter()
-            .map(ToString::to_string)
-            .collect::<Vec<_>>()
-            .join(",")
-    }
-}
-
 pub(crate) fn is_valid_phone_number(number: &str) -> bool {
     PHONE_NUMBER_REGEX.is_match(number)
 }
diff --git a/crates/defguard_core/src/support.rs b/crates/defguard_core/src/support.rs
index fd2ccfa037..753daa5c5e 100644
--- a/crates/defguard_core/src/support.rs
+++ b/crates/defguard_core/src/support.rs
@@ -5,10 +5,13 @@ use serde_json::{Value, json, value::to_value};
 use sqlx::PgPool;
 
 use crate::{
-    VERSION,
-    db::{Id, Settings, User, WireguardNetwork, models::device::WireguardNetworkDevice},
+    db::{User, WireguardNetwork, models::device::WireguardNetworkDevice},
     server_config,
 };
+use defguard_common::{
+    VERSION,
+    db::{Id, models::Settings},
+};
 
 /// Unwraps the result returning a JSON representation of value or error
 fn unwrap_json<S: Serialize, D: Display>(result: Result<S, D>) -> Value {
diff --git a/crates/defguard_core/src/updates.rs b/crates/defguard_core/src/updates.rs
index 2cbfb96d71..e286c8ea8c 100644
--- a/crates/defguard_core/src/updates.rs
+++ b/crates/defguard_core/src/updates.rs
@@ -1,13 +1,11 @@
 use std::{env, time::Duration};
 
 use chrono::NaiveDate;
+use defguard_common::{CARGO_VERSION, global_value};
 use semver::Version;
 
-use crate::global_value;
-
 const PRODUCT_NAME: &str = "Defguard";
 const UPDATES_URL: &str = "https://pkgs.defguard.net/api/update/check";
-const VERSION: &str = env!("CARGO_PKG_VERSION");
 const REQUEST_TIMEOUT: Duration = Duration::from_secs(10);
 
 #[derive(Deserialize, Debug, Serialize)]
@@ -26,7 +24,7 @@ global_value!(NEW_UPDATE, Option<Update>, None, set_update, get_update);
 async fn fetch_update() -> Result<Update, anyhow::Error> {
     let body = serde_json::json!({
         "product": PRODUCT_NAME,
-        "client_version": VERSION,
+        "client_version": CARGO_VERSION,
         "operating_system": env::consts::OS,
     });
     let response = reqwest::Client::new()
@@ -41,7 +39,7 @@ async fn fetch_update() -> Result<Update, anyhow::Error> {
 pub(crate) async fn do_new_version_check() -> Result<(), anyhow::Error> {
     debug!("Checking for new version of Defguard.");
     let update = fetch_update().await?;
-    let current_version = Version::parse(VERSION)?;
+    let current_version = Version::parse(CARGO_VERSION)?;
     let new_version = Version::parse(&update.version)?;
     if new_version > current_version {
         if update.critical {
diff --git a/crates/defguard_core/src/utility_thread.rs b/crates/defguard_core/src/utility_thread.rs
index 0e608d1275..6533ff71c5 100644
--- a/crates/defguard_core/src/utility_thread.rs
+++ b/crates/defguard_core/src/utility_thread.rs
@@ -1,5 +1,6 @@
 use std::{collections::HashSet, time::Duration};
 
+use defguard_common::db::Id;
 use sqlx::{PgPool, query_as};
 use tokio::{
     sync::broadcast::Sender,
@@ -8,7 +9,7 @@ use tokio::{
 use tracing::Instrument;
 
 use crate::{
-    db::{GatewayEvent, Id, WireguardNetwork},
+    db::{GatewayEvent, WireguardNetwork},
     enterprise::{
         db::models::acl::{AclRule, RuleState},
         directory_sync::{do_directory_sync, get_directory_sync_interval},
diff --git a/crates/defguard_core/src/wg_config.rs b/crates/defguard_core/src/wg_config.rs
index 4dcdc47ff4..2a42ea68dd 100644
--- a/crates/defguard_core/src/wg_config.rs
+++ b/crates/defguard_core/src/wg_config.rs
@@ -171,7 +171,7 @@ pub(crate) fn parse_wireguard_config(
 #[cfg(test)]
 mod test {
     use super::*;
-    use crate::db::NoId;
+    use defguard_common::db::NoId;
 
     #[test]
     fn test_parse_config() {
diff --git a/crates/defguard_core/src/wireguard_peer_disconnect.rs b/crates/defguard_core/src/wireguard_peer_disconnect.rs
index 06be7734d9..537db19a30 100644
--- a/crates/defguard_core/src/wireguard_peer_disconnect.rs
+++ b/crates/defguard_core/src/wireguard_peer_disconnect.rs
@@ -11,6 +11,7 @@ use std::{
 };
 
 use chrono::NaiveDateTime;
+use defguard_common::db::{Id, models::ModelError};
 use sqlx::{Error as SqlxError, PgPool, query_as};
 use thiserror::Error;
 use tokio::{
@@ -23,10 +24,9 @@ use tokio::{
 
 use crate::{
     db::{
-        Device, GatewayEvent, Id, WireguardNetwork,
+        Device, GatewayEvent, WireguardNetwork,
         models::{
             device::{DeviceInfo, DeviceNetworkInfo, DeviceType, WireguardNetworkDevice},
-            error::ModelError,
             wireguard::{LocationMfaMode, WireguardNetworkError},
         },
     },
diff --git a/crates/defguard_core/tests/integration/api/acl.rs b/crates/defguard_core/tests/integration/api/acl.rs
index 9bf2ffad6f..237b573fdd 100644
--- a/crates/defguard_core/tests/integration/api/acl.rs
+++ b/crates/defguard_core/tests/integration/api/acl.rs
@@ -1,10 +1,11 @@
-use defguard_core::{
+use defguard_common::{
     config::DefGuardConfig,
+    db::{Id, models::settings::initialize_current_settings},
+};
+use defguard_core::{
     db::{
-        Device, Group, Id, User, WireguardNetwork,
-        models::{
-            device::DeviceType, settings::initialize_current_settings, wireguard::LocationMfaMode,
-        },
+        Device, Group, User, WireguardNetwork,
+        models::{device::DeviceType, wireguard::LocationMfaMode},
     },
     enterprise::{
         db::models::acl::{AclAlias, AclRule, AliasKind, AliasState, RuleState},
diff --git a/crates/defguard_core/tests/integration/api/auth.rs b/crates/defguard_core/tests/integration/api/auth.rs
index e47b7e2285..7cacd2630d 100644
--- a/crates/defguard_core/tests/integration/api/auth.rs
+++ b/crates/defguard_core/tests/integration/api/auth.rs
@@ -2,11 +2,10 @@ use std::time::SystemTime;
 
 use chrono::DateTime;
 use claims::{assert_err, assert_ok};
+use defguard_common::db::models::{MFAMethod, Settings, settings::update_current_settings};
 use defguard_core::{
     auth::{TOTP_CODE_DIGITS, TOTP_CODE_VALIDITY_PERIOD},
-    db::{
-        MFAInfo, MFAMethod, Settings, User, UserDetails, models::settings::update_current_settings,
-    },
+    db::{MFAInfo, User, UserDetails},
     handlers::{Auth, AuthCode, AuthResponse, AuthTotp},
 };
 use reqwest::{StatusCode, header::USER_AGENT};
diff --git a/crates/defguard_core/tests/integration/api/common/mod.rs b/crates/defguard_core/tests/integration/api/common/mod.rs
index ea5b3393ab..884299aad7 100644
--- a/crates/defguard_core/tests/integration/api/common/mod.rs
+++ b/crates/defguard_core/tests/integration/api/common/mod.rs
@@ -2,22 +2,22 @@ pub(crate) mod client;
 
 use std::sync::{Arc, Mutex};
 
-pub use defguard_core::db::setup_pool;
-use defguard_core::{
+pub use defguard_common::db::setup_pool;
+use defguard_common::{
     VERSION,
+    config::DefGuardConfig,
+    db::{Id, NoId, models::settings::initialize_current_settings},
+};
+use defguard_core::{
     auth::failed_login::FailedLoginMap,
     build_webapp,
-    config::DefGuardConfig,
-    db::{
-        AppEvent, GatewayEvent, Id, NoId, User, UserDetails,
-        models::settings::initialize_current_settings,
-    },
+    db::{AppEvent, GatewayEvent, User, UserDetails},
     enterprise::license::{License, set_cached_license},
     events::ApiEvent,
     grpc::{WorkerState, gateway::map::GatewayMap},
     handlers::Auth,
-    mail::Mail,
 };
+use defguard_mail::Mail;
 use reqwest::{StatusCode, header::HeaderName};
 use semver::Version;
 use serde::de::DeserializeOwned;
diff --git a/crates/defguard_core/tests/integration/api/forward_auth.rs b/crates/defguard_core/tests/integration/api/forward_auth.rs
index 83b97c1ba9..7525383ca0 100644
--- a/crates/defguard_core/tests/integration/api/forward_auth.rs
+++ b/crates/defguard_core/tests/integration/api/forward_auth.rs
@@ -1,4 +1,5 @@
-use defguard_core::{SERVER_CONFIG, handlers::Auth};
+use defguard_common::config::SERVER_CONFIG;
+use defguard_core::handlers::Auth;
 use reqwest::StatusCode;
 use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
diff --git a/crates/defguard_core/tests/integration/api/oauth.rs b/crates/defguard_core/tests/integration/api/oauth.rs
index 06d86dbe3b..4e7329734f 100644
--- a/crates/defguard_core/tests/integration/api/oauth.rs
+++ b/crates/defguard_core/tests/integration/api/oauth.rs
@@ -1,8 +1,9 @@
 use std::borrow::Cow;
 
+use defguard_common::db::Id;
 use defguard_core::{
     db::{
-        Id, OAuth2AuthorizedApp,
+        OAuth2AuthorizedApp,
         models::{
             NewOpenIDClient,
             oauth2client::{OAuth2Client, OAuth2ClientSafe},
diff --git a/crates/defguard_core/tests/integration/api/openid.rs b/crates/defguard_core/tests/integration/api/openid.rs
index 1a3882d4c2..d4052b6e58 100644
--- a/crates/defguard_core/tests/integration/api/openid.rs
+++ b/crates/defguard_core/tests/integration/api/openid.rs
@@ -2,9 +2,10 @@ use std::str::FromStr;
 
 use axum::http::header::ToStrError;
 use claims::assert_err;
+use defguard_common::db::Id;
 use defguard_core::{
     db::{
-        Id, User,
+        User,
         models::{NewOpenIDClient, oauth2client::OAuth2Client},
     },
     handlers::Auth,
diff --git a/crates/defguard_core/tests/integration/api/openid_login.rs b/crates/defguard_core/tests/integration/api/openid_login.rs
index 461f8fa840..b9912eadd2 100644
--- a/crates/defguard_core/tests/integration/api/openid_login.rs
+++ b/crates/defguard_core/tests/integration/api/openid_login.rs
@@ -1,6 +1,6 @@
 use chrono::{Duration, Utc};
+use defguard_common::db::models::settings::OpenidUsernameHandling;
 use defguard_core::{
-    db::models::settings::OpenidUsernameHandling,
     enterprise::{
         db::models::openid_provider::{DirectorySyncTarget, DirectorySyncUserBehavior},
         handlers::openid_providers::AddProviderData,
diff --git a/crates/defguard_core/tests/integration/api/settings.rs b/crates/defguard_core/tests/integration/api/settings.rs
index a832b60eb8..d0859e60d3 100644
--- a/crates/defguard_core/tests/integration/api/settings.rs
+++ b/crates/defguard_core/tests/integration/api/settings.rs
@@ -1,7 +1,5 @@
-use defguard_core::{
-    db::models::settings::{Settings, SettingsPatch},
-    handlers::Auth,
-};
+use defguard_common::db::models::{Settings, settings::SettingsPatch};
+use defguard_core::handlers::Auth;
 use reqwest::StatusCode;
 use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
diff --git a/crates/defguard_core/tests/integration/api/snat.rs b/crates/defguard_core/tests/integration/api/snat.rs
index a396041d4c..01655d9b56 100644
--- a/crates/defguard_core/tests/integration/api/snat.rs
+++ b/crates/defguard_core/tests/integration/api/snat.rs
@@ -1,7 +1,7 @@
 use std::net::IpAddr;
 
+use defguard_common::db::Id;
 use defguard_core::{
-    db::Id,
     enterprise::{
         db::models::snat::UserSnatBinding,
         license::{get_cached_license, set_cached_license},
diff --git a/crates/defguard_core/tests/integration/api/user.rs b/crates/defguard_core/tests/integration/api/user.rs
index 197eea3afc..d7605a5348 100644
--- a/crates/defguard_core/tests/integration/api/user.rs
+++ b/crates/defguard_core/tests/integration/api/user.rs
@@ -1,6 +1,7 @@
+use defguard_common::db::Id;
 use defguard_core::{
     db::{
-        AddDevice, Id, UserInfo,
+        AddDevice, UserInfo,
         models::{NewOpenIDClient, oauth2client::OAuth2Client},
     },
     handlers::{AddUserData, Auth, PasswordChange, PasswordChangeSelf, Username},
diff --git a/crates/defguard_core/tests/integration/api/webhook.rs b/crates/defguard_core/tests/integration/api/webhook.rs
index 326592f3e0..4d420395ac 100644
--- a/crates/defguard_core/tests/integration/api/webhook.rs
+++ b/crates/defguard_core/tests/integration/api/webhook.rs
@@ -1,7 +1,5 @@
-use defguard_core::{
-    db::{Id, NoId, WebHook},
-    handlers::Auth,
-};
+use defguard_common::db::{Id, NoId};
+use defguard_core::{db::WebHook, handlers::Auth};
 use reqwest::StatusCode;
 use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
diff --git a/crates/defguard_core/tests/integration/api/wireguard.rs b/crates/defguard_core/tests/integration/api/wireguard.rs
index becf937611..79625944c0 100644
--- a/crates/defguard_core/tests/integration/api/wireguard.rs
+++ b/crates/defguard_core/tests/integration/api/wireguard.rs
@@ -1,11 +1,11 @@
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
 
+use defguard_common::db::{Id, models::settings::OpenidUsernameHandling};
 use defguard_core::{
     db::{
-        Device, GatewayEvent, Id, WireguardNetwork,
+        Device, GatewayEvent, WireguardNetwork,
         models::{
             device::WireguardNetworkDevice,
-            settings::OpenidUsernameHandling,
             wireguard::{
                 DEFAULT_DISCONNECT_THRESHOLD, DEFAULT_KEEPALIVE_INTERVAL, LocationMfaMode,
             },
diff --git a/crates/defguard_core/tests/integration/api/wireguard_network_allowed_groups.rs b/crates/defguard_core/tests/integration/api/wireguard_network_allowed_groups.rs
index 51ecb04207..3a2f9e15a1 100644
--- a/crates/defguard_core/tests/integration/api/wireguard_network_allowed_groups.rs
+++ b/crates/defguard_core/tests/integration/api/wireguard_network_allowed_groups.rs
@@ -1,9 +1,9 @@
 use std::net::IpAddr;
 
 use claims::assert_err;
+use defguard_common::{csv::AsCsv, db::Id};
 use defguard_core::{
-    AsCsv,
-    db::{Device, GatewayEvent, Group, Id, User, WireguardNetwork, models::device::DeviceType},
+    db::{Device, GatewayEvent, Group, User, WireguardNetwork, models::device::DeviceType},
     handlers::{Auth, wireguard::ImportedNetworkData},
 };
 use matches::assert_matches;
diff --git a/crates/defguard_core/tests/integration/api/wireguard_network_devices.rs b/crates/defguard_core/tests/integration/api/wireguard_network_devices.rs
index ae99878995..f16ed592bd 100644
--- a/crates/defguard_core/tests/integration/api/wireguard_network_devices.rs
+++ b/crates/defguard_core/tests/integration/api/wireguard_network_devices.rs
@@ -1,7 +1,8 @@
 use std::{net::IpAddr, str::FromStr};
 
+use defguard_common::db::Id;
 use defguard_core::{
-    db::{Device, GatewayEvent, Id, WireguardNetwork},
+    db::{Device, GatewayEvent, WireguardNetwork},
     handlers::{Auth, network_devices::AddNetworkDevice},
 };
 use ipnetwork::IpNetwork;
diff --git a/crates/defguard_core/tests/integration/api/wireguard_network_stats.rs b/crates/defguard_core/tests/integration/api/wireguard_network_stats.rs
index 8a02b5c994..5a03e8169b 100644
--- a/crates/defguard_core/tests/integration/api/wireguard_network_stats.rs
+++ b/crates/defguard_core/tests/integration/api/wireguard_network_stats.rs
@@ -1,15 +1,13 @@
 use chrono::{Datelike, Duration, NaiveDate, SubsecRound, Timelike, Utc};
+use defguard_common::db::{Id, NoId};
 use defguard_core::{
-    db::{
-        Id, NoId,
-        models::{
-            device::Device,
-            wireguard::{
-                WireguardDeviceStatsRow, WireguardDeviceTransferRow, WireguardNetworkStats,
-                WireguardUserStatsRow,
-            },
-            wireguard_peer_stats::WireguardPeerStats,
+    db::models::{
+        device::Device,
+        wireguard::{
+            WireguardDeviceStatsRow, WireguardDeviceTransferRow, WireguardNetworkStats,
+            WireguardUserStatsRow,
         },
+        wireguard_peer_stats::WireguardPeerStats,
     },
     handlers::Auth,
 };
diff --git a/crates/defguard_core/tests/integration/common.rs b/crates/defguard_core/tests/integration/common.rs
index d89859fc9c..82d0950925 100644
--- a/crates/defguard_core/tests/integration/common.rs
+++ b/crates/defguard_core/tests/integration/common.rs
@@ -1,6 +1,7 @@
 use std::str::FromStr;
 
-use defguard_core::{SERVER_CONFIG, config::DefGuardConfig, db::User};
+use defguard_common::config::{DefGuardConfig, SERVER_CONFIG};
+use defguard_core::db::User;
 use reqwest::Url;
 use secrecy::ExposeSecret;
 use sqlx::PgPool;
diff --git a/crates/defguard_core/tests/integration/grpc/common/mock_gateway.rs b/crates/defguard_core/tests/integration/grpc/common/mock_gateway.rs
index 5622c399fb..6440f5e8f9 100644
--- a/crates/defguard_core/tests/integration/grpc/common/mock_gateway.rs
+++ b/crates/defguard_core/tests/integration/grpc/common/mock_gateway.rs
@@ -1,11 +1,9 @@
 use std::time::Duration;
 
-use defguard_core::grpc::{
-    AUTHORIZATION_HEADER, HOSTNAME_HEADER,
-    proto::gateway::{
-        Configuration, ConfigurationRequest, StatsUpdate, Update,
-        gateway_service_client::GatewayServiceClient,
-    },
+use defguard_core::grpc::{AUTHORIZATION_HEADER, HOSTNAME_HEADER};
+use defguard_proto::gateway::{
+    Configuration, ConfigurationRequest, StatsUpdate, Update,
+    gateway_service_client::GatewayServiceClient,
 };
 use defguard_version::{Version, client::ClientVersionInterceptor};
 use tokio::{
diff --git a/crates/defguard_core/tests/integration/grpc/common/mod.rs b/crates/defguard_core/tests/integration/grpc/common/mod.rs
index ae5bb98997..96609dbfa7 100644
--- a/crates/defguard_core/tests/integration/grpc/common/mod.rs
+++ b/crates/defguard_core/tests/integration/grpc/common/mod.rs
@@ -1,17 +1,18 @@
 use std::sync::{Arc, Mutex};
 
 use axum::http::Uri;
+use defguard_common::db::models::settings::initialize_current_settings;
 use defguard_core::{
     auth::failed_login::FailedLoginMap,
-    db::{AppEvent, GatewayEvent, models::settings::initialize_current_settings},
+    db::{AppEvent, GatewayEvent},
     enterprise::license::{License, set_cached_license},
     events::GrpcEvent,
     grpc::{
         WorkerState, build_grpc_service_router,
         gateway::{client_state::ClientMap, map::GatewayMap},
     },
-    mail::Mail,
 };
+use defguard_mail::Mail;
 use hyper_util::rt::TokioIo;
 use sqlx::PgPool;
 use tokio::{
diff --git a/crates/defguard_core/tests/integration/grpc/gateway.rs b/crates/defguard_core/tests/integration/grpc/gateway.rs
index d4aba18ee5..8be4c88c31 100644
--- a/crates/defguard_core/tests/integration/grpc/gateway.rs
+++ b/crates/defguard_core/tests/integration/grpc/gateway.rs
@@ -5,25 +5,22 @@ use std::{
 
 use chrono::{Days, Utc};
 use claims::{assert_err_eq, assert_matches};
+use defguard_common::db::{Id, NoId, setup_pool};
 use defguard_core::{
     db::{
-        Device, Id, NoId, User, WireguardNetwork,
+        Device, User, WireguardNetwork,
         models::{
             device::DeviceType, wireguard::LocationMfaMode,
             wireguard_peer_stats::WireguardPeerStats,
         },
-        setup_pool,
     },
     enterprise::{license::set_cached_license, limits::update_counts},
     events::GrpcEvent,
-    grpc::{
-        MIN_GATEWAY_VERSION,
-        gateway::{Configuration, Update, update},
-        proto::{
-            enterprise::firewall::FirewallPolicy,
-            gateway::{PeerStats, StatsUpdate, stats_update::Payload},
-        },
-    },
+    grpc::MIN_GATEWAY_VERSION,
+};
+use defguard_proto::{
+    enterprise::firewall::FirewallPolicy,
+    gateway::{Configuration, PeerStats, StatsUpdate, Update, stats_update::Payload, update},
 };
 use semver::Version;
 use sqlx::{
diff --git a/crates/defguard_event_logger/Cargo.toml b/crates/defguard_event_logger/Cargo.toml
index 871ba70866..4f26e19fb5 100644
--- a/crates/defguard_event_logger/Cargo.toml
+++ b/crates/defguard_event_logger/Cargo.toml
@@ -9,13 +9,14 @@ rust-version.workspace = true
 
 [dependencies]
 # internal crates
-defguard_core = { workspace = true }
+defguard_common.workspace = true
+defguard_core.workspace = true
 
 # external dependencies
-bytes = { workspace = true }
-chrono = { workspace = true }
-serde_json = { workspace = true }
-sqlx = { workspace = true }
-thiserror = { workspace = true }
-tokio = { workspace = true }
-tracing = { workspace = true }
+bytes.workspace = true
+chrono.workspace = true
+serde_json.workspace = true
+sqlx.workspace = true
+thiserror.workspace = true
+tokio.workspace = true
+tracing.workspace = true
diff --git a/crates/defguard_event_logger/src/lib.rs b/crates/defguard_event_logger/src/lib.rs
index 3d04dce4eb..29c6123957 100644
--- a/crates/defguard_event_logger/src/lib.rs
+++ b/crates/defguard_event_logger/src/lib.rs
@@ -1,24 +1,22 @@
 use bytes::Bytes;
-use defguard_core::db::{
-    NoId,
-    models::activity_log::{
-        ActivityLogEvent, ActivityLogModule, EventType,
-        metadata::{
-            ActivityLogStreamMetadata, ActivityLogStreamModifiedMetadata, ApiTokenMetadata,
-            ApiTokenRenamedMetadata, AuthenticationKeyMetadata, AuthenticationKeyRenamedMetadata,
-            ClientConfigurationTokenMetadata, DeviceMetadata, DeviceModifiedMetadata,
-            EnrollmentDeviceAddedMetadata, EnrollmentTokenMetadata, GroupAssignedMetadata,
-            GroupMembersModifiedMetadata, GroupMetadata, GroupModifiedMetadata,
-            GroupsBulkAssignedMetadata, LoginFailedMetadata, MfaLoginFailedMetadata,
-            MfaLoginMetadata, MfaSecurityKeyMetadata, NetworkDeviceMetadata,
-            NetworkDeviceModifiedMetadata, OpenIdAppMetadata, OpenIdAppModifiedMetadata,
-            OpenIdAppStateChangedMetadata, OpenIdProviderMetadata, PasswordChangedByAdminMetadata,
-            PasswordResetMetadata, SettingsUpdateMetadata, UserGroupsModifiedMetadata,
-            UserMetadata, UserMfaDisabledMetadata, UserModifiedMetadata, UserSnatBindingMetadata,
-            UserSnatBindingModifiedMetadata, VpnClientMetadata, VpnClientMfaFailedMetadata,
-            VpnClientMfaMetadata, VpnLocationMetadata, VpnLocationModifiedMetadata,
-            WebHookMetadata, WebHookModifiedMetadata, WebHookStateChangedMetadata,
-        },
+use defguard_common::db::NoId;
+use defguard_core::db::models::activity_log::{
+    ActivityLogEvent, ActivityLogModule, EventType,
+    metadata::{
+        ActivityLogStreamMetadata, ActivityLogStreamModifiedMetadata, ApiTokenMetadata,
+        ApiTokenRenamedMetadata, AuthenticationKeyMetadata, AuthenticationKeyRenamedMetadata,
+        ClientConfigurationTokenMetadata, DeviceMetadata, DeviceModifiedMetadata,
+        EnrollmentDeviceAddedMetadata, EnrollmentTokenMetadata, GroupAssignedMetadata,
+        GroupMembersModifiedMetadata, GroupMetadata, GroupModifiedMetadata,
+        GroupsBulkAssignedMetadata, LoginFailedMetadata, MfaLoginFailedMetadata, MfaLoginMetadata,
+        MfaSecurityKeyMetadata, NetworkDeviceMetadata, NetworkDeviceModifiedMetadata,
+        OpenIdAppMetadata, OpenIdAppModifiedMetadata, OpenIdAppStateChangedMetadata,
+        OpenIdProviderMetadata, PasswordChangedByAdminMetadata, PasswordResetMetadata,
+        SettingsUpdateMetadata, UserGroupsModifiedMetadata, UserMetadata, UserMfaDisabledMetadata,
+        UserModifiedMetadata, UserSnatBindingMetadata, UserSnatBindingModifiedMetadata,
+        VpnClientMetadata, VpnClientMfaFailedMetadata, VpnClientMfaMetadata, VpnLocationMetadata,
+        VpnLocationModifiedMetadata, WebHookMetadata, WebHookModifiedMetadata,
+        WebHookStateChangedMetadata,
     },
 };
 use description::{
diff --git a/crates/defguard_event_logger/src/message.rs b/crates/defguard_event_logger/src/message.rs
index 26b4145689..0dc0eebcda 100644
--- a/crates/defguard_event_logger/src/message.rs
+++ b/crates/defguard_event_logger/src/message.rs
@@ -1,10 +1,14 @@
 use std::net::IpAddr;
 
 use chrono::NaiveDateTime;
+use defguard_common::db::{
+    Id,
+    models::{AuthenticationKey, MFAMethod, Settings},
+};
 use defguard_core::{
     db::{
-        Device, Group, Id, MFAMethod, Settings, User, WebAuthn, WebHook, WireguardNetwork,
-        models::{authentication_key::AuthenticationKey, oauth2client::OAuth2Client},
+        Device, Group, User, WebAuthn, WebHook, WireguardNetwork,
+        models::oauth2client::OAuth2Client,
     },
     enterprise::db::models::{
         activity_log_stream::ActivityLogStream, api_tokens::ApiToken,
diff --git a/crates/defguard_event_router/Cargo.toml b/crates/defguard_event_router/Cargo.toml
index 9641e5bb95..c4c9b3c150 100644
--- a/crates/defguard_event_router/Cargo.toml
+++ b/crates/defguard_event_router/Cargo.toml
@@ -11,6 +11,7 @@ rust-version.workspace = true
 # internal crates
 defguard_core = { workspace = true }
 defguard_event_logger = { workspace = true }
+defguard_mail = { workspace = true }
 
 # external dependencies
 thiserror = { workspace = true }
diff --git a/crates/defguard_event_router/src/lib.rs b/crates/defguard_event_router/src/lib.rs
index 335ca17838..b9633f9f07 100644
--- a/crates/defguard_event_router/src/lib.rs
+++ b/crates/defguard_event_router/src/lib.rs
@@ -22,9 +22,9 @@ use std::sync::Arc;
 use defguard_core::{
     db::GatewayEvent,
     events::{ApiEvent, BidiStreamEvent, GrpcEvent, InternalEvent},
-    mail::Mail,
 };
 use defguard_event_logger::message::{EventContext, EventLoggerMessage, LoggerEvent};
+use defguard_mail::Mail;
 use error::EventRouterError;
 use events::Event;
 use tokio::sync::{
diff --git a/crates/defguard_mail/Cargo.toml b/crates/defguard_mail/Cargo.toml
new file mode 100644
index 0000000000..854671cb2e
--- /dev/null
+++ b/crates/defguard_mail/Cargo.toml
@@ -0,0 +1,26 @@
+[package]
+name = "defguard_mail"
+version = "0.0.0"
+edition.workspace = true
+license-file.workspace = true
+homepage.workspace = true
+repository.workspace = true
+rust-version.workspace = true
+
+[dependencies]
+defguard_common.workspace = true
+
+chrono.workspace = true
+lettre.workspace = true
+pulldown-cmark.workspace = true
+reqwest.workspace = true
+serde.workspace = true
+serde_json.workspace = true
+sqlx.workspace = true
+tera.workspace = true
+thiserror.workspace = true
+tokio.workspace = true
+tracing.workspace = true
+
+[dev-dependencies]
+claims.workspace = true
diff --git a/crates/defguard_core/src/mail.rs b/crates/defguard_mail/src/lib.rs
similarity index 98%
rename from crates/defguard_core/src/mail.rs
rename to crates/defguard_mail/src/lib.rs
index 13ed6c904c..081127548f 100644
--- a/crates/defguard_core/src/mail.rs
+++ b/crates/defguard_mail/src/lib.rs
@@ -1,5 +1,6 @@
 use std::time::Duration;
 
+use defguard_common::db::models::{Settings, settings::SmtpEncryption};
 use lettre::{
     Address, AsyncSmtpTransport, AsyncTransport, Message, Tokio1Executor,
     address::AddressError,
@@ -8,8 +9,9 @@ use lettre::{
 };
 use thiserror::Error;
 use tokio::sync::mpsc::{UnboundedReceiver, UnboundedSender};
+use tracing::{debug, error, info, instrument, warn};
 
-use crate::db::{Settings, models::settings::SmtpEncryption};
+pub mod templates;
 
 const SMTP_TIMEOUT_SECONDS: u64 = 15;
 
diff --git a/crates/defguard_core/src/templates.rs b/crates/defguard_mail/src/templates.rs
similarity index 93%
rename from crates/defguard_core/src/templates.rs
rename to crates/defguard_mail/src/templates.rs
index 0c945ffe47..5fe6b6d6ca 100644
--- a/crates/defguard_core/src/templates.rs
+++ b/crates/defguard_mail/src/templates.rs
@@ -1,16 +1,13 @@
 use std::collections::HashMap;
 
 use chrono::{Datelike, NaiveDateTime, Utc};
+use defguard_common::{VERSION, config::server_config, db::models::user::MFAMethod};
 use reqwest::Url;
+use serde::Serialize;
 use serde_json::Value;
 use tera::{Context, Function, Tera};
 use thiserror::Error;
-
-use crate::{
-    VERSION,
-    db::{Id, MFAMethod, Session, User},
-    server_config,
-};
+use tracing::debug;
 
 static MAIL_BASE: &str = include_str!("../templates/base.tera");
 static MAIL_MACROS: &str = include_str!("../templates/macros.tera");
@@ -56,7 +53,7 @@ impl Function for NoOp {
 
 /// Return a safe instance of Tera, as Tera is vulnerable to `get_env()` function exploit.
 /// See: https://github.com/Keats/tera/issues/677
-pub(crate) fn safe_tera() -> Tera {
+pub fn safe_tera() -> Tera {
     let mut tera = Tera::default();
     let noop = NoOp("get_env");
     tera.register_function(noop.0, noop);
@@ -64,9 +61,19 @@ pub(crate) fn safe_tera() -> Tera {
     tera
 }
 
+pub struct SessionContext {
+    pub ip_address: String,
+    pub device_info: Option<String>,
+}
+
+pub struct UserContext {
+    pub last_name: String,
+    pub first_name: String,
+}
+
 fn get_base_tera(
     external_context: Option<Context>,
-    session: Option<&Session>,
+    session: Option<&SessionContext>,
     ip_address: Option<&str>,
     device_info: Option<&str>,
 ) -> Result<(Tera, Context), TemplateError> {
@@ -99,7 +106,7 @@ fn get_base_tera(
 }
 
 // sends test message when requested during SMTP configuration process
-pub fn test_mail(session: Option<&Session>) -> Result<String, TemplateError> {
+pub fn test_mail(session: Option<&SessionContext>) -> Result<String, TemplateError> {
     let (mut tera, context) = get_base_tera(None, session, None, None)?;
     tera.add_raw_template("mail_test", MAIL_TEST)?;
     Ok(tera.render("mail_test", &context)?)
@@ -169,9 +176,9 @@ pub fn enrollment_welcome_mail(
 }
 
 // notification sent to admin after user completes enrollment
-pub fn enrollment_admin_notification<I>(
-    user: &User<I>,
-    admin: &User<I>,
+pub fn enrollment_admin_notification(
+    user: &UserContext,
+    admin: &UserContext,
     ip_address: &str,
     device_info: Option<&str>,
 ) -> Result<String, TemplateError> {
@@ -221,7 +228,7 @@ pub fn new_device_added_mail(
 }
 
 pub fn mfa_configured_mail(
-    session: Option<&Session>,
+    session: Option<&SessionContext>,
     method: &MFAMethod,
 ) -> Result<String, TemplateError> {
     let (mut tera, mut context) = get_base_tera(None, session, None, None)?;
@@ -233,7 +240,7 @@ pub fn mfa_configured_mail(
 }
 
 pub fn new_device_login_mail(
-    session: &Session,
+    session: &SessionContext,
     created: NaiveDateTime,
 ) -> Result<String, TemplateError> {
     let (mut tera, mut context) = get_base_tera(None, Some(session), None, None)?;
@@ -248,7 +255,7 @@ pub fn new_device_login_mail(
 }
 
 pub fn new_device_ocid_login_mail(
-    session: &Session,
+    session: &SessionContext,
     oauth2client_name: &str,
 ) -> Result<String, TemplateError> {
     let (mut tera, mut context) = get_base_tera(None, Some(session), None, None)?;
@@ -290,9 +297,9 @@ pub fn gateway_reconnected_mail(
 }
 
 pub fn email_mfa_activation_mail(
-    user: &User<Id>,
+    user: &UserContext,
     code: &str,
-    session: Option<&Session>,
+    session: Option<&SessionContext>,
 ) -> Result<String, TemplateError> {
     let (mut tera, mut context) = get_base_tera(None, session, None, None)?;
     let timeout = server_config().mfa_code_timeout;
@@ -306,9 +313,9 @@ pub fn email_mfa_activation_mail(
 }
 
 pub fn email_mfa_code_mail(
-    user: &User<Id>,
+    user: &UserContext,
     code: &str,
-    session: Option<&Session>,
+    session: Option<&SessionContext>,
 ) -> Result<String, TemplateError> {
     let (mut tera, mut context) = get_base_tera(None, session, None, None)?;
     let timeout = server_config().mfa_code_timeout;
@@ -359,9 +366,9 @@ pub fn email_password_reset_success_mail(
 #[cfg(test)]
 mod test {
     use claims::assert_ok;
+    use defguard_common::config::{DefGuardConfig, SERVER_CONFIG};
 
     use super::*;
-    use crate::{SERVER_CONFIG, config::DefGuardConfig};
 
     fn get_welcome_context() -> Context {
         let mut context = Context::new();
@@ -401,7 +408,7 @@ mod test {
 
     #[test]
     fn test_enrollment_start_mail() {
-        let _ = SERVER_CONFIG.set(DefGuardConfig::default());
+        let _ = SERVER_CONFIG.set(DefGuardConfig::new_test_config());
         assert_ok!(enrollment_start_mail(
             Context::new(),
             Url::parse("http://localhost:8080").unwrap(),
@@ -457,14 +464,11 @@ mod test {
 
     #[test]
     fn test_enrollment_admin_notification() {
-        let test_user: User = User::new(
-            "test",
-            Some("1234"),
-            "test_last",
-            "test_first",
-            "test@example.com",
-            Some("99999".into()),
-        );
+        let test_user = UserContext {
+            last_name: "test_last".into(),
+            first_name: "test_first".into(),
+        };
+
         assert_ok!(enrollment_admin_notification(
             &test_user,
             &test_user,
diff --git a/crates/defguard_core/templates/base.tera b/crates/defguard_mail/templates/base.tera
similarity index 100%
rename from crates/defguard_core/templates/base.tera
rename to crates/defguard_mail/templates/base.tera
diff --git a/crates/defguard_core/templates/macros.tera b/crates/defguard_mail/templates/macros.tera
similarity index 100%
rename from crates/defguard_core/templates/macros.tera
rename to crates/defguard_mail/templates/macros.tera
diff --git a/crates/defguard_core/templates/mail_desktop_start.tera b/crates/defguard_mail/templates/mail_desktop_start.tera
similarity index 100%
rename from crates/defguard_core/templates/mail_desktop_start.tera
rename to crates/defguard_mail/templates/mail_desktop_start.tera
diff --git a/crates/defguard_core/templates/mail_email_mfa_activation.tera b/crates/defguard_mail/templates/mail_email_mfa_activation.tera
similarity index 100%
rename from crates/defguard_core/templates/mail_email_mfa_activation.tera
rename to crates/defguard_mail/templates/mail_email_mfa_activation.tera
diff --git a/crates/defguard_core/templates/mail_email_mfa_code.tera b/crates/defguard_mail/templates/mail_email_mfa_code.tera
similarity index 100%
rename from crates/defguard_core/templates/mail_email_mfa_code.tera
rename to crates/defguard_mail/templates/mail_email_mfa_code.tera
diff --git a/crates/defguard_core/templates/mail_enrollment_admin_notification.tera b/crates/defguard_mail/templates/mail_enrollment_admin_notification.tera
similarity index 100%
rename from crates/defguard_core/templates/mail_enrollment_admin_notification.tera
rename to crates/defguard_mail/templates/mail_enrollment_admin_notification.tera
diff --git a/crates/defguard_core/templates/mail_enrollment_start.tera b/crates/defguard_mail/templates/mail_enrollment_start.tera
similarity index 100%
rename from crates/defguard_core/templates/mail_enrollment_start.tera
rename to crates/defguard_mail/templates/mail_enrollment_start.tera
diff --git a/crates/defguard_core/templates/mail_enrollment_welcome.tera b/crates/defguard_mail/templates/mail_enrollment_welcome.tera
similarity index 100%
rename from crates/defguard_core/templates/mail_enrollment_welcome.tera
rename to crates/defguard_mail/templates/mail_enrollment_welcome.tera
diff --git a/crates/defguard_core/templates/mail_gateway_disconnected.tera b/crates/defguard_mail/templates/mail_gateway_disconnected.tera
similarity index 100%
rename from crates/defguard_core/templates/mail_gateway_disconnected.tera
rename to crates/defguard_mail/templates/mail_gateway_disconnected.tera
diff --git a/crates/defguard_core/templates/mail_gateway_reconnected.tera b/crates/defguard_mail/templates/mail_gateway_reconnected.tera
similarity index 100%
rename from crates/defguard_core/templates/mail_gateway_reconnected.tera
rename to crates/defguard_mail/templates/mail_gateway_reconnected.tera
diff --git a/crates/defguard_core/templates/mail_mfa_configured.tera b/crates/defguard_mail/templates/mail_mfa_configured.tera
similarity index 100%
rename from crates/defguard_core/templates/mail_mfa_configured.tera
rename to crates/defguard_mail/templates/mail_mfa_configured.tera
diff --git a/crates/defguard_core/templates/mail_new_device_added.tera b/crates/defguard_mail/templates/mail_new_device_added.tera
similarity index 100%
rename from crates/defguard_core/templates/mail_new_device_added.tera
rename to crates/defguard_mail/templates/mail_new_device_added.tera
diff --git a/crates/defguard_core/templates/mail_new_device_login.tera b/crates/defguard_mail/templates/mail_new_device_login.tera
similarity index 100%
rename from crates/defguard_core/templates/mail_new_device_login.tera
rename to crates/defguard_mail/templates/mail_new_device_login.tera
diff --git a/crates/defguard_core/templates/mail_new_device_ocid_login.tera b/crates/defguard_mail/templates/mail_new_device_ocid_login.tera
similarity index 100%
rename from crates/defguard_core/templates/mail_new_device_ocid_login.tera
rename to crates/defguard_mail/templates/mail_new_device_ocid_login.tera
diff --git a/crates/defguard_core/templates/mail_password_reset_start.tera b/crates/defguard_mail/templates/mail_password_reset_start.tera
similarity index 100%
rename from crates/defguard_core/templates/mail_password_reset_start.tera
rename to crates/defguard_mail/templates/mail_password_reset_start.tera
diff --git a/crates/defguard_core/templates/mail_password_reset_success.tera b/crates/defguard_mail/templates/mail_password_reset_success.tera
similarity index 100%
rename from crates/defguard_core/templates/mail_password_reset_success.tera
rename to crates/defguard_mail/templates/mail_password_reset_success.tera
diff --git a/crates/defguard_core/templates/mail_support_data.tera b/crates/defguard_mail/templates/mail_support_data.tera
similarity index 100%
rename from crates/defguard_core/templates/mail_support_data.tera
rename to crates/defguard_mail/templates/mail_support_data.tera
diff --git a/crates/defguard_core/templates/mail_test.tera b/crates/defguard_mail/templates/mail_test.tera
similarity index 100%
rename from crates/defguard_core/templates/mail_test.tera
rename to crates/defguard_mail/templates/mail_test.tera
diff --git a/crates/defguard_proto/Cargo.toml b/crates/defguard_proto/Cargo.toml
new file mode 100644
index 0000000000..5a749a3eb1
--- /dev/null
+++ b/crates/defguard_proto/Cargo.toml
@@ -0,0 +1,17 @@
+[package]
+name = "defguard_proto"
+version = "0.0.0"
+edition.workspace = true
+license-file.workspace = true
+homepage.workspace = true
+repository.workspace = true
+rust-version.workspace = true
+
+[dependencies]
+prost.workspace = true
+serde.workspace = true
+tonic.workspace = true
+tonic-prost.workspace = true
+
+[build-dependencies]
+tonic-prost-build.workspace = true
diff --git a/crates/defguard_proto/build.rs b/crates/defguard_proto/build.rs
new file mode 100644
index 0000000000..d8584959a6
--- /dev/null
+++ b/crates/defguard_proto/build.rs
@@ -0,0 +1,37 @@
+fn main() -> Result<(), Box<dyn std::error::Error>> {
+    tonic_prost_build::configure()
+        // These types contain sensitive data.
+        .skip_debug([
+            "ActivateUserRequest",
+            "AuthInfoResponse",
+            "AuthenticateRequest",
+            "AuthenticateResponse",
+            "ClientMfaFinishResponse",
+            "CodeMfaSetupStartResponse",
+            "CodeMfaSetupFinishResponse",
+            "CoreRequest",
+            "CoreResponse",
+            "DeviceConfigResponse",
+            "InstanceInfoResponse",
+            "NewDevice",
+            "PasswordResetRequest",
+        ])
+        .protoc_arg("--experimental_allow_proto3_optional")
+        .compile_protos(
+            &[
+                "../../proto/core/auth.proto",
+                "../../proto/core/proxy.proto",
+                "../../proto/worker/worker.proto",
+                "../../proto/wireguard/gateway.proto",
+                "../../proto/enterprise/firewall/firewall.proto",
+            ],
+            &[
+                "../../proto/core",
+                "../../proto/worker",
+                "../../proto/wireguard",
+                "../../proto/enterprise/firewall",
+            ],
+        )?;
+    println!("cargo:rerun-if-changed=../../proto");
+    Ok(())
+}
diff --git a/crates/defguard_proto/src/lib.rs b/crates/defguard_proto/src/lib.rs
new file mode 100644
index 0000000000..b7a38faaaf
--- /dev/null
+++ b/crates/defguard_proto/src/lib.rs
@@ -0,0 +1,66 @@
+use std::fmt;
+
+pub mod proxy {
+    tonic::include_proto!("defguard.proxy");
+}
+pub mod gateway {
+    tonic::include_proto!("gateway");
+}
+pub mod auth {
+    tonic::include_proto!("auth");
+}
+pub mod worker {
+    tonic::include_proto!("worker");
+}
+pub mod enterprise {
+    pub mod firewall {
+        tonic::include_proto!("enterprise.firewall");
+    }
+}
+
+use proxy::{CoreError, MfaMethod};
+use serde::Serialize;
+use tonic::Status;
+
+// Client MFA methods
+impl fmt::Display for MfaMethod {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(
+            f,
+            "{}",
+            match self {
+                MfaMethod::Totp => "TOTP",
+                MfaMethod::Email => "Email",
+                MfaMethod::Oidc => "OIDC",
+                MfaMethod::Biometric => "Biometric",
+                MfaMethod::MobileApprove => "MobileApprove",
+            }
+        )
+    }
+}
+
+impl Serialize for MfaMethod {
+    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+    where
+        S: serde::Serializer,
+    {
+        match *self {
+            MfaMethod::Totp => serializer.serialize_unit_variant("MfaMethod", 0, "Totp"),
+            MfaMethod::Email => serializer.serialize_unit_variant("MfaMethod", 1, "Email"),
+            MfaMethod::Oidc => serializer.serialize_unit_variant("MfaMethod", 2, "Oidc"),
+            MfaMethod::Biometric => serializer.serialize_unit_variant("MfaMethod", 3, "Biometric"),
+            MfaMethod::MobileApprove => {
+                serializer.serialize_unit_variant("MfaMethod", 4, "MobileApprove")
+            }
+        }
+    }
+}
+
+impl From<Status> for CoreError {
+    fn from(status: Status) -> Self {
+        Self {
+            status_code: status.code().into(),
+            message: status.message().into(),
+        }
+    }
+}
diff --git a/deny.toml b/deny.toml
index 3e865a910a..d26808d382 100644
--- a/deny.toml
+++ b/deny.toml
@@ -111,9 +111,18 @@ exceptions = [
     { allow = [
         "AGPL-3.0-only",
     ], crate = "defguard" },
+    { allow = [
+        "AGPL-3.0-only",
+    ], crate = "defguard_common" },
     { allow = [
         "AGPL-3.0-only",
     ], crate = "defguard_core" },
+    { allow = [
+        "AGPL-3.0-only",
+    ], crate = "defguard_mail" },
+    { allow = [
+        "AGPL-3.0-only",
+    ], crate = "defguard_proto" },
     { allow = [
         "AGPL-3.0-only",
     ], crate = "defguard_web_ui" },
diff --git a/flake.lock b/flake.lock
index abf59ab737..6b2f9bdad5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -20,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1757347588,
-        "narHash": "sha256-tLdkkC6XnsY9EOZW9TlpesTclELy8W7lL2ClL+nma8o=",
+        "lastModified": 1758035966,
+        "narHash": "sha256-qqIJ3yxPiB0ZQTT9//nFGQYn8X/PBoJbofA7hRKZnmE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b599843bad24621dcaa5ab60dac98f9b0eb1cabe",
+        "rev": "8d4ddb19d03c65a36ad8d189d001dc32ffb0306b",
         "type": "github"
       },
       "original": {
@@ -48,11 +48,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1757471515,
-        "narHash": "sha256-0+rSzNsYindDWjO9VVULKGjXlPsQV6IDjRU5G3SwI9U=",
+        "lastModified": 1758204348,
+        "narHash": "sha256-jkz/NihbcEwy1EHDv/6g0HEqkpyIWCnQ1siGrhHEtFM=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "aecf31120156fe47a7d1992aa814052910178fca",
+        "rev": "067b3536e55341f579385ce8593cdcc9d022972b",
         "type": "github"
       },
       "original": {

From ab4885472cfa4179b089fffb866d8b6a6cad8ea9 Mon Sep 17 00:00:00 2001
From: Adam <adam@defguard.net>
Date: Fri, 19 Sep 2025 10:26:56 +0200
Subject: [PATCH 10/50] Cleanup and revive OpenID login test (#1591)

---
 ...b7d7faff6d6327e279362212cda4960caca0.json} |   4 +-
 Cargo.lock                                    |  54 +--
 crates/defguard_core/src/db/models/user.rs    |  19 +-
 .../src/enterprise/grpc/desktop_client_mfa.rs |   6 +-
 .../src/enterprise/handlers/openid_login.rs   | 161 ++++-----
 .../enterprise/handlers/openid_providers.rs   |  45 ++-
 .../defguard_core/src/enterprise/license.rs   |   2 +-
 crates/defguard_core/src/grpc/client_mfa.rs   |  14 +-
 crates/defguard_core/src/grpc/enrollment.rs   |   4 +-
 crates/defguard_core/src/grpc/interceptor.rs  |   4 +-
 crates/defguard_core/src/grpc/mod.rs          |   2 +-
 crates/defguard_core/src/handlers/auth.rs     |   2 +-
 crates/defguard_core/src/handlers/user.rs     |   8 +-
 .../tests/integration/api/api_tokens.rs       |   4 +-
 .../tests/integration/api/auth.rs             |  14 +-
 .../tests/integration/api/common/mod.rs       |  16 +-
 .../tests/integration/api/openid.rs           |  14 +-
 .../tests/integration/api/openid_login.rs     | 324 +++++++++---------
 .../tests/integration/api/settings.rs         |   4 +-
 .../tests/integration/api/worker.rs           |   6 +-
 .../defguard_core/tests/integration/common.rs |   4 +-
 21 files changed, 370 insertions(+), 341 deletions(-)
 rename .sqlx/{query-796641fb2d79872ae5de64c8b9181e5890a3a122ea5e37ad2fa216c9db47f0a3.json => query-04163625da5365779cb5e2a47242b7d7faff6d6327e279362212cda4960caca0.json} (96%)

diff --git a/.sqlx/query-796641fb2d79872ae5de64c8b9181e5890a3a122ea5e37ad2fa216c9db47f0a3.json b/.sqlx/query-04163625da5365779cb5e2a47242b7d7faff6d6327e279362212cda4960caca0.json
similarity index 96%
rename from .sqlx/query-796641fb2d79872ae5de64c8b9181e5890a3a122ea5e37ad2fa216c9db47f0a3.json
rename to .sqlx/query-04163625da5365779cb5e2a47242b7d7faff6d6327e279362212cda4960caca0.json
index 65b55605ac..7396561c7f 100644
--- a/.sqlx/query-796641fb2d79872ae5de64c8b9181e5890a3a122ea5e37ad2fa216c9db47f0a3.json
+++ b/.sqlx/query-04163625da5365779cb5e2a47242b7d7faff6d6327e279362212cda4960caca0.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path FROM \"user\" WHERE openid_sub = $1 LIMIT 1",
+  "query": "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path FROM \"user\" WHERE openid_sub = $1",
   "describe": {
     "columns": [
       {
@@ -144,5 +144,5 @@
       true
     ]
   },
-  "hash": "796641fb2d79872ae5de64c8b9181e5890a3a122ea5e37ad2fa216c9db47f0a3"
+  "hash": "04163625da5365779cb5e2a47242b7d7faff6d6327e279362212cda4960caca0"
 }
diff --git a/Cargo.lock b/Cargo.lock
index 913382c6d9..59e02af7ba 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -582,9 +582,9 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.2.37"
+version = "1.2.38"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "65193589c6404eb80b450d618eaf9a2cafaaafd57ecce47370519ef674a7bd44"
+checksum = "80f41ae168f955c12fb8960b057d70d0ca153fb83182b57d86380443527be7e9"
 dependencies = [
  "find-msvc-tools",
  "jobserver",
@@ -1653,9 +1653,9 @@ checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
 
 [[package]]
 name = "find-msvc-tools"
-version = "0.1.1"
+version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7fd99930f64d146689264c637b5af2f0233a933bef0d8570e2526bf9e083192d"
+checksum = "1ced73b1dacfc750a6db6c0a0c3a3853c8b41997e2e2c563dc90804ae6867959"
 
 [[package]]
 name = "fixedbitset"
@@ -1970,7 +1970,7 @@ dependencies = [
  "futures-core",
  "futures-sink",
  "http",
- "indexmap 2.11.3",
+ "indexmap 2.11.4",
  "slab",
  "tokio",
  "tokio-util",
@@ -2010,6 +2010,12 @@ dependencies = [
  "foldhash",
 ]
 
+[[package]]
+name = "hashbrown"
+version = "0.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5419bdc4f6a9207fbeba6d11b604d481addf78ecd10c11ad51e76c2f6482748d"
+
 [[package]]
 name = "hashlink"
 version = "0.10.0"
@@ -2441,12 +2447,12 @@ dependencies = [
 
 [[package]]
 name = "indexmap"
-version = "2.11.3"
+version = "2.11.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "92119844f513ffa41556430369ab02c295a3578af21cf945caa3e9e0c2481ac3"
+checksum = "4b0f83760fb341a774ed326568e19f5a863af4a952def8c39f9ab92fd95b88e5"
 dependencies = [
  "equivalent",
- "hashbrown 0.15.5",
+ "hashbrown 0.16.0",
  "serde",
  "serde_core",
 ]
@@ -3437,7 +3443,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3672b37090dbd86368a4145bc067582552b29c27377cad4e0a306c97f9bd7772"
 dependencies = [
  "fixedbitset",
- "indexmap 2.11.3",
+ "indexmap 2.11.4",
 ]
 
 [[package]]
@@ -3626,7 +3632,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "740ebea15c5d1428f910cd1a5f52cebf8d25006245ed8ade92702f4943d91e07"
 dependencies = [
  "base64 0.22.1",
- "indexmap 2.11.3",
+ "indexmap 2.11.4",
  "quick-xml",
  "serde",
  "time",
@@ -4465,7 +4471,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b2f2d7ff8a2140333718bb329f5c40fc5f0865b84c426183ce14c97d2ab8154f"
 dependencies = [
  "form_urlencoded",
- "indexmap 2.11.3",
+ "indexmap 2.11.4",
  "itoa",
  "ryu",
  "serde_core",
@@ -4537,7 +4543,7 @@ dependencies = [
  "chrono",
  "hex",
  "indexmap 1.9.3",
- "indexmap 2.11.3",
+ "indexmap 2.11.4",
  "schemars 0.9.0",
  "schemars 1.0.4",
  "serde",
@@ -4565,7 +4571,7 @@ version = "0.9.34+deprecated"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
 dependencies = [
- "indexmap 2.11.3",
+ "indexmap 2.11.4",
  "itoa",
  "ryu",
  "serde",
@@ -4815,7 +4821,7 @@ dependencies = [
  "futures-util",
  "hashbrown 0.15.5",
  "hashlink",
- "indexmap 2.11.3",
+ "indexmap 2.11.4",
  "ipnetwork",
  "log",
  "memchr",
@@ -5427,20 +5433,20 @@ dependencies = [
 
 [[package]]
 name = "toml_datetime"
-version = "0.7.1"
+version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a197c0ec7d131bfc6f7e82c8442ba1595aeab35da7adbf05b6b73cd06a16b6be"
+checksum = "32f1085dec27c2b6632b04c80b3bb1b4300d6495d1e129693bdda7d91e72eec1"
 dependencies = [
  "serde_core",
 ]
 
 [[package]]
 name = "toml_edit"
-version = "0.23.5"
+version = "0.23.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c2ad0b7ae9cfeef5605163839cb9221f453399f15cfb5c10be9885fcf56611f9"
+checksum = "f3effe7c0e86fdff4f69cdd2ccc1b96f933e24811c5441d44904e8683e27184b"
 dependencies = [
- "indexmap 2.11.3",
+ "indexmap 2.11.4",
  "toml_datetime",
  "toml_parser",
  "winnow",
@@ -5448,9 +5454,9 @@ dependencies = [
 
 [[package]]
 name = "toml_parser"
-version = "1.0.2"
+version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b551886f449aa90d4fe2bdaa9f4a2577ad2dde302c61ecf262d80b116db95c10"
+checksum = "4cf893c33be71572e0e9aa6dd15e6677937abd686b066eac3f8cd3531688a627"
 dependencies = [
  "winnow",
 ]
@@ -5559,7 +5565,7 @@ checksum = "d039ad9159c98b70ecfd540b2573b97f7f52c3e8d9f8ad57a24b916a536975f9"
 dependencies = [
  "futures-core",
  "futures-util",
- "indexmap 2.11.3",
+ "indexmap 2.11.4",
  "pin-project-lite",
  "slab",
  "sync_wrapper",
@@ -5883,7 +5889,7 @@ version = "5.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2fcc29c80c21c31608227e0912b2d7fddba57ad76b606890627ba8ee7964e993"
 dependencies = [
- "indexmap 2.11.3",
+ "indexmap 2.11.4",
  "serde",
  "serde_json",
  "utoipa-gen",
@@ -6811,7 +6817,7 @@ dependencies = [
  "arbitrary",
  "crc32fast",
  "flate2",
- "indexmap 2.11.3",
+ "indexmap 2.11.4",
  "memchr",
  "zopfli",
 ]
diff --git a/crates/defguard_core/src/db/models/user.rs b/crates/defguard_core/src/db/models/user.rs
index e011a6e3b2..6ba075b646 100644
--- a/crates/defguard_core/src/db/models/user.rs
+++ b/crates/defguard_core/src/db/models/user.rs
@@ -823,9 +823,9 @@ impl User<Id> {
     {
         query_as!(
             Self,
-            "SELECT id, username, password_hash, last_name, first_name, email, \
-            phone, mfa_enabled, totp_enabled, email_mfa_enabled, \
-            totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, \
+            "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, \
+            totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, \
+            mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, \
             from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path \
             FROM \"user\" WHERE username = $1",
             username
@@ -843,9 +843,10 @@ impl User<Id> {
     {
         query_as!(
             Self,
-            "SELECT id, username, password_hash, last_name, first_name, email, phone, \
-            mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, \
-            mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path \
+            "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, \
+            totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, \
+            mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, \
+            ldap_pass_randomized, ldap_rdn, ldap_user_path \
             FROM \"user\" WHERE email ILIKE $1",
             email
         )
@@ -853,8 +854,7 @@ impl User<Id> {
         .await
     }
 
-    /// Attempts to find user by username and then by email
-    /// of none is initially found
+    /// Attempts to find user by username and then by email, if none is initially found.
     pub async fn find_by_username_or_email(
         conn: &mut PgConnection,
         username_or_email: &str,
@@ -888,7 +888,6 @@ impl User<Id> {
         .await
     }
 
-    // FIXME: Remove `LIMIT 1` when `openid_sub` is unique.
     pub(crate) async fn find_by_sub<'e, E>(
         executor: E,
         sub: &str,
@@ -902,7 +901,7 @@ impl User<Id> {
             mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, \
             mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, \
             from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path \
-            FROM \"user\" WHERE openid_sub = $1 LIMIT 1",
+            FROM \"user\" WHERE openid_sub = $1",
             sub
         )
         .fetch_optional(executor)
diff --git a/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs b/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs
index f48e012554..eeb022224f 100644
--- a/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs
+++ b/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs
@@ -76,7 +76,7 @@ impl ClientMfaServer {
 
         let code = AuthorizationCode::new(request.code.clone());
         let url = match Url::parse(&request.callback_url).map_err(|err| {
-            error!("Invalid redirect URL provided: {err:?}");
+            error!("Invalid redirect URL provided: {err}");
             Status::invalid_argument("invalid redirect URL")
         }) {
             Ok(url) => url,
@@ -122,7 +122,7 @@ impl ClientMfaServer {
                 );
             }
             Err(err) => {
-                info!("Failed to verify OIDC code: {err:?}");
+                info!("Failed to verify OIDC code: {err}");
                 self.sessions.remove(&pubkey);
                 self.emit_event(BidiStreamEvent {
                     context,
@@ -131,7 +131,7 @@ impl ClientMfaServer {
                             location: location.clone(),
                             device: device.clone(),
                             method,
-                            message: format!("failed to verify OIDC code: {err:?}"),
+                            message: format!("failed to verify OIDC code: {err}"),
                         },
                     )),
                 })?;
diff --git a/crates/defguard_core/src/enterprise/handlers/openid_login.rs b/crates/defguard_core/src/enterprise/handlers/openid_login.rs
index 2f3743b196..6b506f5223 100644
--- a/crates/defguard_core/src/enterprise/handlers/openid_login.rs
+++ b/crates/defguard_core/src/enterprise/handlers/openid_login.rs
@@ -44,8 +44,9 @@ use crate::{
     },
     error::WebError,
     handlers::{
-        ApiResponse, AuthResponse, SESSION_COOKIE_NAME, SIGN_IN_COOKIE_NAME, auth::create_session,
-        user::check_username,
+        ApiResponse, AuthResponse, SESSION_COOKIE_NAME, SIGN_IN_COOKIE_NAME,
+        auth::create_session,
+        user::{MAX_USERNAME_CHARS, check_username},
     },
 };
 
@@ -90,8 +91,7 @@ pub fn prune_username(username: &str, handling: OpenidUsernameHandling) -> Strin
         }
     }
 
-    result.truncate(64);
-
+    result.truncate(MAX_USERNAME_CHARS);
     result
 }
 
@@ -101,7 +101,7 @@ fn get_async_http_client() -> Result<reqwest::Client, WebError> {
         .redirect(reqwest::redirect::Policy::none())
         .build()
         .map_err(|err| {
-            error!("Failed to create HTTP client: {err:?}");
+            error!("Failed to create HTTP client: {err}");
             WebError::Http(StatusCode::INTERNAL_SERVER_ERROR)
         })
 }
@@ -109,22 +109,24 @@ fn get_async_http_client() -> Result<reqwest::Client, WebError> {
 async fn get_provider_metadata(url: &str) -> Result<CoreProviderMetadata, WebError> {
     let issuer_url = IssuerUrl::new(url.to_string()).map_err(|err| {
         WebError::BadRequest(format!(
-            "Failed to create issuer URL from the provided URL: {url}. Error details: {err:?}",
+            "Failed to create issuer URL from the provided URL: {url}. Error details: {err}",
         ))
     })?;
     let async_http_client = get_async_http_client()?;
-    // Discover the provider metadata based on a known base issuer URL
-    // The url should be in the form of e.g. https://accounts.google.com
-    // The url shouldn't contain a .well-known part, it will be added automatically
+    // Discover the provider metadata based on a known base issuer URL.
+    // The URL should be in the form of e.g. https://accounts.google.com.
+    // The URL shouldn't contain the ".well-known" part – it will be added automatically.
     match CoreProviderMetadata::discover_async(issuer_url, &async_http_client).await {
         Ok(provider_metadata) => Ok(provider_metadata),
         Err(err) => Err(WebError::Authorization(format!(
-            "Failed to discover provider metadata, make sure the provider's URL is correct: {url}. Error details: {err:?}",
+            "Failed to discover provider metadata, make sure the provider's URL is correct: {url}. \
+            Error details: {err}",
         ))),
     }
 }
 
-/// Build a state with optional embedded data. Useful for passing additional information around the authentication flow.
+/// Build a state with optional embedded data. Useful for passing additional information around the
+/// authentication flow.
 pub(crate) fn build_state(state_data: Option<String>) -> CsrfToken {
     let csrf_token = CsrfToken::new_random();
     if let Some(data) = state_data {
@@ -202,7 +204,7 @@ pub(crate) async fn user_from_claims(
     let token_response = match core_client
         .exchange_code(code)
         .map_err(|err| {
-            error!("Failed to exchange code for ID token: {err:?}");
+            error!("Failed to exchange code for ID token: {err}");
             WebError::Http(StatusCode::INTERNAL_SERVER_ERROR)
         })?
         .request_async(&async_http_client)
@@ -211,7 +213,7 @@ pub(crate) async fn user_from_claims(
         Ok(token) => token,
         Err(err) => {
             return Err(WebError::Authorization(format!(
-                "Failed to exchange code for ID token; OpenID provider error: {err:?}"
+                "Failed to exchange code for ID token; OpenID provider error: {err}"
             )));
         }
     };
@@ -249,7 +251,7 @@ pub(crate) async fn user_from_claims(
             client_id.as_str(),
             audiences
                 .iter()
-                .map(|aud| aud.to_string())
+                .map(|aud| aud.as_str())
                 .collect::<Vec<_>>()
                 .join(", ")
         )));
@@ -260,7 +262,7 @@ pub(crate) async fn user_from_claims(
             audiences
                 .iter()
                 .filter(|&aud| **aud != *client_id)
-                .map(|aud| aud.to_string())
+                .map(|aud| aud.as_str())
                 .collect::<Vec<_>>()
                 .join(", ")
         );
@@ -274,26 +276,6 @@ pub(crate) async fn user_from_claims(
             .to_string(),
     ))?;
 
-    // Try to get the username from the preferred_username claim.
-    // If it's not there, extract it from email.
-    let username = if let Some(username) = token_claims.preferred_username() {
-        debug!("Preferred username {username:?} found in the claims, extracting username from it.");
-        username
-    } else {
-        debug!("Preferred username not found in the claims, extracting from email address.");
-        // Extract the username from the email address
-        let username = email.split('@').next().ok_or(WebError::BadRequest(
-            "Failed to extract username from email address".to_string(),
-        ))?;
-        debug!("Username extracted from email ({email:?}): {username})");
-        username
-    };
-    let settings = Settings::get_current_settings();
-
-    let username = prune_username(username, settings.openid_username_handling);
-    // Check if the username is valid just in case, not everything can be handled by the pruning.
-    check_username(&username)?;
-
     // Get the *sub* claim from the token.
     let sub = token_claims.subject().to_string();
 
@@ -320,7 +302,7 @@ pub(crate) async fn user_from_claims(
                     debug!("User {} tried to log in, but is disabled", user.username);
                     return Err(WebError::Authorization("User is disabled".into()));
                 }
-                // User with the same email already exists, merge the accounts
+                // User with the same email already exists, merge the accounts.
                 info!(
                     "User with email address {} is logging in through OpenID Connect for the \
                     first time and we've found an existing account with the same email \
@@ -331,7 +313,8 @@ pub(crate) async fn user_from_claims(
                 user.save(pool).await?;
                 user
             } else {
-                // Check if the user should be created if they don't exist (default: true)
+                let settings = Settings::get_current_settings();
+                // Check if the user should be created, if doesn't exist (default: true).
                 if !settings.openid_create_account {
                     warn!(
                         "User with email address {} is trying to log in through OpenID Connect \
@@ -346,6 +329,31 @@ pub(crate) async fn user_from_claims(
                     ));
                 }
 
+                // Try to get the username from `preferred_username` claim.
+                // If it's not there, extract it from email.
+                let username = if let Some(username) = token_claims.preferred_username() {
+                    let username = username.as_str();
+                    debug!(
+                        "Preferred username {username} found in the claims. Using the username."
+                    );
+                    username
+                } else {
+                    debug!(
+                        "Preferred username not found in the claims, extracting from email address."
+                    );
+                    // Extract the username from the email address
+                    let username = email.split('@').next().ok_or(WebError::BadRequest(
+                        "Failed to extract username from email address".to_string(),
+                    ))?;
+                    debug!("Username extracted from email ({email:?}): {username})");
+                    username
+                };
+
+                let username = prune_username(username, settings.openid_username_handling);
+                // Check if the username is valid just in case, not everything can be handled by the
+                // pruning.
+                check_username(&username)?;
+
                 info!(
                     "User {username} is logging in through OpenID Connect for the first time and \
                     there is no account with the same email address ({}). Creating a new account.",
@@ -358,11 +366,11 @@ pub(crate) async fn user_from_claims(
                     )));
                 }
 
-                // Extract all necessary information from the token or call the userinfo endpoint
+                // Extract all necessary information from the token or call the userinfo endpoint.
                 let given_name = token_claims
                     .given_name()
-                    // 'None' gets you the default value from a localized claim.
-                    //  Otherwise you would need to pass a locale.
+                    // `None` gets the default value from a localized claim.
+                    // Otherwise, it is required to pass a locale.
                     .and_then(|claim| claim.get(None));
                 let family_name = token_claims.family_name().and_then(|claim| claim.get(None));
                 let phone = token_claims.phone_number();
@@ -378,47 +386,42 @@ pub(crate) async fn user_from_claims(
                     (given_name, family_name, phone)
                 } else {
                     debug!(
-                        "Given name or family name not found in the claims for user {username}, trying to get them \
-                        from the user info endpoint. Current values: given_name: {given_name:?}, family_name: {family_name:?}, phone: {phone:?}"
+                        "Given name or family name not found in the claims for user {username}, \
+                        trying to get them from the user info endpoint. Current values: \
+                        given_name: {given_name:?}, family_name: {family_name:?}, phone: {phone:?}"
                     );
 
                     let async_http_client = get_async_http_client()?;
 
-                    let retrieval_error = "Failed to retrieve given name and family name from provider's userinfo endpoint. \
-                        Make sure you have configured your provider correctly and that you have granted the \
-                        necessary permissions to retrieve such information from the token or the userinfo endpoint.";
+                    let retrieval_error = "Failed to retrieve given name and family name from \
+                        provider's userinfo endpoint. Make sure you have configured your provider \
+                        correctly and that you have granted the necessary permissions to retrieve \
+                        such information from the token or the userinfo endpoint.";
                     userinfo_response = core_client
                         .user_info(access_token.clone(), Some(token_claims.subject().clone()))
-                        .map_err(
-                            |err| {
-                                error!(
-                                    "Failed to get family name and given name from provider's userinfo endpoint, they may not support this. Error details: {err:?}",
-                                );
-
-                                WebError::BadRequest(
-                                    retrieval_error.into(),
-                                )
-                            }
-                        )?
+                        .map_err(|err| {
+                            error!(
+                                "Failed to get family name and given name from provider's \
+                                userinfo endpoint, they may not support this. Error details: {err}"
+                            );
+                            WebError::BadRequest(retrieval_error.into())
+                        })?
                         .request_async(&async_http_client)
                         .await
-                        .map_err(
-                            |err| {
-                                error!(
-                                    "Failed to get family name and given name from provider's userinfo endpoint. Error details: {err:?}",
-                                );
-
-                                WebError::BadRequest(
-                                    retrieval_error.into(),
-                                )
-                            }
-                        )?;
+                        .map_err(|err| {
+                            error!(
+                                "Failed to get family name and given name from provider's userinfo \
+                                endpoint. Error details: {err}",
+                            );
+                            WebError::BadRequest(retrieval_error.into())
+                        })?;
 
                     let claim_error = |claim_name: &str| {
                         format!(
-                            "Failed to retrieve {claim_name} from provider's userinfo endpoint and the ID token. \
-                            Make sure you have configured your provider correctly and that you have \
-                            granted the necessary permissions to retrieve such information from the token or the userinfo endpoint.",
+                            "Failed to retrieve {claim_name} from provider's userinfo endpoint and \
+                            the ID token.  Make sure you have configured your provider correctly \
+                            and that you have granted the necessary permissions to retrieve such \
+                            information from the token or the userinfo endpoint.",
                         )
                     };
                     let given_name = userinfo_response
@@ -432,7 +435,8 @@ pub(crate) async fn user_from_claims(
                     let phone = userinfo_response.phone_number();
 
                     debug!(
-                        "Given name and family name successfully retrieved from the user info endpoint for user {username}."
+                        "Given name and family name successfully retrieved from the user info \
+                        endpoint for user {username}."
                     );
 
                     (given_name, family_name, phone)
@@ -517,10 +521,7 @@ pub(crate) async fn get_auth_info(
         private_cookies,
         ApiResponse {
             json: json!(
-                {
-                    "url": authorize_url,
-                    "button_display_name": provider.display_name
-                }
+                {"url": authorize_url, "button_display_name": provider.display_name}
             ),
             status: StatusCode::OK,
         },
@@ -597,14 +598,16 @@ pub(crate) async fn auth_callback(
         .max_age(max_age);
     let cookies = cookies.add(auth_cookie);
 
-    // The user may not be yet authorized (pre-MFA) but syncing their groups should be fine here, since he already managed to login through the provider.
-    // There is currently no other way to sync the groups for the MFA enabled user logging in through the provider without firing it
-    // on every login attempt, even for standard, non-provider users.
+    // The user may not yet be authorized (pre-MFA), but syncing their groups should be fine here,
+    // since he already managed to login through the provider. Currently, there is no other way to
+    // sync the groups for the MFA enabled user logging in through the provider without firing it on
+    // every login attempt, even for standard, non-provider users.
     if let Err(err) =
         sync_user_groups_if_configured(&user, &appstate.pool, &appstate.wireguard_tx).await
     {
         error!(
-            "Failed to sync user groups for user {} with the directory while the user was trying to login in through an external provider: {err:?}",
+            "Failed to sync user groups for user {} with the directory while the user was trying \
+            to login in through an external provider: {err}",
             user.username
         );
     } else {
diff --git a/crates/defguard_core/src/enterprise/handlers/openid_providers.rs b/crates/defguard_core/src/enterprise/handlers/openid_providers.rs
index f5bbc3403b..565e573913 100644
--- a/crates/defguard_core/src/enterprise/handlers/openid_providers.rs
+++ b/crates/defguard_core/src/enterprise/handlers/openid_providers.rs
@@ -22,7 +22,7 @@ use crate::{
     handlers::{ApiResponse, ApiResult},
 };
 
-#[derive(Debug, Deserialize, Serialize)]
+#[derive(Deserialize, Serialize)]
 pub struct AddProviderData {
     pub name: String,
     pub base_url: String,
@@ -45,7 +45,7 @@ pub struct AddProviderData {
     pub jumpcloud_api_key: Option<String>,
 }
 
-#[derive(Debug, Deserialize, Serialize)]
+#[derive(Deserialize, Serialize)]
 pub struct DeleteProviderData {
     name: String,
 }
@@ -64,26 +64,29 @@ pub async fn add_openid_provider(
     );
     let current_provider = OpenIdProvider::get_current(&appstate.pool).await?;
 
-    // The key is sent from the frontend only when user explicitly changes it, as we never send it back.
-    // Check if the thing received from the frontend is a valid RSA private key (signaling user intent to change key)
-    // or is it just some empty string or other junk.
+    // The key is sent from the frontend only when user explicitly changes it, as we never send it
+    // back. Check if the thing received from the frontend is a valid RSA private key (signaling
+    // user intent to change key) or is it just some empty string or other junk.
     let private_key = match &provider_data.google_service_account_key {
         Some(key) => {
             if RsaPrivateKey::from_pkcs8_pem(key).is_ok() {
                 debug!(
-                    "User {} provided a valid RSA private key for provider's directory sync, using it",
+                    "User {} provided a valid RSA private key for provider's directory sync. Using \
+                    it.",
                     session.user.username
                 );
                 provider_data.google_service_account_key.clone()
             } else if let Some(provider) = &current_provider {
                 debug!(
-                    "User {} did not provide a valid RSA private key for provider's directory sync or the key did not change, using the existing key",
+                    "User {} did not provide a valid RSA private key for provider's directory sync \
+                    or the key did not change. Using the existing key",
                     session.user.username
                 );
                 provider.google_service_account_key.clone()
             } else {
                 warn!(
-                    "User {} did not provide a valid RSA private key for provider's directory sync",
+                    "User {} did not provide a valid RSA private key for provider's directory \
+                    sync.",
                     session.user.username
                 );
                 None
@@ -96,19 +99,22 @@ pub async fn add_openid_provider(
         Some(key) => {
             if serde_json::from_str::<serde_json::Value>(key).is_ok() {
                 debug!(
-                    "User {} provided a valid JWK private key for provider's Okta directory sync, using it",
+                    "User {} provided a valid JWK private key for provider's Okta directory sync. \
+                    Using it.",
                     session.user.username
                 );
                 provider_data.okta_private_jwk.clone()
             } else if let Some(provider) = &current_provider {
                 debug!(
-                    "User {} did not provide a valid JWK private key for provider's Okta directory sync or the key did not change, using the existing key",
+                    "User {} did not provide a valid JWK private key for provider's Okta directory \
+                    sync or the key did not change. Using the existing key.",
                     session.user.username
                 );
                 provider.okta_private_jwk.clone()
             } else {
                 warn!(
-                    "User {} did not provide a valid JWK private key for provider's Okta directory sync",
+                    "User {} did not provide a valid JWK private key for provider's Okta directory \
+                    sync.",
                     session.user.username
                 );
                 None
@@ -124,7 +130,7 @@ pub async fn add_openid_provider(
 
     let group_match = if let Some(group_match) = provider_data.directory_sync_group_match {
         if group_match.is_empty() {
-            vec![]
+            Vec::new()
         } else {
             group_match
                 .split(',')
@@ -132,7 +138,7 @@ pub async fn add_openid_provider(
                 .collect()
         }
     } else {
-        vec![]
+        Vec::new()
     };
 
     // Currently, we only support one OpenID provider at a time
@@ -188,7 +194,8 @@ pub async fn get_current_openid_provider(
             Ok(ApiResponse {
                 json: json!({
                     "provider": json!(provider),
-                    "settings": json!({ "create_account": settings.openid_create_account, "username_handling": settings.openid_username_handling }),
+                    "settings": json!({"create_account": settings.openid_create_account,
+                        "username_handling": settings.openid_username_handling}),
                 }),
                 status: StatusCode::OK,
             })
@@ -196,7 +203,8 @@ pub async fn get_current_openid_provider(
         None => Ok(ApiResponse {
             json: json!({
                 "provider": null,
-                "settings": json!({ "create_account": settings.openid_create_account, "username_handling": settings.openid_username_handling }),
+                "settings": json!({"create_account": settings.openid_create_account,
+                    "username_handling": settings.openid_username_handling}),
             }),
             status: StatusCode::NO_CONTENT,
         }),
@@ -227,7 +235,8 @@ pub async fn delete_openid_provider(
         // fall back to internal MFA in all relevant locations
         for mut location in locations {
             debug!(
-                "Falling back to internal MFA for {location} because exteral OIDC provider has been removed"
+                "Falling back to internal MFA for {location} because exteral OIDC provider has \
+                been removed"
             );
             location.location_mfa_mode = LocationMfaMode::Internal;
             location.save(&mut *transaction).await?;
@@ -324,7 +333,7 @@ pub async fn test_dirsync_connection(
             session.user.username, err
         );
         return Ok(ApiResponse {
-            json: json!({ "message": err.to_string(), "success": false }),
+            json: json!({"message": err.to_string(), "success": false}),
             status: StatusCode::OK,
         });
     }
@@ -333,7 +342,7 @@ pub async fn test_dirsync_connection(
         session.user.username
     );
     Ok(ApiResponse {
-        json: json!({ "message": "Connection successful", "success": true }),
+        json: json!({"message": "Connection successful", "success": true}),
         status: StatusCode::OK,
     })
 }
diff --git a/crates/defguard_core/src/enterprise/license.rs b/crates/defguard_core/src/enterprise/license.rs
index ea27ea3aba..499839d8cd 100644
--- a/crates/defguard_core/src/enterprise/license.rs
+++ b/crates/defguard_core/src/enterprise/license.rs
@@ -478,7 +478,7 @@ async fn renew_license() -> Result<String, LicenseError> {
                 reqwest::StatusCode::OK => {
                     let response: RefreshRequestResponse = response.json().await.map_err(|err| {
                     error!("Failed to parse the response from the license server while trying to \
-                        renew the license: {err:?}");
+                        renew the license: {err}");
                     LicenseError::LicenseServerError(err.to_string())
                 })?;
                     response.key
diff --git a/crates/defguard_core/src/grpc/client_mfa.rs b/crates/defguard_core/src/grpc/client_mfa.rs
index 0f911e853a..e2b86685b0 100644
--- a/crates/defguard_core/src/grpc/client_mfa.rs
+++ b/crates/defguard_core/src/grpc/client_mfa.rs
@@ -94,7 +94,7 @@ impl ClientMfaServer {
         )
         .to_jwt()
         .map_err(|err| {
-            error!("Failed to generate JWT token: {err:?}");
+            error!("Failed to generate JWT token: {err}");
             Status::internal("unexpected error")
         })
     }
@@ -102,7 +102,7 @@ impl ClientMfaServer {
     /// Validate JWT and extract client pubkey
     pub(crate) fn parse_token(token: &str) -> Result<String, Status> {
         let claims = Claims::from_jwt(ClaimsType::DesktopClient, token).map_err(|err| {
-            error!("Failed to parse JWT token: {err:?}");
+            error!("Failed to parse JWT token: {err}");
             Status::invalid_argument("invalid token")
         })?;
         Ok(claims.client_id)
@@ -166,7 +166,7 @@ impl ClientMfaServer {
 
         user.verify_mfa_state(&self.pool).await.map_err(|err| {
             error!(
-                "Failed to verify MFA state for user {}: {err:?}",
+                "Failed to verify MFA state for user {}: {err}",
                 user.username
             );
             Status::internal("unexpected error")
@@ -252,7 +252,7 @@ impl ClientMfaServer {
                 // send email code
                 send_email_mfa_code_email(&user, &self.mail_tx, None).map_err(|err| {
                     error!(
-                        "Failed to send email MFA code for user {}: {err:?}",
+                        "Failed to send email MFA code for user {}: {err}",
                         user.username
                     );
                     Status::internal("unexpected error")
@@ -269,7 +269,7 @@ impl ClientMfaServer {
                 if OpenIdProvider::get_current(&self.pool)
                     .await
                     .map_err(|err| {
-                        error!("Failed to get current OpenID provider: {err:?}",);
+                        error!("Failed to get current OpenID provider: {err}",);
                         Status::internal("unexpected error")
                     })?
                     .is_none()
@@ -349,7 +349,7 @@ impl ClientMfaServer {
             .get_allowed_groups(&mut conn)
             .await
             .map_err(|err| {
-                error!("Failed to fetch allowed groups for location {location}: {err:?}");
+                error!("Failed to fetch allowed groups for location {location}: {err}");
                 Status::internal("unexpected error")
             })?;
         // if no groups are specified all users are allowed
@@ -607,7 +607,7 @@ impl ClientMfaServer {
             .update(&mut *transaction)
             .await
             .map_err(|err| {
-                error!("Failed to update device network config {network_device:?}: {err:?}");
+                error!("Failed to update device network config {network_device:?}: {err}");
                 Status::internal("unexpected error")
             })?;
 
diff --git a/crates/defguard_core/src/grpc/enrollment.rs b/crates/defguard_core/src/grpc/enrollment.rs
index f677017868..0f857be6a9 100644
--- a/crates/defguard_core/src/grpc/enrollment.rs
+++ b/crates/defguard_core/src/grpc/enrollment.rs
@@ -343,7 +343,7 @@ impl EnrollmentServer {
         Ok(())
     }
 
-    fn validate_activated_user(&self, request: &ActivateUserRequest) -> Result<(), Status> {
+    fn validate_activated_user(request: &ActivateUserRequest) -> Result<(), Status> {
         if let Some(ref phone_number) = request.phone_number {
             if !is_valid_phone_number(phone_number) {
                 return Err(Status::new(
@@ -364,7 +364,7 @@ impl EnrollmentServer {
     ) -> Result<(), Status> {
         debug!("Activating user account");
         let enrollment = self.validate_session(request.token.as_ref()).await?;
-        self.validate_activated_user(&request)?;
+        Self::validate_activated_user(&request)?;
 
         let ip_address;
         let device_info;
diff --git a/crates/defguard_core/src/grpc/interceptor.rs b/crates/defguard_core/src/grpc/interceptor.rs
index 9267e12d38..88acca2b32 100644
--- a/crates/defguard_core/src/grpc/interceptor.rs
+++ b/crates/defguard_core/src/grpc/interceptor.rs
@@ -30,7 +30,7 @@ impl Interceptor for JwtInterceptor {
                 warn!(
                     "Failed to parse authorization header during handling gRPC request from \
                     hostname {hostname}. If you recognize this hostname, there may be an issue \
-                    with the token used for authorization. Cause of the failed parsing: {err:?}"
+                    with the token used for authorization. Cause of the failed parsing: {err}"
                 );
                 Status::unauthenticated("Invalid token")
             })?,
@@ -66,7 +66,7 @@ impl Interceptor for JwtInterceptor {
                 warn!(
                     "Failed to authorize a gRPC request from hostname {hostname}. If you recognize \
                     this hostname, there may be an issue with the token used for authorization. \
-                    Cause of the failed authorization: {err:?}"
+                    Cause of the failed authorization: {err}"
                 );
                 Err(Status::unauthenticated("Invalid token"))
             }
diff --git a/crates/defguard_core/src/grpc/mod.rs b/crates/defguard_core/src/grpc/mod.rs
index 0882c47fa5..9ef9ae7199 100644
--- a/crates/defguard_core/src/grpc/mod.rs
+++ b/crates/defguard_core/src/grpc/mod.rs
@@ -453,7 +453,7 @@ async fn handle_proxy_message_loop(
                                             error!(
                                                 "Failed to sync user groups for user {} with the \
                                                 directory while the user was logging in through an \
-                                                external provider: {err:?}",
+                                                external provider: {err}",
                                                 user.username,
                                             );
                                         } else {
diff --git a/crates/defguard_core/src/handlers/auth.rs b/crates/defguard_core/src/handlers/auth.rs
index a68f642877..357d68c814 100644
--- a/crates/defguard_core/src/handlers/auth.rs
+++ b/crates/defguard_core/src/handlers/auth.rs
@@ -147,7 +147,7 @@ pub(crate) async fn authenticate(
 
     let settings = Settings::get_current_settings();
 
-    // attempt to find user first by username and then by email
+    // Attempt to find a user: first by username, and then by email.
     let mut conn = appstate.pool.acquire().await?;
     let mut user = if let Some(user) =
         User::find_by_username_or_email(&mut conn, &username_or_email).await?
diff --git a/crates/defguard_core/src/handlers/user.rs b/crates/defguard_core/src/handlers/user.rs
index 3b0f3316b1..5ea0e977d7 100644
--- a/crates/defguard_core/src/handlers/user.rs
+++ b/crates/defguard_core/src/handlers/user.rs
@@ -35,11 +35,15 @@ use crate::{
     is_valid_phone_number, server_config,
 };
 
+/// The maximum length for the commonName (CN) attribute in LDAP schemas is commonly set to 64
+/// characters according to the X.520 standard and many LDAP implementations like Active Directory.
+pub(crate) const MAX_USERNAME_CHARS: usize = 64;
+
 /// Verify the given username
 ///
 /// To enable LDAP sync usernames need to avoid reserved characters.
 /// Username requirements:
-/// - 1 - 64 characters long
+/// - 1 - MAX_USERNAME_CHARS characters long
 /// - lowercase or uppercase latin alphabet letters (A-Z, a-z)
 /// - digits (0-9)
 /// - starts with non-special character
@@ -48,7 +52,7 @@ use crate::{
 pub fn check_username(username: &str) -> Result<(), WebError> {
     // check length
     let length = username.len();
-    if !(1..64).contains(&length) {
+    if !(1..MAX_USERNAME_CHARS).contains(&length) {
         return Err(WebError::Serialization(format!(
             "Username ({username}) has incorrect length"
         )));
diff --git a/crates/defguard_core/tests/integration/api/api_tokens.rs b/crates/defguard_core/tests/integration/api/api_tokens.rs
index d707abe0c8..a692c156c2 100644
--- a/crates/defguard_core/tests/integration/api/api_tokens.rs
+++ b/crates/defguard_core/tests/integration/api/api_tokens.rs
@@ -12,7 +12,7 @@ use serde::Deserialize;
 use serde_json::json;
 use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
-use super::common::{make_client, make_client_with_state, setup_pool};
+use super::common::{make_client, make_test_client, setup_pool};
 use crate::api::common::fetch_user_details;
 
 #[sqlx::test]
@@ -62,7 +62,7 @@ async fn test_normal_user_cannot_access_token_endpoints(
 async fn test_normal_user_cannot_use_token_auth(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, state) = make_client_with_state(pool).await;
+    let (client, state) = make_test_client(pool).await;
 
     // sidestep API access restrictions by creating a token manually
     let token_string = "test-token-string";
diff --git a/crates/defguard_core/tests/integration/api/auth.rs b/crates/defguard_core/tests/integration/api/auth.rs
index 7cacd2630d..ad43507125 100644
--- a/crates/defguard_core/tests/integration/api/auth.rs
+++ b/crates/defguard_core/tests/integration/api/auth.rs
@@ -22,8 +22,8 @@ use webauthn_rs::prelude::{CreationChallengeResponse, RequestChallengeResponse};
 use crate::api::common::client::TestResponse;
 
 use super::common::{
-    X_FORWARDED_FOR, fetch_user_details, make_client, make_client_with_db, make_client_with_state,
-    make_test_client, setup_pool,
+    X_FORWARDED_FOR, fetch_user_details, make_client, make_client_with_db, make_test_client,
+    setup_pool,
 };
 
 static SESSION_COOKIE_NAME: &str = "defguard_session";
@@ -391,7 +391,7 @@ fn extract_email_code(content: &str) -> &str {
 async fn test_email_mfa(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, state) = make_client_with_state(pool).await;
+    let (client, state) = make_test_client(pool).await;
     let pool = state.pool;
     let mut mail_rx = state.mail_rx;
 
@@ -537,7 +537,7 @@ async fn test_email_mfa(_: PgPoolOptions, options: PgConnectOptions) {
 async fn dg25_15_test_email_mfa_brute_force(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, state) = make_client_with_state(pool).await;
+    let (client, state) = make_test_client(pool).await;
     let pool = state.pool;
     let mut mail_rx = state.mail_rx;
 
@@ -603,7 +603,7 @@ async fn test_webauthn(_: PgPoolOptions, options: PgConnectOptions) {
     let (client, pool) = make_client_with_db(pool).await;
 
     let mut authenticator = WebauthnAuthenticator::new(SoftPasskey::new(true));
-    let origin = Url::parse("http://localhost:8000").unwrap();
+    let origin = Url::parse(&client.base_url()).unwrap();
 
     // login
     let auth = Auth::new("hpotter", "pass123");
@@ -722,7 +722,7 @@ async fn test_cannot_skip_security_key_by_adding_yubikey(
     let client = make_client(pool).await;
 
     let mut authenticator = WebauthnAuthenticator::new(SoftPasskey::new(true));
-    let origin = Url::parse("http://localhost:8000").unwrap();
+    let origin = Url::parse(&client.base_url()).unwrap();
 
     // login
     let auth = Auth::new("hpotter", "pass123");
@@ -805,7 +805,7 @@ async fn test_mfa_method_is_updated_when_removing_last_webauthn_passkey(
 
     // WebAuthn registration
     let mut authenticator = WebauthnAuthenticator::new(SoftPasskey::new(true));
-    let origin = Url::parse("http://localhost:8000").unwrap();
+    let origin = Url::parse(&client.base_url()).unwrap();
 
     let response = client.post("/api/v1/auth/webauthn/init").send().await;
     assert_eq!(response.status(), StatusCode::OK);
diff --git a/crates/defguard_core/tests/integration/api/common/mod.rs b/crates/defguard_core/tests/integration/api/common/mod.rs
index 884299aad7..669ecc9649 100644
--- a/crates/defguard_core/tests/integration/api/common/mod.rs
+++ b/crates/defguard_core/tests/integration/api/common/mod.rs
@@ -1,6 +1,9 @@
 pub(crate) mod client;
 
-use std::sync::{Arc, Mutex};
+use std::{
+    net::{IpAddr, Ipv4Addr, SocketAddr},
+    sync::{Arc, Mutex},
+};
 
 pub use defguard_common::db::setup_pool;
 use defguard_common::{
@@ -140,10 +143,12 @@ pub(crate) async fn make_base_client(
 }
 
 pub(crate) async fn make_test_client(pool: PgPool) -> (TestClient, ClientState) {
-    let listener = TcpListener::bind("127.0.0.1:0")
+    let addr = SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 0);
+    let listener = TcpListener::bind(addr)
         .await
         .expect("Could not bind ephemeral socket");
-    let config = init_config(None);
+    let port = listener.local_addr().unwrap().port();
+    let config = init_config(Some(&format!("http://localhost:{port}")));
     initialize_users(&pool, &config).await;
     initialize_current_settings(&pool)
         .await
@@ -236,11 +241,6 @@ pub(crate) async fn make_client_with_db(pool: PgPool) -> (TestClient, PgPool) {
     (client, client_state.pool)
 }
 
-pub(crate) async fn make_client_with_state(pool: PgPool) -> (TestClient, ClientState) {
-    let (client, client_state) = make_test_client(pool).await;
-    (client, client_state)
-}
-
 pub(crate) async fn authenticate_admin(client: &TestClient) {
     let auth = Auth::new("admin", "pass123");
     let response = client.post("/api/v1/auth").json(&auth).send().await;
diff --git a/crates/defguard_core/tests/integration/api/openid.rs b/crates/defguard_core/tests/integration/api/openid.rs
index d4052b6e58..0b1699dd29 100644
--- a/crates/defguard_core/tests/integration/api/openid.rs
+++ b/crates/defguard_core/tests/integration/api/openid.rs
@@ -31,7 +31,7 @@ use super::{
     TEST_SERVER_URL,
     common::{
         client::{TestClient, TestResponse},
-        make_client, make_client_with_state, make_test_client, setup_pool,
+        make_client, make_test_client, setup_pool,
     },
 };
 
@@ -106,7 +106,7 @@ async fn test_openid_client(_: PgPoolOptions, options: PgConnectOptions) {
 async fn test_openid_flow(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, state) = make_client_with_state(pool).await;
+    let (client, state) = make_test_client(pool).await;
     let auth = Auth::new("admin", "pass123");
     let response = client.post("/api/v1/auth").json(&auth).send().await;
     assert_eq!(response.status(), StatusCode::OK);
@@ -476,7 +476,7 @@ static FAKE_REDIRECT_URI: &str = "http://test.server.tnt:12345/";
 async fn test_openid_authorization_code(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, state) = make_client_with_state(pool).await;
+    let (client, state) = make_test_client(pool).await;
     let config = state.config;
 
     let issuer_url = IssuerUrl::from_url(config.url.clone());
@@ -578,7 +578,7 @@ async fn test_openid_authorization_code(_: PgPoolOptions, options: PgConnectOpti
 async fn test_openid_authorization_code_with_pkce(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, state) = make_client_with_state(pool).await;
+    let (client, state) = make_test_client(pool).await;
     let mut config = state.config;
 
     let mut rng = rand::thread_rng();
@@ -694,7 +694,7 @@ async fn dg25_23_test_openid_client_scope_change_clears_authorizations(
     options: PgConnectOptions,
 ) {
     let pool = setup_pool(options).await;
-    let (client, state) = make_client_with_state(pool).await;
+    let (client, state) = make_test_client(pool).await;
     let admin = User::find_by_username(&state.pool, "admin")
         .await
         .unwrap()
@@ -844,7 +844,7 @@ async fn dg25_23_test_openid_client_scope_change_clears_authorizations(
 #[sqlx::test]
 async fn dg25_17_test_openid_open_redirects(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
-    let (client, state) = make_client_with_state(pool).await;
+    let (client, state) = make_test_client(pool).await;
     let _admin = User::find_by_username(&state.pool, "admin")
         .await
         .unwrap()
@@ -1029,7 +1029,7 @@ async fn dg25_22_test_respect_openid_scope_in_userinfo(
 ) {
     let pool = setup_pool(options).await;
 
-    let (client, state) = make_client_with_state(pool).await;
+    let (client, state) = make_test_client(pool).await;
     let mut config = state.config;
 
     let mut admin = User::find_by_username(&state.pool, "admin")
diff --git a/crates/defguard_core/tests/integration/api/openid_login.rs b/crates/defguard_core/tests/integration/api/openid_login.rs
index b9912eadd2..c08353e428 100644
--- a/crates/defguard_core/tests/integration/api/openid_login.rs
+++ b/crates/defguard_core/tests/integration/api/openid_login.rs
@@ -1,6 +1,7 @@
 use chrono::{Duration, Utc};
-use defguard_common::db::models::settings::OpenidUsernameHandling;
+use defguard_common::db::{Id, models::settings::OpenidUsernameHandling};
 use defguard_core::{
+    db::models::{NewOpenIDClient, oauth2client::OAuth2Client},
     enterprise::{
         db::models::openid_provider::{DirectorySyncTarget, DirectorySyncUserBehavior},
         handlers::openid_providers::AddProviderData,
@@ -14,12 +15,6 @@ use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
 use super::common::{exceed_enterprise_limits, make_client, setup_pool};
 
-// Temporarily disabled because of the issue with test_openid_login
-// async fn make_client_with_real_url() -> TestClient {
-//     let (client, _) = make_test_client_with_real_url().await;
-//     client
-// }
-
 #[derive(Deserialize)]
 struct UrlResponse {
     url: String,
@@ -39,6 +34,7 @@ async fn test_openid_providers(_: PgPoolOptions, options: PgConnectOptions) {
 
     let provider_data = AddProviderData {
         name: "test".to_string(),
+        // FIXME: this won't work offline.
         base_url: "https://accounts.google.com".to_string(),
         client_id: "client_id".to_string(),
         client_secret: "client_secret".to_string(),
@@ -71,7 +67,7 @@ async fn test_openid_providers(_: PgPoolOptions, options: PgConnectOptions) {
 
     assert_eq!(response.status(), StatusCode::OK);
 
-    let provider: UrlResponse = response.json().await;
+    let provider = response.json::<UrlResponse>().await;
 
     let url = Url::parse(&provider.url).unwrap();
 
@@ -104,152 +100,166 @@ async fn test_openid_providers(_: PgPoolOptions, options: PgConnectOptions) {
 
 // FIXME: tihs test sometimes fails because of test_openid_providers.
 // The license state is possibly preserved between those two. This requires further research.
-// #[sqlx::test]
-// async fn test_openid_login() {
-//     // Test setup
-//     let client = make_client_with_real_url().await;
-//     let auth = Auth::new("admin", "pass123");
-//     let response = client.post("/api/v1/auth").json(&auth).send().await;
-//     assert_eq!(response.status(), StatusCode::OK);
-//     let url = client.base_url();
-
-//     // Add an OpenID client
-//     let redirect_uri = format!("{}/auth/callback", &url);
-//     let openid_client = NewOpenIDClient {
-//         name: "Defguard".into(),
-//         redirect_uri: vec![redirect_uri],
-//         scope: vec!["openid".into(), "email".into(), "profile".into()],
-//         enabled: true,
-//     };
-//     let response = client
-//         .post("/api/v1/oauth")
-//         .json(&openid_client)
-//         .send()
-//         .await;
-//     assert_eq!(response.status(), StatusCode::CREATED);
-//     let response = client.get("/api/v1/oauth").send().await;
-//     assert_eq!(response.status(), StatusCode::OK);
-//     let openid_clients: Vec<OAuth2Client<Id>> = response.json().await;
-//     assert_eq!(openid_clients.len(), 1);
-//     let openid_client = openid_clients.first().unwrap();
-//     assert_eq!(openid_client.name, "Defguard");
-
-//     // Add the provider (ourselves)
-//     let (secret, id) = (
-//         openid_client.client_secret.clone(),
-//         openid_client.client_id.clone(),
-//     );
-//     let provider_data = AddProviderData::new(
-//         "Custom",
-//         format!("{}/", &url).as_str(),
-//         id.to_string().as_str(),
-//         &secret,
-//         Some("Defguard"),
-//     );
-//     let response = client
-//         .post("/api/v1/openid/provider")
-//         .json(&provider_data)
-//         .send()
-//         .await;
-//     assert_eq!(response.status(), StatusCode::CREATED);
-
-//     // Logout to make sure we start from a clean slate
-//     client.post("/api/v1/auth/logout").send().await;
-
-//     // Get the provider's authorization endpoint (and button display name)
-//     let response = client.get("/api/v1/openid/auth_info").send().await;
-//     assert_eq!(response.status(), StatusCode::OK);
-//     #[derive(Deserialize, Debug)]
-//     struct AuthInfoResponse {
-//         button_display_name: String,
-//         url: Url,
-//     }
-//     let response_body: AuthInfoResponse = response.json().await;
-//     assert_eq!(response_body.button_display_name, "Defguard");
-
-//     // Begin OIDC login at the provider's authorization endpoint
-//     let url = format!(
-//         "{}?{}",
-//         response_body.url.path(),
-//         response_body.url.query().unwrap()
-//     );
-//     let response = client.get(&url).send().await;
-//     assert_eq!(response.status(), StatusCode::FOUND);
-
-//     // A user should now be redirected to the login page
-//     #[derive(Deserialize, Debug)]
-//     struct LoginResponse {
-//         url: String,
-//     }
-//     let response = client.post("/api/v1/auth").json(&auth).send().await;
-//     let login_response: LoginResponse = response.json().await;
-
-//     // During the flow, the user may be first redirected to a consent page, simualte that here
-//     let url = Url::parse(&login_response.url).unwrap();
-//     let path = url.path();
-//     let query = url.query().unwrap();
-//     let url = format!("{}?{}", path, query);
-//     let response = client.get(&url).send().await;
-//     assert_eq!(response.status(), StatusCode::FOUND);
-//     let location = response.headers().get("location").unwrap();
-//     let location = location.to_str().unwrap();
-//     assert!(location.starts_with("/consent"));
-
-//     // Consent to everything by adding the allow=true query parameter and sending a post request this time
-//     let url = Url::parse(&login_response.url).unwrap();
-//     let mut query_pairs = url
-//         .query_pairs()
-//         .into_owned()
-//         .collect::<Vec<(String, String)>>();
-//     query_pairs.push(("allow".to_string(), "true".to_string()));
-//     let pairs = query_pairs
-//         .iter()
-//         .map(|(key, value)| format!("{}={}", key, value))
-//         .collect::<Vec<String>>()
-//         .join("&");
-//     let path = format!("{}?{}", url.path(), pairs);
-//     let response = client.post(&path).send().await;
-//     assert_eq!(response.status(), StatusCode::FOUND);
-
-//     // logout to make sure the session won't be carried over after the callback later
-//     client.post("/api/v1/auth/logout").send().await;
-
-//     // Extract callback data from the response's location header
-//     let location = response.headers().get("location").unwrap();
-//     let location = location.to_str().unwrap();
-//     let url = Url::parse(location).unwrap();
-//     let query_pairs = url
-//         .query_pairs()
-//         .into_owned()
-//         .collect::<Vec<(String, String)>>();
-//     let code = query_pairs
-//         .iter()
-//         .find(|(key, _)| key == "code")
-//         .unwrap()
-//         .1
-//         .clone();
-//     let state = query_pairs
-//         .iter()
-//         .find(|(key, _)| key == "state")
-//         .unwrap()
-//         .1
-//         .clone();
-
-//     // Post the callback with the data inside a json payload
-//     #[derive(Serialize, Debug)]
-//     struct AuthResponse {
-//         code: String,
-//         state: String,
-//     }
-//     let auth_response = AuthResponse { code, state };
-//     let response = client
-//         .post("/api/v1/openid/callback")
-//         .json(&auth_response)
-//         .send()
-//         .await;
-//     assert_eq!(response.status(), StatusCode::OK);
-
-//     // Am I logged in?
-//     let response = client.get("/api/v1/me").send().await;
-//     assert_eq!(response.status(), StatusCode::OK);
-// }
+#[sqlx::test]
+async fn test_openid_login(_: PgPoolOptions, options: PgConnectOptions) {
+    let pool = setup_pool(options).await;
+    let client = make_client(pool).await;
+    let auth = Auth::new("admin", "pass123");
+    let response = client.post("/api/v1/auth").json(&auth).send().await;
+    assert_eq!(response.status(), StatusCode::OK);
+    let mut url = client.base_url();
+    url.push('/'); // `CoreProviderMetadata::discover_async` expects the slash.
+
+    // Add an OpenID client
+    let redirect_uri = format!("{url}/auth/callback");
+    // let redirect_uri = String::from("http://localhost:8000/auth/callback");
+    let openid_client = NewOpenIDClient {
+        name: "Defguard".into(),
+        redirect_uri: vec![redirect_uri],
+        scope: vec!["openid".into(), "email".into(), "profile".into()],
+        enabled: true,
+    };
+    let response = client
+        .post("/api/v1/oauth")
+        .json(&openid_client)
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+    let response = client.get("/api/v1/oauth").send().await;
+    assert_eq!(response.status(), StatusCode::OK);
+    let openid_clients = response.json::<Vec<OAuth2Client<Id>>>().await;
+    assert_eq!(openid_clients.len(), 1);
+    let openid_client = openid_clients.first().unwrap();
+    assert_eq!(openid_client.name, "Defguard");
+
+    // Add the provider (ourselves)
+    let provider_data = AddProviderData {
+        name: "Custom".into(),
+        base_url: url,
+        client_id: openid_client.client_id.clone(),
+        client_secret: openid_client.client_secret.clone(),
+        display_name: Some("Defguard".to_string()),
+        admin_email: None,
+        google_service_account_email: None,
+        google_service_account_key: None,
+        directory_sync_enabled: false,
+        directory_sync_interval: 100,
+        directory_sync_user_behavior: DirectorySyncUserBehavior::Keep.to_string(),
+        directory_sync_admin_behavior: DirectorySyncUserBehavior::Keep.to_string(),
+        directory_sync_target: DirectorySyncTarget::All.to_string(),
+        create_account: false,
+        okta_dirsync_client_id: None,
+        okta_private_jwk: None,
+        directory_sync_group_match: None,
+        username_handling: OpenidUsernameHandling::PruneEmailDomain,
+        jumpcloud_api_key: None,
+    };
+    let response = client
+        .post("/api/v1/openid/provider")
+        .json(&provider_data)
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+
+    // Logout to make sure we start from a clean slate
+    client.post("/api/v1/auth/logout").send().await;
+
+    // Get the provider's authorization endpoint (and button display name)
+    let response = client.get("/api/v1/openid/auth_info").send().await;
+    assert_eq!(
+        response.status(),
+        StatusCode::OK,
+        "{}",
+        response.text().await
+    );
+
+    #[derive(Deserialize)]
+    struct AuthInfoResponse {
+        button_display_name: String,
+        url: Url,
+    }
+    let response_body = response.json::<AuthInfoResponse>().await;
+    assert_eq!(response_body.button_display_name, "Defguard");
+
+    // Begin OIDC login at the provider's authorization endpoint.
+    let url = format!(
+        "{}?{}",
+        response_body.url.path(),
+        response_body.url.query().unwrap()
+    );
+    let response = client.get(&url).send().await;
+    assert_eq!(response.status(), StatusCode::FOUND);
+
+    // A user should now be redirected to the login page
+    // let response = client.post("/api/v1/auth").json(&auth).send().await;
+    // let login_response = response.json::<UrlResponse>().await;
+
+    // // During the flow, the user may be first redirected to a consent page, simualte that here
+    // let url = Url::parse(&login_response.url).unwrap();
+    // let path = url.path();
+    // let query = url.query().unwrap();
+    // let url = format!("{}?{}", path, query);
+    // let response = client.get(&url).send().await;
+    // assert_eq!(response.status(), StatusCode::FOUND);
+    // let location = response.headers().get("location").unwrap();
+    // let location = location.to_str().unwrap();
+    // assert!(location.starts_with("/consent"));
+
+    // // Consent to everything by adding the allow=true query parameter and sending a post request this time
+    // let url = Url::parse(&login_response.url).unwrap();
+    // let mut query_pairs = url
+    //     .query_pairs()
+    //     .into_owned()
+    //     .collect::<Vec<(String, String)>>();
+    // query_pairs.push(("allow".to_string(), "true".to_string()));
+    // let pairs = query_pairs
+    //     .iter()
+    //     .map(|(key, value)| format!("{key}={value}"))
+    //     .collect::<Vec<String>>()
+    //     .join("&");
+    // let path = format!("{}?{pairs}", url.path());
+    // let response = client.post(&path).send().await;
+    // assert_eq!(response.status(), StatusCode::FOUND);
+
+    // // logout to make sure the session won't be carried over after the callback later
+    // client.post("/api/v1/auth/logout").send().await;
+
+    // // Extract callback data from the response's location header
+    // let location = response.headers().get("location").unwrap();
+    // let location = location.to_str().unwrap();
+    // let url = Url::parse(location).unwrap();
+    // let query_pairs = url
+    //     .query_pairs()
+    //     .into_owned()
+    //     .collect::<Vec<(String, String)>>();
+    // let code = query_pairs
+    //     .iter()
+    //     .find(|(key, _)| key == "code")
+    //     .unwrap()
+    //     .1
+    //     .clone();
+    // let state = query_pairs
+    //     .iter()
+    //     .find(|(key, _)| key == "state")
+    //     .unwrap()
+    //     .1
+    //     .clone();
+
+    // // Post the callback with the data inside a json payload
+    // #[derive(Serialize)]
+    // struct AuthResponse {
+    //     code: String,
+    //     state: String,
+    // }
+    // let auth_response = AuthResponse { code, state };
+    // let response = client
+    //     .post("/api/v1/openid/callback")
+    //     .json(&auth_response)
+    //     .send()
+    //     .await;
+    // assert_eq!(response.status(), StatusCode::OK);
+
+    // // Am I logged in?
+    // let response = client.get("/api/v1/me").send().await;
+    // assert_eq!(response.status(), StatusCode::OK);
+}
diff --git a/crates/defguard_core/tests/integration/api/settings.rs b/crates/defguard_core/tests/integration/api/settings.rs
index d0859e60d3..a55de9a152 100644
--- a/crates/defguard_core/tests/integration/api/settings.rs
+++ b/crates/defguard_core/tests/integration/api/settings.rs
@@ -3,13 +3,13 @@ use defguard_core::handlers::Auth;
 use reqwest::StatusCode;
 use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
-use super::common::{make_client_with_state, setup_pool};
+use super::common::{make_test_client, setup_pool};
 
 #[sqlx::test]
 async fn test_settings(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, _client_state) = make_client_with_state(pool).await;
+    let (client, _client_state) = make_test_client(pool).await;
     let auth = Auth::new("admin", "pass123");
     let response = &client.post("/api/v1/auth").json(&auth).send().await;
     assert_eq!(response.status(), StatusCode::OK);
diff --git a/crates/defguard_core/tests/integration/api/worker.rs b/crates/defguard_core/tests/integration/api/worker.rs
index 88833a892d..2439e5d914 100644
--- a/crates/defguard_core/tests/integration/api/worker.rs
+++ b/crates/defguard_core/tests/integration/api/worker.rs
@@ -8,13 +8,13 @@ use defguard_core::{
 use reqwest::StatusCode;
 use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
-use super::common::{make_client_with_state, setup_pool};
+use super::common::{make_test_client, setup_pool};
 
 #[sqlx::test]
 async fn test_scheduling_worker_jobs(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, state) = make_client_with_state(pool).await;
+    let (client, state) = make_test_client(pool).await;
 
     // register a fake worker
     {
@@ -167,7 +167,7 @@ async fn test_scheduling_worker_jobs(_: PgPoolOptions, options: PgConnectOptions
 async fn test_worker_management_permissions(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, state) = make_client_with_state(pool).await;
+    let (client, state) = make_test_client(pool).await;
 
     // add some fake workers
     {
diff --git a/crates/defguard_core/tests/integration/common.rs b/crates/defguard_core/tests/integration/common.rs
index 82d0950925..a5ef802aa2 100644
--- a/crates/defguard_core/tests/integration/common.rs
+++ b/crates/defguard_core/tests/integration/common.rs
@@ -1,5 +1,3 @@
-use std::str::FromStr;
-
 use defguard_common::config::{DefGuardConfig, SERVER_CONFIG};
 use defguard_core::db::User;
 use reqwest::Url;
@@ -11,7 +9,7 @@ use sqlx::PgPool;
 pub(crate) fn init_config(custom_defguard_url: Option<&str>) -> DefGuardConfig {
     let url = custom_defguard_url.unwrap_or("http://localhost:8000");
     let mut config = DefGuardConfig::new_test_config();
-    config.url = Url::from_str(url).unwrap();
+    config.url = Url::parse(url).unwrap();
     let _ = SERVER_CONFIG.set(config.clone());
     config
 }

From 5045ba14552dfaf7c1d611d7ad7260e6eb37eb86 Mon Sep 17 00:00:00 2001
From: Maciek <19913370+wojcik91@users.noreply.github.com>
Date: Fri, 19 Sep 2025 11:29:54 +0200
Subject: [PATCH 11/50] use default subject as fallback (#1593)

---
 .../defguard_common/src/db/models/settings.rs |   2 +-
 crates/defguard_core/src/grpc/enrollment.rs   | 125 +++++++++++++++++-
 2 files changed, 124 insertions(+), 3 deletions(-)

diff --git a/crates/defguard_common/src/db/models/settings.rs b/crates/defguard_common/src/db/models/settings.rs
index ad900d7831..bb987cc1d4 100644
--- a/crates/defguard_common/src/db/models/settings.rs
+++ b/crates/defguard_common/src/db/models/settings.rs
@@ -397,7 +397,7 @@ impl From<Settings> for SettingsEssentials {
     }
 }
 
-mod defaults {
+pub mod defaults {
     pub static WELCOME_MESSAGE: &str = "Dear {{ first_name }} {{ last_name }},
 
 By completing the enrollment process, you now have access to all company systems.
diff --git a/crates/defguard_core/src/grpc/enrollment.rs b/crates/defguard_core/src/grpc/enrollment.rs
index 0f857be6a9..2a744913e8 100644
--- a/crates/defguard_core/src/grpc/enrollment.rs
+++ b/crates/defguard_core/src/grpc/enrollment.rs
@@ -4,7 +4,7 @@ use defguard_common::{
     csv::AsCsv,
     db::{
         Id,
-        models::{BiometricAuth, MFAMethod, Settings},
+        models::{BiometricAuth, MFAMethod, Settings, settings::defaults::WELCOME_EMAIL_SUBJECT},
     },
 };
 use defguard_mail::{
@@ -1108,7 +1108,10 @@ impl Token {
         debug!("Sending welcome mail to {}", user.username);
         let mail = Mail {
             to: user.email.clone(),
-            subject: settings.enrollment_welcome_email_subject.clone().unwrap(),
+            subject: settings
+                .enrollment_welcome_email_subject
+                .clone()
+                .unwrap_or_else(|| WELCOME_EMAIL_SUBJECT.to_string()),
             content: self
                 .get_welcome_email_content(&mut *transaction, ip_address, device_info)
                 .await?,
@@ -1166,3 +1169,121 @@ impl Token {
         }
     }
 }
+
+#[cfg(test)]
+mod test {
+    use defguard_common::{
+        config::{DefGuardConfig, SERVER_CONFIG},
+        db::{
+            models::{
+                Settings,
+                settings::{defaults::WELCOME_EMAIL_SUBJECT, initialize_current_settings},
+            },
+            setup_pool,
+        },
+    };
+    use defguard_mail::Mail;
+    use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
+    use tokio::sync::mpsc::unbounded_channel;
+
+    use crate::db::{
+        User,
+        models::enrollment::{ENROLLMENT_TOKEN_TYPE, Token},
+    };
+
+    #[sqlx::test]
+    async fn dg25_11_test_enrollment_welcome_email(_: PgPoolOptions, options: PgConnectOptions) {
+        let pool = setup_pool(options).await;
+
+        // initialize server config
+        SERVER_CONFIG
+            .set(DefGuardConfig::new_test_config())
+            .unwrap();
+
+        // setup mail channel
+        let (mail_tx, mut mail_rx) = unbounded_channel::<Mail>();
+
+        // setup users
+        let admin = User::new(
+            "test_admin",
+            Some("pass123"),
+            "Test",
+            "Admin",
+            "admin@test.com",
+            None,
+        )
+        .save(&pool)
+        .await
+        .unwrap();
+        let user = User::new(
+            "test_user",
+            Some("pass123"),
+            "Test",
+            "User",
+            "user@test.com",
+            None,
+        )
+        .save(&pool)
+        .await
+        .unwrap();
+
+        // generate enrollment token
+        let token = Token::new(
+            user.id,
+            Some(admin.id),
+            Some(user.email.clone()),
+            10,
+            Some(ENROLLMENT_TOKEN_TYPE.to_string()),
+        );
+
+        // initialize settings
+        Settings::init_defaults(&pool).await.unwrap();
+        initialize_current_settings(&pool).await.unwrap();
+
+        let mut settings = Settings::get(&pool).await.unwrap().unwrap();
+
+        // send welcome email
+        let mut transaction = pool.begin().await.unwrap();
+        token
+            .send_welcome_email(
+                &mut transaction,
+                &mail_tx,
+                &user,
+                &settings,
+                "127.0.0.1",
+                None,
+            )
+            .await
+            .unwrap();
+
+        // check email content
+        let mail = mail_rx.recv().await.unwrap();
+        assert_eq!(mail.to, user.email);
+        assert_eq!(
+            mail.subject,
+            settings.enrollment_welcome_email_subject.unwrap()
+        );
+
+        // set subject to None
+        settings.enrollment_welcome_email_subject = None;
+
+        // send another welcome email
+        let mut transaction = pool.begin().await.unwrap();
+        token
+            .send_welcome_email(
+                &mut transaction,
+                &mail_tx,
+                &user,
+                &settings,
+                "127.0.0.1",
+                None,
+            )
+            .await
+            .unwrap();
+
+        // check email content
+        let mail = mail_rx.recv().await.unwrap();
+        assert_eq!(mail.to, user.email);
+        assert_eq!(mail.subject, WELCOME_EMAIL_SUBJECT);
+    }
+}

From e35129664f33c8dc09e500d13887b1fe4bc82ca0 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Fri, 19 Sep 2025 13:29:00 +0200
Subject: [PATCH 12/50] Fixes pentest issue DG25-25 and DG25-20 from 2025-09-02
 (#1574)

---
 ...dde95cf576aee8744697f1acf957e3fdd1552.json |  59 +++++
 Cargo.lock                                    |   5 +-
 crates/defguard_core/src/auth/mod.rs          |  78 +-----
 .../src/db/models/oauth2client.rs             |  20 ++
 .../defguard_core/src/handlers/openid_flow.rs | 112 ++++++++-
 .../tests/integration/api/openid.rs           | 238 ++++++++++++++++++
 crates/defguard_mail/src/templates.rs         |   1 +
 7 files changed, 424 insertions(+), 89 deletions(-)
 create mode 100644 .sqlx/query-ef66255ab254e8d0981226b2e9fdde95cf576aee8744697f1acf957e3fdd1552.json

diff --git a/.sqlx/query-ef66255ab254e8d0981226b2e9fdde95cf576aee8744697f1acf957e3fdd1552.json b/.sqlx/query-ef66255ab254e8d0981226b2e9fdde95cf576aee8744697f1acf957e3fdd1552.json
new file mode 100644
index 0000000000..8b4597bc46
--- /dev/null
+++ b/.sqlx/query-ef66255ab254e8d0981226b2e9fdde95cf576aee8744697f1acf957e3fdd1552.json
@@ -0,0 +1,59 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT c.id, c.client_id, c.client_secret, c.redirect_uri, c.scope, c.name, c.enabled FROM oauth2client c JOIN oauth2authorizedapp a ON a.oauth2client_id = c.id JOIN oauth2token t ON t.oauth2authorizedapp_id = a.id WHERE t.access_token = $1 OR t.refresh_token = $2",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "id",
+        "type_info": "Int8"
+      },
+      {
+        "ordinal": 1,
+        "name": "client_id",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 2,
+        "name": "client_secret",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 3,
+        "name": "redirect_uri",
+        "type_info": "TextArray"
+      },
+      {
+        "ordinal": 4,
+        "name": "scope",
+        "type_info": "TextArray"
+      },
+      {
+        "ordinal": 5,
+        "name": "name",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 6,
+        "name": "enabled",
+        "type_info": "Bool"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text",
+        "Text"
+      ]
+    },
+    "nullable": [
+      false,
+      false,
+      false,
+      false,
+      false,
+      false,
+      false
+    ]
+  },
+  "hash": "ef66255ab254e8d0981226b2e9fdde95cf576aee8744697f1acf957e3fdd1552"
+}
diff --git a/Cargo.lock b/Cargo.lock
index 59e02af7ba..398807a10a 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -5292,11 +5292,12 @@ dependencies = [
 
 [[package]]
 name = "time"
-version = "0.3.43"
+version = "0.3.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "83bde6f1ec10e72d583d91623c939f623002284ef622b87de38cfd546cbf2031"
+checksum = "91e7d9e3bb61134e77bde20dd4825b97c010155709965fedf0f49bb138e52a9d"
 dependencies = [
  "deranged",
+ "itoa",
  "libc",
  "num-conv",
  "num_threads",
diff --git a/crates/defguard_core/src/auth/mod.rs b/crates/defguard_core/src/auth/mod.rs
index 5abf56809f..462f904fa6 100644
--- a/crates/defguard_core/src/auth/mod.rs
+++ b/crates/defguard_core/src/auth/mod.rs
@@ -2,7 +2,7 @@ pub mod failed_login;
 
 use axum::{
     extract::{FromRef, FromRequestParts, OptionalFromRequestParts},
-    http::{header::AUTHORIZATION, request::Parts},
+    http::request::Parts,
 };
 use axum_client_ip::InsecureClientIp;
 use axum_extra::{
@@ -15,7 +15,7 @@ use defguard_common::db::Id;
 use crate::{
     appstate::AppState,
     db::{
-        Group, OAuth2AuthorizedApp, OAuth2Token, Session, SessionState, User,
+        Group, OAuth2Token, Session, SessionState, User,
         models::{group::Permission, oauth2client::OAuth2Client},
     },
     enterprise::{db::models::api_tokens::ApiToken, is_enterprise_enabled},
@@ -279,80 +279,6 @@ impl UserClaims {
     }
 }
 
-// User authenticated by a valid access token
-pub struct AccessUserInfo(pub(crate) UserClaims);
-
-impl<S> FromRequestParts<S> for AccessUserInfo
-where
-    S: Send + Sync,
-    AppState: FromRef<S>,
-{
-    type Rejection = WebError;
-
-    async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
-        let appstate = AppState::from_ref(state);
-        if let Some(token) = parts.headers.get(AUTHORIZATION).and_then(|value| {
-            if let Ok(value) = value.to_str() {
-                if value.to_lowercase().starts_with("bearer ") {
-                    value.get(7..)
-                } else {
-                    None
-                }
-            } else {
-                None
-            }
-        }) {
-            match OAuth2Token::find_access_token(&appstate.pool, token).await {
-                Ok(Some(oauth2token)) => {
-                    match OAuth2AuthorizedApp::find_by_id(
-                        &appstate.pool,
-                        oauth2token.oauth2authorizedapp_id,
-                    )
-                    .await
-                    {
-                        Ok(Some(authorized_app)) => {
-                            if let Ok(Some(user)) =
-                                User::find_by_id(&appstate.pool, authorized_app.user_id).await
-                            {
-                                if let Some(client) = OAuth2Client::find_by_id(
-                                    &appstate.pool,
-                                    authorized_app.oauth2client_id,
-                                )
-                                .await?
-                                {
-                                    return Ok(AccessUserInfo(UserClaims::from_user(
-                                        &user,
-                                        &client,
-                                        &oauth2token,
-                                    )));
-                                }
-                                return Err(WebError::Authorization(
-                                    "OAuth2 client not found".into(),
-                                ));
-                            }
-                        }
-                        Ok(None) => {
-                            return Err(WebError::Authorization("Authorized app not found".into()));
-                        }
-
-                        Err(err) => {
-                            return Err(err.into());
-                        }
-                    }
-                }
-                Ok(None) => {
-                    return Err(WebError::Authorization("Invalid token".into()));
-                }
-                Err(err) => {
-                    return Err(err.into());
-                }
-            }
-        }
-
-        Err(WebError::Authorization("Invalid session".into()))
-    }
-}
-
 #[cfg(test)]
 mod tests {
     use super::*;
diff --git a/crates/defguard_core/src/db/models/oauth2client.rs b/crates/defguard_core/src/db/models/oauth2client.rs
index 5b362d22c6..5f695618b5 100644
--- a/crates/defguard_core/src/db/models/oauth2client.rs
+++ b/crates/defguard_core/src/db/models/oauth2client.rs
@@ -1,6 +1,8 @@
 use model_derive::Model;
 use sqlx::{Error as SqlxError, PgExecutor, PgPool, query_as};
 
+use crate::db::OAuth2Token;
+
 use super::NewOpenIDClient;
 use defguard_common::db::{Id, NoId};
 use defguard_common::random::gen_alphanumeric;
@@ -100,6 +102,24 @@ impl OAuth2Client<Id> {
         .await
     }
 
+    pub(crate) async fn find_by_token(
+        pool: &PgPool,
+        token: &OAuth2Token,
+    ) -> Result<Option<Self>, SqlxError> {
+        query_as!(
+            Self,
+            "SELECT c.id, c.client_id, c.client_secret, c.redirect_uri, c.scope, c.name, c.enabled \
+            FROM oauth2client c \
+            JOIN oauth2authorizedapp a ON a.oauth2client_id = c.id \
+            JOIN oauth2token t ON t.oauth2authorizedapp_id = a.id \
+            WHERE t.access_token = $1 OR t.refresh_token = $2",
+            token.access_token,
+            token.refresh_token
+        )
+        .fetch_optional(pool)
+        .await
+    }
+
     /// Checks if `url` matches client config (ignoring trailing slashes).
     pub(crate) fn contains_redirect_url(&self, url: &str) -> bool {
         let url_trimmed = url.trim_end_matches('/');
diff --git a/crates/defguard_core/src/handlers/openid_flow.rs b/crates/defguard_core/src/handlers/openid_flow.rs
index cf907c74c6..cad6c47f7d 100644
--- a/crates/defguard_core/src/handlers/openid_flow.rs
+++ b/crates/defguard_core/src/handlers/openid_flow.rs
@@ -42,7 +42,7 @@ use time::Duration;
 use super::{ApiResponse, ApiResult, SESSION_COOKIE_NAME};
 use crate::{
     appstate::AppState,
-    auth::{AccessUserInfo, SessionInfo, UserClaims},
+    auth::{SessionInfo, UserClaims},
     db::{
         OAuth2AuthorizedApp, OAuth2Token, Session, SessionState, User,
         models::oauth2client::OAuth2Client,
@@ -387,8 +387,11 @@ pub async fn authorization(
         OAuth2Client::find_by_client_id(&appstate.pool, &data.client_id).await?
     {
         is_redirect_allowed = oauth2client.contains_redirect_url(&data.redirect_uri);
-        match data.validate_for_client(&oauth2client) {
-            Ok(()) => {
+        match (
+            oauth2client.enabled,
+            data.validate_for_client(&oauth2client),
+        ) {
+            (true, Ok(())) => {
                 match &data.prompt {
                     Some(s) if s == "consent" => {
                         info!(
@@ -491,7 +494,6 @@ pub async fn authorization(
                                 );
                                 Ok(login_redirect(&data, private_cookies))
                             }
-
                         // If no session cookie provided redirect to login
                         } else {
                             info!("Session cookie not provided, redirecting to login page");
@@ -500,13 +502,17 @@ pub async fn authorization(
                     }
                 }
             }
-            Err(err) => {
+            (true, Err(err)) => {
                 error!(
                     "OIDC login validation failed for client {}: {err:?}",
                     data.client_id
                 );
                 error = err;
             }
+            (false, _) => {
+                error!("OIDC client id {} is disabled", data.client_id);
+                error = CoreAuthErrorResponseType::UnauthorizedClient;
+            }
         }
     } else {
         error!("OIDC client id {} not found", data.client_id);
@@ -559,8 +565,11 @@ pub async fn secure_authorization(
     {
         is_redirect_allowed = oauth2client.contains_redirect_url(&data.redirect_uri);
         if data.allow {
-            match data.validate_for_client(&oauth2client) {
-                Ok(()) => {
+            match (
+                oauth2client.enabled,
+                data.validate_for_client(&oauth2client),
+            ) {
+                (true, Ok(())) => {
                     if OAuth2AuthorizedApp::find_by_user_and_oauth2client_id(
                         &appstate.pool,
                         session_info.user.id,
@@ -593,13 +602,17 @@ pub async fn secure_authorization(
                     );
                     return Ok(redirect_to(location, private_cookies));
                 }
-                Err(err) => {
+                (true, Err(err)) => {
                     info!(
                         "OIDC login validation failed for user {}, client {}",
                         session_info.user.username, oauth2client.name
                     );
                     error = err;
                 }
+                (false, _) => {
+                    error!("OIDC client id {} is disabled", oauth2client.name);
+                    error = CoreAuthErrorResponseType::UnauthorizedClient;
+                }
             }
         } else {
             info!(
@@ -811,6 +824,19 @@ pub async fn token(
                 if let Some(auth_code) = AuthCode::find_code(&appstate.pool, code).await? {
                     debug!("Consumed authorization_code {code}, client_id `{form_client_id}`");
                     if let Some(client) = oauth2client.or(form.oauth2client(&appstate.pool).await) {
+                        if !client.enabled {
+                            error!("OAuth client id `{}` is disabled", client.name);
+                            let response = StandardErrorResponse::<CoreErrorResponseType>::new(
+                                CoreErrorResponseType::UnauthorizedClient,
+                                None,
+                                None,
+                            );
+                            return Ok(ApiResponse {
+                                json: json!(response),
+                                status: StatusCode::BAD_REQUEST,
+                            });
+                        }
+
                         if let Some(user) =
                             User::find_by_id(&appstate.pool, auth_code.user_id).await?
                         {
@@ -907,6 +933,31 @@ pub async fn token(
                 if let Ok(Some(mut token)) =
                     OAuth2Token::find_refresh_token(&appstate.pool, &refresh_token).await
                 {
+                    let Some(client) = OAuth2Client::find_by_token(&appstate.pool, &token).await?
+                    else {
+                        error!("OAuth client not found for provided refresh_token");
+                        let err = CoreErrorResponseType::InvalidClient;
+                        let response =
+                            StandardErrorResponse::<CoreErrorResponseType>::new(err, None, None);
+                        return Ok(ApiResponse {
+                            json: json!(response),
+                            status: StatusCode::BAD_REQUEST,
+                        });
+                    };
+
+                    if !client.enabled {
+                        error!("OAuth client id `{}` is disabled", client.name);
+                        let response = StandardErrorResponse::<CoreErrorResponseType>::new(
+                            CoreErrorResponseType::UnauthorizedClient,
+                            None,
+                            None,
+                        );
+                        return Ok(ApiResponse {
+                            json: json!(response),
+                            status: StatusCode::BAD_REQUEST,
+                        });
+                    }
+
                     token.refresh_and_save(&appstate.pool).await?;
                     let response = TokenRequest::refresh_token_flow(&token);
                     token.save(&appstate.pool).await?;
@@ -928,10 +979,49 @@ pub async fn token(
 }
 
 /// https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
-pub async fn userinfo(user_info: AccessUserInfo) -> ApiResult {
-    let userclaims = StandardClaims::<CoreGenderClaim>::from(&user_info.0);
+pub async fn userinfo(State(appstate): State<AppState>, headers: HeaderMap) -> ApiResult {
+    let Some(token) = headers.get(AUTHORIZATION).and_then(|value| {
+        if let Ok(value) = value.to_str() {
+            if value.to_lowercase().starts_with("bearer ") {
+                value.get(7..)
+            } else {
+                None
+            }
+        } else {
+            None
+        }
+    }) else {
+        return Err(WebError::Authorization("Invalid session".into()));
+    };
+
+    let Some(oauth2token) = OAuth2Token::find_access_token(&appstate.pool, token).await? else {
+        return Err(WebError::Authorization("Invalid token".into()));
+    };
+
+    let Some(authorized_app) =
+        OAuth2AuthorizedApp::find_by_id(&appstate.pool, oauth2token.oauth2authorizedapp_id).await?
+    else {
+        return Err(WebError::Authorization("Authorized app not found".into()));
+    };
+
+    let Some(client) =
+        OAuth2Client::find_by_id(&appstate.pool, authorized_app.oauth2client_id).await?
+    else {
+        return Err(WebError::Authorization("OAuth2 client not found".into()));
+    };
+
+    if !client.enabled {
+        return Err(WebError::Authorization("OAuth2 client is disabled".into()));
+    }
+
+    let Some(user) = User::find_by_id(&appstate.pool, authorized_app.user_id).await? else {
+        return Err(WebError::Authorization("User not found".into()));
+    };
+
+    let user_claims = UserClaims::from_user(&user, &client, &oauth2token);
+
     Ok(ApiResponse {
-        json: json!(userclaims),
+        json: json!(StandardClaims::<CoreGenderClaim>::from(&user_claims)),
         status: StatusCode::OK,
     })
 }
diff --git a/crates/defguard_core/tests/integration/api/openid.rs b/crates/defguard_core/tests/integration/api/openid.rs
index 0b1699dd29..a53a0f0c84 100644
--- a/crates/defguard_core/tests/integration/api/openid.rs
+++ b/crates/defguard_core/tests/integration/api/openid.rs
@@ -574,6 +574,244 @@ async fn test_openid_authorization_code(_: PgPoolOptions, options: PgConnectOpti
     assert!(refresh_response.refresh_token().is_some());
 }
 
+#[sqlx::test]
+async fn dg25_20_test_openid_disabled_client_doesnt_generate_code(
+    _: PgPoolOptions,
+    options: PgConnectOptions,
+) {
+    let pool = setup_pool(options).await;
+
+    let (client, state) = make_test_client(pool).await;
+    let config = state.config;
+
+    let issuer_url = IssuerUrl::from_url(config.url.clone());
+
+    // discover OpenID service
+    let provider_metadata =
+        CoreProviderMetadata::discover_async(issuer_url, &|r| http_client(r, &client))
+            .await
+            .unwrap();
+
+    // create OAuth2 client (initially enabled)
+    let auth = Auth::new("admin", "pass123");
+    let response = client.post("/api/v1/auth").json(&auth).send().await;
+    assert_eq!(response.status(), StatusCode::OK);
+    let oauth2client = NewOpenIDClient {
+        name: "My test client".into(),
+        redirect_uri: vec![FAKE_REDIRECT_URI.into()],
+        scope: vec!["openid".into()],
+        enabled: true,
+    };
+    let response = client
+        .post("/api/v1/oauth")
+        .json(&oauth2client)
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+    let oauth2client: OAuth2Client<Id> = response.json().await;
+    assert_eq!(oauth2client.name, "My test client");
+    assert_eq!(oauth2client.scope[0], "openid");
+    assert_eq!(oauth2client.client_id.len(), 16);
+    assert_eq!(oauth2client.client_secret.len(), 32);
+
+    let client_id = ClientId::new(oauth2client.client_id.clone());
+    let client_secret = ClientSecret::new(oauth2client.client_secret);
+    let core_client =
+        CoreClient::from_provider_metadata(provider_metadata, client_id, Some(client_secret))
+            .set_redirect_uri(RedirectUrl::new(FAKE_REDIRECT_URI.into()).unwrap());
+    let (authorize_url, _csrf_state, _nonce) = core_client
+        .authorize_url(
+            AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
+            CsrfToken::new_random,
+            Nonce::new_random,
+        )
+        .add_scope(Scope::new("email".to_string()))
+        .add_scope(Scope::new("profile".to_string()))
+        .url();
+    assert_eq!(authorize_url.scheme(), "http");
+    assert_eq!(authorize_url.host_str(), Some("localhost"));
+    assert_eq!(authorize_url.path(), "/api/v1/oauth/authorize");
+
+    // verify that authorization works when client is enabled
+    let uri = format!(
+        "{}?allow=true&{}",
+        authorize_url.path(),
+        authorize_url.query().unwrap()
+    );
+    let response = client.post(uri.clone()).send().await;
+    assert_eq!(response.status(), StatusCode::FOUND);
+    let location = response
+        .headers()
+        .get("Location")
+        .unwrap()
+        .to_str()
+        .unwrap();
+    let (location, query) = location.split_once('?').unwrap();
+    assert_eq!(location, FAKE_REDIRECT_URI);
+    let auth_response: AuthenticationResponse = serde_qs::from_str(query).unwrap();
+    // Verify we got a valid authorization code
+    assert!(!auth_response.code.is_empty());
+
+    // Now disable the OAuth2 client
+    let disabled_oauth2client = NewOpenIDClient {
+        name: "My test client".into(),
+        redirect_uri: vec![FAKE_REDIRECT_URI.into()],
+        scope: vec!["openid".into()],
+        enabled: false,
+    };
+    let response = client
+        .put(format!("/api/v1/oauth/{}", oauth2client.client_id))
+        .json(&disabled_oauth2client)
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::OK);
+
+    let response = client.post(uri).send().await;
+    assert_eq!(response.status(), StatusCode::FOUND);
+    let location = response
+        .headers()
+        .get("Location")
+        .unwrap()
+        .to_str()
+        .unwrap();
+
+    assert!(location.contains("error=unauthorized_client"));
+}
+
+#[sqlx::test]
+async fn dg25_25_openid_disabled_client_userinfo_fails(
+    _: PgPoolOptions,
+    options: PgConnectOptions,
+) {
+    let pool = setup_pool(options).await;
+
+    let (client, state) = make_test_client(pool).await;
+    let mut config = state.config;
+
+    let mut rng = rand::thread_rng();
+    config.openid_signing_key = RsaPrivateKey::new(&mut rng, 2048).ok();
+
+    let issuer_url = IssuerUrl::from_url(config.url.clone());
+
+    // discover OpenID service
+    let provider_metadata =
+        CoreProviderMetadata::discover_async(issuer_url, &|r| http_client(r, &client))
+            .await
+            .unwrap();
+
+    // create OAuth2 client (initially enabled)
+    let auth = Auth::new("admin", "pass123");
+    let response = client.post("/api/v1/auth").json(&auth).send().await;
+    assert_eq!(response.status(), StatusCode::OK);
+    let oauth2client = NewOpenIDClient {
+        name: "My test client".into(),
+        redirect_uri: vec![FAKE_REDIRECT_URI.into()],
+        scope: vec!["openid".into(), "email".into(), "profile".into()],
+        enabled: true,
+    };
+    let response = client
+        .post("/api/v1/oauth")
+        .json(&oauth2client)
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+    let oauth2client: OAuth2Client<Id> = response.json().await;
+    assert_eq!(oauth2client.name, "My test client");
+
+    // start the Authorization Code Flow with PKCE
+    let client_id = ClientId::new(oauth2client.client_id.clone());
+    let client_secret = ClientSecret::new(oauth2client.client_secret);
+    let core_client =
+        CoreClient::from_provider_metadata(provider_metadata, client_id, Some(client_secret))
+            .set_redirect_uri(RedirectUrl::new(FAKE_REDIRECT_URI.into()).unwrap());
+    let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
+    let (authorize_url, _csrf_state, nonce) = core_client
+        .authorize_url(
+            AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
+            CsrfToken::new_random,
+            Nonce::new_random,
+        )
+        .add_scope(Scope::new("email".to_string()))
+        .add_scope(Scope::new("profile".to_string()))
+        .set_pkce_challenge(pkce_challenge)
+        .url();
+
+    // obtain authorization code while client is enabled
+    let uri = format!(
+        "{}?allow=true&{}",
+        authorize_url.path(),
+        authorize_url.query().unwrap()
+    );
+    let response = client.post(uri).send().await;
+    assert_eq!(response.status(), StatusCode::FOUND);
+    let location = response
+        .headers()
+        .get("Location")
+        .unwrap()
+        .to_str()
+        .unwrap();
+    let (location, query) = location.split_once('?').unwrap();
+    assert_eq!(location, FAKE_REDIRECT_URI);
+    let auth_response: AuthenticationResponse = serde_qs::from_str(query).unwrap();
+
+    // exchange authorization code for token while client is enabled
+    let token_response = core_client
+        .exchange_code(AuthorizationCode::new(auth_response.code.into()))
+        .unwrap()
+        .set_pkce_verifier(pkce_verifier)
+        .request_async(&|r| http_client(r, &client))
+        .await
+        .unwrap();
+
+    // verify id token works while client is enabled
+    let id_token_verifier = core_client.id_token_verifier();
+    let _id_token_claims = token_response
+        .extra_fields()
+        .id_token()
+        .expect("Server did not return an ID token")
+        .claims(&id_token_verifier, &nonce)
+        .unwrap();
+
+    // verify userinfo works while client is enabled
+    let userinfo_claims: UserInfoClaims<EmptyAdditionalClaims, CoreGenderClaim> = core_client
+        .user_info(token_response.access_token().clone(), None)
+        .expect("Missing info endpoint")
+        .request_async(&|r| http_client(r, &client))
+        .await
+        .unwrap();
+
+    // Verify we got valid userinfo
+    assert!(userinfo_claims.email().is_some());
+
+    // Now disable the OAuth2 client
+    let disabled_oauth2client = NewOpenIDClient {
+        name: "My test client".into(),
+        redirect_uri: vec![FAKE_REDIRECT_URI.into()],
+        scope: vec!["openid".into(), "email".into(), "profile".into()],
+        enabled: false,
+    };
+    let response = client
+        .put(format!("/api/v1/oauth/{}", oauth2client.client_id))
+        .json(&disabled_oauth2client)
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::OK);
+
+    // Try to access userinfo with disabled client, should fail
+    let userinfo_result: Result<UserInfoClaims<EmptyAdditionalClaims, CoreGenderClaim>, _> =
+        core_client
+            .user_info(token_response.access_token().clone(), None)
+            .expect("Missing info endpoint")
+            .request_async(&|r| http_client(r, &client))
+            .await;
+
+    // The userinfo request should fail when client is disabled
+    assert!(
+        userinfo_result.is_err(),
+        "Userinfo should fail when client is disabled"
+    );
+}
+
 #[sqlx::test]
 async fn test_openid_authorization_code_with_pkce(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
diff --git a/crates/defguard_mail/src/templates.rs b/crates/defguard_mail/src/templates.rs
index 5fe6b6d6ca..b209d8db13 100644
--- a/crates/defguard_mail/src/templates.rs
+++ b/crates/defguard_mail/src/templates.rs
@@ -53,6 +53,7 @@ impl Function for NoOp {
 
 /// Return a safe instance of Tera, as Tera is vulnerable to `get_env()` function exploit.
 /// See: https://github.com/Keats/tera/issues/677
+#[must_use]
 pub fn safe_tera() -> Tera {
     let mut tera = Tera::default();
     let noop = NoOp("get_env");

From 5c54594a178a0b73dd965c031389a3eac0dad7ed Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Mon, 22 Sep 2025 09:34:47 +0200
Subject: [PATCH 13/50] Fixes pentest issue DG25-32 from 2025-09-02 (#1597)

* custom Debug implementation for Settings struct to avoid exposing license key in logs
* cargo update
---
 Cargo.lock                                    | 91 ++++++++++++------
 .../defguard_common/src/db/models/settings.rs | 96 ++++++++++++++++++-
 2 files changed, 157 insertions(+), 30 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 398807a10a..2f4b4890ec 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -91,9 +91,9 @@ checksum = "683d7910e743518b0e34f1186f92494becacb047c7b6bf616c96772180fef923"
 
 [[package]]
 name = "ammonia"
-version = "4.1.1"
+version = "4.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d6b346764dd0814805de8abf899fe03065bcee69bb1a4771c785817e39f3978f"
+checksum = "17e913097e1a2124b46746c980134e8c954bc17a6a59bb3fde96f088d126dde6"
 dependencies = [
  "cssparser",
  "html5ever",
@@ -163,9 +163,9 @@ dependencies = [
 
 [[package]]
 name = "anyhow"
-version = "1.0.99"
+version = "1.0.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b0674a1ddeecb70197781e945de4b3b8ffb61fa939a5597bcf48503737663100"
+checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"
 
 [[package]]
 name = "arbitrary"
@@ -677,9 +677,9 @@ checksum = "bba18ee93d577a8428902687bcc2b6b45a56b1981a1f6d779731c86cc4c5db18"
 
 [[package]]
 name = "clap"
-version = "4.5.47"
+version = "4.5.48"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7eac00902d9d136acd712710d71823fb8ac8004ca445a89e73a41d45aa712931"
+checksum = "e2134bb3ea021b78629caa971416385309e0131b351b25e01dc16fb54e1b5fae"
 dependencies = [
  "clap_builder",
  "clap_derive",
@@ -687,9 +687,9 @@ dependencies = [
 
 [[package]]
 name = "clap_builder"
-version = "4.5.47"
+version = "4.5.48"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2ad9bbf750e73b5884fb8a211a9424a1906c1e156724260fdae972f31d70e1d6"
+checksum = "c2ba64afa3c0a6df7fa517765e31314e983f51dda798ffba27b988194fb65dc9"
 dependencies = [
  "anstream",
  "anstyle",
@@ -1016,8 +1016,18 @@ version = "0.20.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fc7f46116c46ff9ab3eb1597a45688b6715c6e628b5c133e288e709a29bcb4ee"
 dependencies = [
- "darling_core",
- "darling_macro",
+ "darling_core 0.20.11",
+ "darling_macro 0.20.11",
+]
+
+[[package]]
+name = "darling"
+version = "0.21.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9cdf337090841a411e2a7f3deb9187445851f91b309c0c0a29e05f74a00a48c0"
+dependencies = [
+ "darling_core 0.21.3",
+ "darling_macro 0.21.3",
 ]
 
 [[package]]
@@ -1034,13 +1044,38 @@ dependencies = [
  "syn",
 ]
 
+[[package]]
+name = "darling_core"
+version = "0.21.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1247195ecd7e3c85f83c8d2a366e4210d588e802133e1e355180a9870b517ea4"
+dependencies = [
+ "fnv",
+ "ident_case",
+ "proc-macro2",
+ "quote",
+ "strsim",
+ "syn",
+]
+
 [[package]]
 name = "darling_macro"
 version = "0.20.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fc34b93ccb385b40dc71c6fceac4b2ad23662c7eeb248cf10d529b7e055b6ead"
 dependencies = [
- "darling_core",
+ "darling_core 0.20.11",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "darling_macro"
+version = "0.21.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d38308df82d1080de0afee5d069fa14b0326a88c14f15c5ccda35b4a6c414c81"
+dependencies = [
+ "darling_core 0.21.3",
  "quote",
  "syn",
 ]
@@ -1330,7 +1365,7 @@ version = "0.20.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2d5bcf7b024d6835cfb3d473887cd966994907effbe9227e8c8219824d06c4e8"
 dependencies = [
- "darling",
+ "darling 0.20.11",
  "proc-macro2",
  "quote",
  "syn",
@@ -4227,9 +4262,9 @@ dependencies = [
 
 [[package]]
 name = "rustls"
-version = "0.23.31"
+version = "0.23.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c0ebcbd2f03de0fc1122ad9bb24b127a5a6cd51d72604a3f3c50ac459762b6cc"
+checksum = "cd3c25631629d034ce7cd9940adc9d45762d46de2b0f57193c4443b92c6d4d40"
 dependencies = [
  "log",
  "once_cell",
@@ -4249,7 +4284,7 @@ dependencies = [
  "openssl-probe",
  "rustls-pki-types",
  "schannel",
- "security-framework 3.4.0",
+ "security-framework 3.5.0",
 ]
 
 [[package]]
@@ -4373,9 +4408,9 @@ dependencies = [
 
 [[package]]
 name = "security-framework"
-version = "3.4.0"
+version = "3.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "60b369d18893388b345804dc0007963c99b7d665ae71d275812d828c6f089640"
+checksum = "cc198e42d9b7510827939c9a15f5062a0c913f3371d765977e586d2fe6c16f4a"
 dependencies = [
  "bitflags 2.9.4",
  "core-foundation 0.10.1",
@@ -4406,9 +4441,9 @@ dependencies = [
 
 [[package]]
 name = "serde"
-version = "1.0.225"
+version = "1.0.226"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fd6c24dee235d0da097043389623fb913daddf92c76e9f5a1db88607a0bcbd1d"
+checksum = "0dca6411025b24b60bfa7ec1fe1f8e710ac09782dca409ee8237ba74b51295fd"
 dependencies = [
  "serde_core",
  "serde_derive",
@@ -4446,18 +4481,18 @@ dependencies = [
 
 [[package]]
 name = "serde_core"
-version = "1.0.225"
+version = "1.0.226"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "659356f9a0cb1e529b24c01e43ad2bdf520ec4ceaf83047b83ddcc2251f96383"
+checksum = "ba2ba63999edb9dac981fb34b3e5c0d111a69b0924e253ed29d83f7c99e966a4"
 dependencies = [
  "serde_derive",
 ]
 
 [[package]]
 name = "serde_derive"
-version = "1.0.225"
+version = "1.0.226"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0ea936adf78b1f766949a4977b91d2f5595825bd6ec079aa9543ad2685fc4516"
+checksum = "8db53ae22f34573731bafa1db20f04027b2d25e02d8205921b569171699cdb33"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -4535,9 +4570,9 @@ dependencies = [
 
 [[package]]
 name = "serde_with"
-version = "3.14.0"
+version = "3.14.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f2c45cd61fefa9db6f254525d46e392b852e0e61d9a1fd36e5bd183450a556d5"
+checksum = "c522100790450cf78eeac1507263d0a350d4d5b30df0c8e1fe051a10c22b376e"
 dependencies = [
  "base64 0.22.1",
  "chrono",
@@ -4555,11 +4590,11 @@ dependencies = [
 
 [[package]]
 name = "serde_with_macros"
-version = "3.14.0"
+version = "3.14.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "de90945e6565ce0d9a25098082ed4ee4002e047cb59892c318d66821e14bb30f"
+checksum = "327ada00f7d64abaac1e55a6911e90cf665aa051b9a561c7006c157f4633135e"
 dependencies = [
- "darling",
+ "darling 0.21.3",
  "proc-macro2",
  "quote",
  "syn",
diff --git a/crates/defguard_common/src/db/models/settings.rs b/crates/defguard_common/src/db/models/settings.rs
index bb987cc1d4..e2ae4fee63 100644
--- a/crates/defguard_common/src/db/models/settings.rs
+++ b/crates/defguard_common/src/db/models/settings.rs
@@ -1,4 +1,4 @@
-use std::collections::HashMap;
+use std::{collections::HashMap, fmt};
 
 use crate::{global_value, secret::SecretStringWrapper};
 use serde::{Deserialize, Serialize};
@@ -77,7 +77,7 @@ impl LdapSyncStatus {
     }
 }
 
-#[derive(Clone, Debug, Deserialize, PartialEq, Patch, Serialize, Default)]
+#[derive(Clone, Deserialize, PartialEq, Patch, Serialize, Default)]
 #[patch(attribute(derive(Deserialize, Serialize, Debug)))]
 pub struct Settings {
     // Modules
@@ -144,6 +144,85 @@ pub struct Settings {
     pub gateway_disconnect_notifications_reconnect_notification_enabled: bool,
 }
 
+// Implement manually to avoid exposing the license key.
+impl fmt::Debug for Settings {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("Settings")
+            .field("openid_enabled", &self.openid_enabled)
+            .field("wireguard_enabled", &self.wireguard_enabled)
+            .field("webhooks_enabled", &self.webhooks_enabled)
+            .field("worker_enabled", &self.worker_enabled)
+            .field("challenge_template", &self.challenge_template)
+            .field("instance_name", &self.instance_name)
+            .field("main_logo_url", &self.main_logo_url)
+            .field("nav_logo_url", &self.nav_logo_url)
+            .field("smtp_server", &self.smtp_server)
+            .field("smtp_port", &self.smtp_port)
+            .field("smtp_encryption", &self.smtp_encryption)
+            .field("smtp_user", &self.smtp_user)
+            .field("smtp_password", &self.smtp_password)
+            .field("smtp_sender", &self.smtp_sender)
+            .field(
+                "enrollment_vpn_step_optional",
+                &self.enrollment_vpn_step_optional,
+            )
+            .field(
+                "enrollment_welcome_message",
+                &self.enrollment_welcome_message,
+            )
+            .field("enrollment_welcome_email", &self.enrollment_welcome_email)
+            .field(
+                "enrollment_welcome_email_subject",
+                &self.enrollment_welcome_email_subject,
+            )
+            .field(
+                "enrollment_use_welcome_message_as_email",
+                &self.enrollment_use_welcome_message_as_email,
+            )
+            .field("uuid", &self.uuid)
+            .field("ldap_url", &self.ldap_url)
+            .field("ldap_bind_username", &self.ldap_bind_username)
+            .field("ldap_bind_password", &self.ldap_bind_password)
+            .field("ldap_group_search_base", &self.ldap_group_search_base)
+            .field("ldap_user_search_base", &self.ldap_user_search_base)
+            .field("ldap_user_obj_class", &self.ldap_user_obj_class)
+            .field("ldap_group_obj_class", &self.ldap_group_obj_class)
+            .field("ldap_username_attr", &self.ldap_username_attr)
+            .field("ldap_groupname_attr", &self.ldap_groupname_attr)
+            .field("ldap_group_member_attr", &self.ldap_group_member_attr)
+            .field("ldap_member_attr", &self.ldap_member_attr)
+            .field("ldap_use_starttls", &self.ldap_use_starttls)
+            .field("ldap_tls_verify_cert", &self.ldap_tls_verify_cert)
+            .field("ldap_sync_status", &self.ldap_sync_status)
+            .field("ldap_enabled", &self.ldap_enabled)
+            .field("ldap_sync_enabled", &self.ldap_sync_enabled)
+            .field("ldap_is_authoritative", &self.ldap_is_authoritative)
+            .field("ldap_uses_ad", &self.ldap_uses_ad)
+            .field("ldap_sync_interval", &self.ldap_sync_interval)
+            .field(
+                "ldap_user_auxiliary_obj_classes",
+                &self.ldap_user_auxiliary_obj_classes,
+            )
+            .field("ldap_user_rdn_attr", &self.ldap_user_rdn_attr)
+            .field("ldap_sync_groups", &self.ldap_sync_groups)
+            .field("openid_create_account", &self.openid_create_account)
+            .field("openid_username_handling", &self.openid_username_handling)
+            .field(
+                "gateway_disconnect_notifications_enabled",
+                &self.gateway_disconnect_notifications_enabled,
+            )
+            .field(
+                "gateway_disconnect_notifications_inactivity_threshold",
+                &self.gateway_disconnect_notifications_inactivity_threshold,
+            )
+            .field(
+                "gateway_disconnect_notifications_reconnect_notification_enabled",
+                &self.gateway_disconnect_notifications_reconnect_notification_enabled,
+            )
+            .finish_non_exhaustive()
+    }
+}
+
 impl Settings {
     pub async fn get<'e, E>(executor: E) -> Result<Option<Self>, sqlx::Error>
     where
@@ -465,4 +544,17 @@ mod test {
         settings.smtp_password = Some(SecretStringWrapper::from_str("hunter2").unwrap());
         assert!(settings.smtp_configured());
     }
+
+    #[test]
+    fn dg25_32_test_dont_expose_license_key() {
+        let key = "0000000000000000";
+        let settings = Settings {
+            license: Some(key.to_string()),
+            ..Default::default()
+        };
+
+        let debug = format!("{settings:?}");
+        assert!(!debug.contains("license"));
+        assert!(!debug.contains(key));
+    }
 }

From 63ed61bfac6f1ce00453c395ac67c7f8a7d6e800 Mon Sep 17 00:00:00 2001
From: Maciek <19913370+wojcik91@users.noreply.github.com>
Date: Mon, 22 Sep 2025 12:29:38 +0200
Subject: [PATCH 14/50] fix document links (#1599)

* fix links in readme

* fix frontend links
---
 README.md                  | 54 ++++++++++++++++++--------------------
 web/src/i18n/en/index.ts   | 12 ++++-----
 web/src/i18n/i18n-types.ts | 24 ++++++++---------
 web/src/i18n/ko/index.ts   |  6 ++---
 web/src/i18n/pl/index.ts   | 10 +++----
 5 files changed, 51 insertions(+), 55 deletions(-)

diff --git a/README.md b/README.md
index 99e5e6a309..a4e0ce6a48 100644
--- a/README.md
+++ b/README.md
@@ -10,17 +10,17 @@
 
 ### Defguard provides Comprehensive Access Control (a complete security platform):
 
-- **[WireGuard® VPN with 2FA/MFA](https://docs.defguard.net/admin-and-features/wireguard/multi-factor-authentication-mfa-2fa/architecture)** - not 2FA to "access application" like most solutions
-    - The only solution with [automatic and real-time synchronization](https://docs.defguard.net/enterprise/automatic-real-time-desktop-client-configuration) for users' desktop client settings (including all VPNs/locations).
-    - Control users [ability to manage devices and VPN options](https://docs.defguard.net/enterprise/behavior-customization)
-- [ACLs/Firewall Management](https://docs.defguard.net/enterprise/all-enteprise-features/access-control-list) for Linux and FreeBSD/OPNSense
-- [Integrated SSO based on OpenID Connect](https://docs.defguard.net/admin-and-features/openid-connect): 
+- **[WireGuard® VPN with 2FA/MFA](https://docs.defguard.net/in-depth/architecture/architecture)** - not 2FA to "access application" like most solutions
+    - The only solution with [automatic and real-time synchronization](https://docs.defguard.net/features/remote-user-enrollment/automatic-real-time-desktop-client-configuration) for users' desktop client settings (including all VPNs/locations).
+    - Control users [ability to manage devices and VPN options](https://docs.defguard.net/features/wireguard/behavior-customization)
+- [ACLs/Firewall Management](https://docs.defguard.net/features/access-control-list) for Linux and FreeBSD/OPNSense
+- [Integrated SSO based on OpenID Connect](https://docs.defguard.net/features/openid-connect): 
     - significant cost saving, simplifying deployment and maintenance
     - enabling features unavailable to VPN platforms relying upon 3rd party SSO integration
-- Already using Google/Microsoft or other OpenID Provider? - [external OpenID provider support](https://docs.defguard.net/enterprise/external-openid-providers)
-- [Two way Active Directory/LDAP synchronization](https://docs.defguard.net/enterprise/all-enteprise-features/ldap-and-active-directory-integration/two-way-ldap-and-active-directory-synchronization)
-- Only solution with [secure remote user Enrollment & Onboarding](https://docs.defguard.net/help/enrollment)
-- Yubico YubiKey Hardware [security key management and provisioning](https://docs.defguard.net/admin-and-features/yubikey-provisioning)
+- Already using Google/Microsoft or other OpenID Provider? - [external OpenID provider support](https://docs.defguard.net/features/external-openid-providers)
+- [Two way Active Directory/LDAP synchronization](https://docs.defguard.net/features/ldap-and-active-directory-integration/two-way-ldap-and-active-directory-synchronization)
+- Only solution with [secure remote user Enrollment & Onboarding](https://docs.defguard.net/using-defguard-for-end-users/enrollment)
+- Yubico YubiKey Hardware [security key management and provisioning](https://docs.defguard.net/features/yubikey-provisioning)
 - Secure and robust architecture, featuring components and micro-services seamlessly deployable in diverse network setups (eg. utilizing network segments like Demilitarized Zones, Intranet with no external access, etc), ensuring a secure environment.
 - Enterprise ready (multiple Locations/Gateways/Kubernetes deployment, etc..)
 - Built on WireGuard® protocol which is faster than IPSec, and significantly faster than OpenVPN
@@ -67,8 +67,8 @@ Better quality video can [be viewed here](https://github.com/DefGuard/docs/raw/d
 [Desktop client](https://github.com/DefGuard/client):
 
 - **2FA / Multi-Factor Authentication** with TOTP or email based tokens & WireGuard PSK
-- [automatic and real-time synchronization](https://docs.defguard.net/enterprise/automatic-real-time-desktop-client-configuration) for users' desktop client settings (including all VPNs/locations).
-- Control users [ability to manage devices and VPN options](https://docs.defguard.net/enterprise/behavior-customization)
+- [automatic and real-time synchronization](https://docs.defguard.net/features/remote-user-enrollment/automatic-real-time-desktop-client-configuration) for users' desktop client settings (including all VPNs/locations).
+- Control users [ability to manage devices and VPN options](https://docs.defguard.net/features/wireguard/behavior-customization)
 - Defguard instances as well as **any WireGuard tunnel** - just import your tunnels - one client for all WireGuard connections
 - Secure and remote user enrollment - setting up password, automatically configuring the client for all VPN Locations/Networks
 - Onboarding - displaying custom onboarding messages, with templates, links ...
@@ -79,7 +79,7 @@ Better quality video can [be viewed here](https://github.com/DefGuard/docs/raw/d
 
 ## Quick start
 
-The easiest way to run your own defguard instance is to use Docker and our [one-line install script](https://docs.defguard.net/features/setting-up-your-instance/one-line-install).
+The easiest way to run your own defguard instance is to use Docker and our [one-line install script](https://docs.defguard.net/getting-started/one-line-install).
 Just run the command below in your shell and follow the prompts:
 
 ```bash
@@ -96,7 +96,7 @@ Here is a step-by-step video about this process:
 </p>
 </div>
 
-To learn more about the script and available options please see the [documentation](https://docs.defguard.net/features/setting-up-your-instance/one-line-install).
+To learn more about the script and available options please see the [documentation](https://docs.defguard.net/getting-started/one-line-install).
 
 ### Setup a VPN server in under 5 minutes !?
 
@@ -104,9 +104,9 @@ Just follow [this tutorial](http://bit.ly/defguard-setup)
 
 ## Manual deployment examples
 
-- [Standalone system package based install](https://docs.defguard.net/admin-and-features/setting-up-your-instance/standalone-package-based-installation)
-- Using [Docker Compose](https://docs.defguard.net/features/setting-up-your-instance/docker-compose)
-- Using [Kubernetes](https://docs.defguard.net/features/setting-up-your-instance/kubernetes)
+- [Standalone system package based install](https://docs.defguard.net/deployment-strategies/standalone-package-based-installation)
+- Using [Docker Compose](https://docs.defguard.net/deployment-strategies/docker-compose)
+- Using [Kubernetes](https://docs.defguard.net/deployment-strategies/kubernetes)
 
 ## Roadmap & Development backlog
 
@@ -116,27 +116,23 @@ Just follow [this tutorial](http://bit.ly/defguard-setup)
 
 Here is a [dedicated view for **good first bugs**](https://github.com/orgs/DefGuard/projects/5/views/5)
 
-## Why?
-
-The story and motivation behind defguard [can be found here: https://teonite.com/blog/defguard/](https://teonite.com/blog/defguard/)
-
 ## Features
 
 * Remote Access: [WireGuard® VPN](https://www.wireguard.com/) server with:
-  - [Multi-Factor Authentication](https://docs.defguard.net/help/desktop-client/multi-factor-authentication-mfa-2fa) with TOTP/Email & Pre-Shared Session Keys
+  - [Multi-Factor Authentication](https://docs.defguard.net/features/wireguard/multi-factor-authentication-mfa-2fa) with TOTP/Email & Pre-Shared Session Keys
   - multiple VPN Locations (networks/sites) - with defined access (all users or only Admin group)
   - multiple [Gateways](https://github.com/DefGuard/gateway) for each VPN Location (**high availability/failover**) - supported on a cluster of routers/firewalls for Linux, FreeBSD/PFSense/OPNSense
   - **import your current WireGuard® server configuration (with a wizard!)**
   - **most beautiful [Desktop Client!](https://github.com/defguard/client)** (in our opinion ;-))
   - automatic IP allocation
-  - [automatic and real-time synchronization](https://docs.defguard.net/enterprise/automatic-real-time-desktop-client-configuration) for users' desktop client settings (including all VPNs/locations).
-  - control users [ability to manage devices and VPN options](https://docs.defguard.net/enterprise/behavior-customization)
+  - [automatic and real-time synchronization](https://docs.defguard.net/features/remote-user-enrollment/automatic-real-time-desktop-client-configuration) for users' desktop client settings (including all VPNs/locations).
+  - control users [ability to manage devices and VPN options](https://docs.defguard.net/features/wireguard/behavior-customization)
   - kernel (Linux, FreeBSD/OPNSense/PFSense) & userspace WireGuard® support with [our Rust library](https://github.com/defguard/wireguard-rs)
   - dashboard and statistics overview of connected users/devices for admins
   - *defguard is not an official WireGuard® project, and WireGuard is a registered trademark of Jason A. Donenfeld.*
 * Identity & Account Management:
   - SSO based on OpenID Connect](https://openid.net/developers/how-connect-works/)
-  - External SSO: [external OpenID provider support](https://docs.defguard.net/enterprise/external-openid-providers)
+  - External SSO: [external OpenID provider support](https://docs.defguard.net/features/external-openid-providers)
   - [Multi-Factor/2FA](https://en.wikipedia.org/wiki/Multi-factor_authentication) Authentication:
    - [Time-based One-Time Password Algorithm](https://en.wikipedia.org/wiki/Time-based_one-time_password) (TOTP - e.g. Google Authenticator)
    - WebAuthn / FIDO2 - for hardware key authentication support (eg. YubiKey, FaceID, TouchID, ...)
@@ -146,12 +142,12 @@ The story and motivation behind defguard [can be found here: https://teonite.com
   - nice UI to manage users
   - Users **self-service** (besides typical data management, users can revoke access to granted apps, MFA, WireGuard®, etc.)
 * Account Lifecycle Management:
-  - Secure remote (over the Internet) [user enrollment](https://docs.defguard.net/help/remote-user-enrollment) - on public web / Desktop Client
-  - User [onboarding after enrollment](https://docs.defguard.net/help/remote-user-enrollment/user-onboarding-after-enrollment)
-* SSH & GPG public key management in user profile - with [SSH keys authentication for servers](https://docs.defguard.net/admin-and-features/ssh-authentication)
+  - Secure remote (over the Internet) [user enrollment](https://docs.defguard.net/features/remote-user-enrollment) - on public web / Desktop Client
+  - User [onboarding after enrollment](https://docs.defguard.net/features/remote-user-enrollment/user-onboarding-after-enrollment)
+* SSH & GPG public key management in user profile - with [SSH keys authentication for servers](https://docs.defguard.net/features/ssh-authentication)
 * [Yubikey hardware keys](https://www.yubico.com/) provisioning for users by *one click*
-* [Email/SMTP support](https://docs.defguard.net/help/setting-up-smtp-for-email-notifications) for notifications, remote enrollment and onboarding
-* Easy support with [sending debug/support information](https://docs.defguard.net/help/sending-support-info)
+* [Email/SMTP support](https://docs.defguard.net/features/notifications/setting-up-smtp-for-email-notifications) for notifications, remote enrollment and onboarding
+* Easy support with [sending debug/support information](https://docs.defguard.net/support-1/troubleshooting/sending-support-info)
 * Webhooks & REST API
 * Built with [Rust](https://www.rust-lang.org/) for portability, security, and speed
 * [UI Library](https://github.com/defguard/ui) - our beautiful React/TypeScript UI is a collection of React components:
diff --git a/web/src/i18n/en/index.ts b/web/src/i18n/en/index.ts
index 6baa9a6e82..b8a7a44721 100644
--- a/web/src/i18n/en/index.ts
+++ b/web/src/i18n/en/index.ts
@@ -90,7 +90,7 @@ You can find out more about features like:
 - External SSO
 - Controlling VPN clients behavior
 
-Full enterprise feature list: [https://docs.defguard.net/enterprise/all-enteprise-features](https://docs.defguard.net/enterprise/all-enteprise-features)</br>
+Full enterprise feature list: [https://docs.defguard.net/enterprise/enterprise-features](https://docs.defguard.net/enterprise/enterprise-features)</br>
 Licensing information: [https://docs.defguard.net/enterprise/license](https://docs.defguard.net/enterprise/license)
       `,
       controls: {
@@ -567,7 +567,7 @@ Licensing information: [https://docs.defguard.net/enterprise/license](https://do
           },
           enableEnrollment: {
             label: 'Use user self-enrollment process',
-            link: '<a href="https://docs.defguard.net/help/enrollment" target="_blank">more information here</a>',
+            link: '<a href="https://docs.defguard.net/using-defguard-for-end-users/enrollment" target="_blank">more information here</a>',
           },
         },
       },
@@ -634,7 +634,7 @@ Licensing information: [https://docs.defguard.net/enterprise/license](https://do
     title: 'Add device',
     helpers: {
       setupOpt: `You can add a device using this wizard. Opt for our native application "defguard" or any other WireGuard client. If you're unsure, we recommend using defguard for simplicity.`,
-      client: `Please download defguard desktop client <a href="https://defguard.net/download" target="_blank">here</a> and then follow <a href="https://docs.defguard.net/help/configuring-vpn/add-new-instance" target="_blank">this guide</a>.`,
+      client: `Please download defguard desktop client <a href="https://defguard.net/download" target="_blank">here</a> and then follow <a href="https://docs.defguard.net/using-defguard-for-end-users/desktop-client/instance-configuration" target="_blank">this guide</a>.`,
     },
     messages: {
       deviceAdded: 'Device added',
@@ -1227,7 +1227,7 @@ Licensing information: [https://docs.defguard.net/enterprise/license](https://do
       title: 'LDAP Settings',
       sync: {
         header: 'LDAP two-way synchronization',
-        info: 'Before enabling synchronization, please read more about it in our [documentation](https://docs.defguard.net/enterprise/all-enteprise-features/ldap-and-active-directory-integration/two-way-ldap-and-active-directory-synchronization).',
+        info: 'Before enabling synchronization, please read more about it in our [documentation](https://docs.defguard.net/features/ldap-and-active-directory-integration/two-way-ldap-and-active-directory-synchronization).',
         info_enterprise: 'This feature is available only in Defguard Enterprise.',
         helpers: {
           heading:
@@ -1329,7 +1329,7 @@ Licensing information: [https://docs.defguard.net/enterprise/license](https://do
         custom: 'Custom',
         none: 'None',
         documentation:
-          'Make sure to check our [documentation](https://docs.defguard.net/enterprise/all-enteprise-features/external-openid-providers) for more information and examples.',
+          'Make sure to check our [documentation](https://docs.defguard.net/features/external-openid-providers) for more information and examples.',
         delete: 'Delete provider',
         directory_sync_settings: {
           title: 'Directory synchronization settings',
@@ -2116,7 +2116,7 @@ Licensing information: [https://docs.defguard.net/enterprise/license](https://do
       noConnection: `No connection established, please run provided command.`,
       connected: `Gateway connected.`,
       statusError: 'Failed to get gateway status',
-      oneLineInstall: `If you are doing one line install: https://docs.defguard.net/admin-and-features/setting-up-your-instance/one-line-install
+      oneLineInstall: `If you are doing one line install: https://docs.defguard.net/getting-started/one-line-install
           you don't need to do anything.`,
       fromPackage: `Install the package available at https://github.com/DefGuard/gateway/releases/latest and configure \`/etc/defguard/gateway.toml\`
           according to the [documentation]({setupGatewayDocs:string}).`,
diff --git a/web/src/i18n/i18n-types.ts b/web/src/i18n/i18n-types.ts
index a42774210d..2bd9e20581 100644
--- a/web/src/i18n/i18n-types.ts
+++ b/web/src/i18n/i18n-types.ts
@@ -276,7 +276,7 @@ type RootTranslation = {
 		​-​ ​E​x​t​e​r​n​a​l​ ​S​S​O​
 		​-​ ​C​o​n​t​r​o​l​l​i​n​g​ ​V​P​N​ ​c​l​i​e​n​t​s​ ​b​e​h​a​v​i​o​r​
 		​
-		​F​u​l​l​ ​e​n​t​e​r​p​r​i​s​e​ ​f​e​a​t​u​r​e​ ​l​i​s​t​:​ ​[​h​t​t​p​s​:​/​/​d​o​c​s​.​d​e​f​g​u​a​r​d​.​n​e​t​/​e​n​t​e​r​p​r​i​s​e​/​a​l​l​-​e​n​t​e​p​r​i​s​e​-​f​e​a​t​u​r​e​s​]​(​h​t​t​p​s​:​/​/​d​o​c​s​.​d​e​f​g​u​a​r​d​.​n​e​t​/​e​n​t​e​r​p​r​i​s​e​/​a​l​l​-​e​n​t​e​p​r​i​s​e​-​f​e​a​t​u​r​e​s​)​<​/​b​r​>​
+		​F​u​l​l​ ​e​n​t​e​r​p​r​i​s​e​ ​f​e​a​t​u​r​e​ ​l​i​s​t​:​ ​[​h​t​t​p​s​:​/​/​d​o​c​s​.​d​e​f​g​u​a​r​d​.​n​e​t​/​e​n​t​e​r​p​r​i​s​e​/​e​n​t​e​r​p​r​i​s​e​-​f​e​a​t​u​r​e​s​]​(​h​t​t​p​s​:​/​/​d​o​c​s​.​d​e​f​g​u​a​r​d​.​n​e​t​/​e​n​t​e​r​p​r​i​s​e​/​e​n​t​e​r​p​r​i​s​e​-​f​e​a​t​u​r​e​s​)​<​/​b​r​>​
 		​L​i​c​e​n​s​i​n​g​ ​i​n​f​o​r​m​a​t​i​o​n​:​ ​[​h​t​t​p​s​:​/​/​d​o​c​s​.​d​e​f​g​u​a​r​d​.​n​e​t​/​e​n​t​e​r​p​r​i​s​e​/​l​i​c​e​n​s​e​]​(​h​t​t​p​s​:​/​/​d​o​c​s​.​d​e​f​g​u​a​r​d​.​n​e​t​/​e​n​t​e​r​p​r​i​s​e​/​l​i​c​e​n​s​e​)​
 		​ ​ ​ ​ ​ ​ 
 			 */
@@ -1336,7 +1336,7 @@ type RootTranslation = {
 						 */
 						label: string
 						/**
-						 * <​a​ ​h​r​e​f​=​"​h​t​t​p​s​:​/​/​d​o​c​s​.​d​e​f​g​u​a​r​d​.​n​e​t​/​h​e​l​p​/​e​n​r​o​l​l​m​e​n​t​"​ ​t​a​r​g​e​t​=​"​_​b​l​a​n​k​"​>​m​o​r​e​ ​i​n​f​o​r​m​a​t​i​o​n​ ​h​e​r​e​<​/​a​>
+						 * <​a​ ​h​r​e​f​=​"​h​t​t​p​s​:​/​/​d​o​c​s​.​d​e​f​g​u​a​r​d​.​n​e​t​/​u​s​i​n​g​-​d​e​f​g​u​a​r​d​-​f​o​r​-​e​n​d​-​u​s​e​r​s​/​e​n​r​o​l​l​m​e​n​t​"​ ​t​a​r​g​e​t​=​"​_​b​l​a​n​k​"​>​m​o​r​e​ ​i​n​f​o​r​m​a​t​i​o​n​ ​h​e​r​e​<​/​a​>
 						 */
 						link: string
 					}
@@ -1488,7 +1488,7 @@ type RootTranslation = {
 			 */
 			setupOpt: string
 			/**
-			 * P​l​e​a​s​e​ ​d​o​w​n​l​o​a​d​ ​d​e​f​g​u​a​r​d​ ​d​e​s​k​t​o​p​ ​c​l​i​e​n​t​ ​<​a​ ​h​r​e​f​=​"​h​t​t​p​s​:​/​/​d​e​f​g​u​a​r​d​.​n​e​t​/​d​o​w​n​l​o​a​d​"​ ​t​a​r​g​e​t​=​"​_​b​l​a​n​k​"​>​h​e​r​e​<​/​a​>​ ​a​n​d​ ​t​h​e​n​ ​f​o​l​l​o​w​ ​<​a​ ​h​r​e​f​=​"​h​t​t​p​s​:​/​/​d​o​c​s​.​d​e​f​g​u​a​r​d​.​n​e​t​/​h​e​l​p​/​c​o​n​f​i​g​u​r​i​n​g​-​v​p​n​/​a​d​d​-​n​e​w​-​i​n​s​t​a​n​c​e​"​ ​t​a​r​g​e​t​=​"​_​b​l​a​n​k​"​>​t​h​i​s​ ​g​u​i​d​e​<​/​a​>​.
+			 * P​l​e​a​s​e​ ​d​o​w​n​l​o​a​d​ ​d​e​f​g​u​a​r​d​ ​d​e​s​k​t​o​p​ ​c​l​i​e​n​t​ ​<​a​ ​h​r​e​f​=​"​h​t​t​p​s​:​/​/​d​e​f​g​u​a​r​d​.​n​e​t​/​d​o​w​n​l​o​a​d​"​ ​t​a​r​g​e​t​=​"​_​b​l​a​n​k​"​>​h​e​r​e​<​/​a​>​ ​a​n​d​ ​t​h​e​n​ ​f​o​l​l​o​w​ ​<​a​ ​h​r​e​f​=​"​h​t​t​p​s​:​/​/​d​o​c​s​.​d​e​f​g​u​a​r​d​.​n​e​t​/​u​s​i​n​g​-​d​e​f​g​u​a​r​d​-​f​o​r​-​e​n​d​-​u​s​e​r​s​/​d​e​s​k​t​o​p​-​c​l​i​e​n​t​/​i​n​s​t​a​n​c​e​-​c​o​n​f​i​g​u​r​a​t​i​o​n​"​ ​t​a​r​g​e​t​=​"​_​b​l​a​n​k​"​>​t​h​i​s​ ​g​u​i​d​e​<​/​a​>​.
 			 */
 			client: string
 		}
@@ -3019,7 +3019,7 @@ type RootTranslation = {
 				 */
 				header: string
 				/**
-				 * B​e​f​o​r​e​ ​e​n​a​b​l​i​n​g​ ​s​y​n​c​h​r​o​n​i​z​a​t​i​o​n​,​ ​p​l​e​a​s​e​ ​r​e​a​d​ ​m​o​r​e​ ​a​b​o​u​t​ ​i​t​ ​i​n​ ​o​u​r​ ​[​d​o​c​u​m​e​n​t​a​t​i​o​n​]​(​h​t​t​p​s​:​/​/​d​o​c​s​.​d​e​f​g​u​a​r​d​.​n​e​t​/​e​n​t​e​r​p​r​i​s​e​/​a​l​l​-​e​n​t​e​p​r​i​s​e​-​f​e​a​t​u​r​e​s​/​l​d​a​p​-​a​n​d​-​a​c​t​i​v​e​-​d​i​r​e​c​t​o​r​y​-​i​n​t​e​g​r​a​t​i​o​n​/​t​w​o​-​w​a​y​-​l​d​a​p​-​a​n​d​-​a​c​t​i​v​e​-​d​i​r​e​c​t​o​r​y​-​s​y​n​c​h​r​o​n​i​z​a​t​i​o​n​)​.
+				 * B​e​f​o​r​e​ ​e​n​a​b​l​i​n​g​ ​s​y​n​c​h​r​o​n​i​z​a​t​i​o​n​,​ ​p​l​e​a​s​e​ ​r​e​a​d​ ​m​o​r​e​ ​a​b​o​u​t​ ​i​t​ ​i​n​ ​o​u​r​ ​[​d​o​c​u​m​e​n​t​a​t​i​o​n​]​(​h​t​t​p​s​:​/​/​d​o​c​s​.​d​e​f​g​u​a​r​d​.​n​e​t​/​f​e​a​t​u​r​e​s​/​l​d​a​p​-​a​n​d​-​a​c​t​i​v​e​-​d​i​r​e​c​t​o​r​y​-​i​n​t​e​g​r​a​t​i​o​n​/​t​w​o​-​w​a​y​-​l​d​a​p​-​a​n​d​-​a​c​t​i​v​e​-​d​i​r​e​c​t​o​r​y​-​s​y​n​c​h​r​o​n​i​z​a​t​i​o​n​)​.
 				 */
 				info: string
 				/**
@@ -3278,7 +3278,7 @@ type RootTranslation = {
 				 */
 				none: string
 				/**
-				 * M​a​k​e​ ​s​u​r​e​ ​t​o​ ​c​h​e​c​k​ ​o​u​r​ ​[​d​o​c​u​m​e​n​t​a​t​i​o​n​]​(​h​t​t​p​s​:​/​/​d​o​c​s​.​d​e​f​g​u​a​r​d​.​n​e​t​/​e​n​t​e​r​p​r​i​s​e​/​a​l​l​-​e​n​t​e​p​r​i​s​e​-​f​e​a​t​u​r​e​s​/​e​x​t​e​r​n​a​l​-​o​p​e​n​i​d​-​p​r​o​v​i​d​e​r​s​)​ ​f​o​r​ ​m​o​r​e​ ​i​n​f​o​r​m​a​t​i​o​n​ ​a​n​d​ ​e​x​a​m​p​l​e​s​.
+				 * M​a​k​e​ ​s​u​r​e​ ​t​o​ ​c​h​e​c​k​ ​o​u​r​ ​[​d​o​c​u​m​e​n​t​a​t​i​o​n​]​(​h​t​t​p​s​:​/​/​d​o​c​s​.​d​e​f​g​u​a​r​d​.​n​e​t​/​f​e​a​t​u​r​e​s​/​e​x​t​e​r​n​a​l​-​o​p​e​n​i​d​-​p​r​o​v​i​d​e​r​s​)​ ​f​o​r​ ​m​o​r​e​ ​i​n​f​o​r​m​a​t​i​o​n​ ​a​n​d​ ​e​x​a​m​p​l​e​s​.
 				 */
 				documentation: string
 				/**
@@ -5058,7 +5058,7 @@ type RootTranslation = {
 			 */
 			statusError: string
 			/**
-			 * I​f​ ​y​o​u​ ​a​r​e​ ​d​o​i​n​g​ ​o​n​e​ ​l​i​n​e​ ​i​n​s​t​a​l​l​:​ ​h​t​t​p​s​:​/​/​d​o​c​s​.​d​e​f​g​u​a​r​d​.​n​e​t​/​a​d​m​i​n​-​a​n​d​-​f​e​a​t​u​r​e​s​/​s​e​t​t​i​n​g​-​u​p​-​y​o​u​r​-​i​n​s​t​a​n​c​e​/​o​n​e​-​l​i​n​e​-​i​n​s​t​a​l​l​
+			 * I​f​ ​y​o​u​ ​a​r​e​ ​d​o​i​n​g​ ​o​n​e​ ​l​i​n​e​ ​i​n​s​t​a​l​l​:​ ​h​t​t​p​s​:​/​/​d​o​c​s​.​d​e​f​g​u​a​r​d​.​n​e​t​/​g​e​t​t​i​n​g​-​s​t​a​r​t​e​d​/​o​n​e​-​l​i​n​e​-​i​n​s​t​a​l​l​
 		​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​y​o​u​ ​d​o​n​'​t​ ​n​e​e​d​ ​t​o​ ​d​o​ ​a​n​y​t​h​i​n​g​.
 			 */
 			oneLineInstall: string
@@ -6983,7 +6983,7 @@ export type TranslationFunctions = {
 		- External SSO
 		- Controlling VPN clients behavior
 	
-		Full enterprise feature list: [https://docs.defguard.net/enterprise/all-enteprise-features](https://docs.defguard.net/enterprise/all-enteprise-features)</br>
+		Full enterprise feature list: [https://docs.defguard.net/enterprise/enterprise-features](https://docs.defguard.net/enterprise/enterprise-features)</br>
 		Licensing information: [https://docs.defguard.net/enterprise/license](https://docs.defguard.net/enterprise/license)
 		      
 			 */
@@ -8025,7 +8025,7 @@ export type TranslationFunctions = {
 						 */
 						label: () => LocalizedString
 						/**
-						 * <a href="https://docs.defguard.net/help/enrollment" target="_blank">more information here</a>
+						 * <a href="https://docs.defguard.net/using-defguard-for-end-users/enrollment" target="_blank">more information here</a>
 						 */
 						link: () => LocalizedString
 					}
@@ -8176,7 +8176,7 @@ export type TranslationFunctions = {
 			 */
 			setupOpt: () => LocalizedString
 			/**
-			 * Please download defguard desktop client <a href="https://defguard.net/download" target="_blank">here</a> and then follow <a href="https://docs.defguard.net/help/configuring-vpn/add-new-instance" target="_blank">this guide</a>.
+			 * Please download defguard desktop client <a href="https://defguard.net/download" target="_blank">here</a> and then follow <a href="https://docs.defguard.net/using-defguard-for-end-users/desktop-client/instance-configuration" target="_blank">this guide</a>.
 			 */
 			client: () => LocalizedString
 		}
@@ -9690,7 +9690,7 @@ export type TranslationFunctions = {
 				 */
 				header: () => LocalizedString
 				/**
-				 * Before enabling synchronization, please read more about it in our [documentation](https://docs.defguard.net/enterprise/all-enteprise-features/ldap-and-active-directory-integration/two-way-ldap-and-active-directory-synchronization).
+				 * Before enabling synchronization, please read more about it in our [documentation](https://docs.defguard.net/features/ldap-and-active-directory-integration/two-way-ldap-and-active-directory-synchronization).
 				 */
 				info: () => LocalizedString
 				/**
@@ -9949,7 +9949,7 @@ export type TranslationFunctions = {
 				 */
 				none: () => LocalizedString
 				/**
-				 * Make sure to check our [documentation](https://docs.defguard.net/enterprise/all-enteprise-features/external-openid-providers) for more information and examples.
+				 * Make sure to check our [documentation](https://docs.defguard.net/features/external-openid-providers) for more information and examples.
 				 */
 				documentation: () => LocalizedString
 				/**
@@ -11712,7 +11712,7 @@ export type TranslationFunctions = {
 			 */
 			statusError: () => LocalizedString
 			/**
-			 * If you are doing one line install: https://docs.defguard.net/admin-and-features/setting-up-your-instance/one-line-install
+			 * If you are doing one line install: https://docs.defguard.net/getting-started/one-line-install
 		          you don't need to do anything.
 			 */
 			oneLineInstall: () => LocalizedString
diff --git a/web/src/i18n/ko/index.ts b/web/src/i18n/ko/index.ts
index 4dbb5bcf7f..62ee06aff2 100644
--- a/web/src/i18n/ko/index.ts
+++ b/web/src/i18n/ko/index.ts
@@ -360,7 +360,7 @@ const translation: PartialDeep<Translation> = {
           },
           enableEnrollment: {
             label: '등록 프로세스 사용',
-            link: '<a href="https://docs.defguard.net/help/enrollment" target="_blank">자세한 정보는 여기를 참고하세요</a>',
+            link: '<a href="https://docs.defguard.net/using-defguard-for-end-users/enrollment" target="_blank">자세한 정보는 여기를 참고하세요</a>',
           },
         },
       },
@@ -427,7 +427,7 @@ const translation: PartialDeep<Translation> = {
     title: '장치 추가',
     helpers: {
       setupOpt: `이 마법사를 사용하여 장치를 추가할 수 있습니다. 당사의 기본 애플리케이션인 "defguard" 또는 다른 WireGuard 클라이언트를 선택하세요. 잘 모르시겠다면 간편하게 defguard를 사용하는 것을 권장합니다.`,
-      client: `defguard 데스크톱 클라이언트는 <a href="https://defguard.net/download" target="_blank">여기</a>에서 다운로드하고 <a href="https://docs.defguard.net/help/configuring-vpn/add-new-instance" target="_blank">이 가이드</a>를 따르세요.`,
+      client: `defguard 데스크톱 클라이언트는 <a href="https://defguard.net/download" target="_blank">여기</a>에서 다운로드하고 <a href="https://docs.defguard.net/using-defguard-for-end-users/desktop-client/instance-configuration" target="_blank">이 가이드</a>를 따르세요.`,
     },
     messages: {
       deviceAdded: '장치가 추가되었습니다',
@@ -1496,7 +1496,7 @@ const translation: PartialDeep<Translation> = {
       noConnection: `연결이 설정되지 않았습니다. 제공된 명령을 실행하십시오.`,
       connected: `게이트웨이가 연결되었습니다.`,
       statusError: '게이트웨이 상태를 가져오지 못했습니다',
-      oneLineInstall: `한 줄 설치를 수행하는 경우: https://docs.defguard.net/admin-and-features/setting-up-your-instance/one-line-install
+      oneLineInstall: `한 줄 설치를 수행하는 경우: https://docs.defguard.net/getting-started/one-line-install
           아무 것도 할 필요가 없습니다.`,
       fromPackage: `https://github.com/DefGuard/gateway/releases/latest에서 사용 가능한 패키지를 설치하고 [문서]({setupGatewayDocs})에 따라 \`/etc/defguard/gateway.toml\`을 구성하십시오.
           `,
diff --git a/web/src/i18n/pl/index.ts b/web/src/i18n/pl/index.ts
index 66c665ffae..588a4a60e7 100644
--- a/web/src/i18n/pl/index.ts
+++ b/web/src/i18n/pl/index.ts
@@ -77,7 +77,7 @@ Aby dowiedzieć się więcej o:
 - Zewnętrznym SSO
 - Kontrolowaniu działania klientów VPN
 
-Pełna lista funkcjonalności enterprise: [https://docs.defguard.net/enterprise/all-enteprise-features](https://docs.defguard.net/enterprise/all-enteprise-features)</br>
+Pełna lista funkcjonalności enterprise: [https://docs.defguard.net/enterprise/enterprise-features](https://docs.defguard.net/enterprise/enterprise-features)</br>
 Informacja o licencjonowaniu: [https://docs.defguard.net/enterprise/license](https://docs.defguard.net/enterprise/license)
       `,
       controls: {
@@ -528,7 +528,7 @@ Informacja o licencjonowaniu: [https://docs.defguard.net/enterprise/license](htt
           },
           enableEnrollment: {
             label: 'Użyj zdalnej rejestracji',
-            link: '<a href="https://docs.defguard.net/help/enrollment" target="_blank">więcej informacji tutaj</a>',
+            link: '<a href="https://docs.defguard.net/using-defguard-for-end-users/enrollment" target="_blank">więcej informacji tutaj</a>',
           },
         },
       },
@@ -598,7 +598,7 @@ Informacja o licencjonowaniu: [https://docs.defguard.net/enterprise/license](htt
     },
     helpers: {
       setupOpt: `Możesz dodać urządzenie używając naszego klienta lub samemu skonfigurwać urządzenie.`,
-      client: `Pobierz klienta defguard <a href="https://defguard.net/download" target="_blank">tutaj</a>, a następnie postępuj zgodnie z <a href="https://docs.defguard.net/help/configuring-vpn/add-new-instance" target="_blank">instrukcją</a> w celu jego konfiguracji.`,
+      client: `Pobierz klienta defguard <a href="https://defguard.net/download" target="_blank">tutaj</a>, a następnie postępuj zgodnie z <a href="https://docs.defguard.net/using-defguard-for-end-users/desktop-client/instance-configuration" target="_blank">instrukcją</a> w celu jego konfiguracji.`,
     },
 
     steps: {
@@ -1126,7 +1126,7 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
         custom: 'Niestandardowy',
         none: 'Brak',
         documentation:
-          'Przeczytaj więcej o tej funkcji w naszej [dokumentacji](https://docs.defguard.net/enterprise/all-enteprise-features/external-openid-providers).',
+          'Przeczytaj więcej o tej funkcji w naszej [dokumentacji](https://docs.defguard.net/enterprise/enterprise-features).',
         delete: 'Usuń dostawcę',
         directory_sync_settings: {
           title: 'Ustawienia synchronizacji katalogu',
@@ -1861,7 +1861,7 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
       noConnection: `Brak połączenia proszę uruchom poniższą komendę.`,
       connected: `Gateway połączony.`,
       statusError: 'Nie udało się uzyskać statusu',
-      oneLineInstall: `Jeśli wykonujesz instalację w jednej linii: https://docs.defguard.net/admin-and-features/setting-up-your-instance/one-line-install
+      oneLineInstall: `Jeśli wykonujesz instalację w jednej linii: https://docs.defguard.net/getting-started/one-line-install
         nie ma potrzeby wykonywania dalszych kroków.`,
       fromPackage: `Zainstaluj pakiet dostępny na https://github.com/DefGuard/gateway/releases/latest i skonfiguruj \`/etc/defguard/gateway.toml\`
         na podstawie [dokumentacji]({setupGatewayDocs}).`,

From 7f339c09f3b181276a7872d23a550ec630cfb0e0 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Fri, 26 Sep 2025 10:31:39 +0200
Subject: [PATCH 15/50] Create SBOM files (#1620)

* implement & test sbom files creation during CI process

* add sbom workflow file

* strip 'v' from ref_name

* fix version stripping

* rename sbom file

* fix asset path

* spdx format

* uncomment build-binaries job

* run sbom on self-hosted workers

* use shogo82148/actions-upload-release-asset upload action
---
 .github/workflows/release.yml |  6 ++++
 .github/workflows/sbom.yml    | 55 +++++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 .github/workflows/sbom.yml

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7129fd2b56..a45196f589 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -51,6 +51,12 @@ jobs:
           draft: true
           generate_release_notes: true
 
+  create-sbom:
+    needs: [create-release, build-docker-release]
+    uses: ./.github/workflows/sbom.yml
+    with:
+      upload_url: ${{ needs.create-release.outputs.upload_url }}
+
   build-binaries:
     needs: [create-release]
 
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
new file mode 100644
index 0000000000..42a0353500
--- /dev/null
+++ b/.github/workflows/sbom.yml
@@ -0,0 +1,55 @@
+name: Create SBOM files
+
+on:
+  workflow_call:
+    inputs:
+      upload_url:
+        description: "Release assets upload URL"
+        required: true
+        type: string
+
+jobs:
+  create-sbom:
+    runs-on: self-hosted
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      # Store the version, stripping any v-prefix
+      - name: Write release version
+        run: |
+          VERSION=${GITHUB_REF_NAME#v}
+          echo Version: $VERSION
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+      - name: Create SBOM with Trivy
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: 'fs'
+          format: 'spdx-json'
+          output: "defguard-${{ env.VERSION }}.sbom.json"
+          scan-ref: '.'
+          severity: "CRITICAL,HIGH,MEDIUM"
+          scanners: "vuln"
+
+      - name: Create docker image SBOM with Trivy
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: "ghcr.io/defguard/defguard:${{ env.VERSION }}"
+          scan-type: 'image'
+          format: 'spdx-json'
+          output: "defguard-${{ env.VERSION }}-docker.sbom.json"
+          severity: "CRITICAL,HIGH,MEDIUM"
+          scanners: "vuln"
+
+      - name: Upload SBOM
+        uses: shogo82148/actions-upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ inputs.upload_url }}
+          asset_path: "defguard-*.sbom.json"
+          asset_content_type: application/octet-stream

From fcb137a14ad4e8cfd8238a068034e5c289a06e29 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Fri, 26 Sep 2025 14:11:11 +0200
Subject: [PATCH 16/50] CI: scan code with trivy (#1622)

* CI: scan code with trivy

* update e2e pnpm deps

* update web dependencies

* configure trivy scan-ref

* include low severity vulns in sbom
---
 .github/workflows/build-docker.yml |    2 +-
 .github/workflows/ci.yml           |   10 +
 .github/workflows/sbom.yml         |    4 +-
 e2e/package.json                   |   20 +-
 e2e/pnpm-lock.yaml                 |  348 ++++-----
 web/package.json                   |   32 +-
 web/pnpm-lock.yaml                 | 1051 ++++++++++++++--------------
 7 files changed, 748 insertions(+), 719 deletions(-)

diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index f25226c1b7..5fbbc15202 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -72,7 +72,7 @@ jobs:
           cache-to: type=registry,mode=max,ref=${{ env.GHCR_REPO }}:cache-${{ matrix.tag }}-${{ env.SAFE_REF }}
 
       - name: Scan image with Trivy
-        uses: aquasecurity/trivy-action@0.32.0
+        uses: aquasecurity/trivy-action@0.33.1
         with:
           image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
           format: "table"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 14a78a70f7..dd9c8de596 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -55,6 +55,16 @@ jobs:
         with:
           submodules: recursive
 
+      - name: Scan code with Trivy
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          exit-code: "1"
+          ignore-unfixed: true
+          severity: "CRITICAL,HIGH,MEDIUM"
+          scanners: "vuln"
+
       - name: Cache
         uses: Swatinem/rust-cache@v2
 
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 42a0353500..94944c2341 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -32,7 +32,7 @@ jobs:
           format: 'spdx-json'
           output: "defguard-${{ env.VERSION }}.sbom.json"
           scan-ref: '.'
-          severity: "CRITICAL,HIGH,MEDIUM"
+          severity: "CRITICAL,HIGH,MEDIUM,LOW"
           scanners: "vuln"
 
       - name: Create docker image SBOM with Trivy
@@ -42,7 +42,7 @@ jobs:
           scan-type: 'image'
           format: 'spdx-json'
           output: "defguard-${{ env.VERSION }}-docker.sbom.json"
-          severity: "CRITICAL,HIGH,MEDIUM"
+          severity: "CRITICAL,HIGH,MEDIUM,LOW"
           scanners: "vuln"
 
       - name: Upload SBOM
diff --git a/e2e/package.json b/e2e/package.json
index 72eb2257c5..f5789344af 100644
--- a/e2e/package.json
+++ b/e2e/package.json
@@ -11,15 +11,15 @@
   "keywords": [],
   "author": "",
   "devDependencies": {
-    "@eslint/compat": "^1.3.2",
+    "@eslint/compat": "^1.4.0",
     "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.34.0",
+    "@eslint/js": "^9.36.0",
     "@prettier/plugin-oxc": "^0.0.4",
-    "@types/node": "^22.18.0",
+    "@types/node": "^22.18.6",
     "@types/totp-generator": "^0.0.8",
-    "@typescript-eslint/eslint-plugin": "^8.41.0",
-    "@typescript-eslint/parser": "^8.41.0",
-    "eslint": "^9.34.0",
+    "@typescript-eslint/eslint-plugin": "^8.44.1",
+    "@typescript-eslint/parser": "^8.44.1",
+    "eslint": "^9.36.0",
     "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-import": "^2.32.0",
     "eslint-plugin-prettier": "^5.5.4",
@@ -28,15 +28,15 @@
   },
   "dependencies": {
     "@faker-js/faker": "^9.9.0",
-    "@playwright/test": "^1.55.0",
+    "@playwright/test": "^1.55.1",
     "@scure/base": "^1.2.6",
     "@types/lodash": "^4.17.20",
     "@types/pg": "^8.15.5",
-    "axios": "^1.11.0",
-    "dotenv": "^17.2.1",
+    "axios": "^1.12.2",
+    "dotenv": "^17.2.2",
     "lodash": "^4.17.21",
     "pg": "^8.16.3",
-    "playwright": "^1.55.0",
+    "playwright": "^1.55.1",
     "totp-generator": "^1.0.0"
   },
   "volta": {
diff --git a/e2e/pnpm-lock.yaml b/e2e/pnpm-lock.yaml
index 9a7e0e96d6..b70d073f83 100644
--- a/e2e/pnpm-lock.yaml
+++ b/e2e/pnpm-lock.yaml
@@ -12,8 +12,8 @@ importers:
         specifier: ^9.9.0
         version: 9.9.0
       '@playwright/test':
-        specifier: ^1.55.0
-        version: 1.55.0
+        specifier: ^1.55.1
+        version: 1.55.1
       '@scure/base':
         specifier: ^1.2.6
         version: 1.2.6
@@ -24,11 +24,11 @@ importers:
         specifier: ^8.15.5
         version: 8.15.5
       axios:
-        specifier: ^1.11.0
-        version: 1.11.0
+        specifier: ^1.12.2
+        version: 1.12.2
       dotenv:
-        specifier: ^17.2.1
-        version: 17.2.1
+        specifier: ^17.2.2
+        version: 17.2.2
       lodash:
         specifier: ^4.17.21
         version: 4.17.21
@@ -36,68 +36,68 @@ importers:
         specifier: ^8.16.3
         version: 8.16.3
       playwright:
-        specifier: ^1.55.0
-        version: 1.55.0
+        specifier: ^1.55.1
+        version: 1.55.1
       totp-generator:
         specifier: ^1.0.0
         version: 1.0.0
     devDependencies:
       '@eslint/compat':
-        specifier: ^1.3.2
-        version: 1.3.2(eslint@9.34.0)
+        specifier: ^1.4.0
+        version: 1.4.0(eslint@9.36.0)
       '@eslint/eslintrc':
         specifier: ^3.3.1
         version: 3.3.1
       '@eslint/js':
-        specifier: ^9.34.0
-        version: 9.34.0
+        specifier: ^9.36.0
+        version: 9.36.0
       '@prettier/plugin-oxc':
         specifier: ^0.0.4
         version: 0.0.4
       '@types/node':
-        specifier: ^22.18.0
-        version: 22.18.0
+        specifier: ^22.18.6
+        version: 22.18.6
       '@types/totp-generator':
         specifier: ^0.0.8
         version: 0.0.8
       '@typescript-eslint/eslint-plugin':
-        specifier: ^8.41.0
-        version: 8.41.0(@typescript-eslint/parser@8.41.0(eslint@9.34.0)(typescript@5.8.2))(eslint@9.34.0)(typescript@5.8.2)
+        specifier: ^8.44.1
+        version: 8.44.1(@typescript-eslint/parser@8.44.1(eslint@9.36.0)(typescript@5.8.2))(eslint@9.36.0)(typescript@5.8.2)
       '@typescript-eslint/parser':
-        specifier: ^8.41.0
-        version: 8.41.0(eslint@9.34.0)(typescript@5.8.2)
+        specifier: ^8.44.1
+        version: 8.44.1(eslint@9.36.0)(typescript@5.8.2)
       eslint:
-        specifier: ^9.34.0
-        version: 9.34.0
+        specifier: ^9.36.0
+        version: 9.36.0
       eslint-config-prettier:
         specifier: ^10.1.8
-        version: 10.1.8(eslint@9.34.0)
+        version: 10.1.8(eslint@9.36.0)
       eslint-plugin-import:
         specifier: ^2.32.0
-        version: 2.32.0(@typescript-eslint/parser@8.41.0(eslint@9.34.0)(typescript@5.8.2))(eslint@9.34.0)
+        version: 2.32.0(@typescript-eslint/parser@8.44.1(eslint@9.36.0)(typescript@5.8.2))(eslint@9.36.0)
       eslint-plugin-prettier:
         specifier: ^5.5.4
-        version: 5.5.4(eslint-config-prettier@10.1.8(eslint@9.34.0))(eslint@9.34.0)(prettier@3.6.2)
+        version: 5.5.4(eslint-config-prettier@10.1.8(eslint@9.36.0))(eslint@9.36.0)(prettier@3.6.2)
       eslint-plugin-simple-import-sort:
         specifier: ^12.1.1
-        version: 12.1.1(eslint@9.34.0)
+        version: 12.1.1(eslint@9.36.0)
       prettier:
         specifier: ^3.6.2
         version: 3.6.2
 
 packages:
 
-  '@emnapi/core@1.4.5':
-    resolution: {integrity: sha512-XsLw1dEOpkSX/WucdqUhPWP7hDxSvZiY+fsUC14h+FtQ2Ifni4znbBt8punRX+Uj2JG/uDb8nEHVKvrVlvdZ5Q==}
+  '@emnapi/core@1.5.0':
+    resolution: {integrity: sha512-sbP8GzB1WDzacS8fgNPpHlp6C9VZe+SJP3F90W9rLemaQj2PzIuTEl1qDOYQf58YIpyjViI24y9aPWCjEzY2cg==}
 
-  '@emnapi/runtime@1.4.5':
-    resolution: {integrity: sha512-++LApOtY0pEEz1zrd9vy1/zXVaVJJ/EbAF3u0fXIzPJEDtnITsBGbbK0EkM72amhl/R5b+5xx0Y/QhcVOpuulg==}
+  '@emnapi/runtime@1.5.0':
+    resolution: {integrity: sha512-97/BJ3iXHww3djw6hYIfErCZFee7qCtrneuLa20UXFCOTCfBM2cvQHjWJ2EG0s0MtdNwInarqCTz35i4wWXHsQ==}
 
-  '@emnapi/wasi-threads@1.0.4':
-    resolution: {integrity: sha512-PJR+bOmMOPH8AtcTGAyYNiuJ3/Fcoj2XN/gBEWzDIKh254XO+mM9XoXHk5GNEhodxeMznbg7BlRojVbKN+gC6g==}
+  '@emnapi/wasi-threads@1.1.0':
+    resolution: {integrity: sha512-WI0DdZ8xFSbgMjR1sFsKABJ/C5OnRrjT06JXbZKexJGrDuPTzZdDYfFlsgcCXCyf+suG5QU2e/y1Wo2V/OapLQ==}
 
-  '@eslint-community/eslint-utils@4.7.0':
-    resolution: {integrity: sha512-dyybb3AcajC7uha6CvhdVRJqaKyn7w2YKqKyAN37NKYgZT36w+iRb0Dymmc5qEJ549c/S31cMMSFd75bteCpCw==}
+  '@eslint-community/eslint-utils@4.9.0':
+    resolution: {integrity: sha512-ayVFHdtZ+hsq1t2Dy24wCmGXGe4q9Gu3smhLYALJrr473ZH27MsnSL+LKUlimp4BWJqMDMLmPpx/Q9R3OAlL4g==}
     engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
     peerDependencies:
       eslint: ^6.0.0 || ^7.0.0 || >=8.0.0
@@ -106,8 +106,8 @@ packages:
     resolution: {integrity: sha512-CCZCDJuduB9OUkFkY2IgppNZMi2lBQgD2qzwXkEia16cge2pijY/aXi96CJMquDMn3nJdlPV1A5KrJEXwfLNzQ==}
     engines: {node: ^12.0.0 || ^14.0.0 || >=16.0.0}
 
-  '@eslint/compat@1.3.2':
-    resolution: {integrity: sha512-jRNwzTbd6p2Rw4sZ1CgWRS8YMtqG15YyZf7zvb6gY2rB2u6n+2Z+ELW0GtL0fQgyl0pr4Y/BzBfng/BdsereRA==}
+  '@eslint/compat@1.4.0':
+    resolution: {integrity: sha512-DEzm5dKeDBPm3r08Ixli/0cmxr8LkRdwxMRUIJBlSCpAwSrvFEJpVBzV+66JhDxiaqKxnRzCXhtiMiczF7Hglg==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
     peerDependencies:
       eslint: ^8.40 || 9
@@ -127,12 +127,16 @@ packages:
     resolution: {integrity: sha512-78Md3/Rrxh83gCxoUc0EiciuOHsIITzLy53m3d9UyiW8y9Dj2D29FeETqyKA+BRK76tnTp6RXWb3pCay8Oyomg==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
 
+  '@eslint/core@0.16.0':
+    resolution: {integrity: sha512-nmC8/totwobIiFcGkDza3GIKfAw1+hLiYVrh3I1nIomQ8PEr5cxg34jnkmGawul/ep52wGRAcyeDCNtWKSOj4Q==}
+    engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
+
   '@eslint/eslintrc@3.3.1':
     resolution: {integrity: sha512-gtF186CXhIl1p4pJNGZw8Yc6RlshoePRvE0X91oPGb3vZ8pM3qOS9W9NGPat9LziaBV7XrJWGylNQXkGcnM3IQ==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
 
-  '@eslint/js@9.34.0':
-    resolution: {integrity: sha512-EoyvqQnBNsV1CWaEJ559rxXL4c8V92gxirbawSmVUOWXlsRxxQXl6LmCpdUblgxgSkDIqKnhzba2SjRTI/A5Rw==}
+  '@eslint/js@9.36.0':
+    resolution: {integrity: sha512-uhCbYtYynH30iZErszX78U+nR3pJU3RHGQ57NXy5QupD4SBVwDeU8TNBy+MjMngc1UyIW9noKqsRqfjQTBU2dw==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
 
   '@eslint/object-schema@2.1.6':
@@ -151,18 +155,14 @@ packages:
     resolution: {integrity: sha512-5DyQ4+1JEUzejeK1JGICcideyfUbGixgS9jNgex5nqkW+cY7WZhxBigmieN5Qnw9ZosSNVC9KQKyb+GUaGyKUA==}
     engines: {node: '>=18.18.0'}
 
-  '@humanfs/node@0.16.6':
-    resolution: {integrity: sha512-YuI2ZHQL78Q5HbhDiBA1X4LmYdXCKCMQIfw0pw7piHJwyREFebJUvrQN4cMssyES6x+vfUbx1CIpaQUKYdQZOw==}
+  '@humanfs/node@0.16.7':
+    resolution: {integrity: sha512-/zUx+yOsIrG4Y43Eh2peDeKCxlRt/gET6aHfaKpuq267qXdYDFViVHfMaLyygZOnl0kGWxFIgsBy8QFuTLUXEQ==}
     engines: {node: '>=18.18.0'}
 
   '@humanwhocodes/module-importer@1.0.1':
     resolution: {integrity: sha512-bxveV4V8v5Yb4ncFTT3rPSgZBOpCkjfK0y4oVVVJwIuDVBRMDXrPyXRL988i5ap9m9bnyEEjWfm5WkBmtffLfA==}
     engines: {node: '>=12.22'}
 
-  '@humanwhocodes/retry@0.3.1':
-    resolution: {integrity: sha512-JBxkERygn7Bv/GbN5Rv8Ul6LVknS+5Bp6RgDC/O8gEBU/yeH5Ui5C/OlWrTb6qct7LjjfT6Re2NxB0ln0yYybA==}
-    engines: {node: '>=18.18'}
-
   '@humanwhocodes/retry@0.4.3':
     resolution: {integrity: sha512-bV0Tgo9K4hfPCek+aMAn81RppFKv2ySDQeMoSZuvTASywNTnVJCArCZE2FWqpvIatKu7VMRLWlR1EazvVhDyhQ==}
     engines: {node: '>=18.18'}
@@ -278,8 +278,8 @@ packages:
     resolution: {integrity: sha512-QNqXyfVS2wm9hweSYD2O7F0G06uurj9kZ96TRQE5Y9hU7+tgdZwIkbAKc5Ocy1HxEY2kuDQa6cQ1WRs/O5LFKA==}
     engines: {node: ^12.20.0 || ^14.18.0 || >=16.0.0}
 
-  '@playwright/test@1.55.0':
-    resolution: {integrity: sha512-04IXzPwHrW69XusN/SIdDdKZBzMfOT9UNT/YiJit/xpy2VuAoB8NHc8Aplb96zsWDddLnbkPL3TsmrS04ZU2xQ==}
+  '@playwright/test@1.55.1':
+    resolution: {integrity: sha512-IVAh/nOJaw6W9g+RJVlIQJ6gSiER+ae6mKQ5CX1bERzQgbC1VSeBlwdvczT7pxb0GWiyrxH4TGKbMfDb4Sq/ig==}
     engines: {node: '>=18'}
     hasBin: true
 
@@ -293,8 +293,8 @@ packages:
   '@scure/base@1.2.6':
     resolution: {integrity: sha512-g/nm5FgUa//MCj1gV09zTJTaM6KBAHqLN907YVQqf7zC49+DcO4B1so4ZX07Ef10Twr6nuqYEH9GEggFXA4Fmg==}
 
-  '@tybys/wasm-util@0.10.0':
-    resolution: {integrity: sha512-VyyPYFlOMNylG45GoAe0xDoLwWuowvf92F9kySqzYh8vmYm7D2u4iUJKa1tOUpS70Ku13ASrOkS4ScXFsTaCNQ==}
+  '@tybys/wasm-util@0.10.1':
+    resolution: {integrity: sha512-9tTaPJLSiejZKx+Bmog4uSubteqTvFrVrURwkmHixBo0G4seD0zUxp98E1DzUBJxLQ3NPwXrGKDiVjwx/DpPsg==}
 
   '@types/estree@1.0.8':
     resolution: {integrity: sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==}
@@ -308,8 +308,8 @@ packages:
   '@types/lodash@4.17.20':
     resolution: {integrity: sha512-H3MHACvFUEiujabxhaI/ImO6gUrd8oOurg7LQtS7mbwIXA/cUqWrvBsaeJ23aZEPk1TAYkurjfMbSELfoCXlGA==}
 
-  '@types/node@22.18.0':
-    resolution: {integrity: sha512-m5ObIqwsUp6BZzyiy4RdZpzWGub9bqLJMvZDD0QMXhxjqMHMENlj+SqF5QxoUwaQNFe+8kz8XM8ZQhqkQPTgMQ==}
+  '@types/node@22.18.6':
+    resolution: {integrity: sha512-r8uszLPpeIWbNKtvWRt/DbVi5zbqZyj1PTmhRMqBMvDnaz1QpmSKujUtJLrqGZeoM8v72MfYggDceY4K1itzWQ==}
 
   '@types/pg@8.15.5':
     resolution: {integrity: sha512-LF7lF6zWEKxuT3/OR8wAZGzkg4ENGXFNyiV/JeOt9z5B+0ZVwbql9McqX5c/WStFq1GaGso7H1AzP/qSzmlCKQ==}
@@ -317,63 +317,63 @@ packages:
   '@types/totp-generator@0.0.8':
     resolution: {integrity: sha512-NAiruWgCYxW1sd2LjpTT/sVarogTjjQoUyLiiL/e2DZOz9eovKxzEx5BiH8YgZoKUDZql1VXiIzgDBK7VzOmNw==}
 
-  '@typescript-eslint/eslint-plugin@8.41.0':
-    resolution: {integrity: sha512-8fz6oa6wEKZrhXWro/S3n2eRJqlRcIa6SlDh59FXJ5Wp5XRZ8B9ixpJDcjadHq47hMx0u+HW6SNa6LjJQ6NLtw==}
+  '@typescript-eslint/eslint-plugin@8.44.1':
+    resolution: {integrity: sha512-molgphGqOBT7t4YKCSkbasmu1tb1MgrZ2szGzHbclF7PNmOkSTQVHy+2jXOSnxvR3+Xe1yySHFZoqMpz3TfQsw==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
     peerDependencies:
-      '@typescript-eslint/parser': ^8.41.0
+      '@typescript-eslint/parser': ^8.44.1
       eslint: ^8.57.0 || ^9.0.0
       typescript: '>=4.8.4 <6.0.0'
 
-  '@typescript-eslint/parser@8.41.0':
-    resolution: {integrity: sha512-gTtSdWX9xiMPA/7MV9STjJOOYtWwIJIYxkQxnSV1U3xcE+mnJSH3f6zI0RYP+ew66WSlZ5ed+h0VCxsvdC1jJg==}
+  '@typescript-eslint/parser@8.44.1':
+    resolution: {integrity: sha512-EHrrEsyhOhxYt8MTg4zTF+DJMuNBzWwgvvOYNj/zm1vnaD/IC5zCXFehZv94Piqa2cRFfXrTFxIvO95L7Qc/cw==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
     peerDependencies:
       eslint: ^8.57.0 || ^9.0.0
       typescript: '>=4.8.4 <6.0.0'
 
-  '@typescript-eslint/project-service@8.41.0':
-    resolution: {integrity: sha512-b8V9SdGBQzQdjJ/IO3eDifGpDBJfvrNTp2QD9P2BeqWTGrRibgfgIlBSw6z3b6R7dPzg752tOs4u/7yCLxksSQ==}
+  '@typescript-eslint/project-service@8.44.1':
+    resolution: {integrity: sha512-ycSa60eGg8GWAkVsKV4E6Nz33h+HjTXbsDT4FILyL8Obk5/mx4tbvCNsLf9zret3ipSumAOG89UcCs/KRaKYrA==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
     peerDependencies:
       typescript: '>=4.8.4 <6.0.0'
 
-  '@typescript-eslint/scope-manager@8.41.0':
-    resolution: {integrity: sha512-n6m05bXn/Cd6DZDGyrpXrELCPVaTnLdPToyhBoFkLIMznRUQUEQdSp96s/pcWSQdqOhrgR1mzJ+yItK7T+WPMQ==}
+  '@typescript-eslint/scope-manager@8.44.1':
+    resolution: {integrity: sha512-NdhWHgmynpSvyhchGLXh+w12OMT308Gm25JoRIyTZqEbApiBiQHD/8xgb6LqCWCFcxFtWwaVdFsLPQI3jvhywg==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
 
-  '@typescript-eslint/tsconfig-utils@8.41.0':
-    resolution: {integrity: sha512-TDhxYFPUYRFxFhuU5hTIJk+auzM/wKvWgoNYOPcOf6i4ReYlOoYN8q1dV5kOTjNQNJgzWN3TUUQMtlLOcUgdUw==}
+  '@typescript-eslint/tsconfig-utils@8.44.1':
+    resolution: {integrity: sha512-B5OyACouEjuIvof3o86lRMvyDsFwZm+4fBOqFHccIctYgBjqR3qT39FBYGN87khcgf0ExpdCBeGKpKRhSFTjKQ==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
     peerDependencies:
       typescript: '>=4.8.4 <6.0.0'
 
-  '@typescript-eslint/type-utils@8.41.0':
-    resolution: {integrity: sha512-63qt1h91vg3KsjVVonFJWjgSK7pZHSQFKH6uwqxAH9bBrsyRhO6ONoKyXxyVBzG1lJnFAJcKAcxLS54N1ee1OQ==}
+  '@typescript-eslint/type-utils@8.44.1':
+    resolution: {integrity: sha512-KdEerZqHWXsRNKjF9NYswNISnFzXfXNDfPxoTh7tqohU/PRIbwTmsjGK6V9/RTYWau7NZvfo52lgVk+sJh0K3g==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
     peerDependencies:
       eslint: ^8.57.0 || ^9.0.0
       typescript: '>=4.8.4 <6.0.0'
 
-  '@typescript-eslint/types@8.41.0':
-    resolution: {integrity: sha512-9EwxsWdVqh42afLbHP90n2VdHaWU/oWgbH2P0CfcNfdKL7CuKpwMQGjwev56vWu9cSKU7FWSu6r9zck6CVfnag==}
+  '@typescript-eslint/types@8.44.1':
+    resolution: {integrity: sha512-Lk7uj7y9uQUOEguiDIDLYLJOrYHQa7oBiURYVFqIpGxclAFQ78f6VUOM8lI2XEuNOKNB7XuvM2+2cMXAoq4ALQ==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
 
-  '@typescript-eslint/typescript-estree@8.41.0':
-    resolution: {integrity: sha512-D43UwUYJmGhuwHfY7MtNKRZMmfd8+p/eNSfFe6tH5mbVDto+VQCayeAt35rOx3Cs6wxD16DQtIKw/YXxt5E0UQ==}
+  '@typescript-eslint/typescript-estree@8.44.1':
+    resolution: {integrity: sha512-qnQJ+mVa7szevdEyvfItbO5Vo+GfZ4/GZWWDRRLjrxYPkhM+6zYB2vRYwCsoJLzqFCdZT4mEqyJoyzkunsZ96A==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
     peerDependencies:
       typescript: '>=4.8.4 <6.0.0'
 
-  '@typescript-eslint/utils@8.41.0':
-    resolution: {integrity: sha512-udbCVstxZ5jiPIXrdH+BZWnPatjlYwJuJkDA4Tbo3WyYLh8NvB+h/bKeSZHDOFKfphsZYJQqaFtLeXEqurQn1A==}
+  '@typescript-eslint/utils@8.44.1':
+    resolution: {integrity: sha512-DpX5Fp6edTlocMCwA+mHY8Mra+pPjRZ0TfHkXI8QFelIKcbADQz1LUPNtzOFUriBB2UYqw4Pi9+xV4w9ZczHFg==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
     peerDependencies:
       eslint: ^8.57.0 || ^9.0.0
       typescript: '>=4.8.4 <6.0.0'
 
-  '@typescript-eslint/visitor-keys@8.41.0':
-    resolution: {integrity: sha512-+GeGMebMCy0elMNg67LRNoVnUFPIm37iu5CmHESVx56/9Jsfdpsvbv605DQ81Pi/x11IdKUsS5nzgTYbCQU9fg==}
+  '@typescript-eslint/visitor-keys@8.44.1':
+    resolution: {integrity: sha512-576+u0QD+Jp3tZzvfRfxon0EA2lzcDt3lhUbsC6Lgzy9x2VR4E+JUiNyGHi5T8vk0TV+fpJ5GLG1JsJuWCaKhw==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
 
   acorn-jsx@5.3.2:
@@ -431,8 +431,8 @@ packages:
     resolution: {integrity: sha512-wvUjBtSGN7+7SjNpq/9M2Tg350UZD3q62IFZLbRAR1bSMlCo1ZaeW+BJ+D090e4hIIZLBcTDWe4Mh4jvUDajzQ==}
     engines: {node: '>= 0.4'}
 
-  axios@1.11.0:
-    resolution: {integrity: sha512-1Lx3WLFQWm3ooKDYZD1eXmoGO9fxYQjrycfHFC8P0sCfQVXyROp0p9PFWBehewBOdCwHc+f/b8I0fMto5eSfwA==}
+  axios@1.12.2:
+    resolution: {integrity: sha512-vMJzPewAlRyOgxV2dU0Cuz2O8zzzx9VYtbJOaBgXFeLc4IV/Eg50n4LowmehOOR61S8ZMpc2K5Sa7g6A4jfkUw==}
 
   balanced-match@1.0.2:
     resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==}
@@ -505,8 +505,8 @@ packages:
       supports-color:
         optional: true
 
-  debug@4.4.1:
-    resolution: {integrity: sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ==}
+  debug@4.4.3:
+    resolution: {integrity: sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==}
     engines: {node: '>=6.0'}
     peerDependencies:
       supports-color: '*'
@@ -533,8 +533,8 @@ packages:
     resolution: {integrity: sha512-35mSku4ZXK0vfCuHEDAwt55dg2jNajHZ1odvF+8SSr82EsZY4QmXfuWso8oEd8zRhVObSN18aM0CjSdoBX7zIw==}
     engines: {node: '>=0.10.0'}
 
-  dotenv@17.2.1:
-    resolution: {integrity: sha512-kQhDYKZecqnM0fCnzI5eIv5L4cAe/iRI+HqMbO/hbRdTAeXDG+M9FjipUxNfbARuEg4iHIbhnhs78BCHNbSxEQ==}
+  dotenv@17.2.2:
+    resolution: {integrity: sha512-Sf2LSQP+bOlhKWWyhFsn0UsfdK/kCWRv1iuA2gXAwt3dyNabr6QSj00I2V10pidqz69soatm9ZwZvpQMTIOd5Q==}
     engines: {node: '>=12'}
 
   dunder-proto@1.0.1:
@@ -644,8 +644,8 @@ packages:
     resolution: {integrity: sha512-Uhdk5sfqcee/9H/rCOJikYz67o0a2Tw2hGRPOG2Y1R2dg7brRe1uG0yaNQDHu+TO/uQPF/5eCapvYSmHUjt7JQ==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
 
-  eslint@9.34.0:
-    resolution: {integrity: sha512-RNCHRX5EwdrESy3Jc9o8ie8Bog+PeYvvSR8sDGoZxNFTvZ4dlxUB3WzQ3bQMztFrSRODGrLLj8g6OFuGY/aiQg==}
+  eslint@9.36.0:
+    resolution: {integrity: sha512-hB4FIzXovouYzwzECDcUkJ4OcfOEkXTv2zRY6B9bkwjx/cprAq0uvm1nl7zvQ0/TsUk0zQiN4uPfJpB9m+rPMQ==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
     hasBin: true
     peerDependencies:
@@ -1102,13 +1102,13 @@ packages:
     resolution: {integrity: sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==}
     engines: {node: '>=8.6'}
 
-  playwright-core@1.55.0:
-    resolution: {integrity: sha512-GvZs4vU3U5ro2nZpeiwyb0zuFaqb9sUiAJuyrWpcGouD8y9/HLgGbNRjIph7zU9D3hnPaisMl9zG9CgFi/biIg==}
+  playwright-core@1.55.1:
+    resolution: {integrity: sha512-Z6Mh9mkwX+zxSlHqdr5AOcJnfp+xUWLCt9uKV18fhzA8eyxUd8NUWzAjxUh55RZKSYwDGX0cfaySdhZJGMoJ+w==}
     engines: {node: '>=18'}
     hasBin: true
 
-  playwright@1.55.0:
-    resolution: {integrity: sha512-sdCWStblvV1YU909Xqx0DhOjPZE4/5lJsIS84IfN9dAZfcl/CIZ5O8l3o0j7hPMjDvqoTF8ZUcc+i/GL5erstA==}
+  playwright@1.55.1:
+    resolution: {integrity: sha512-cJW4Xd/G3v5ovXtJJ52MAOclqeac9S/aGGgRzLabuF8TnIb6xHvMzKIa6JmrRzUkeXJgfL1MhukP0NK6l39h3A==}
     engines: {node: '>=18'}
     hasBin: true
 
@@ -1365,37 +1365,39 @@ packages:
 
 snapshots:
 
-  '@emnapi/core@1.4.5':
+  '@emnapi/core@1.5.0':
     dependencies:
-      '@emnapi/wasi-threads': 1.0.4
+      '@emnapi/wasi-threads': 1.1.0
       tslib: 2.8.1
     optional: true
 
-  '@emnapi/runtime@1.4.5':
+  '@emnapi/runtime@1.5.0':
     dependencies:
       tslib: 2.8.1
     optional: true
 
-  '@emnapi/wasi-threads@1.0.4':
+  '@emnapi/wasi-threads@1.1.0':
     dependencies:
       tslib: 2.8.1
     optional: true
 
-  '@eslint-community/eslint-utils@4.7.0(eslint@9.34.0)':
+  '@eslint-community/eslint-utils@4.9.0(eslint@9.36.0)':
     dependencies:
-      eslint: 9.34.0
+      eslint: 9.36.0
       eslint-visitor-keys: 3.4.3
 
   '@eslint-community/regexpp@4.12.1': {}
 
-  '@eslint/compat@1.3.2(eslint@9.34.0)':
+  '@eslint/compat@1.4.0(eslint@9.36.0)':
+    dependencies:
+      '@eslint/core': 0.16.0
     optionalDependencies:
-      eslint: 9.34.0
+      eslint: 9.36.0
 
   '@eslint/config-array@0.21.0':
     dependencies:
       '@eslint/object-schema': 2.1.6
-      debug: 4.4.1
+      debug: 4.4.3
       minimatch: 3.1.2
     transitivePeerDependencies:
       - supports-color
@@ -1406,10 +1408,14 @@ snapshots:
     dependencies:
       '@types/json-schema': 7.0.15
 
+  '@eslint/core@0.16.0':
+    dependencies:
+      '@types/json-schema': 7.0.15
+
   '@eslint/eslintrc@3.3.1':
     dependencies:
       ajv: 6.12.6
-      debug: 4.4.1
+      debug: 4.4.3
       espree: 10.4.0
       globals: 14.0.0
       ignore: 5.3.2
@@ -1420,7 +1426,7 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  '@eslint/js@9.34.0': {}
+  '@eslint/js@9.36.0': {}
 
   '@eslint/object-schema@2.1.6': {}
 
@@ -1433,22 +1439,20 @@ snapshots:
 
   '@humanfs/core@0.19.1': {}
 
-  '@humanfs/node@0.16.6':
+  '@humanfs/node@0.16.7':
     dependencies:
       '@humanfs/core': 0.19.1
-      '@humanwhocodes/retry': 0.3.1
+      '@humanwhocodes/retry': 0.4.3
 
   '@humanwhocodes/module-importer@1.0.1': {}
 
-  '@humanwhocodes/retry@0.3.1': {}
-
   '@humanwhocodes/retry@0.4.3': {}
 
   '@napi-rs/wasm-runtime@0.2.12':
     dependencies:
-      '@emnapi/core': 1.4.5
-      '@emnapi/runtime': 1.4.5
-      '@tybys/wasm-util': 0.10.0
+      '@emnapi/core': 1.5.0
+      '@emnapi/runtime': 1.5.0
+      '@tybys/wasm-util': 0.10.1
     optional: true
 
   '@nodelib/fs.scandir@2.1.5':
@@ -1514,9 +1518,9 @@ snapshots:
 
   '@pkgr/core@0.2.9': {}
 
-  '@playwright/test@1.55.0':
+  '@playwright/test@1.55.1':
     dependencies:
-      playwright: 1.55.0
+      playwright: 1.55.1
 
   '@prettier/plugin-oxc@0.0.4':
     dependencies:
@@ -1526,7 +1530,7 @@ snapshots:
 
   '@scure/base@1.2.6': {}
 
-  '@tybys/wasm-util@0.10.0':
+  '@tybys/wasm-util@0.10.1':
     dependencies:
       tslib: 2.8.1
     optional: true
@@ -1539,27 +1543,27 @@ snapshots:
 
   '@types/lodash@4.17.20': {}
 
-  '@types/node@22.18.0':
+  '@types/node@22.18.6':
     dependencies:
       undici-types: 6.21.0
 
   '@types/pg@8.15.5':
     dependencies:
-      '@types/node': 22.18.0
+      '@types/node': 22.18.6
       pg-protocol: 1.10.3
       pg-types: 2.2.0
 
   '@types/totp-generator@0.0.8': {}
 
-  '@typescript-eslint/eslint-plugin@8.41.0(@typescript-eslint/parser@8.41.0(eslint@9.34.0)(typescript@5.8.2))(eslint@9.34.0)(typescript@5.8.2)':
+  '@typescript-eslint/eslint-plugin@8.44.1(@typescript-eslint/parser@8.44.1(eslint@9.36.0)(typescript@5.8.2))(eslint@9.36.0)(typescript@5.8.2)':
     dependencies:
       '@eslint-community/regexpp': 4.12.1
-      '@typescript-eslint/parser': 8.41.0(eslint@9.34.0)(typescript@5.8.2)
-      '@typescript-eslint/scope-manager': 8.41.0
-      '@typescript-eslint/type-utils': 8.41.0(eslint@9.34.0)(typescript@5.8.2)
-      '@typescript-eslint/utils': 8.41.0(eslint@9.34.0)(typescript@5.8.2)
-      '@typescript-eslint/visitor-keys': 8.41.0
-      eslint: 9.34.0
+      '@typescript-eslint/parser': 8.44.1(eslint@9.36.0)(typescript@5.8.2)
+      '@typescript-eslint/scope-manager': 8.44.1
+      '@typescript-eslint/type-utils': 8.44.1(eslint@9.36.0)(typescript@5.8.2)
+      '@typescript-eslint/utils': 8.44.1(eslint@9.36.0)(typescript@5.8.2)
+      '@typescript-eslint/visitor-keys': 8.44.1
+      eslint: 9.36.0
       graphemer: 1.4.0
       ignore: 7.0.5
       natural-compare: 1.4.0
@@ -1568,57 +1572,57 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  '@typescript-eslint/parser@8.41.0(eslint@9.34.0)(typescript@5.8.2)':
+  '@typescript-eslint/parser@8.44.1(eslint@9.36.0)(typescript@5.8.2)':
     dependencies:
-      '@typescript-eslint/scope-manager': 8.41.0
-      '@typescript-eslint/types': 8.41.0
-      '@typescript-eslint/typescript-estree': 8.41.0(typescript@5.8.2)
-      '@typescript-eslint/visitor-keys': 8.41.0
-      debug: 4.4.1
-      eslint: 9.34.0
+      '@typescript-eslint/scope-manager': 8.44.1
+      '@typescript-eslint/types': 8.44.1
+      '@typescript-eslint/typescript-estree': 8.44.1(typescript@5.8.2)
+      '@typescript-eslint/visitor-keys': 8.44.1
+      debug: 4.4.3
+      eslint: 9.36.0
       typescript: 5.8.2
     transitivePeerDependencies:
       - supports-color
 
-  '@typescript-eslint/project-service@8.41.0(typescript@5.8.2)':
+  '@typescript-eslint/project-service@8.44.1(typescript@5.8.2)':
     dependencies:
-      '@typescript-eslint/tsconfig-utils': 8.41.0(typescript@5.8.2)
-      '@typescript-eslint/types': 8.41.0
-      debug: 4.4.1
+      '@typescript-eslint/tsconfig-utils': 8.44.1(typescript@5.8.2)
+      '@typescript-eslint/types': 8.44.1
+      debug: 4.4.3
       typescript: 5.8.2
     transitivePeerDependencies:
       - supports-color
 
-  '@typescript-eslint/scope-manager@8.41.0':
+  '@typescript-eslint/scope-manager@8.44.1':
     dependencies:
-      '@typescript-eslint/types': 8.41.0
-      '@typescript-eslint/visitor-keys': 8.41.0
+      '@typescript-eslint/types': 8.44.1
+      '@typescript-eslint/visitor-keys': 8.44.1
 
-  '@typescript-eslint/tsconfig-utils@8.41.0(typescript@5.8.2)':
+  '@typescript-eslint/tsconfig-utils@8.44.1(typescript@5.8.2)':
     dependencies:
       typescript: 5.8.2
 
-  '@typescript-eslint/type-utils@8.41.0(eslint@9.34.0)(typescript@5.8.2)':
+  '@typescript-eslint/type-utils@8.44.1(eslint@9.36.0)(typescript@5.8.2)':
     dependencies:
-      '@typescript-eslint/types': 8.41.0
-      '@typescript-eslint/typescript-estree': 8.41.0(typescript@5.8.2)
-      '@typescript-eslint/utils': 8.41.0(eslint@9.34.0)(typescript@5.8.2)
-      debug: 4.4.1
-      eslint: 9.34.0
+      '@typescript-eslint/types': 8.44.1
+      '@typescript-eslint/typescript-estree': 8.44.1(typescript@5.8.2)
+      '@typescript-eslint/utils': 8.44.1(eslint@9.36.0)(typescript@5.8.2)
+      debug: 4.4.3
+      eslint: 9.36.0
       ts-api-utils: 2.1.0(typescript@5.8.2)
       typescript: 5.8.2
     transitivePeerDependencies:
       - supports-color
 
-  '@typescript-eslint/types@8.41.0': {}
+  '@typescript-eslint/types@8.44.1': {}
 
-  '@typescript-eslint/typescript-estree@8.41.0(typescript@5.8.2)':
+  '@typescript-eslint/typescript-estree@8.44.1(typescript@5.8.2)':
     dependencies:
-      '@typescript-eslint/project-service': 8.41.0(typescript@5.8.2)
-      '@typescript-eslint/tsconfig-utils': 8.41.0(typescript@5.8.2)
-      '@typescript-eslint/types': 8.41.0
-      '@typescript-eslint/visitor-keys': 8.41.0
-      debug: 4.4.1
+      '@typescript-eslint/project-service': 8.44.1(typescript@5.8.2)
+      '@typescript-eslint/tsconfig-utils': 8.44.1(typescript@5.8.2)
+      '@typescript-eslint/types': 8.44.1
+      '@typescript-eslint/visitor-keys': 8.44.1
+      debug: 4.4.3
       fast-glob: 3.3.3
       is-glob: 4.0.3
       minimatch: 9.0.5
@@ -1628,20 +1632,20 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  '@typescript-eslint/utils@8.41.0(eslint@9.34.0)(typescript@5.8.2)':
+  '@typescript-eslint/utils@8.44.1(eslint@9.36.0)(typescript@5.8.2)':
     dependencies:
-      '@eslint-community/eslint-utils': 4.7.0(eslint@9.34.0)
-      '@typescript-eslint/scope-manager': 8.41.0
-      '@typescript-eslint/types': 8.41.0
-      '@typescript-eslint/typescript-estree': 8.41.0(typescript@5.8.2)
-      eslint: 9.34.0
+      '@eslint-community/eslint-utils': 4.9.0(eslint@9.36.0)
+      '@typescript-eslint/scope-manager': 8.44.1
+      '@typescript-eslint/types': 8.44.1
+      '@typescript-eslint/typescript-estree': 8.44.1(typescript@5.8.2)
+      eslint: 9.36.0
       typescript: 5.8.2
     transitivePeerDependencies:
       - supports-color
 
-  '@typescript-eslint/visitor-keys@8.41.0':
+  '@typescript-eslint/visitor-keys@8.44.1':
     dependencies:
-      '@typescript-eslint/types': 8.41.0
+      '@typescript-eslint/types': 8.44.1
       eslint-visitor-keys: 4.2.1
 
   acorn-jsx@5.3.2(acorn@8.15.0):
@@ -1721,7 +1725,7 @@ snapshots:
     dependencies:
       possible-typed-array-names: 1.1.0
 
-  axios@1.11.0:
+  axios@1.12.2:
     dependencies:
       follow-redirects: 1.15.11
       form-data: 4.0.4
@@ -1808,7 +1812,7 @@ snapshots:
     dependencies:
       ms: 2.1.3
 
-  debug@4.4.1:
+  debug@4.4.3:
     dependencies:
       ms: 2.1.3
 
@@ -1832,7 +1836,7 @@ snapshots:
     dependencies:
       esutils: 2.0.3
 
-  dotenv@17.2.1: {}
+  dotenv@17.2.2: {}
 
   dunder-proto@1.0.1:
     dependencies:
@@ -1924,9 +1928,9 @@ snapshots:
 
   escape-string-regexp@4.0.0: {}
 
-  eslint-config-prettier@10.1.8(eslint@9.34.0):
+  eslint-config-prettier@10.1.8(eslint@9.36.0):
     dependencies:
-      eslint: 9.34.0
+      eslint: 9.36.0
 
   eslint-import-resolver-node@0.3.9:
     dependencies:
@@ -1936,17 +1940,17 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  eslint-module-utils@2.12.1(@typescript-eslint/parser@8.41.0(eslint@9.34.0)(typescript@5.8.2))(eslint-import-resolver-node@0.3.9)(eslint@9.34.0):
+  eslint-module-utils@2.12.1(@typescript-eslint/parser@8.44.1(eslint@9.36.0)(typescript@5.8.2))(eslint-import-resolver-node@0.3.9)(eslint@9.36.0):
     dependencies:
       debug: 3.2.7
     optionalDependencies:
-      '@typescript-eslint/parser': 8.41.0(eslint@9.34.0)(typescript@5.8.2)
-      eslint: 9.34.0
+      '@typescript-eslint/parser': 8.44.1(eslint@9.36.0)(typescript@5.8.2)
+      eslint: 9.36.0
       eslint-import-resolver-node: 0.3.9
     transitivePeerDependencies:
       - supports-color
 
-  eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.41.0(eslint@9.34.0)(typescript@5.8.2))(eslint@9.34.0):
+  eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.44.1(eslint@9.36.0)(typescript@5.8.2))(eslint@9.36.0):
     dependencies:
       '@rtsao/scc': 1.1.0
       array-includes: 3.1.9
@@ -1955,9 +1959,9 @@ snapshots:
       array.prototype.flatmap: 1.3.3
       debug: 3.2.7
       doctrine: 2.1.0
-      eslint: 9.34.0
+      eslint: 9.36.0
       eslint-import-resolver-node: 0.3.9
-      eslint-module-utils: 2.12.1(@typescript-eslint/parser@8.41.0(eslint@9.34.0)(typescript@5.8.2))(eslint-import-resolver-node@0.3.9)(eslint@9.34.0)
+      eslint-module-utils: 2.12.1(@typescript-eslint/parser@8.44.1(eslint@9.36.0)(typescript@5.8.2))(eslint-import-resolver-node@0.3.9)(eslint@9.36.0)
       hasown: 2.0.2
       is-core-module: 2.16.1
       is-glob: 4.0.3
@@ -1969,24 +1973,24 @@ snapshots:
       string.prototype.trimend: 1.0.9
       tsconfig-paths: 3.15.0
     optionalDependencies:
-      '@typescript-eslint/parser': 8.41.0(eslint@9.34.0)(typescript@5.8.2)
+      '@typescript-eslint/parser': 8.44.1(eslint@9.36.0)(typescript@5.8.2)
     transitivePeerDependencies:
       - eslint-import-resolver-typescript
       - eslint-import-resolver-webpack
       - supports-color
 
-  eslint-plugin-prettier@5.5.4(eslint-config-prettier@10.1.8(eslint@9.34.0))(eslint@9.34.0)(prettier@3.6.2):
+  eslint-plugin-prettier@5.5.4(eslint-config-prettier@10.1.8(eslint@9.36.0))(eslint@9.36.0)(prettier@3.6.2):
     dependencies:
-      eslint: 9.34.0
+      eslint: 9.36.0
       prettier: 3.6.2
       prettier-linter-helpers: 1.0.0
       synckit: 0.11.11
     optionalDependencies:
-      eslint-config-prettier: 10.1.8(eslint@9.34.0)
+      eslint-config-prettier: 10.1.8(eslint@9.36.0)
 
-  eslint-plugin-simple-import-sort@12.1.1(eslint@9.34.0):
+  eslint-plugin-simple-import-sort@12.1.1(eslint@9.36.0):
     dependencies:
-      eslint: 9.34.0
+      eslint: 9.36.0
 
   eslint-scope@8.4.0:
     dependencies:
@@ -1997,17 +2001,17 @@ snapshots:
 
   eslint-visitor-keys@4.2.1: {}
 
-  eslint@9.34.0:
+  eslint@9.36.0:
     dependencies:
-      '@eslint-community/eslint-utils': 4.7.0(eslint@9.34.0)
+      '@eslint-community/eslint-utils': 4.9.0(eslint@9.36.0)
       '@eslint-community/regexpp': 4.12.1
       '@eslint/config-array': 0.21.0
       '@eslint/config-helpers': 0.3.1
       '@eslint/core': 0.15.2
       '@eslint/eslintrc': 3.3.1
-      '@eslint/js': 9.34.0
+      '@eslint/js': 9.36.0
       '@eslint/plugin-kit': 0.3.5
-      '@humanfs/node': 0.16.6
+      '@humanfs/node': 0.16.7
       '@humanwhocodes/module-importer': 1.0.1
       '@humanwhocodes/retry': 0.4.3
       '@types/estree': 1.0.8
@@ -2015,7 +2019,7 @@ snapshots:
       ajv: 6.12.6
       chalk: 4.1.2
       cross-spawn: 7.0.6
-      debug: 4.4.1
+      debug: 4.4.3
       escape-string-regexp: 4.0.0
       eslint-scope: 8.4.0
       eslint-visitor-keys: 4.2.1
@@ -2503,11 +2507,11 @@ snapshots:
 
   picomatch@2.3.1: {}
 
-  playwright-core@1.55.0: {}
+  playwright-core@1.55.1: {}
 
-  playwright@1.55.0:
+  playwright@1.55.1:
     dependencies:
-      playwright-core: 1.55.0
+      playwright-core: 1.55.1
     optionalDependencies:
       fsevents: 2.3.2
 
diff --git a/web/package.json b/web/package.json
index 19a73a2751..72f2c3acba 100644
--- a/web/package.json
+++ b/web/package.json
@@ -45,17 +45,17 @@
   "dependencies": {
     "@floating-ui/react": "^0.27.16",
     "@github/webauthn-json": "^2.1.1",
-    "@hookform/resolvers": "^5.2.1",
+    "@hookform/resolvers": "^5.2.2",
     "@react-hook/resize-observer": "^2.0.2",
     "@react-rxjs/core": "^0.10.8",
     "@stablelib/base64": "^2.0.1",
     "@stablelib/x25519": "^2.0.1",
-    "@tanstack/query-core": "^5.87.1",
-    "@tanstack/react-query": "^5.87.1",
+    "@tanstack/query-core": "^5.90.2",
+    "@tanstack/react-query": "^5.90.2",
     "@tanstack/react-virtual": "3.13.12",
     "@tanstack/virtual-core": "3.13.12",
     "@use-gesture/react": "^10.3.1",
-    "axios": "^1.12.0",
+    "axios": "^1.12.2",
     "byte-size": "^9.0.1",
     "classnames": "^2.5.1",
     "clsx": "^2.1.1",
@@ -71,14 +71,14 @@
     "get-text-width": "^1.0.3",
     "hex-rgb": "^5.0.0",
     "html-react-parser": "^5.2.6",
-    "humanize-duration": "^3.33.0",
+    "humanize-duration": "^3.33.1",
     "ipaddr.js": "^2.2.0",
-    "itertools": "^2.4.1",
+    "itertools": "^2.5.0",
     "js-base64": "^3.7.8",
     "lodash-es": "^4.17.21",
     "merge-refs": "^2.0.0",
     "millify": "^6.1.0",
-    "motion": "^12.23.12",
+    "motion": "^12.23.22",
     "numbro": "^2.5.0",
     "qrcode": "^1.5.4",
     "qs": "^6.14.0",
@@ -87,7 +87,7 @@
     "react-click-away-listener": "^2.4.0",
     "react-datepicker": "^8.7.0",
     "react-dom": "^19.1.1",
-    "react-hook-form": "^7.62.0",
+    "react-hook-form": "^7.63.0",
     "react-idle-timer": "^5.7.2",
     "react-intersection-observer": "^9.16.0",
     "react-is": "^19.1.1",
@@ -99,13 +99,13 @@
     "react-router-dom": "^6.30.1",
     "react-tracked": "^2.0.1",
     "react-virtualized-auto-sizer": "^1.0.26",
-    "recharts": "^3.2.0",
+    "recharts": "^3.2.1",
     "rehype-external-links": "^3.0.0",
     "rehype-raw": "^7.0.0",
     "rehype-sanitize": "^6.0.0",
     "rxjs": "^7.8.2",
     "scheduler": "^0.26.0",
-    "text-case": "^1.2.4",
+    "text-case": "^1.2.9",
     "typesafe-i18n": "^5.26.2",
     "use-breakpoint": "^4.0.6",
     "zod": "^3.25.76",
@@ -117,21 +117,21 @@
     "@csstools/css-parser-algorithms": "^3.0.5",
     "@csstools/css-tokenizer": "^3.0.4",
     "@hookform/devtools": "^4.4.0",
-    "@tanstack/react-query-devtools": "^5.87.3",
+    "@tanstack/react-query-devtools": "^5.90.2",
     "@types/byte-size": "^8.1.2",
     "@types/file-saver": "^2.0.7",
     "@types/humanize-duration": "^3.27.4",
     "@types/lodash-es": "^4.17.12",
-    "@types/node": "^24.3.1",
+    "@types/node": "^24.5.2",
     "@types/qs": "^6.14.0",
-    "@types/react": "^19.1.12",
+    "@types/react": "^19.1.13",
     "@types/react-dom": "^19.1.9",
     "@types/react-router-dom": "^5.3.3",
-    "@vitejs/plugin-react-swc": "^4.0.1",
+    "@vitejs/plugin-react-swc": "^4.1.0",
     "autoprefixer": "^10.4.21",
     "concurrently": "^9.2.1",
     "dotenv": "^17.2.2",
-    "esbuild": "^0.25.9",
+    "esbuild": "^0.25.10",
     "globals": "^16.4.0",
     "postcss": "^8.5.6",
     "prettier": "^3.6.2",
@@ -139,7 +139,7 @@
     "standard-version": "^9.5.0",
     "type-fest": "^4.41.0",
     "typescript": "~5.9.2",
-    "vite": "^7.1.5",
+    "vite": "^7.1.7",
     "vite-plugin-package-version": "^1.1.0"
   }
 }
diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml
index fb0bd13deb..a8738b8914 100644
--- a/web/pnpm-lock.yaml
+++ b/web/pnpm-lock.yaml
@@ -15,8 +15,8 @@ importers:
         specifier: ^2.1.1
         version: 2.1.1
       '@hookform/resolvers':
-        specifier: ^5.2.1
-        version: 5.2.1(react-hook-form@7.62.0(react@19.1.1))
+        specifier: ^5.2.2
+        version: 5.2.2(react-hook-form@7.63.0(react@19.1.1))
       '@react-hook/resize-observer':
         specifier: ^2.0.2
         version: 2.0.2(react@19.1.1)
@@ -30,11 +30,11 @@ importers:
         specifier: ^2.0.1
         version: 2.0.1
       '@tanstack/query-core':
-        specifier: ^5.87.1
-        version: 5.87.1
+        specifier: ^5.90.2
+        version: 5.90.2
       '@tanstack/react-query':
-        specifier: ^5.87.1
-        version: 5.87.1(react@19.1.1)
+        specifier: ^5.90.2
+        version: 5.90.2(react@19.1.1)
       '@tanstack/react-virtual':
         specifier: 3.13.12
         version: 3.13.12(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
@@ -45,8 +45,8 @@ importers:
         specifier: ^10.3.1
         version: 10.3.1(react@19.1.1)
       axios:
-        specifier: ^1.12.0
-        version: 1.12.0
+        specifier: ^1.12.2
+        version: 1.12.2
       byte-size:
         specifier: ^9.0.1
         version: 9.0.1
@@ -91,16 +91,16 @@ importers:
         version: 5.0.0
       html-react-parser:
         specifier: ^5.2.6
-        version: 5.2.6(@types/react@19.1.12)(react@19.1.1)
+        version: 5.2.6(@types/react@19.1.13)(react@19.1.1)
       humanize-duration:
-        specifier: ^3.33.0
-        version: 3.33.0
+        specifier: ^3.33.1
+        version: 3.33.1
       ipaddr.js:
         specifier: ^2.2.0
         version: 2.2.0
       itertools:
-        specifier: ^2.4.1
-        version: 2.4.1
+        specifier: ^2.5.0
+        version: 2.5.0
       js-base64:
         specifier: ^3.7.8
         version: 3.7.8
@@ -109,13 +109,13 @@ importers:
         version: 4.17.21
       merge-refs:
         specifier: ^2.0.0
-        version: 2.0.0(@types/react@19.1.12)
+        version: 2.0.0(@types/react@19.1.13)
       millify:
         specifier: ^6.1.0
         version: 6.1.0
       motion:
-        specifier: ^12.23.12
-        version: 12.23.12(@emotion/is-prop-valid@1.4.0)(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
+        specifier: ^12.23.22
+        version: 12.23.22(@emotion/is-prop-valid@1.4.0)(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
       numbro:
         specifier: ^2.5.0
         version: 2.5.0
@@ -141,8 +141,8 @@ importers:
         specifier: ^19.1.1
         version: 19.1.1(react@19.1.1)
       react-hook-form:
-        specifier: ^7.62.0
-        version: 7.62.0(react@19.1.1)
+        specifier: ^7.63.0
+        version: 7.63.0(react@19.1.1)
       react-idle-timer:
         specifier: ^5.7.2
         version: 5.7.2(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
@@ -157,7 +157,7 @@ importers:
         version: 3.5.0(react@19.1.1)
       react-markdown:
         specifier: ^10.1.0
-        version: 10.1.0(@types/react@19.1.12)(react@19.1.1)
+        version: 10.1.0(@types/react@19.1.13)(react@19.1.1)
       react-qr-code:
         specifier: ^2.0.18
         version: 2.0.18(react@19.1.1)
@@ -177,8 +177,8 @@ importers:
         specifier: ^1.0.26
         version: 1.0.26(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
       recharts:
-        specifier: ^3.2.0
-        version: 3.2.0(@types/react@19.1.12)(react-dom@19.1.1(react@19.1.1))(react-is@19.1.1)(react@19.1.1)(redux@5.0.1)
+        specifier: ^3.2.1
+        version: 3.2.1(@types/react@19.1.13)(react-dom@19.1.1(react@19.1.1))(react-is@19.1.1)(react@19.1.1)(redux@5.0.1)
       rehype-external-links:
         specifier: ^3.0.0
         version: 3.0.0
@@ -195,8 +195,8 @@ importers:
         specifier: ^0.26.0
         version: 0.26.0
       text-case:
-        specifier: ^1.2.4
-        version: 1.2.4
+        specifier: ^1.2.9
+        version: 1.2.9
       typesafe-i18n:
         specifier: ^5.26.2
         version: 5.26.2(typescript@5.9.2)
@@ -208,7 +208,7 @@ importers:
         version: 3.25.76
       zustand:
         specifier: ^5.0.8
-        version: 5.0.8(@types/react@19.1.12)(immer@10.1.3)(react@19.1.1)(use-sync-external-store@1.5.0(react@19.1.1))
+        version: 5.0.8(@types/react@19.1.13)(immer@10.1.3)(react@19.1.1)(use-sync-external-store@1.5.0(react@19.1.1))
     devDependencies:
       '@babel/core':
         specifier: ^7.28.4
@@ -224,10 +224,10 @@ importers:
         version: 3.0.4
       '@hookform/devtools':
         specifier: ^4.4.0
-        version: 4.4.0(@types/react@19.1.12)(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
+        version: 4.4.0(@types/react@19.1.13)(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
       '@tanstack/react-query-devtools':
-        specifier: ^5.87.3
-        version: 5.87.3(@tanstack/react-query@5.87.1(react@19.1.1))(react@19.1.1)
+        specifier: ^5.90.2
+        version: 5.90.2(@tanstack/react-query@5.90.2(react@19.1.1))(react@19.1.1)
       '@types/byte-size':
         specifier: ^8.1.2
         version: 8.1.2
@@ -241,23 +241,23 @@ importers:
         specifier: ^4.17.12
         version: 4.17.12
       '@types/node':
-        specifier: ^24.3.1
-        version: 24.3.1
+        specifier: ^24.5.2
+        version: 24.5.2
       '@types/qs':
         specifier: ^6.14.0
         version: 6.14.0
       '@types/react':
-        specifier: ^19.1.12
-        version: 19.1.12
+        specifier: ^19.1.13
+        version: 19.1.13
       '@types/react-dom':
         specifier: ^19.1.9
-        version: 19.1.9(@types/react@19.1.12)
+        version: 19.1.9(@types/react@19.1.13)
       '@types/react-router-dom':
         specifier: ^5.3.3
         version: 5.3.3
       '@vitejs/plugin-react-swc':
-        specifier: ^4.0.1
-        version: 4.0.1(vite@7.1.5(@types/node@24.3.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))
+        specifier: ^4.1.0
+        version: 4.1.0(vite@7.1.7(@types/node@24.5.2)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))
       autoprefixer:
         specifier: ^10.4.21
         version: 10.4.21(postcss@8.5.6)
@@ -268,8 +268,8 @@ importers:
         specifier: ^17.2.2
         version: 17.2.2
       esbuild:
-        specifier: ^0.25.9
-        version: 0.25.9
+        specifier: ^0.25.10
+        version: 0.25.10
       globals:
         specifier: ^16.4.0
         version: 16.4.0
@@ -292,11 +292,11 @@ importers:
         specifier: ~5.9.2
         version: 5.9.2
       vite:
-        specifier: ^7.1.5
-        version: 7.1.5(@types/node@24.3.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
+        specifier: ^7.1.7
+        version: 7.1.7(@types/node@24.5.2)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
       vite-plugin-package-version:
         specifier: ^1.1.0
-        version: 1.1.0(vite@7.1.5(@types/node@24.3.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))
+        version: 1.1.0(vite@7.1.7(@types/node@24.5.2)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))
 
 packages:
 
@@ -488,158 +488,158 @@ packages:
   '@emotion/weak-memoize@0.4.0':
     resolution: {integrity: sha512-snKqtPW01tN0ui7yu9rGv69aJXr/a/Ywvl11sUjNtEcRc+ng/mQriFL0wLXMef74iHa/EkftbDzU9F8iFbH+zg==}
 
-  '@esbuild/aix-ppc64@0.25.9':
-    resolution: {integrity: sha512-OaGtL73Jck6pBKjNIe24BnFE6agGl+6KxDtTfHhy1HmhthfKouEcOhqpSL64K4/0WCtbKFLOdzD/44cJ4k9opA==}
+  '@esbuild/aix-ppc64@0.25.10':
+    resolution: {integrity: sha512-0NFWnA+7l41irNuaSVlLfgNT12caWJVLzp5eAVhZ0z1qpxbockccEt3s+149rE64VUI3Ml2zt8Nv5JVc4QXTsw==}
     engines: {node: '>=18'}
     cpu: [ppc64]
     os: [aix]
 
-  '@esbuild/android-arm64@0.25.9':
-    resolution: {integrity: sha512-IDrddSmpSv51ftWslJMvl3Q2ZT98fUSL2/rlUXuVqRXHCs5EUF1/f+jbjF5+NG9UffUDMCiTyh8iec7u8RlTLg==}
+  '@esbuild/android-arm64@0.25.10':
+    resolution: {integrity: sha512-LSQa7eDahypv/VO6WKohZGPSJDq5OVOo3UoFR1E4t4Gj1W7zEQMUhI+lo81H+DtB+kP+tDgBp+M4oNCwp6kffg==}
     engines: {node: '>=18'}
     cpu: [arm64]
     os: [android]
 
-  '@esbuild/android-arm@0.25.9':
-    resolution: {integrity: sha512-5WNI1DaMtxQ7t7B6xa572XMXpHAaI/9Hnhk8lcxF4zVN4xstUgTlvuGDorBguKEnZO70qwEcLpfifMLoxiPqHQ==}
+  '@esbuild/android-arm@0.25.10':
+    resolution: {integrity: sha512-dQAxF1dW1C3zpeCDc5KqIYuZ1tgAdRXNoZP7vkBIRtKZPYe2xVr/d3SkirklCHudW1B45tGiUlz2pUWDfbDD4w==}
     engines: {node: '>=18'}
     cpu: [arm]
     os: [android]
 
-  '@esbuild/android-x64@0.25.9':
-    resolution: {integrity: sha512-I853iMZ1hWZdNllhVZKm34f4wErd4lMyeV7BLzEExGEIZYsOzqDWDf+y082izYUE8gtJnYHdeDpN/6tUdwvfiw==}
+  '@esbuild/android-x64@0.25.10':
+    resolution: {integrity: sha512-MiC9CWdPrfhibcXwr39p9ha1x0lZJ9KaVfvzA0Wxwz9ETX4v5CHfF09bx935nHlhi+MxhA63dKRRQLiVgSUtEg==}
     engines: {node: '>=18'}
     cpu: [x64]
     os: [android]
 
-  '@esbuild/darwin-arm64@0.25.9':
-    resolution: {integrity: sha512-XIpIDMAjOELi/9PB30vEbVMs3GV1v2zkkPnuyRRURbhqjyzIINwj+nbQATh4H9GxUgH1kFsEyQMxwiLFKUS6Rg==}
+  '@esbuild/darwin-arm64@0.25.10':
+    resolution: {integrity: sha512-JC74bdXcQEpW9KkV326WpZZjLguSZ3DfS8wrrvPMHgQOIEIG/sPXEN/V8IssoJhbefLRcRqw6RQH2NnpdprtMA==}
     engines: {node: '>=18'}
     cpu: [arm64]
     os: [darwin]
 
-  '@esbuild/darwin-x64@0.25.9':
-    resolution: {integrity: sha512-jhHfBzjYTA1IQu8VyrjCX4ApJDnH+ez+IYVEoJHeqJm9VhG9Dh2BYaJritkYK3vMaXrf7Ogr/0MQ8/MeIefsPQ==}
+  '@esbuild/darwin-x64@0.25.10':
+    resolution: {integrity: sha512-tguWg1olF6DGqzws97pKZ8G2L7Ig1vjDmGTwcTuYHbuU6TTjJe5FXbgs5C1BBzHbJ2bo1m3WkQDbWO2PvamRcg==}
     engines: {node: '>=18'}
     cpu: [x64]
     os: [darwin]
 
-  '@esbuild/freebsd-arm64@0.25.9':
-    resolution: {integrity: sha512-z93DmbnY6fX9+KdD4Ue/H6sYs+bhFQJNCPZsi4XWJoYblUqT06MQUdBCpcSfuiN72AbqeBFu5LVQTjfXDE2A6Q==}
+  '@esbuild/freebsd-arm64@0.25.10':
+    resolution: {integrity: sha512-3ZioSQSg1HT2N05YxeJWYR+Libe3bREVSdWhEEgExWaDtyFbbXWb49QgPvFH8u03vUPX10JhJPcz7s9t9+boWg==}
     engines: {node: '>=18'}
     cpu: [arm64]
     os: [freebsd]
 
-  '@esbuild/freebsd-x64@0.25.9':
-    resolution: {integrity: sha512-mrKX6H/vOyo5v71YfXWJxLVxgy1kyt1MQaD8wZJgJfG4gq4DpQGpgTB74e5yBeQdyMTbgxp0YtNj7NuHN0PoZg==}
+  '@esbuild/freebsd-x64@0.25.10':
+    resolution: {integrity: sha512-LLgJfHJk014Aa4anGDbh8bmI5Lk+QidDmGzuC2D+vP7mv/GeSN+H39zOf7pN5N8p059FcOfs2bVlrRr4SK9WxA==}
     engines: {node: '>=18'}
     cpu: [x64]
     os: [freebsd]
 
-  '@esbuild/linux-arm64@0.25.9':
-    resolution: {integrity: sha512-BlB7bIcLT3G26urh5Dmse7fiLmLXnRlopw4s8DalgZ8ef79Jj4aUcYbk90g8iCa2467HX8SAIidbL7gsqXHdRw==}
+  '@esbuild/linux-arm64@0.25.10':
+    resolution: {integrity: sha512-5luJWN6YKBsawd5f9i4+c+geYiVEw20FVW5x0v1kEMWNq8UctFjDiMATBxLvmmHA4bf7F6hTRaJgtghFr9iziQ==}
     engines: {node: '>=18'}
     cpu: [arm64]
     os: [linux]
 
-  '@esbuild/linux-arm@0.25.9':
-    resolution: {integrity: sha512-HBU2Xv78SMgaydBmdor38lg8YDnFKSARg1Q6AT0/y2ezUAKiZvc211RDFHlEZRFNRVhcMamiToo7bDx3VEOYQw==}
+  '@esbuild/linux-arm@0.25.10':
+    resolution: {integrity: sha512-oR31GtBTFYCqEBALI9r6WxoU/ZofZl962pouZRTEYECvNF/dtXKku8YXcJkhgK/beU+zedXfIzHijSRapJY3vg==}
     engines: {node: '>=18'}
     cpu: [arm]
     os: [linux]
 
-  '@esbuild/linux-ia32@0.25.9':
-    resolution: {integrity: sha512-e7S3MOJPZGp2QW6AK6+Ly81rC7oOSerQ+P8L0ta4FhVi+/j/v2yZzx5CqqDaWjtPFfYz21Vi1S0auHrap3Ma3A==}
+  '@esbuild/linux-ia32@0.25.10':
+    resolution: {integrity: sha512-NrSCx2Kim3EnnWgS4Txn0QGt0Xipoumb6z6sUtl5bOEZIVKhzfyp/Lyw4C1DIYvzeW/5mWYPBFJU3a/8Yr75DQ==}
     engines: {node: '>=18'}
     cpu: [ia32]
     os: [linux]
 
-  '@esbuild/linux-loong64@0.25.9':
-    resolution: {integrity: sha512-Sbe10Bnn0oUAB2AalYztvGcK+o6YFFA/9829PhOCUS9vkJElXGdphz0A3DbMdP8gmKkqPmPcMJmJOrI3VYB1JQ==}
+  '@esbuild/linux-loong64@0.25.10':
+    resolution: {integrity: sha512-xoSphrd4AZda8+rUDDfD9J6FUMjrkTz8itpTITM4/xgerAZZcFW7Dv+sun7333IfKxGG8gAq+3NbfEMJfiY+Eg==}
     engines: {node: '>=18'}
     cpu: [loong64]
     os: [linux]
 
-  '@esbuild/linux-mips64el@0.25.9':
-    resolution: {integrity: sha512-YcM5br0mVyZw2jcQeLIkhWtKPeVfAerES5PvOzaDxVtIyZ2NUBZKNLjC5z3/fUlDgT6w89VsxP2qzNipOaaDyA==}
+  '@esbuild/linux-mips64el@0.25.10':
+    resolution: {integrity: sha512-ab6eiuCwoMmYDyTnyptoKkVS3k8fy/1Uvq7Dj5czXI6DF2GqD2ToInBI0SHOp5/X1BdZ26RKc5+qjQNGRBelRA==}
     engines: {node: '>=18'}
     cpu: [mips64el]
     os: [linux]
 
-  '@esbuild/linux-ppc64@0.25.9':
-    resolution: {integrity: sha512-++0HQvasdo20JytyDpFvQtNrEsAgNG2CY1CLMwGXfFTKGBGQT3bOeLSYE2l1fYdvML5KUuwn9Z8L1EWe2tzs1w==}
+  '@esbuild/linux-ppc64@0.25.10':
+    resolution: {integrity: sha512-NLinzzOgZQsGpsTkEbdJTCanwA5/wozN9dSgEl12haXJBzMTpssebuXR42bthOF3z7zXFWH1AmvWunUCkBE4EA==}
     engines: {node: '>=18'}
     cpu: [ppc64]
     os: [linux]
 
-  '@esbuild/linux-riscv64@0.25.9':
-    resolution: {integrity: sha512-uNIBa279Y3fkjV+2cUjx36xkx7eSjb8IvnL01eXUKXez/CBHNRw5ekCGMPM0BcmqBxBcdgUWuUXmVWwm4CH9kg==}
+  '@esbuild/linux-riscv64@0.25.10':
+    resolution: {integrity: sha512-FE557XdZDrtX8NMIeA8LBJX3dC2M8VGXwfrQWU7LB5SLOajfJIxmSdyL/gU1m64Zs9CBKvm4UAuBp5aJ8OgnrA==}
     engines: {node: '>=18'}
     cpu: [riscv64]
     os: [linux]
 
-  '@esbuild/linux-s390x@0.25.9':
-    resolution: {integrity: sha512-Mfiphvp3MjC/lctb+7D287Xw1DGzqJPb/J2aHHcHxflUo+8tmN/6d4k6I2yFR7BVo5/g7x2Monq4+Yew0EHRIA==}
+  '@esbuild/linux-s390x@0.25.10':
+    resolution: {integrity: sha512-3BBSbgzuB9ajLoVZk0mGu+EHlBwkusRmeNYdqmznmMc9zGASFjSsxgkNsqmXugpPk00gJ0JNKh/97nxmjctdew==}
     engines: {node: '>=18'}
     cpu: [s390x]
     os: [linux]
 
-  '@esbuild/linux-x64@0.25.9':
-    resolution: {integrity: sha512-iSwByxzRe48YVkmpbgoxVzn76BXjlYFXC7NvLYq+b+kDjyyk30J0JY47DIn8z1MO3K0oSl9fZoRmZPQI4Hklzg==}
+  '@esbuild/linux-x64@0.25.10':
+    resolution: {integrity: sha512-QSX81KhFoZGwenVyPoberggdW1nrQZSvfVDAIUXr3WqLRZGZqWk/P4T8p2SP+de2Sr5HPcvjhcJzEiulKgnxtA==}
     engines: {node: '>=18'}
     cpu: [x64]
     os: [linux]
 
-  '@esbuild/netbsd-arm64@0.25.9':
-    resolution: {integrity: sha512-9jNJl6FqaUG+COdQMjSCGW4QiMHH88xWbvZ+kRVblZsWrkXlABuGdFJ1E9L7HK+T0Yqd4akKNa/lO0+jDxQD4Q==}
+  '@esbuild/netbsd-arm64@0.25.10':
+    resolution: {integrity: sha512-AKQM3gfYfSW8XRk8DdMCzaLUFB15dTrZfnX8WXQoOUpUBQ+NaAFCP1kPS/ykbbGYz7rxn0WS48/81l9hFl3u4A==}
     engines: {node: '>=18'}
     cpu: [arm64]
     os: [netbsd]
 
-  '@esbuild/netbsd-x64@0.25.9':
-    resolution: {integrity: sha512-RLLdkflmqRG8KanPGOU7Rpg829ZHu8nFy5Pqdi9U01VYtG9Y0zOG6Vr2z4/S+/3zIyOxiK6cCeYNWOFR9QP87g==}
+  '@esbuild/netbsd-x64@0.25.10':
+    resolution: {integrity: sha512-7RTytDPGU6fek/hWuN9qQpeGPBZFfB4zZgcz2VK2Z5VpdUxEI8JKYsg3JfO0n/Z1E/6l05n0unDCNc4HnhQGig==}
     engines: {node: '>=18'}
     cpu: [x64]
     os: [netbsd]
 
-  '@esbuild/openbsd-arm64@0.25.9':
-    resolution: {integrity: sha512-YaFBlPGeDasft5IIM+CQAhJAqS3St3nJzDEgsgFixcfZeyGPCd6eJBWzke5piZuZ7CtL656eOSYKk4Ls2C0FRQ==}
+  '@esbuild/openbsd-arm64@0.25.10':
+    resolution: {integrity: sha512-5Se0VM9Wtq797YFn+dLimf2Zx6McttsH2olUBsDml+lm0GOCRVebRWUvDtkY4BWYv/3NgzS8b/UM3jQNh5hYyw==}
     engines: {node: '>=18'}
     cpu: [arm64]
     os: [openbsd]
 
-  '@esbuild/openbsd-x64@0.25.9':
-    resolution: {integrity: sha512-1MkgTCuvMGWuqVtAvkpkXFmtL8XhWy+j4jaSO2wxfJtilVCi0ZE37b8uOdMItIHz4I6z1bWWtEX4CJwcKYLcuA==}
+  '@esbuild/openbsd-x64@0.25.10':
+    resolution: {integrity: sha512-XkA4frq1TLj4bEMB+2HnI0+4RnjbuGZfet2gs/LNs5Hc7D89ZQBHQ0gL2ND6Lzu1+QVkjp3x1gIcPKzRNP8bXw==}
     engines: {node: '>=18'}
     cpu: [x64]
     os: [openbsd]
 
-  '@esbuild/openharmony-arm64@0.25.9':
-    resolution: {integrity: sha512-4Xd0xNiMVXKh6Fa7HEJQbrpP3m3DDn43jKxMjxLLRjWnRsfxjORYJlXPO4JNcXtOyfajXorRKY9NkOpTHptErg==}
+  '@esbuild/openharmony-arm64@0.25.10':
+    resolution: {integrity: sha512-AVTSBhTX8Y/Fz6OmIVBip9tJzZEUcY8WLh7I59+upa5/GPhh2/aM6bvOMQySspnCCHvFi79kMtdJS1w0DXAeag==}
     engines: {node: '>=18'}
     cpu: [arm64]
     os: [openharmony]
 
-  '@esbuild/sunos-x64@0.25.9':
-    resolution: {integrity: sha512-WjH4s6hzo00nNezhp3wFIAfmGZ8U7KtrJNlFMRKxiI9mxEK1scOMAaa9i4crUtu+tBr+0IN6JCuAcSBJZfnphw==}
+  '@esbuild/sunos-x64@0.25.10':
+    resolution: {integrity: sha512-fswk3XT0Uf2pGJmOpDB7yknqhVkJQkAQOcW/ccVOtfx05LkbWOaRAtn5SaqXypeKQra1QaEa841PgrSL9ubSPQ==}
     engines: {node: '>=18'}
     cpu: [x64]
     os: [sunos]
 
-  '@esbuild/win32-arm64@0.25.9':
-    resolution: {integrity: sha512-mGFrVJHmZiRqmP8xFOc6b84/7xa5y5YvR1x8djzXpJBSv/UsNK6aqec+6JDjConTgvvQefdGhFDAs2DLAds6gQ==}
+  '@esbuild/win32-arm64@0.25.10':
+    resolution: {integrity: sha512-ah+9b59KDTSfpaCg6VdJoOQvKjI33nTaQr4UluQwW7aEwZQsbMCfTmfEO4VyewOxx4RaDT/xCy9ra2GPWmO7Kw==}
     engines: {node: '>=18'}
     cpu: [arm64]
     os: [win32]
 
-  '@esbuild/win32-ia32@0.25.9':
-    resolution: {integrity: sha512-b33gLVU2k11nVx1OhX3C8QQP6UHQK4ZtN56oFWvVXvz2VkDoe6fbG8TOgHFxEvqeqohmRnIHe5A1+HADk4OQww==}
+  '@esbuild/win32-ia32@0.25.10':
+    resolution: {integrity: sha512-QHPDbKkrGO8/cz9LKVnJU22HOi4pxZnZhhA2HYHez5Pz4JeffhDjf85E57Oyco163GnzNCVkZK0b/n4Y0UHcSw==}
     engines: {node: '>=18'}
     cpu: [ia32]
     os: [win32]
 
-  '@esbuild/win32-x64@0.25.9':
-    resolution: {integrity: sha512-PPOl1mi6lpLNQxnGoyAfschAodRFYXJ+9fs6WHXz7CSWKbOqiMZsubC+BQsVKuul+3vKLuwTHsS2c2y9EoKwxQ==}
+  '@esbuild/win32-x64@0.25.10':
+    resolution: {integrity: sha512-9KpxSVFCu0iK1owoez6aC/s/EdUQLDN3adTxGCqxMVhrPDj6bt5dbrHDXUuq+Bs2vATFBBrQS5vdQ/Ed2P+nbw==}
     engines: {node: '>=18'}
     cpu: [x64]
     os: [win32]
@@ -676,8 +676,8 @@ packages:
       react: ^16.8.0 || ^17 || ^18 || ^19
       react-dom: ^16.8.0 || ^17 || ^18 || ^19
 
-  '@hookform/resolvers@5.2.1':
-    resolution: {integrity: sha512-u0+6X58gkjMcxur1wRWokA7XsiiBJ6aK17aPZxhkoYiK5J+HcTx0Vhu9ovXe6H+dVpO6cjrn2FkJTryXEMlryQ==}
+  '@hookform/resolvers@5.2.2':
+    resolution: {integrity: sha512-A/IxlMLShx3KjV/HeTcTfaMxdwy690+L/ZADoeaTltLx+CVuzkeVIPuybK3jrRfw7YZnmdKsVVHAlEPIAEUNlA==}
     peerDependencies:
       react-hook-form: ^7.55.0
 
@@ -701,9 +701,6 @@ packages:
   '@jridgewell/sourcemap-codec@1.5.5':
     resolution: {integrity: sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==}
 
-  '@jridgewell/trace-mapping@0.3.30':
-    resolution: {integrity: sha512-GQ7Nw5G2lTu/BtHTKfXhKHok2WGetd4XYcVKGx00SjAk8GMwgJM3zr6zORiPGuOE+/vkc90KtTosSSvaCjKb2Q==}
-
   '@jridgewell/trace-mapping@0.3.31':
     resolution: {integrity: sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw==}
 
@@ -743,111 +740,116 @@ packages:
     resolution: {integrity: sha512-O3rHJzAQKamUz1fvE0Qaw0xSFqsA/yafi2iqeE0pvdFtCO1viYx8QL6f3Ln/aCCTLxs68SLf0KPM9eSeM8yBnA==}
     engines: {node: '>=14.0.0'}
 
-  '@rolldown/pluginutils@1.0.0-beta.32':
-    resolution: {integrity: sha512-QReCdvxiUZAPkvp1xpAg62IeNzykOFA6syH2CnClif4YmALN1XKpB39XneL80008UbtMShthSVDKmrx05N1q/g==}
+  '@rolldown/pluginutils@1.0.0-beta.35':
+    resolution: {integrity: sha512-slYrCpoxJUqzFDDNlvrOYRazQUNRvWPjXA17dAOISY3rDMxX6k8K4cj2H+hEYMHF81HO3uNd5rHVigAWRM5dSg==}
 
-  '@rollup/rollup-android-arm-eabi@4.50.1':
-    resolution: {integrity: sha512-HJXwzoZN4eYTdD8bVV22DN8gsPCAj3V20NHKOs8ezfXanGpmVPR7kalUHd+Y31IJp9stdB87VKPFbsGY3H/2ag==}
+  '@rollup/rollup-android-arm-eabi@4.52.2':
+    resolution: {integrity: sha512-o3pcKzJgSGt4d74lSZ+OCnHwkKBeAbFDmbEm5gg70eA8VkyCuC/zV9TwBnmw6VjDlRdF4Pshfb+WE9E6XY1PoQ==}
     cpu: [arm]
     os: [android]
 
-  '@rollup/rollup-android-arm64@4.50.1':
-    resolution: {integrity: sha512-PZlsJVcjHfcH53mOImyt3bc97Ep3FJDXRpk9sMdGX0qgLmY0EIWxCag6EigerGhLVuL8lDVYNnSo8qnTElO4xw==}
+  '@rollup/rollup-android-arm64@4.52.2':
+    resolution: {integrity: sha512-cqFSWO5tX2vhC9hJTK8WAiPIm4Q8q/cU8j2HQA0L3E1uXvBYbOZMhE2oFL8n2pKB5sOCHY6bBuHaRwG7TkfJyw==}
     cpu: [arm64]
     os: [android]
 
-  '@rollup/rollup-darwin-arm64@4.50.1':
-    resolution: {integrity: sha512-xc6i2AuWh++oGi4ylOFPmzJOEeAa2lJeGUGb4MudOtgfyyjr4UPNK+eEWTPLvmPJIY/pgw6ssFIox23SyrkkJw==}
+  '@rollup/rollup-darwin-arm64@4.52.2':
+    resolution: {integrity: sha512-vngduywkkv8Fkh3wIZf5nFPXzWsNsVu1kvtLETWxTFf/5opZmflgVSeLgdHR56RQh71xhPhWoOkEBvbehwTlVA==}
     cpu: [arm64]
     os: [darwin]
 
-  '@rollup/rollup-darwin-x64@4.50.1':
-    resolution: {integrity: sha512-2ofU89lEpDYhdLAbRdeyz/kX3Y2lpYc6ShRnDjY35bZhd2ipuDMDi6ZTQ9NIag94K28nFMofdnKeHR7BT0CATw==}
+  '@rollup/rollup-darwin-x64@4.52.2':
+    resolution: {integrity: sha512-h11KikYrUCYTrDj6h939hhMNlqU2fo/X4NB0OZcys3fya49o1hmFaczAiJWVAFgrM1NCP6RrO7lQKeVYSKBPSQ==}
     cpu: [x64]
     os: [darwin]
 
-  '@rollup/rollup-freebsd-arm64@4.50.1':
-    resolution: {integrity: sha512-wOsE6H2u6PxsHY/BeFHA4VGQN3KUJFZp7QJBmDYI983fgxq5Th8FDkVuERb2l9vDMs1D5XhOrhBrnqcEY6l8ZA==}
+  '@rollup/rollup-freebsd-arm64@4.52.2':
+    resolution: {integrity: sha512-/eg4CI61ZUkLXxMHyVlmlGrSQZ34xqWlZNW43IAU4RmdzWEx0mQJ2mN/Cx4IHLVZFL6UBGAh+/GXhgvGb+nVxw==}
     cpu: [arm64]
     os: [freebsd]
 
-  '@rollup/rollup-freebsd-x64@4.50.1':
-    resolution: {integrity: sha512-A/xeqaHTlKbQggxCqispFAcNjycpUEHP52mwMQZUNqDUJFFYtPHCXS1VAG29uMlDzIVr+i00tSFWFLivMcoIBQ==}
+  '@rollup/rollup-freebsd-x64@4.52.2':
+    resolution: {integrity: sha512-QOWgFH5X9+p+S1NAfOqc0z8qEpJIoUHf7OWjNUGOeW18Mx22lAUOiA9b6r2/vpzLdfxi/f+VWsYjUOMCcYh0Ng==}
     cpu: [x64]
     os: [freebsd]
 
-  '@rollup/rollup-linux-arm-gnueabihf@4.50.1':
-    resolution: {integrity: sha512-54v4okehwl5TaSIkpp97rAHGp7t3ghinRd/vyC1iXqXMfjYUTm7TfYmCzXDoHUPTTf36L8pr0E7YsD3CfB3ZDg==}
+  '@rollup/rollup-linux-arm-gnueabihf@4.52.2':
+    resolution: {integrity: sha512-kDWSPafToDd8LcBYd1t5jw7bD5Ojcu12S3uT372e5HKPzQt532vW+rGFFOaiR0opxePyUkHrwz8iWYEyH1IIQA==}
     cpu: [arm]
     os: [linux]
 
-  '@rollup/rollup-linux-arm-musleabihf@4.50.1':
-    resolution: {integrity: sha512-p/LaFyajPN/0PUHjv8TNyxLiA7RwmDoVY3flXHPSzqrGcIp/c2FjwPPP5++u87DGHtw+5kSH5bCJz0mvXngYxw==}
+  '@rollup/rollup-linux-arm-musleabihf@4.52.2':
+    resolution: {integrity: sha512-gKm7Mk9wCv6/rkzwCiUC4KnevYhlf8ztBrDRT9g/u//1fZLapSRc+eDZj2Eu2wpJ+0RzUKgtNijnVIB4ZxyL+w==}
     cpu: [arm]
     os: [linux]
 
-  '@rollup/rollup-linux-arm64-gnu@4.50.1':
-    resolution: {integrity: sha512-2AbMhFFkTo6Ptna1zO7kAXXDLi7H9fGTbVaIq2AAYO7yzcAsuTNWPHhb2aTA6GPiP+JXh85Y8CiS54iZoj4opw==}
+  '@rollup/rollup-linux-arm64-gnu@4.52.2':
+    resolution: {integrity: sha512-66lA8vnj5mB/rtDNwPgrrKUOtCLVQypkyDa2gMfOefXK6rcZAxKLO9Fy3GkW8VkPnENv9hBkNOFfGLf6rNKGUg==}
     cpu: [arm64]
     os: [linux]
 
-  '@rollup/rollup-linux-arm64-musl@4.50.1':
-    resolution: {integrity: sha512-Cgef+5aZwuvesQNw9eX7g19FfKX5/pQRIyhoXLCiBOrWopjo7ycfB292TX9MDcDijiuIJlx1IzJz3IoCPfqs9w==}
+  '@rollup/rollup-linux-arm64-musl@4.52.2':
+    resolution: {integrity: sha512-s+OPucLNdJHvuZHuIz2WwncJ+SfWHFEmlC5nKMUgAelUeBUnlB4wt7rXWiyG4Zn07uY2Dd+SGyVa9oyLkVGOjA==}
     cpu: [arm64]
     os: [linux]
 
-  '@rollup/rollup-linux-loongarch64-gnu@4.50.1':
-    resolution: {integrity: sha512-RPhTwWMzpYYrHrJAS7CmpdtHNKtt2Ueo+BlLBjfZEhYBhK00OsEqM08/7f+eohiF6poe0YRDDd8nAvwtE/Y62Q==}
+  '@rollup/rollup-linux-loong64-gnu@4.52.2':
+    resolution: {integrity: sha512-8wTRM3+gVMDLLDdaT6tKmOE3lJyRy9NpJUS/ZRWmLCmOPIJhVyXwjBo+XbrrwtV33Em1/eCTd5TuGJm4+DmYjw==}
     cpu: [loong64]
     os: [linux]
 
-  '@rollup/rollup-linux-ppc64-gnu@4.50.1':
-    resolution: {integrity: sha512-eSGMVQw9iekut62O7eBdbiccRguuDgiPMsw++BVUg+1K7WjZXHOg/YOT9SWMzPZA+w98G+Fa1VqJgHZOHHnY0Q==}
+  '@rollup/rollup-linux-ppc64-gnu@4.52.2':
+    resolution: {integrity: sha512-6yqEfgJ1anIeuP2P/zhtfBlDpXUb80t8DpbYwXQ3bQd95JMvUaqiX+fKqYqUwZXqdJDd8xdilNtsHM2N0cFm6A==}
     cpu: [ppc64]
     os: [linux]
 
-  '@rollup/rollup-linux-riscv64-gnu@4.50.1':
-    resolution: {integrity: sha512-S208ojx8a4ciIPrLgazF6AgdcNJzQE4+S9rsmOmDJkusvctii+ZvEuIC4v/xFqzbuP8yDjn73oBlNDgF6YGSXQ==}
+  '@rollup/rollup-linux-riscv64-gnu@4.52.2':
+    resolution: {integrity: sha512-sshYUiYVSEI2B6dp4jMncwxbrUqRdNApF2c3bhtLAU0qA8Lrri0p0NauOsTWh3yCCCDyBOjESHMExonp7Nzc0w==}
     cpu: [riscv64]
     os: [linux]
 
-  '@rollup/rollup-linux-riscv64-musl@4.50.1':
-    resolution: {integrity: sha512-3Ag8Ls1ggqkGUvSZWYcdgFwriy2lWo+0QlYgEFra/5JGtAd6C5Hw59oojx1DeqcA2Wds2ayRgvJ4qxVTzCHgzg==}
+  '@rollup/rollup-linux-riscv64-musl@4.52.2':
+    resolution: {integrity: sha512-duBLgd+3pqC4MMwBrKkFxaZerUxZcYApQVC5SdbF5/e/589GwVvlRUnyqMFbM8iUSb1BaoX/3fRL7hB9m2Pj8Q==}
     cpu: [riscv64]
     os: [linux]
 
-  '@rollup/rollup-linux-s390x-gnu@4.50.1':
-    resolution: {integrity: sha512-t9YrKfaxCYe7l7ldFERE1BRg/4TATxIg+YieHQ966jwvo7ddHJxPj9cNFWLAzhkVsbBvNA4qTbPVNsZKBO4NSg==}
+  '@rollup/rollup-linux-s390x-gnu@4.52.2':
+    resolution: {integrity: sha512-tzhYJJidDUVGMgVyE+PmxENPHlvvqm1KILjjZhB8/xHYqAGeizh3GBGf9u6WdJpZrz1aCpIIHG0LgJgH9rVjHQ==}
     cpu: [s390x]
     os: [linux]
 
-  '@rollup/rollup-linux-x64-gnu@4.50.1':
-    resolution: {integrity: sha512-MCgtFB2+SVNuQmmjHf+wfI4CMxy3Tk8XjA5Z//A0AKD7QXUYFMQcns91K6dEHBvZPCnhJSyDWLApk40Iq/H3tA==}
+  '@rollup/rollup-linux-x64-gnu@4.52.2':
+    resolution: {integrity: sha512-opH8GSUuVcCSSyHHcl5hELrmnk4waZoVpgn/4FDao9iyE4WpQhyWJ5ryl5M3ocp4qkRuHfyXnGqg8M9oKCEKRA==}
     cpu: [x64]
     os: [linux]
 
-  '@rollup/rollup-linux-x64-musl@4.50.1':
-    resolution: {integrity: sha512-nEvqG+0jeRmqaUMuwzlfMKwcIVffy/9KGbAGyoa26iu6eSngAYQ512bMXuqqPrlTyfqdlB9FVINs93j534UJrg==}
+  '@rollup/rollup-linux-x64-musl@4.52.2':
+    resolution: {integrity: sha512-LSeBHnGli1pPKVJ79ZVJgeZWWZXkEe/5o8kcn23M8eMKCUANejchJbF/JqzM4RRjOJfNRhKJk8FuqL1GKjF5oQ==}
     cpu: [x64]
     os: [linux]
 
-  '@rollup/rollup-openharmony-arm64@4.50.1':
-    resolution: {integrity: sha512-RDsLm+phmT3MJd9SNxA9MNuEAO/J2fhW8GXk62G/B4G7sLVumNFbRwDL6v5NrESb48k+QMqdGbHgEtfU0LCpbA==}
+  '@rollup/rollup-openharmony-arm64@4.52.2':
+    resolution: {integrity: sha512-uPj7MQ6/s+/GOpolavm6BPo+6CbhbKYyZHUDvZ/SmJM7pfDBgdGisFX3bY/CBDMg2ZO4utfhlApkSfZ92yXw7Q==}
     cpu: [arm64]
     os: [openharmony]
 
-  '@rollup/rollup-win32-arm64-msvc@4.50.1':
-    resolution: {integrity: sha512-hpZB/TImk2FlAFAIsoElM3tLzq57uxnGYwplg6WDyAxbYczSi8O2eQ+H2Lx74504rwKtZ3N2g4bCUkiamzS6TQ==}
+  '@rollup/rollup-win32-arm64-msvc@4.52.2':
+    resolution: {integrity: sha512-Z9MUCrSgIaUeeHAiNkm3cQyst2UhzjPraR3gYYfOjAuZI7tcFRTOD+4cHLPoS/3qinchth+V56vtqz1Tv+6KPA==}
     cpu: [arm64]
     os: [win32]
 
-  '@rollup/rollup-win32-ia32-msvc@4.50.1':
-    resolution: {integrity: sha512-SXjv8JlbzKM0fTJidX4eVsH+Wmnp0/WcD8gJxIZyR6Gay5Qcsmdbi9zVtnbkGPG8v2vMR1AD06lGWy5FLMcG7A==}
+  '@rollup/rollup-win32-ia32-msvc@4.52.2':
+    resolution: {integrity: sha512-+GnYBmpjldD3XQd+HMejo+0gJGwYIOfFeoBQv32xF/RUIvccUz20/V6Otdv+57NE70D5pa8W/jVGDoGq0oON4A==}
     cpu: [ia32]
     os: [win32]
 
-  '@rollup/rollup-win32-x64-msvc@4.50.1':
-    resolution: {integrity: sha512-StxAO/8ts62KZVRAm4JZYq9+NqNsV7RvimNK+YM7ry//zebEH6meuugqW/P5OFUCjyQgui+9fUxT6d5NShvMvA==}
+  '@rollup/rollup-win32-x64-gnu@4.52.2':
+    resolution: {integrity: sha512-ApXFKluSB6kDQkAqZOKXBjiaqdF1BlKi+/eqnYe9Ee7U2K3pUDKsIyr8EYm/QDHTJIM+4X+lI0gJc3TTRhd+dA==}
+    cpu: [x64]
+    os: [win32]
+
+  '@rollup/rollup-win32-x64-msvc@4.52.2':
+    resolution: {integrity: sha512-ARz+Bs8kY6FtitYM96PqPEVvPXqEZmPZsSkXvyX19YzDqkCaIlhCieLLMI5hxO9SRZ2XtCtm8wxhy0iJ2jxNfw==}
     cpu: [x64]
     os: [win32]
 
@@ -886,68 +888,68 @@ packages:
   '@standard-schema/utils@0.3.0':
     resolution: {integrity: sha512-e7Mew686owMaPJVNNLs55PUvgz371nKgwsc4vxE49zsODpJEnxgxRo2y/OKrqueavXgZNMDVj3DdHFlaSAeU8g==}
 
-  '@swc/core-darwin-arm64@1.13.5':
-    resolution: {integrity: sha512-lKNv7SujeXvKn16gvQqUQI5DdyY8v7xcoO3k06/FJbHJS90zEwZdQiMNRiqpYw/orU543tPaWgz7cIYWhbopiQ==}
+  '@swc/core-darwin-arm64@1.13.19':
+    resolution: {integrity: sha512-NxDyte9tCJSJ8+R62WDtqwg8eI57lubD52sHyGOfezpJBOPr36bUSGGLyO3Vod9zTGlOu2CpkuzA/2iVw92u1g==}
     engines: {node: '>=10'}
     cpu: [arm64]
     os: [darwin]
 
-  '@swc/core-darwin-x64@1.13.5':
-    resolution: {integrity: sha512-ILd38Fg/w23vHb0yVjlWvQBoE37ZJTdlLHa8LRCFDdX4WKfnVBiblsCU9ar4QTMNdeTBEX9iUF4IrbNWhaF1Ng==}
+  '@swc/core-darwin-x64@1.13.19':
+    resolution: {integrity: sha512-+w5DYrJndSygFFRDcuPYmx5BljD6oYnAohZ15K1L6SfORHp/BTSIbgSFRKPoyhjuIkDiq3W0um8RoMTOBAcQjQ==}
     engines: {node: '>=10'}
     cpu: [x64]
     os: [darwin]
 
-  '@swc/core-linux-arm-gnueabihf@1.13.5':
-    resolution: {integrity: sha512-Q6eS3Pt8GLkXxqz9TAw+AUk9HpVJt8Uzm54MvPsqp2yuGmY0/sNaPPNVqctCX9fu/Nu8eaWUen0si6iEiCsazQ==}
+  '@swc/core-linux-arm-gnueabihf@1.13.19':
+    resolution: {integrity: sha512-7LlfgpdwwYq2q7himNkAAFo4q6jysMLFNoBH6GRP7WL29NcSsl5mPMJjmYZymK+sYq/9MTVieDTQvChzYDsapw==}
     engines: {node: '>=10'}
     cpu: [arm]
     os: [linux]
 
-  '@swc/core-linux-arm64-gnu@1.13.5':
-    resolution: {integrity: sha512-aNDfeN+9af+y+M2MYfxCzCy/VDq7Z5YIbMqRI739o8Ganz6ST+27kjQFd8Y/57JN/hcnUEa9xqdS3XY7WaVtSw==}
+  '@swc/core-linux-arm64-gnu@1.13.19':
+    resolution: {integrity: sha512-ml3I6Lm2marAQ3UC/TS9t/yILBh/eDSVHAdPpikp652xouWAVW1znUeV6bBSxe1sSZIenv+p55ubKAWq/u84sQ==}
     engines: {node: '>=10'}
     cpu: [arm64]
     os: [linux]
 
-  '@swc/core-linux-arm64-musl@1.13.5':
-    resolution: {integrity: sha512-9+ZxFN5GJag4CnYnq6apKTnnezpfJhCumyz0504/JbHLo+Ue+ZtJnf3RhyA9W9TINtLE0bC4hKpWi8ZKoETyOQ==}
+  '@swc/core-linux-arm64-musl@1.13.19':
+    resolution: {integrity: sha512-M/otFc3/rWWkbF6VgbOXVzUKVoE7MFcphTaStxJp4bwb7oP5slYlxMZN51Dk/OTOfvCDo9pTAFDKNyixbkXMDQ==}
     engines: {node: '>=10'}
     cpu: [arm64]
     os: [linux]
 
-  '@swc/core-linux-x64-gnu@1.13.5':
-    resolution: {integrity: sha512-WD530qvHrki8Ywt/PloKUjaRKgstQqNGvmZl54g06kA+hqtSE2FTG9gngXr3UJxYu/cNAjJYiBifm7+w4nbHbA==}
+  '@swc/core-linux-x64-gnu@1.13.19':
+    resolution: {integrity: sha512-NoMUKaOJEdouU4tKF88ggdDHFiRRING+gYLxDqnTfm+sUXaizB5OGBRzvSVDYSXQb1SuUuChnXFPFzwTWbt3ZQ==}
     engines: {node: '>=10'}
     cpu: [x64]
     os: [linux]
 
-  '@swc/core-linux-x64-musl@1.13.5':
-    resolution: {integrity: sha512-Luj8y4OFYx4DHNQTWjdIuKTq2f5k6uSXICqx+FSabnXptaOBAbJHNbHT/06JZh6NRUouaf0mYXN0mcsqvkhd7Q==}
+  '@swc/core-linux-x64-musl@1.13.19':
+    resolution: {integrity: sha512-r6krlZwyu8SBaw24QuS1lau2I9q8M+eJV6ITz0rpb6P1Bx0elf9ii5Bhh8ddmIqXXH8kOGSjC/dwcdHbZqAhgw==}
     engines: {node: '>=10'}
     cpu: [x64]
     os: [linux]
 
-  '@swc/core-win32-arm64-msvc@1.13.5':
-    resolution: {integrity: sha512-cZ6UpumhF9SDJvv4DA2fo9WIzlNFuKSkZpZmPG1c+4PFSEMy5DFOjBSllCvnqihCabzXzpn6ykCwBmHpy31vQw==}
+  '@swc/core-win32-arm64-msvc@1.13.19':
+    resolution: {integrity: sha512-awcZSIuxyVn0Dw28VjMvgk1qiDJ6CeQwHkZNUjg2UxVlq23zE01NMMp+zkoGFypmLG9gaGmJSzuoqvk/WCQ5tw==}
     engines: {node: '>=10'}
     cpu: [arm64]
     os: [win32]
 
-  '@swc/core-win32-ia32-msvc@1.13.5':
-    resolution: {integrity: sha512-C5Yi/xIikrFUzZcyGj9L3RpKljFvKiDMtyDzPKzlsDrKIw2EYY+bF88gB6oGY5RGmv4DAX8dbnpRAqgFD0FMEw==}
+  '@swc/core-win32-ia32-msvc@1.13.19':
+    resolution: {integrity: sha512-H5d+KO7ISoLNgYvTbOcCQjJZNM3R7yaYlrMAF13lUr6GSiOUX+92xtM31B+HvzAWI7HtvVe74d29aC1b1TpXFA==}
     engines: {node: '>=10'}
     cpu: [ia32]
     os: [win32]
 
-  '@swc/core-win32-x64-msvc@1.13.5':
-    resolution: {integrity: sha512-YrKdMVxbYmlfybCSbRtrilc6UA8GF5aPmGKBdPvjrarvsmf4i7ZHGCEnLtfOMd3Lwbs2WUZq3WdMbozYeLU93Q==}
+  '@swc/core-win32-x64-msvc@1.13.19':
+    resolution: {integrity: sha512-qNoyCpXvv2O3JqXKanRIeoMn03Fho/As+N4Fhe7u0FsYh4VYqGQah4DGDzEP/yjl4Gx1IElhqLGDhCCGMwWaDw==}
     engines: {node: '>=10'}
     cpu: [x64]
     os: [win32]
 
-  '@swc/core@1.13.5':
-    resolution: {integrity: sha512-WezcBo8a0Dg2rnR82zhwoR6aRNxeTGfK5QCD6TQ+kg3xx/zNT02s/0o+81h/3zhvFSB24NtqEr8FTw88O5W/JQ==}
+  '@swc/core@1.13.19':
+    resolution: {integrity: sha512-V1r4wFdjaZIUIZZrV2Mb/prEeu03xvSm6oatPxsvnXKF9lNh5Jtk9QvUdiVfD9rrvi7bXrAVhg9Wpbmv/2Fl1g==}
     engines: {node: '>=10'}
     peerDependencies:
       '@swc/helpers': '>=0.5.17'
@@ -961,20 +963,20 @@ packages:
   '@swc/types@0.1.25':
     resolution: {integrity: sha512-iAoY/qRhNH8a/hBvm3zKj9qQ4oc2+3w1unPJa2XvTK3XjeLXtzcCingVPw/9e5mn1+0yPqxcBGp9Jf0pkfMb1g==}
 
-  '@tanstack/query-core@5.87.1':
-    resolution: {integrity: sha512-HOFHVvhOCprrWvtccSzc7+RNqpnLlZ5R6lTmngb8aq7b4rc2/jDT0w+vLdQ4lD9bNtQ+/A4GsFXy030Gk4ollA==}
+  '@tanstack/query-core@5.90.2':
+    resolution: {integrity: sha512-k/TcR3YalnzibscALLwxeiLUub6jN5EDLwKDiO7q5f4ICEoptJ+n9+7vcEFy5/x/i6Q+Lb/tXrsKCggf5uQJXQ==}
 
-  '@tanstack/query-devtools@5.87.3':
-    resolution: {integrity: sha512-LkzxzSr2HS1ALHTgDmJH5eGAVsSQiuwz//VhFW5OqNk0OQ+Fsqba0Tsf+NzWRtXYvpgUqwQr4b2zdFZwxHcGvg==}
+  '@tanstack/query-devtools@5.90.1':
+    resolution: {integrity: sha512-GtINOPjPUH0OegJExZ70UahT9ykmAhmtNVcmtdnOZbxLwT7R5OmRztR5Ahe3/Cu7LArEmR6/588tAycuaWb1xQ==}
 
-  '@tanstack/react-query-devtools@5.87.3':
-    resolution: {integrity: sha512-uV7m4/m58jU4OaLEyiPLRoXnL5H5E598lhFLSXIcK83on+ZXW7aIfiu5kwRwe1qFa4X4thH8wKaxz1lt6jNmAA==}
+  '@tanstack/react-query-devtools@5.90.2':
+    resolution: {integrity: sha512-vAXJzZuBXtCQtrY3F/yUNJCV4obT/A/n81kb3+YqLbro5Z2+phdAbceO+deU3ywPw8B42oyJlp4FhO0SoivDFQ==}
     peerDependencies:
-      '@tanstack/react-query': ^5.87.1
+      '@tanstack/react-query': ^5.90.2
       react: ^18 || ^19
 
-  '@tanstack/react-query@5.87.1':
-    resolution: {integrity: sha512-YKauf8jfMowgAqcxj96AHs+Ux3m3bWT1oSVKamaRPXSnW2HqSznnTCEkAVqctF1e/W9R/mPcyzzINIgpOH94qg==}
+  '@tanstack/react-query@5.90.2':
+    resolution: {integrity: sha512-CLABiR+h5PYfOWr/z+vWFt5VsOA2ekQeRQBFSKlcoW6Ndx/f8rfyVmq4LbgOM4GG2qtxAxjLYLOpCNTYm4uKzw==}
     peerDependencies:
       react: ^18 || ^19
 
@@ -990,8 +992,8 @@ packages:
   '@types/byte-size@8.1.2':
     resolution: {integrity: sha512-jGyVzYu6avI8yuqQCNTZd65tzI8HZrLjKX9sdMqZrGWVlNChu0rf6p368oVEDCYJe5BMx2Ov04tD1wqtgTwGSA==}
 
-  '@types/d3-array@3.2.1':
-    resolution: {integrity: sha512-Y2Jn2idRrLzUfAKV2LyRImR+y4oa2AntrgID95SHJxuMUrkNXmanDSed71sRNZysveJVt1hLLemQZIady0FpEg==}
+  '@types/d3-array@3.2.2':
+    resolution: {integrity: sha512-hOLWVbm7uRza0BYXpIIW5pxfrKe0W+D5lrFiAEYR+pb6w3N2SwSMaJbXdUfSEv+dT4MfHBLtn5js0LAWaO6otw==}
 
   '@types/d3-color@3.1.3':
     resolution: {integrity: sha512-iO90scth9WAbmgv7ogoq57O9YpKmFBbmoEoCHDB2xMBY0+/KVrqAaCDyCE16dUspeOvIxFFRI+0sEtqDqy2b4A==}
@@ -1053,8 +1055,8 @@ packages:
   '@types/ms@2.1.0':
     resolution: {integrity: sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==}
 
-  '@types/node@24.3.1':
-    resolution: {integrity: sha512-3vXmQDXy+woz+gnrTvuvNrPzekOi+Ds0ReMxw0LzBiK3a+1k0kQn9f2NWk+lgD4rJehFUmYy2gMhJ2ZI+7YP9g==}
+  '@types/node@24.5.2':
+    resolution: {integrity: sha512-FYxk1I7wPv3K2XBaoyH2cTnocQEu8AOZ60hPbsyukMPLv5/5qr7V1i8PLHdl6Zf87I+xZXFvPCXYjiTFq+YSDQ==}
 
   '@types/normalize-package-data@2.4.4':
     resolution: {integrity: sha512-37i+OaWTh9qeK4LSHPsyRC7NahnGotNuZvjLSgcPzblpHB3rrCJxAOgI5gCdKm7coonsaX1Of0ILiTcnZjbfxA==}
@@ -1076,8 +1078,8 @@ packages:
   '@types/react-router@5.1.20':
     resolution: {integrity: sha512-jGjmu/ZqS7FjSH6owMcD5qpq19+1RS9DeVRqfl1FeBMxTDQAGwlMWOcs52NDoXaNKyG3d1cYQFMs9rCrb88o9Q==}
 
-  '@types/react@19.1.12':
-    resolution: {integrity: sha512-cMoR+FoAf/Jyq6+Df2/Z41jISvGZZ2eTlnsaJRptmZ76Caldwy1odD4xTr/gNV9VLj0AWgg/nmkevIyUfIIq5w==}
+  '@types/react@19.1.13':
+    resolution: {integrity: sha512-hHkbU/eoO3EG5/MZkuFSKmYqPbSVk5byPFa3e7y/8TybHiLMACgI8seVYlicwk7H5K/rI2px9xrQp/C+AUDTiQ==}
 
   '@types/unist@2.0.11':
     resolution: {integrity: sha512-CmBKiL6NNo/OqgmMn95Fk9Whlp2mtvIv+KNpQKN2F4SjvrEesubTRWGYSg+BnWZOnlCaSTU1sMpsBOzgbYhnsA==}
@@ -1099,8 +1101,8 @@ packages:
     peerDependencies:
       react: '>= 16.8.0'
 
-  '@vitejs/plugin-react-swc@4.0.1':
-    resolution: {integrity: sha512-NQhPjysi5duItyrMd5JWZFf2vNOuSMyw+EoZyTBDzk+DkfYD8WNrsUs09sELV2cr1P15nufsN25hsUBt4CKF9Q==}
+  '@vitejs/plugin-react-swc@4.1.0':
+    resolution: {integrity: sha512-Ff690TUck0Anlh7wdIcnsVMhofeEVgm44Y4OYdeeEEPSKyZHzDI9gfVBvySEhDfXtBp8tLCbfsVKPWEMEjq8/g==}
     engines: {node: ^20.19.0 || >=22.12.0}
     peerDependencies:
       vite: ^4 || ^5 || ^6 || ^7
@@ -1150,8 +1152,8 @@ packages:
     peerDependencies:
       postcss: ^8.1.0
 
-  axios@1.12.0:
-    resolution: {integrity: sha512-oXTDccv8PcfjZmPGlWsPSwtOJCZ/b6W5jAMCNcfwJbCzDckwG0jrYJFaWH1yvivfCXjVzV/SPDEhMB3Q+DSurg==}
+  axios@1.12.2:
+    resolution: {integrity: sha512-vMJzPewAlRyOgxV2dU0Cuz2O8zzzx9VYtbJOaBgXFeLc4IV/Eg50n4LowmehOOR61S8ZMpc2K5Sa7g6A4jfkUw==}
 
   babel-plugin-macros@3.1.0:
     resolution: {integrity: sha512-Cg7TFGpIr01vOQNODXOOaGz2NpCU5gl8x1qJFbb6hbZxR7XrcE2vtbAsTAbJ7/xwJtUuJEw8K8Zr/AE0LHlesg==}
@@ -1163,6 +1165,10 @@ packages:
   balanced-match@1.0.2:
     resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==}
 
+  baseline-browser-mapping@2.8.7:
+    resolution: {integrity: sha512-bxxN2M3a4d1CRoQC//IqsR5XrLh0IJ8TCv2x6Y9N0nckNz/rTjZB3//GGscZziZOxmjP55rzxg/ze7usFI9FqQ==}
+    hasBin: true
+
   bignumber.js@9.3.1:
     resolution: {integrity: sha512-Ko0uX15oIUS7wJ3Rb30Fs6SkVbLmPBAKdlm7q9+ak9bbIeFf0MwuBsQV6z7+X768/cHsfg+WlysDWJcmthjsjQ==}
 
@@ -1177,8 +1183,8 @@ packages:
     resolution: {integrity: sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==}
     engines: {node: '>=8'}
 
-  browserslist@4.25.4:
-    resolution: {integrity: sha512-4jYpcjabC606xJ3kw2QwGEZKX0Aw7sgQdZCvIK9dhVSPh76BKo+C+btT1RRofH7B+8iNpEbgGNVWiLki5q93yg==}
+  browserslist@4.26.2:
+    resolution: {integrity: sha512-ECFzp6uFOSB+dcZ5BK/IBaGWssbSYBHvuMeMt3MMFyhI0Z8SqGgEkBLARgpRH3hutIgPVsALcMwbDrJqPxQ65A==}
     engines: {node: ^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7}
     hasBin: true
 
@@ -1214,8 +1220,8 @@ packages:
     resolution: {integrity: sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg==}
     engines: {node: '>=6'}
 
-  caniuse-lite@1.0.30001741:
-    resolution: {integrity: sha512-QGUGitqsc8ARjLdgAfxETDhRbJ0REsP6O3I96TAth/mVjh2cYzN2u+3AzPP3aVSm2FehEItaJw1xd+IGBXWeSw==}
+  caniuse-lite@1.0.30001745:
+    resolution: {integrity: sha512-ywt6i8FzvdgrrrGbr1jZVObnVv6adj+0if2/omv9cmR2oiZs30zL4DIyaptKcbOrBdOIc74QTMoJvSE2QHh5UQ==}
 
   ccount@2.0.1:
     resolution: {integrity: sha512-eyrF0jiFpY+3drT6383f1qhkbGsLSifNAjA61IUjZjmLCWjItY6LB9ft9YhoDgwfmclB2zhu51Lc7+95b8NRAg==}
@@ -1442,8 +1448,8 @@ packages:
   dayjs@1.11.18:
     resolution: {integrity: sha512-zFBQ7WFRvVRhKcWoUh+ZA1g2HVgUbsZm9sbddh8EC5iv93sui8DVVz1Npvz+r6meo9VKfa8NyLWBsQK1VvIKPA==}
 
-  debug@4.4.1:
-    resolution: {integrity: sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ==}
+  debug@4.4.3:
+    resolution: {integrity: sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==}
     engines: {node: '>=6.0'}
     peerDependencies:
       supports-color: '*'
@@ -1527,8 +1533,8 @@ packages:
     resolution: {integrity: sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==}
     engines: {node: '>= 0.4'}
 
-  electron-to-chromium@1.5.215:
-    resolution: {integrity: sha512-TIvGp57UpeNetj/wV/xpFNpWGb0b/ROw372lHPx5Aafx02gjTBtWnEEcaSX3W2dLM3OSdGGyHX/cHl01JQsLaQ==}
+  electron-to-chromium@1.5.224:
+    resolution: {integrity: sha512-kWAoUu/bwzvnhpdZSIc6KUyvkI1rbRXMT0Eq8pKReyOyaPZcctMli+EgvcN1PAvwVc7Tdo4Fxi2PsLNDU05mdg==}
 
   emoji-regex@8.0.0:
     resolution: {integrity: sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==}
@@ -1541,8 +1547,8 @@ packages:
     resolution: {integrity: sha512-aN97NXWF6AWBTahfVOIrB/NShkzi5H7F9r1s9mD3cDj4Ko5f2qhhVoYMibXF7GlLveb/D2ioWay8lxI97Ven3g==}
     engines: {node: '>=0.12'}
 
-  error-ex@1.3.2:
-    resolution: {integrity: sha512-7dFHNmqeFSEt2ZBsCriorKnn3Z2pj+fd9kmI6QoWw4//DL+icEBfc0U7qJCisqrTsKTjw4fNFy2pW9OqStD84g==}
+  error-ex@1.3.4:
+    resolution: {integrity: sha512-sqQamAnR14VgCr1A618A3sGrygcpK+HEbenA/HiEAkkUwcZIIB/tgWqHFxWgOyDh4nB4JCRimh79dR5Ywc9MDQ==}
 
   es-define-property@1.0.1:
     resolution: {integrity: sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==}
@@ -1563,8 +1569,8 @@ packages:
   es-toolkit@1.39.10:
     resolution: {integrity: sha512-E0iGnTtbDhkeczB0T+mxmoVlT4YNweEKBLq7oaU4p11mecdsZpNWOglI4895Vh4usbQ+LsJiuLuI2L0Vdmfm2w==}
 
-  esbuild@0.25.9:
-    resolution: {integrity: sha512-CRbODhYyQx3qp7ZEwzxOk4JBqmD/seJrzPa/cGjY1VtIn5E09Oi9/dB4JwctnfZ8Q8iT7rioVv5k/FNT/uf54g==}
+  esbuild@0.25.10:
+    resolution: {integrity: sha512-9RiGKvCwaqxO2owP61uQ4BgNborAQskMR6QusfWzQqv7AZOg5oGehdY2pRJMTKuwxd1IDBP4rSbI5lHzU7SMsQ==}
     engines: {node: '>=18'}
     hasBin: true
 
@@ -1651,8 +1657,8 @@ packages:
   fraction.js@4.3.7:
     resolution: {integrity: sha512-ZsDfxO51wGAXREY55a7la9LScWpwv9RxIrYABrlvOFBlH/ShPnrtsXeuUIfXKKOVicNxQ+o8JTbJvjS4M89yew==}
 
-  framer-motion@12.23.12:
-    resolution: {integrity: sha512-6e78rdVtnBvlEVgu6eFEAgG9v3wLnYEboM8I5O5EXvfKC8gxGQB8wXJdhkMy10iVcn05jl6CNw7/HTsTCfwcWg==}
+  framer-motion@12.23.22:
+    resolution: {integrity: sha512-ZgGvdxXCw55ZYvhoZChTlG6pUuehecgvEAJz0BHoC5pQKW1EC5xf1Mul1ej5+ai+pVY0pylyFfdl45qnM1/GsA==}
     peerDependencies:
       '@emotion/is-prop-valid': '*'
       react: ^18.0.0 || ^19.0.0
@@ -1824,8 +1830,8 @@ packages:
   htmlparser2@10.0.0:
     resolution: {integrity: sha512-TwAZM+zE5Tq3lrEHvOlvwgj1XLWQCtaaibSN11Q+gGBAS7Y1uZSWwXXRe4iF6OXnaq1riyQAPFOBtYc77Mxq0g==}
 
-  humanize-duration@3.33.0:
-    resolution: {integrity: sha512-vYJX7BSzn7EQ4SaP2lPYVy+icHDppB6k7myNeI3wrSRfwMS5+BHyGgzpHR0ptqJ2AQ6UuIKrclSg5ve6Ci4IAQ==}
+  humanize-duration@3.33.1:
+    resolution: {integrity: sha512-hwzSCymnRdFx9YdRkQQ0OYequXiVAV6ZGQA2uzocwB0F4309Ke6pO8dg0P8LHhRQJyVjGteRTAA/zNfEcpXn8A==}
 
   immer@10.1.3:
     resolution: {integrity: sha512-tmjF/k8QDKydUlm3mZU+tjM6zeq9/fFpPqH9SzWmBnVVKsPBg/V66qsMwb3/Bo90cgUN+ghdVBess+hPsxUyRw==}
@@ -1920,8 +1926,8 @@ packages:
   isarray@1.0.0:
     resolution: {integrity: sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==}
 
-  itertools@2.4.1:
-    resolution: {integrity: sha512-dFTSYzmbfeNE3q/qxwAr/QdKsK6/rp+LTz8SJdTg1+lo9omXFYpDcOKw47/7TevlnC0LorR5pRSf68+yB3N0GA==}
+  itertools@2.5.0:
+    resolution: {integrity: sha512-4ghJEXkRGkw4veNQhfO0cLY8+zePMXbe9wGt3ckSVFtrQVyyoKCUESaG2HsjuEfidVtuIEj1Dt1BlmTL3GUWFg==}
 
   jiti@2.4.2:
     resolution: {integrity: sha512-rg9zJN+G4n2nfJl5MW3BMygZX56zKPNVEYYqq7adpmMh4Jn2QNEwhvQlFy6jPVdcod7txZtKHWnyZiA3a0zP7A==}
@@ -2152,14 +2158,14 @@ packages:
     resolution: {integrity: sha512-xV2bxeN6F7oYjZWTe/YPAy6MN2M+sL4u/Rlm2AHCIVGfo2p1yGmBHQ6vHehl4bRTZBdHu3TSkWdYgkwpYzAGSw==}
     engines: {node: '>=0.10.0'}
 
-  motion-dom@12.23.12:
-    resolution: {integrity: sha512-RcR4fvMCTESQBD/uKQe49D5RUeDOokkGRmz4ceaJKDBgHYtZtntC/s2vLvY38gqGaytinij/yi3hMcWVcEF5Kw==}
+  motion-dom@12.23.21:
+    resolution: {integrity: sha512-5xDXx/AbhrfgsQmSE7YESMn4Dpo6x5/DTZ4Iyy4xqDvVHWvFVoV+V2Ri2S/ksx+D40wrZ7gPYiMWshkdoqNgNQ==}
 
   motion-utils@12.23.6:
     resolution: {integrity: sha512-eAWoPgr4eFEOFfg2WjIsMoqJTW6Z8MTUCgn/GZ3VRpClWBdnbjryiA3ZSNLyxCTmCQx4RmYX6jX1iWHbenUPNQ==}
 
-  motion@12.23.12:
-    resolution: {integrity: sha512-8jCD8uW5GD1csOoqh1WhH1A6j5APHVE15nuBkFeRiMzYBdRwyAHmSP/oXSuW0WJPZRXTFdBoG4hY9TFWNhhwng==}
+  motion@12.23.22:
+    resolution: {integrity: sha512-iSq6X9vLHbeYwmHvhK//+U74ROaPnZmBuy60XZzqNl0QtZkWfoZyMDHYnpKuWFv0sNMqHgED8aCXk94LCoQPGg==}
     peerDependencies:
       '@emotion/is-prop-valid': '*'
       react: ^18.0.0 || ^19.0.0
@@ -2186,8 +2192,8 @@ packages:
   neo-async@2.6.2:
     resolution: {integrity: sha512-Yd3UES5mWCSqR+qNT93S3UoYUkqAZ9lLg8a7g9rimsWmYGK8cVToA4/sF3RrshdyV3sAGMXVUmpMYOw+dLpOuw==}
 
-  node-releases@2.0.20:
-    resolution: {integrity: sha512-7gK6zSXEH6neM212JgfYFXe+GmZQM+fia5SsusuBIUgnPheLFBmIPhtFoAQRj8/7wASYQnbDlHPVwY0BefoFgA==}
+  node-releases@2.0.21:
+    resolution: {integrity: sha512-5b0pgg78U3hwXkCM8Z9b2FJdPZlr9Psr9V2gQPESdGHqbntyFJKFW4r5TeWGFzafGY3hzs1JC62VEQMbl1JFkw==}
 
   normalize-package-data@2.5.0:
     resolution: {integrity: sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==}
@@ -2386,8 +2392,8 @@ packages:
     peerDependencies:
       react: ^19.1.1
 
-  react-hook-form@7.62.0:
-    resolution: {integrity: sha512-7KWFejc98xqG/F4bAxpL41NB3o1nnvQO1RWZT3TqRZYL8RryQETGfEdVnJN2fy1crCiBLLjkRBVK05j24FxJGA==}
+  react-hook-form@7.63.0:
+    resolution: {integrity: sha512-ZwueDMvUeucovM2VjkCf7zIHcs1aAlDimZu2Hvel5C5907gUzMpm4xCrQXtRzCvsBqFjonB4m3x4LzCFI1ZKWA==}
     engines: {node: '>=18.0.0'}
     peerDependencies:
       react: ^16.8.0 || ^17 || ^18 || ^19
@@ -2510,8 +2516,8 @@ packages:
     resolution: {integrity: sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==}
     engines: {node: '>=8.10.0'}
 
-  recharts@3.2.0:
-    resolution: {integrity: sha512-fX0xCgNXo6mag9wz3oLuANR+dUQM4uIlTYBGTGq9CBRgW/8TZPzqPGYs5NTt8aENCf+i1CI8vqxT1py8L/5J2w==}
+  recharts@3.2.1:
+    resolution: {integrity: sha512-0JKwHRiFZdmLq/6nmilxEZl3pqb4T+aKkOkOi/ZISRZwfBhVMgInxzlYU9D4KnCH3KINScLy68m/OvMXoYGZUw==}
     engines: {node: '>=18'}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
@@ -2564,8 +2570,8 @@ packages:
     engines: {node: '>= 0.4'}
     hasBin: true
 
-  rollup@4.50.1:
-    resolution: {integrity: sha512-78E9voJHwnXQMiQdiqswVLZwJIzdBKJ1GdI5Zx6XwoFKUIk09/sSrr+05QFzvYb8q6Y9pPV45zzDuYa3907TZA==}
+  rollup@4.52.2:
+    resolution: {integrity: sha512-I25/2QgoROE1vYV+NQ1En9T9UFB9Cmfm2CJ83zZOlaDpvz29wGQSZXWKw7MiNXau7wYgB/T9fVIdIuEQ+KbiiA==}
     engines: {node: '>=18.0.0', npm: '>=8.0.0'}
     hasBin: true
 
@@ -2725,69 +2731,72 @@ packages:
     engines: {node: '>=10'}
     hasBin: true
 
-  text-camel-case@1.2.4:
-    resolution: {integrity: sha512-D3NrNDrXX9eNngw2g1aWKh+ai/wzmnU1s2jBi/5aFJMpif2johXX76pfK3e8DaQGEPcOsDsXXt11ts9De+TjXw==}
+  text-camel-case@1.2.9:
+    resolution: {integrity: sha512-wKYs9SgRxYizJE1mneR7BbLNlGw2IYzJAS8XwkWIry0CTbO1gvvPkFsx5Z1/hr+VqUaBqx9q3yKd30HpZLdMsQ==}
 
-  text-capital-case@1.2.4:
-    resolution: {integrity: sha512-pWqRqoAKIjARiJcQ2SDMhySWQ9ObcI2UfCVt0IRVr1vy+PwS9JkR8L7BdKLGEd7IF8AAR9qLvdlQIdDaN7GiQQ==}
+  text-capital-case@1.2.9:
+    resolution: {integrity: sha512-X5zV8U8pxtq2xS2t46lgAWqZdDbgWMKq03MQSNwY2CJdQCsdTNh144E2Q/q9wBxWzSBUXn+jRc9kF+Gs8/pGhA==}
 
-  text-case@1.2.4:
-    resolution: {integrity: sha512-ESwvqsWsua549qIFOXSB1M/FSo1qDxx5MuKtbyQOzwaKFLbjFWOqmOdZfzumsCbBR8qphGFsjwQ8xwv8aGUZbw==}
+  text-case@1.2.9:
+    resolution: {integrity: sha512-zZVdA8rMcjx9zhekdUuOPZShc25UTV7W8/ddKbgbPtfCEvIiToPtWiSd2lXLSuiGMovNhJ4+Tw49xll9o9ts+Q==}
 
-  text-constant-case@1.2.4:
-    resolution: {integrity: sha512-EjFEDNKfkd5AN2DOJ+lkCcU72s3qScsM8iIiaR/d8DdMW0lIpMLGwIZcBVmvDWEosjoJD3Y/FECWTZqnwyUuOQ==}
+  text-constant-case@1.2.9:
+    resolution: {integrity: sha512-Vosm6nC7Gag+JFakJHwqS9AXRNgl07j5KZ7srU9cYuKRzYwrxzeJ4RpEogRBNHw7CfmOm0j5FGEznblWtu7pIw==}
 
-  text-dot-case@1.2.4:
-    resolution: {integrity: sha512-ThshqZ5EGX6RQPJLT9g3I7Lnvo6CoAbHrbKykwpepvTBTkiGe6v+mKwkF/fYLpNxsZ2VXdepnHsChSQp/vYBkg==}
+  text-dot-case@1.2.9:
+    resolution: {integrity: sha512-N83hsnvGdSO9q9AfNSB9Cy1LFDNN2MCx53LcxtaPoDWPUTk47fv0JlvIY1tgY0wyzCiThF03kVj3jworvAOScA==}
 
   text-extensions@1.9.0:
     resolution: {integrity: sha512-wiBrwC1EhBelW12Zy26JeOUkQ5mRu+5o8rpsJk5+2t+Y5vE7e842qtZDQ2g1NpX/29HdyFeJ4nSIhI47ENSxlQ==}
     engines: {node: '>=0.10'}
 
-  text-header-case@1.2.4:
-    resolution: {integrity: sha512-eFIsIvGsbBMbdz6J5oTtV+iD1BbEV2cQYyezO/y4KKu2dYg+xZAh27aCq69SJ1+7LtSDzmU81AS1ykTDT6j4ww==}
+  text-header-case@1.2.9:
+    resolution: {integrity: sha512-TqryEKcYisQAfWLbtT3xPnZlMZ/mySO1uS+LUg+B0eNuqgETrSzVpXIUj5E6Zf/EyJHgpZf4VndbAXtOMJuT4w==}
+
+  text-is-lower-case@1.2.9:
+    resolution: {integrity: sha512-cEurrWSnYVYqL8FSwl5cK4mdfqF7qNDCcKJgXI3NnfTesiB8umxAhdlQoErrRYI1xEvYr2WN0MI333EehUhQjg==}
 
-  text-is-lower-case@1.2.4:
-    resolution: {integrity: sha512-S9lzKJO2apfVcYUkMsesjVYZOyL8SrJ40R3IDi8aQtSbiaNZ8LaxVxLCelSWmAkXKh2uZOktZOY/DjMchigOIQ==}
+  text-is-upper-case@1.2.9:
+    resolution: {integrity: sha512-HxsWr3VCsXXiLlhD0c+Ey+mS2lOTCiSJbkepjaXNHl2bp33KiscQaiG0qLwQmmpZQm4SJCg2s9FkndxS0RNDLQ==}
 
-  text-is-upper-case@1.2.4:
-    resolution: {integrity: sha512-bBfPYnfS1SEfxu/emUoPSXw7dtnsJGfJc6JoRb3x8yy3ROBSdj09n1EXY3a2PhuigAGbhf56BBeSrQMtBrpaNQ==}
+  text-kebab-case@1.2.9:
+    resolution: {integrity: sha512-nOUyNR5Ej2B9D/wyyXfwUEv26+pQuOb1pEX+ojE37mCIWo8QeOxw5y6nxuqDmG7NrEPzbO6265UMV+EICH13Cw==}
 
-  text-lower-case-first@1.2.4:
-    resolution: {integrity: sha512-3nuJelBFCEbpjAbEaqgNXLE5K446IyitlQR+8oX5ClUlSw5YS4CTeE3rPLFnxxhpUjRtogJt9J6iq4WNjXU9zQ==}
+  text-lower-case-first@1.2.9:
+    resolution: {integrity: sha512-iiphHTV7PVH0MljrEQUA9iBE7jfDpXoi4RQju3WzZU3BRVbS6540cNZgxR19hWa0z6z/7cJTH0Ls9LPBaiUfKg==}
 
-  text-lower-case@1.2.4:
-    resolution: {integrity: sha512-Q7HuNqwBeMvZLrh3zCjs1agalWPVdhWvpvegBRrOWKUsMON46ox6TInZd9tvQbPMIvsUSh2fxO77e+egql4pvw==}
+  text-lower-case@1.2.9:
+    resolution: {integrity: sha512-53AOnDrhPpiAUQkgY1SHleKUXp/u7GsqRX13NcCREZscmtjLLJ099uxMRjkK7q2KwHkFYVPl9ytkQlTkTQLS0w==}
 
-  text-no-case@1.2.4:
-    resolution: {integrity: sha512-XgegE+tVU024oyk5ACML8ucHioXjf1fS/tiEcQH6AGHkkWaqxq/7fTHT1kmSFwcp8J57wK1CCYfi4sUvZIXHtQ==}
+  text-no-case@1.2.9:
+    resolution: {integrity: sha512-IcCt328KaapimSrytP4ThfC8URmHZb2DgOqCL9BYvGjpxY2lDiqCkIQk9sClZtwcELs2gTnq83a7jNc573FTLA==}
 
-  text-param-case@1.2.4:
-    resolution: {integrity: sha512-kLojOiVCwIGZh2G5dv8T18eLzXKCLX7ukI4u4wiyA4j6c9hVfjV6xMPJgUPYLWilaLZRqXYpAcfjgDKQCZtJfg==}
+  text-param-case@1.2.9:
+    resolution: {integrity: sha512-nR/Ju9amY3aQS1en2CUCgqN/ZiZIVdDyjlJ3xX5J92ChBevGuA4o9K10fh3JGMkbzK97Vcb+bWQJ4Q+Svz+GyQ==}
 
-  text-pascal-case@1.2.4:
-    resolution: {integrity: sha512-Xt7bldDcfXp6QVgrDD+oKqN4CEjqxjq47kf/wIXyETjuJrciFWIQEIFdvH6yL5XdMVi3MunQGiilSzJ7vQX2jQ==}
+  text-pascal-case@1.2.9:
+    resolution: {integrity: sha512-o6ZxMGjWDTUW54pcghpXes+C2PqbYRMdU5mHrIhueb6z6nq1NueiIOeCUdrSjN/3wXfhCmnFjK7/d9aRGZNqSg==}
 
-  text-path-case@1.2.4:
-    resolution: {integrity: sha512-jXWMucVQlOl39qlf6vIZDDjWMLzdNoQ+Fa3s4x8whqC/UwFDw6Pu4HyhrTRggPYMNe6l5p3v0bLYjERd2Xonug==}
+  text-path-case@1.2.9:
+    resolution: {integrity: sha512-s8cJ6r5TkJp5ticXMgtxd7f12odEN4d1CfX5u4aoz6jcUtBR2lDqzIhVimkqWFMJ4UKPSrmilUha8Xc2BPi+ow==}
 
-  text-sentence-case@1.2.4:
-    resolution: {integrity: sha512-rEIf8n6O4SL1Kk0tEzlXK9eZnnF1KybCvOwLJyJfCo3OwJ4CGEUDgIDDUyK5SnRvtWV9UzqPE+Dfi0+sDBEHtg==}
+  text-sentence-case@1.2.9:
+    resolution: {integrity: sha512-/G/Yi5kZfUa1edFRV4O3lGZAkbDZTFvlwW8CYfH7szkEGe2k2MYEYbOyAkGRVQEGV6V6JiuUAaP3VS9c1tB6nQ==}
 
-  text-snake-case@1.2.4:
-    resolution: {integrity: sha512-RK+Nqbg9uT+WA0kh7tUSq7MQC6fpm0lRrZsD3zCmz2pybD4QiWMsHNFy0RtnVPGVnrqvJ8ZITD+RbswsS0Zsdw==}
+  text-snake-case@1.2.9:
+    resolution: {integrity: sha512-+ZrqK19ynF/TLQZ7ynqVrL2Dy04uu9syYZwsm8PhzUdsY3XrwPy6QiRqhIEFqhyWbShPcfyfmheer5UEQqFxlw==}
 
-  text-swap-case@1.2.4:
-    resolution: {integrity: sha512-N/5zdNnmYcU21kYdLi+X7GsKLrsdZp+1u+mExAaJoWGvZKbvxGC92tp7D1L8E2jVFrIm1qS1qmpKHy2acJr8qA==}
+  text-swap-case@1.2.9:
+    resolution: {integrity: sha512-g5fp12ldktYKK9wdHRMvvtSCQrZYNv/D+ZGLumDsvAY4q9T5bCMO2IWMkIP1F5gVQrysdHH6Xv877P/pjUq1iw==}
 
-  text-title-case@1.2.4:
-    resolution: {integrity: sha512-8Ce7gzPzFzrXFp2M5b6uzix9bb20TjWEak8vnxPf7i2wy4LLO5gdHbyrQHJrkrUnvb3dzocnbIZyGTU+Cy3a6w==}
+  text-title-case@1.2.9:
+    resolution: {integrity: sha512-RAtC9cdmPp41ns5/HXZBsaQg71BsHT7uZpj2ojTtuFa8o2dNuRYYOrSmy5YdLRIAJQ6WK5hQVpV3jHuq7a+4Tw==}
 
-  text-upper-case-first@1.2.4:
-    resolution: {integrity: sha512-TveJzwU7gyDmJ2p0rYx0dGlkT+45c1p8zsWTCBEikR1Klo5Cb4qABhlz9gA8CA4Y9Z9yqYTiIB9WjA8Ap2K05g==}
+  text-upper-case-first@1.2.9:
+    resolution: {integrity: sha512-wEDD1B6XqJmEV+xEnBJd+2sBCHZ+7fvA/8Rv/o8+dAsp05YWjYP/kjB8sPH6zqzW0s6jtehIg4IlcKjcYxk2CQ==}
 
-  text-upper-case@1.2.4:
-    resolution: {integrity: sha512-y4cCoj6CGHWjszb4WuRt4uQjqHDCcUfJff4gKsrI13OZ8rzu0YtfUMOpV9Lizv5IYu00Kv2gbXGcMr04aDjxqA==}
+  text-upper-case@1.2.9:
+    resolution: {integrity: sha512-K/0DNT7a4z8eah2spARtoJllTZyrNTo6Uc0ujhN/96Ir9uJ/slpahfs13y46H9osL3daaLl3O7iXOkW4xtX6bg==}
 
   through2@2.0.5:
     resolution: {integrity: sha512-/mrRod8xqpA+IHSLyGCQ2s8SPHiCDEeQJSep1jqLYeEUClOFG2Qsh+4FU6G9VeqpZnGW/Su8LQGc4YKni5rYSQ==}
@@ -2861,8 +2870,8 @@ packages:
     engines: {node: '>=0.8.0'}
     hasBin: true
 
-  undici-types@7.10.0:
-    resolution: {integrity: sha512-t5Fy/nfn+14LuOc2KNYg75vZqClpAiqscVvMygNnlsHBFpSXdJaYtXMcdNLpl/Qvc3P2cB3s6lOV51nqsFq4ag==}
+  undici-types@7.12.0:
+    resolution: {integrity: sha512-goOacqME2GYyOZZfb5Lgtu+1IDmAlAEu5xnD3+xTzS10hT0vzpf0SPjkXwAw9Jm+4n/mQGDP3LO8CPbYROeBfQ==}
 
   unified@11.0.5:
     resolution: {integrity: sha512-xKvGhPWw3k84Qjh8bI3ZeJjqnyadK+GEFtazSfZv/rKeTkTjOJho6mFqh2SM96iIcZokxiOpg78GazTSg8+KHA==}
@@ -2938,8 +2947,8 @@ packages:
     peerDependencies:
       vite: '>=2.0.0-beta.69'
 
-  vite@7.1.5:
-    resolution: {integrity: sha512-4cKBO9wR75r0BeIWWWId9XK9Lj6La5X846Zw9dFfzMRw38IlTk2iCcUt6hsyiDRcPidc55ZParFYDXi0nXOeLQ==}
+  vite@7.1.7:
+    resolution: {integrity: sha512-VbA8ScMvAISJNJVbRDTJdCwqQoAareR/wutevKanhR2/1EkoXVZVkkORaYm/tNVCjP/UDTKtcw3bAkwOUdedmA==}
     engines: {node: ^20.19.0 || >=22.12.0}
     hasBin: true
     peerDependencies:
@@ -3096,7 +3105,7 @@ snapshots:
       '@babel/types': 7.28.4
       '@jridgewell/remapping': 2.3.5
       convert-source-map: 2.0.0
-      debug: 4.4.1
+      debug: 4.4.3
       gensync: 1.0.0-beta.2
       json5: 2.2.3
       semver: 6.3.1
@@ -3108,14 +3117,14 @@ snapshots:
       '@babel/parser': 7.28.4
       '@babel/types': 7.28.4
       '@jridgewell/gen-mapping': 0.3.13
-      '@jridgewell/trace-mapping': 0.3.30
+      '@jridgewell/trace-mapping': 0.3.31
       jsesc: 3.1.0
 
   '@babel/helper-compilation-targets@7.27.2':
     dependencies:
       '@babel/compat-data': 7.28.4
       '@babel/helper-validator-option': 7.27.1
-      browserslist: 4.25.4
+      browserslist: 4.26.2
       lru-cache: 5.1.1
       semver: 6.3.1
 
@@ -3168,7 +3177,7 @@ snapshots:
       '@babel/parser': 7.28.4
       '@babel/template': 7.27.2
       '@babel/types': 7.28.4
-      debug: 4.4.1
+      debug: 4.4.3
     transitivePeerDependencies:
       - supports-color
 
@@ -3250,7 +3259,7 @@ snapshots:
 
   '@emotion/memoize@0.9.0': {}
 
-  '@emotion/react@11.14.0(@types/react@19.1.12)(react@19.1.1)':
+  '@emotion/react@11.14.0(@types/react@19.1.13)(react@19.1.1)':
     dependencies:
       '@babel/runtime': 7.28.4
       '@emotion/babel-plugin': 11.13.5
@@ -3262,7 +3271,7 @@ snapshots:
       hoist-non-react-statics: 3.3.2
       react: 19.1.1
     optionalDependencies:
-      '@types/react': 19.1.12
+      '@types/react': 19.1.13
     transitivePeerDependencies:
       - supports-color
 
@@ -3276,18 +3285,18 @@ snapshots:
 
   '@emotion/sheet@1.4.0': {}
 
-  '@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.1.12)(react@19.1.1))(@types/react@19.1.12)(react@19.1.1)':
+  '@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.1.13)(react@19.1.1))(@types/react@19.1.13)(react@19.1.1)':
     dependencies:
       '@babel/runtime': 7.28.4
       '@emotion/babel-plugin': 11.13.5
       '@emotion/is-prop-valid': 1.4.0
-      '@emotion/react': 11.14.0(@types/react@19.1.12)(react@19.1.1)
+      '@emotion/react': 11.14.0(@types/react@19.1.13)(react@19.1.1)
       '@emotion/serialize': 1.3.3
       '@emotion/use-insertion-effect-with-fallbacks': 1.2.0(react@19.1.1)
       '@emotion/utils': 1.4.2
       react: 19.1.1
     optionalDependencies:
-      '@types/react': 19.1.12
+      '@types/react': 19.1.13
     transitivePeerDependencies:
       - supports-color
 
@@ -3301,82 +3310,82 @@ snapshots:
 
   '@emotion/weak-memoize@0.4.0': {}
 
-  '@esbuild/aix-ppc64@0.25.9':
+  '@esbuild/aix-ppc64@0.25.10':
     optional: true
 
-  '@esbuild/android-arm64@0.25.9':
+  '@esbuild/android-arm64@0.25.10':
     optional: true
 
-  '@esbuild/android-arm@0.25.9':
+  '@esbuild/android-arm@0.25.10':
     optional: true
 
-  '@esbuild/android-x64@0.25.9':
+  '@esbuild/android-x64@0.25.10':
     optional: true
 
-  '@esbuild/darwin-arm64@0.25.9':
+  '@esbuild/darwin-arm64@0.25.10':
     optional: true
 
-  '@esbuild/darwin-x64@0.25.9':
+  '@esbuild/darwin-x64@0.25.10':
     optional: true
 
-  '@esbuild/freebsd-arm64@0.25.9':
+  '@esbuild/freebsd-arm64@0.25.10':
     optional: true
 
-  '@esbuild/freebsd-x64@0.25.9':
+  '@esbuild/freebsd-x64@0.25.10':
     optional: true
 
-  '@esbuild/linux-arm64@0.25.9':
+  '@esbuild/linux-arm64@0.25.10':
     optional: true
 
-  '@esbuild/linux-arm@0.25.9':
+  '@esbuild/linux-arm@0.25.10':
     optional: true
 
-  '@esbuild/linux-ia32@0.25.9':
+  '@esbuild/linux-ia32@0.25.10':
     optional: true
 
-  '@esbuild/linux-loong64@0.25.9':
+  '@esbuild/linux-loong64@0.25.10':
     optional: true
 
-  '@esbuild/linux-mips64el@0.25.9':
+  '@esbuild/linux-mips64el@0.25.10':
     optional: true
 
-  '@esbuild/linux-ppc64@0.25.9':
+  '@esbuild/linux-ppc64@0.25.10':
     optional: true
 
-  '@esbuild/linux-riscv64@0.25.9':
+  '@esbuild/linux-riscv64@0.25.10':
     optional: true
 
-  '@esbuild/linux-s390x@0.25.9':
+  '@esbuild/linux-s390x@0.25.10':
     optional: true
 
-  '@esbuild/linux-x64@0.25.9':
+  '@esbuild/linux-x64@0.25.10':
     optional: true
 
-  '@esbuild/netbsd-arm64@0.25.9':
+  '@esbuild/netbsd-arm64@0.25.10':
     optional: true
 
-  '@esbuild/netbsd-x64@0.25.9':
+  '@esbuild/netbsd-x64@0.25.10':
     optional: true
 
-  '@esbuild/openbsd-arm64@0.25.9':
+  '@esbuild/openbsd-arm64@0.25.10':
     optional: true
 
-  '@esbuild/openbsd-x64@0.25.9':
+  '@esbuild/openbsd-x64@0.25.10':
     optional: true
 
-  '@esbuild/openharmony-arm64@0.25.9':
+  '@esbuild/openharmony-arm64@0.25.10':
     optional: true
 
-  '@esbuild/sunos-x64@0.25.9':
+  '@esbuild/sunos-x64@0.25.10':
     optional: true
 
-  '@esbuild/win32-arm64@0.25.9':
+  '@esbuild/win32-arm64@0.25.10':
     optional: true
 
-  '@esbuild/win32-ia32@0.25.9':
+  '@esbuild/win32-ia32@0.25.10':
     optional: true
 
-  '@esbuild/win32-x64@0.25.9':
+  '@esbuild/win32-x64@0.25.10':
     optional: true
 
   '@floating-ui/core@1.7.3':
@@ -3406,10 +3415,10 @@ snapshots:
 
   '@github/webauthn-json@2.1.1': {}
 
-  '@hookform/devtools@4.4.0(@types/react@19.1.12)(react-dom@19.1.1(react@19.1.1))(react@19.1.1)':
+  '@hookform/devtools@4.4.0(@types/react@19.1.13)(react-dom@19.1.1(react@19.1.1))(react@19.1.1)':
     dependencies:
-      '@emotion/react': 11.14.0(@types/react@19.1.12)(react@19.1.1)
-      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.1.12)(react@19.1.1))(@types/react@19.1.12)(react@19.1.1)
+      '@emotion/react': 11.14.0(@types/react@19.1.13)(react@19.1.1)
+      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.1.13)(react@19.1.1))(@types/react@19.1.13)(react@19.1.1)
       '@types/lodash': 4.17.20
       little-state-machine: 4.8.1(react@19.1.1)
       lodash: 4.17.21
@@ -3422,22 +3431,22 @@ snapshots:
       - '@types/react'
       - supports-color
 
-  '@hookform/resolvers@5.2.1(react-hook-form@7.62.0(react@19.1.1))':
+  '@hookform/resolvers@5.2.2(react-hook-form@7.63.0(react@19.1.1))':
     dependencies:
       '@standard-schema/utils': 0.3.0
-      react-hook-form: 7.62.0(react@19.1.1)
+      react-hook-form: 7.63.0(react@19.1.1)
 
   '@hutson/parse-repository-url@3.0.2': {}
 
   '@jridgewell/gen-mapping@0.3.13':
     dependencies:
       '@jridgewell/sourcemap-codec': 1.5.5
-      '@jridgewell/trace-mapping': 0.3.30
+      '@jridgewell/trace-mapping': 0.3.31
 
   '@jridgewell/remapping@2.3.5':
     dependencies:
       '@jridgewell/gen-mapping': 0.3.13
-      '@jridgewell/trace-mapping': 0.3.30
+      '@jridgewell/trace-mapping': 0.3.31
 
   '@jridgewell/resolve-uri@3.1.2': {}
 
@@ -3449,16 +3458,10 @@ snapshots:
 
   '@jridgewell/sourcemap-codec@1.5.5': {}
 
-  '@jridgewell/trace-mapping@0.3.30':
-    dependencies:
-      '@jridgewell/resolve-uri': 3.1.2
-      '@jridgewell/sourcemap-codec': 1.5.5
-
   '@jridgewell/trace-mapping@0.3.31':
     dependencies:
       '@jridgewell/resolve-uri': 3.1.2
       '@jridgewell/sourcemap-codec': 1.5.5
-    optional: true
 
   '@react-hook/latest@1.0.3(react@19.1.1)':
     dependencies:
@@ -3481,7 +3484,7 @@ snapshots:
       rxjs: 7.8.2
       use-sync-external-store: 1.5.0(react@19.1.1)
 
-  '@reduxjs/toolkit@2.9.0(react-redux@9.2.0(@types/react@19.1.12)(react@19.1.1)(redux@5.0.1))(react@19.1.1)':
+  '@reduxjs/toolkit@2.9.0(react-redux@9.2.0(@types/react@19.1.13)(react@19.1.1)(redux@5.0.1))(react@19.1.1)':
     dependencies:
       '@standard-schema/spec': 1.0.0
       '@standard-schema/utils': 0.3.0
@@ -3491,73 +3494,76 @@ snapshots:
       reselect: 5.1.1
     optionalDependencies:
       react: 19.1.1
-      react-redux: 9.2.0(@types/react@19.1.12)(react@19.1.1)(redux@5.0.1)
+      react-redux: 9.2.0(@types/react@19.1.13)(react@19.1.1)(redux@5.0.1)
 
   '@remix-run/router@1.23.0': {}
 
-  '@rolldown/pluginutils@1.0.0-beta.32': {}
+  '@rolldown/pluginutils@1.0.0-beta.35': {}
+
+  '@rollup/rollup-android-arm-eabi@4.52.2':
+    optional: true
 
-  '@rollup/rollup-android-arm-eabi@4.50.1':
+  '@rollup/rollup-android-arm64@4.52.2':
     optional: true
 
-  '@rollup/rollup-android-arm64@4.50.1':
+  '@rollup/rollup-darwin-arm64@4.52.2':
     optional: true
 
-  '@rollup/rollup-darwin-arm64@4.50.1':
+  '@rollup/rollup-darwin-x64@4.52.2':
     optional: true
 
-  '@rollup/rollup-darwin-x64@4.50.1':
+  '@rollup/rollup-freebsd-arm64@4.52.2':
     optional: true
 
-  '@rollup/rollup-freebsd-arm64@4.50.1':
+  '@rollup/rollup-freebsd-x64@4.52.2':
     optional: true
 
-  '@rollup/rollup-freebsd-x64@4.50.1':
+  '@rollup/rollup-linux-arm-gnueabihf@4.52.2':
     optional: true
 
-  '@rollup/rollup-linux-arm-gnueabihf@4.50.1':
+  '@rollup/rollup-linux-arm-musleabihf@4.52.2':
     optional: true
 
-  '@rollup/rollup-linux-arm-musleabihf@4.50.1':
+  '@rollup/rollup-linux-arm64-gnu@4.52.2':
     optional: true
 
-  '@rollup/rollup-linux-arm64-gnu@4.50.1':
+  '@rollup/rollup-linux-arm64-musl@4.52.2':
     optional: true
 
-  '@rollup/rollup-linux-arm64-musl@4.50.1':
+  '@rollup/rollup-linux-loong64-gnu@4.52.2':
     optional: true
 
-  '@rollup/rollup-linux-loongarch64-gnu@4.50.1':
+  '@rollup/rollup-linux-ppc64-gnu@4.52.2':
     optional: true
 
-  '@rollup/rollup-linux-ppc64-gnu@4.50.1':
+  '@rollup/rollup-linux-riscv64-gnu@4.52.2':
     optional: true
 
-  '@rollup/rollup-linux-riscv64-gnu@4.50.1':
+  '@rollup/rollup-linux-riscv64-musl@4.52.2':
     optional: true
 
-  '@rollup/rollup-linux-riscv64-musl@4.50.1':
+  '@rollup/rollup-linux-s390x-gnu@4.52.2':
     optional: true
 
-  '@rollup/rollup-linux-s390x-gnu@4.50.1':
+  '@rollup/rollup-linux-x64-gnu@4.52.2':
     optional: true
 
-  '@rollup/rollup-linux-x64-gnu@4.50.1':
+  '@rollup/rollup-linux-x64-musl@4.52.2':
     optional: true
 
-  '@rollup/rollup-linux-x64-musl@4.50.1':
+  '@rollup/rollup-openharmony-arm64@4.52.2':
     optional: true
 
-  '@rollup/rollup-openharmony-arm64@4.50.1':
+  '@rollup/rollup-win32-arm64-msvc@4.52.2':
     optional: true
 
-  '@rollup/rollup-win32-arm64-msvc@4.50.1':
+  '@rollup/rollup-win32-ia32-msvc@4.52.2':
     optional: true
 
-  '@rollup/rollup-win32-ia32-msvc@4.50.1':
+  '@rollup/rollup-win32-x64-gnu@4.52.2':
     optional: true
 
-  '@rollup/rollup-win32-x64-msvc@4.50.1':
+  '@rollup/rollup-win32-x64-msvc@4.52.2':
     optional: true
 
   '@rx-state/core@0.1.4(rxjs@7.8.2)':
@@ -3595,51 +3601,51 @@ snapshots:
 
   '@standard-schema/utils@0.3.0': {}
 
-  '@swc/core-darwin-arm64@1.13.5':
+  '@swc/core-darwin-arm64@1.13.19':
     optional: true
 
-  '@swc/core-darwin-x64@1.13.5':
+  '@swc/core-darwin-x64@1.13.19':
     optional: true
 
-  '@swc/core-linux-arm-gnueabihf@1.13.5':
+  '@swc/core-linux-arm-gnueabihf@1.13.19':
     optional: true
 
-  '@swc/core-linux-arm64-gnu@1.13.5':
+  '@swc/core-linux-arm64-gnu@1.13.19':
     optional: true
 
-  '@swc/core-linux-arm64-musl@1.13.5':
+  '@swc/core-linux-arm64-musl@1.13.19':
     optional: true
 
-  '@swc/core-linux-x64-gnu@1.13.5':
+  '@swc/core-linux-x64-gnu@1.13.19':
     optional: true
 
-  '@swc/core-linux-x64-musl@1.13.5':
+  '@swc/core-linux-x64-musl@1.13.19':
     optional: true
 
-  '@swc/core-win32-arm64-msvc@1.13.5':
+  '@swc/core-win32-arm64-msvc@1.13.19':
     optional: true
 
-  '@swc/core-win32-ia32-msvc@1.13.5':
+  '@swc/core-win32-ia32-msvc@1.13.19':
     optional: true
 
-  '@swc/core-win32-x64-msvc@1.13.5':
+  '@swc/core-win32-x64-msvc@1.13.19':
     optional: true
 
-  '@swc/core@1.13.5':
+  '@swc/core@1.13.19':
     dependencies:
       '@swc/counter': 0.1.3
       '@swc/types': 0.1.25
     optionalDependencies:
-      '@swc/core-darwin-arm64': 1.13.5
-      '@swc/core-darwin-x64': 1.13.5
-      '@swc/core-linux-arm-gnueabihf': 1.13.5
-      '@swc/core-linux-arm64-gnu': 1.13.5
-      '@swc/core-linux-arm64-musl': 1.13.5
-      '@swc/core-linux-x64-gnu': 1.13.5
-      '@swc/core-linux-x64-musl': 1.13.5
-      '@swc/core-win32-arm64-msvc': 1.13.5
-      '@swc/core-win32-ia32-msvc': 1.13.5
-      '@swc/core-win32-x64-msvc': 1.13.5
+      '@swc/core-darwin-arm64': 1.13.19
+      '@swc/core-darwin-x64': 1.13.19
+      '@swc/core-linux-arm-gnueabihf': 1.13.19
+      '@swc/core-linux-arm64-gnu': 1.13.19
+      '@swc/core-linux-arm64-musl': 1.13.19
+      '@swc/core-linux-x64-gnu': 1.13.19
+      '@swc/core-linux-x64-musl': 1.13.19
+      '@swc/core-win32-arm64-msvc': 1.13.19
+      '@swc/core-win32-ia32-msvc': 1.13.19
+      '@swc/core-win32-x64-msvc': 1.13.19
 
   '@swc/counter@0.1.3': {}
 
@@ -3647,19 +3653,19 @@ snapshots:
     dependencies:
       '@swc/counter': 0.1.3
 
-  '@tanstack/query-core@5.87.1': {}
+  '@tanstack/query-core@5.90.2': {}
 
-  '@tanstack/query-devtools@5.87.3': {}
+  '@tanstack/query-devtools@5.90.1': {}
 
-  '@tanstack/react-query-devtools@5.87.3(@tanstack/react-query@5.87.1(react@19.1.1))(react@19.1.1)':
+  '@tanstack/react-query-devtools@5.90.2(@tanstack/react-query@5.90.2(react@19.1.1))(react@19.1.1)':
     dependencies:
-      '@tanstack/query-devtools': 5.87.3
-      '@tanstack/react-query': 5.87.1(react@19.1.1)
+      '@tanstack/query-devtools': 5.90.1
+      '@tanstack/react-query': 5.90.2(react@19.1.1)
       react: 19.1.1
 
-  '@tanstack/react-query@5.87.1(react@19.1.1)':
+  '@tanstack/react-query@5.90.2(react@19.1.1)':
     dependencies:
-      '@tanstack/query-core': 5.87.1
+      '@tanstack/query-core': 5.90.2
       react: 19.1.1
 
   '@tanstack/react-virtual@3.13.12(react-dom@19.1.1(react@19.1.1))(react@19.1.1)':
@@ -3672,7 +3678,7 @@ snapshots:
 
   '@types/byte-size@8.1.2': {}
 
-  '@types/d3-array@3.2.1': {}
+  '@types/d3-array@3.2.2': {}
 
   '@types/d3-color@3.1.3': {}
 
@@ -3730,9 +3736,9 @@ snapshots:
 
   '@types/ms@2.1.0': {}
 
-  '@types/node@24.3.1':
+  '@types/node@24.5.2':
     dependencies:
-      undici-types: 7.10.0
+      undici-types: 7.12.0
 
   '@types/normalize-package-data@2.4.4': {}
 
@@ -3740,22 +3746,22 @@ snapshots:
 
   '@types/qs@6.14.0': {}
 
-  '@types/react-dom@19.1.9(@types/react@19.1.12)':
+  '@types/react-dom@19.1.9(@types/react@19.1.13)':
     dependencies:
-      '@types/react': 19.1.12
+      '@types/react': 19.1.13
 
   '@types/react-router-dom@5.3.3':
     dependencies:
       '@types/history': 4.7.11
-      '@types/react': 19.1.12
+      '@types/react': 19.1.13
       '@types/react-router': 5.1.20
 
   '@types/react-router@5.1.20':
     dependencies:
       '@types/history': 4.7.11
-      '@types/react': 19.1.12
+      '@types/react': 19.1.13
 
-  '@types/react@19.1.12':
+  '@types/react@19.1.13':
     dependencies:
       csstype: 3.1.3
 
@@ -3774,11 +3780,11 @@ snapshots:
       '@use-gesture/core': 10.3.1
       react: 19.1.1
 
-  '@vitejs/plugin-react-swc@4.0.1(vite@7.1.5(@types/node@24.3.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))':
+  '@vitejs/plugin-react-swc@4.1.0(vite@7.1.7(@types/node@24.5.2)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))':
     dependencies:
-      '@rolldown/pluginutils': 1.0.0-beta.32
-      '@swc/core': 1.13.5
-      vite: 7.1.5(@types/node@24.3.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
+      '@rolldown/pluginutils': 1.0.0-beta.35
+      '@swc/core': 1.13.19
+      vite: 7.1.7(@types/node@24.5.2)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
     transitivePeerDependencies:
       - '@swc/helpers'
 
@@ -3815,15 +3821,15 @@ snapshots:
 
   autoprefixer@10.4.21(postcss@8.5.6):
     dependencies:
-      browserslist: 4.25.4
-      caniuse-lite: 1.0.30001741
+      browserslist: 4.26.2
+      caniuse-lite: 1.0.30001745
       fraction.js: 4.3.7
       normalize-range: 0.1.2
       picocolors: 1.1.1
       postcss: 8.5.6
       postcss-value-parser: 4.2.0
 
-  axios@1.12.0:
+  axios@1.12.2:
     dependencies:
       follow-redirects: 1.15.11
       form-data: 4.0.4
@@ -3841,6 +3847,8 @@ snapshots:
 
   balanced-match@1.0.2: {}
 
+  baseline-browser-mapping@2.8.7: {}
+
   bignumber.js@9.3.1: {}
 
   binary-extensions@2.3.0: {}
@@ -3854,12 +3862,13 @@ snapshots:
     dependencies:
       fill-range: 7.1.1
 
-  browserslist@4.25.4:
+  browserslist@4.26.2:
     dependencies:
-      caniuse-lite: 1.0.30001741
-      electron-to-chromium: 1.5.215
-      node-releases: 2.0.20
-      update-browserslist-db: 1.1.3(browserslist@4.25.4)
+      baseline-browser-mapping: 2.8.7
+      caniuse-lite: 1.0.30001745
+      electron-to-chromium: 1.5.224
+      node-releases: 2.0.21
+      update-browserslist-db: 1.1.3(browserslist@4.26.2)
 
   buffer-from@1.1.2: {}
 
@@ -3885,7 +3894,7 @@ snapshots:
 
   camelcase@5.3.1: {}
 
-  caniuse-lite@1.0.30001741: {}
+  caniuse-lite@1.0.30001745: {}
 
   ccount@2.0.1: {}
 
@@ -4160,7 +4169,7 @@ snapshots:
 
   dayjs@1.11.18: {}
 
-  debug@4.4.1:
+  debug@4.4.3:
     dependencies:
       ms: 2.1.3
 
@@ -4234,7 +4243,7 @@ snapshots:
       es-errors: 1.3.0
       gopd: 1.2.0
 
-  electron-to-chromium@1.5.215: {}
+  electron-to-chromium@1.5.224: {}
 
   emoji-regex@8.0.0: {}
 
@@ -4242,7 +4251,7 @@ snapshots:
 
   entities@6.0.1: {}
 
-  error-ex@1.3.2:
+  error-ex@1.3.4:
     dependencies:
       is-arrayish: 0.2.1
 
@@ -4263,34 +4272,34 @@ snapshots:
 
   es-toolkit@1.39.10: {}
 
-  esbuild@0.25.9:
+  esbuild@0.25.10:
     optionalDependencies:
-      '@esbuild/aix-ppc64': 0.25.9
-      '@esbuild/android-arm': 0.25.9
-      '@esbuild/android-arm64': 0.25.9
-      '@esbuild/android-x64': 0.25.9
-      '@esbuild/darwin-arm64': 0.25.9
-      '@esbuild/darwin-x64': 0.25.9
-      '@esbuild/freebsd-arm64': 0.25.9
-      '@esbuild/freebsd-x64': 0.25.9
-      '@esbuild/linux-arm': 0.25.9
-      '@esbuild/linux-arm64': 0.25.9
-      '@esbuild/linux-ia32': 0.25.9
-      '@esbuild/linux-loong64': 0.25.9
-      '@esbuild/linux-mips64el': 0.25.9
-      '@esbuild/linux-ppc64': 0.25.9
-      '@esbuild/linux-riscv64': 0.25.9
-      '@esbuild/linux-s390x': 0.25.9
-      '@esbuild/linux-x64': 0.25.9
-      '@esbuild/netbsd-arm64': 0.25.9
-      '@esbuild/netbsd-x64': 0.25.9
-      '@esbuild/openbsd-arm64': 0.25.9
-      '@esbuild/openbsd-x64': 0.25.9
-      '@esbuild/openharmony-arm64': 0.25.9
-      '@esbuild/sunos-x64': 0.25.9
-      '@esbuild/win32-arm64': 0.25.9
-      '@esbuild/win32-ia32': 0.25.9
-      '@esbuild/win32-x64': 0.25.9
+      '@esbuild/aix-ppc64': 0.25.10
+      '@esbuild/android-arm': 0.25.10
+      '@esbuild/android-arm64': 0.25.10
+      '@esbuild/android-x64': 0.25.10
+      '@esbuild/darwin-arm64': 0.25.10
+      '@esbuild/darwin-x64': 0.25.10
+      '@esbuild/freebsd-arm64': 0.25.10
+      '@esbuild/freebsd-x64': 0.25.10
+      '@esbuild/linux-arm': 0.25.10
+      '@esbuild/linux-arm64': 0.25.10
+      '@esbuild/linux-ia32': 0.25.10
+      '@esbuild/linux-loong64': 0.25.10
+      '@esbuild/linux-mips64el': 0.25.10
+      '@esbuild/linux-ppc64': 0.25.10
+      '@esbuild/linux-riscv64': 0.25.10
+      '@esbuild/linux-s390x': 0.25.10
+      '@esbuild/linux-x64': 0.25.10
+      '@esbuild/netbsd-arm64': 0.25.10
+      '@esbuild/netbsd-x64': 0.25.10
+      '@esbuild/openbsd-arm64': 0.25.10
+      '@esbuild/openbsd-x64': 0.25.10
+      '@esbuild/openharmony-arm64': 0.25.10
+      '@esbuild/sunos-x64': 0.25.10
+      '@esbuild/win32-arm64': 0.25.10
+      '@esbuild/win32-ia32': 0.25.10
+      '@esbuild/win32-x64': 0.25.10
 
   escalade@3.2.0: {}
 
@@ -4354,9 +4363,9 @@ snapshots:
 
   fraction.js@4.3.7: {}
 
-  framer-motion@12.23.12(@emotion/is-prop-valid@1.4.0)(react-dom@19.1.1(react@19.1.1))(react@19.1.1):
+  framer-motion@12.23.22(@emotion/is-prop-valid@1.4.0)(react-dom@19.1.1(react@19.1.1))(react@19.1.1):
     dependencies:
-      motion-dom: 12.23.12
+      motion-dom: 12.23.21
       motion-utils: 12.23.6
       tslib: 2.8.1
     optionalDependencies:
@@ -4559,7 +4568,7 @@ snapshots:
       domhandler: 5.0.3
       htmlparser2: 10.0.0
 
-  html-react-parser@5.2.6(@types/react@19.1.12)(react@19.1.1):
+  html-react-parser@5.2.6(@types/react@19.1.13)(react@19.1.1):
     dependencies:
       domhandler: 5.0.3
       html-dom-parser: 5.1.1
@@ -4567,7 +4576,7 @@ snapshots:
       react-property: 2.0.2
       style-to-js: 1.1.17
     optionalDependencies:
-      '@types/react': 19.1.12
+      '@types/react': 19.1.13
 
   html-url-attributes@3.0.1: {}
 
@@ -4580,7 +4589,7 @@ snapshots:
       domutils: 3.2.2
       entities: 6.0.1
 
-  humanize-duration@3.33.0: {}
+  humanize-duration@3.33.1: {}
 
   immer@10.1.3: {}
 
@@ -4648,7 +4657,7 @@ snapshots:
 
   isarray@1.0.0: {}
 
-  itertools@2.4.1: {}
+  itertools@2.5.0: {}
 
   jiti@2.4.2:
     optional: true
@@ -4831,9 +4840,9 @@ snapshots:
       type-fest: 0.18.1
       yargs-parser: 20.2.9
 
-  merge-refs@2.0.0(@types/react@19.1.12):
+  merge-refs@2.0.0(@types/react@19.1.13):
     optionalDependencies:
-      '@types/react': 19.1.12
+      '@types/react': 19.1.13
 
   micromark-core-commonmark@2.0.3:
     dependencies:
@@ -4949,7 +4958,7 @@ snapshots:
   micromark@4.0.2:
     dependencies:
       '@types/debug': 4.1.12
-      debug: 4.4.1
+      debug: 4.4.3
       decode-named-character-reference: 1.2.0
       devlop: 1.1.0
       micromark-core-commonmark: 2.0.3
@@ -4994,15 +5003,15 @@ snapshots:
 
   modify-values@1.0.1: {}
 
-  motion-dom@12.23.12:
+  motion-dom@12.23.21:
     dependencies:
       motion-utils: 12.23.6
 
   motion-utils@12.23.6: {}
 
-  motion@12.23.12(@emotion/is-prop-valid@1.4.0)(react-dom@19.1.1(react@19.1.1))(react@19.1.1):
+  motion@12.23.22(@emotion/is-prop-valid@1.4.0)(react-dom@19.1.1(react@19.1.1))(react@19.1.1):
     dependencies:
-      framer-motion: 12.23.12(@emotion/is-prop-valid@1.4.0)(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
+      framer-motion: 12.23.22(@emotion/is-prop-valid@1.4.0)(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
       tslib: 2.8.1
     optionalDependencies:
       '@emotion/is-prop-valid': 1.4.0
@@ -5017,7 +5026,7 @@ snapshots:
 
   neo-async@2.6.2: {}
 
-  node-releases@2.0.20: {}
+  node-releases@2.0.21: {}
 
   normalize-package-data@2.5.0:
     dependencies:
@@ -5093,13 +5102,13 @@ snapshots:
 
   parse-json@4.0.0:
     dependencies:
-      error-ex: 1.3.2
+      error-ex: 1.3.4
       json-parse-better-errors: 1.0.2
 
   parse-json@5.2.0:
     dependencies:
       '@babel/code-frame': 7.27.1
-      error-ex: 1.3.2
+      error-ex: 1.3.4
       json-parse-even-better-errors: 2.3.1
       lines-and-columns: 1.2.4
 
@@ -5193,7 +5202,7 @@ snapshots:
       react: 19.1.1
       scheduler: 0.26.0
 
-  react-hook-form@7.62.0(react@19.1.1):
+  react-hook-form@7.63.0(react@19.1.1):
     dependencies:
       react: 19.1.1
 
@@ -5216,11 +5225,11 @@ snapshots:
     dependencies:
       react: 19.1.1
 
-  react-markdown@10.1.0(@types/react@19.1.12)(react@19.1.1):
+  react-markdown@10.1.0(@types/react@19.1.13)(react@19.1.1):
     dependencies:
       '@types/hast': 3.0.4
       '@types/mdast': 4.0.4
-      '@types/react': 19.1.12
+      '@types/react': 19.1.13
       devlop: 1.1.0
       hast-util-to-jsx-runtime: 2.3.6
       html-url-attributes: 3.0.1
@@ -5242,13 +5251,13 @@ snapshots:
       qr.js: 0.0.0
       react: 19.1.1
 
-  react-redux@9.2.0(@types/react@19.1.12)(react@19.1.1)(redux@5.0.1):
+  react-redux@9.2.0(@types/react@19.1.13)(react@19.1.1)(redux@5.0.1):
     dependencies:
       '@types/use-sync-external-store': 0.0.6
       react: 19.1.1
       use-sync-external-store: 1.5.0(react@19.1.1)
     optionalDependencies:
-      '@types/react': 19.1.12
+      '@types/react': 19.1.13
       redux: 5.0.1
 
   react-resize-detector@12.3.0(react@19.1.1):
@@ -5330,9 +5339,9 @@ snapshots:
     dependencies:
       picomatch: 2.3.1
 
-  recharts@3.2.0(@types/react@19.1.12)(react-dom@19.1.1(react@19.1.1))(react-is@19.1.1)(react@19.1.1)(redux@5.0.1):
+  recharts@3.2.1(@types/react@19.1.13)(react-dom@19.1.1(react@19.1.1))(react-is@19.1.1)(react@19.1.1)(redux@5.0.1):
     dependencies:
-      '@reduxjs/toolkit': 2.9.0(react-redux@9.2.0(@types/react@19.1.12)(react@19.1.1)(redux@5.0.1))(react@19.1.1)
+      '@reduxjs/toolkit': 2.9.0(react-redux@9.2.0(@types/react@19.1.13)(react@19.1.1)(redux@5.0.1))(react@19.1.1)
       clsx: 2.1.1
       decimal.js-light: 2.5.1
       es-toolkit: 1.39.10
@@ -5341,7 +5350,7 @@ snapshots:
       react: 19.1.1
       react-dom: 19.1.1(react@19.1.1)
       react-is: 19.1.1
-      react-redux: 9.2.0(@types/react@19.1.12)(react@19.1.1)(redux@5.0.1)
+      react-redux: 9.2.0(@types/react@19.1.13)(react@19.1.1)(redux@5.0.1)
       reselect: 5.1.1
       tiny-invariant: 1.3.3
       use-sync-external-store: 1.5.0(react@19.1.1)
@@ -5412,31 +5421,32 @@ snapshots:
       path-parse: 1.0.7
       supports-preserve-symlinks-flag: 1.0.0
 
-  rollup@4.50.1:
+  rollup@4.52.2:
     dependencies:
       '@types/estree': 1.0.8
     optionalDependencies:
-      '@rollup/rollup-android-arm-eabi': 4.50.1
-      '@rollup/rollup-android-arm64': 4.50.1
-      '@rollup/rollup-darwin-arm64': 4.50.1
-      '@rollup/rollup-darwin-x64': 4.50.1
-      '@rollup/rollup-freebsd-arm64': 4.50.1
-      '@rollup/rollup-freebsd-x64': 4.50.1
-      '@rollup/rollup-linux-arm-gnueabihf': 4.50.1
-      '@rollup/rollup-linux-arm-musleabihf': 4.50.1
-      '@rollup/rollup-linux-arm64-gnu': 4.50.1
-      '@rollup/rollup-linux-arm64-musl': 4.50.1
-      '@rollup/rollup-linux-loongarch64-gnu': 4.50.1
-      '@rollup/rollup-linux-ppc64-gnu': 4.50.1
-      '@rollup/rollup-linux-riscv64-gnu': 4.50.1
-      '@rollup/rollup-linux-riscv64-musl': 4.50.1
-      '@rollup/rollup-linux-s390x-gnu': 4.50.1
-      '@rollup/rollup-linux-x64-gnu': 4.50.1
-      '@rollup/rollup-linux-x64-musl': 4.50.1
-      '@rollup/rollup-openharmony-arm64': 4.50.1
-      '@rollup/rollup-win32-arm64-msvc': 4.50.1
-      '@rollup/rollup-win32-ia32-msvc': 4.50.1
-      '@rollup/rollup-win32-x64-msvc': 4.50.1
+      '@rollup/rollup-android-arm-eabi': 4.52.2
+      '@rollup/rollup-android-arm64': 4.52.2
+      '@rollup/rollup-darwin-arm64': 4.52.2
+      '@rollup/rollup-darwin-x64': 4.52.2
+      '@rollup/rollup-freebsd-arm64': 4.52.2
+      '@rollup/rollup-freebsd-x64': 4.52.2
+      '@rollup/rollup-linux-arm-gnueabihf': 4.52.2
+      '@rollup/rollup-linux-arm-musleabihf': 4.52.2
+      '@rollup/rollup-linux-arm64-gnu': 4.52.2
+      '@rollup/rollup-linux-arm64-musl': 4.52.2
+      '@rollup/rollup-linux-loong64-gnu': 4.52.2
+      '@rollup/rollup-linux-ppc64-gnu': 4.52.2
+      '@rollup/rollup-linux-riscv64-gnu': 4.52.2
+      '@rollup/rollup-linux-riscv64-musl': 4.52.2
+      '@rollup/rollup-linux-s390x-gnu': 4.52.2
+      '@rollup/rollup-linux-x64-gnu': 4.52.2
+      '@rollup/rollup-linux-x64-musl': 4.52.2
+      '@rollup/rollup-openharmony-arm64': 4.52.2
+      '@rollup/rollup-win32-arm64-msvc': 4.52.2
+      '@rollup/rollup-win32-ia32-msvc': 4.52.2
+      '@rollup/rollup-win32-x64-gnu': 4.52.2
+      '@rollup/rollup-win32-x64-msvc': 4.52.2
       fsevents: 2.3.3
 
   rxjs@7.8.2:
@@ -5611,95 +5621,100 @@ snapshots:
       source-map-support: 0.5.21
     optional: true
 
-  text-camel-case@1.2.4:
+  text-camel-case@1.2.9:
     dependencies:
-      text-pascal-case: 1.2.4
+      text-pascal-case: 1.2.9
 
-  text-capital-case@1.2.4:
+  text-capital-case@1.2.9:
     dependencies:
-      text-no-case: 1.2.4
-      text-upper-case-first: 1.2.4
+      text-no-case: 1.2.9
+      text-upper-case-first: 1.2.9
 
-  text-case@1.2.4:
+  text-case@1.2.9:
     dependencies:
-      text-camel-case: 1.2.4
-      text-capital-case: 1.2.4
-      text-constant-case: 1.2.4
-      text-dot-case: 1.2.4
-      text-header-case: 1.2.4
-      text-is-lower-case: 1.2.4
-      text-is-upper-case: 1.2.4
-      text-lower-case: 1.2.4
-      text-lower-case-first: 1.2.4
-      text-no-case: 1.2.4
-      text-param-case: 1.2.4
-      text-pascal-case: 1.2.4
-      text-path-case: 1.2.4
-      text-sentence-case: 1.2.4
-      text-snake-case: 1.2.4
-      text-swap-case: 1.2.4
-      text-title-case: 1.2.4
-      text-upper-case: 1.2.4
-      text-upper-case-first: 1.2.4
+      text-camel-case: 1.2.9
+      text-capital-case: 1.2.9
+      text-constant-case: 1.2.9
+      text-dot-case: 1.2.9
+      text-header-case: 1.2.9
+      text-is-lower-case: 1.2.9
+      text-is-upper-case: 1.2.9
+      text-kebab-case: 1.2.9
+      text-lower-case: 1.2.9
+      text-lower-case-first: 1.2.9
+      text-no-case: 1.2.9
+      text-param-case: 1.2.9
+      text-pascal-case: 1.2.9
+      text-path-case: 1.2.9
+      text-sentence-case: 1.2.9
+      text-snake-case: 1.2.9
+      text-swap-case: 1.2.9
+      text-title-case: 1.2.9
+      text-upper-case: 1.2.9
+      text-upper-case-first: 1.2.9
 
-  text-constant-case@1.2.4:
+  text-constant-case@1.2.9:
     dependencies:
-      text-no-case: 1.2.4
-      text-upper-case: 1.2.4
+      text-no-case: 1.2.9
+      text-upper-case: 1.2.9
 
-  text-dot-case@1.2.4:
+  text-dot-case@1.2.9:
     dependencies:
-      text-no-case: 1.2.4
+      text-no-case: 1.2.9
 
   text-extensions@1.9.0: {}
 
-  text-header-case@1.2.4:
+  text-header-case@1.2.9:
     dependencies:
-      text-capital-case: 1.2.4
+      text-capital-case: 1.2.9
+
+  text-is-lower-case@1.2.9: {}
 
-  text-is-lower-case@1.2.4: {}
+  text-is-upper-case@1.2.9: {}
 
-  text-is-upper-case@1.2.4: {}
+  text-kebab-case@1.2.9:
+    dependencies:
+      text-no-case: 1.2.9
 
-  text-lower-case-first@1.2.4: {}
+  text-lower-case-first@1.2.9: {}
 
-  text-lower-case@1.2.4: {}
+  text-lower-case@1.2.9: {}
 
-  text-no-case@1.2.4:
+  text-no-case@1.2.9:
     dependencies:
-      text-lower-case: 1.2.4
+      text-lower-case: 1.2.9
 
-  text-param-case@1.2.4:
+  text-param-case@1.2.9:
     dependencies:
-      text-dot-case: 1.2.4
+      text-dot-case: 1.2.9
 
-  text-pascal-case@1.2.4:
+  text-pascal-case@1.2.9:
     dependencies:
-      text-no-case: 1.2.4
+      text-no-case: 1.2.9
 
-  text-path-case@1.2.4:
+  text-path-case@1.2.9:
     dependencies:
-      text-dot-case: 1.2.4
+      text-dot-case: 1.2.9
 
-  text-sentence-case@1.2.4:
+  text-sentence-case@1.2.9:
     dependencies:
-      text-no-case: 1.2.4
-      text-upper-case-first: 1.2.4
+      text-no-case: 1.2.9
+      text-upper-case-first: 1.2.9
 
-  text-snake-case@1.2.4:
+  text-snake-case@1.2.9:
     dependencies:
-      text-dot-case: 1.2.4
+      text-dot-case: 1.2.9
 
-  text-swap-case@1.2.4: {}
+  text-swap-case@1.2.9: {}
 
-  text-title-case@1.2.4:
+  text-title-case@1.2.9:
     dependencies:
-      text-no-case: 1.2.4
-      text-upper-case-first: 1.2.4
+      text-no-case: 1.2.9
+      text-upper-case-first: 1.2.9
 
-  text-upper-case-first@1.2.4: {}
+  text-upper-case-first@1.2.9: {}
 
-  text-upper-case@1.2.4: {}
+  text-upper-case@1.2.9: {}
 
   through2@2.0.5:
     dependencies:
@@ -5752,7 +5767,7 @@ snapshots:
   uglify-js@3.19.3:
     optional: true
 
-  undici-types@7.10.0: {}
+  undici-types@7.12.0: {}
 
   unified@11.0.5:
     dependencies:
@@ -5787,9 +5802,9 @@ snapshots:
       unist-util-is: 6.0.0
       unist-util-visit-parents: 6.0.1
 
-  update-browserslist-db@1.1.3(browserslist@4.25.4):
+  update-browserslist-db@1.1.3(browserslist@4.26.2):
     dependencies:
-      browserslist: 4.25.4
+      browserslist: 4.26.2
       escalade: 3.2.0
       picocolors: 1.1.1
 
@@ -5839,7 +5854,7 @@ snapshots:
 
   victory-vendor@37.3.6:
     dependencies:
-      '@types/d3-array': 3.2.1
+      '@types/d3-array': 3.2.2
       '@types/d3-ease': 3.0.2
       '@types/d3-interpolate': 3.0.4
       '@types/d3-scale': 4.0.9
@@ -5854,20 +5869,20 @@ snapshots:
       d3-time: 3.1.0
       d3-timer: 3.0.1
 
-  vite-plugin-package-version@1.1.0(vite@7.1.5(@types/node@24.3.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)):
+  vite-plugin-package-version@1.1.0(vite@7.1.7(@types/node@24.5.2)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)):
     dependencies:
-      vite: 7.1.5(@types/node@24.3.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
+      vite: 7.1.7(@types/node@24.5.2)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
 
-  vite@7.1.5(@types/node@24.3.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1):
+  vite@7.1.7(@types/node@24.5.2)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1):
     dependencies:
-      esbuild: 0.25.9
+      esbuild: 0.25.10
       fdir: 6.5.0(picomatch@4.0.3)
       picomatch: 4.0.3
       postcss: 8.5.6
-      rollup: 4.50.1
+      rollup: 4.52.2
       tinyglobby: 0.2.15
     optionalDependencies:
-      '@types/node': 24.3.1
+      '@types/node': 24.5.2
       fsevents: 2.3.3
       jiti: 2.4.2
       sass: 1.70.0
@@ -5954,9 +5969,9 @@ snapshots:
 
   zod@3.25.76: {}
 
-  zustand@5.0.8(@types/react@19.1.12)(immer@10.1.3)(react@19.1.1)(use-sync-external-store@1.5.0(react@19.1.1)):
+  zustand@5.0.8(@types/react@19.1.13)(immer@10.1.3)(react@19.1.1)(use-sync-external-store@1.5.0(react@19.1.1)):
     optionalDependencies:
-      '@types/react': 19.1.12
+      '@types/react': 19.1.13
       immer: 10.1.3
       react: 19.1.1
       use-sync-external-store: 1.5.0(react@19.1.1)

From 9d175b7eb954dfb49cd3986f4efd7794d15aed2e Mon Sep 17 00:00:00 2001
From: Adam <adam@defguard.net>
Date: Mon, 29 Sep 2025 15:26:42 +0200
Subject: [PATCH 17/50] Return NotFound to proxy for missing OpenID provider
 (#1626)

---
 Cargo.lock                           | 210 +++++++++++++--------------
 crates/defguard_core/src/grpc/mod.rs |   2 +-
 2 files changed, 105 insertions(+), 107 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 0bd268902d..79c2da0ed5 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4,9 +4,9 @@ version = 4
 
 [[package]]
 name = "addr2line"
-version = "0.24.2"
+version = "0.25.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dfbe277e56a376000877090da837660b4427aad530e3028d44e0bffe4f89a1c1"
+checksum = "1b5d307320b3181d6d7954e663bd7c774a838b8220fe0593c86d9fb09f498b4b"
 dependencies = [
  "gimli",
 ]
@@ -284,9 +284,9 @@ checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
 
 [[package]]
 name = "axum"
-version = "0.8.4"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "021e862c184ae977658b36c4500f7feac3221ca5da43e3f25bd04ab6c79a29b5"
+checksum = "98e529aee37b5c8206bb4bf4c44797127566d72f76952c970bd3d1e85de8f4e2"
 dependencies = [
  "axum-core",
  "bytes",
@@ -303,8 +303,7 @@ dependencies = [
  "mime",
  "percent-encoding",
  "pin-project-lite",
- "rustversion",
- "serde",
+ "serde_core",
  "serde_json",
  "serde_path_to_error",
  "serde_urlencoded",
@@ -329,9 +328,9 @@ dependencies = [
 
 [[package]]
 name = "axum-core"
-version = "0.5.2"
+version = "0.5.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "68464cd0412f486726fb3373129ef5d2993f90c34bc2bc1c1e9943b2f4fc7ca6"
+checksum = "0ac7a6beb1182c7e30253ee75c3e918080bfb83f5a3023bcdf7209d85fd147e6"
 dependencies = [
  "bytes",
  "futures-core",
@@ -340,7 +339,6 @@ dependencies = [
  "http-body-util",
  "mime",
  "pin-project-lite",
- "rustversion",
  "sync_wrapper",
  "tower-layer",
  "tower-service",
@@ -349,9 +347,9 @@ dependencies = [
 
 [[package]]
 name = "axum-extra"
-version = "0.10.1"
+version = "0.10.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "45bf463831f5131b7d3c756525b305d40f1185b688565648a92e1392ca35713d"
+checksum = "d86d701cd16f401888ebe9c3214dc838c7ef27a405d5726196765a913603b5dd"
 dependencies = [
  "axum",
  "axum-core",
@@ -366,19 +364,19 @@ dependencies = [
  "mime",
  "pin-project-lite",
  "rustversion",
- "serde",
+ "serde_core",
  "serde_html_form",
  "serde_path_to_error",
- "tower",
  "tower-layer",
  "tower-service",
+ "tracing",
 ]
 
 [[package]]
 name = "backtrace"
-version = "0.3.75"
+version = "0.3.76"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6806a6321ec58106fea15becdad98371e28d92ccbc7c8f1b3b6dd724fe8f1002"
+checksum = "bb531853791a215d7c62a30daf0dde835f381ab5de4589cfe7c649d2cbe92bd6"
 dependencies = [
  "addr2line",
  "cfg-if",
@@ -386,7 +384,7 @@ dependencies = [
  "miniz_oxide",
  "object",
  "rustc-demangle",
- "windows-targets 0.52.6",
+ "windows-link 0.2.0",
 ]
 
 [[package]]
@@ -454,7 +452,7 @@ dependencies = [
  "proc-macro2",
  "quote",
  "syn",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 ]
 
 [[package]]
@@ -582,9 +580,9 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.2.38"
+version = "1.2.39"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "80f41ae168f955c12fb8960b057d70d0ca153fb83182b57d86380443527be7e9"
+checksum = "e1354349954c6fc9cb0deab020f27f783cf0b604e8bb754dc4658ecf0d29c35f"
 dependencies = [
  "find-msvc-tools",
  "jobserver",
@@ -1135,7 +1133,7 @@ dependencies = [
  "serde",
  "sqlx",
  "struct-patch",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
  "tonic",
  "tracing",
  "utoipa",
@@ -1198,7 +1196,7 @@ dependencies = [
  "strum",
  "strum_macros",
  "tera",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
  "time",
  "tokio",
  "tokio-stream",
@@ -1232,7 +1230,7 @@ dependencies = [
  "defguard_core",
  "serde_json",
  "sqlx",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
  "tokio",
  "tracing",
 ]
@@ -1244,7 +1242,7 @@ dependencies = [
  "defguard_core",
  "defguard_event_logger",
  "defguard_mail",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
  "tokio",
  "tracing",
 ]
@@ -1263,7 +1261,7 @@ dependencies = [
  "serde_json",
  "sqlx",
  "tera",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
  "tokio",
  "tracing",
 ]
@@ -1288,7 +1286,7 @@ dependencies = [
  "os_info",
  "semver",
  "serde",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
  "tonic",
  "tower",
  "tracing",
@@ -1331,12 +1329,12 @@ dependencies = [
 
 [[package]]
 name = "deranged"
-version = "0.5.3"
+version = "0.5.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d630bccd429a5bb5a64b5e94f693bfc48c9f8566418fda4c494cc94f911f87cc"
+checksum = "a41953f86f8a05768a6cda24def994fd2f424b04ec5c719cf89989779f199071"
 dependencies = [
  "powerfmt",
- "serde",
+ "serde_core",
 ]
 
 [[package]]
@@ -1638,7 +1636,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
  "libc",
- "windows-sys 0.61.0",
+ "windows-sys 0.61.1",
 ]
 
 [[package]]
@@ -1941,9 +1939,9 @@ dependencies = [
 
 [[package]]
 name = "gimli"
-version = "0.31.1"
+version = "0.32.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f"
+checksum = "e629b9b98ef3dd8afe6ca2bd0f89306cec16d43d907889945bc5d6687f2f13c7"
 
 [[package]]
 name = "git2"
@@ -2579,9 +2577,9 @@ dependencies = [
 
 [[package]]
 name = "js-sys"
-version = "0.3.80"
+version = "0.3.81"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "852f13bec5eba4ba9afbeb93fd7c13fe56147f055939ae21c43a29a0ecb2702e"
+checksum = "ec48937a97411dcb524a265206ccd4c90bb711fca92b2792c407f268825b9305"
 dependencies = [
  "once_cell",
  "wasm-bindgen",
@@ -2715,9 +2713,9 @@ dependencies = [
 
 [[package]]
 name = "libc"
-version = "0.2.175"
+version = "0.2.176"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a82ae493e598baaea5209805c49bbf2ea7de956d50d7da0da1164f9c6d28543"
+checksum = "58f929b4d672ea937a23a1ab494143d968337a5f47e56d0815df1e0890ddf174"
 
 [[package]]
 name = "libgit2-sys"
@@ -2895,9 +2893,9 @@ dependencies = [
 
 [[package]]
 name = "memchr"
-version = "2.7.5"
+version = "2.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "32a282da65faaf38286cf3be983213fcf1d2e2a58700e808f83f4ea9a4804bc0"
+checksum = "f52b00d39961fc5b2736ea853c9cc86238e165017a493d1d5c8eac6bdc4cc273"
 
 [[package]]
 name = "mime"
@@ -3140,9 +3138,9 @@ dependencies = [
 
 [[package]]
 name = "object"
-version = "0.36.7"
+version = "0.37.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "62948e14d923ea95ea2c7c86c71013138b66525b86bdc08d2dcc262bdb497b87"
+checksum = "ff76201f031d8863c38aa7f905eca4f53abbfa15f609db4277d44cd8938f33fe"
 dependencies = [
  "memchr",
 ]
@@ -3434,7 +3432,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "21e0a3a33733faeaf8651dfee72dd0f388f0c8e5ad496a3478fa5a922f49cfa8"
 dependencies = [
  "memchr",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
  "ucd-trie",
 ]
 
@@ -3882,7 +3880,7 @@ dependencies = [
  "rustc-hash",
  "rustls",
  "socket2",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
  "tokio",
  "tracing",
  "web-time",
@@ -3903,7 +3901,7 @@ dependencies = [
  "rustls",
  "rustls-pki-types",
  "slab",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
  "tinyvec",
  "tracing",
  "web-time",
@@ -3925,9 +3923,9 @@ dependencies = [
 
 [[package]]
 name = "quote"
-version = "1.0.40"
+version = "1.0.41"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1885c039570dc00dcb4ff087a89e185fd56bae234ddc7f056a945bf36467248d"
+checksum = "ce25767e7b499d1b604768e7cde645d14cc8584231ea6b295e9c9eb22c02e1d1"
 dependencies = [
  "proc-macro2",
 ]
@@ -4020,18 +4018,18 @@ dependencies = [
 
 [[package]]
 name = "ref-cast"
-version = "1.0.24"
+version = "1.0.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4a0ae411dbe946a674d89546582cea4ba2bb8defac896622d6496f14c23ba5cf"
+checksum = "f354300ae66f76f1c85c5f84693f0ce81d747e2c3f21a45fef496d89c960bf7d"
 dependencies = [
  "ref-cast-impl",
 ]
 
 [[package]]
 name = "ref-cast-impl"
-version = "1.0.24"
+version = "1.0.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1165225c21bff1f3bbce98f5a1f889949bc902d3575308cc7b0de30b4f6d27c7"
+checksum = "b7186006dcb21920990093f30e3dea63b7d6e977bf1256be20c3563a5db070da"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -4040,9 +4038,9 @@ dependencies = [
 
 [[package]]
 name = "regex"
-version = "1.11.2"
+version = "1.11.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "23d7fd106d8c02486a8d64e778353d1cffe08ce79ac2e82f540c86d0facf6912"
+checksum = "8b5288124840bee7b386bc413c487869b360b2b4ec421ea56425128692f2a82c"
 dependencies = [
  "aho-corasick",
  "memchr",
@@ -4052,9 +4050,9 @@ dependencies = [
 
 [[package]]
 name = "regex-automata"
-version = "0.4.10"
+version = "0.4.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6b9458fa0bfeeac22b5ca447c63aaf45f28439a709ccd244698632f9aa6394d6"
+checksum = "833eb9ce86d40ef33cb1306d8accf7bc8ec2bfea4355cbdebb3df68b40925cad"
 dependencies = [
  "aho-corasick",
  "memchr",
@@ -4257,7 +4255,7 @@ dependencies = [
  "errno",
  "libc",
  "linux-raw-sys",
- "windows-sys 0.61.0",
+ "windows-sys 0.61.1",
 ]
 
 [[package]]
@@ -4284,7 +4282,7 @@ dependencies = [
  "openssl-probe",
  "rustls-pki-types",
  "schannel",
- "security-framework 3.5.0",
+ "security-framework 3.5.1",
 ]
 
 [[package]]
@@ -4335,7 +4333,7 @@ version = "0.1.28"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "891d81b926048e76efe18581bf793546b4c0eaf8448d72be8de2bbee5fd166e1"
 dependencies = [
- "windows-sys 0.61.0",
+ "windows-sys 0.61.1",
 ]
 
 [[package]]
@@ -4408,9 +4406,9 @@ dependencies = [
 
 [[package]]
 name = "security-framework"
-version = "3.5.0"
+version = "3.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cc198e42d9b7510827939c9a15f5062a0c913f3371d765977e586d2fe6c16f4a"
+checksum = "b3297343eaf830f66ede390ea39da1d462b6b0c1b000f420d0a83f898bbbe6ef"
 dependencies = [
  "bitflags 2.9.4",
  "core-foundation 0.10.1",
@@ -4441,9 +4439,9 @@ dependencies = [
 
 [[package]]
 name = "serde"
-version = "1.0.226"
+version = "1.0.228"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0dca6411025b24b60bfa7ec1fe1f8e710ac09782dca409ee8237ba74b51295fd"
+checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
 dependencies = [
  "serde_core",
  "serde_derive",
@@ -4481,18 +4479,18 @@ dependencies = [
 
 [[package]]
 name = "serde_core"
-version = "1.0.226"
+version = "1.0.228"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ba2ba63999edb9dac981fb34b3e5c0d111a69b0924e253ed29d83f7c99e966a4"
+checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
 dependencies = [
  "serde_derive",
 ]
 
 [[package]]
 name = "serde_derive"
-version = "1.0.226"
+version = "1.0.228"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8db53ae22f34573731bafa1db20f04027b2d25e02d8205921b569171699cdb33"
+checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -4553,7 +4551,7 @@ checksum = "f3faaf9e727533a19351a43cc5a8de957372163c7d35cc48c90b75cdda13c352"
 dependencies = [
  "percent-encoding",
  "serde",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 ]
 
 [[package]]
@@ -4739,7 +4737,7 @@ checksum = "297f631f50729c8c99b84667867963997ec0b50f32b2a7dbcab828ef0541e8bb"
 dependencies = [
  "num-bigint",
  "num-traits",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
  "time",
 ]
 
@@ -4867,7 +4865,7 @@ dependencies = [
  "serde_json",
  "sha2",
  "smallvec",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
  "tokio",
  "tokio-stream",
  "tracing",
@@ -4951,7 +4949,7 @@ dependencies = [
  "smallvec",
  "sqlx-core",
  "stringprep",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
  "tracing",
  "uuid",
  "whoami",
@@ -4991,7 +4989,7 @@ dependencies = [
  "smallvec",
  "sqlx-core",
  "stringprep",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
  "tracing",
  "uuid",
  "whoami",
@@ -5017,7 +5015,7 @@ dependencies = [
  "serde",
  "serde_urlencoded",
  "sqlx-core",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
  "tracing",
  "url",
  "uuid",
@@ -5232,15 +5230,15 @@ checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369"
 
 [[package]]
 name = "tempfile"
-version = "3.22.0"
+version = "3.23.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "84fa4d11fadde498443cca10fd3ac23c951f0dc59e080e9f4b93d4df4e4eea53"
+checksum = "2d31c77bdf42a745371d260a26ca7163f1e0924b64afa0b688e61b5a9fa02f16"
 dependencies = [
  "fastrand",
  "getrandom 0.3.3",
  "once_cell",
  "rustix",
- "windows-sys 0.61.0",
+ "windows-sys 0.61.1",
 ]
 
 [[package]]
@@ -5287,11 +5285,11 @@ dependencies = [
 
 [[package]]
 name = "thiserror"
-version = "2.0.16"
+version = "2.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3467d614147380f2e4e374161426ff399c91084acd2363eaf549172b3d5e60c0"
+checksum = "f63587ca0f12b72a0600bcba1d40081f830876000bb46dd2337a3051618f4fc8"
 dependencies = [
- "thiserror-impl 2.0.16",
+ "thiserror-impl 2.0.17",
 ]
 
 [[package]]
@@ -5307,9 +5305,9 @@ dependencies = [
 
 [[package]]
 name = "thiserror-impl"
-version = "2.0.16"
+version = "2.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6c5e1be1c48b9172ee610da68fd9cd2770e7a4056cb3fc98710ee6906f0c7960"
+checksum = "3ff15c8ecd7de3849db632e14d18d2571fa09dfc5ed93479bc4485c7a517c913"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -5434,9 +5432,9 @@ dependencies = [
 
 [[package]]
 name = "tokio-rustls"
-version = "0.26.3"
+version = "0.26.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05f63835928ca123f1bef57abbcd23bb2ba0ac9ae1235f1e65bda0d06e7786bd"
+checksum = "1729aa945f29d91ba541258c8df89027d5792d85a8841fb65e8bf0f4ede4ef61"
 dependencies = [
  "rustls",
  "tokio",
@@ -6089,9 +6087,9 @@ checksum = "b8dad83b4f25e74f184f64c43b150b91efe7647395b42289f38e50566d82855b"
 
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.103"
+version = "0.2.104"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ab10a69fbd0a177f5f649ad4d8d3305499c42bab9aef2f7ff592d0ec8f833819"
+checksum = "c1da10c01ae9f1ae40cbfac0bac3b1e724b320abfcf52229f80b547c0d250e2d"
 dependencies = [
  "cfg-if",
  "once_cell",
@@ -6102,9 +6100,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-backend"
-version = "0.2.103"
+version = "0.2.104"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0bb702423545a6007bbc368fde243ba47ca275e549c8a28617f56f6ba53b1d1c"
+checksum = "671c9a5a66f49d8a47345ab942e2cb93c7d1d0339065d4f8139c486121b43b19"
 dependencies = [
  "bumpalo",
  "log",
@@ -6116,9 +6114,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-futures"
-version = "0.4.53"
+version = "0.4.54"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a0b221ff421256839509adbb55998214a70d829d3a28c69b4a6672e9d2a42f67"
+checksum = "7e038d41e478cc73bae0ff9b36c60cff1c98b8f38f8d7e8061e79ee63608ac5c"
 dependencies = [
  "cfg-if",
  "js-sys",
@@ -6129,9 +6127,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.103"
+version = "0.2.104"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fc65f4f411d91494355917b605e1480033152658d71f722a90647f56a70c88a0"
+checksum = "7ca60477e4c59f5f2986c50191cd972e3a50d8a95603bc9434501cf156a9a119"
 dependencies = [
  "quote",
  "wasm-bindgen-macro-support",
@@ -6139,9 +6137,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.103"
+version = "0.2.104"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ffc003a991398a8ee604a401e194b6b3a39677b3173d6e74495eb51b82e99a32"
+checksum = "9f07d2f20d4da7b26400c9f4a0511e6e0345b040694e8a75bd41d578fa4421d7"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -6152,9 +6150,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.103"
+version = "0.2.104"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "293c37f4efa430ca14db3721dfbe48d8c33308096bd44d80ebaa775ab71ba1cf"
+checksum = "bad67dc8b2a1a6e5448428adec4c3e84c43e561d8c9ee8a9e5aabeb193ec41d1"
 dependencies = [
  "unicode-ident",
 ]
@@ -6174,9 +6172,9 @@ dependencies = [
 
 [[package]]
 name = "web-sys"
-version = "0.3.80"
+version = "0.3.81"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fbe734895e869dc429d78c4b433f8d17d95f8d05317440b4fad5ab2d33e596dc"
+checksum = "9367c417a924a74cae129e6a2ae3b47fabb1f8995595ab474029da749a8be120"
 dependencies = [
  "js-sys",
  "wasm-bindgen",
@@ -6330,14 +6328,14 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.61.0",
+ "windows-sys 0.61.1",
 ]
 
 [[package]]
 name = "windows-core"
-version = "0.62.0"
+version = "0.62.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "57fe7168f7de578d2d8a05b07fd61870d2e73b4020e9f49aa00da8471723497c"
+checksum = "6844ee5416b285084d3d3fffd743b925a6c9385455f64f6d4fa3031c4c2749a9"
 dependencies = [
  "windows-implement",
  "windows-interface",
@@ -6348,9 +6346,9 @@ dependencies = [
 
 [[package]]
 name = "windows-implement"
-version = "0.60.0"
+version = "0.60.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a47fddd13af08290e67f4acabf4b459f647552718f683a7b415d290ac744a836"
+checksum = "edb307e42a74fb6de9bf3a02d9712678b22399c87e6fa869d6dfcd8c1b7754e0"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -6359,9 +6357,9 @@ dependencies = [
 
 [[package]]
 name = "windows-interface"
-version = "0.59.1"
+version = "0.59.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bd9211b69f8dcdfa817bfd14bf1c97c9188afa36f4750130fcdf3f400eca9fa8"
+checksum = "c0abd1ddbc6964ac14db11c7213d6532ef34bd9aa042c2e5935f59d7908b46a5"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -6460,14 +6458,14 @@ version = "0.60.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f2f500e4d28234f72040990ec9d39e3a6b950f9f22d3dba18416c35882612bcb"
 dependencies = [
- "windows-targets 0.53.3",
+ "windows-targets 0.53.4",
 ]
 
 [[package]]
 name = "windows-sys"
-version = "0.61.0"
+version = "0.61.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e201184e40b2ede64bc2ea34968b28e33622acdbbf37104f0e4a33f7abe657aa"
+checksum = "6f109e41dd4a3c848907eb83d5a42ea98b3769495597450cf6d153507b166f0f"
 dependencies = [
  "windows-link 0.2.0",
 ]
@@ -6505,11 +6503,11 @@ dependencies = [
 
 [[package]]
 name = "windows-targets"
-version = "0.53.3"
+version = "0.53.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d5fe6031c4041849d7c496a8ded650796e7b6ecc19df1a431c1a363342e5dc91"
+checksum = "2d42b7b7f66d2a06854650af09cfdf8713e427a439c97ad65a6375318033ac4b"
 dependencies = [
- "windows-link 0.1.3",
+ "windows-link 0.2.0",
  "windows_aarch64_gnullvm 0.53.0",
  "windows_aarch64_msvc 0.53.0",
  "windows_i686_gnu 0.53.0",
diff --git a/crates/defguard_core/src/grpc/mod.rs b/crates/defguard_core/src/grpc/mod.rs
index 9ef9ae7199..12c156697c 100644
--- a/crates/defguard_core/src/grpc/mod.rs
+++ b/crates/defguard_core/src/grpc/mod.rs
@@ -418,7 +418,7 @@ async fn handle_proxy_message_loop(
                             } else {
                                 error!("Failed to get current OpenID provider");
                                 Some(core_response::Payload::CoreError(CoreError {
-                                    status_code: Code::Internal as i32,
+                                    status_code: Code::NotFound as i32,
                                     message: "failed to get current OpenID provider".into(),
                                 }))
                             }

From e8754c5dc89ff6338fe1a147f21596ea80887e91 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Mon, 29 Sep 2025 15:47:02 +0200
Subject: [PATCH 18/50] Periodic sbom regeneration (#1627)

* regenerate sboms and advisories periodically

* fix sbom file name

* remove branch push trigger
---
 .github/workflows/sbom-regenerate.yml | 35 +++++++++++++++++
 .github/workflows/sbom.yml            | 54 ++++++++++++++++++++-------
 2 files changed, 76 insertions(+), 13 deletions(-)
 create mode 100644 .github/workflows/sbom-regenerate.yml

diff --git a/.github/workflows/sbom-regenerate.yml b/.github/workflows/sbom-regenerate.yml
new file mode 100644
index 0000000000..d3c7522c34
--- /dev/null
+++ b/.github/workflows/sbom-regenerate.yml
@@ -0,0 +1,35 @@
+name: Periodic SBOM Regeneration
+
+on:
+  schedule:
+    - cron: '30 2 * * *' # 2:30 AM UTC
+
+jobs:
+  list-releases:
+    name: List releases
+    runs-on: ubuntu-latest
+    outputs:
+      releases: ${{ steps.get-releases.outputs.releases }}
+    steps:
+      - name: Get list of releases
+        id: get-releases
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          RELEASES_JSON=$(gh api repos/${{ github.repository }}/releases \
+            --jq '[.[] | select(.draft == false) | {tagName: .tag_name, uploadUrl: .upload_url}][:1]')
+          echo "releases=$RELEASES_JSON" >> $GITHUB_OUTPUT
+  regenerate-for-release:
+    name: Regenerate SBOM for release
+    needs: list-releases
+    # Don't run if no releases were found.
+    if: needs.list-releases.outputs.releases != '[]'
+    strategy:
+      fail-fast: false
+      matrix:
+        release: ${{ fromJson(needs.list-releases.outputs.releases) }}
+    uses: ./.github/workflows/sbom.yml
+    with:
+      upload_url: ${{ matrix.release.uploadUrl }}
+      tag: ${{ matrix.release.tagName }}
+    secrets: inherit
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 94944c2341..eb5317f1a0 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -7,30 +7,37 @@ on:
         description: "Release assets upload URL"
         required: true
         type: string
+      tag:
+        description: "The git tag to generate SBOM for - used in scheduled runs"
+        required: false
+        type: string
 
 jobs:
   create-sbom:
-    runs-on: self-hosted
+    runs-on: [self-hosted, Linux, X64]
 
     steps:
+      - name: Determine release tag and version
+        id: vars
+        # Uses inputs.tag for scheduled runs, otherwise github.ref_name.
+        run: |
+          TAG_NAME=${{ inputs.tag || github.ref_name }}
+          VERSION=${TAG_NAME#v}
+          echo "TAG_NAME=$TAG_NAME" >> $GITHUB_OUTPUT
+          echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
+          ref: ${{ steps.vars.outputs.TAG_NAME }}
           submodules: recursive
 
-      # Store the version, stripping any v-prefix
-      - name: Write release version
-        run: |
-          VERSION=${GITHUB_REF_NAME#v}
-          echo Version: $VERSION
-          echo "VERSION=$VERSION" >> $GITHUB_ENV
-
       - name: Create SBOM with Trivy
         uses: aquasecurity/trivy-action@0.33.1
         with:
           scan-type: 'fs'
           format: 'spdx-json'
-          output: "defguard-${{ env.VERSION }}.sbom.json"
+          output: "defguard-${{ steps.vars.outputs.VERSION }}.sbom.json"
           scan-ref: '.'
           severity: "CRITICAL,HIGH,MEDIUM,LOW"
           scanners: "vuln"
@@ -38,18 +45,39 @@ jobs:
       - name: Create docker image SBOM with Trivy
         uses: aquasecurity/trivy-action@0.33.1
         with:
-          image-ref: "ghcr.io/defguard/defguard:${{ env.VERSION }}"
+          image-ref: "ghcr.io/defguard/defguard:${{ steps.vars.outputs.VERSION }}"
           scan-type: 'image'
           format: 'spdx-json'
-          output: "defguard-${{ env.VERSION }}-docker.sbom.json"
+          output: "defguard-${{ steps.vars.outputs.VERSION }}-docker.sbom.json"
+          severity: "CRITICAL,HIGH,MEDIUM,LOW"
+          scanners: "vuln"
+
+      - name: Create security advisory file with Trivy
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: 'fs'
+          format: 'json'
+          output: "defguard-${{ steps.vars.outputs.VERSION }}.advisories.json"
+          scan-ref: '.'
+          severity: "CRITICAL,HIGH,MEDIUM,LOW"
+          scanners: "vuln"
+
+      - name: Create docker image security advisory file with Trivy
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: "ghcr.io/defguard/gateway:${{ steps.vars.outputs.VERSION }}"
+          scan-type: 'image'
+          format: 'json'
+          output: "defguard-${{ steps.vars.outputs.VERSION }}-docker.advisories.json"
           severity: "CRITICAL,HIGH,MEDIUM,LOW"
           scanners: "vuln"
 
-      - name: Upload SBOM
+      - name: Upload SBOMs and advisories
         uses: shogo82148/actions-upload-release-asset@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ inputs.upload_url }}
-          asset_path: "defguard-*.sbom.json"
+          asset_path: "defguard-*.json"
           asset_content_type: application/octet-stream
+          overwrite: true

From 8be6d9d4f1038bf193ecca3cfe4ccc88b8fc4f9c Mon Sep 17 00:00:00 2001
From: Adam <adam@defguard.net>
Date: Tue, 30 Sep 2025 09:07:44 +0200
Subject: [PATCH 19/50] Switch to non-Alpine node:24 (#1628)

---
 Cargo.lock | 8 ++++----
 Dockerfile | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 79c2da0ed5..4f054ec8a4 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -128,9 +128,9 @@ dependencies = [
 
 [[package]]
 name = "anstyle"
-version = "1.0.11"
+version = "1.0.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "862ed96ca487e809f1c8e5a8447f6ee2cf102f846893800b20cebdf541fc6bbd"
+checksum = "5192cca8006f1fd4f7237516f40fa183bb07f8fbdfedaa0036de5ea9b0b45e78"
 
 [[package]]
 name = "anstyle-parse"
@@ -6791,9 +6791,9 @@ dependencies = [
 
 [[package]]
 name = "zeroize"
-version = "1.8.1"
+version = "1.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde"
+checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0"
 dependencies = [
  "zeroize_derive",
 ]
diff --git a/Dockerfile b/Dockerfile
index 48ce6c2ce3..4da63c50ff 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM public.ecr.aws/docker/library/node:24-alpine AS web
+FROM public.ecr.aws/docker/library/node:24 AS web
 
 WORKDIR /app
 COPY web/package.json web/pnpm-lock.yaml web/.npmrc ./

From 29a2f75150dcac3a013d7faa593171c08ec58b62 Mon Sep 17 00:00:00 2001
From: Maciek <19913370+wojcik91@users.noreply.github.com>
Date: Tue, 30 Sep 2025 09:52:08 +0200
Subject: [PATCH 20/50] add missing error log messages (#1616)

---
 crates/defguard_core/src/grpc/mod.rs | 71 ++++++++++++++++------------
 1 file changed, 40 insertions(+), 31 deletions(-)

diff --git a/crates/defguard_core/src/grpc/mod.rs b/crates/defguard_core/src/grpc/mod.rs
index 12c156697c..2346a8e1ad 100644
--- a/crates/defguard_core/src/grpc/mod.rs
+++ b/crates/defguard_core/src/grpc/mod.rs
@@ -381,39 +381,44 @@ async fn handle_proxy_message_loop(
                             }))
                         } else if let Ok(redirect_url) = Url::parse(&request.redirect_url) {
                             if let Some(provider) = OpenIdProvider::get_current(&pool).await? {
-                                if let Ok((_client_id, client)) =
-                                    make_oidc_client(redirect_url, &provider).await
-                                {
-                                    let mut authorize_url_builder = client
-                                        .authorize_url(
-                                            CoreAuthenticationFlow::AuthorizationCode,
-                                            || build_state(request.state),
-                                            Nonce::new_random,
-                                        )
-                                        .add_scope(Scope::new("email".to_string()))
-                                        .add_scope(Scope::new("profile".to_string()));
-
-                                    if SELECT_ACCOUNT_SUPPORTED_PROVIDERS
-                                        .iter()
-                                        .all(|p| p.eq_ignore_ascii_case(&provider.name))
-                                    {
-                                        authorize_url_builder = authorize_url_builder.add_prompt(
-                                            openidconnect::core::CoreAuthPrompt::SelectAccount,
+                                match make_oidc_client(redirect_url, &provider).await {
+                                    Ok((_client_id, client)) => {
+                                        let mut authorize_url_builder = client
+                                            .authorize_url(
+                                                CoreAuthenticationFlow::AuthorizationCode,
+                                                || build_state(request.state),
+                                                Nonce::new_random,
+                                            )
+                                            .add_scope(Scope::new("email".to_string()))
+                                            .add_scope(Scope::new("profile".to_string()));
+
+                                        if SELECT_ACCOUNT_SUPPORTED_PROVIDERS
+                                            .iter()
+                                            .all(|p| p.eq_ignore_ascii_case(&provider.name))
+                                        {
+                                            authorize_url_builder = authorize_url_builder
+                                                .add_prompt(
+                                                openidconnect::core::CoreAuthPrompt::SelectAccount,
+                                            );
+                                        }
+                                        let (url, csrf_token, nonce) = authorize_url_builder.url();
+
+                                        Some(core_response::Payload::AuthInfo(AuthInfoResponse {
+                                            url: url.into(),
+                                            csrf_token: csrf_token.secret().to_owned(),
+                                            nonce: nonce.secret().to_owned(),
+                                            button_display_name: provider.display_name,
+                                        }))
+                                    }
+                                    Err(err) => {
+                                        error!(
+                                            "Failed to setup external OIDC provider client: {err}"
                                         );
+                                        Some(core_response::Payload::CoreError(CoreError {
+                                            status_code: Code::Internal as i32,
+                                            message: "failed to build OIDC client".into(),
+                                        }))
                                     }
-                                    let (url, csrf_token, nonce) = authorize_url_builder.url();
-
-                                    Some(core_response::Payload::AuthInfo(AuthInfoResponse {
-                                        url: url.into(),
-                                        csrf_token: csrf_token.secret().to_owned(),
-                                        nonce: nonce.secret().to_owned(),
-                                        button_display_name: provider.display_name,
-                                    }))
-                                } else {
-                                    Some(core_response::Payload::CoreError(CoreError {
-                                        status_code: Code::Internal as i32,
-                                        message: "failed to build OIDC client".into(),
-                                    }))
                                 }
                             } else {
                                 error!("Failed to get current OpenID provider");
@@ -423,6 +428,10 @@ async fn handle_proxy_message_loop(
                                 }))
                             }
                         } else {
+                            error!(
+                                "Invalid redirect URL in authentication info request: {}",
+                                request.redirect_url
+                            );
                             Some(core_response::Payload::CoreError(CoreError {
                                 status_code: Code::Internal as i32,
                                 message: "invalid redirect URL".into(),

From 8b9c242e63e50a53fda23294939aef32e5e33214 Mon Sep 17 00:00:00 2001
From: Maciek <19913370+wojcik91@users.noreply.github.com>
Date: Tue, 30 Sep 2025 10:29:09 +0200
Subject: [PATCH 21/50] verify audit log events in API integration tests
 (#1624)

* add base framework for validating events in API integration tests

* add way to also test user context

* use queue clear helper

* add user login helper

* update some tests in user module

* update remaining tests in user module

* format docstring

* fix message formatting
---
 .../src/db/models/authentication_key.rs       |   4 +-
 crates/defguard_core/src/db/models/device.rs  |  12 +-
 .../src/db/models/oauth2client.rs             |   2 +-
 .../defguard_core/src/db/models/webauthn.rs   |   2 +-
 crates/defguard_core/src/db/models/webhook.rs |   2 +-
 .../db/models/activity_log_stream.rs          |   4 +-
 .../src/enterprise/db/models/api_tokens.rs    |   2 +-
 .../enterprise/db/models/openid_provider.rs   |   2 +-
 .../src/enterprise/db/models/snat.rs          |   2 +-
 crates/defguard_core/src/events.rs            |   4 +-
 .../tests/integration/api/acl.rs              |  76 +++---
 .../tests/integration/api/auth.rs             |  11 +-
 .../tests/integration/api/common/client.rs    | 119 +++++++++-
 .../tests/integration/api/common/mod.rs       |  29 ++-
 .../tests/integration/api/snat.rs             |   8 +-
 .../tests/integration/api/user.rs             | 222 +++++++++++++-----
 .../tests/integration/api/wireguard.rs        |   8 +-
 17 files changed, 381 insertions(+), 128 deletions(-)

diff --git a/crates/defguard_common/src/db/models/authentication_key.rs b/crates/defguard_common/src/db/models/authentication_key.rs
index a1bc189586..78b44b3c58 100644
--- a/crates/defguard_common/src/db/models/authentication_key.rs
+++ b/crates/defguard_common/src/db/models/authentication_key.rs
@@ -6,7 +6,7 @@ use sqlx::{Error as SqlxError, PgExecutor, Type, query_as};
 
 use crate::db::{Id, NoId};
 
-#[derive(Clone, Debug, Deserialize, Serialize, Type)]
+#[derive(Clone, Debug, Deserialize, Serialize, Type, PartialEq)]
 #[sqlx(type_name = "authentication_key_type", rename_all = "lowercase")]
 #[serde(rename_all = "lowercase")]
 pub enum AuthenticationKeyType {
@@ -23,7 +23,7 @@ impl Display for AuthenticationKeyType {
     }
 }
 
-#[derive(Clone, Debug, Deserialize, Model, Serialize)]
+#[derive(Clone, Debug, Deserialize, Model, Serialize, PartialEq)]
 #[table(authentication_key)]
 pub struct AuthenticationKey<I = NoId> {
     pub id: I,
diff --git a/crates/defguard_core/src/db/models/device.rs b/crates/defguard_core/src/db/models/device.rs
index 00c895ff15..2c6433ca2e 100644
--- a/crates/defguard_core/src/db/models/device.rs
+++ b/crates/defguard_core/src/db/models/device.rs
@@ -3,7 +3,7 @@ use std::{fmt, net::IpAddr};
 use base64::{Engine, prelude::BASE64_STANDARD};
 #[cfg(test)]
 use chrono::NaiveDate;
-use chrono::{NaiveDateTime, Utc};
+use chrono::{NaiveDateTime, Timelike, Utc};
 use defguard_common::{
     csv::AsCsv,
     db::{Id, NoId, models::ModelError},
@@ -532,12 +532,20 @@ impl Device {
         description: Option<String>,
         configured: bool,
     ) -> Self {
+        // FIXME: this is a workaround for reducing timestamp precision.
+        // `chrono` has nanosecond precision by default, while Postgres only does microseconds.
+        // It avoids issues when comparing to objects fetched from DB.
+        let created = Utc::now().naive_utc();
+        let created = created
+            .with_nanosecond((created.nanosecond() / 1_000) * 1_000)
+            .expect("failed to truncate timestamp precision");
+
         Self {
             id: NoId,
             name,
             wireguard_pubkey,
             user_id,
-            created: Utc::now().naive_utc(),
+            created,
             device_type,
             description,
             configured,
diff --git a/crates/defguard_core/src/db/models/oauth2client.rs b/crates/defguard_core/src/db/models/oauth2client.rs
index 5f695618b5..6e8fae8428 100644
--- a/crates/defguard_core/src/db/models/oauth2client.rs
+++ b/crates/defguard_core/src/db/models/oauth2client.rs
@@ -7,7 +7,7 @@ use super::NewOpenIDClient;
 use defguard_common::db::{Id, NoId};
 use defguard_common::random::gen_alphanumeric;
 
-#[derive(Clone, Debug, Deserialize, Model, Serialize)]
+#[derive(Clone, Debug, Deserialize, Model, Serialize, PartialEq)]
 pub struct OAuth2Client<I = NoId> {
     pub id: I,
     pub client_id: String, // unique
diff --git a/crates/defguard_core/src/db/models/webauthn.rs b/crates/defguard_core/src/db/models/webauthn.rs
index 9b4407d67f..8cf61dba92 100644
--- a/crates/defguard_core/src/db/models/webauthn.rs
+++ b/crates/defguard_core/src/db/models/webauthn.rs
@@ -4,7 +4,7 @@ use webauthn_rs::prelude::Passkey;
 
 use defguard_common::db::{Id, NoId, models::ModelError};
 
-#[derive(Model, Clone, Debug)]
+#[derive(Model, Clone, Debug, PartialEq)]
 pub struct WebAuthn<I = NoId> {
     pub id: I,
     pub user_id: Id,
diff --git a/crates/defguard_core/src/db/models/webhook.rs b/crates/defguard_core/src/db/models/webhook.rs
index f45d9831d7..be3e2d26a4 100644
--- a/crates/defguard_core/src/db/models/webhook.rs
+++ b/crates/defguard_core/src/db/models/webhook.rs
@@ -47,7 +47,7 @@ impl AppEvent {
     }
 }
 
-#[derive(Clone, Debug, Deserialize, FromRow, Model, Serialize)]
+#[derive(Clone, Debug, Deserialize, FromRow, Model, Serialize, PartialEq)]
 pub struct WebHook<I = NoId> {
     pub id: I,
     pub url: String,
diff --git a/crates/defguard_core/src/enterprise/db/models/activity_log_stream.rs b/crates/defguard_core/src/enterprise/db/models/activity_log_stream.rs
index 2d472bec2c..d6adb11fc4 100644
--- a/crates/defguard_core/src/enterprise/db/models/activity_log_stream.rs
+++ b/crates/defguard_core/src/enterprise/db/models/activity_log_stream.rs
@@ -9,7 +9,7 @@ use defguard_common::{
     secret::SecretStringWrapper,
 };
 
-#[derive(Debug, Serialize, Deserialize, Type, EnumString, Display, Clone)]
+#[derive(Debug, Serialize, Deserialize, Type, EnumString, Display, Clone, PartialEq)]
 #[sqlx(type_name = "text", rename_all = "snake_case")]
 #[serde(rename_all = "snake_case")]
 pub enum ActivityLogStreamType {
@@ -19,7 +19,7 @@ pub enum ActivityLogStreamType {
     LogstashHttp,
 }
 
-#[derive(Clone, Debug, Serialize, Model, FromRow)]
+#[derive(Clone, Debug, Serialize, Model, FromRow, PartialEq)]
 #[table(activity_log_stream)]
 pub struct ActivityLogStream<I = NoId> {
     pub id: I,
diff --git a/crates/defguard_core/src/enterprise/db/models/api_tokens.rs b/crates/defguard_core/src/enterprise/db/models/api_tokens.rs
index 9e01c7248c..5b44881fc8 100644
--- a/crates/defguard_core/src/enterprise/db/models/api_tokens.rs
+++ b/crates/defguard_core/src/enterprise/db/models/api_tokens.rs
@@ -4,7 +4,7 @@ use sqlx::{Error as SqlxError, PgExecutor, query_as};
 
 use defguard_common::db::{Id, NoId};
 
-#[derive(Clone, Debug, Deserialize, Model, Serialize)]
+#[derive(Clone, Debug, Deserialize, Model, Serialize, PartialEq)]
 #[table(api_token)]
 pub struct ApiToken<I = NoId> {
     pub id: I,
diff --git a/crates/defguard_core/src/enterprise/db/models/openid_provider.rs b/crates/defguard_core/src/enterprise/db/models/openid_provider.rs
index 1d6a563268..1ffdde6830 100644
--- a/crates/defguard_core/src/enterprise/db/models/openid_provider.rs
+++ b/crates/defguard_core/src/enterprise/db/models/openid_provider.rs
@@ -87,7 +87,7 @@ impl From<String> for DirectorySyncTarget {
     }
 }
 
-#[derive(Clone, Debug, Deserialize, Model, Serialize)]
+#[derive(Clone, Debug, Deserialize, Model, Serialize, PartialEq)]
 pub struct OpenIdProvider<I = NoId> {
     pub id: I,
     pub name: String,
diff --git a/crates/defguard_core/src/enterprise/db/models/snat.rs b/crates/defguard_core/src/enterprise/db/models/snat.rs
index 68b7b71c56..e8ed98df8e 100644
--- a/crates/defguard_core/src/enterprise/db/models/snat.rs
+++ b/crates/defguard_core/src/enterprise/db/models/snat.rs
@@ -8,7 +8,7 @@ use utoipa::ToSchema;
 use crate::enterprise::snat::error::UserSnatBindingError;
 use defguard_common::db::{Id, NoId};
 
-#[derive(Clone, Debug, Deserialize, Model, Serialize, ToSchema)]
+#[derive(Clone, Debug, Deserialize, Model, Serialize, ToSchema, PartialEq)]
 #[table(user_snat_binding)]
 pub struct UserSnatBinding<I = NoId> {
     pub id: I,
diff --git a/crates/defguard_core/src/events.rs b/crates/defguard_core/src/events.rs
index 68bc260a72..eb763a6c84 100644
--- a/crates/defguard_core/src/events.rs
+++ b/crates/defguard_core/src/events.rs
@@ -23,7 +23,7 @@ use defguard_proto::proxy::MfaMethod;
 /// Mainly meant to be stored in the activity log.
 /// By design this is a duplicate of a similar struct in the `event_logger` module.
 /// This is done in order to avoid circular imports once we split the project into multiple crates.
-#[derive(Debug, Clone)]
+#[derive(Debug, Clone, PartialEq)]
 pub struct ApiRequestContext {
     pub timestamp: NaiveDateTime,
     pub user_id: Id,
@@ -83,7 +83,7 @@ impl GrpcRequestContext {
     }
 }
 
-#[derive(Debug)]
+#[derive(Debug, PartialEq)]
 pub enum ApiEventType {
     UserLogin,
     UserLoginFailed {
diff --git a/crates/defguard_core/tests/integration/api/acl.rs b/crates/defguard_core/tests/integration/api/acl.rs
index 237b573fdd..352c92b54b 100644
--- a/crates/defguard_core/tests/integration/api/acl.rs
+++ b/crates/defguard_core/tests/integration/api/acl.rs
@@ -137,8 +137,8 @@ fn edit_alias_data_into_api_response(
 async fn test_rule_crud(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, _) = make_test_client(pool).await;
-    authenticate_admin(&client).await;
+    let (mut client, _) = make_test_client(pool).await;
+    authenticate_admin(&mut client).await;
 
     let rule = make_rule();
 
@@ -189,8 +189,8 @@ async fn test_rule_crud(_: PgPoolOptions, options: PgConnectOptions) {
 async fn test_rule_enterprise(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, _) = make_test_client(pool).await;
-    authenticate_admin(&client).await;
+    let (mut client, _) = make_test_client(pool).await;
+    authenticate_admin(&mut client).await;
 
     exceed_enterprise_limits(&client).await;
 
@@ -230,8 +230,8 @@ async fn test_rule_enterprise(_: PgPoolOptions, options: PgConnectOptions) {
 async fn test_alias_crud(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, _) = make_test_client(pool).await;
-    authenticate_admin(&client).await;
+    let (mut client, _) = make_test_client(pool).await;
+    authenticate_admin(&mut client).await;
 
     let alias = make_alias();
 
@@ -284,8 +284,8 @@ async fn test_alias_crud(_: PgPoolOptions, options: PgConnectOptions) {
 async fn test_alias_enterprise(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, _) = make_test_client(pool).await;
-    authenticate_admin(&client).await;
+    let (mut client, _) = make_test_client(pool).await;
+    authenticate_admin(&mut client).await;
 
     exceed_enterprise_limits(&client).await;
 
@@ -325,8 +325,8 @@ async fn test_alias_enterprise(_: PgPoolOptions, options: PgConnectOptions) {
 async fn test_empty_strings(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, _) = make_test_client(pool).await;
-    authenticate_admin(&client).await;
+    let (mut client, _) = make_test_client(pool).await;
+    authenticate_admin(&mut client).await;
 
     // rule
     let mut rule = make_rule();
@@ -409,8 +409,8 @@ async fn test_related_objects(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
     let config = init_config(None);
-    let client = make_client_v2(pool.clone(), config).await;
-    authenticate_admin(&client).await;
+    let mut client = make_client_v2(pool.clone(), config).await;
+    authenticate_admin(&mut client).await;
 
     // create related objects
     // networks
@@ -541,8 +541,8 @@ async fn test_related_objects(_: PgPoolOptions, options: PgConnectOptions) {
 async fn test_invalid_related_objects(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, state) = make_test_client(pool).await;
-    authenticate_admin(&client).await;
+    let (mut client, state) = make_test_client(pool).await;
+    authenticate_admin(&mut client).await;
 
     let rule = make_rule();
     let response = client.post("/api/v1/acl/rule").json(&rule).send().await;
@@ -644,8 +644,8 @@ async fn test_invalid_related_objects(_: PgPoolOptions, options: PgConnectOption
 async fn test_invalid_data(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, _) = make_test_client(pool).await;
-    authenticate_admin(&client).await;
+    let (mut client, _) = make_test_client(pool).await;
+    authenticate_admin(&mut client).await;
 
     // invalid port
     let mut rule = make_rule();
@@ -677,8 +677,8 @@ async fn test_rule_create_modify_state(_: PgPoolOptions, options: PgConnectOptio
     let pool = setup_pool(options).await;
 
     let config = init_config(None);
-    let client = make_client_v2(pool.clone(), config).await;
-    authenticate_admin(&client).await;
+    let mut client = make_client_v2(pool.clone(), config).await;
+    authenticate_admin(&mut client).await;
 
     let rule = make_rule();
 
@@ -732,8 +732,8 @@ async fn test_rule_delete_state_new(_: PgPoolOptions, options: PgConnectOptions)
     let pool = setup_pool(options).await;
 
     let config = init_config(None);
-    let client = make_client_v2(pool.clone(), config).await;
-    authenticate_admin(&client).await;
+    let mut client = make_client_v2(pool.clone(), config).await;
+    authenticate_admin(&mut client).await;
 
     // test NEW rule deletion
     let rule = make_rule();
@@ -751,8 +751,8 @@ async fn test_rule_delete_state_applied(_: PgPoolOptions, options: PgConnectOpti
     let pool = setup_pool(options).await;
 
     let config = init_config(None);
-    let client = make_client_v2(pool.clone(), config).await;
-    authenticate_admin(&client).await;
+    let mut client = make_client_v2(pool.clone(), config).await;
+    authenticate_admin(&mut client).await;
 
     // create a location
     WireguardNetwork::new(
@@ -812,8 +812,8 @@ async fn test_rule_duplication(_: PgPoolOptions, options: PgConnectOptions) {
 
     // each modification / deletion of parent rule should remove the child and create a new one
     let config = init_config(None);
-    let client = make_client_v2(pool.clone(), config).await;
-    authenticate_admin(&client).await;
+    let mut client = make_client_v2(pool.clone(), config).await;
+    authenticate_admin(&mut client).await;
 
     let rule = make_rule();
     let response = client.post("/api/v1/acl/rule").json(&rule).send().await;
@@ -842,8 +842,8 @@ async fn test_rule_application(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
     let config = init_config(None);
-    let client = make_client_v2(pool.clone(), config).await;
-    authenticate_admin(&client).await;
+    let mut client = make_client_v2(pool.clone(), config).await;
+    authenticate_admin(&mut client).await;
 
     let rule = make_rule();
 
@@ -934,8 +934,8 @@ async fn test_multiple_rules_application(_: PgPoolOptions, options: PgConnectOpt
     let pool = setup_pool(options).await;
 
     let config = init_config(None);
-    let client = make_client_v2(pool.clone(), config).await;
-    authenticate_admin(&client).await;
+    let mut client = make_client_v2(pool.clone(), config).await;
+    authenticate_admin(&mut client).await;
 
     let rule_1 = make_rule();
     let rule_2 = make_rule();
@@ -972,8 +972,8 @@ async fn test_alias_create_modify_state(_: PgPoolOptions, options: PgConnectOpti
     let pool = setup_pool(options).await;
 
     let config = init_config(None);
-    let client = make_client_v2(pool.clone(), config).await;
-    authenticate_admin(&client).await;
+    let mut client = make_client_v2(pool.clone(), config).await;
+    authenticate_admin(&mut client).await;
 
     let alias = make_alias();
 
@@ -1012,8 +1012,8 @@ async fn test_alias_delete(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
     let config = init_config(None);
-    let client = make_client_v2(pool.clone(), config).await;
-    authenticate_admin(&client).await;
+    let mut client = make_client_v2(pool.clone(), config).await;
+    authenticate_admin(&mut client).await;
 
     // create alias
     let alias = make_alias();
@@ -1078,8 +1078,8 @@ async fn test_alias_duplication(_: PgPoolOptions, options: PgConnectOptions) {
 
     // each modification of parent alias should remove the child and create a new one
     let config = init_config(None);
-    let client = make_client_v2(pool.clone(), config).await;
-    authenticate_admin(&client).await;
+    let mut client = make_client_v2(pool.clone(), config).await;
+    authenticate_admin(&mut client).await;
 
     let alias = make_alias();
     let response = client.post("/api/v1/acl/alias").json(&alias).send().await;
@@ -1104,8 +1104,8 @@ async fn test_alias_application(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
     let config = init_config(None);
-    let client = make_client_v2(pool.clone(), config).await;
-    authenticate_admin(&client).await;
+    let mut client = make_client_v2(pool.clone(), config).await;
+    authenticate_admin(&mut client).await;
 
     // create new alias
     let alias = make_alias();
@@ -1165,8 +1165,8 @@ async fn test_multiple_aliases_application(_: PgPoolOptions, options: PgConnectO
     let pool = setup_pool(options).await;
 
     let config = init_config(None);
-    let client = make_client_v2(pool.clone(), config).await;
-    authenticate_admin(&client).await;
+    let mut client = make_client_v2(pool.clone(), config).await;
+    authenticate_admin(&mut client).await;
 
     let alias_1 = make_alias();
     let alias_2 = make_alias();
diff --git a/crates/defguard_core/tests/integration/api/auth.rs b/crates/defguard_core/tests/integration/api/auth.rs
index ad43507125..272eeadc49 100644
--- a/crates/defguard_core/tests/integration/api/auth.rs
+++ b/crates/defguard_core/tests/integration/api/auth.rs
@@ -6,6 +6,7 @@ use defguard_common::db::models::{MFAMethod, Settings, settings::update_current_
 use defguard_core::{
     auth::{TOTP_CODE_DIGITS, TOTP_CODE_VALIDITY_PERIOD},
     db::{MFAInfo, User, UserDetails},
+    events::ApiEventType,
     handlers::{Auth, AuthCode, AuthResponse, AuthTotp},
 };
 use reqwest::{StatusCode, header::USER_AGENT};
@@ -59,6 +60,8 @@ async fn test_logout(_: PgPoolOptions, options: PgConnectOptions) {
     let response = client.post("/api/v1/auth").json(&auth).send().await;
     assert_eq!(response.status(), StatusCode::OK);
 
+    client.verify_api_events_with_user(&[(ApiEventType::UserLogin, 2, "hpotter")]);
+
     // store auth cookie for later use
     let auth_cookie = response
         .cookies()
@@ -74,6 +77,8 @@ async fn test_logout(_: PgPoolOptions, options: PgConnectOptions) {
     let response = client.get("/api/v1/me").send().await;
     assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
 
+    client.verify_api_events_with_user(&[(ApiEventType::UserLogout, 2, "hpotter")]);
+
     // try reusing auth cookie
     client.set_cookie(&auth_cookie);
     let response = client.get("/api/v1/me").send().await;
@@ -84,7 +89,7 @@ async fn test_logout(_: PgPoolOptions, options: PgConnectOptions) {
 async fn test_login_bruteforce(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let client = make_client(pool).await;
+    let mut client = make_client(pool).await;
 
     let invalid_auth = Auth::new("hpotter", "invalid");
 
@@ -93,8 +98,12 @@ async fn test_login_bruteforce(_: PgPoolOptions, options: PgConnectOptions) {
         let response = client.post("/api/v1/auth").json(&invalid_auth).send().await;
         if i == 5 {
             assert_eq!(response.status(), StatusCode::TOO_MANY_REQUESTS);
+            client.assert_event_queue_is_empty();
         } else {
             assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
+            client.verify_api_events(&[ApiEventType::UserLoginFailed {
+                message: "Authentication for hpotter failed: invalid password".into(),
+            }]);
         }
     }
 }
diff --git a/crates/defguard_core/tests/integration/api/common/client.rs b/crates/defguard_core/tests/integration/api/common/client.rs
index 9292b31a3e..2203c0c899 100644
--- a/crates/defguard_core/tests/integration/api/common/client.rs
+++ b/crates/defguard_core/tests/integration/api/common/client.rs
@@ -2,22 +2,29 @@ use std::{net::SocketAddr, sync::Arc};
 
 use axum::{Router, serve};
 use bytes::Bytes;
-use defguard_core::events::ApiEvent;
+use defguard_common::db::Id;
+use defguard_core::{
+    events::{ApiEvent, ApiEventType},
+    handlers::Auth,
+};
 use reqwest::{
     Body, Client, StatusCode, Url,
     cookie::{Cookie, Jar},
     header::{HeaderMap, HeaderName, HeaderValue, USER_AGENT},
     redirect::Policy,
 };
-use tokio::{net::TcpListener, sync::mpsc::UnboundedReceiver, task::JoinHandle};
+use tokio::{
+    net::TcpListener,
+    sync::mpsc::{UnboundedReceiver, error::TryRecvError},
+    task::JoinHandle,
+};
 
 pub struct TestClient {
     client: Client,
     jar: Arc<Jar>,
     port: u16,
-    // Has to live during whole test
-    #[allow(dead_code)]
     api_event_rx: UnboundedReceiver<ApiEvent>,
+    // Has to live during whole test
     api_task_handle: JoinHandle<()>,
 }
 
@@ -65,6 +72,15 @@ impl TestClient {
             .add_cookie_str(&format!("{}={}", cookie.name(), cookie.value()), &url);
     }
 
+    // Helper to perform API login
+    pub async fn login_user(&mut self, username: &str, password: &str) {
+        let auth = Auth::new(username, password);
+        let response = self.post("/api/v1/auth").json(&auth).send().await;
+        assert_eq!(response.status(), StatusCode::OK);
+
+        self.verify_api_events(&[ApiEventType::UserLogin]);
+    }
+
     /// returns the base URL (http://ip:port) for this TestClient
     ///
     /// this is useful when trying to check if Location headers in responses
@@ -122,6 +138,101 @@ impl TestClient {
             builder: self.client.delete(full_url),
         }
     }
+
+    /// Assert that expected API events have been emitted
+    ///
+    /// `expected_events` should include all events that are currently in the queue
+    /// for the assertions to pass.
+    /// If there are too many or not enough events in the queue this should panic.
+    pub fn verify_api_events(&mut self, expected_events: &[ApiEventType]) {
+        // take all the events from the queue
+        let events = self.drain_all_events();
+
+        // verify number of events
+        assert_eq!(
+            events.len(),
+            expected_events.len(),
+            "Event number different than expected"
+        );
+
+        // compare events in order
+        for (index, (expected_event, (event, _user_id, _username))) in
+            expected_events.iter().zip(events.iter()).enumerate()
+        {
+            assert_eq!(
+                expected_event, event,
+                "Mismatch at index {index}: expected {expected_event:?}, got {event:?}",
+            );
+        }
+    }
+
+    /// A variant of `verify_api_events` which also compares user context
+    ///
+    /// Other parts of event context that would be hard and not that useful to test (timestamp, device) are omitted.
+    pub fn verify_api_events_with_user(&mut self, expected_events: &[(ApiEventType, Id, &str)]) {
+        // take all the events from the queue
+        let events = self.drain_all_events();
+
+        // verify number of events
+        assert_eq!(
+            events.len(),
+            expected_events.len(),
+            "Event number different than expected"
+        );
+
+        // compare events in order
+        for (
+            index,
+            ((expected_event, expected_user_id, expected_username), (event, user_id, username)),
+        ) in expected_events.iter().zip(events.iter()).enumerate()
+        {
+            assert_eq!(
+                expected_event, event,
+                "Event type mismatch at index {index}: expected {expected_event:?}, got {event:?}",
+            );
+            assert_eq!(
+                expected_user_id, user_id,
+                "User ID mismatch at index {index}: expected {expected_user_id:?}, got {user_id:?}",
+            );
+            assert_eq!(
+                expected_username, username,
+                "Username mismatch at index {index}: expected {expected_username:?}, got {username:?}",
+            );
+        }
+    }
+
+    /// Receive all messages currently present in API event queue
+    ///
+    /// Can also be used to clear the queue.
+    pub fn drain_all_events(&mut self) -> Vec<(ApiEventType, Id, String)> {
+        let mut all_events = Vec::new();
+
+        loop {
+            match self.api_event_rx.try_recv() {
+                Ok(msg) => all_events.push((*msg.event, msg.context.user_id, msg.context.username)),
+                Err(tokio::sync::mpsc::error::TryRecvError::Empty) => {
+                    // No more messages available right now
+                    break;
+                }
+                Err(tokio::sync::mpsc::error::TryRecvError::Disconnected) => {
+                    // Channel is closed
+                    break;
+                }
+            }
+        }
+        all_events
+    }
+
+    /// Assert there are no events queued
+    pub fn assert_event_queue_is_empty(&mut self) {
+        match self.api_event_rx.try_recv() {
+            Err(TryRecvError::Empty) => {
+                // Queue is empty, test passes
+            }
+            Ok(msg) => panic!("Expected empty queue, but got event: {msg:?}"),
+            Err(TryRecvError::Disconnected) => panic!("Channel is disconnected"),
+        }
+    }
 }
 
 impl Drop for TestClient {
diff --git a/crates/defguard_core/tests/integration/api/common/mod.rs b/crates/defguard_core/tests/integration/api/common/mod.rs
index 669ecc9649..233f51f056 100644
--- a/crates/defguard_core/tests/integration/api/common/mod.rs
+++ b/crates/defguard_core/tests/integration/api/common/mod.rs
@@ -14,7 +14,7 @@ use defguard_common::{
 use defguard_core::{
     auth::failed_login::FailedLoginMap,
     build_webapp,
-    db::{AppEvent, GatewayEvent, User, UserDetails},
+    db::{AppEvent, Device, GatewayEvent, User, UserDetails, WireguardNetwork},
     enterprise::license::{License, set_cached_license},
     events::ApiEvent,
     grpc::{WorkerState, gateway::map::GatewayMap},
@@ -241,8 +241,27 @@ pub(crate) async fn make_client_with_db(pool: PgPool) -> (TestClient, PgPool) {
     (client, client_state.pool)
 }
 
-pub(crate) async fn authenticate_admin(client: &TestClient) {
-    let auth = Auth::new("admin", "pass123");
-    let response = client.post("/api/v1/auth").json(&auth).send().await;
-    assert_eq!(response.status(), StatusCode::OK);
+pub(crate) async fn authenticate_admin(client: &mut TestClient) {
+    client.login_user("admin", "pass123").await;
+}
+
+// Helper to fetch current user state from DB by username
+pub(crate) async fn get_db_user(pool: &PgPool, username: &str) -> User<Id> {
+    User::find_by_username(pool, username)
+        .await
+        .unwrap()
+        .unwrap()
+}
+
+// Helper to fetch current location state from DB by ID
+pub(crate) async fn get_db_location(pool: &PgPool, location_id: Id) -> WireguardNetwork<Id> {
+    WireguardNetwork::find_by_id(pool, location_id)
+        .await
+        .unwrap()
+        .unwrap()
+}
+
+// Helper to fetch current user device state from DB by device ID
+pub(crate) async fn get_db_device(pool: &PgPool, device_id: Id) -> Device<Id> {
+    Device::find_by_id(pool, device_id).await.unwrap().unwrap()
 }
diff --git a/crates/defguard_core/tests/integration/api/snat.rs b/crates/defguard_core/tests/integration/api/snat.rs
index 01655d9b56..3e0ad6428a 100644
--- a/crates/defguard_core/tests/integration/api/snat.rs
+++ b/crates/defguard_core/tests/integration/api/snat.rs
@@ -20,10 +20,10 @@ use super::common::{
 async fn test_snat_crud(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, _) = make_test_client(pool).await;
+    let (mut client, _) = make_test_client(pool).await;
 
     // admin login
-    authenticate_admin(&client).await;
+    authenticate_admin(&mut client).await;
 
     // create location
     let response = client
@@ -110,10 +110,10 @@ async fn test_snat_crud(_: PgPoolOptions, options: PgConnectOptions) {
 async fn test_snat_enterprise_required(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, _) = make_test_client(pool).await;
+    let (mut client, _) = make_test_client(pool).await;
 
     // admin login
-    authenticate_admin(&client).await;
+    authenticate_admin(&mut client).await;
 
     exceed_enterprise_limits(&client).await;
 
diff --git a/crates/defguard_core/tests/integration/api/user.rs b/crates/defguard_core/tests/integration/api/user.rs
index d7605a5348..936bcb69a5 100644
--- a/crates/defguard_core/tests/integration/api/user.rs
+++ b/crates/defguard_core/tests/integration/api/user.rs
@@ -4,12 +4,15 @@ use defguard_core::{
         AddDevice, UserInfo,
         models::{NewOpenIDClient, oauth2client::OAuth2Client},
     },
+    events::ApiEventType,
     handlers::{AddUserData, Auth, PasswordChange, PasswordChangeSelf, Username},
 };
 use reqwest::{StatusCode, header::USER_AGENT};
 use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 use tokio_stream::{self as stream, StreamExt};
 
+use crate::api::common::{get_db_device, get_db_location, get_db_user, make_client_with_db};
+
 use super::{
     TEST_SERVER_URL,
     common::{fetch_user_details, make_client, make_network, make_test_client, setup_pool},
@@ -19,7 +22,7 @@ use super::{
 async fn test_authenticate(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let client = make_client(pool).await;
+    let mut client = make_client(pool).await;
 
     let auth = Auth::new("hpotter", "pass123");
     let response = client.post("/api/v1/auth").json(&auth).send().await;
@@ -32,35 +35,44 @@ async fn test_authenticate(_: PgPoolOptions, options: PgConnectOptions) {
     let auth = Auth::new("adumbledore", "pass123");
     let response = client.post("/api/v1/auth").json(&auth).send().await;
     assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
+
+    // second user does not exist so we are unable to emit audit log event
+    client.verify_api_events_with_user(&[
+        (ApiEventType::UserLogin, 2, "hpotter"),
+        (
+            ApiEventType::UserLoginFailed {
+                message: "Authentication for hpotter failed: invalid password".into(),
+            },
+            2,
+            "hpotter",
+        ),
+    ]);
 }
 
 #[sqlx::test]
 async fn test_me(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let client = make_client(pool).await;
+    let mut client = make_client(pool).await;
 
-    let auth = Auth::new("hpotter", "pass123");
-    let response = client.post("/api/v1/auth").json(&auth).send().await;
-    assert_eq!(response.status(), StatusCode::OK);
+    client.login_user("hpotter", "pass123").await;
 
     let response = client.get("/api/v1/me").send().await;
     assert_eq!(response.status(), StatusCode::OK);
     let user_info: UserInfo = response.json().await;
     assert_eq!(user_info.first_name, "Harry");
     assert_eq!(user_info.last_name, "Potter");
+
+    client.assert_event_queue_is_empty();
 }
 
 #[sqlx::test]
 async fn test_change_self_password(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let client = make_client(pool).await;
-
-    let auth = Auth::new("hpotter", "pass123");
+    let mut client = make_client(pool).await;
 
-    let response = client.post("/api/v1/auth").json(&auth).send().await;
-    assert_eq!(response.status(), StatusCode::OK);
+    client.login_user("hpotter", "pass123").await;
 
     let bad_old = "notCurrentPassword123!$";
 
@@ -103,6 +115,7 @@ async fn test_change_self_password(_: PgPoolOptions, options: PgConnectOptions)
     assert_eq!(response.status(), StatusCode::OK);
 
     // old pass login
+    let auth = Auth::new("hpotter", "pass123");
     let response = client.post("/api/v1/auth").json(&auth).send().await;
     assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
 
@@ -110,18 +123,27 @@ async fn test_change_self_password(_: PgPoolOptions, options: PgConnectOptions)
 
     let response = client.post("/api/v1/auth").json(&new_auth).send().await;
     assert_eq!(response.status(), StatusCode::OK);
+
+    client.verify_api_events_with_user(&[
+        (ApiEventType::PasswordChanged, 2, "hpotter"),
+        (
+            ApiEventType::UserLoginFailed {
+                message: "Authentication for hpotter failed: invalid password".into(),
+            },
+            2,
+            "hpotter",
+        ),
+        (ApiEventType::UserLogin, 2, "hpotter"),
+    ]);
 }
 
 #[sqlx::test]
 async fn test_change_password(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let client = make_client(pool).await;
-
-    let auth = Auth::new("admin", "pass123");
-    let response = client.post("/api/v1/auth").json(&auth).send().await;
+    let (mut client, pool) = make_client_with_db(pool).await;
 
-    assert_eq!(response.status(), StatusCode::OK);
+    client.login_user("admin", "pass123").await;
 
     let new_password = "newPassword43$!";
 
@@ -159,62 +181,69 @@ async fn test_change_password(_: PgPoolOptions, options: PgConnectOptions) {
         .send()
         .await;
     assert_eq!(response.status(), StatusCode::FORBIDDEN);
+
+    let test_user = get_db_user(&pool, "hpotter").await;
+
+    client.verify_api_events_with_user(&[
+        (
+            ApiEventType::PasswordChangedByAdmin { user: test_user },
+            1,
+            "admin",
+        ),
+        (ApiEventType::UserLogin, 2, "hpotter"),
+    ]);
 }
 
 #[sqlx::test]
 async fn test_list_users(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let client = make_client(pool).await;
+    let mut client = make_client(pool).await;
 
     let response = client.get("/api/v1/user").send().await;
     assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
 
     // normal user cannot list users
-    let auth = Auth::new("hpotter", "pass123");
-    let response = client.post("/api/v1/auth").json(&auth).send().await;
-    assert_eq!(response.status(), StatusCode::OK);
+    client.login_user("hpotter", "pass123").await;
 
     let response = client.get("/api/v1/user").send().await;
     assert_eq!(response.status(), StatusCode::FORBIDDEN);
 
     // admin can list users
-    let auth = Auth::new("admin", "pass123");
-    let response = client.post("/api/v1/auth").json(&auth).send().await;
-    assert_eq!(response.status(), StatusCode::OK);
+    client.login_user("admin", "pass123").await;
 
     let response = client.get("/api/v1/user").send().await;
     assert_eq!(response.status(), StatusCode::OK);
+
+    client.assert_event_queue_is_empty();
 }
 
 #[sqlx::test]
 async fn test_get_user(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let client = make_client(pool).await;
+    let mut client = make_client(pool).await;
 
     let response = client.get("/api/v1/user/hpotter").send().await;
     assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
 
-    let auth = Auth::new("hpotter", "pass123");
-    let response = client.post("/api/v1/auth").json(&auth).send().await;
-    assert_eq!(response.status(), StatusCode::OK);
+    client.login_user("hpotter", "pass123").await;
 
     let user_info = fetch_user_details(&client, "hpotter").await;
     assert_eq!(user_info.user.first_name, "Harry");
     assert_eq!(user_info.user.last_name, "Potter");
+
+    client.assert_event_queue_is_empty();
 }
 
 #[sqlx::test]
 async fn test_username_available(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let client = make_client(pool).await;
+    let mut client = make_client(pool).await;
 
     // standard user cannot check username availability
-    let auth = Auth::new("hpotter", "pass123");
-    let response = client.post("/api/v1/auth").json(&auth).send().await;
-    assert_eq!(response.status(), StatusCode::OK);
+    client.login_user("hpotter", "pass123").await;
 
     let avail = Username {
         username: "hpotter".into(),
@@ -227,9 +256,7 @@ async fn test_username_available(_: PgPoolOptions, options: PgConnectOptions) {
     assert_eq!(response.status(), StatusCode::FORBIDDEN);
 
     // log in as admin
-    let auth = Auth::new("admin", "pass123");
-    let response = client.post("/api/v1/auth").json(&auth).send().await;
-    assert_eq!(response.status(), StatusCode::OK);
+    client.login_user("admin", "pass123").await;
 
     let avail = Username {
         username: "_CrashTestDummy".into(),
@@ -260,17 +287,17 @@ async fn test_username_available(_: PgPoolOptions, options: PgConnectOptions) {
         .send()
         .await;
     assert_eq!(response.status(), StatusCode::BAD_REQUEST);
+
+    client.assert_event_queue_is_empty();
 }
 
 #[sqlx::test]
 async fn test_crud_user(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let client = make_client(pool).await;
+    let (mut client, pool) = make_client_with_db(pool).await;
 
-    let auth = Auth::new("admin", "pass123");
-    let response = client.post("/api/v1/auth").json(&auth).send().await;
-    assert_eq!(response.status(), StatusCode::OK);
+    client.login_user("admin", "pass123").await;
 
     // create user
     let new_user = AddUserData {
@@ -288,6 +315,8 @@ async fn test_crud_user(_: PgPoolOptions, options: PgConnectOptions) {
     let mut user_details = fetch_user_details(&client, "adumbledore").await;
     assert_eq!(user_details.user.first_name, "Albus");
 
+    let old_test_user = get_db_user(&pool, "adumbledore").await;
+
     // edit user
     user_details.user.phone = Some("5678".into());
     let response = client
@@ -297,20 +326,33 @@ async fn test_crud_user(_: PgPoolOptions, options: PgConnectOptions) {
         .await;
     assert_eq!(response.status(), StatusCode::OK);
 
+    let new_test_user = get_db_user(&pool, "adumbledore").await;
+
     // delete user
     let response = client.delete("/api/v1/user/adumbledore").send().await;
     assert_eq!(response.status(), StatusCode::OK);
+
+    client.verify_api_events(&[
+        ApiEventType::UserAdded {
+            user: old_test_user.clone(),
+        },
+        ApiEventType::UserModified {
+            before: old_test_user,
+            after: new_test_user.clone(),
+        },
+        ApiEventType::UserRemoved {
+            user: new_test_user,
+        },
+    ]);
 }
 
 #[sqlx::test]
 async fn test_check_username(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let client = make_client(pool).await;
+    let (mut client, pool) = make_client_with_db(pool).await;
 
-    let auth = Auth::new("admin", "pass123");
-    let response = client.post("/api/v1/auth").json(&auth).send().await;
-    assert_eq!(response.status(), StatusCode::OK);
+    client.login_user("admin", "pass123").await;
 
     let invalid_usernames = ["ADumble dore", ".1user"];
     let valid_usernames = ["user1", "use2r3", "not_wrong"];
@@ -328,6 +370,7 @@ async fn test_check_username(_: PgPoolOptions, options: PgConnectOptions) {
         assert_eq!(response.status(), StatusCode::BAD_REQUEST);
     }
 
+    let mut expected_events = Vec::new();
     for (i, username) in valid_usernames.into_iter().enumerate() {
         let new_user = AddUserData {
             username: username.into(),
@@ -339,19 +382,22 @@ async fn test_check_username(_: PgPoolOptions, options: PgConnectOptions) {
         };
         let response = client.post("/api/v1/user").json(&new_user).send().await;
         assert_eq!(response.status(), StatusCode::CREATED);
+
+        let test_user = get_db_user(&pool, username).await;
+        expected_events.push(ApiEventType::UserAdded { user: test_user })
     }
+
+    client.verify_api_events(&expected_events);
 }
 
 #[sqlx::test]
 async fn test_check_password_strength(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let client = make_client(pool).await;
+    let (mut client, pool) = make_client_with_db(pool).await;
 
     // auth session with admin
-    let auth = Auth::new("admin", "pass123");
-    let response = client.post("/api/v1/auth").json(&auth).send().await;
-    assert_eq!(response.status(), StatusCode::OK);
+    client.login_user("admin", "pass123").await;
 
     // test
     let strong_password = "strongPass1234$!";
@@ -391,16 +437,20 @@ async fn test_check_password_strength(_: PgPoolOptions, options: PgConnectOption
         .send()
         .await;
     assert_eq!(response.status(), StatusCode::CREATED);
+
+    let test_user = get_db_user(&pool, "strongpass").await;
+
+    client.verify_api_events(&[ApiEventType::UserAdded { user: test_user }]);
 }
 
 #[sqlx::test]
 async fn test_user_unregister_authorized_app(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let client = make_client(pool).await;
-    let auth = Auth::new("admin", "pass123");
-    let response = client.post("/api/v1/auth").json(&auth).send().await;
-    assert_eq!(response.status(), StatusCode::OK);
+    let (mut client, pool) = make_client_with_db(pool).await;
+    client.login_user("admin", "pass123").await;
+
+    // add OpenID app
     let openid_client = NewOpenIDClient {
         name: "Test".into(),
         redirect_uri: vec![TEST_SERVER_URL.into()],
@@ -415,6 +465,13 @@ async fn test_user_unregister_authorized_app(_: PgPoolOptions, options: PgConnec
     assert_eq!(response.status(), StatusCode::CREATED);
     let openid_client: OAuth2Client<Id> = response.json().await;
     assert_eq!(openid_client.name, "Test");
+
+    // verify app is not authorized yet
+    let response = client.get("/api/v1/me").send().await;
+    let user_info: UserInfo = response.json().await;
+    assert_eq!(user_info.authorized_apps.len(), 0);
+
+    // authorize app
     let response = client
         .post(format!(
             "/api/v1/oauth/authorize?\
@@ -433,6 +490,10 @@ async fn test_user_unregister_authorized_app(_: PgPoolOptions, options: PgConnec
     let response = client.get("/api/v1/me").send().await;
     let mut user_info: UserInfo = response.json().await;
     assert_eq!(user_info.authorized_apps.len(), 1);
+
+    let old_test_user = get_db_user(&pool, "admin").await;
+
+    // unregister app
     user_info.authorized_apps = [].into();
     let response = client
         .put("/api/v1/user/admin")
@@ -443,16 +504,28 @@ async fn test_user_unregister_authorized_app(_: PgPoolOptions, options: PgConnec
     let response = client.get("/api/v1/me").send().await;
     let user_info: UserInfo = response.json().await;
     assert_eq!(user_info.authorized_apps.len(), 0);
+
+    let new_test_user = get_db_user(&pool, "admin").await;
+
+    client.verify_api_events(&[
+        ApiEventType::OpenIdAppAdded { app: openid_client },
+        ApiEventType::UserModified {
+            before: old_test_user,
+            after: new_test_user.clone(),
+        },
+    ]);
 }
 
 #[sqlx::test]
 async fn test_user_add_device(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, state) = make_test_client(pool).await;
+    let (mut client, state) = make_test_client(pool).await;
     let mut mail_rx = state.mail_rx;
     let user_agent_header = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Mobile/15E148 Safari/604.1";
 
+    let mut expected_events = Vec::new();
+
     // log in as admin
     let auth = Auth::new("admin", "pass123");
     let response = client
@@ -462,6 +535,7 @@ async fn test_user_add_device(_: PgPoolOptions, options: PgConnectOptions) {
         .send()
         .await;
     assert_eq!(response.status(), StatusCode::OK);
+    expected_events.push(ApiEventType::UserLogin);
 
     // first email received is regarding admin login
     let mail = mail_rx.try_recv().unwrap();
@@ -478,6 +552,9 @@ async fn test_user_add_device(_: PgPoolOptions, options: PgConnectOptions) {
         .send()
         .await;
     assert_eq!(response.status(), StatusCode::CREATED);
+    expected_events.push(ApiEventType::VpnLocationAdded {
+        location: get_db_location(&state.pool, 1).await,
+    });
 
     // add device for user
     let device_data = AddDevice {
@@ -491,6 +568,10 @@ async fn test_user_add_device(_: PgPoolOptions, options: PgConnectOptions) {
         .send()
         .await;
     assert_eq!(response.status(), StatusCode::CREATED);
+    expected_events.push(ApiEventType::UserDeviceAdded {
+        owner: get_db_user(&state.pool, "hpotter").await,
+        device: get_db_device(&state.pool, 1).await,
+    });
 
     // send email regarding new device being added
     // it does not contain session info
@@ -512,6 +593,10 @@ async fn test_user_add_device(_: PgPoolOptions, options: PgConnectOptions) {
         .send()
         .await;
     assert_eq!(response.status(), StatusCode::CREATED);
+    expected_events.push(ApiEventType::UserDeviceAdded {
+        owner: get_db_user(&state.pool, "admin").await,
+        device: get_db_device(&state.pool, 2).await,
+    });
 
     // send email regarding new device being added
     // it should contain session info
@@ -533,6 +618,7 @@ async fn test_user_add_device(_: PgPoolOptions, options: PgConnectOptions) {
         .send()
         .await;
     assert_eq!(response.status(), StatusCode::OK);
+    expected_events.push(ApiEventType::UserLogin);
 
     let response = client.get("/api/v1/me").send().await;
     assert_eq!(response.status(), StatusCode::OK);
@@ -580,6 +666,10 @@ async fn test_user_add_device(_: PgPoolOptions, options: PgConnectOptions) {
         .send()
         .await;
     assert_eq!(response.status(), StatusCode::CREATED);
+    expected_events.push(ApiEventType::UserDeviceAdded {
+        owner: get_db_user(&state.pool, "hpotter").await,
+        device: get_db_device(&state.pool, 3).await,
+    });
 
     // send email regarding new device being added
     let mail = mail_rx.try_recv().unwrap();
@@ -590,17 +680,17 @@ async fn test_user_add_device(_: PgPoolOptions, options: PgConnectOptions) {
         mail.content
             .contains("Device type:</span> iPhone, OS: iOS 17.1, Mobile Safari")
     );
+
+    client.verify_api_events(&expected_events);
 }
 
 #[sqlx::test]
 async fn test_disable(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let client = make_client(pool).await;
+    let (mut client, pool) = make_client_with_db(pool).await;
 
-    let auth = Auth::new("admin", "pass123");
-    let response = client.post("/api/v1/auth").json(&auth).send().await;
-    assert_eq!(response.status(), StatusCode::OK);
+    client.login_user("admin", "pass123").await;
 
     // get yourself
     let mut user_details = fetch_user_details(&client, "admin").await;
@@ -632,6 +722,8 @@ async fn test_disable(_: PgPoolOptions, options: PgConnectOptions) {
     assert_eq!(user_details.user.first_name, "Albus");
     assert!(user_details.user.is_active);
 
+    let old_test_user = get_db_user(&pool, "adumbledore").await;
+
     // disable user
     user_details.user.is_active = false;
     let response = client
@@ -644,17 +736,27 @@ async fn test_disable(_: PgPoolOptions, options: PgConnectOptions) {
     let user_details = fetch_user_details(&client, "adumbledore").await;
     assert_eq!(user_details.user.first_name, "Albus");
     assert!(!user_details.user.is_active);
+
+    let new_test_user = get_db_user(&pool, "adumbledore").await;
+
+    client.verify_api_events(&[
+        ApiEventType::UserAdded {
+            user: old_test_user.clone(),
+        },
+        ApiEventType::UserModified {
+            before: old_test_user,
+            after: new_test_user.clone(),
+        },
+    ]);
 }
 
 #[sqlx::test]
 async fn test_unique_email(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let client = make_client(pool).await;
+    let (mut client, pool) = make_client_with_db(pool).await;
 
-    let auth = Auth::new("admin", "pass123");
-    let response = client.post("/api/v1/auth").json(&auth).send().await;
-    assert_eq!(response.status(), StatusCode::OK);
+    client.login_user("admin", "pass123").await;
 
     // create user
     let new_user = AddUserData {
@@ -679,4 +781,8 @@ async fn test_unique_email(_: PgPoolOptions, options: PgConnectOptions) {
     };
     let response = client.post("/api/v1/user").json(&new_user).send().await;
     assert_eq!(response.status(), StatusCode::BAD_REQUEST);
+
+    let test_user = get_db_user(&pool, "adumbledore").await;
+
+    client.verify_api_events(&[ApiEventType::UserAdded { user: test_user }]);
 }
diff --git a/crates/defguard_core/tests/integration/api/wireguard.rs b/crates/defguard_core/tests/integration/api/wireguard.rs
index 79625944c0..468e2a8cbd 100644
--- a/crates/defguard_core/tests/integration/api/wireguard.rs
+++ b/crates/defguard_core/tests/integration/api/wireguard.rs
@@ -128,8 +128,8 @@ async fn test_network(_: PgPoolOptions, options: PgConnectOptions) {
 async fn test_location_mfa_mode_validation_create(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, _client_state) = make_test_client(pool).await;
-    authenticate_admin(&client).await;
+    let (mut client, _client_state) = make_test_client(pool).await;
+    authenticate_admin(&mut client).await;
 
     exceed_enterprise_limits(&client).await;
 
@@ -213,8 +213,8 @@ async fn test_location_mfa_mode_validation_create(_: PgPoolOptions, options: PgC
 async fn test_location_mfa_mode_validation_modify(_: PgPoolOptions, options: PgConnectOptions) {
     let pool = setup_pool(options).await;
 
-    let (client, _client_state) = make_test_client(pool).await;
-    authenticate_admin(&client).await;
+    let (mut client, _client_state) = make_test_client(pool).await;
+    authenticate_admin(&mut client).await;
 
     let mut location_data = WireguardNetworkData {
         name: "test_location".into(),

From d8b70a2eb650e378dd68a811624b584b529f0e11 Mon Sep 17 00:00:00 2001
From: Adam <adam@defguard.net>
Date: Thu, 9 Oct 2025 16:43:11 +0200
Subject: [PATCH 22/50] Upgrade Debian packages to get latest security fixes
 (#1648)

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 4da63c50ff..8939f2b525 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -44,7 +44,7 @@ RUN cargo install --locked --bin defguard --path ./crates/defguard --root /build
 
 # run
 FROM public.ecr.aws/docker/library/debian:13-slim
-RUN apt-get update -y && \
+RUN apt-get update -y && apt-get upgrade -y && \
     apt-get install --no-install-recommends -y ca-certificates libssl-dev && \
     rm -rf /var/lib/apt/lists/*
 WORKDIR /app

From 6083d31ea14b520fcb4fd3846cdde31287c6fa58 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Mon, 20 Oct 2025 10:29:15 +0200
Subject: [PATCH 23/50] APT uploading/signing workflow (#1655)

* workflow test

* ready to release

* delete comment

* add EOL

* Added ruby to path

* for loop

* typo 2

* refresh html
---
 .github/workflows/release.yml | 50 ++++++++++++++++++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a45196f589..95daff338b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -59,7 +59,6 @@ jobs:
 
   build-binaries:
     needs: [create-release]
-
     runs-on:
       - self-hosted
       - Linux
@@ -198,6 +197,19 @@ jobs:
           asset_name: defguard-${{ env.VERSION }}-${{ matrix.target }}.deb
           asset_content_type: application/octet-stream
 
+      - name: Install ruby with deb-s3
+        if: matrix.build == 'linux'
+        run: |
+          sudo apt-get install -y ruby
+          gem install deb-s3
+          echo "$(ruby -r rubygems -e 'puts Gem.user_dir')/bin" >> $GITHUB_PATH
+
+      - name: Upload DEB to apt repository
+        if: matrix.build == 'linux'
+        run: |
+          COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release.
+
+          deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY_APT }} --secret-access-key=${{ secrets.AWS_SECRET_KEY_APT }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" defguard-${{ env.VERSION }}-${{ matrix.target }}.deb
       - name: Build RPM package
         if: matrix.build == 'linux'
         uses: defGuard/fpm-action@main
@@ -233,3 +245,39 @@ jobs:
           asset_path: defguard-${{ env.VERSION }}_${{ matrix.target }}.pkg
           asset_name: defguard-${{ env.VERSION }}_${{ matrix.target }}.pkg
           asset_content_type: application/octet-stream
+
+  apt-sign:
+    needs: 
+      - build-binaries
+    runs-on:
+      - self-hosted
+      - Linux
+      - X64
+    strategy:
+      fail-fast: false
+    steps:
+      - name: Sign APT repository on trixie 
+        run: |
+          export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }}
+          export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }}
+          export AWS_REGION=eu-north-1
+          sudo apt update -y
+          sudo apt install -y awscli curl jq
+
+          for DIST in trixie; do
+            aws s3 cp s3://apt.defguard.net/dists/${DIST}/Release .
+            
+            curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
+              -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
+              -F "file=@Release" \
+              -o response.json
+            
+            cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg
+            cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease
+            
+            aws s3 cp Release.gpg s3://apt.defguard.net/dists/${DIST}/ --acl public-read
+            aws s3 cp InRelease s3://apt.defguard.net/dists/${DIST}/ --acl public-read
+
+            aws s3 ls s3://apt.defguard.net/dists/ --recursive | awk '{print "<a href=\""$4"\">"$4"</a><br>"}' > index.html
+            aws s3 cp index.html s3://apt.defguard.net/ --acl public-read
+          done

From 2834e114b70f285546a00fbcee24013ae4f3aed1 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Wed, 22 Oct 2025 09:44:28 +0200
Subject: [PATCH 24/50] List whole directory (#1664)

---
 .github/workflows/release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 95daff338b..850d1c41fc 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -278,6 +278,6 @@ jobs:
             aws s3 cp Release.gpg s3://apt.defguard.net/dists/${DIST}/ --acl public-read
             aws s3 cp InRelease s3://apt.defguard.net/dists/${DIST}/ --acl public-read
 
-            aws s3 ls s3://apt.defguard.net/dists/ --recursive | awk '{print "<a href=\""$4"\">"$4"</a><br>"}' > index.html
-            aws s3 cp index.html s3://apt.defguard.net/ --acl public-read
           done
+          (aws s3 ls s3://apt.defguard.net/dists/ --recursive; aws s3 ls s3://apt.defguard.net/pool/ --recursive) | awk '{print "<a href=\""$4"\">"$4"</a><br>"}' > index.html
+          aws s3 cp index.html s3://apt.defguard.net/ --acl public-read

From 5cb6920ea6d0029b3fa9ec53a3507a629aea583a Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Thu, 23 Oct 2025 21:52:32 +0200
Subject: [PATCH 25/50] Properly validate IP address of endpoint in network
 wizard (#1667)

---
 .../WizardNetworkConfiguration.tsx                   | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/web/src/pages/wizard/components/WizardNetworkConfiguration/WizardNetworkConfiguration.tsx b/web/src/pages/wizard/components/WizardNetworkConfiguration/WizardNetworkConfiguration.tsx
index caa6ef8530..77aa53abad 100644
--- a/web/src/pages/wizard/components/WizardNetworkConfiguration/WizardNetworkConfiguration.tsx
+++ b/web/src/pages/wizard/components/WizardNetworkConfiguration/WizardNetworkConfiguration.tsx
@@ -25,7 +25,11 @@ import { QueryKeys } from '../../../../shared/queries';
 import { LocationMfaMode } from '../../../../shared/types.ts';
 import { titleCase } from '../../../../shared/utils/titleCase';
 import { trimObjectStrings } from '../../../../shared/utils/trimObjectStrings.ts';
-import { validateIpList, validateIpOrDomainList } from '../../../../shared/validators';
+import {
+  validateIpList,
+  validateIpOrDomain,
+  validateIpOrDomainList,
+} from '../../../../shared/validators';
 import { useWizardStore } from '../../hooks/useWizardStore';
 import { DividerHeader } from './components/DividerHeader.tsx';
 
@@ -109,7 +113,11 @@ export const WizardNetworkConfiguration = () => {
           .refine((value) => {
             return validateIpList(value, ',', true);
           }, LL.form.error.addressNetmask()),
-        endpoint: z.string().trim().min(1, LL.form.error.required()),
+        endpoint: z
+          .string()
+          .trim()
+          .min(1, LL.form.error.required())
+          .refine((val) => validateIpOrDomain(val), LL.form.error.endpoint()),
         port: z
           .number({
             invalid_type_error: LL.form.error.invalid(),

From 68fe53901e0950edaccf8d345a5577534d2ddbbd Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Sun, 26 Oct 2025 15:29:30 +0100
Subject: [PATCH 26/50] Service locations (Pre-logon, Always-on) (#1666)

* service locations 1

* biome fix

* attempt 3

* sqlx prepare

* cleanup, some clippy changes

* remove unused imports

* Update deny.toml

* remove unnecessary operations

* sort imports

* remove import

* fix tests

* Update proto
---
 ...74a42e3447f9d2a949b6820e685ddab6561d.json} |  21 +-
 ...0b1ea9e8149f3bb760d2039b463ef262eb03.json} |  21 +-
 ...c2deb6e638c229a1929afe35d79dddfbdf67.json} |  21 +-
 ...42f9e63cf2ebf64a517adeea511ba932e2a0.json} |  21 +-
 ...d0aea3e87da3082b49d7f6d6dd82630597ac.json} |  21 +-
 ...7e657dcb71c90e209102b4033888f5c668cd.json} |  21 +-
 ...c33c6e14d74fb23bd9baf450dc9827d547c6.json} |  21 +-
 ...5034418d6224e190ce6ae96b8779e2505062.json} |  16 +-
 ...f7835e7ef3e0312aef9c56e495f05f11b4dd.json} |  21 +-
 ...85908407c4f642d3005e36df113a1aee841d.json} |  16 +-
 .../defguard_common/src/db/models/settings.rs |   3 +-
 .../src/db/models/activity_log/mod.rs         |   3 +-
 crates/defguard_core/src/db/models/device.rs  |  15 +-
 .../src/db/models/oauth2authorizedapp.rs      |   3 +-
 .../src/db/models/oauth2client.rs             |   9 +-
 .../src/db/models/polling_token.rs            |   7 +-
 crates/defguard_core/src/db/models/session.rs |   3 +-
 crates/defguard_core/src/db/models/user.rs    |  13 +-
 .../defguard_core/src/db/models/webauthn.rs   |   3 +-
 crates/defguard_core/src/db/models/webhook.rs |   2 +-
 .../defguard_core/src/db/models/wireguard.rs  | 231 +++++++++++++++++-
 .../src/db/models/wireguard_peer_stats.rs     |   3 +-
 crates/defguard_core/src/db/models/yubikey.rs |   3 +-
 .../src/enterprise/db/models/acl.rs           |   8 +-
 .../src/enterprise/db/models/acl/tests.rs     |   2 +
 .../db/models/activity_log_stream.rs          |   8 +-
 .../src/enterprise/db/models/api_tokens.rs    |   3 +-
 .../enterprise/db/models/openid_provider.rs   |   3 +-
 .../src/enterprise/db/models/snat.rs          |   2 +-
 .../src/enterprise/directory_sync/tests.rs    |   6 +-
 .../src/enterprise/firewall/mod.rs            |  10 +-
 .../src/enterprise/firewall/tests.rs          |   8 +-
 .../src/enterprise/grpc/desktop_client_mfa.rs |   2 +-
 .../src/enterprise/grpc/polling.rs            |   2 +-
 .../handlers/activity_log_stream.rs           |   2 +-
 .../src/enterprise/handlers/api_tokens.rs     |   2 +-
 .../src/enterprise/ldap/client.rs             |   2 +-
 .../defguard_core/src/enterprise/license.rs   |  12 +-
 crates/defguard_core/src/events.rs            |   2 +-
 crates/defguard_core/src/grpc/client_mfa.rs   |  10 +-
 crates/defguard_core/src/grpc/enrollment.rs   |  23 +-
 crates/defguard_core/src/grpc/gateway/map.rs  |   2 +-
 crates/defguard_core/src/grpc/gateway/mod.rs  |  11 +
 crates/defguard_core/src/grpc/mod.rs          |  15 +-
 .../defguard_core/src/grpc/password_reset.rs  |   8 +-
 crates/defguard_core/src/grpc/utils.rs        |  79 ++++--
 crates/defguard_core/src/grpc/worker.rs       |   4 +-
 crates/defguard_core/src/handlers/app_info.rs |   2 +-
 crates/defguard_core/src/handlers/mod.rs      |   3 +-
 .../defguard_core/src/handlers/wireguard.rs   |  20 +-
 crates/defguard_core/src/lib.rs               |  52 ++--
 crates/defguard_core/src/support.rs           |   8 +-
 crates/defguard_core/src/utility_thread.rs    |  44 +++-
 crates/defguard_core/src/version.rs           |   3 +-
 crates/defguard_core/src/wg_config.rs         |   6 +-
 .../src/wireguard_peer_disconnect.rs          |   5 +-
 .../tests/integration/api/acl.rs              |   7 +-
 .../tests/integration/api/auth.rs             |   3 +-
 .../tests/integration/api/common/mod.rs       |   9 +-
 .../tests/integration/api/user.rs             |   3 +-
 .../tests/integration/api/wireguard.rs        |  10 +-
 .../api/wireguard_network_allowed_groups.rs   |  24 +-
 .../api/wireguard_network_devices.rs          |   9 +-
 .../api/wireguard_network_import.rs           |   2 +
 .../tests/integration/grpc/gateway.rs         |   6 +-
 crates/defguard_proto/src/lib.rs              |  20 +-
 crates/defguard_version/src/lib.rs            |   8 +-
 crates/defguard_version/src/tracing.rs        |   4 +-
 deny.toml                                     |   8 +-
 .../20251015080719_service_locations.down.sql |   2 +
 .../20251015080719_service_locations.up.sql   |   7 +
 proto                                         |   2 +-
 web/src/i18n/en/index.ts                      |  25 ++
 web/src/i18n/i18n-types.ts                    | 108 ++++++++
 web/src/i18n/pl/index.ts                      |  57 +++++
 .../NetworkEditForm/NetworkEditForm.tsx       |  67 ++++-
 .../pages/network/NetworkEditForm/style.scss  |  13 +
 .../WizardNetworkConfiguration.tsx            |  34 ++-
 web/src/pages/wizard/hooks/useWizardStore.ts  |   3 +
 .../FormLocationMfaModeSelect.tsx             |   6 +-
 .../FormServiceLocationModeSelect.tsx         |  84 +++++++
 .../FormServiceLocationModeSelect/style.scss  |  59 +++++
 web/src/shared/types.ts                       |   7 +
 83 files changed, 1211 insertions(+), 243 deletions(-)
 rename .sqlx/{query-5350e57595e044cea6976a73910210e5106af580e45647ae620850de0b77785b.json => query-03710e2a3e96096e57f95a62543174a42e3447f9d2a949b6820e685ddab6561d.json} (77%)
 rename .sqlx/{query-0fb053b3b00a1fe78f764d2d1d90375d5674fd59fe3018af120ae2ef5fd10f48.json => query-0c237b235f0455c5f79f2ea4e8210b1ea9e8149f3bb760d2039b463ef262eb03.json} (76%)
 rename .sqlx/{query-89ec538b614f4ea6440ce15ec58044149463f9a39f673b1f83587980c527c575.json => query-38970835606c0fb0d2cf1d87253cc2deb6e638c229a1929afe35d79dddfbdf67.json} (77%)
 rename .sqlx/{query-21957027aa29a30a186e87441b86eadc2d27eeb56d18f9debf50d0ba71e01e48.json => query-4628fb49dfe7cb4e9470018f566342f9e63cf2ebf64a517adeea511ba932e2a0.json} (78%)
 rename .sqlx/{query-d6298964d89e9fdb087f7860a38f2f325d5ec81e6e0ea10660f74084718ac48e.json => query-4ad6e8059b230eee547c234d02f2d0aea3e87da3082b49d7f6d6dd82630597ac.json} (77%)
 rename .sqlx/{query-6f207a4d39d616b6cfdb10e4e4e7e2bf4a03081f33c0b4e779e5e431b092fbdc.json => query-60f62225c964c16171bfe23148757e657dcb71c90e209102b4033888f5c668cd.json} (78%)
 rename .sqlx/{query-0c7b5094f1e4dc79a5782b6948aa2527807bd9643f2758c83c728d1d003843ab.json => query-7938837afdae9daee7a22d0ed919c33c6e14d74fb23bd9baf450dc9827d547c6.json} (80%)
 rename .sqlx/{query-966dd7a3677babebc8e34b6f502e7e1aea7304e054c1241406aa62993d66117a.json => query-7cb2f4e82c2d2cb1aec62bc3ae335034418d6224e190ce6ae96b8779e2505062.json} (68%)
 rename .sqlx/{query-32187156f93aaff898a4445056a2a332453a9626e56a5f543c2790bff9d2109c.json => query-f7c1feed3561417bc20420558c27f7835e7ef3e0312aef9c56e495f05f11b4dd.json} (79%)
 rename .sqlx/{query-acb58694a7dc5ac4268c88e2d37a50697d20952973b676d574b01d0836f1aff0.json => query-fe2ad01a923b3d66c74343dbd9c385908407c4f642d3005e36df113a1aee841d.json} (70%)
 create mode 100644 migrations/20251015080719_service_locations.down.sql
 create mode 100644 migrations/20251015080719_service_locations.up.sql
 create mode 100644 web/src/shared/components/Form/FormServiceLocationModeSelect/FormServiceLocationModeSelect.tsx
 create mode 100644 web/src/shared/components/Form/FormServiceLocationModeSelect/style.scss

diff --git a/.sqlx/query-5350e57595e044cea6976a73910210e5106af580e45647ae620850de0b77785b.json b/.sqlx/query-03710e2a3e96096e57f95a62543174a42e3447f9d2a949b6820e685ddab6561d.json
similarity index 77%
rename from .sqlx/query-5350e57595e044cea6976a73910210e5106af580e45647ae620850de0b77785b.json
rename to .sqlx/query-03710e2a3e96096e57f95a62543174a42e3447f9d2a949b6820e685ddab6561d.json
index 36d70341c3..9bb03daf9c 100644
--- a/.sqlx/query-5350e57595e044cea6976a73910210e5106af580e45647ae620850de0b77785b.json
+++ b/.sqlx/query-03710e2a3e96096e57f95a62543174a42e3447f9d2a949b6820e685ddab6561d.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT n.id, name, address, port, pubkey, prvkey, endpoint, dns, allowed_ips, connected_at, keepalive_interval, peer_disconnect_threshold, acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\" FROM aclrulenetwork r JOIN wireguard_network n ON n.id = r.network_id WHERE r.rule_id = $1",
+  "query": "SELECT n.id, name, address, port, pubkey, prvkey, endpoint, dns, allowed_ips, connected_at, keepalive_interval, peer_disconnect_threshold, acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\", service_location_mode \"service_location_mode: ServiceLocationMode\" FROM aclrulenetwork r JOIN wireguard_network n ON n.id = r.network_id WHERE r.rule_id = $1",
   "describe": {
     "columns": [
       {
@@ -88,6 +88,22 @@
             }
           }
         }
+      },
+      {
+        "ordinal": 15,
+        "name": "service_location_mode: ServiceLocationMode",
+        "type_info": {
+          "Custom": {
+            "name": "service_location_mode",
+            "kind": {
+              "Enum": [
+                "disabled",
+                "prelogon",
+                "alwayson"
+              ]
+            }
+          }
+        }
       }
     ],
     "parameters": {
@@ -110,8 +126,9 @@
       false,
       false,
       false,
+      false,
       false
     ]
   },
-  "hash": "5350e57595e044cea6976a73910210e5106af580e45647ae620850de0b77785b"
+  "hash": "03710e2a3e96096e57f95a62543174a42e3447f9d2a949b6820e685ddab6561d"
 }
diff --git a/.sqlx/query-0fb053b3b00a1fe78f764d2d1d90375d5674fd59fe3018af120ae2ef5fd10f48.json b/.sqlx/query-0c237b235f0455c5f79f2ea4e8210b1ea9e8149f3bb760d2039b463ef262eb03.json
similarity index 76%
rename from .sqlx/query-0fb053b3b00a1fe78f764d2d1d90375d5674fd59fe3018af120ae2ef5fd10f48.json
rename to .sqlx/query-0c237b235f0455c5f79f2ea4e8210b1ea9e8149f3bb760d2039b463ef262eb03.json
index 4d94977db3..3b4c356fed 100644
--- a/.sqlx/query-0fb053b3b00a1fe78f764d2d1d90375d5674fd59fe3018af120ae2ef5fd10f48.json
+++ b/.sqlx/query-0c237b235f0455c5f79f2ea4e8210b1ea9e8149f3bb760d2039b463ef262eb03.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, name, address, port, pubkey, prvkey, endpoint, dns, allowed_ips, connected_at,  keepalive_interval, peer_disconnect_threshold, acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\" FROM wireguard_network WHERE id IN (SELECT wireguard_network_id FROM wireguard_network_device WHERE device_id = $1 ORDER BY id LIMIT 1)",
+  "query": "SELECT id, name, address, port, pubkey, prvkey, endpoint, dns, allowed_ips, connected_at,  keepalive_interval, peer_disconnect_threshold, acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\", service_location_mode \"service_location_mode: ServiceLocationMode\" FROM wireguard_network WHERE id IN (SELECT wireguard_network_id FROM wireguard_network_device WHERE device_id = $1 ORDER BY id LIMIT 1)",
   "describe": {
     "columns": [
       {
@@ -88,6 +88,22 @@
             }
           }
         }
+      },
+      {
+        "ordinal": 15,
+        "name": "service_location_mode: ServiceLocationMode",
+        "type_info": {
+          "Custom": {
+            "name": "service_location_mode",
+            "kind": {
+              "Enum": [
+                "disabled",
+                "prelogon",
+                "alwayson"
+              ]
+            }
+          }
+        }
       }
     ],
     "parameters": {
@@ -110,8 +126,9 @@
       false,
       false,
       false,
+      false,
       false
     ]
   },
-  "hash": "0fb053b3b00a1fe78f764d2d1d90375d5674fd59fe3018af120ae2ef5fd10f48"
+  "hash": "0c237b235f0455c5f79f2ea4e8210b1ea9e8149f3bb760d2039b463ef262eb03"
 }
diff --git a/.sqlx/query-89ec538b614f4ea6440ce15ec58044149463f9a39f673b1f83587980c527c575.json b/.sqlx/query-38970835606c0fb0d2cf1d87253cc2deb6e638c229a1929afe35d79dddfbdf67.json
similarity index 77%
rename from .sqlx/query-89ec538b614f4ea6440ce15ec58044149463f9a39f673b1f83587980c527c575.json
rename to .sqlx/query-38970835606c0fb0d2cf1d87253cc2deb6e638c229a1929afe35d79dddfbdf67.json
index 55255fc63f..3fbc28224b 100644
--- a/.sqlx/query-89ec538b614f4ea6440ce15ec58044149463f9a39f673b1f83587980c527c575.json
+++ b/.sqlx/query-38970835606c0fb0d2cf1d87253cc2deb6e638c229a1929afe35d79dddfbdf67.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, name, address, port, pubkey, prvkey, endpoint, dns, allowed_ips, connected_at, keepalive_interval, peer_disconnect_threshold, acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\" FROM wireguard_network WHERE location_mfa_mode = 'external'::location_mfa_mode",
+  "query": "SELECT id, name, address, port, pubkey, prvkey, endpoint, dns, allowed_ips, connected_at, keepalive_interval, peer_disconnect_threshold, acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\", service_location_mode \"service_location_mode: ServiceLocationMode\" FROM wireguard_network WHERE location_mfa_mode != 'disabled'::location_mfa_mode",
   "describe": {
     "columns": [
       {
@@ -88,6 +88,22 @@
             }
           }
         }
+      },
+      {
+        "ordinal": 15,
+        "name": "service_location_mode: ServiceLocationMode",
+        "type_info": {
+          "Custom": {
+            "name": "service_location_mode",
+            "kind": {
+              "Enum": [
+                "disabled",
+                "prelogon",
+                "alwayson"
+              ]
+            }
+          }
+        }
       }
     ],
     "parameters": {
@@ -108,8 +124,9 @@
       false,
       false,
       false,
+      false,
       false
     ]
   },
-  "hash": "89ec538b614f4ea6440ce15ec58044149463f9a39f673b1f83587980c527c575"
+  "hash": "38970835606c0fb0d2cf1d87253cc2deb6e638c229a1929afe35d79dddfbdf67"
 }
diff --git a/.sqlx/query-21957027aa29a30a186e87441b86eadc2d27eeb56d18f9debf50d0ba71e01e48.json b/.sqlx/query-4628fb49dfe7cb4e9470018f566342f9e63cf2ebf64a517adeea511ba932e2a0.json
similarity index 78%
rename from .sqlx/query-21957027aa29a30a186e87441b86eadc2d27eeb56d18f9debf50d0ba71e01e48.json
rename to .sqlx/query-4628fb49dfe7cb4e9470018f566342f9e63cf2ebf64a517adeea511ba932e2a0.json
index 1b397c0991..75b2c85a66 100644
--- a/.sqlx/query-21957027aa29a30a186e87441b86eadc2d27eeb56d18f9debf50d0ba71e01e48.json
+++ b/.sqlx/query-4628fb49dfe7cb4e9470018f566342f9e63cf2ebf64a517adeea511ba932e2a0.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, name, address, port, pubkey, prvkey, endpoint, dns, allowed_ips, connected_at, keepalive_interval, peer_disconnect_threshold, acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\" FROM wireguard_network WHERE id = $1",
+  "query": "SELECT id, name, address, port, pubkey, prvkey, endpoint, dns, allowed_ips, connected_at, keepalive_interval, peer_disconnect_threshold, acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\", service_location_mode \"service_location_mode: ServiceLocationMode\" FROM wireguard_network WHERE id = $1",
   "describe": {
     "columns": [
       {
@@ -88,6 +88,22 @@
             }
           }
         }
+      },
+      {
+        "ordinal": 15,
+        "name": "service_location_mode: ServiceLocationMode",
+        "type_info": {
+          "Custom": {
+            "name": "service_location_mode",
+            "kind": {
+              "Enum": [
+                "disabled",
+                "prelogon",
+                "alwayson"
+              ]
+            }
+          }
+        }
       }
     ],
     "parameters": {
@@ -110,8 +126,9 @@
       false,
       false,
       false,
+      false,
       false
     ]
   },
-  "hash": "21957027aa29a30a186e87441b86eadc2d27eeb56d18f9debf50d0ba71e01e48"
+  "hash": "4628fb49dfe7cb4e9470018f566342f9e63cf2ebf64a517adeea511ba932e2a0"
 }
diff --git a/.sqlx/query-d6298964d89e9fdb087f7860a38f2f325d5ec81e6e0ea10660f74084718ac48e.json b/.sqlx/query-4ad6e8059b230eee547c234d02f2d0aea3e87da3082b49d7f6d6dd82630597ac.json
similarity index 77%
rename from .sqlx/query-d6298964d89e9fdb087f7860a38f2f325d5ec81e6e0ea10660f74084718ac48e.json
rename to .sqlx/query-4ad6e8059b230eee547c234d02f2d0aea3e87da3082b49d7f6d6dd82630597ac.json
index cee5190d9a..613c96a482 100644
--- a/.sqlx/query-d6298964d89e9fdb087f7860a38f2f325d5ec81e6e0ea10660f74084718ac48e.json
+++ b/.sqlx/query-4ad6e8059b230eee547c234d02f2d0aea3e87da3082b49d7f6d6dd82630597ac.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, name, address, port, pubkey, prvkey, endpoint, dns, allowed_ips, connected_at, keepalive_interval, peer_disconnect_threshold, acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\" FROM wireguard_network WHERE location_mfa_mode != 'disabled'::location_mfa_mode",
+  "query": "SELECT id, name, address, port, pubkey, prvkey, endpoint, dns, allowed_ips, connected_at, keepalive_interval, peer_disconnect_threshold, acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\", service_location_mode \"service_location_mode: ServiceLocationMode\" FROM wireguard_network WHERE location_mfa_mode = 'external'::location_mfa_mode",
   "describe": {
     "columns": [
       {
@@ -88,6 +88,22 @@
             }
           }
         }
+      },
+      {
+        "ordinal": 15,
+        "name": "service_location_mode: ServiceLocationMode",
+        "type_info": {
+          "Custom": {
+            "name": "service_location_mode",
+            "kind": {
+              "Enum": [
+                "disabled",
+                "prelogon",
+                "alwayson"
+              ]
+            }
+          }
+        }
       }
     ],
     "parameters": {
@@ -108,8 +124,9 @@
       false,
       false,
       false,
+      false,
       false
     ]
   },
-  "hash": "d6298964d89e9fdb087f7860a38f2f325d5ec81e6e0ea10660f74084718ac48e"
+  "hash": "4ad6e8059b230eee547c234d02f2d0aea3e87da3082b49d7f6d6dd82630597ac"
 }
diff --git a/.sqlx/query-6f207a4d39d616b6cfdb10e4e4e7e2bf4a03081f33c0b4e779e5e431b092fbdc.json b/.sqlx/query-60f62225c964c16171bfe23148757e657dcb71c90e209102b4033888f5c668cd.json
similarity index 78%
rename from .sqlx/query-6f207a4d39d616b6cfdb10e4e4e7e2bf4a03081f33c0b4e779e5e431b092fbdc.json
rename to .sqlx/query-60f62225c964c16171bfe23148757e657dcb71c90e209102b4033888f5c668cd.json
index 4b43522b73..e221cd0a9d 100644
--- a/.sqlx/query-6f207a4d39d616b6cfdb10e4e4e7e2bf4a03081f33c0b4e779e5e431b092fbdc.json
+++ b/.sqlx/query-60f62225c964c16171bfe23148757e657dcb71c90e209102b4033888f5c668cd.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, name, address, port, pubkey, prvkey, endpoint, dns, allowed_ips, connected_at, keepalive_interval, peer_disconnect_threshold, acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\" FROM wireguard_network WHERE name = $1",
+  "query": "SELECT id, name, address, port, pubkey, prvkey, endpoint, dns, allowed_ips, connected_at, keepalive_interval, peer_disconnect_threshold, acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\", service_location_mode \"service_location_mode: ServiceLocationMode\" FROM wireguard_network WHERE name = $1",
   "describe": {
     "columns": [
       {
@@ -88,6 +88,22 @@
             }
           }
         }
+      },
+      {
+        "ordinal": 15,
+        "name": "service_location_mode: ServiceLocationMode",
+        "type_info": {
+          "Custom": {
+            "name": "service_location_mode",
+            "kind": {
+              "Enum": [
+                "disabled",
+                "prelogon",
+                "alwayson"
+              ]
+            }
+          }
+        }
       }
     ],
     "parameters": {
@@ -110,8 +126,9 @@
       false,
       false,
       false,
+      false,
       false
     ]
   },
-  "hash": "6f207a4d39d616b6cfdb10e4e4e7e2bf4a03081f33c0b4e779e5e431b092fbdc"
+  "hash": "60f62225c964c16171bfe23148757e657dcb71c90e209102b4033888f5c668cd"
 }
diff --git a/.sqlx/query-0c7b5094f1e4dc79a5782b6948aa2527807bd9643f2758c83c728d1d003843ab.json b/.sqlx/query-7938837afdae9daee7a22d0ed919c33c6e14d74fb23bd9baf450dc9827d547c6.json
similarity index 80%
rename from .sqlx/query-0c7b5094f1e4dc79a5782b6948aa2527807bd9643f2758c83c728d1d003843ab.json
rename to .sqlx/query-7938837afdae9daee7a22d0ed919c33c6e14d74fb23bd9baf450dc9827d547c6.json
index da1e780cd7..8a209a1cf5 100644
--- a/.sqlx/query-0c7b5094f1e4dc79a5782b6948aa2527807bd9643f2758c83c728d1d003843ab.json
+++ b/.sqlx/query-7938837afdae9daee7a22d0ed919c33c6e14d74fb23bd9baf450dc9827d547c6.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, \"name\",\"address\" \"address: _\",\"port\",\"pubkey\",\"prvkey\",\"endpoint\",\"dns\",\"allowed_ips\" \"allowed_ips: _\",\"connected_at\",\"acl_enabled\",\"acl_default_allow\",\"keepalive_interval\",\"peer_disconnect_threshold\",\"location_mfa_mode\" \"location_mfa_mode: _\" FROM \"wireguard_network\"",
+  "query": "SELECT id, \"name\",\"address\" \"address: _\",\"port\",\"pubkey\",\"prvkey\",\"endpoint\",\"dns\",\"allowed_ips\" \"allowed_ips: _\",\"connected_at\",\"acl_enabled\",\"acl_default_allow\",\"keepalive_interval\",\"peer_disconnect_threshold\",\"location_mfa_mode\" \"location_mfa_mode: _\",\"service_location_mode\" \"service_location_mode: _\" FROM \"wireguard_network\"",
   "describe": {
     "columns": [
       {
@@ -88,6 +88,22 @@
             }
           }
         }
+      },
+      {
+        "ordinal": 15,
+        "name": "service_location_mode: _",
+        "type_info": {
+          "Custom": {
+            "name": "service_location_mode",
+            "kind": {
+              "Enum": [
+                "disabled",
+                "prelogon",
+                "alwayson"
+              ]
+            }
+          }
+        }
       }
     ],
     "parameters": {
@@ -108,8 +124,9 @@
       false,
       false,
       false,
+      false,
       false
     ]
   },
-  "hash": "0c7b5094f1e4dc79a5782b6948aa2527807bd9643f2758c83c728d1d003843ab"
+  "hash": "7938837afdae9daee7a22d0ed919c33c6e14d74fb23bd9baf450dc9827d547c6"
 }
diff --git a/.sqlx/query-966dd7a3677babebc8e34b6f502e7e1aea7304e054c1241406aa62993d66117a.json b/.sqlx/query-7cb2f4e82c2d2cb1aec62bc3ae335034418d6224e190ce6ae96b8779e2505062.json
similarity index 68%
rename from .sqlx/query-966dd7a3677babebc8e34b6f502e7e1aea7304e054c1241406aa62993d66117a.json
rename to .sqlx/query-7cb2f4e82c2d2cb1aec62bc3ae335034418d6224e190ce6ae96b8779e2505062.json
index 070daed9c5..6315118ca6 100644
--- a/.sqlx/query-966dd7a3677babebc8e34b6f502e7e1aea7304e054c1241406aa62993d66117a.json
+++ b/.sqlx/query-7cb2f4e82c2d2cb1aec62bc3ae335034418d6224e190ce6ae96b8779e2505062.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "INSERT INTO \"wireguard_network\" (\"name\",\"address\",\"port\",\"pubkey\",\"prvkey\",\"endpoint\",\"dns\",\"allowed_ips\",\"connected_at\",\"acl_enabled\",\"acl_default_allow\",\"keepalive_interval\",\"peer_disconnect_threshold\",\"location_mfa_mode\") VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14) RETURNING id",
+  "query": "INSERT INTO \"wireguard_network\" (\"name\",\"address\",\"port\",\"pubkey\",\"prvkey\",\"endpoint\",\"dns\",\"allowed_ips\",\"connected_at\",\"acl_enabled\",\"acl_default_allow\",\"keepalive_interval\",\"peer_disconnect_threshold\",\"location_mfa_mode\",\"service_location_mode\") VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15) RETURNING id",
   "describe": {
     "columns": [
       {
@@ -35,6 +35,18 @@
               ]
             }
           }
+        },
+        {
+          "Custom": {
+            "name": "service_location_mode",
+            "kind": {
+              "Enum": [
+                "disabled",
+                "prelogon",
+                "alwayson"
+              ]
+            }
+          }
         }
       ]
     },
@@ -42,5 +54,5 @@
       false
     ]
   },
-  "hash": "966dd7a3677babebc8e34b6f502e7e1aea7304e054c1241406aa62993d66117a"
+  "hash": "7cb2f4e82c2d2cb1aec62bc3ae335034418d6224e190ce6ae96b8779e2505062"
 }
diff --git a/.sqlx/query-32187156f93aaff898a4445056a2a332453a9626e56a5f543c2790bff9d2109c.json b/.sqlx/query-f7c1feed3561417bc20420558c27f7835e7ef3e0312aef9c56e495f05f11b4dd.json
similarity index 79%
rename from .sqlx/query-32187156f93aaff898a4445056a2a332453a9626e56a5f543c2790bff9d2109c.json
rename to .sqlx/query-f7c1feed3561417bc20420558c27f7835e7ef3e0312aef9c56e495f05f11b4dd.json
index 37b1fe0d05..f238310936 100644
--- a/.sqlx/query-32187156f93aaff898a4445056a2a332453a9626e56a5f543c2790bff9d2109c.json
+++ b/.sqlx/query-f7c1feed3561417bc20420558c27f7835e7ef3e0312aef9c56e495f05f11b4dd.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, \"name\",\"address\" \"address: _\",\"port\",\"pubkey\",\"prvkey\",\"endpoint\",\"dns\",\"allowed_ips\" \"allowed_ips: _\",\"connected_at\",\"acl_enabled\",\"acl_default_allow\",\"keepalive_interval\",\"peer_disconnect_threshold\",\"location_mfa_mode\" \"location_mfa_mode: _\" FROM \"wireguard_network\" WHERE id = $1",
+  "query": "SELECT id, \"name\",\"address\" \"address: _\",\"port\",\"pubkey\",\"prvkey\",\"endpoint\",\"dns\",\"allowed_ips\" \"allowed_ips: _\",\"connected_at\",\"acl_enabled\",\"acl_default_allow\",\"keepalive_interval\",\"peer_disconnect_threshold\",\"location_mfa_mode\" \"location_mfa_mode: _\",\"service_location_mode\" \"service_location_mode: _\" FROM \"wireguard_network\" WHERE id = $1",
   "describe": {
     "columns": [
       {
@@ -88,6 +88,22 @@
             }
           }
         }
+      },
+      {
+        "ordinal": 15,
+        "name": "service_location_mode: _",
+        "type_info": {
+          "Custom": {
+            "name": "service_location_mode",
+            "kind": {
+              "Enum": [
+                "disabled",
+                "prelogon",
+                "alwayson"
+              ]
+            }
+          }
+        }
       }
     ],
     "parameters": {
@@ -110,8 +126,9 @@
       false,
       false,
       false,
+      false,
       false
     ]
   },
-  "hash": "32187156f93aaff898a4445056a2a332453a9626e56a5f543c2790bff9d2109c"
+  "hash": "f7c1feed3561417bc20420558c27f7835e7ef3e0312aef9c56e495f05f11b4dd"
 }
diff --git a/.sqlx/query-acb58694a7dc5ac4268c88e2d37a50697d20952973b676d574b01d0836f1aff0.json b/.sqlx/query-fe2ad01a923b3d66c74343dbd9c385908407c4f642d3005e36df113a1aee841d.json
similarity index 70%
rename from .sqlx/query-acb58694a7dc5ac4268c88e2d37a50697d20952973b676d574b01d0836f1aff0.json
rename to .sqlx/query-fe2ad01a923b3d66c74343dbd9c385908407c4f642d3005e36df113a1aee841d.json
index 933ffa8b91..88bf4542cf 100644
--- a/.sqlx/query-acb58694a7dc5ac4268c88e2d37a50697d20952973b676d574b01d0836f1aff0.json
+++ b/.sqlx/query-fe2ad01a923b3d66c74343dbd9c385908407c4f642d3005e36df113a1aee841d.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "UPDATE \"wireguard_network\" SET \"name\" = $2,\"address\" = $3,\"port\" = $4,\"pubkey\" = $5,\"prvkey\" = $6,\"endpoint\" = $7,\"dns\" = $8,\"allowed_ips\" = $9,\"connected_at\" = $10,\"acl_enabled\" = $11,\"acl_default_allow\" = $12,\"keepalive_interval\" = $13,\"peer_disconnect_threshold\" = $14,\"location_mfa_mode\" = $15 WHERE id = $1",
+  "query": "UPDATE \"wireguard_network\" SET \"name\" = $2,\"address\" = $3,\"port\" = $4,\"pubkey\" = $5,\"prvkey\" = $6,\"endpoint\" = $7,\"dns\" = $8,\"allowed_ips\" = $9,\"connected_at\" = $10,\"acl_enabled\" = $11,\"acl_default_allow\" = $12,\"keepalive_interval\" = $13,\"peer_disconnect_threshold\" = $14,\"location_mfa_mode\" = $15,\"service_location_mode\" = $16 WHERE id = $1",
   "describe": {
     "columns": [],
     "parameters": {
@@ -30,10 +30,22 @@
               ]
             }
           }
+        },
+        {
+          "Custom": {
+            "name": "service_location_mode",
+            "kind": {
+              "Enum": [
+                "disabled",
+                "prelogon",
+                "alwayson"
+              ]
+            }
+          }
         }
       ]
     },
     "nullable": []
   },
-  "hash": "acb58694a7dc5ac4268c88e2d37a50697d20952973b676d574b01d0836f1aff0"
+  "hash": "fe2ad01a923b3d66c74343dbd9c385908407c4f642d3005e36df113a1aee841d"
 }
diff --git a/crates/defguard_common/src/db/models/settings.rs b/crates/defguard_common/src/db/models/settings.rs
index e2ae4fee63..018aa0b913 100644
--- a/crates/defguard_common/src/db/models/settings.rs
+++ b/crates/defguard_common/src/db/models/settings.rs
@@ -1,6 +1,5 @@
 use std::{collections::HashMap, fmt};
 
-use crate::{global_value, secret::SecretStringWrapper};
 use serde::{Deserialize, Serialize};
 use sqlx::{PgExecutor, PgPool, Type, query, query_as};
 use struct_patch::Patch;
@@ -8,6 +7,8 @@ use thiserror::Error;
 use tracing::{debug, info, warn};
 use uuid::Uuid;
 
+use crate::{global_value, secret::SecretStringWrapper};
+
 global_value!(SETTINGS, Option<Settings>, None, set_settings, get_settings);
 
 /// Initializes global `SETTINGS` struct at program startup
diff --git a/crates/defguard_core/src/db/models/activity_log/mod.rs b/crates/defguard_core/src/db/models/activity_log/mod.rs
index 62cf59154c..cf9314cf42 100644
--- a/crates/defguard_core/src/db/models/activity_log/mod.rs
+++ b/crates/defguard_core/src/db/models/activity_log/mod.rs
@@ -1,10 +1,9 @@
 use chrono::NaiveDateTime;
+use defguard_common::db::{Id, NoId};
 use ipnetwork::IpNetwork;
 use model_derive::Model;
 use sqlx::{FromRow, Type};
 
-use defguard_common::db::{Id, NoId};
-
 pub mod metadata;
 
 #[derive(Clone, Debug, Deserialize, Serialize, Type)]
diff --git a/crates/defguard_core/src/db/models/device.rs b/crates/defguard_core/src/db/models/device.rs
index 2c6433ca2e..385faa8aa3 100644
--- a/crates/defguard_core/src/db/models/device.rs
+++ b/crates/defguard_core/src/db/models/device.rs
@@ -26,7 +26,10 @@ use utoipa::ToSchema;
 use super::wireguard::{
     LocationMfaMode, NetworkAddressError, WIREGUARD_MAX_HANDSHAKE, WireguardNetwork,
 };
-use crate::{KEY_LENGTH, db::User};
+use crate::{
+    KEY_LENGTH,
+    db::{User, models::wireguard::ServiceLocationMode},
+};
 
 #[derive(Serialize, ToSchema)]
 pub struct DeviceConfig {
@@ -42,6 +45,7 @@ pub struct DeviceConfig {
     pub(crate) dns: Option<String>,
     pub(crate) keepalive_interval: i32,
     pub(crate) location_mfa_mode: LocationMfaMode,
+    pub(crate) service_location_mode: ServiceLocationMode,
 }
 
 // The type of a device:
@@ -501,7 +505,8 @@ impl WireguardNetworkDevice {
             WireguardNetwork,
             "SELECT id, name, address, port, pubkey, prvkey, endpoint, dns, allowed_ips, \
             connected_at, keepalive_interval, peer_disconnect_threshold, \
-            acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\" \
+            acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\", \
+            service_location_mode \"service_location_mode: ServiceLocationMode\" \
             FROM wireguard_network WHERE id = $1",
             self.wireguard_network_id
         )
@@ -703,6 +708,7 @@ impl Device<Id> {
             dns: network.dns.clone(),
             keepalive_interval: network.keepalive_interval,
             location_mfa_mode: network.location_mfa_mode.clone(),
+            service_location_mode: network.service_location_mode.clone(),
         };
 
         Ok((device_network_info, device_config))
@@ -736,6 +742,7 @@ impl Device<Id> {
             dns: network.dns.clone(),
             keepalive_interval: network.keepalive_interval,
             location_mfa_mode: network.location_mfa_mode.clone(),
+            service_location_mode: network.service_location_mode.clone(),
         };
 
         Ok((device_network_info, device_config))
@@ -798,6 +805,7 @@ impl Device<Id> {
                     dns: network.dns,
                     keepalive_interval: network.keepalive_interval,
                     location_mfa_mode: network.location_mfa_mode.clone(),
+                    service_location_mode: network.service_location_mode.clone(),
                 });
             }
         }
@@ -944,7 +952,8 @@ impl Device<Id> {
             WireguardNetwork,
             "SELECT id, name, address, port, pubkey, prvkey, endpoint, dns, allowed_ips, \
             connected_at,  keepalive_interval, peer_disconnect_threshold, \
-            acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\" \
+            acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\", \
+            service_location_mode \"service_location_mode: ServiceLocationMode\" \
             FROM wireguard_network WHERE id IN \
             (SELECT wireguard_network_id FROM wireguard_network_device WHERE device_id = $1 ORDER BY id LIMIT 1)",
             self.id
diff --git a/crates/defguard_core/src/db/models/oauth2authorizedapp.rs b/crates/defguard_core/src/db/models/oauth2authorizedapp.rs
index 0039265a65..0b7bb1af90 100644
--- a/crates/defguard_core/src/db/models/oauth2authorizedapp.rs
+++ b/crates/defguard_core/src/db/models/oauth2authorizedapp.rs
@@ -1,8 +1,7 @@
+use defguard_common::db::{Id, NoId};
 use model_derive::Model;
 use sqlx::{Error as SqlxError, PgPool, query_as};
 
-use defguard_common::db::{Id, NoId};
-
 #[derive(Model)]
 pub struct OAuth2AuthorizedApp<I = NoId> {
     pub id: I,
diff --git a/crates/defguard_core/src/db/models/oauth2client.rs b/crates/defguard_core/src/db/models/oauth2client.rs
index 6e8fae8428..d7e2cbdb53 100644
--- a/crates/defguard_core/src/db/models/oauth2client.rs
+++ b/crates/defguard_core/src/db/models/oauth2client.rs
@@ -1,11 +1,12 @@
+use defguard_common::{
+    db::{Id, NoId},
+    random::gen_alphanumeric,
+};
 use model_derive::Model;
 use sqlx::{Error as SqlxError, PgExecutor, PgPool, query_as};
 
-use crate::db::OAuth2Token;
-
 use super::NewOpenIDClient;
-use defguard_common::db::{Id, NoId};
-use defguard_common::random::gen_alphanumeric;
+use crate::db::OAuth2Token;
 
 #[derive(Clone, Debug, Deserialize, Model, Serialize, PartialEq)]
 pub struct OAuth2Client<I = NoId> {
diff --git a/crates/defguard_core/src/db/models/polling_token.rs b/crates/defguard_core/src/db/models/polling_token.rs
index 8b19e98dda..b4d911936d 100644
--- a/crates/defguard_core/src/db/models/polling_token.rs
+++ b/crates/defguard_core/src/db/models/polling_token.rs
@@ -1,10 +1,11 @@
 use chrono::{NaiveDateTime, Utc};
+use defguard_common::{
+    db::{Id, NoId},
+    random::gen_alphanumeric,
+};
 use model_derive::Model;
 use sqlx::{Error as SqlxError, PgExecutor, PgPool, query_as};
 
-use defguard_common::db::{Id, NoId};
-use defguard_common::random::gen_alphanumeric;
-
 // Token used for polling requests.
 #[derive(Clone, Debug, Model)]
 pub struct PollingToken<I = NoId> {
diff --git a/crates/defguard_core/src/db/models/session.rs b/crates/defguard_core/src/db/models/session.rs
index 52d7a0fd9b..ee1cda00b0 100644
--- a/crates/defguard_core/src/db/models/session.rs
+++ b/crates/defguard_core/src/db/models/session.rs
@@ -1,10 +1,9 @@
 use chrono::{NaiveDateTime, TimeDelta, Utc};
 use defguard_common::{config::server_config, db::Id, random::gen_alphanumeric};
+use defguard_mail::templates::SessionContext;
 use sqlx::{Error as SqlxError, PgExecutor, PgPool, Type, query, query_as};
 use webauthn_rs::prelude::{PasskeyAuthentication, PasskeyRegistration};
 
-use defguard_mail::templates::SessionContext;
-
 #[derive(Clone, PartialEq, Type)]
 #[repr(i16)]
 pub enum SessionState {
diff --git a/crates/defguard_core/src/db/models/user.rs b/crates/defguard_core/src/db/models/user.rs
index 6ba075b646..df518b8bde 100644
--- a/crates/defguard_core/src/db/models/user.rs
+++ b/crates/defguard_core/src/db/models/user.rs
@@ -8,6 +8,11 @@ use argon2::{
     },
 };
 use axum::http::StatusCode;
+use defguard_common::{
+    config::server_config,
+    db::{Id, NoId, models::MFAMethod},
+    random::{gen_alphanumeric, gen_totp_secret},
+};
 use defguard_mail::templates::UserContext;
 use model_derive::Model;
 #[cfg(test)]
@@ -36,11 +41,6 @@ use crate::{
     error::WebError,
     grpc::gateway::{send_multiple_wireguard_events, send_wireguard_event},
 };
-use defguard_common::{
-    config::server_config,
-    db::{Id, NoId, models::MFAMethod},
-    random::{gen_alphanumeric, gen_totp_secret},
-};
 
 const RECOVERY_CODES_COUNT: usize = 8;
 
@@ -1275,12 +1275,11 @@ impl Distribution<User<NoId>> for Standard {
 mod test {
     use defguard_common::{
         config::{DefGuardConfig, SERVER_CONFIG},
-        db::setup_pool,
+        db::{models::settings::initialize_current_settings, setup_pool},
     };
     use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 
     use super::*;
-    use defguard_common::db::models::settings::initialize_current_settings;
 
     #[sqlx::test]
     async fn test_mfa_code(_: PgPoolOptions, options: PgConnectOptions) {
diff --git a/crates/defguard_core/src/db/models/webauthn.rs b/crates/defguard_core/src/db/models/webauthn.rs
index 8cf61dba92..bd5a912f70 100644
--- a/crates/defguard_core/src/db/models/webauthn.rs
+++ b/crates/defguard_core/src/db/models/webauthn.rs
@@ -1,9 +1,8 @@
+use defguard_common::db::{Id, NoId, models::ModelError};
 use model_derive::Model;
 use sqlx::{Error as SqlxError, PgExecutor, PgPool, query, query_as, query_scalar};
 use webauthn_rs::prelude::Passkey;
 
-use defguard_common::db::{Id, NoId, models::ModelError};
-
 #[derive(Model, Clone, Debug, PartialEq)]
 pub struct WebAuthn<I = NoId> {
     pub id: I,
diff --git a/crates/defguard_core/src/db/models/webhook.rs b/crates/defguard_core/src/db/models/webhook.rs
index be3e2d26a4..8b2715c46a 100644
--- a/crates/defguard_core/src/db/models/webhook.rs
+++ b/crates/defguard_core/src/db/models/webhook.rs
@@ -1,8 +1,8 @@
+use defguard_common::db::{Id, NoId};
 use model_derive::Model;
 use sqlx::{Error as SqlxError, FromRow, PgPool, query_as};
 
 use super::UserInfo;
-use defguard_common::db::{Id, NoId};
 
 /// App events which triggers webhook action
 #[derive(Debug)]
diff --git a/crates/defguard_core/src/db/models/wireguard.rs b/crates/defguard_core/src/db/models/wireguard.rs
index fef77250f3..83f1b9966c 100644
--- a/crates/defguard_core/src/db/models/wireguard.rs
+++ b/crates/defguard_core/src/db/models/wireguard.rs
@@ -12,6 +12,13 @@ use defguard_common::{
     csv::AsCsv,
     db::{Id, NoId, models::ModelError},
 };
+use defguard_proto::{
+    enterprise::firewall::FirewallConfig,
+    gateway::Peer,
+    proxy::{
+        LocationMfaMode as ProtoLocationMfaMode, ServiceLocationMode as ProtoServiceLocationMode,
+    },
+};
 use ipnetwork::{IpNetwork, IpNetworkError, NetworkSize};
 use model_derive::Model;
 use rand::rngs::OsRng;
@@ -33,14 +40,10 @@ use super::{
     wireguard_peer_stats::WireguardPeerStats,
 };
 use crate::{
-    enterprise::firewall::FirewallError,
+    enterprise::{firewall::FirewallError, is_enterprise_enabled},
     grpc::gateway::{send_multiple_wireguard_events, state::GatewayState},
     wg_config::ImportedDevice,
 };
-use defguard_proto::{
-    enterprise::firewall::FirewallConfig, gateway::Peer,
-    proxy::LocationMfaMode as ProtoLocationMfaMode,
-};
 
 pub const DEFAULT_KEEPALIVE_INTERVAL: i32 = 25;
 pub const DEFAULT_DISCONNECT_THRESHOLD: i32 = 300;
@@ -126,6 +129,38 @@ impl From<LocationMfaMode> for ProtoLocationMfaMode {
     }
 }
 
+#[derive(Clone, Debug, Default, Deserialize, Eq, Hash, PartialEq, Serialize, ToSchema, Type)]
+#[sqlx(type_name = "service_location_mode", rename_all = "lowercase")]
+#[serde(rename_all = "lowercase")]
+pub enum ServiceLocationMode {
+    #[default]
+    Disabled,
+    PreLogon,
+    AlwaysOn,
+}
+
+impl From<ProtoServiceLocationMode> for ServiceLocationMode {
+    fn from(value: ProtoServiceLocationMode) -> Self {
+        match value {
+            ProtoServiceLocationMode::Unspecified | ProtoServiceLocationMode::Disabled => {
+                ServiceLocationMode::Disabled
+            }
+            ProtoServiceLocationMode::Prelogon => ServiceLocationMode::PreLogon,
+            ProtoServiceLocationMode::Alwayson => ServiceLocationMode::AlwaysOn,
+        }
+    }
+}
+
+impl From<ServiceLocationMode> for ProtoServiceLocationMode {
+    fn from(value: ServiceLocationMode) -> Self {
+        match value {
+            ServiceLocationMode::Disabled => ProtoServiceLocationMode::Disabled,
+            ServiceLocationMode::PreLogon => ProtoServiceLocationMode::Prelogon,
+            ServiceLocationMode::AlwaysOn => ProtoServiceLocationMode::Alwayson,
+        }
+    }
+}
+
 /// Stores configuration required to setup a WireGuard network
 #[derive(Clone, Debug, Deserialize, Eq, Hash, Model, PartialEq, Serialize, ToSchema)]
 #[table(wireguard_network)]
@@ -151,6 +186,8 @@ pub struct WireguardNetwork<I = NoId> {
     pub peer_disconnect_threshold: i32,
     #[model(enum)]
     pub location_mfa_mode: LocationMfaMode,
+    #[model(enum)]
+    pub service_location_mode: ServiceLocationMode,
 }
 
 pub struct WireguardKey {
@@ -189,6 +226,7 @@ impl Default for WireguardNetwork<Id> {
             acl_default_allow: false,
             acl_enabled: false,
             location_mfa_mode: LocationMfaMode::default(),
+            service_location_mode: ServiceLocationMode::default(),
         }
     }
 }
@@ -249,6 +287,7 @@ impl WireguardNetwork {
         acl_enabled: bool,
         acl_default_allow: bool,
         location_mfa_mode: LocationMfaMode,
+        service_location_mode: ServiceLocationMode,
     ) -> Self {
         let prvkey = StaticSecret::random_from_rng(OsRng);
         let pubkey = PublicKey::from(&prvkey);
@@ -269,6 +308,7 @@ impl WireguardNetwork {
             acl_enabled,
             acl_default_allow,
             location_mfa_mode,
+            service_location_mode,
         }
     }
 
@@ -299,7 +339,8 @@ impl WireguardNetwork<Id> {
             WireguardNetwork,
             "SELECT id, name, address, port, pubkey, prvkey, endpoint, dns, allowed_ips, \
             connected_at, keepalive_interval, peer_disconnect_threshold, \
-            acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\" \
+            acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\", \
+            service_location_mode \"service_location_mode: ServiceLocationMode\" \
             FROM wireguard_network WHERE name = $1",
             name
         )
@@ -1238,7 +1279,8 @@ impl WireguardNetwork<Id> {
             WireguardNetwork,
             "SELECT id, name, address, port, pubkey, prvkey, endpoint, dns, allowed_ips, \
             connected_at, keepalive_interval, peer_disconnect_threshold, acl_enabled, \
-            acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\" \
+            acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\", \
+            service_location_mode \"service_location_mode: ServiceLocationMode\" \
             FROM wireguard_network WHERE location_mfa_mode = 'external'::location_mfa_mode",
         )
         .fetch_all(executor)
@@ -1261,6 +1303,13 @@ impl WireguardNetwork<Id> {
 
         Ok(token)
     }
+
+    /// If this location is marked as a service location, checks if all requirements are met for it to function:
+    /// - Enterprise is enabled
+    #[must_use]
+    pub fn should_prevent_service_location_usage(&self) -> bool {
+        self.service_location_mode != ServiceLocationMode::Disabled && !is_enterprise_enabled()
+    }
 }
 
 // [`IpNetwork`] does not implement [`Default`]
@@ -1282,6 +1331,7 @@ impl Default for WireguardNetwork {
             acl_enabled: false,
             acl_default_allow: false,
             location_mfa_mode: LocationMfaMode::default(),
+            service_location_mode: ServiceLocationMode::default(),
         }
     }
 }
@@ -1418,7 +1468,7 @@ pub(crate) async fn networks_stats(
 mod test {
     use std::str::FromStr;
 
-    use chrono::{SubsecRound, TimeDelta};
+    use chrono::{SubsecRound, TimeDelta, Utc};
     use defguard_common::db::setup_pool;
     use matches::assert_matches;
     use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
@@ -1995,6 +2045,7 @@ mod test {
             false,
             false,
             LocationMfaMode::Disabled,
+            ServiceLocationMode::Disabled,
         )
         .save(&pool)
         .await
@@ -2126,6 +2177,7 @@ mod test {
             false,
             false,
             LocationMfaMode::Disabled,
+            ServiceLocationMode::Disabled,
         )
         .save(&pool)
         .await
@@ -2245,4 +2297,167 @@ mod test {
             Err(NetworkAddressError::IsBroadcastAddress(..))
         );
     }
+
+    #[sqlx::test]
+    async fn test_get_peers_service_location_modes(_: PgPoolOptions, options: PgConnectOptions) {
+        let pool = setup_pool(options).await;
+
+        let user = User::new(
+            "testuser",
+            Some("password123"),
+            "Test",
+            "User",
+            "test@example.com",
+            None,
+        )
+        .save(&pool)
+        .await
+        .unwrap();
+
+        let device1 = Device::new(
+            "device1".into(),
+            "pubkey1".into(),
+            user.id,
+            DeviceType::User,
+            None,
+            true,
+        )
+        .save(&pool)
+        .await
+        .unwrap();
+
+        let device2 = Device::new(
+            "device2".into(),
+            "pubkey2".into(),
+            user.id,
+            DeviceType::User,
+            None,
+            true,
+        )
+        .save(&pool)
+        .await
+        .unwrap();
+
+        // Normal location (service_location_mode = Disabled) should return peers
+        let mut network_normal = WireguardNetwork {
+            name: "normal-location".to_string(),
+            service_location_mode: ServiceLocationMode::Disabled,
+            location_mfa_mode: LocationMfaMode::Disabled,
+            ..Default::default()
+        };
+        network_normal.try_set_address("10.1.1.1/24").unwrap();
+        let network_normal = network_normal.save(&pool).await.unwrap();
+
+        WireguardNetworkDevice::new(
+            network_normal.id,
+            device1.id,
+            vec![IpAddr::from_str("10.1.1.2").unwrap()],
+        )
+        .insert(&pool)
+        .await
+        .unwrap();
+
+        let peers_normal = network_normal.get_peers(&pool).await.unwrap();
+        assert_eq!(peers_normal.len(), 1, "Normal location should return peers");
+        assert_eq!(peers_normal[0].pubkey, "pubkey1");
+
+        // Service location with PreLogon mode returns peers when enterprise is enabled (test env default)
+        let mut network_prelogon = WireguardNetwork {
+            name: "prelogon-service-location".to_string(),
+            service_location_mode: ServiceLocationMode::PreLogon,
+            location_mfa_mode: LocationMfaMode::Disabled,
+            ..Default::default()
+        };
+        network_prelogon.try_set_address("10.2.1.1/24").unwrap();
+        let network_prelogon = network_prelogon.save(&pool).await.unwrap();
+
+        WireguardNetworkDevice::new(
+            network_prelogon.id,
+            device2.id,
+            vec![IpAddr::from_str("10.2.1.2").unwrap()],
+        )
+        .insert(&pool)
+        .await
+        .unwrap();
+
+        // PreLogon service location should return peers when enterprise is enabled
+        let peers_prelogon = network_prelogon.get_peers(&pool).await.unwrap();
+        assert_eq!(
+            peers_prelogon.len(),
+            1,
+            "PreLogon service location should return peers when enterprise is enabled"
+        );
+        assert_eq!(peers_prelogon[0].pubkey, "pubkey2");
+
+        // Service location with AlwaysOn mode also returns peers when enterprise is enabled
+        let mut network_alwayson = WireguardNetwork {
+            name: "alwayson-service-location".to_string(),
+            service_location_mode: ServiceLocationMode::AlwaysOn,
+            location_mfa_mode: LocationMfaMode::Disabled,
+            ..Default::default()
+        };
+        network_alwayson.try_set_address("10.3.1.1/24").unwrap();
+        let network_alwayson = network_alwayson.save(&pool).await.unwrap();
+
+        let device3 = Device::new(
+            "device3".into(),
+            "pubkey3".into(),
+            user.id,
+            DeviceType::User,
+            None,
+            true,
+        )
+        .save(&pool)
+        .await
+        .unwrap();
+
+        WireguardNetworkDevice::new(
+            network_alwayson.id,
+            device3.id,
+            vec![IpAddr::from_str("10.3.1.2").unwrap()],
+        )
+        .insert(&pool)
+        .await
+        .unwrap();
+
+        // AlwaysOn service location should return peers when enterprise is enabled
+        let peers_alwayson = network_alwayson.get_peers(&pool).await.unwrap();
+        assert_eq!(
+            peers_alwayson.len(),
+            1,
+            "AlwaysOn service location should return peers when enterprise is enabled"
+        );
+        assert_eq!(peers_alwayson[0].pubkey, "pubkey3");
+
+        // Now test the negative case: service locations with enterprise disabled
+        // Exceed the enterprise limits to disable enterprise features
+        use crate::enterprise::limits::{Counts, DEFAULT_LOCATIONS_LIMIT, set_counts};
+        let over_limit_counts = Counts::new(1, 1, DEFAULT_LOCATIONS_LIMIT + 1, 0);
+        set_counts(over_limit_counts);
+
+        // Test that normal location still returns peers even without enterprise
+        let peers_normal_no_ent = network_normal.get_peers(&pool).await.unwrap();
+        assert_eq!(
+            peers_normal_no_ent.len(),
+            1,
+            "Normal location should still return peers without enterprise"
+        );
+
+        // Test that PreLogon service location returns NO peers without enterprise
+        let peers_prelogon_no_ent = network_prelogon.get_peers(&pool).await.unwrap();
+        assert!(
+            peers_prelogon_no_ent.is_empty(),
+            "PreLogon service location should return NO peers when enterprise is disabled"
+        );
+
+        // Test that AlwaysOn service location returns NO peers without enterprise
+        let peers_alwayson_no_ent = network_alwayson.get_peers(&pool).await.unwrap();
+        assert!(
+            peers_alwayson_no_ent.is_empty(),
+            "AlwaysOn service location should return NO peers when enterprise is disabled"
+        );
+
+        let normal_counts = Counts::new(0, 0, 0, 0);
+        set_counts(normal_counts);
+    }
 }
diff --git a/crates/defguard_core/src/db/models/wireguard_peer_stats.rs b/crates/defguard_core/src/db/models/wireguard_peer_stats.rs
index 2323584c7d..350f826fdd 100644
--- a/crates/defguard_core/src/db/models/wireguard_peer_stats.rs
+++ b/crates/defguard_core/src/db/models/wireguard_peer_stats.rs
@@ -1,13 +1,12 @@
 use std::time::Duration;
 
 use chrono::{DateTime, NaiveDateTime, TimeDelta, Utc};
+use defguard_common::db::{Id, NoId};
 use humantime::format_duration;
 use ipnetwork::IpNetwork;
 use model_derive::Model;
 use sqlx::{PgExecutor, PgPool, query, query_as, query_scalar};
 
-use defguard_common::db::{Id, NoId};
-
 #[derive(Debug, Deserialize, Model, Serialize)]
 #[table(wireguard_peer_stats)]
 pub struct WireguardPeerStats<I = NoId> {
diff --git a/crates/defguard_core/src/db/models/yubikey.rs b/crates/defguard_core/src/db/models/yubikey.rs
index 0813319334..b12f4b8548 100644
--- a/crates/defguard_core/src/db/models/yubikey.rs
+++ b/crates/defguard_core/src/db/models/yubikey.rs
@@ -1,8 +1,7 @@
+use defguard_common::db::{Id, NoId};
 use model_derive::Model;
 use sqlx::{PgExecutor, query, query_as};
 
-use defguard_common::db::{Id, NoId};
-
 #[derive(Deserialize, Model, Serialize)]
 pub struct YubiKey<I = NoId> {
     pub id: I,
diff --git a/crates/defguard_core/src/enterprise/db/models/acl.rs b/crates/defguard_core/src/enterprise/db/models/acl.rs
index faddd5c08f..22bb80774c 100644
--- a/crates/defguard_core/src/enterprise/db/models/acl.rs
+++ b/crates/defguard_core/src/enterprise/db/models/acl.rs
@@ -18,7 +18,10 @@ use thiserror::Error;
 use crate::{
     DeviceType,
     appstate::AppState,
-    db::{Device, GatewayEvent, Group, User, WireguardNetwork, models::wireguard::LocationMfaMode},
+    db::{
+        Device, GatewayEvent, Group, User, WireguardNetwork,
+        models::wireguard::{LocationMfaMode, ServiceLocationMode},
+    },
     enterprise::{
         firewall::FirewallError,
         handlers::acl::{ApiAclAlias, ApiAclRule, EditAclAlias, EditAclRule},
@@ -906,7 +909,8 @@ impl AclRule<Id> {
                 WireguardNetwork,
                 "SELECT n.id, name, address, port, pubkey, prvkey, endpoint, dns, allowed_ips, \
                 connected_at, keepalive_interval, peer_disconnect_threshold, \
-                acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\" \
+                acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\", \
+                service_location_mode \"service_location_mode: ServiceLocationMode\" \
                 FROM aclrulenetwork r \
                 JOIN wireguard_network n \
                 ON n.id = r.network_id \
diff --git a/crates/defguard_core/src/enterprise/db/models/acl/tests.rs b/crates/defguard_core/src/enterprise/db/models/acl/tests.rs
index becdc26481..85cdd42d82 100644
--- a/crates/defguard_core/src/enterprise/db/models/acl/tests.rs
+++ b/crates/defguard_core/src/enterprise/db/models/acl/tests.rs
@@ -183,6 +183,7 @@ async fn test_rule_relations(_: PgPoolOptions, options: PgConnectOptions) {
         false,
         false,
         LocationMfaMode::Disabled,
+        ServiceLocationMode::Disabled,
     )
     .save(&pool)
     .await
@@ -199,6 +200,7 @@ async fn test_rule_relations(_: PgPoolOptions, options: PgConnectOptions) {
         false,
         false,
         LocationMfaMode::Disabled,
+        ServiceLocationMode::Disabled,
     )
     .save(&pool)
     .await
diff --git a/crates/defguard_core/src/enterprise/db/models/activity_log_stream.rs b/crates/defguard_core/src/enterprise/db/models/activity_log_stream.rs
index d6adb11fc4..3548de1883 100644
--- a/crates/defguard_core/src/enterprise/db/models/activity_log_stream.rs
+++ b/crates/defguard_core/src/enterprise/db/models/activity_log_stream.rs
@@ -1,13 +1,13 @@
+use defguard_common::{
+    db::{Id, NoId},
+    secret::SecretStringWrapper,
+};
 use model_derive::Model;
 use serde::Serialize;
 use sqlx::{Error as SqlxError, FromRow, PgExecutor, Type, query_as};
 use strum_macros::{Display, EnumString};
 
 use crate::enterprise::activity_log_stream::error::ActivityLogStreamError;
-use defguard_common::{
-    db::{Id, NoId},
-    secret::SecretStringWrapper,
-};
 
 #[derive(Debug, Serialize, Deserialize, Type, EnumString, Display, Clone, PartialEq)]
 #[sqlx(type_name = "text", rename_all = "snake_case")]
diff --git a/crates/defguard_core/src/enterprise/db/models/api_tokens.rs b/crates/defguard_core/src/enterprise/db/models/api_tokens.rs
index 5b44881fc8..7b65a80e96 100644
--- a/crates/defguard_core/src/enterprise/db/models/api_tokens.rs
+++ b/crates/defguard_core/src/enterprise/db/models/api_tokens.rs
@@ -1,9 +1,8 @@
 use chrono::NaiveDateTime;
+use defguard_common::db::{Id, NoId};
 use model_derive::Model;
 use sqlx::{Error as SqlxError, PgExecutor, query_as};
 
-use defguard_common::db::{Id, NoId};
-
 #[derive(Clone, Debug, Deserialize, Model, Serialize, PartialEq)]
 #[table(api_token)]
 pub struct ApiToken<I = NoId> {
diff --git a/crates/defguard_core/src/enterprise/db/models/openid_provider.rs b/crates/defguard_core/src/enterprise/db/models/openid_provider.rs
index 1ffdde6830..7143b062b3 100644
--- a/crates/defguard_core/src/enterprise/db/models/openid_provider.rs
+++ b/crates/defguard_core/src/enterprise/db/models/openid_provider.rs
@@ -1,10 +1,9 @@
 use std::fmt;
 
+use defguard_common::db::{Id, NoId};
 use model_derive::Model;
 use sqlx::{Error as SqlxError, PgExecutor, PgPool, Type, query, query_as};
 
-use defguard_common::db::{Id, NoId};
-
 // The behavior when a user is deleted from the directory
 // Keep: Keep the user, despite being deleted from the external provider's directory
 // Disable: Disable the user
diff --git a/crates/defguard_core/src/enterprise/db/models/snat.rs b/crates/defguard_core/src/enterprise/db/models/snat.rs
index e8ed98df8e..c4ae69fc8e 100644
--- a/crates/defguard_core/src/enterprise/db/models/snat.rs
+++ b/crates/defguard_core/src/enterprise/db/models/snat.rs
@@ -1,12 +1,12 @@
 use std::net::IpAddr;
 
+use defguard_common::db::{Id, NoId};
 use model_derive::Model;
 use serde::{Deserialize, Serialize};
 use sqlx::{PgExecutor, query_as};
 use utoipa::ToSchema;
 
 use crate::enterprise::snat::error::UserSnatBindingError;
-use defguard_common::db::{Id, NoId};
 
 #[derive(Clone, Debug, Deserialize, Model, Serialize, ToSchema, PartialEq)]
 #[table(user_snat_binding)]
diff --git a/crates/defguard_core/src/enterprise/directory_sync/tests.rs b/crates/defguard_core/src/enterprise/directory_sync/tests.rs
index d6ae4f4beb..e0d1a5496c 100644
--- a/crates/defguard_core/src/enterprise/directory_sync/tests.rs
+++ b/crates/defguard_core/src/enterprise/directory_sync/tests.rs
@@ -18,7 +18,10 @@ mod test {
     use crate::{
         db::{
             Device, Session, SessionState, WireguardNetwork,
-            models::{device::DeviceType, wireguard::LocationMfaMode},
+            models::{
+                device::DeviceType,
+                wireguard::{LocationMfaMode, ServiceLocationMode},
+            },
         },
         enterprise::db::models::openid_provider::DirectorySyncTarget,
     };
@@ -59,6 +62,7 @@ mod test {
             false,
             false,
             LocationMfaMode::Disabled,
+            ServiceLocationMode::Disabled,
         )
         .save(pool)
         .await
diff --git a/crates/defguard_core/src/enterprise/firewall/mod.rs b/crates/defguard_core/src/enterprise/firewall/mod.rs
index a87f9110ac..5e2b7e8d97 100644
--- a/crates/defguard_core/src/enterprise/firewall/mod.rs
+++ b/crates/defguard_core/src/enterprise/firewall/mod.rs
@@ -4,6 +4,11 @@ use std::{
 };
 
 use defguard_common::db::{Id, models::ModelError};
+use defguard_proto::enterprise::firewall::{
+    FirewallConfig, FirewallPolicy, FirewallRule, IpAddress, IpRange, IpVersion, Port,
+    PortRange as PortRangeProto, SnatBinding as SnatBindingProto, ip_address::Address,
+    port::Port as PortInner,
+};
 use ipnetwork::IpNetwork;
 use sqlx::{Error as SqlxError, PgConnection, query_as, query_scalar};
 
@@ -21,11 +26,6 @@ use crate::{
         is_enterprise_enabled,
     },
 };
-use defguard_proto::enterprise::firewall::{
-    FirewallConfig, FirewallPolicy, FirewallRule, IpAddress, IpRange, IpVersion, Port,
-    PortRange as PortRangeProto, SnatBinding as SnatBindingProto, ip_address::Address,
-    port::Port as PortInner,
-};
 
 #[derive(Debug, thiserror::Error)]
 pub enum FirewallError {
diff --git a/crates/defguard_core/src/enterprise/firewall/tests.rs b/crates/defguard_core/src/enterprise/firewall/tests.rs
index 0785fb85fc..abad1a6910 100644
--- a/crates/defguard_core/src/enterprise/firewall/tests.rs
+++ b/crates/defguard_core/src/enterprise/firewall/tests.rs
@@ -2,6 +2,10 @@ use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
 
 use chrono::{DateTime, NaiveDateTime};
 use defguard_common::db::{Id, NoId, setup_pool};
+use defguard_proto::enterprise::firewall::{
+    FirewallPolicy, IpAddress, IpRange, IpVersion, Port, PortRange as PortRangeProto, Protocol,
+    ip_address::Address, port::Port as PortInner,
+};
 use ipnetwork::{IpNetwork, Ipv6Network};
 use rand::{Rng, thread_rng};
 use sqlx::{
@@ -27,10 +31,6 @@ use crate::{
         firewall::{get_source_addrs, get_source_network_devices},
     },
 };
-use defguard_proto::enterprise::firewall::{
-    FirewallPolicy, IpAddress, IpRange, IpVersion, Port, PortRange as PortRangeProto, Protocol,
-    ip_address::Address, port::Port as PortInner,
-};
 
 impl Default for AclRuleDestinationRange<Id> {
     fn default() -> Self {
diff --git a/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs b/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs
index eeb022224f..b03d904df9 100644
--- a/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs
+++ b/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs
@@ -1,3 +1,4 @@
+use defguard_proto::proxy::{ClientMfaOidcAuthenticateRequest, DeviceInfo, MfaMethod};
 use openidconnect::{AuthorizationCode, Nonce};
 use reqwest::Url;
 use tonic::Status;
@@ -13,7 +14,6 @@ use crate::{
         utils::parse_client_info,
     },
 };
-use defguard_proto::proxy::{ClientMfaOidcAuthenticateRequest, DeviceInfo, MfaMethod};
 
 impl ClientMfaServer {
     #[instrument(skip_all)]
diff --git a/crates/defguard_core/src/enterprise/grpc/polling.rs b/crates/defguard_core/src/enterprise/grpc/polling.rs
index 782ca70fab..ecce3ec2f3 100644
--- a/crates/defguard_core/src/enterprise/grpc/polling.rs
+++ b/crates/defguard_core/src/enterprise/grpc/polling.rs
@@ -1,4 +1,5 @@
 use defguard_common::db::Id;
+use defguard_proto::proxy::{InstanceInfoRequest, InstanceInfoResponse};
 use sqlx::PgPool;
 use tonic::Status;
 
@@ -7,7 +8,6 @@ use crate::{
     enterprise::is_enterprise_enabled,
     grpc::utils::build_device_config_response,
 };
-use defguard_proto::proxy::{InstanceInfoRequest, InstanceInfoResponse};
 
 pub struct PollingServer {
     pool: PgPool,
diff --git a/crates/defguard_core/src/enterprise/handlers/activity_log_stream.rs b/crates/defguard_core/src/enterprise/handlers/activity_log_stream.rs
index f125fddf5e..e8bbe7573a 100644
--- a/crates/defguard_core/src/enterprise/handlers/activity_log_stream.rs
+++ b/crates/defguard_core/src/enterprise/handlers/activity_log_stream.rs
@@ -2,6 +2,7 @@ use axum::{
     Json,
     extract::{Path, State},
 };
+use defguard_common::db::{Id, NoId};
 use reqwest::StatusCode;
 use serde_json::json;
 
@@ -15,7 +16,6 @@ use crate::{
     events::{ApiEvent, ApiEventType, ApiRequestContext},
     handlers::{ApiResponse, ApiResult},
 };
-use defguard_common::db::{Id, NoId};
 
 pub async fn get_activity_log_stream(
     _admin: AdminRole,
diff --git a/crates/defguard_core/src/enterprise/handlers/api_tokens.rs b/crates/defguard_core/src/enterprise/handlers/api_tokens.rs
index 12132fbc7e..15a40ecfda 100644
--- a/crates/defguard_core/src/enterprise/handlers/api_tokens.rs
+++ b/crates/defguard_core/src/enterprise/handlers/api_tokens.rs
@@ -4,6 +4,7 @@ use axum::{
     http::StatusCode,
 };
 use chrono::Utc;
+use defguard_common::random::gen_alphanumeric;
 use serde_json::json;
 
 use super::LicenseInfo;
@@ -16,7 +17,6 @@ use crate::{
     events::{ApiEvent, ApiEventType, ApiRequestContext},
     handlers::{ApiResponse, ApiResult, user_for_admin_or_self},
 };
-use defguard_common::random::gen_alphanumeric;
 
 const API_TOKEN_LENGTH: usize = 32;
 
diff --git a/crates/defguard_core/src/enterprise/ldap/client.rs b/crates/defguard_core/src/enterprise/ldap/client.rs
index 36a5f1b0d9..0524f3b649 100644
--- a/crates/defguard_core/src/enterprise/ldap/client.rs
+++ b/crates/defguard_core/src/enterprise/ldap/client.rs
@@ -4,6 +4,7 @@ use std::{
     time::Duration,
 };
 
+use defguard_common::db::models::Settings;
 use ldap3::{
     LdapConnAsync, LdapConnSettings, Mod, Scope, SearchEntry, adapters::PagedResults, drive,
     ldap_escape,
@@ -11,7 +12,6 @@ use ldap3::{
 
 use super::error::LdapError;
 use crate::{db::User, enterprise::ldap::model::extract_rdn_value};
-use defguard_common::db::models::Settings;
 
 impl super::LDAPConnection {
     pub(crate) async fn create() -> Result<super::LDAPConnection, LdapError> {
diff --git a/crates/defguard_core/src/enterprise/license.rs b/crates/defguard_core/src/enterprise/license.rs
index 499839d8cd..2bec3c4747 100644
--- a/crates/defguard_core/src/enterprise/license.rs
+++ b/crates/defguard_core/src/enterprise/license.rs
@@ -3,6 +3,12 @@ use std::time::Duration;
 use anyhow::Result;
 use base64::prelude::*;
 use chrono::{DateTime, TimeDelta, Utc};
+use defguard_common::{
+    VERSION,
+    config::server_config,
+    db::models::{Settings, settings::update_current_settings},
+    global_value,
+};
 use humantime::format_duration;
 use pgp::{
     composed::{Deserializable, SignedPublicKey, StandaloneSignature},
@@ -15,12 +21,6 @@ use tokio::time::sleep;
 
 use super::limits::Counts;
 use crate::grpc::proto::enterprise::license::{LicenseKey, LicenseLimits, LicenseMetadata};
-use defguard_common::{
-    VERSION,
-    config::server_config,
-    db::models::{Settings, settings::update_current_settings},
-    global_value,
-};
 
 const LICENSE_SERVER_URL: &str = "https://pkgs.defguard.net/api/license/renew";
 
diff --git a/crates/defguard_core/src/events.rs b/crates/defguard_core/src/events.rs
index eb763a6c84..dc316c0992 100644
--- a/crates/defguard_core/src/events.rs
+++ b/crates/defguard_core/src/events.rs
@@ -5,6 +5,7 @@ use defguard_common::db::{
     Id,
     models::{AuthenticationKey, MFAMethod, Settings},
 };
+use defguard_proto::proxy::MfaMethod;
 
 use crate::{
     db::{
@@ -16,7 +17,6 @@ use crate::{
         openid_provider::OpenIdProvider, snat::UserSnatBinding,
     },
 };
-use defguard_proto::proxy::MfaMethod;
 
 /// Shared context that needs to be added to every API event
 ///
diff --git a/crates/defguard_core/src/grpc/client_mfa.rs b/crates/defguard_core/src/grpc/client_mfa.rs
index e2b86685b0..ea1e6482d6 100644
--- a/crates/defguard_core/src/grpc/client_mfa.rs
+++ b/crates/defguard_core/src/grpc/client_mfa.rs
@@ -9,6 +9,11 @@ use defguard_common::{
     },
 };
 use defguard_mail::Mail;
+use defguard_proto::proxy::{
+    self, ClientMfaFinishRequest, ClientMfaFinishResponse, ClientMfaStartRequest,
+    ClientMfaStartResponse, ClientMfaTokenValidationRequest, ClientMfaTokenValidationResponse,
+    MfaMethod,
+};
 use sqlx::PgPool;
 use thiserror::Error;
 use tokio::sync::{
@@ -30,11 +35,6 @@ use crate::{
     grpc::utils::parse_client_info,
     handlers::mail::send_email_mfa_code_email,
 };
-use defguard_proto::proxy::{
-    self, ClientMfaFinishRequest, ClientMfaFinishResponse, ClientMfaStartRequest,
-    ClientMfaStartResponse, ClientMfaTokenValidationRequest, ClientMfaTokenValidationResponse,
-    MfaMethod,
-};
 
 const CLIENT_SESSION_TIMEOUT: u64 = 60 * 5; // 10 minutes
 
diff --git a/crates/defguard_core/src/grpc/enrollment.rs b/crates/defguard_core/src/grpc/enrollment.rs
index 2a744913e8..ddf124c597 100644
--- a/crates/defguard_core/src/grpc/enrollment.rs
+++ b/crates/defguard_core/src/grpc/enrollment.rs
@@ -11,6 +11,14 @@ use defguard_mail::{
     Mail,
     templates::{self, TemplateLocation},
 };
+use defguard_proto::proxy::{
+    ActivateUserRequest, AdminInfo, CodeMfaSetupFinishRequest, CodeMfaSetupFinishResponse,
+    CodeMfaSetupStartRequest, CodeMfaSetupStartResponse, Device as ProtoDevice,
+    DeviceConfig as ProtoDeviceConfig, DeviceConfigResponse, EnrollmentStartRequest,
+    EnrollmentStartResponse, ExistingDevice, InitialUserInfo,
+    LocationMfaMode as ProtoLocationMfaMode, MfaMethod, NewDevice, RegisterMobileAuthRequest,
+    ServiceLocationMode as ProtoServiceLocationMode,
+};
 use sqlx::{PgPool, Transaction, query_scalar};
 use tokio::sync::{
     broadcast::Sender,
@@ -26,7 +34,7 @@ use crate::{
             device::{DeviceConfig, DeviceInfo, DeviceType},
             enrollment::{ENROLLMENT_TOKEN_TYPE, Token, TokenError},
             polling_token::PollingToken,
-            wireguard::LocationMfaMode,
+            wireguard::{LocationMfaMode, ServiceLocationMode},
         },
     },
     enterprise::{
@@ -45,13 +53,6 @@ use crate::{
     headers::get_device_info,
     is_valid_phone_number, server_config,
 };
-use defguard_proto::proxy::{
-    ActivateUserRequest, AdminInfo, CodeMfaSetupFinishRequest, CodeMfaSetupFinishResponse,
-    CodeMfaSetupStartRequest, CodeMfaSetupStartResponse, Device as ProtoDevice,
-    DeviceConfig as ProtoDeviceConfig, DeviceConfigResponse, EnrollmentStartRequest,
-    EnrollmentStartResponse, ExistingDevice, InitialUserInfo,
-    LocationMfaMode as ProtoLocationMfaMode, MfaMethod, NewDevice, RegisterMobileAuthRequest,
-};
 
 pub(super) struct EnrollmentServer {
     pool: PgPool,
@@ -1078,6 +1079,12 @@ impl From<DeviceConfig> for ProtoDeviceConfig {
                 <LocationMfaMode as Into<ProtoLocationMfaMode>>::into(config.location_mfa_mode)
                     .into(),
             ),
+            service_location_mode: Some(
+                <ServiceLocationMode as Into<ProtoServiceLocationMode>>::into(
+                    config.service_location_mode,
+                )
+                .into(),
+            ),
         }
     }
 }
diff --git a/crates/defguard_core/src/grpc/gateway/map.rs b/crates/defguard_core/src/grpc/gateway/map.rs
index 42e665784d..60b5ab49d0 100644
--- a/crates/defguard_core/src/grpc/gateway/map.rs
+++ b/crates/defguard_core/src/grpc/gateway/map.rs
@@ -2,6 +2,7 @@ use std::collections::HashMap;
 
 use chrono::Utc;
 use defguard_common::db::Id;
+use defguard_mail::Mail;
 use defguard_version::tracing::VersionInfo;
 use semver::Version;
 use sqlx::PgPool;
@@ -10,7 +11,6 @@ use tokio::sync::mpsc::UnboundedSender;
 use uuid::Uuid;
 
 use super::state::GatewayState;
-use defguard_mail::Mail;
 
 /// Helper struct used to handle gateway state. Gateways are grouped by network.
 type GatewayHostname = String;
diff --git a/crates/defguard_core/src/grpc/gateway/mod.rs b/crates/defguard_core/src/grpc/gateway/mod.rs
index ca3d668283..1fd5ad6f3a 100644
--- a/crates/defguard_core/src/grpc/gateway/mod.rs
+++ b/crates/defguard_core/src/grpc/gateway/mod.rs
@@ -95,11 +95,22 @@ impl WireguardNetwork<Id> {
     ///
     /// Each device is marked as allowed or not allowed in a given network,
     /// which enables enforcing peer disconnect in MFA-protected networks.
+    ///
+    /// If the location is a service location, only returns peers if enterprise features are enabled.
     pub async fn get_peers<'e, E>(&self, executor: E) -> Result<Vec<Peer>, SqlxError>
     where
         E: PgExecutor<'e>,
     {
         debug!("Fetching all peers for network {}", self.id);
+
+        if self.should_prevent_service_location_usage() {
+            warn!(
+                "Tried to use service location {} with disabled enterprise features. No clients will be allowed to connect.",
+                self.name
+            );
+            return Ok(Vec::new());
+        }
+
         let rows = query!(
             "SELECT d.wireguard_pubkey pubkey, preshared_key, \
                 -- TODO possible to not use ARRAY-unnest here?
diff --git a/crates/defguard_core/src/grpc/mod.rs b/crates/defguard_core/src/grpc/mod.rs
index 2346a8e1ad..85cf800d95 100644
--- a/crates/defguard_core/src/grpc/mod.rs
+++ b/crates/defguard_core/src/grpc/mod.rs
@@ -1,11 +1,9 @@
 use std::{
     collections::hash_map::HashMap,
     fs::read_to_string,
-    time::{Duration, Instant},
-};
-use std::{
     net::{IpAddr, Ipv4Addr, SocketAddr},
     sync::{Arc, Mutex, RwLock},
+    time::{Duration, Instant},
 };
 
 use axum::http::Uri;
@@ -15,10 +13,9 @@ use defguard_common::{
     db::{Id, models::Settings},
 };
 use defguard_mail::Mail;
-use defguard_version::server::DefguardVersionLayer;
 use defguard_version::{
     ComponentInfo, DefguardComponent, Version, client::ClientVersionInterceptor,
-    get_tracing_variables,
+    get_tracing_variables, server::DefguardVersionLayer,
 };
 use openidconnect::{AuthorizationCode, Nonce, Scope, core::CoreAuthenticationFlow};
 use reqwest::Url;
@@ -40,18 +37,16 @@ use tonic::{
 };
 use tower::ServiceBuilder;
 
-use self::gateway::GatewayServer;
 use self::{
     auth::AuthServer, client_mfa::ClientMfaServer, enrollment::EnrollmentServer,
-    password_reset::PasswordResetServer,
+    gateway::GatewayServer, interceptor::JwtInterceptor, password_reset::PasswordResetServer,
+    worker::WorkerServer,
 };
-use self::{interceptor::JwtInterceptor, worker::WorkerServer};
-use crate::db::GatewayEvent;
 pub use crate::version::MIN_GATEWAY_VERSION;
 use crate::{
     auth::failed_login::FailedLoginMap,
     db::{
-        AppEvent,
+        AppEvent, GatewayEvent,
         models::enrollment::{ENROLLMENT_TOKEN_TYPE, Token},
     },
     enterprise::{
diff --git a/crates/defguard_core/src/grpc/password_reset.rs b/crates/defguard_core/src/grpc/password_reset.rs
index 9049fb449e..0c1957e713 100644
--- a/crates/defguard_core/src/grpc/password_reset.rs
+++ b/crates/defguard_core/src/grpc/password_reset.rs
@@ -1,4 +1,8 @@
 use defguard_mail::Mail;
+use defguard_proto::proxy::{
+    DeviceInfo, PasswordResetInitializeRequest, PasswordResetRequest, PasswordResetStartRequest,
+    PasswordResetStartResponse,
+};
 use sqlx::PgPool;
 use tokio::sync::mpsc::{UnboundedSender, error::SendError};
 use tonic::Status;
@@ -18,10 +22,6 @@ use crate::{
     headers::get_device_info,
     server_config,
 };
-use defguard_proto::proxy::{
-    DeviceInfo, PasswordResetInitializeRequest, PasswordResetRequest, PasswordResetStartRequest,
-    PasswordResetStartResponse,
-};
 
 pub(super) struct PasswordResetServer {
     pool: PgPool,
diff --git a/crates/defguard_core/src/grpc/utils.rs b/crates/defguard_core/src/grpc/utils.rs
index 757b9d9490..1f7ffec69a 100644
--- a/crates/defguard_core/src/grpc/utils.rs
+++ b/crates/defguard_core/src/grpc/utils.rs
@@ -4,6 +4,10 @@ use defguard_common::{
     csv::AsCsv,
     db::{Id, models::Settings},
 };
+use defguard_proto::proxy::{
+    DeviceConfig as ProtoDeviceConfig, DeviceConfigResponse, DeviceInfo,
+    LocationMfaMode as ProtoLocationMfaMode,
+};
 use sqlx::PgPool;
 use tonic::Status;
 
@@ -14,17 +18,13 @@ use crate::{
         models::{
             device::{DeviceType, WireguardNetworkDevice},
             polling_token::PollingToken,
-            wireguard::{LocationMfaMode, WireguardNetwork},
+            wireguard::{LocationMfaMode, ServiceLocationMode, WireguardNetwork},
         },
     },
     enterprise::db::models::{
         enterprise_settings::EnterpriseSettings, openid_provider::OpenIdProvider,
     },
 };
-use defguard_proto::proxy::{
-    DeviceConfig as ProtoDeviceConfig, DeviceConfigResponse, DeviceInfo,
-    LocationMfaMode as ProtoLocationMfaMode,
-};
 
 // Create a new token for configuration polling.
 pub(crate) async fn new_polling_token(
@@ -122,27 +122,44 @@ pub(crate) async fn build_device_config_response(
                     );
                     Status::internal(format!("unexpected error: {err}"))
                 })?;
+            if network.should_prevent_service_location_usage() {
+                error!(
+                    "Tried to use service location {} with disabled enterprise features.",
+                    network.name
+                );
+                return Err(Status::permission_denied(
+                    "service location mode is not available",
+                ));
+            }
             // DEPRECATED(1.5): superseeded by location_mfa_mode
             let mfa_enabled = network.location_mfa_mode == LocationMfaMode::Internal;
-            let config = ProtoDeviceConfig {
-                config: Device::create_config(&network, &wireguard_network_device),
-                network_id: network.id,
-                network_name: network.name,
-                assigned_ip: wireguard_network_device.wireguard_ips.as_csv(),
-                endpoint: format!("{}:{}", network.endpoint, network.port),
-                pubkey: network.pubkey,
-                allowed_ips: network.allowed_ips.as_csv(),
-                dns: network.dns,
-                keepalive_interval: network.keepalive_interval,
-                #[allow(deprecated)]
-                mfa_enabled,
-                location_mfa_mode: Some(
-                    <LocationMfaMode as Into<ProtoLocationMfaMode>>::into(
-                        network.location_mfa_mode,
-                    )
-                    .into(),
-                ),
-            };
+            let config =
+                ProtoDeviceConfig {
+                    config: Device::create_config(&network, &wireguard_network_device),
+                    network_id: network.id,
+                    network_name: network.name,
+                    assigned_ip: wireguard_network_device.wireguard_ips.as_csv(),
+                    endpoint: format!("{}:{}", network.endpoint, network.port),
+                    pubkey: network.pubkey,
+                    allowed_ips: network.allowed_ips.as_csv(),
+                    dns: network.dns,
+                    keepalive_interval: network.keepalive_interval,
+                    #[allow(deprecated)]
+                    mfa_enabled,
+                    location_mfa_mode: Some(
+                        <LocationMfaMode as Into<ProtoLocationMfaMode>>::into(
+                            network.location_mfa_mode,
+                        )
+                        .into(),
+                    ),
+                    service_location_mode:
+                        Some(
+                            <ServiceLocationMode as Into<
+                                defguard_proto::proxy::ServiceLocationMode,
+                            >>::into(network.service_location_mode)
+                            .into(),
+                        ),
+                };
             configs.push(config);
         }
     } else {
@@ -158,6 +175,13 @@ pub(crate) async fn build_device_config_response(
                 );
                 Status::internal(format!("unexpected error: {err}"))
             })?;
+            if network.should_prevent_service_location_usage() {
+                warn!(
+                    "Tried to use service location {} with disabled enterprise features.",
+                    network.name
+                );
+                continue;
+            }
             // DEPRECATED(1.5): superseeded by location_mfa_mode
             let mfa_enabled = network.location_mfa_mode == LocationMfaMode::Internal;
             if let Some(wireguard_network_device) = wireguard_network_device {
@@ -179,6 +203,13 @@ pub(crate) async fn build_device_config_response(
                         )
                         .into(),
                     ),
+                    service_location_mode:
+                        Some(
+                            <ServiceLocationMode as Into<
+                                defguard_proto::proxy::ServiceLocationMode,
+                            >>::into(network.service_location_mode)
+                            .into(),
+                        ),
                 };
                 configs.push(config);
             }
diff --git a/crates/defguard_core/src/grpc/worker.rs b/crates/defguard_core/src/grpc/worker.rs
index c0acfa12ec..069492a687 100644
--- a/crates/defguard_core/src/grpc/worker.rs
+++ b/crates/defguard_core/src/grpc/worker.rs
@@ -6,14 +6,14 @@ use std::{
 };
 
 use defguard_common::db::models::{AuthenticationKey, AuthenticationKeyType};
+pub use defguard_proto::worker::JobStatus;
+use defguard_proto::worker::{GetJobResponse, Worker, worker_service_server};
 use sqlx::{PgPool, query};
 use tokio::sync::mpsc::UnboundedSender;
 use tonic::{Request, Response, Status};
 
 use super::{Job, JobResponse, WorkerDetail, WorkerInfo, WorkerState};
 use crate::db::{AppEvent, HWKeyUserData, User, YubiKey};
-pub use defguard_proto::worker::JobStatus;
-use defguard_proto::worker::{GetJobResponse, Worker, worker_service_server};
 
 impl WorkerInfo {
     /// Create new `Worker` instance.
diff --git a/crates/defguard_core/src/handlers/app_info.rs b/crates/defguard_core/src/handlers/app_info.rs
index e53592f9c8..344ee41925 100644
--- a/crates/defguard_core/src/handlers/app_info.rs
+++ b/crates/defguard_core/src/handlers/app_info.rs
@@ -1,4 +1,5 @@
 use axum::{extract::State, http::StatusCode};
+use defguard_common::{VERSION, db::models::Settings};
 use serde_json::json;
 
 use super::{ApiResponse, ApiResult};
@@ -13,7 +14,6 @@ use crate::{
         limits::{LimitsExceeded, get_counts},
     },
 };
-use defguard_common::{VERSION, db::models::Settings};
 
 #[derive(Serialize)]
 struct LicenseInfo {
diff --git a/crates/defguard_core/src/handlers/mod.rs b/crates/defguard_core/src/handlers/mod.rs
index cbe8263013..c83fed9a13 100644
--- a/crates/defguard_core/src/handlers/mod.rs
+++ b/crates/defguard_core/src/handlers/mod.rs
@@ -12,11 +12,10 @@ use sqlx::PgPool;
 use utoipa::ToSchema;
 use webauthn_rs::prelude::RegisterPublicKeyCredential;
 
-use crate::db::Device;
 use crate::{
     appstate::AppState,
     auth::SessionInfo,
-    db::{User, UserInfo, WebHook},
+    db::{Device, User, UserInfo, WebHook},
     enterprise::{db::models::acl::AclError, license::LicenseError},
     error::WebError,
     events::ApiRequestContext,
diff --git a/crates/defguard_core/src/handlers/wireguard.rs b/crates/defguard_core/src/handlers/wireguard.rs
index 466cc7cb62..4aa617b107 100644
--- a/crates/defguard_core/src/handlers/wireguard.rs
+++ b/crates/defguard_core/src/handlers/wireguard.rs
@@ -31,8 +31,9 @@ use crate::{
                 WireguardNetworkDevice,
             },
             wireguard::{
-                DateTimeAggregation, LocationMfaMode, MappedDevice, WireguardDeviceStatsRow,
-                WireguardNetworkInfo, WireguardNetworkStats, WireguardUserStatsRow, networks_stats,
+                DateTimeAggregation, LocationMfaMode, MappedDevice, ServiceLocationMode,
+                WireguardDeviceStatsRow, WireguardNetworkInfo, WireguardNetworkStats,
+                WireguardUserStatsRow, networks_stats,
             },
         },
     },
@@ -85,6 +86,7 @@ pub struct WireguardNetworkData {
     pub acl_enabled: bool,
     pub acl_default_allow: bool,
     pub location_mfa_mode: LocationMfaMode,
+    pub service_location_mode: ServiceLocationMode,
 }
 
 impl WireguardNetworkData {
@@ -196,6 +198,7 @@ pub(crate) async fn create_network(
         data.acl_enabled,
         data.acl_default_allow,
         data.location_mfa_mode,
+        data.service_location_mode,
     );
 
     let mut transaction = appstate.pool.begin().await?;
@@ -292,6 +295,16 @@ pub(crate) async fn modify_network(
     network.peer_disconnect_threshold = data.peer_disconnect_threshold;
     network.acl_enabled = data.acl_enabled;
     network.acl_default_allow = data.acl_default_allow;
+    network.service_location_mode = match data.location_mfa_mode {
+        LocationMfaMode::Disabled => data.service_location_mode,
+        _ => {
+            warn!(
+                "Disabling service location mode for location {} because location MFA is enabled",
+                network.name
+            );
+            ServiceLocationMode::Disabled
+        }
+    };
     network.location_mfa_mode = data.location_mfa_mode;
 
     network.save(&mut *transaction).await?;
@@ -716,7 +729,8 @@ pub struct AddDeviceResult {
                         "pubkey": "pubkey",
                         "dns": "8.8.8.8",
                         "keepalive_interval": 5,
-			            "location_mfa_mode": "disabled"
+			            "location_mfa_mode": "disabled",
+                        "service_location_mode": "disabled"
                     }
                 ],
                 "device": {
diff --git a/crates/defguard_core/src/lib.rs b/crates/defguard_core/src/lib.rs
index 5e200f2725..0c4f17c3c4 100644
--- a/crates/defguard_core/src/lib.rs
+++ b/crates/defguard_core/src/lib.rs
@@ -6,7 +6,6 @@ use std::{
     sync::{Arc, LazyLock, Mutex, RwLock},
 };
 
-use crate::version::IncompatibleComponents;
 use anyhow::anyhow;
 use axum::{
     Extension, Json, Router,
@@ -89,31 +88,19 @@ use utoipa::{
 };
 use utoipa_swagger_ui::SwaggerUi;
 
-use self::handlers::wireguard::{
-    add_device, add_user_devices, create_network, create_network_token, delete_device,
-    delete_network, devices_stats, download_config, gateway_status, get_device, import_network,
-    list_devices, list_networks, list_user_devices, modify_device, modify_network, network_details,
-    network_stats, remove_gateway,
-};
-use self::handlers::worker::{
-    create_job, create_worker_token, job_status, list_workers, remove_worker,
-};
-use self::handlers::{
-    openid_clients::{
-        add_openid_client, change_openid_client, change_openid_client_state, delete_openid_client,
-        get_openid_client, list_openid_clients,
-    },
-    openid_flow::{
-        authorization, discovery_keys, openid_configuration, secure_authorization, token, userinfo,
-    },
-};
 use self::{
     appstate::AppState,
+    auth::failed_login::FailedLoginMap,
     db::{
         AppEvent, Device, GatewayEvent, User, WireguardNetwork,
-        models::wireguard::{DEFAULT_DISCONNECT_THRESHOLD, DEFAULT_KEEPALIVE_INTERVAL},
+        models::{
+            oauth2client::OAuth2Client,
+            wireguard::{DEFAULT_DISCONNECT_THRESHOLD, DEFAULT_KEEPALIVE_INTERVAL},
+        },
     },
+    grpc::{WorkerState, gateway::map::GatewayMap},
     handlers::{
+        app_info::get_app_info,
         auth::{
             authenticate, email_mfa_code, email_mfa_disable, email_mfa_enable, email_mfa_init,
             logout, mfa_disable, mfa_enable, recovery_code, request_email_mfa_code, totp_code,
@@ -126,6 +113,14 @@ use self::{
             remove_group_member,
         },
         mail::{send_support_data, test_mail},
+        openid_clients::{
+            add_openid_client, change_openid_client, change_openid_client_state,
+            delete_openid_client, get_openid_client, list_openid_clients,
+        },
+        openid_flow::{
+            authorization, discovery_keys, openid_configuration, secure_authorization, token,
+            userinfo,
+        },
         settings::{
             get_settings, get_settings_essentials, patch_settings, set_default_branding,
             test_ldap_settings, update_settings,
@@ -142,14 +137,16 @@ use self::{
         webhooks::{
             add_webhook, change_enabled, change_webhook, delete_webhook, get_webhook, list_webhooks,
         },
+        wireguard::{
+            add_device, add_user_devices, create_network, create_network_token, delete_device,
+            delete_network, devices_stats, download_config, gateway_status, get_device,
+            import_network, list_devices, list_networks, list_user_devices, modify_device,
+            modify_network, network_details, network_stats, remove_gateway,
+        },
+        worker::{create_job, create_worker_token, job_status, list_workers, remove_worker},
     },
 };
-use self::{
-    auth::failed_login::FailedLoginMap,
-    db::models::oauth2client::OAuth2Client,
-    grpc::{WorkerState, gateway::map::GatewayMap},
-    handlers::app_info::get_app_info,
-};
+use crate::{db::models::wireguard::ServiceLocationMode, version::IncompatibleComponents};
 
 pub mod appstate;
 pub mod auth;
@@ -777,6 +774,7 @@ pub async fn init_dev_env(config: &DefGuardConfig) {
             false,
             false,
             LocationMfaMode::Disabled,
+            ServiceLocationMode::Disabled,
         );
         network.pubkey = "zGMeVGm9HV9I4wSKF9AXmYnnAIhDySyqLMuKpcfIaQo=".to_string();
         network.prvkey = "MAk3d5KuB167G88HM7nGYR6ksnPMAOguAg2s5EcPp1M=".to_string();
@@ -874,6 +872,7 @@ pub async fn init_vpn_location(
                 false,
                 false,
                 LocationMfaMode::Disabled,
+                ServiceLocationMode::Disabled,
             )
             .save(&mut *transaction)
             .await?;
@@ -913,6 +912,7 @@ pub async fn init_vpn_location(
             false,
             false,
             LocationMfaMode::Disabled,
+            ServiceLocationMode::Disabled,
         )
         .save(pool)
         .await?
diff --git a/crates/defguard_core/src/support.rs b/crates/defguard_core/src/support.rs
index 753daa5c5e..e37bf4e770 100644
--- a/crates/defguard_core/src/support.rs
+++ b/crates/defguard_core/src/support.rs
@@ -1,5 +1,9 @@
 use std::{collections::HashMap, fmt::Display};
 
+use defguard_common::{
+    VERSION,
+    db::{Id, models::Settings},
+};
 use serde::Serialize;
 use serde_json::{Value, json, value::to_value};
 use sqlx::PgPool;
@@ -8,10 +12,6 @@ use crate::{
     db::{User, WireguardNetwork, models::device::WireguardNetworkDevice},
     server_config,
 };
-use defguard_common::{
-    VERSION,
-    db::{Id, models::Settings},
-};
 
 /// Unwraps the result returning a JSON representation of value or error
 fn unwrap_json<S: Serialize, D: Display>(result: Result<S, D>) -> Value {
diff --git a/crates/defguard_core/src/utility_thread.rs b/crates/defguard_core/src/utility_thread.rs
index 6533ff71c5..5a0de67b32 100644
--- a/crates/defguard_core/src/utility_thread.rs
+++ b/crates/defguard_core/src/utility_thread.rs
@@ -9,7 +9,7 @@ use tokio::{
 use tracing::Instrument;
 
 use crate::{
-    db::{GatewayEvent, WireguardNetwork},
+    db::{GatewayEvent, WireguardNetwork, models::wireguard::ServiceLocationMode},
     enterprise::{
         db::models::acl::{AclRule, RuleState},
         directory_sync::{do_directory_sync, get_directory_sync_interval},
@@ -172,25 +172,51 @@ async fn enterprise_status_check(
         if new_enterprise_enabled {
             // handle switch from disabled -> enabled
             debug!("Re-enabling gateway firewall configuration for ACL-enabled locations");
-            let mut conn = pool.acquire().await?;
+            let mut transaction = pool.begin().await?;
             for location in locations {
                 debug!("Re-enabling gateway firewall configuration for location {location:?}");
                 let firewall_config = location
-                    .try_get_firewall_config(&mut conn)
+                    .try_get_firewall_config(&mut transaction)
                     .await?
                     .expect("ACL-enabled location must have firewall config");
 
-                wireguard_tx.send(GatewayEvent::FirewallConfigChanged(
-                    location.id,
-                    firewall_config,
-                ))?;
+                // Handle service location update or just update the firewall
+                if location.service_location_mode != ServiceLocationMode::Disabled {
+                    let new_peers = location.get_peers(&mut *transaction).await?;
+                    wireguard_tx.send(GatewayEvent::NetworkModified(
+                        location.id,
+                        location,
+                        new_peers,
+                        Some(firewall_config),
+                    ))?;
+                } else {
+                    wireguard_tx.send(GatewayEvent::FirewallConfigChanged(
+                        location.id,
+                        firewall_config,
+                    ))?;
+                }
             }
+            transaction.commit().await?;
         } else {
             // handle switch from enabled -> disabled
             debug!("Disabling gateway firewall configuration for ACL-enabled locations");
             for location in locations {
-                debug!("Disabling gateway firewall configuration for location {location:?}");
-                wireguard_tx.send(GatewayEvent::FirewallDisabled(location.id))?;
+                if location.service_location_mode != ServiceLocationMode::Disabled {
+                    debug!(
+                        "Disabling gateway firewall configuration and service location client connections \
+                        for location {location:?}"
+                    );
+                    wireguard_tx.send(GatewayEvent::NetworkModified(
+                        location.id,
+                        location,
+                        // Send empty peer list, we are disabling the service location
+                        Vec::new(),
+                        None,
+                    ))?;
+                } else {
+                    debug!("Disabling gateway firewall configuration for location {location:?}");
+                    wireguard_tx.send(GatewayEvent::FirewallDisabled(location.id))?;
+                }
             }
         }
     }
diff --git a/crates/defguard_core/src/version.rs b/crates/defguard_core/src/version.rs
index 5285e2e2eb..e61142618e 100644
--- a/crates/defguard_core/src/version.rs
+++ b/crates/defguard_core/src/version.rs
@@ -5,11 +5,10 @@ use std::{
 };
 
 use chrono::{NaiveDateTime, TimeDelta, Utc};
+use defguard_version::{ComponentInfo, Version, is_version_lower};
 use serde::Serialize;
 use tonic::{Status, service::Interceptor};
 
-use defguard_version::{ComponentInfo, Version, is_version_lower};
-
 const MIN_PROXY_VERSION: Version = Version::new(1, 5, 0);
 pub const MIN_GATEWAY_VERSION: Version = Version::new(1, 5, 0);
 static OUTDATED_COMPONENT_LIFETIME: TimeDelta = TimeDelta::hours(1);
diff --git a/crates/defguard_core/src/wg_config.rs b/crates/defguard_core/src/wg_config.rs
index 2a42ea68dd..38d40c6f0c 100644
--- a/crates/defguard_core/src/wg_config.rs
+++ b/crates/defguard_core/src/wg_config.rs
@@ -11,7 +11,7 @@ use crate::{
         Device, WireguardNetwork,
         models::wireguard::{
             DEFAULT_DISCONNECT_THRESHOLD, DEFAULT_KEEPALIVE_INTERVAL, LocationMfaMode,
-            WireguardNetworkError,
+            ServiceLocationMode, WireguardNetworkError,
         },
     },
 };
@@ -112,6 +112,7 @@ pub(crate) fn parse_wireguard_config(
         false,
         false,
         LocationMfaMode::Disabled,
+        ServiceLocationMode::Disabled,
     );
     network.pubkey = pubkey;
     network.prvkey = prvkey.to_string();
@@ -170,9 +171,10 @@ pub(crate) fn parse_wireguard_config(
 
 #[cfg(test)]
 mod test {
-    use super::*;
     use defguard_common::db::NoId;
 
+    use super::*;
+
     #[test]
     fn test_parse_config() {
         let config = "
diff --git a/crates/defguard_core/src/wireguard_peer_disconnect.rs b/crates/defguard_core/src/wireguard_peer_disconnect.rs
index 537db19a30..12a5d02acb 100644
--- a/crates/defguard_core/src/wireguard_peer_disconnect.rs
+++ b/crates/defguard_core/src/wireguard_peer_disconnect.rs
@@ -27,7 +27,7 @@ use crate::{
         Device, GatewayEvent, WireguardNetwork,
         models::{
             device::{DeviceInfo, DeviceNetworkInfo, DeviceType, WireguardNetworkDevice},
-            wireguard::{LocationMfaMode, WireguardNetworkError},
+            wireguard::{LocationMfaMode, ServiceLocationMode, WireguardNetworkError},
         },
     },
     events::{InternalEvent, InternalEventContext},
@@ -97,7 +97,8 @@ pub async fn run_periodic_peer_disconnect(
             "SELECT \
                 id, name, address, port, pubkey, prvkey, endpoint, dns, allowed_ips, \
                 connected_at, keepalive_interval, peer_disconnect_threshold, \
-                acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\" \
+                acl_enabled, acl_default_allow, location_mfa_mode \"location_mfa_mode: LocationMfaMode\", \
+                service_location_mode \"service_location_mode: ServiceLocationMode\" \
             FROM wireguard_network WHERE location_mfa_mode != 'disabled'::location_mfa_mode",
         )
         .fetch_all(&pool)
diff --git a/crates/defguard_core/tests/integration/api/acl.rs b/crates/defguard_core/tests/integration/api/acl.rs
index 352c92b54b..1272d5d8d9 100644
--- a/crates/defguard_core/tests/integration/api/acl.rs
+++ b/crates/defguard_core/tests/integration/api/acl.rs
@@ -5,7 +5,10 @@ use defguard_common::{
 use defguard_core::{
     db::{
         Device, Group, User, WireguardNetwork,
-        models::{device::DeviceType, wireguard::LocationMfaMode},
+        models::{
+            device::DeviceType,
+            wireguard::{LocationMfaMode, ServiceLocationMode},
+        },
     },
     enterprise::{
         db::models::acl::{AclAlias, AclRule, AliasKind, AliasState, RuleState},
@@ -427,6 +430,7 @@ async fn test_related_objects(_: PgPoolOptions, options: PgConnectOptions) {
             false,
             false,
             LocationMfaMode::Disabled,
+            ServiceLocationMode::Disabled,
         )
         .save(&pool)
         .await
@@ -767,6 +771,7 @@ async fn test_rule_delete_state_applied(_: PgPoolOptions, options: PgConnectOpti
         false,
         false,
         LocationMfaMode::Disabled,
+        ServiceLocationMode::Disabled,
     )
     .save(&pool)
     .await
diff --git a/crates/defguard_core/tests/integration/api/auth.rs b/crates/defguard_core/tests/integration/api/auth.rs
index 272eeadc49..60d3c29e2b 100644
--- a/crates/defguard_core/tests/integration/api/auth.rs
+++ b/crates/defguard_core/tests/integration/api/auth.rs
@@ -20,12 +20,11 @@ use totp_lite::{Sha1, totp_custom};
 use webauthn_authenticator_rs::{WebauthnAuthenticator, prelude::Url, softpasskey::SoftPasskey};
 use webauthn_rs::prelude::{CreationChallengeResponse, RequestChallengeResponse};
 
-use crate::api::common::client::TestResponse;
-
 use super::common::{
     X_FORWARDED_FOR, fetch_user_details, make_client, make_client_with_db, make_test_client,
     setup_pool,
 };
+use crate::api::common::client::TestResponse;
 
 static SESSION_COOKIE_NAME: &str = "defguard_session";
 
diff --git a/crates/defguard_core/tests/integration/api/common/mod.rs b/crates/defguard_core/tests/integration/api/common/mod.rs
index 233f51f056..1c4e222445 100644
--- a/crates/defguard_core/tests/integration/api/common/mod.rs
+++ b/crates/defguard_core/tests/integration/api/common/mod.rs
@@ -181,7 +181,8 @@ pub(crate) async fn exceed_enterprise_limits(client: &TestClient) {
             "peer_disconnect_threshold": 300,
             "acl_enabled": false,
             "acl_default_allow": false,
-            "location_mfa_mode": "disabled"
+            "location_mfa_mode": "disabled",
+            "service_location_mode": "disabled"
         }))
         .send()
         .await;
@@ -201,7 +202,8 @@ pub(crate) async fn exceed_enterprise_limits(client: &TestClient) {
                 "peer_disconnect_threshold": 300,
                 "acl_enabled": false,
                 "acl_default_allow": false,
-                "location_mfa_mode": "disabled"
+                "location_mfa_mode": "disabled",
+                "service_location_mode": "disabled"
         }))
         .send()
         .await;
@@ -221,7 +223,8 @@ pub(crate) fn make_network() -> Value {
         "peer_disconnect_threshold": 300,
         "acl_enabled": false,
         "acl_default_allow": false,
-        "location_mfa_mode": "disabled"
+        "location_mfa_mode": "disabled",
+        "service_location_mode": "disabled"
     })
 }
 
diff --git a/crates/defguard_core/tests/integration/api/user.rs b/crates/defguard_core/tests/integration/api/user.rs
index 936bcb69a5..1028c6093e 100644
--- a/crates/defguard_core/tests/integration/api/user.rs
+++ b/crates/defguard_core/tests/integration/api/user.rs
@@ -11,12 +11,11 @@ use reqwest::{StatusCode, header::USER_AGENT};
 use sqlx::postgres::{PgConnectOptions, PgPoolOptions};
 use tokio_stream::{self as stream, StreamExt};
 
-use crate::api::common::{get_db_device, get_db_location, get_db_user, make_client_with_db};
-
 use super::{
     TEST_SERVER_URL,
     common::{fetch_user_details, make_client, make_network, make_test_client, setup_pool},
 };
+use crate::api::common::{get_db_device, get_db_location, get_db_user, make_client_with_db};
 
 #[sqlx::test]
 async fn test_authenticate(_: PgPoolOptions, options: PgConnectOptions) {
diff --git a/crates/defguard_core/tests/integration/api/wireguard.rs b/crates/defguard_core/tests/integration/api/wireguard.rs
index 468e2a8cbd..02d7a73f36 100644
--- a/crates/defguard_core/tests/integration/api/wireguard.rs
+++ b/crates/defguard_core/tests/integration/api/wireguard.rs
@@ -8,6 +8,7 @@ use defguard_core::{
             device::WireguardNetworkDevice,
             wireguard::{
                 DEFAULT_DISCONNECT_THRESHOLD, DEFAULT_KEEPALIVE_INTERVAL, LocationMfaMode,
+                ServiceLocationMode,
             },
         },
     },
@@ -71,6 +72,7 @@ async fn test_network(_: PgPoolOptions, options: PgConnectOptions) {
         acl_enabled: false,
         acl_default_allow: false,
         location_mfa_mode: LocationMfaMode::Disabled,
+        service_location_mode: ServiceLocationMode::Disabled,
     };
     let response = client
         .put(format!("/api/v1/network/{}", network.id))
@@ -150,6 +152,7 @@ async fn test_location_mfa_mode_validation_create(_: PgPoolOptions, options: PgC
         acl_enabled: false,
         acl_default_allow: false,
         location_mfa_mode: LocationMfaMode::External,
+        service_location_mode: ServiceLocationMode::Disabled,
     };
 
     // create network
@@ -229,6 +232,7 @@ async fn test_location_mfa_mode_validation_modify(_: PgPoolOptions, options: PgC
         acl_enabled: false,
         acl_default_allow: false,
         location_mfa_mode: LocationMfaMode::Disabled,
+        service_location_mode: ServiceLocationMode::Disabled,
     };
 
     // create network
@@ -489,7 +493,8 @@ async fn test_network_address_reassignment(_: PgPoolOptions, options: PgConnectO
         "peer_disconnect_threshold": 300,
         "acl_enabled": false,
         "acl_default_allow": false,
-        "location_mfa_mode": "disabled"
+        "location_mfa_mode": "disabled",
+        "service_location_mode": "disabled"
     });
     let response = client.post("/api/v1/network").json(&network).send().await;
     assert_eq!(response.status(), StatusCode::CREATED);
@@ -557,7 +562,8 @@ async fn test_network_address_reassignment(_: PgPoolOptions, options: PgConnectO
         "peer_disconnect_threshold": 300,
         "acl_enabled": false,
         "acl_default_allow": false,
-        "location_mfa_mode": "disabled"
+        "location_mfa_mode": "disabled",
+        "service_location_mode": "disabled"
     });
     let response = client
         .put(format!("/api/v1/network/{}", network_from_details.id))
diff --git a/crates/defguard_core/tests/integration/api/wireguard_network_allowed_groups.rs b/crates/defguard_core/tests/integration/api/wireguard_network_allowed_groups.rs
index 3a2f9e15a1..d641de589e 100644
--- a/crates/defguard_core/tests/integration/api/wireguard_network_allowed_groups.rs
+++ b/crates/defguard_core/tests/integration/api/wireguard_network_allowed_groups.rs
@@ -151,7 +151,8 @@ async fn test_create_new_network(_: PgPoolOptions, options: PgConnectOptions) {
             "peer_disconnect_threshold": 300,
             "acl_enabled": false,
             "acl_default_allow": false,
-            "location_mfa_mode": "disabled"
+            "location_mfa_mode": "disabled",
+            "service_location_mode": "disabled"
         }))
         .send()
         .await;
@@ -197,7 +198,8 @@ async fn test_modify_network(_: PgPoolOptions, options: PgConnectOptions) {
             "peer_disconnect_threshold": 300,
             "acl_enabled": false,
             "acl_default_allow": false,
-            "location_mfa_mode": "disabled"
+            "location_mfa_mode": "disabled",
+            "service_location_mode": "disabled"
         }))
         .send()
         .await;
@@ -230,7 +232,8 @@ async fn test_modify_network(_: PgPoolOptions, options: PgConnectOptions) {
             "peer_disconnect_threshold": 300,
             "acl_enabled": false,
             "acl_default_allow": false,
-            "location_mfa_mode": "disabled"
+            "location_mfa_mode": "disabled",
+            "service_location_mode": "disabled"
         }))
         .send()
         .await;
@@ -257,7 +260,8 @@ async fn test_modify_network(_: PgPoolOptions, options: PgConnectOptions) {
             "peer_disconnect_threshold": 300,
             "acl_enabled": false,
             "acl_default_allow": false,
-            "location_mfa_mode": "disabled"
+            "location_mfa_mode": "disabled",
+            "service_location_mode": "disabled"
         }))
         .send()
         .await;
@@ -285,7 +289,8 @@ async fn test_modify_network(_: PgPoolOptions, options: PgConnectOptions) {
             "peer_disconnect_threshold": 300,
             "acl_enabled": false,
             "acl_default_allow": false,
-            "location_mfa_mode": "disabled"
+            "location_mfa_mode": "disabled",
+            "service_location_mode": "disabled"
         }))
         .send()
         .await;
@@ -312,7 +317,8 @@ async fn test_modify_network(_: PgPoolOptions, options: PgConnectOptions) {
             "peer_disconnect_threshold": 300,
             "acl_enabled": false,
             "acl_default_allow": false,
-            "location_mfa_mode": "disabled"
+            "location_mfa_mode": "disabled",
+            "service_location_mode": "disabled"
         }))
         .send()
         .await;
@@ -561,7 +567,8 @@ async fn test_modify_user(_: PgPoolOptions, options: PgConnectOptions) {
             "peer_disconnect_threshold": 300,
             "acl_enabled": false,
             "acl_default_allow": false,
-            "location_mfa_mode": "disabled"
+            "location_mfa_mode": "disabled",
+            "service_location_mode": "disabled"
         }))
         .send()
         .await;
@@ -660,7 +667,8 @@ async fn test_delete_only_allowed_group(_: PgPoolOptions, options: PgConnectOpti
             "peer_disconnect_threshold": 300,
             "acl_enabled": false,
             "acl_default_allow": false,
-            "location_mfa_mode": "disabled"
+            "location_mfa_mode": "disabled",
+            "service_location_mode": "disabled"
         }))
         .send()
         .await;
diff --git a/crates/defguard_core/tests/integration/api/wireguard_network_devices.rs b/crates/defguard_core/tests/integration/api/wireguard_network_devices.rs
index f16ed592bd..225df95bb2 100644
--- a/crates/defguard_core/tests/integration/api/wireguard_network_devices.rs
+++ b/crates/defguard_core/tests/integration/api/wireguard_network_devices.rs
@@ -27,7 +27,8 @@ fn make_network() -> Value {
         "peer_disconnect_threshold": 300,
         "acl_enabled": false,
         "acl_default_allow": false,
-        "location_mfa_mode": "disabled"
+        "location_mfa_mode": "disabled",
+        "service_location_mode": "disabled"
     })
 }
 
@@ -44,7 +45,8 @@ fn make_second_network() -> Value {
         "peer_disconnect_threshold": 300,
         "acl_enabled": false,
         "acl_default_allow": false,
-        "location_mfa_mode": "disabled"
+        "location_mfa_mode": "disabled",
+        "service_location_mode": "disabled"
     })
 }
 
@@ -303,7 +305,8 @@ async fn test_device_ip_validation(_: PgPoolOptions, options: PgConnectOptions)
         "peer_disconnect_threshold": 300,
         "acl_enabled": false,
         "acl_default_allow": false,
-        "location_mfa_mode": "disabled"
+        "location_mfa_mode": "disabled",
+        "service_location_mode": "disabled"
     });
     let response = client.post("/api/v1/network").json(&location).send().await;
     assert_eq!(response.status(), StatusCode::CREATED);
diff --git a/crates/defguard_core/tests/integration/api/wireguard_network_import.rs b/crates/defguard_core/tests/integration/api/wireguard_network_import.rs
index aad4c8d62c..9db3ce63eb 100644
--- a/crates/defguard_core/tests/integration/api/wireguard_network_import.rs
+++ b/crates/defguard_core/tests/integration/api/wireguard_network_import.rs
@@ -7,6 +7,7 @@ use defguard_core::{
             device::{DeviceType, UserDevice},
             wireguard::{
                 DEFAULT_DISCONNECT_THRESHOLD, DEFAULT_KEEPALIVE_INTERVAL, LocationMfaMode,
+                ServiceLocationMode,
             },
         },
     },
@@ -62,6 +63,7 @@ async fn test_config_import(_: PgPoolOptions, options: PgConnectOptions) {
         false,
         false,
         LocationMfaMode::Disabled,
+        ServiceLocationMode::Disabled,
     );
     initial_network.save(&pool).await.unwrap();
 
diff --git a/crates/defguard_core/tests/integration/grpc/gateway.rs b/crates/defguard_core/tests/integration/grpc/gateway.rs
index 8be4c88c31..3f35c2007c 100644
--- a/crates/defguard_core/tests/integration/grpc/gateway.rs
+++ b/crates/defguard_core/tests/integration/grpc/gateway.rs
@@ -10,7 +10,8 @@ use defguard_core::{
     db::{
         Device, User, WireguardNetwork,
         models::{
-            device::DeviceType, wireguard::LocationMfaMode,
+            device::DeviceType,
+            wireguard::{LocationMfaMode, ServiceLocationMode},
             wireguard_peer_stats::WireguardPeerStats,
         },
     },
@@ -50,6 +51,7 @@ async fn setup_test_server(
         false,
         false,
         LocationMfaMode::Disabled,
+        ServiceLocationMode::Disabled,
     )
     .save(&pool)
     .await
@@ -399,6 +401,7 @@ async fn test_gateway_update_routing(_: PgPoolOptions, options: PgConnectOptions
         false,
         false,
         LocationMfaMode::Disabled,
+        ServiceLocationMode::Disabled,
     )
     .save(&pool)
     .await
@@ -520,6 +523,7 @@ async fn test_gateway_config(_: PgPoolOptions, options: PgConnectOptions) {
         false,
         false,
         LocationMfaMode::Disabled,
+        ServiceLocationMode::Disabled,
     )
     .save(&pool)
     .await
diff --git a/crates/defguard_proto/src/lib.rs b/crates/defguard_proto/src/lib.rs
index b7a38faaaf..0313436669 100644
--- a/crates/defguard_proto/src/lib.rs
+++ b/crates/defguard_proto/src/lib.rs
@@ -29,11 +29,11 @@ impl fmt::Display for MfaMethod {
             f,
             "{}",
             match self {
-                MfaMethod::Totp => "TOTP",
-                MfaMethod::Email => "Email",
-                MfaMethod::Oidc => "OIDC",
-                MfaMethod::Biometric => "Biometric",
-                MfaMethod::MobileApprove => "MobileApprove",
+                Self::Totp => "TOTP",
+                Self::Email => "Email",
+                Self::Oidc => "OIDC",
+                Self::Biometric => "Biometric",
+                Self::MobileApprove => "MobileApprove",
             }
         )
     }
@@ -45,11 +45,11 @@ impl Serialize for MfaMethod {
         S: serde::Serializer,
     {
         match *self {
-            MfaMethod::Totp => serializer.serialize_unit_variant("MfaMethod", 0, "Totp"),
-            MfaMethod::Email => serializer.serialize_unit_variant("MfaMethod", 1, "Email"),
-            MfaMethod::Oidc => serializer.serialize_unit_variant("MfaMethod", 2, "Oidc"),
-            MfaMethod::Biometric => serializer.serialize_unit_variant("MfaMethod", 3, "Biometric"),
-            MfaMethod::MobileApprove => {
+            Self::Totp => serializer.serialize_unit_variant("MfaMethod", 0, "Totp"),
+            Self::Email => serializer.serialize_unit_variant("MfaMethod", 1, "Email"),
+            Self::Oidc => serializer.serialize_unit_variant("MfaMethod", 2, "Oidc"),
+            Self::Biometric => serializer.serialize_unit_variant("MfaMethod", 3, "Biometric"),
+            Self::MobileApprove => {
                 serializer.serialize_unit_variant("MfaMethod", 4, "MobileApprove")
             }
         }
diff --git a/crates/defguard_version/src/lib.rs b/crates/defguard_version/src/lib.rs
index 18c19a1339..05f177b24f 100644
--- a/crates/defguard_version/src/lib.rs
+++ b/crates/defguard_version/src/lib.rs
@@ -103,9 +103,9 @@ impl FromStr for DefguardComponent {
 
     fn from_str(s: &str) -> Result<Self, Self::Err> {
         match s.to_lowercase().as_str() {
-            "core" => Ok(DefguardComponent::Core),
-            "proxy" => Ok(DefguardComponent::Proxy),
-            "gateway" => Ok(DefguardComponent::Gateway),
+            "core" => Ok(Self::Core),
+            "proxy" => Ok(Self::Proxy),
+            "gateway" => Ok(Self::Gateway),
             _ => Err(Self::Err::InvalidDefguardComponent(s.to_string())),
         }
     }
@@ -217,7 +217,7 @@ pub struct ComponentInfo {
 }
 
 impl ComponentInfo {
-    /// Creates a new ComponentInfo with the provided version and automatically detects
+    /// Creates a new `ComponentInfo` with the provided version and automatically detects
     /// the current system information.
     ///
     /// # Arguments
diff --git a/crates/defguard_version/src/tracing.rs b/crates/defguard_version/src/tracing.rs
index c81793499b..bcf33fecdf 100644
--- a/crates/defguard_version/src/tracing.rs
+++ b/crates/defguard_version/src/tracing.rs
@@ -209,8 +209,8 @@ pub fn build_version_suffix(
 /// Custom tracing formatter that conditionally includes version information in log messages.
 ///
 /// This formatter wraps the default tracing formatter and adds version suffix to log messages:
-/// - For ERROR level logs: includes own_version, own_info and components version and info
-/// - For other levels: includes only own_version and component version if available
+/// - For ERROR level logs: includes `own_version`, `own_info` and components version and info
+/// - For other levels: includes only `own_version` and component version if available
 ///
 /// The version information is extracted from tracing span fields.
 pub struct VersionSuffixFormat {
diff --git a/deny.toml b/deny.toml
index d26808d382..b40c3db21b 100644
--- a/deny.toml
+++ b/deny.toml
@@ -71,7 +71,13 @@ feature-depth = 1
 # output a note when they are encountered.
 ignore = [
     { id = "RUSTSEC-2023-0071", reason = "https://github.com/RustCrypto/RSA/issues/19" },
-    { id = "RUSTSEC-2024-0436", reason = "Unmaintained" },
+    { id = "RUSTSEC-2024-0436", reason = "Unmaintained dependency of tera" },
+    { id = "RUSTSEC-2025-0098", reason = "Unmaintained dependency of tera" },
+    { id = "RUSTSEC-2025-0104", reason = "Unmaintained dependency of tera" },
+    { id = "RUSTSEC-2025-0074", reason = "Unmaintained dependency of tera" },
+    { id = "RUSTSEC-2025-0080", reason = "Unmaintained dependency of tera" },
+    { id = "RUSTSEC-2025-0075", reason = "Unmaintained dependency of tera" },
+    { id = "RUSTSEC-2025-0081", reason = "Unmaintained dependency of tera" },
 ]
 # If this is true, then cargo deny will use the git executable to fetch advisory database.
 # If this is false, then it uses a built-in git library.
diff --git a/migrations/20251015080719_service_locations.down.sql b/migrations/20251015080719_service_locations.down.sql
new file mode 100644
index 0000000000..2cc3003aa7
--- /dev/null
+++ b/migrations/20251015080719_service_locations.down.sql
@@ -0,0 +1,2 @@
+ALTER TABLE wireguard_network DROP COLUMN "service_location_mode";
+DROP TYPE service_location_mode;
diff --git a/migrations/20251015080719_service_locations.up.sql b/migrations/20251015080719_service_locations.up.sql
new file mode 100644
index 0000000000..4347d98b12
--- /dev/null
+++ b/migrations/20251015080719_service_locations.up.sql
@@ -0,0 +1,7 @@
+CREATE TYPE service_location_mode AS ENUM (
+    'disabled',
+    'prelogon',
+    'alwayson'
+);
+
+ALTER TABLE wireguard_network ADD COLUMN "service_location_mode" service_location_mode NOT NULL DEFAULT 'disabled';
diff --git a/proto b/proto
index 883487df67..fee706013b 160000
--- a/proto
+++ b/proto
@@ -1 +1 @@
-Subproject commit 883487df67d90fd14fae900737cd8b5ea6c10de3
+Subproject commit fee706013b3bb5452c3c4dbf35bd973d0637ff25
diff --git a/web/src/i18n/en/index.ts b/web/src/i18n/en/index.ts
index b8a7a44721..76f8484653 100644
--- a/web/src/i18n/en/index.ts
+++ b/web/src/i18n/en/index.ts
@@ -1162,6 +1162,14 @@ Licensing information: [https://docs.defguard.net/enterprise/license](https://do
         external: 'External MFA',
       },
     },
+    serviceLocationModeSelect: {
+      label: 'Service Location Mode',
+      options: {
+        disabled: 'Disabled',
+        prelogon: 'Pre-logon',
+        alwayson: 'Always-on',
+      },
+    },
   },
   settingsPage: {
     title: 'Settings',
@@ -2030,6 +2038,17 @@ Licensing information: [https://docs.defguard.net/enterprise/license](https://do
             "Internal MFA - MFA is enforced using Defguard's built-in MFA (e.g. TOTP, WebAuthn) with internal identity",
           external:
             'External MFA - If configured (see [OpenID settings](settings)) this option uses external identity provider for MFA',
+          serviceLocationWarning:
+            "Location MFA can't be used when service location mode is enabled.",
+        },
+        serviceLocation: {
+          description:
+            'Choose if this location should work as a service location. This feature is currently not supported on every platform. Consult our [documentation](https://docs.defguard.net/features/service-locations) for more details.',
+          preLogon:
+            'Pre-logon - A VPN connection to this location will be active only before the user logs in on their device. When the user completes the login, the VPN connection will be terminated.',
+          alwaysOn:
+            'Always-on - A VPN connection will always be active when the user device is on.',
+          mfaWarning: "Service locations can't be used while location MFA is enabled.",
         },
       },
       sections: {
@@ -2039,6 +2058,9 @@ Licensing information: [https://docs.defguard.net/enterprise/license](https://do
         mfa: {
           header: 'Multi-Factor Authentication',
         },
+        serviceLocation: {
+          header: 'Service location',
+        },
       },
       messages: {
         networkModified: 'Location modified.',
@@ -2082,6 +2104,9 @@ Licensing information: [https://docs.defguard.net/enterprise/license](https://do
         location_mfa_mode: {
           label: 'MFA requirement',
         },
+        service_location_mode: {
+          label: 'Service location mode',
+        },
       },
       controls: {
         submit: 'Save changes',
diff --git a/web/src/i18n/i18n-types.ts b/web/src/i18n/i18n-types.ts
index 2bd9e20581..e934c44085 100644
--- a/web/src/i18n/i18n-types.ts
+++ b/web/src/i18n/i18n-types.ts
@@ -2851,6 +2851,26 @@ type RootTranslation = {
 				external: string
 			}
 		}
+		serviceLocationModeSelect: {
+			/**
+			 * S​e​r​v​i​c​e​ ​L​o​c​a​t​i​o​n​ ​M​o​d​e
+			 */
+			label: string
+			options: {
+				/**
+				 * D​i​s​a​b​l​e​d
+				 */
+				disabled: string
+				/**
+				 * P​r​e​-​l​o​g​o​n
+				 */
+				prelogon: string
+				/**
+				 * A​l​w​a​y​s​-​o​n
+				 */
+				alwayson: string
+			}
+		}
 	}
 	settingsPage: {
 		/**
@@ -4871,6 +4891,28 @@ type RootTranslation = {
 					 * E​x​t​e​r​n​a​l​ ​M​F​A​ ​-​ ​I​f​ ​c​o​n​f​i​g​u​r​e​d​ ​(​s​e​e​ ​[​O​p​e​n​I​D​ ​s​e​t​t​i​n​g​s​]​(​s​e​t​t​i​n​g​s​)​)​ ​t​h​i​s​ ​o​p​t​i​o​n​ ​u​s​e​s​ ​e​x​t​e​r​n​a​l​ ​i​d​e​n​t​i​t​y​ ​p​r​o​v​i​d​e​r​ ​f​o​r​ ​M​F​A
 					 */
 					external: string
+					/**
+					 * L​o​c​a​t​i​o​n​ ​M​F​A​ ​c​a​n​'​t​ ​b​e​ ​u​s​e​d​ ​w​h​e​n​ ​s​e​r​v​i​c​e​ ​l​o​c​a​t​i​o​n​ ​m​o​d​e​ ​i​s​ ​e​n​a​b​l​e​d​.
+					 */
+					serviceLocationWarning: string
+				}
+				serviceLocation: {
+					/**
+					 * C​h​o​o​s​e​ ​i​f​ ​t​h​i​s​ ​l​o​c​a​t​i​o​n​ ​s​h​o​u​l​d​ ​w​o​r​k​ ​a​s​ ​a​ ​s​e​r​v​i​c​e​ ​l​o​c​a​t​i​o​n​.​ ​T​h​i​s​ ​f​e​a​t​u​r​e​ ​i​s​ ​c​u​r​r​e​n​t​l​y​ ​n​o​t​ ​s​u​p​p​o​r​t​e​d​ ​o​n​ ​e​v​e​r​y​ ​p​l​a​t​f​o​r​m​.​ ​C​o​n​s​u​l​t​ ​o​u​r​ ​[​d​o​c​u​m​e​n​t​a​t​i​o​n​]​(​h​t​t​p​s​:​/​/​d​o​c​s​.​d​e​f​g​u​a​r​d​.​n​e​t​/​f​e​a​t​u​r​e​s​/​s​e​r​v​i​c​e​-​l​o​c​a​t​i​o​n​s​)​ ​f​o​r​ ​m​o​r​e​ ​d​e​t​a​i​l​s​.
+					 */
+					description: string
+					/**
+					 * P​r​e​-​l​o​g​o​n​ ​-​ ​A​ ​V​P​N​ ​c​o​n​n​e​c​t​i​o​n​ ​t​o​ ​t​h​i​s​ ​l​o​c​a​t​i​o​n​ ​w​i​l​l​ ​b​e​ ​a​c​t​i​v​e​ ​o​n​l​y​ ​b​e​f​o​r​e​ ​t​h​e​ ​u​s​e​r​ ​l​o​g​s​ ​i​n​ ​o​n​ ​t​h​e​i​r​ ​d​e​v​i​c​e​.​ ​W​h​e​n​ ​t​h​e​ ​u​s​e​r​ ​c​o​m​p​l​e​t​e​s​ ​t​h​e​ ​l​o​g​i​n​,​ ​t​h​e​ ​V​P​N​ ​c​o​n​n​e​c​t​i​o​n​ ​w​i​l​l​ ​b​e​ ​t​e​r​m​i​n​a​t​e​d​.
+					 */
+					preLogon: string
+					/**
+					 * A​l​w​a​y​s​-​o​n​ ​-​ ​A​ ​V​P​N​ ​c​o​n​n​e​c​t​i​o​n​ ​w​i​l​l​ ​a​l​w​a​y​s​ ​b​e​ ​a​c​t​i​v​e​ ​w​h​e​n​ ​t​h​e​ ​u​s​e​r​ ​d​e​v​i​c​e​ ​i​s​ ​o​n​.
+					 */
+					alwaysOn: string
+					/**
+					 * S​e​r​v​i​c​e​ ​l​o​c​a​t​i​o​n​s​ ​c​a​n​'​t​ ​b​e​ ​u​s​e​d​ ​w​h​i​l​e​ ​l​o​c​a​t​i​o​n​ ​M​F​A​ ​i​s​ ​e​n​a​b​l​e​d​.
+					 */
+					mfaWarning: string
 				}
 			}
 			sections: {
@@ -4886,6 +4928,12 @@ type RootTranslation = {
 					 */
 					header: string
 				}
+				serviceLocation: {
+					/**
+					 * S​e​r​v​i​c​e​ ​l​o​c​a​t​i​o​n
+					 */
+					header: string
+				}
 			}
 			messages: {
 				/**
@@ -4974,6 +5022,12 @@ type RootTranslation = {
 					 */
 					label: string
 				}
+				service_location_mode: {
+					/**
+					 * S​e​r​v​i​c​e​ ​l​o​c​a​t​i​o​n​ ​m​o​d​e
+					 */
+					label: string
+				}
 			}
 			controls: {
 				/**
@@ -9525,6 +9579,26 @@ export type TranslationFunctions = {
 				external: () => LocalizedString
 			}
 		}
+		serviceLocationModeSelect: {
+			/**
+			 * Service Location Mode
+			 */
+			label: () => LocalizedString
+			options: {
+				/**
+				 * Disabled
+				 */
+				disabled: () => LocalizedString
+				/**
+				 * Pre-logon
+				 */
+				prelogon: () => LocalizedString
+				/**
+				 * Always-on
+				 */
+				alwayson: () => LocalizedString
+			}
+		}
 	}
 	settingsPage: {
 		/**
@@ -11526,6 +11600,28 @@ export type TranslationFunctions = {
 					 * External MFA - If configured (see [OpenID settings](settings)) this option uses external identity provider for MFA
 					 */
 					external: () => LocalizedString
+					/**
+					 * Location MFA can't be used when service location mode is enabled.
+					 */
+					serviceLocationWarning: () => LocalizedString
+				}
+				serviceLocation: {
+					/**
+					 * Choose if this location should work as a service location. This feature is currently not supported on every platform. Consult our [documentation](https://docs.defguard.net/features/service-locations) for more details.
+					 */
+					description: () => LocalizedString
+					/**
+					 * Pre-logon - A VPN connection to this location will be active only before the user logs in on their device. When the user completes the login, the VPN connection will be terminated.
+					 */
+					preLogon: () => LocalizedString
+					/**
+					 * Always-on - A VPN connection will always be active when the user device is on.
+					 */
+					alwaysOn: () => LocalizedString
+					/**
+					 * Service locations can't be used while location MFA is enabled.
+					 */
+					mfaWarning: () => LocalizedString
 				}
 			}
 			sections: {
@@ -11541,6 +11637,12 @@ export type TranslationFunctions = {
 					 */
 					header: () => LocalizedString
 				}
+				serviceLocation: {
+					/**
+					 * Service location
+					 */
+					header: () => LocalizedString
+				}
 			}
 			messages: {
 				/**
@@ -11629,6 +11731,12 @@ export type TranslationFunctions = {
 					 */
 					label: () => LocalizedString
 				}
+				service_location_mode: {
+					/**
+					 * Service location mode
+					 */
+					label: () => LocalizedString
+				}
 			}
 			controls: {
 				/**
diff --git a/web/src/i18n/pl/index.ts b/web/src/i18n/pl/index.ts
index 588a4a60e7..6525901519 100644
--- a/web/src/i18n/pl/index.ts
+++ b/web/src/i18n/pl/index.ts
@@ -1032,6 +1032,22 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
         contact: 'poprzez kontakt:',
       },
     },
+    locationMfaModeSelect: {
+      label: 'Wymaganie MFA',
+      options: {
+        disabled: 'Nie wymuszaj MFA',
+        internal: 'Wewnętrzne MFA',
+        external: 'Zewnętrzne MFA',
+      },
+    },
+    serviceLocationModeSelect: {
+      label: 'Tryb lokalizacji usługi',
+      options: {
+        disabled: 'Wyłączone',
+        prelogon: 'Pre-logon',
+        alwayson: 'Always-on',
+      },
+    },
   },
   settingsPage: {
     title: 'Ustawienia',
@@ -1784,11 +1800,46 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
         allowedIps: 'Lista adresów/masek, które powinny być routowane przez sieć VPN.',
         allowedGroups:
           'Domyślnie wszyscy użytkownicy będą mogli połączyć się z tą lokalizacją. Jeżeli chcesz ogranicznyć dostęp do tej lokalizacji do wybranej grupy użytkowników, wybierz ją poniżej.',
+        aclFeatureDisabled:
+          'Funkcjonalność ACL jest funkcją enterprise i przekroczyłeś limity użytkowników, urządzeń lub sieciź. Aby korzystać z tej funkcji, kup licencję enterprise lub zaktualizuj istniejącą.',
+        peerDisconnectThreshold:
+          'Klienci autoryzowani za pomocą MFA zostaną rozłączeni z lokalizacji, gdy nie zostanie wykryta żadna aktywność sieciowa między nimi a bramą VPN przez czas skonfigurowany poniżej.',
+        locationMfaMode: {
+          description:
+            'Wybierz, w jaki sposób wymuszane jest MFA podczas łączenia się z tą lokalizacją:',
+          internal:
+            'Wewnętrzne MFA - MFA jest wymuszane przy użyciu wbudowanego MFA Defguard (np. TOTP, WebAuthn) z wewnętrzną tożsamością',
+          external:
+            'Zewnętrzne MFA - Jeśli skonfigurowane (zobacz [ustawienia OpenID](settings)), ta opcja używa zewnętrznego dostawcy tożsamości do MFA',
+          serviceLocationWarning:
+            'Nie można używać MFA lokalizacji, gdy włączony jest tryb lokalizacji serwisowej.',
+        },
+        serviceLocation: {
+          description:
+            'Wybierz, czy ta lokalizacja ma działać jako lokalizacja serwisowa. Ta funkcja nie jest obecnie obsługiwana na każdej platformie. Zapoznaj się z naszą [dokumentacją](https://docs.defguard.net/features/service-locations), aby uzyskać więcej szczegółów.',
+          preLogon:
+            'Pre-logon - Połączenie VPN z tą lokalizacją będzie aktywne tylko przed zalogowaniem użytkownika na jego urządzeniu. Połączenie VPN zostanie zakończone po zalogowaniu się użytkownika.',
+          alwaysOn:
+            'Always-on - Połączenie VPN będzie zawsze aktywne, gdy urządzenie użytkownika jest włączone.',
+          mfaWarning:
+            'Nie można używać lokalizacji serwisowej, gdy włączone jest MFA lokalizacji.',
+        },
       },
       messages: {
         networkModified: 'Lokalizacja zmodyfikowana',
         networkCreated: 'Lokalizacja utworzona',
       },
+      sections: {
+        accessControl: {
+          header: 'Kontrola dostępu i firewall',
+        },
+        mfa: {
+          header: 'Uwierzytelnianie wieloskładnikowe',
+        },
+        serviceLocation: {
+          header: 'Lokalizacja serwisowa',
+        },
+      },
       fields: {
         name: {
           label: 'Nazwa lokalizacji',
@@ -1827,6 +1878,12 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
         acl_default_allow: {
           label: 'Domyślna polityka ACL',
         },
+        location_mfa_mode: {
+          label: 'Tryb MFA lokalizacji',
+        },
+        service_location_mode: {
+          label: 'Tryb lokalizacji serwisowej',
+        },
       },
       controls: {
         submit: 'Zapisz zmiany',
diff --git a/web/src/pages/network/NetworkEditForm/NetworkEditForm.tsx b/web/src/pages/network/NetworkEditForm/NetworkEditForm.tsx
index f73bcecd00..772c97a2a1 100644
--- a/web/src/pages/network/NetworkEditForm/NetworkEditForm.tsx
+++ b/web/src/pages/network/NetworkEditForm/NetworkEditForm.tsx
@@ -12,6 +12,7 @@ import { shallow } from 'zustand/shallow';
 import { useI18nContext } from '../../../i18n/i18n-react';
 import { FormAclDefaultPolicy } from '../../../shared/components/Form/FormAclDefaultPolicySelect/FormAclDefaultPolicy.tsx';
 import { FormLocationMfaModeSelect } from '../../../shared/components/Form/FormLocationMfaModeSelect/FormLocationMfaModeSelect.tsx';
+import { FormServiceLocationModeSelect } from '../../../shared/components/Form/FormServiceLocationModeSelect/FormServiceLocationModeSelect.tsx';
 import { RenderMarkdown } from '../../../shared/components/Layout/RenderMarkdown/RenderMarkdown.tsx';
 import { FormCheckBox } from '../../../shared/defguard-ui/components/Form/FormCheckBox/FormCheckBox.tsx';
 import { FormInput } from '../../../shared/defguard-ui/components/Form/FormInput/FormInput';
@@ -23,7 +24,11 @@ import { useAppStore } from '../../../shared/hooks/store/useAppStore.ts';
 import useApi from '../../../shared/hooks/useApi';
 import { useToaster } from '../../../shared/hooks/useToaster';
 import { QueryKeys } from '../../../shared/queries';
-import { LocationMfaMode, type Network } from '../../../shared/types';
+import {
+  LocationMfaMode,
+  type Network,
+  ServiceLocationMode,
+} from '../../../shared/types';
 import { titleCase } from '../../../shared/utils/titleCase';
 import { trimObjectStrings } from '../../../shared/utils/trimObjectStrings.ts';
 import {
@@ -161,6 +166,7 @@ export const NetworkEditForm = () => {
         acl_enabled: z.boolean(),
         acl_default_allow: z.boolean(),
         location_mfa_mode: z.nativeEnum(LocationMfaMode),
+        service_location_mode: z.nativeEnum(ServiceLocationMode),
       }),
     [LL.form.error],
   );
@@ -181,6 +187,7 @@ export const NetworkEditForm = () => {
       acl_enabled: false,
       acl_default_allow: false,
       location_mfa_mode: LocationMfaMode.DISABLED,
+      service_location_mode: ServiceLocationMode.DISABLED,
     }),
     [],
   );
@@ -237,7 +244,7 @@ export const NetworkEditForm = () => {
     return defaultValues;
   }, [defaultValues, networkToForm, networks, selectedNetworkId]);
 
-  const { control, handleSubmit, reset } = useForm<FormFields>({
+  const { control, handleSubmit, reset, setValue } = useForm<FormFields>({
     defaultValues: defaultFormValues,
     resolver: zodResolver(zodSchema),
     mode: 'all',
@@ -257,6 +264,25 @@ export const NetworkEditForm = () => {
     () => locationMfaMode === LocationMfaMode.DISABLED,
     [locationMfaMode],
   );
+  const serviceLocationMode = useWatch({
+    control,
+    name: 'service_location_mode',
+    defaultValue: defaultFormValues.service_location_mode,
+  });
+  const serviceLocationEnabled = useMemo(
+    () => serviceLocationMode !== ServiceLocationMode.DISABLED,
+    [serviceLocationMode],
+  );
+
+  useEffect(() => {
+    if (!mfaDisabled && serviceLocationMode !== ServiceLocationMode.DISABLED) {
+      setValue('service_location_mode', ServiceLocationMode.DISABLED, {
+        shouldDirty: true,
+        shouldTouch: true,
+        shouldValidate: true,
+      });
+    }
+  }, [mfaDisabled, serviceLocationMode, setValue]);
 
   const onValidSubmit: SubmitHandler<FormFields> = (values) => {
     if (selectedNetworkId) {
@@ -387,7 +413,17 @@ export const NetworkEditForm = () => {
             </li>
           </ul>
         </MessageBox>
-        <FormLocationMfaModeSelect controller={{ control, name: 'location_mfa_mode' }} />
+        {serviceLocationEnabled && (
+          <MessageBox type={MessageBoxType.WARNING}>
+            <p>
+              {LL.networkConfiguration.form.helpers.locationMfaMode.serviceLocationWarning()}
+            </p>
+          </MessageBox>
+        )}
+        <FormLocationMfaModeSelect
+          controller={{ control, name: 'location_mfa_mode' }}
+          disabled={serviceLocationEnabled}
+        />
         <MessageBox>
           <p>{LL.networkConfiguration.form.helpers.peerDisconnectThreshold()}</p>
         </MessageBox>
@@ -397,6 +433,31 @@ export const NetworkEditForm = () => {
           type="number"
           disabled={mfaDisabled}
         />
+        <DividerHeader
+          text={LL.networkConfiguration.form.sections.serviceLocation.header()}
+        />
+        <MessageBox id="service-location-mode-explain-message-box">
+          <RenderMarkdown
+            content={LL.networkConfiguration.form.helpers.serviceLocation.description()}
+          />
+          <ul>
+            <li>
+              <p>{LL.networkConfiguration.form.helpers.serviceLocation.preLogon()}</p>
+            </li>
+            <li>
+              <p>{LL.networkConfiguration.form.helpers.serviceLocation.alwaysOn()}</p>
+            </li>
+          </ul>
+        </MessageBox>
+        {!mfaDisabled && (
+          <MessageBox type={MessageBoxType.WARNING}>
+            <p>{LL.networkConfiguration.form.helpers.serviceLocation.mfaWarning()}</p>
+          </MessageBox>
+        )}
+        <FormServiceLocationModeSelect
+          controller={{ control, name: 'service_location_mode' }}
+          disabled={!mfaDisabled}
+        />
         <button type="submit" className="hidden" ref={submitRef}></button>
       </form>
     </section>
diff --git a/web/src/pages/network/NetworkEditForm/style.scss b/web/src/pages/network/NetworkEditForm/style.scss
index c8840e9d88..b66171214d 100644
--- a/web/src/pages/network/NetworkEditForm/style.scss
+++ b/web/src/pages/network/NetworkEditForm/style.scss
@@ -43,6 +43,19 @@
     }
   }
 
+  #service-location-mode-explain-message-box {
+    ul {
+      list-style-position: inside;
+      margin-top: 8px;
+
+      li {
+        p {
+          display: inline;
+        }
+      }
+    }
+  }
+
   .divider-header {
     padding-bottom: var(--spacing-s);
 
diff --git a/web/src/pages/wizard/components/WizardNetworkConfiguration/WizardNetworkConfiguration.tsx b/web/src/pages/wizard/components/WizardNetworkConfiguration/WizardNetworkConfiguration.tsx
index 77aa53abad..8d416e221e 100644
--- a/web/src/pages/wizard/components/WizardNetworkConfiguration/WizardNetworkConfiguration.tsx
+++ b/web/src/pages/wizard/components/WizardNetworkConfiguration/WizardNetworkConfiguration.tsx
@@ -10,6 +10,7 @@ import { shallow } from 'zustand/shallow';
 import { useI18nContext } from '../../../../i18n/i18n-react';
 import { FormAclDefaultPolicy } from '../../../../shared/components/Form/FormAclDefaultPolicySelect/FormAclDefaultPolicy.tsx';
 import { FormLocationMfaModeSelect } from '../../../../shared/components/Form/FormLocationMfaModeSelect/FormLocationMfaModeSelect.tsx';
+import { FormServiceLocationModeSelect } from '../../../../shared/components/Form/FormServiceLocationModeSelect/FormServiceLocationModeSelect.tsx';
 import { RenderMarkdown } from '../../../../shared/components/Layout/RenderMarkdown/RenderMarkdown.tsx';
 import { FormCheckBox } from '../../../../shared/defguard-ui/components/Form/FormCheckBox/FormCheckBox.tsx';
 import { FormInput } from '../../../../shared/defguard-ui/components/Form/FormInput/FormInput';
@@ -22,7 +23,7 @@ import { useAppStore } from '../../../../shared/hooks/store/useAppStore.ts';
 import useApi from '../../../../shared/hooks/useApi';
 import { useToaster } from '../../../../shared/hooks/useToaster';
 import { QueryKeys } from '../../../../shared/queries';
-import { LocationMfaMode } from '../../../../shared/types.ts';
+import { LocationMfaMode, ServiceLocationMode } from '../../../../shared/types.ts';
 import { titleCase } from '../../../../shared/utils/titleCase';
 import { trimObjectStrings } from '../../../../shared/utils/trimObjectStrings.ts';
 import {
@@ -149,6 +150,7 @@ export const WizardNetworkConfiguration = () => {
         acl_enabled: z.boolean(),
         acl_default_allow: z.boolean(),
         location_mfa_mode: z.nativeEnum(LocationMfaMode),
+        service_location_mode: z.nativeEnum(ServiceLocationMode),
       }),
     [LL.form.error],
   );
@@ -179,6 +181,15 @@ export const WizardNetworkConfiguration = () => {
     () => locationMfaMode === LocationMfaMode.DISABLED,
     [locationMfaMode],
   );
+  const serviceLocationMode = useWatch({
+    control,
+    name: 'service_location_mode',
+    defaultValue: getDefaultValues.service_location_mode,
+  });
+  const serviceLocationEnabled = useMemo(
+    () => serviceLocationMode !== ServiceLocationMode.DISABLED,
+    [serviceLocationMode],
+  );
 
   const handleValidSubmit: SubmitHandler<FormInputs> = (values) => {
     const trimmed = trimObjectStrings(values);
@@ -290,7 +301,17 @@ export const WizardNetworkConfiguration = () => {
             </li>
           </ul>
         </MessageBox>
-        <FormLocationMfaModeSelect controller={{ control, name: 'location_mfa_mode' }} />
+        {serviceLocationEnabled && (
+          <MessageBox type={MessageBoxType.WARNING}>
+            <p>
+              {LL.networkConfiguration.form.helpers.locationMfaMode.serviceLocationWarning()}
+            </p>
+          </MessageBox>
+        )}
+        <FormLocationMfaModeSelect
+          controller={{ control, name: 'location_mfa_mode' }}
+          disabled={serviceLocationEnabled}
+        />
         <MessageBox>
           <p>{LL.networkConfiguration.form.helpers.peerDisconnectThreshold()}</p>
         </MessageBox>
@@ -300,6 +321,15 @@ export const WizardNetworkConfiguration = () => {
           type="number"
           disabled={mfaDisabled}
         />
+        {!mfaDisabled && (
+          <MessageBox type={MessageBoxType.WARNING}>
+            <p>{LL.networkConfiguration.form.helpers.serviceLocation.mfaWarning()}</p>
+          </MessageBox>
+        )}
+        <FormServiceLocationModeSelect
+          controller={{ control, name: 'service_location_mode' }}
+          disabled={!mfaDisabled}
+        />
         <input type="submit" className="visually-hidden" ref={submitRef} />
       </form>
     </Card>
diff --git a/web/src/pages/wizard/hooks/useWizardStore.ts b/web/src/pages/wizard/hooks/useWizardStore.ts
index 0206902238..944f9b48f0 100644
--- a/web/src/pages/wizard/hooks/useWizardStore.ts
+++ b/web/src/pages/wizard/hooks/useWizardStore.ts
@@ -7,6 +7,7 @@ import {
   type ImportedDevice,
   LocationMfaMode,
   type Network,
+  ServiceLocationMode,
 } from '../../../shared/types';
 
 export enum WizardSetupType {
@@ -34,6 +35,7 @@ const defaultValues: StoreFields = {
     acl_enabled: false,
     acl_default_allow: false,
     location_mfa_mode: LocationMfaMode.DISABLED,
+    service_location_mode: ServiceLocationMode.DISABLED,
   },
 };
 
@@ -90,6 +92,7 @@ type StoreFields = {
     acl_enabled: boolean;
     acl_default_allow: boolean;
     location_mfa_mode: LocationMfaMode;
+    service_location_mode: ServiceLocationMode;
   };
 };
 
diff --git a/web/src/shared/components/Form/FormLocationMfaModeSelect/FormLocationMfaModeSelect.tsx b/web/src/shared/components/Form/FormLocationMfaModeSelect/FormLocationMfaModeSelect.tsx
index 0c87aae1c7..23e89e11c0 100644
--- a/web/src/shared/components/Form/FormLocationMfaModeSelect/FormLocationMfaModeSelect.tsx
+++ b/web/src/shared/components/Form/FormLocationMfaModeSelect/FormLocationMfaModeSelect.tsx
@@ -14,10 +14,12 @@ import { LocationMfaMode } from '../../../types';
 
 type Props<T extends FieldValues> = {
   controller: UseControllerProps<T>;
+  disabled?: boolean;
 };
 
 export const FormLocationMfaModeSelect = <T extends FieldValues>({
   controller,
+  disabled = false,
 }: Props<T>) => {
   const { LL } = useI18nContext();
   const {
@@ -38,12 +40,13 @@ export const FormLocationMfaModeSelect = <T extends FieldValues>({
         key: LocationMfaMode.INTERNAL,
         value: LocationMfaMode.INTERNAL,
         label: LL.components.locationMfaModeSelect.options.internal(),
+        disabled: disabled,
       },
       {
         key: LocationMfaMode.EXTERNAL,
         value: LocationMfaMode.EXTERNAL,
         label: LL.components.locationMfaModeSelect.options.external(),
-        disabled: externalMfaDisabled,
+        disabled: externalMfaDisabled || disabled,
       },
     ],
     [
@@ -51,6 +54,7 @@ export const FormLocationMfaModeSelect = <T extends FieldValues>({
       LL.components.locationMfaModeSelect.options.external,
       LL.components.locationMfaModeSelect.options.internal,
       externalMfaDisabled,
+      disabled,
     ],
   );
 
diff --git a/web/src/shared/components/Form/FormServiceLocationModeSelect/FormServiceLocationModeSelect.tsx b/web/src/shared/components/Form/FormServiceLocationModeSelect/FormServiceLocationModeSelect.tsx
new file mode 100644
index 0000000000..150c158f1d
--- /dev/null
+++ b/web/src/shared/components/Form/FormServiceLocationModeSelect/FormServiceLocationModeSelect.tsx
@@ -0,0 +1,84 @@
+import './style.scss';
+import clsx from 'clsx';
+import { useMemo } from 'react';
+import {
+  type FieldValues,
+  type UseControllerProps,
+  useController,
+} from 'react-hook-form';
+import { useI18nContext } from '../../../../i18n/i18n-react';
+import { RadioButton } from '../../../defguard-ui/components/Layout/RadioButton/Radiobutton';
+import type { SelectOption } from '../../../defguard-ui/components/Layout/Select/types';
+import { useAppStore } from '../../../hooks/store/useAppStore';
+import { ServiceLocationMode } from '../../../types';
+
+type Props<T extends FieldValues> = {
+  controller: UseControllerProps<T>;
+  disabled?: boolean;
+};
+
+export const FormServiceLocationModeSelect = <T extends FieldValues>({
+  controller,
+  disabled = false,
+}: Props<T>) => {
+  const { LL } = useI18nContext();
+  const {
+    field: { onChange, value: fieldValue },
+  } = useController(controller);
+  const enterpriseEnabled = useAppStore((s) => s.appInfo?.license_info.enterprise);
+
+  const options = useMemo(
+    (): SelectOption<ServiceLocationMode>[] => [
+      {
+        key: ServiceLocationMode.DISABLED,
+        value: ServiceLocationMode.DISABLED,
+        label: LL.components.serviceLocationModeSelect.options.disabled(),
+      },
+      {
+        key: ServiceLocationMode.PRELOGON,
+        value: ServiceLocationMode.PRELOGON,
+        label: LL.components.serviceLocationModeSelect.options.prelogon(),
+        disabled: !enterpriseEnabled || disabled,
+      },
+      {
+        key: ServiceLocationMode.ALWAYSON,
+        value: ServiceLocationMode.ALWAYSON,
+        label: LL.components.serviceLocationModeSelect.options.alwayson(),
+        disabled: !enterpriseEnabled || disabled,
+      },
+    ],
+    [
+      LL.components.serviceLocationModeSelect.options.disabled,
+      LL.components.serviceLocationModeSelect.options.prelogon,
+      LL.components.serviceLocationModeSelect.options.alwayson,
+      disabled,
+      enterpriseEnabled,
+    ],
+  );
+
+  return (
+    <div className="service-location-mode-select">
+      <label>{LL.networkConfiguration.form.fields.service_location_mode.label()}</label>
+      {options.map(({ key, value, label, disabled = false }) => {
+        const active = fieldValue === value;
+        return (
+          <div
+            className={clsx(`service-location-mode`, {
+              active,
+              disabled,
+            })}
+            key={key}
+            onClick={() => {
+              if (!disabled) {
+                onChange(value);
+              }
+            }}
+          >
+            <p className="label">{label}</p>
+            <RadioButton active={active} />
+          </div>
+        );
+      })}
+    </div>
+  );
+};
diff --git a/web/src/shared/components/Form/FormServiceLocationModeSelect/style.scss b/web/src/shared/components/Form/FormServiceLocationModeSelect/style.scss
new file mode 100644
index 0000000000..4cc39d601e
--- /dev/null
+++ b/web/src/shared/components/Form/FormServiceLocationModeSelect/style.scss
@@ -0,0 +1,59 @@
+.service-location-mode-select {
+  display: flex;
+  flex-flow: column;
+  row-gap: var(--spacing-s);
+  margin-bottom: 25px;
+
+  .service-location-mode {
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    column-gap: var(--spacing-xs);
+    min-height: 30px;
+    border: 1px solid var(--border-primary);
+    padding: var(--spacing-xs) var(--spacing-s);
+    border-radius: 10px;
+    cursor: pointer;
+    user-select: none;
+    transition-property: border-color, opacity;
+    @include animate-standard;
+
+    &:not(.active) {
+      &:hover {
+        border-color: var(--border-separator);
+      }
+    }
+
+    &.active {
+      border-color: var(--surface-main-primary);
+    }
+
+    &.active,
+    &:hover {
+      .label {
+        color: var(--text-body-primary);
+      }
+    }
+
+    &.disabled {
+      opacity: 0.6;
+      cursor: not-allowed;
+      background-color: var(--surface-secondary);
+
+      .label {
+        color: var(--text-body-disabled);
+      }
+
+      &:hover {
+        border-color: var(--border-primary);
+      }
+    }
+
+    .label {
+      color: var(--text-body-secondary);
+      transition-property: color;
+      @include typography(app-modal-1);
+      @include animate-standard;
+    }
+  }
+}
diff --git a/web/src/shared/types.ts b/web/src/shared/types.ts
index d423ceed58..3c181cb11e 100644
--- a/web/src/shared/types.ts
+++ b/web/src/shared/types.ts
@@ -139,6 +139,12 @@ export enum LocationMfaMode {
   EXTERNAL = 'external',
 }
 
+export enum ServiceLocationMode {
+  DISABLED = 'disabled',
+  PRELOGON = 'prelogon',
+  ALWAYSON = 'alwayson',
+}
+
 export interface Network {
   id: number;
   name: string;
@@ -156,6 +162,7 @@ export interface Network {
   acl_enabled: boolean;
   acl_default_allow: boolean;
   location_mfa_mode: LocationMfaMode;
+  service_location_mode: ServiceLocationMode;
 }
 
 export type ModifyNetworkRequest = {

From e3a3b09f907b6d0cf2f3651b4917415fa9782ae5 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Fri, 31 Oct 2025 08:40:22 +0100
Subject: [PATCH 27/50] User enrollment pending (#1675)

---
 ...6bea01b09ec20e7ff70e626488191509bcf4.json} |  12 +-
 ...5ed13ec41c1209e82412c4f7a70d39b21aca.json} |  12 +-
 ...2dbd2cda17952cf77ac3d743a4fa85d37482.json} |  12 +-
 ...6db89b7e0afa4f7301eb6e2c9fefe604042d.json} |  12 +-
 ...0ed1b03ab9dbe8de5368321466b0256d028c.json} |   7 +-
 ...c23d7e5d4ebac61f87d98c441a12e14e8774.json} |  12 +-
 ...bbb2ed2bf453b32cb1c22b227d8541a63392.json} |  10 +-
 ...5afbee229e80bbaecc1b321c9e309c70409c.json} |  12 +-
 ...4707951915fdac31ecc117dfbdbd0434366d.json} |  12 +-
 ...5a002501d911b81f03ae5f969e69a9a4ffa5.json} |  12 +-
 ...1042ab6b05212938918eebe43cd56795ac76.json} |  12 +-
 ...116227f55516d17150bd4f370d21f2e1a46b.json} |   7 +-
 ...603a13056d395734ba2399cd11c146f4d473.json} |  12 +-
 ...c5d84efa6746a9cff3e28db6d8be28e7f69c.json} |  12 +-
 ...fbae9869524f2ecf68ee407ab9ac4fae4cb4.json} |  12 +-
 ...805d0b5b6a222ed4036da7880c57c9790091.json} |  10 +-
 ...e68fdd5e37d84269497c82184b1bb1db710e.json} |  12 +-
 ...876821bd29b49c096d798754857b22089c21.json} |  12 +-
 crates/defguard_core/src/db/models/device.rs  |   2 +-
 .../defguard_core/src/db/models/enrollment.rs |   7 +-
 crates/defguard_core/src/db/models/group.rs   |   2 +-
 crates/defguard_core/src/db/models/user.rs    |  99 +++++++++--
 .../src/enterprise/db/models/acl.rs           |  12 +-
 .../src/enterprise/ldap/model.rs              |   2 +-
 crates/defguard_core/src/grpc/enrollment.rs   |  10 ++
 crates/defguard_core/src/handlers/group.rs    |   2 +-
 crates/defguard_core/src/handlers/user.rs     |   4 +-
 .../tests/integration/api/enrollment.rs       | 160 +++++++++++++++++-
 ...030081542_user_enrollment_pending.down.sql |   1 +
 ...51030081542_user_enrollment_pending.up.sql |   1 +
 30 files changed, 425 insertions(+), 79 deletions(-)
 rename .sqlx/{query-08dfc889eda4765110276bfa2f660c2db2a35045a66fff8d25aa3e5763733529.json => query-11c5c9eaade29091b93d5d3e2fca6bea01b09ec20e7ff70e626488191509bcf4.json} (87%)
 rename .sqlx/{query-9aa803c71e997fb57e12108041077b49a6b3fbf202c63031bf38e9c68cc1fb31.json => query-37214c3279207b0d6e33b46726f35ed13ec41c1209e82412c4f7a70d39b21aca.json} (89%)
 rename .sqlx/{query-0e1afbbf6d2f59c7ff6c3b6e079c262162fab493a5c394730f10cfc48c9c91a0.json => query-4b7289fe59a0e9553fa0bfd9e9da2dbd2cda17952cf77ac3d743a4fa85d37482.json} (90%)
 rename .sqlx/{query-865dc85f17a0fef547a43c402719b86252990422a10231a53313e9b9af249a11.json => query-4d28fb2ad919eafeefd19e2796ce6db89b7e0afa4f7301eb6e2c9fefe604042d.json} (90%)
 rename .sqlx/{query-f2f3c5edc14b5b46a34fafdfb71e5cff07adc5b237228d8337004b803ac932b5.json => query-523933d20a62a730c3eb881814200ed1b03ab9dbe8de5368321466b0256d028c.json} (81%)
 rename .sqlx/{query-f9b514b027dbca84d45db0a1d4cb3f58927885992773f753abf0a524ff2d783f.json => query-5b9e2982325e824daab097a76e29c23d7e5d4ebac61f87d98c441a12e14e8774.json} (88%)
 rename .sqlx/{query-88cead8923416e5c3b6689470daff40dc34b54678899d3bfc9edcefe16fcf43c.json => query-84b5185c8c297717e9935cd2521bbbb2ed2bf453b32cb1c22b227d8541a63392.json} (90%)
 rename .sqlx/{query-6de98bad88b7a3b01ffb107637f053b4ca587bb59340cfdd463fd04dbd7f8991.json => query-98d0dc6568f54ebee7efaf5ee6965afbee229e80bbaecc1b321c9e309c70409c.json} (86%)
 rename .sqlx/{query-f49077bed4fb50e783b98e5ce0e9ad592f72285ee9165c5d2564a4610608b358.json => query-9a96f2f262ba86ab421f5f3b08984707951915fdac31ecc117dfbdbd0434366d.json} (90%)
 rename .sqlx/{query-9104f25ba81fa2589759e9d3ad6a932e984557fb7bc7807bb1c5a3784eaecd3a.json => query-afbebcf9d6784d63227376d154a35a002501d911b81f03ae5f969e69a9a4ffa5.json} (90%)
 rename .sqlx/{query-e03f1fbd03f348b0ec4a4411df8dce8a890be3fd09ceff9a26a4ce661733b88e.json => query-b5598af6a2b352c73c4bdf5b93f21042ab6b05212938918eebe43cd56795ac76.json} (88%)
 rename .sqlx/{query-e428a1588ae20f1b217396600a4181dd9567568ff05c5ebcd94677aa66010c6c.json => query-b855a2bc8e31ac52f8e23f783652116227f55516d17150bd4f370d21f2e1a46b.json} (83%)
 rename .sqlx/{query-9387577dcb8f6d64052ddc8b28ef6b60bd37fd6d6a6b71fad7103260f8479e8b.json => query-c973c8ca54523b237b7b3b4c95d9603a13056d395734ba2399cd11c146f4d473.json} (90%)
 rename .sqlx/{query-1e08b3fc959f39560270027723ee12284a2532464a8f59d37699dcff97c3ba63.json => query-d1595e6cfd8947354669341ac26ac5d84efa6746a9cff3e28db6d8be28e7f69c.json} (90%)
 rename .sqlx/{query-58f875f68fdee165045a6ab1185d14726f9aa86e613ab050358ca8ea455693e7.json => query-e5a4b8671069997f4ae7fc38c33ffbae9869524f2ecf68ee407ab9ac4fae4cb4.json} (88%)
 rename .sqlx/{query-a6dfaf41f375066925c5e15dbdd649eac7e2eb3bbe57be5d9ac0f43964064ed2.json => query-f3568532db86448be0fcdc2bcdea805d0b5b6a222ed4036da7880c57c9790091.json} (91%)
 rename .sqlx/{query-dc7082efd9915800029f47135458b87498913f37463f974fb6f1935225c37ea8.json => query-f98428d4f6faeaf5475a9292045ce68fdd5e37d84269497c82184b1bb1db710e.json} (88%)
 rename .sqlx/{query-04163625da5365779cb5e2a47242b7d7faff6d6327e279362212cda4960caca0.json => query-fd671557afabd523045f73a2f32e876821bd29b49c096d798754857b22089c21.json} (90%)
 create mode 100644 migrations/20251030081542_user_enrollment_pending.down.sql
 create mode 100644 migrations/20251030081542_user_enrollment_pending.up.sql

diff --git a/.sqlx/query-08dfc889eda4765110276bfa2f660c2db2a35045a66fff8d25aa3e5763733529.json b/.sqlx/query-11c5c9eaade29091b93d5d3e2fca6bea01b09ec20e7ff70e626488191509bcf4.json
similarity index 87%
rename from .sqlx/query-08dfc889eda4765110276bfa2f660c2db2a35045a66fff8d25aa3e5763733529.json
rename to .sqlx/query-11c5c9eaade29091b93d5d3e2fca6bea01b09ec20e7ff70e626488191509bcf4.json
index cfdbec3ef1..c96dd9aff6 100644
--- a/.sqlx/query-08dfc889eda4765110276bfa2f660c2db2a35045a66fff8d25aa3e5763733529.json
+++ b/.sqlx/query-11c5c9eaade29091b93d5d3e2fca6bea01b09ec20e7ff70e626488191509bcf4.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            SELECT u.id, u.username, u.password_hash, u.last_name, u.first_name, u.email, u.phone, u.mfa_enabled, u.totp_enabled, u.email_mfa_enabled, u.totp_secret, u.email_mfa_secret, u.mfa_method \"mfa_method: _\", u.recovery_codes, u.is_active, u.openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path FROM \"user\" u WHERE EXISTS (SELECT 1 FROM group_user gu LEFT JOIN \"group\" g ON gu.group_id = g.id WHERE is_admin = true AND user_id = u.id) AND u.is_active = true",
+  "query": "\n            SELECT u.id, u.username, u.password_hash, u.last_name, u.first_name, u.email, u.phone, u.mfa_enabled, u.totp_enabled, u.email_mfa_enabled, u.totp_secret, u.email_mfa_secret, u.mfa_method \"mfa_method: _\", u.recovery_codes, u.is_active, u.openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending FROM \"user\" u WHERE EXISTS (SELECT 1 FROM group_user gu LEFT JOIN \"group\" g ON gu.group_id = g.id WHERE is_admin = true AND user_id = u.id) AND u.is_active = true",
   "describe": {
     "columns": [
       {
@@ -114,6 +114,11 @@
         "ordinal": 19,
         "name": "ldap_user_path",
         "type_info": "Text"
+      },
+      {
+        "ordinal": 20,
+        "name": "enrollment_pending",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -139,8 +144,9 @@
       false,
       false,
       true,
-      true
+      true,
+      false
     ]
   },
-  "hash": "08dfc889eda4765110276bfa2f660c2db2a35045a66fff8d25aa3e5763733529"
+  "hash": "11c5c9eaade29091b93d5d3e2fca6bea01b09ec20e7ff70e626488191509bcf4"
 }
diff --git a/.sqlx/query-9aa803c71e997fb57e12108041077b49a6b3fbf202c63031bf38e9c68cc1fb31.json b/.sqlx/query-37214c3279207b0d6e33b46726f35ed13ec41c1209e82412c4f7a70d39b21aca.json
similarity index 89%
rename from .sqlx/query-9aa803c71e997fb57e12108041077b49a6b3fbf202c63031bf38e9c68cc1fb31.json
rename to .sqlx/query-37214c3279207b0d6e33b46726f35ed13ec41c1209e82412c4f7a70d39b21aca.json
index 4294f4f023..0de478df57 100644
--- a/.sqlx/query-9aa803c71e997fb57e12108041077b49a6b3fbf202c63031bf38e9c68cc1fb31.json
+++ b/.sqlx/query-37214c3279207b0d6e33b46726f35ed13ec41c1209e82412c4f7a70d39b21aca.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "\n            SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path FROM \"user\" WHERE ldap_user_path IS NULL\n            ",
+  "query": "\n            SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending FROM \"user\" WHERE ldap_user_path IS NULL\n            ",
   "describe": {
     "columns": [
       {
@@ -114,6 +114,11 @@
         "ordinal": 19,
         "name": "ldap_user_path",
         "type_info": "Text"
+      },
+      {
+        "ordinal": 20,
+        "name": "enrollment_pending",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -139,8 +144,9 @@
       false,
       false,
       true,
-      true
+      true,
+      false
     ]
   },
-  "hash": "9aa803c71e997fb57e12108041077b49a6b3fbf202c63031bf38e9c68cc1fb31"
+  "hash": "37214c3279207b0d6e33b46726f35ed13ec41c1209e82412c4f7a70d39b21aca"
 }
diff --git a/.sqlx/query-0e1afbbf6d2f59c7ff6c3b6e079c262162fab493a5c394730f10cfc48c9c91a0.json b/.sqlx/query-4b7289fe59a0e9553fa0bfd9e9da2dbd2cda17952cf77ac3d743a4fa85d37482.json
similarity index 90%
rename from .sqlx/query-0e1afbbf6d2f59c7ff6c3b6e079c262162fab493a5c394730f10cfc48c9c91a0.json
rename to .sqlx/query-4b7289fe59a0e9553fa0bfd9e9da2dbd2cda17952cf77ac3d743a4fa85d37482.json
index 38d6a590b6..872ad26651 100644
--- a/.sqlx/query-0e1afbbf6d2f59c7ff6c3b6e079c262162fab493a5c394730f10cfc48c9c91a0.json
+++ b/.sqlx/query-4b7289fe59a0e9553fa0bfd9e9da2dbd2cda17952cf77ac3d743a4fa85d37482.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path FROM \"user\" WHERE email ILIKE $1",
+  "query": "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending FROM \"user\" WHERE openid_sub = $1",
   "describe": {
     "columns": [
       {
@@ -114,6 +114,11 @@
         "ordinal": 19,
         "name": "ldap_user_path",
         "type_info": "Text"
+      },
+      {
+        "ordinal": 20,
+        "name": "enrollment_pending",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -141,8 +146,9 @@
       false,
       false,
       true,
-      true
+      true,
+      false
     ]
   },
-  "hash": "0e1afbbf6d2f59c7ff6c3b6e079c262162fab493a5c394730f10cfc48c9c91a0"
+  "hash": "4b7289fe59a0e9553fa0bfd9e9da2dbd2cda17952cf77ac3d743a4fa85d37482"
 }
diff --git a/.sqlx/query-865dc85f17a0fef547a43c402719b86252990422a10231a53313e9b9af249a11.json b/.sqlx/query-4d28fb2ad919eafeefd19e2796ce6db89b7e0afa4f7301eb6e2c9fefe604042d.json
similarity index 90%
rename from .sqlx/query-865dc85f17a0fef547a43c402719b86252990422a10231a53313e9b9af249a11.json
rename to .sqlx/query-4d28fb2ad919eafeefd19e2796ce6db89b7e0afa4f7301eb6e2c9fefe604042d.json
index 2f56a55c4c..790bbc027c 100644
--- a/.sqlx/query-865dc85f17a0fef547a43c402719b86252990422a10231a53313e9b9af249a11.json
+++ b/.sqlx/query-4d28fb2ad919eafeefd19e2796ce6db89b7e0afa4f7301eb6e2c9fefe604042d.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path FROM \"user\" WHERE is_active = true",
+  "query": "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending FROM \"user\" WHERE is_active = true",
   "describe": {
     "columns": [
       {
@@ -114,6 +114,11 @@
         "ordinal": 19,
         "name": "ldap_user_path",
         "type_info": "Text"
+      },
+      {
+        "ordinal": 20,
+        "name": "enrollment_pending",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -139,8 +144,9 @@
       false,
       false,
       true,
-      true
+      true,
+      false
     ]
   },
-  "hash": "865dc85f17a0fef547a43c402719b86252990422a10231a53313e9b9af249a11"
+  "hash": "4d28fb2ad919eafeefd19e2796ce6db89b7e0afa4f7301eb6e2c9fefe604042d"
 }
diff --git a/.sqlx/query-f2f3c5edc14b5b46a34fafdfb71e5cff07adc5b237228d8337004b803ac932b5.json b/.sqlx/query-523933d20a62a730c3eb881814200ed1b03ab9dbe8de5368321466b0256d028c.json
similarity index 81%
rename from .sqlx/query-f2f3c5edc14b5b46a34fafdfb71e5cff07adc5b237228d8337004b803ac932b5.json
rename to .sqlx/query-523933d20a62a730c3eb881814200ed1b03ab9dbe8de5368321466b0256d028c.json
index fda9187be2..cf84d03729 100644
--- a/.sqlx/query-f2f3c5edc14b5b46a34fafdfb71e5cff07adc5b237228d8337004b803ac932b5.json
+++ b/.sqlx/query-523933d20a62a730c3eb881814200ed1b03ab9dbe8de5368321466b0256d028c.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "INSERT INTO \"user\" (\"username\",\"password_hash\",\"last_name\",\"first_name\",\"email\",\"phone\",\"mfa_enabled\",\"is_active\",\"from_ldap\",\"ldap_pass_randomized\",\"ldap_rdn\",\"ldap_user_path\",\"openid_sub\",\"totp_enabled\",\"email_mfa_enabled\",\"totp_secret\",\"email_mfa_secret\",\"mfa_method\",\"recovery_codes\") VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15,$16,$17,$18,$19) RETURNING id",
+  "query": "INSERT INTO \"user\" (\"username\",\"password_hash\",\"last_name\",\"first_name\",\"email\",\"phone\",\"mfa_enabled\",\"is_active\",\"from_ldap\",\"ldap_pass_randomized\",\"ldap_rdn\",\"ldap_user_path\",\"openid_sub\",\"totp_enabled\",\"email_mfa_enabled\",\"totp_secret\",\"email_mfa_secret\",\"mfa_method\",\"recovery_codes\",\"enrollment_pending\") VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15,$16,$17,$18,$19,$20) RETURNING id",
   "describe": {
     "columns": [
       {
@@ -41,12 +41,13 @@
             }
           }
         },
-        "TextArray"
+        "TextArray",
+        "Bool"
       ]
     },
     "nullable": [
       false
     ]
   },
-  "hash": "f2f3c5edc14b5b46a34fafdfb71e5cff07adc5b237228d8337004b803ac932b5"
+  "hash": "523933d20a62a730c3eb881814200ed1b03ab9dbe8de5368321466b0256d028c"
 }
diff --git a/.sqlx/query-f9b514b027dbca84d45db0a1d4cb3f58927885992773f753abf0a524ff2d783f.json b/.sqlx/query-5b9e2982325e824daab097a76e29c23d7e5d4ebac61f87d98c441a12e14e8774.json
similarity index 88%
rename from .sqlx/query-f9b514b027dbca84d45db0a1d4cb3f58927885992773f753abf0a524ff2d783f.json
rename to .sqlx/query-5b9e2982325e824daab097a76e29c23d7e5d4ebac61f87d98c441a12e14e8774.json
index 3334968c24..48a9989af2 100644
--- a/.sqlx/query-f9b514b027dbca84d45db0a1d4cb3f58927885992773f753abf0a524ff2d783f.json
+++ b/.sqlx/query-5b9e2982325e824daab097a76e29c23d7e5d4ebac61f87d98c441a12e14e8774.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT \"user\".id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path FROM \"user\" JOIN group_user ON \"user\".id = group_user.user_id WHERE group_user.group_id = $1",
+  "query": "SELECT \"user\".id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending FROM \"user\" JOIN group_user ON \"user\".id = group_user.user_id WHERE group_user.group_id = $1",
   "describe": {
     "columns": [
       {
@@ -114,6 +114,11 @@
         "ordinal": 19,
         "name": "ldap_user_path",
         "type_info": "Text"
+      },
+      {
+        "ordinal": 20,
+        "name": "enrollment_pending",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -141,8 +146,9 @@
       false,
       false,
       true,
-      true
+      true,
+      false
     ]
   },
-  "hash": "f9b514b027dbca84d45db0a1d4cb3f58927885992773f753abf0a524ff2d783f"
+  "hash": "5b9e2982325e824daab097a76e29c23d7e5d4ebac61f87d98c441a12e14e8774"
 }
diff --git a/.sqlx/query-88cead8923416e5c3b6689470daff40dc34b54678899d3bfc9edcefe16fcf43c.json b/.sqlx/query-84b5185c8c297717e9935cd2521bbbb2ed2bf453b32cb1c22b227d8541a63392.json
similarity index 90%
rename from .sqlx/query-88cead8923416e5c3b6689470daff40dc34b54678899d3bfc9edcefe16fcf43c.json
rename to .sqlx/query-84b5185c8c297717e9935cd2521bbbb2ed2bf453b32cb1c22b227d8541a63392.json
index 59dfb194d2..95c30504ab 100644
--- a/.sqlx/query-88cead8923416e5c3b6689470daff40dc34b54678899d3bfc9edcefe16fcf43c.json
+++ b/.sqlx/query-84b5185c8c297717e9935cd2521bbbb2ed2bf453b32cb1c22b227d8541a63392.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, \"username\",\"password_hash\",\"last_name\",\"first_name\",\"email\",\"phone\",\"mfa_enabled\",\"is_active\",\"from_ldap\",\"ldap_pass_randomized\",\"ldap_rdn\",\"ldap_user_path\",\"openid_sub\",\"totp_enabled\",\"email_mfa_enabled\",\"totp_secret\",\"email_mfa_secret\",\"mfa_method\" \"mfa_method: _\",\"recovery_codes\" \"recovery_codes: _\" FROM \"user\" WHERE id = $1",
+  "query": "SELECT id, \"username\",\"password_hash\",\"last_name\",\"first_name\",\"email\",\"phone\",\"mfa_enabled\",\"is_active\",\"from_ldap\",\"ldap_pass_randomized\",\"ldap_rdn\",\"ldap_user_path\",\"openid_sub\",\"totp_enabled\",\"email_mfa_enabled\",\"totp_secret\",\"email_mfa_secret\",\"mfa_method\" \"mfa_method: _\",\"recovery_codes\" \"recovery_codes: _\",\"enrollment_pending\" FROM \"user\" WHERE id = $1",
   "describe": {
     "columns": [
       {
@@ -114,6 +114,11 @@
         "ordinal": 19,
         "name": "recovery_codes: _",
         "type_info": "TextArray"
+      },
+      {
+        "ordinal": 20,
+        "name": "enrollment_pending",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -141,8 +146,9 @@
       true,
       true,
       false,
+      false,
       false
     ]
   },
-  "hash": "88cead8923416e5c3b6689470daff40dc34b54678899d3bfc9edcefe16fcf43c"
+  "hash": "84b5185c8c297717e9935cd2521bbbb2ed2bf453b32cb1c22b227d8541a63392"
 }
diff --git a/.sqlx/query-6de98bad88b7a3b01ffb107637f053b4ca587bb59340cfdd463fd04dbd7f8991.json b/.sqlx/query-98d0dc6568f54ebee7efaf5ee6965afbee229e80bbaecc1b321c9e309c70409c.json
similarity index 86%
rename from .sqlx/query-6de98bad88b7a3b01ffb107637f053b4ca587bb59340cfdd463fd04dbd7f8991.json
rename to .sqlx/query-98d0dc6568f54ebee7efaf5ee6965afbee229e80bbaecc1b321c9e309c70409c.json
index b8bfc1f022..3ba7d6e933 100644
--- a/.sqlx/query-6de98bad88b7a3b01ffb107637f053b4ca587bb59340cfdd463fd04dbd7f8991.json
+++ b/.sqlx/query-98d0dc6568f54ebee7efaf5ee6965afbee229e80bbaecc1b321c9e309c70409c.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT \"user\".id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path FROM \"user\" INNER JOIN \"group_user\" ON \"user\".id = \"group_user\".user_id INNER JOIN \"group\" ON \"group_user\".group_id = \"group\".id WHERE \"group\".name = $1",
+  "query": "SELECT \"user\".id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending FROM \"user\" INNER JOIN \"group_user\" ON \"user\".id = \"group_user\".user_id INNER JOIN \"group\" ON \"group_user\".group_id = \"group\".id WHERE \"group\".name = $1",
   "describe": {
     "columns": [
       {
@@ -114,6 +114,11 @@
         "ordinal": 19,
         "name": "ldap_user_path",
         "type_info": "Text"
+      },
+      {
+        "ordinal": 20,
+        "name": "enrollment_pending",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -141,8 +146,9 @@
       false,
       false,
       true,
-      true
+      true,
+      false
     ]
   },
-  "hash": "6de98bad88b7a3b01ffb107637f053b4ca587bb59340cfdd463fd04dbd7f8991"
+  "hash": "98d0dc6568f54ebee7efaf5ee6965afbee229e80bbaecc1b321c9e309c70409c"
 }
diff --git a/.sqlx/query-f49077bed4fb50e783b98e5ce0e9ad592f72285ee9165c5d2564a4610608b358.json b/.sqlx/query-9a96f2f262ba86ab421f5f3b08984707951915fdac31ecc117dfbdbd0434366d.json
similarity index 90%
rename from .sqlx/query-f49077bed4fb50e783b98e5ce0e9ad592f72285ee9165c5d2564a4610608b358.json
rename to .sqlx/query-9a96f2f262ba86ab421f5f3b08984707951915fdac31ecc117dfbdbd0434366d.json
index 918146a1d4..bb0ffd7dcf 100644
--- a/.sqlx/query-f49077bed4fb50e783b98e5ce0e9ad592f72285ee9165c5d2564a4610608b358.json
+++ b/.sqlx/query-9a96f2f262ba86ab421f5f3b08984707951915fdac31ecc117dfbdbd0434366d.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path FROM \"user\" WHERE id = ANY($1)",
+  "query": "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending FROM \"user\" WHERE id = ANY($1)",
   "describe": {
     "columns": [
       {
@@ -114,6 +114,11 @@
         "ordinal": 19,
         "name": "ldap_user_path",
         "type_info": "Text"
+      },
+      {
+        "ordinal": 20,
+        "name": "enrollment_pending",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -141,8 +146,9 @@
       false,
       false,
       true,
-      true
+      true,
+      false
     ]
   },
-  "hash": "f49077bed4fb50e783b98e5ce0e9ad592f72285ee9165c5d2564a4610608b358"
+  "hash": "9a96f2f262ba86ab421f5f3b08984707951915fdac31ecc117dfbdbd0434366d"
 }
diff --git a/.sqlx/query-9104f25ba81fa2589759e9d3ad6a932e984557fb7bc7807bb1c5a3784eaecd3a.json b/.sqlx/query-afbebcf9d6784d63227376d154a35a002501d911b81f03ae5f969e69a9a4ffa5.json
similarity index 90%
rename from .sqlx/query-9104f25ba81fa2589759e9d3ad6a932e984557fb7bc7807bb1c5a3784eaecd3a.json
rename to .sqlx/query-afbebcf9d6784d63227376d154a35a002501d911b81f03ae5f969e69a9a4ffa5.json
index 98b4e67056..0b95519c07 100644
--- a/.sqlx/query-9104f25ba81fa2589759e9d3ad6a932e984557fb7bc7807bb1c5a3784eaecd3a.json
+++ b/.sqlx/query-afbebcf9d6784d63227376d154a35a002501d911b81f03ae5f969e69a9a4ffa5.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT u.id, u.username, u.password_hash, u.last_name, u.first_name, u.email, u.phone, u.mfa_enabled, u.totp_enabled, u.email_mfa_enabled, u.totp_secret, u.email_mfa_secret, u.mfa_method \"mfa_method: _\", u.recovery_codes, u.is_active, u.openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path FROM \"user\" u JOIN \"device\" d ON u.id = d.user_id WHERE d.id = $1",
+  "query": "SELECT u.id, u.username, u.password_hash, u.last_name, u.first_name, u.email, u.phone, u.mfa_enabled, u.totp_enabled, u.email_mfa_enabled, u.totp_secret, u.email_mfa_secret, u.mfa_method \"mfa_method: _\", u.recovery_codes, u.is_active, u.openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending FROM \"user\" u JOIN \"device\" d ON u.id = d.user_id WHERE d.id = $1",
   "describe": {
     "columns": [
       {
@@ -114,6 +114,11 @@
         "ordinal": 19,
         "name": "ldap_user_path",
         "type_info": "Text"
+      },
+      {
+        "ordinal": 20,
+        "name": "enrollment_pending",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -141,8 +146,9 @@
       false,
       false,
       true,
-      true
+      true,
+      false
     ]
   },
-  "hash": "9104f25ba81fa2589759e9d3ad6a932e984557fb7bc7807bb1c5a3784eaecd3a"
+  "hash": "afbebcf9d6784d63227376d154a35a002501d911b81f03ae5f969e69a9a4ffa5"
 }
diff --git a/.sqlx/query-e03f1fbd03f348b0ec4a4411df8dce8a890be3fd09ceff9a26a4ce661733b88e.json b/.sqlx/query-b5598af6a2b352c73c4bdf5b93f21042ab6b05212938918eebe43cd56795ac76.json
similarity index 88%
rename from .sqlx/query-e03f1fbd03f348b0ec4a4411df8dce8a890be3fd09ceff9a26a4ce661733b88e.json
rename to .sqlx/query-b5598af6a2b352c73c4bdf5b93f21042ab6b05212938918eebe43cd56795ac76.json
index 1f0b827afd..88a86ecca5 100644
--- a/.sqlx/query-e03f1fbd03f348b0ec4a4411df8dce8a890be3fd09ceff9a26a4ce661733b88e.json
+++ b/.sqlx/query-b5598af6a2b352c73c4bdf5b93f21042ab6b05212938918eebe43cd56795ac76.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT u.id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path FROM aclruleuser r JOIN \"user\" u ON u.id = r.user_id WHERE r.rule_id = $1 AND NOT r.allow AND u.is_active = true",
+  "query": "SELECT u.id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending FROM aclruleuser r JOIN \"user\" u ON u.id = r.user_id WHERE r.rule_id = $1 AND NOT r.allow AND u.is_active = true",
   "describe": {
     "columns": [
       {
@@ -114,6 +114,11 @@
         "ordinal": 19,
         "name": "ldap_user_path",
         "type_info": "Text"
+      },
+      {
+        "ordinal": 20,
+        "name": "enrollment_pending",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -141,8 +146,9 @@
       false,
       false,
       true,
-      true
+      true,
+      false
     ]
   },
-  "hash": "e03f1fbd03f348b0ec4a4411df8dce8a890be3fd09ceff9a26a4ce661733b88e"
+  "hash": "b5598af6a2b352c73c4bdf5b93f21042ab6b05212938918eebe43cd56795ac76"
 }
diff --git a/.sqlx/query-e428a1588ae20f1b217396600a4181dd9567568ff05c5ebcd94677aa66010c6c.json b/.sqlx/query-b855a2bc8e31ac52f8e23f783652116227f55516d17150bd4f370d21f2e1a46b.json
similarity index 83%
rename from .sqlx/query-e428a1588ae20f1b217396600a4181dd9567568ff05c5ebcd94677aa66010c6c.json
rename to .sqlx/query-b855a2bc8e31ac52f8e23f783652116227f55516d17150bd4f370d21f2e1a46b.json
index 90c559cc22..22086c1e09 100644
--- a/.sqlx/query-e428a1588ae20f1b217396600a4181dd9567568ff05c5ebcd94677aa66010c6c.json
+++ b/.sqlx/query-b855a2bc8e31ac52f8e23f783652116227f55516d17150bd4f370d21f2e1a46b.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "UPDATE \"user\" SET \"username\" = $2,\"password_hash\" = $3,\"last_name\" = $4,\"first_name\" = $5,\"email\" = $6,\"phone\" = $7,\"mfa_enabled\" = $8,\"is_active\" = $9,\"from_ldap\" = $10,\"ldap_pass_randomized\" = $11,\"ldap_rdn\" = $12,\"ldap_user_path\" = $13,\"openid_sub\" = $14,\"totp_enabled\" = $15,\"email_mfa_enabled\" = $16,\"totp_secret\" = $17,\"email_mfa_secret\" = $18,\"mfa_method\" = $19,\"recovery_codes\" = $20 WHERE id = $1",
+  "query": "UPDATE \"user\" SET \"username\" = $2,\"password_hash\" = $3,\"last_name\" = $4,\"first_name\" = $5,\"email\" = $6,\"phone\" = $7,\"mfa_enabled\" = $8,\"is_active\" = $9,\"from_ldap\" = $10,\"ldap_pass_randomized\" = $11,\"ldap_rdn\" = $12,\"ldap_user_path\" = $13,\"openid_sub\" = $14,\"totp_enabled\" = $15,\"email_mfa_enabled\" = $16,\"totp_secret\" = $17,\"email_mfa_secret\" = $18,\"mfa_method\" = $19,\"recovery_codes\" = $20,\"enrollment_pending\" = $21 WHERE id = $1",
   "describe": {
     "columns": [],
     "parameters": {
@@ -36,10 +36,11 @@
             }
           }
         },
-        "TextArray"
+        "TextArray",
+        "Bool"
       ]
     },
     "nullable": []
   },
-  "hash": "e428a1588ae20f1b217396600a4181dd9567568ff05c5ebcd94677aa66010c6c"
+  "hash": "b855a2bc8e31ac52f8e23f783652116227f55516d17150bd4f370d21f2e1a46b"
 }
diff --git a/.sqlx/query-9387577dcb8f6d64052ddc8b28ef6b60bd37fd6d6a6b71fad7103260f8479e8b.json b/.sqlx/query-c973c8ca54523b237b7b3b4c95d9603a13056d395734ba2399cd11c146f4d473.json
similarity index 90%
rename from .sqlx/query-9387577dcb8f6d64052ddc8b28ef6b60bd37fd6d6a6b71fad7103260f8479e8b.json
rename to .sqlx/query-c973c8ca54523b237b7b3b4c95d9603a13056d395734ba2399cd11c146f4d473.json
index 87955ba2a5..6e0608e1d0 100644
--- a/.sqlx/query-9387577dcb8f6d64052ddc8b28ef6b60bd37fd6d6a6b71fad7103260f8479e8b.json
+++ b/.sqlx/query-c973c8ca54523b237b7b3b4c95d9603a13056d395734ba2399cd11c146f4d473.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path FROM \"user\" WHERE username = $1",
+  "query": "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending FROM \"user\" WHERE email ILIKE $1",
   "describe": {
     "columns": [
       {
@@ -114,6 +114,11 @@
         "ordinal": 19,
         "name": "ldap_user_path",
         "type_info": "Text"
+      },
+      {
+        "ordinal": 20,
+        "name": "enrollment_pending",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -141,8 +146,9 @@
       false,
       false,
       true,
-      true
+      true,
+      false
     ]
   },
-  "hash": "9387577dcb8f6d64052ddc8b28ef6b60bd37fd6d6a6b71fad7103260f8479e8b"
+  "hash": "c973c8ca54523b237b7b3b4c95d9603a13056d395734ba2399cd11c146f4d473"
 }
diff --git a/.sqlx/query-1e08b3fc959f39560270027723ee12284a2532464a8f59d37699dcff97c3ba63.json b/.sqlx/query-d1595e6cfd8947354669341ac26ac5d84efa6746a9cff3e28db6d8be28e7f69c.json
similarity index 90%
rename from .sqlx/query-1e08b3fc959f39560270027723ee12284a2532464a8f59d37699dcff97c3ba63.json
rename to .sqlx/query-d1595e6cfd8947354669341ac26ac5d84efa6746a9cff3e28db6d8be28e7f69c.json
index 0d1ffd478e..c2515c8b66 100644
--- a/.sqlx/query-1e08b3fc959f39560270027723ee12284a2532464a8f59d37699dcff97c3ba63.json
+++ b/.sqlx/query-d1595e6cfd8947354669341ac26ac5d84efa6746a9cff3e28db6d8be28e7f69c.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path FROM \"user\" WHERE id = $1",
+  "query": "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending FROM \"user\" WHERE id = $1",
   "describe": {
     "columns": [
       {
@@ -114,6 +114,11 @@
         "ordinal": 19,
         "name": "ldap_user_path",
         "type_info": "Text"
+      },
+      {
+        "ordinal": 20,
+        "name": "enrollment_pending",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -141,8 +146,9 @@
       false,
       false,
       true,
-      true
+      true,
+      false
     ]
   },
-  "hash": "1e08b3fc959f39560270027723ee12284a2532464a8f59d37699dcff97c3ba63"
+  "hash": "d1595e6cfd8947354669341ac26ac5d84efa6746a9cff3e28db6d8be28e7f69c"
 }
diff --git a/.sqlx/query-58f875f68fdee165045a6ab1185d14726f9aa86e613ab050358ca8ea455693e7.json b/.sqlx/query-e5a4b8671069997f4ae7fc38c33ffbae9869524f2ecf68ee407ab9ac4fae4cb4.json
similarity index 88%
rename from .sqlx/query-58f875f68fdee165045a6ab1185d14726f9aa86e613ab050358ca8ea455693e7.json
rename to .sqlx/query-e5a4b8671069997f4ae7fc38c33ffbae9869524f2ecf68ee407ab9ac4fae4cb4.json
index 25a55dc8c4..aeb15fac8e 100644
--- a/.sqlx/query-58f875f68fdee165045a6ab1185d14726f9aa86e613ab050358ca8ea455693e7.json
+++ b/.sqlx/query-e5a4b8671069997f4ae7fc38c33ffbae9869524f2ecf68ee407ab9ac4fae4cb4.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path FROM \"user\" u JOIN group_user gu ON u.id=gu.user_id WHERE u.is_active=true AND gu.group_id=ANY($1)",
+  "query": "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending FROM \"user\" u JOIN group_user gu ON u.id=gu.user_id WHERE u.is_active=true AND gu.group_id=ANY($1)",
   "describe": {
     "columns": [
       {
@@ -114,6 +114,11 @@
         "ordinal": 19,
         "name": "ldap_user_path",
         "type_info": "Text"
+      },
+      {
+        "ordinal": 20,
+        "name": "enrollment_pending",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -141,8 +146,9 @@
       false,
       false,
       true,
-      true
+      true,
+      false
     ]
   },
-  "hash": "58f875f68fdee165045a6ab1185d14726f9aa86e613ab050358ca8ea455693e7"
+  "hash": "e5a4b8671069997f4ae7fc38c33ffbae9869524f2ecf68ee407ab9ac4fae4cb4"
 }
diff --git a/.sqlx/query-a6dfaf41f375066925c5e15dbdd649eac7e2eb3bbe57be5d9ac0f43964064ed2.json b/.sqlx/query-f3568532db86448be0fcdc2bcdea805d0b5b6a222ed4036da7880c57c9790091.json
similarity index 91%
rename from .sqlx/query-a6dfaf41f375066925c5e15dbdd649eac7e2eb3bbe57be5d9ac0f43964064ed2.json
rename to .sqlx/query-f3568532db86448be0fcdc2bcdea805d0b5b6a222ed4036da7880c57c9790091.json
index a2c50d66a5..01a2303485 100644
--- a/.sqlx/query-a6dfaf41f375066925c5e15dbdd649eac7e2eb3bbe57be5d9ac0f43964064ed2.json
+++ b/.sqlx/query-f3568532db86448be0fcdc2bcdea805d0b5b6a222ed4036da7880c57c9790091.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, \"username\",\"password_hash\",\"last_name\",\"first_name\",\"email\",\"phone\",\"mfa_enabled\",\"is_active\",\"from_ldap\",\"ldap_pass_randomized\",\"ldap_rdn\",\"ldap_user_path\",\"openid_sub\",\"totp_enabled\",\"email_mfa_enabled\",\"totp_secret\",\"email_mfa_secret\",\"mfa_method\" \"mfa_method: _\",\"recovery_codes\" \"recovery_codes: _\" FROM \"user\"",
+  "query": "SELECT id, \"username\",\"password_hash\",\"last_name\",\"first_name\",\"email\",\"phone\",\"mfa_enabled\",\"is_active\",\"from_ldap\",\"ldap_pass_randomized\",\"ldap_rdn\",\"ldap_user_path\",\"openid_sub\",\"totp_enabled\",\"email_mfa_enabled\",\"totp_secret\",\"email_mfa_secret\",\"mfa_method\" \"mfa_method: _\",\"recovery_codes\" \"recovery_codes: _\",\"enrollment_pending\" FROM \"user\"",
   "describe": {
     "columns": [
       {
@@ -114,6 +114,11 @@
         "ordinal": 19,
         "name": "recovery_codes: _",
         "type_info": "TextArray"
+      },
+      {
+        "ordinal": 20,
+        "name": "enrollment_pending",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -139,8 +144,9 @@
       true,
       true,
       false,
+      false,
       false
     ]
   },
-  "hash": "a6dfaf41f375066925c5e15dbdd649eac7e2eb3bbe57be5d9ac0f43964064ed2"
+  "hash": "f3568532db86448be0fcdc2bcdea805d0b5b6a222ed4036da7880c57c9790091"
 }
diff --git a/.sqlx/query-dc7082efd9915800029f47135458b87498913f37463f974fb6f1935225c37ea8.json b/.sqlx/query-f98428d4f6faeaf5475a9292045ce68fdd5e37d84269497c82184b1bb1db710e.json
similarity index 88%
rename from .sqlx/query-dc7082efd9915800029f47135458b87498913f37463f974fb6f1935225c37ea8.json
rename to .sqlx/query-f98428d4f6faeaf5475a9292045ce68fdd5e37d84269497c82184b1bb1db710e.json
index a4302b3f3c..18ccc08762 100644
--- a/.sqlx/query-dc7082efd9915800029f47135458b87498913f37463f974fb6f1935225c37ea8.json
+++ b/.sqlx/query-f98428d4f6faeaf5475a9292045ce68fdd5e37d84269497c82184b1bb1db710e.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT u.id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path FROM aclruleuser r JOIN \"user\" u ON u.id = r.user_id WHERE r.rule_id = $1 AND r.allow AND u.is_active = true",
+  "query": "SELECT u.id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending FROM aclruleuser r JOIN \"user\" u ON u.id = r.user_id WHERE r.rule_id = $1 AND r.allow AND u.is_active = true",
   "describe": {
     "columns": [
       {
@@ -114,6 +114,11 @@
         "ordinal": 19,
         "name": "ldap_user_path",
         "type_info": "Text"
+      },
+      {
+        "ordinal": 20,
+        "name": "enrollment_pending",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -141,8 +146,9 @@
       false,
       false,
       true,
-      true
+      true,
+      false
     ]
   },
-  "hash": "dc7082efd9915800029f47135458b87498913f37463f974fb6f1935225c37ea8"
+  "hash": "f98428d4f6faeaf5475a9292045ce68fdd5e37d84269497c82184b1bb1db710e"
 }
diff --git a/.sqlx/query-04163625da5365779cb5e2a47242b7d7faff6d6327e279362212cda4960caca0.json b/.sqlx/query-fd671557afabd523045f73a2f32e876821bd29b49c096d798754857b22089c21.json
similarity index 90%
rename from .sqlx/query-04163625da5365779cb5e2a47242b7d7faff6d6327e279362212cda4960caca0.json
rename to .sqlx/query-fd671557afabd523045f73a2f32e876821bd29b49c096d798754857b22089c21.json
index 7396561c7f..5280946e04 100644
--- a/.sqlx/query-04163625da5365779cb5e2a47242b7d7faff6d6327e279362212cda4960caca0.json
+++ b/.sqlx/query-fd671557afabd523045f73a2f32e876821bd29b49c096d798754857b22089c21.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path FROM \"user\" WHERE openid_sub = $1",
+  "query": "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending FROM \"user\" WHERE username = $1",
   "describe": {
     "columns": [
       {
@@ -114,6 +114,11 @@
         "ordinal": 19,
         "name": "ldap_user_path",
         "type_info": "Text"
+      },
+      {
+        "ordinal": 20,
+        "name": "enrollment_pending",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -141,8 +146,9 @@
       false,
       false,
       true,
-      true
+      true,
+      false
     ]
   },
-  "hash": "04163625da5365779cb5e2a47242b7d7faff6d6327e279362212cda4960caca0"
+  "hash": "fd671557afabd523045f73a2f32e876821bd29b49c096d798754857b22089c21"
 }
diff --git a/crates/defguard_core/src/db/models/device.rs b/crates/defguard_core/src/db/models/device.rs
index 385faa8aa3..f359eb6383 100644
--- a/crates/defguard_core/src/db/models/device.rs
+++ b/crates/defguard_core/src/db/models/device.rs
@@ -1015,7 +1015,7 @@ impl Device<Id> {
             "SELECT id, username, password_hash, last_name, first_name, email, \
             phone, mfa_enabled, totp_enabled, email_mfa_enabled, \
             totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, \
-            from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path \
+            from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending \
             FROM \"user\" WHERE id = $1",
             self.user_id
         ).fetch_one(executor).await
diff --git a/crates/defguard_core/src/db/models/enrollment.rs b/crates/defguard_core/src/db/models/enrollment.rs
index 7c9237c3ca..e0e0824d2e 100644
--- a/crates/defguard_core/src/db/models/enrollment.rs
+++ b/crates/defguard_core/src/db/models/enrollment.rs
@@ -394,7 +394,7 @@ impl User<Id> {
     /// This creates a new enrollment token valid for 24h
     /// and optionally sends enrollment email notification to user
     pub async fn start_enrollment(
-        &self,
+        &mut self,
         transaction: &mut PgConnection,
         admin: &User<Id>,
         email: Option<String>,
@@ -447,6 +447,11 @@ impl User<Id> {
             enrollment.id, self.username
         );
 
+        // Mark the user with enrollment-pending flag.
+        // https://github.com/DefGuard/client/issues/647
+        self.enrollment_pending = true;
+        self.save(&mut *transaction).await?;
+
         if send_user_notification {
             if let Some(email) = email {
                 debug!(
diff --git a/crates/defguard_core/src/db/models/group.rs b/crates/defguard_core/src/db/models/group.rs
index b9734fd4f6..017075934c 100644
--- a/crates/defguard_core/src/db/models/group.rs
+++ b/crates/defguard_core/src/db/models/group.rs
@@ -85,7 +85,7 @@ impl Group<Id> {
             "SELECT \"user\".id, username, password_hash, last_name, first_name, email, \
             phone, mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, \
             mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, \
-            from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path \
+            from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending \
             FROM \"user\" \
             JOIN group_user ON \"user\".id = group_user.user_id \
             WHERE group_user.group_id = $1",
diff --git a/crates/defguard_core/src/db/models/user.rs b/crates/defguard_core/src/db/models/user.rs
index df518b8bde..f545ed850d 100644
--- a/crates/defguard_core/src/db/models/user.rs
+++ b/crates/defguard_core/src/db/models/user.rs
@@ -96,6 +96,10 @@ pub struct User<I = NoId> {
     pub(crate) mfa_method: MFAMethod,
     #[model(ref)]
     pub(crate) recovery_codes: Vec<String>,
+    /// Indicates that an administrator has requested an enrollment token for this user.
+    /// Uninitialized clients should then guide the user through enrollment process.
+    /// Related issue: https://github.com/DefGuard/client/issues/647.
+    pub enrollment_pending: bool,
 }
 
 // TODO: Refactor the user struct to use SecretStringWrapper instead of this
@@ -122,6 +126,7 @@ impl<I: std::fmt::Debug> fmt::Debug for User<I> {
             email_mfa_secret: _,
             mfa_method,
             recovery_codes,
+            enrollment_pending,
         } = self;
 
         f.debug_struct("User")
@@ -148,6 +153,7 @@ impl<I: std::fmt::Debug> fmt::Debug for User<I> {
             .field("password_hash", &"***")
             .field("totp_secret", &"***")
             .field("email_mfa_secret", &"***")
+            .field("enrollment_pending", enrollment_pending)
             .finish()
     }
 }
@@ -201,6 +207,7 @@ impl User {
             ldap_pass_randomized: false,
             ldap_rdn: Some(username.clone()),
             ldap_user_path: None,
+            enrollment_pending: false,
         }
     }
 }
@@ -237,12 +244,17 @@ impl<I> User<I> {
         format!("{} {}", self.first_name, self.last_name)
     }
 
-    /// Check if user is enrolled.
-    /// We assume the user is enrolled if they have a password set
-    /// or they have logged in using an external OIDC.
+    /// Determines whether the user is considered enrolled.
+    ///
+    /// A user is treated as enrolled if:
+    /// - The `enrollment_pending` flag is **not** set, i.e. enrollment was not requested by an
+    ///   administrator (https://github.com/DefGuard/client/issues/647).
+    /// - They either have a password configured, have authenticated via an external OIDC provider
+    ///   or were synced from LDAP.
     #[must_use]
     pub fn is_enrolled(&self) -> bool {
-        self.password_hash.is_some() || self.openid_sub.is_some() || self.from_ldap
+        !self.enrollment_pending
+            && (self.password_hash.is_some() || self.openid_sub.is_some() || self.from_ldap)
     }
 
     #[must_use]
@@ -675,7 +687,7 @@ impl User<Id> {
             phone, mfa_enabled, totp_enabled, totp_secret, \
             email_mfa_enabled, email_mfa_secret, \
             mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, \
-            from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path \
+            from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending \
             FROM \"user\" \
             INNER JOIN \"group_user\" ON \"user\".id = \"group_user\".user_id \
             INNER JOIN \"group\" ON \"group_user\".group_id = \"group\".id \
@@ -826,7 +838,7 @@ impl User<Id> {
             "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, \
             totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, \
             mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, \
-            from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path \
+            from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending \
             FROM \"user\" WHERE username = $1",
             username
         )
@@ -846,7 +858,7 @@ impl User<Id> {
             "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, \
             totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, \
             mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, \
-            ldap_pass_randomized, ldap_rdn, ldap_user_path \
+            ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending \
             FROM \"user\" WHERE email ILIKE $1",
             email
         )
@@ -880,7 +892,8 @@ impl User<Id> {
         query_as(
             "SELECT id, username, password_hash, last_name, first_name, email, phone, \
             mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, \
-            mfa_method, recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path \
+            mfa_method, recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, \
+            ldap_rdn, ldap_user_path, enrollment_pending \
             FROM \"user\" WHERE email = ANY($1)",
         )
         .bind(emails)
@@ -900,7 +913,7 @@ impl User<Id> {
             "SELECT id, username, password_hash, last_name, first_name, email, phone, \
             mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, \
             mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, \
-            from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path \
+            from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending \
             FROM \"user\" WHERE openid_sub = $1",
             sub
         )
@@ -1129,8 +1142,9 @@ impl User<Id> {
             Self,
             "SELECT u.id, u.username, u.password_hash, u.last_name, u.first_name, u.email, \
             u.phone, u.mfa_enabled, u.totp_enabled, u.email_mfa_enabled, \
-            u.totp_secret, u.email_mfa_secret, u.mfa_method \"mfa_method: _\", u.recovery_codes, u.is_active, u.openid_sub, \
-            from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path \
+            u.totp_secret, u.email_mfa_secret, u.mfa_method \"mfa_method: _\", u.recovery_codes, \
+            u.is_active, u.openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, \
+            enrollment_pending \
             FROM \"user\" u \
             JOIN \"device\" d ON u.id = d.user_id \
             WHERE d.id = $1",
@@ -1152,7 +1166,8 @@ impl User<Id> {
         query_as(
             "SELECT id, username, password_hash, last_name, first_name, email, phone, \
             mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, \
-            mfa_method, recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path \
+            mfa_method, recovery_codes, is_active, openid_sub, from_ldap, ldap_pass_randomized, \
+            ldap_rdn, ldap_user_path, enrollment_pending \
             FROM \"user\" WHERE email NOT IN (SELECT * FROM UNNEST($1::TEXT[]))",
         )
         .bind(user_emails)
@@ -1181,7 +1196,7 @@ impl User<Id> {
             SELECT u.id, u.username, u.password_hash, u.last_name, u.first_name, u.email, \
             u.phone, u.mfa_enabled, u.totp_enabled, u.email_mfa_enabled, \
             u.totp_secret, u.email_mfa_secret, u.mfa_method \"mfa_method: _\", u.recovery_codes, u.is_active, u.openid_sub, \
-            from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path \
+            from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending \
             FROM \"user\" u \
             WHERE EXISTS (SELECT 1 FROM group_user gu LEFT JOIN \"group\" g ON gu.group_id = g.id \
             WHERE is_admin = true AND user_id = u.id) AND u.is_active = true"
@@ -1227,6 +1242,7 @@ impl Distribution<User<Id>> for Standard {
             ldap_pass_randomized: false,
             ldap_rdn: None,
             ldap_user_path: None,
+            enrollment_pending: false,
         }
     }
 }
@@ -1267,6 +1283,7 @@ impl Distribution<User<NoId>> for Standard {
             ldap_pass_randomized: false,
             ldap_rdn: None,
             ldap_user_path: None,
+            enrollment_pending: false,
         }
     }
 }
@@ -1625,4 +1642,60 @@ mod test {
         assert_eq!(users[0].id, user1.id);
         assert_eq!(users[1].id, albus.id);
     }
+
+    #[sqlx::test]
+    async fn test_user_is_enrolled(_: PgPoolOptions, options: PgConnectOptions) {
+        let pool = setup_pool(options).await;
+        let user = User::new(
+            "test",
+            Some("31071980"),
+            "harry",
+            "potter",
+            "harry@hogwart.edu.uk",
+            None,
+        );
+        let mut user = user.save(&pool).await.unwrap();
+
+        user.enrollment_pending = false;
+        user.password_hash = Some(hash_password("31071980").unwrap());
+        user.openid_sub = Some("sub".to_string());
+        user.from_ldap = true;
+        user.save(&pool).await.unwrap();
+        assert!(user.is_enrolled());
+
+        user.enrollment_pending = false;
+        user.password_hash = None;
+        user.openid_sub = Some("sub".to_string());
+        user.from_ldap = true;
+        user.save(&pool).await.unwrap();
+        assert!(user.is_enrolled());
+
+        user.enrollment_pending = false;
+        user.password_hash = None;
+        user.openid_sub = None;
+        user.from_ldap = true;
+        user.save(&pool).await.unwrap();
+        assert!(user.is_enrolled());
+
+        user.enrollment_pending = false;
+        user.password_hash = None;
+        user.openid_sub = None;
+        user.from_ldap = false;
+        user.save(&pool).await.unwrap();
+        assert!(!user.is_enrolled());
+
+        user.enrollment_pending = true;
+        user.password_hash = None;
+        user.openid_sub = None;
+        user.from_ldap = false;
+        user.save(&pool).await.unwrap();
+        assert!(!user.is_enrolled());
+
+        user.enrollment_pending = true;
+        user.password_hash = Some(hash_password("31071980").unwrap());
+        user.openid_sub = Some("sub".to_string());
+        user.from_ldap = true;
+        user.save(&pool).await.unwrap();
+        assert!(!user.is_enrolled());
+    }
 }
diff --git a/crates/defguard_core/src/enterprise/db/models/acl.rs b/crates/defguard_core/src/enterprise/db/models/acl.rs
index 22bb80774c..069a9ebe81 100644
--- a/crates/defguard_core/src/enterprise/db/models/acl.rs
+++ b/crates/defguard_core/src/enterprise/db/models/acl.rs
@@ -973,7 +973,7 @@ impl AclRule<Id> {
             "SELECT u.id, username, password_hash, last_name, first_name, email, phone, \
             mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, \
             mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, \
-            ldap_pass_randomized, ldap_rdn, ldap_user_path \
+            ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending \
             FROM aclruleuser r \
             JOIN \"user\" u \
             ON u.id = r.user_id \
@@ -999,7 +999,7 @@ impl AclRule<Id> {
             "SELECT u.id, username, password_hash, last_name, first_name, email, phone, \
             mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, \
             mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, \
-            ldap_pass_randomized, ldap_rdn, ldap_user_path \
+            ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending \
             FROM aclruleuser r \
             JOIN \"user\" u \
             ON u.id = r.user_id \
@@ -1180,7 +1180,7 @@ impl AclRuleInfo<Id> {
                 phone, mfa_enabled, totp_enabled, totp_secret, \
                 email_mfa_enabled, email_mfa_secret, \
                 mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, \
-                ldap_pass_randomized, ldap_rdn, ldap_user_path \
+                ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending \
                 FROM \"user\" \
                 WHERE is_active = true"
             )
@@ -1202,7 +1202,7 @@ impl AclRuleInfo<Id> {
             "SELECT id, username, password_hash, last_name, first_name, email, phone, mfa_enabled, \
             totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, \
             mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, \
-            from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path \
+            from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending \
             FROM \"user\" u \
             JOIN group_user gu ON u.id=gu.user_id \
             WHERE u.is_active=true AND gu.group_id=ANY($1)",
@@ -1241,7 +1241,7 @@ impl AclRuleInfo<Id> {
                 phone, mfa_enabled, totp_enabled, totp_secret, \
                 email_mfa_enabled, email_mfa_secret, \
                 mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, from_ldap, \
-                ldap_pass_randomized, ldap_rdn, ldap_user_path \
+                ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending \
                 FROM \"user\" \
                 WHERE is_active = true"
             )
@@ -1264,7 +1264,7 @@ impl AclRuleInfo<Id> {
                 phone, mfa_enabled, totp_enabled, totp_secret, \
                 email_mfa_enabled, email_mfa_secret, \
                 mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, \
-                from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path \
+                from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending \
                 FROM \"user\" u \
             JOIN group_user gu ON u.id=gu.user_id \
                 WHERE u.is_active=true AND gu.group_id=ANY($1)",
diff --git a/crates/defguard_core/src/enterprise/ldap/model.rs b/crates/defguard_core/src/enterprise/ldap/model.rs
index 79a295732d..0da8afc1c7 100644
--- a/crates/defguard_core/src/enterprise/ldap/model.rs
+++ b/crates/defguard_core/src/enterprise/ldap/model.rs
@@ -284,7 +284,7 @@ impl User<Id> {
             SELECT id, username, password_hash, last_name, first_name, email, phone, \
             mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, \
             mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, \
-            from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path \
+            from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending \
             FROM \"user\" WHERE ldap_user_path IS NULL
             ",
         )
diff --git a/crates/defguard_core/src/grpc/enrollment.rs b/crates/defguard_core/src/grpc/enrollment.rs
index ddf124c597..5c8796e162 100644
--- a/crates/defguard_core/src/grpc/enrollment.rs
+++ b/crates/defguard_core/src/grpc/enrollment.rs
@@ -459,6 +459,16 @@ impl EnrollmentServer {
             )?;
         }
 
+        // Unset the enrollment-pending flag (https://github.com/DefGuard/client/issues/647).
+        user.enrollment_pending = false;
+        user.save(&mut *transaction).await.map_err(|err| {
+            error!(
+                "Failed to unset enrollment_pending flag for user {}: {err}",
+                user.username
+            );
+            Status::internal("unexpected error")
+        })?;
+
         transaction.commit().await.map_err(|err| {
             error!("Failed to commit transaction: {err}");
             Status::internal("unexpected error")
diff --git a/crates/defguard_core/src/handlers/group.rs b/crates/defguard_core/src/handlers/group.rs
index a728b4ccc9..41bebed9d9 100644
--- a/crates/defguard_core/src/handlers/group.rs
+++ b/crates/defguard_core/src/handlers/group.rs
@@ -77,7 +77,7 @@ pub(crate) async fn bulk_assign_to_groups(
         "SELECT id, username, password_hash, last_name, first_name, email, \
             phone, mfa_enabled, totp_enabled, email_mfa_enabled, \
             totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_sub, \
-            from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path \
+            from_ldap, ldap_pass_randomized, ldap_rdn, ldap_user_path, enrollment_pending \
             FROM \"user\" WHERE id = ANY($1)",
         &data.users
     )
diff --git a/crates/defguard_core/src/handlers/user.rs b/crates/defguard_core/src/handlers/user.rs
index 5ea0e977d7..28fec53496 100644
--- a/crates/defguard_core/src/handlers/user.rs
+++ b/crates/defguard_core/src/handlers/user.rs
@@ -417,7 +417,7 @@ pub async fn start_enrollment(
         "Search for the user {} in database to get started with enrollment process.",
         username
     );
-    let Some(user) = User::find_by_username(&appstate.pool, &username).await? else {
+    let Some(mut user) = User::find_by_username(&appstate.pool, &username).await? else {
         error!("User {username} couldn't be found, enrollment aborted");
         return Err(WebError::ObjectNotFound(format!(
             "user {username} not found"
@@ -440,7 +440,7 @@ pub async fn start_enrollment(
         )
         .await?;
 
-    debug!("Try to commit transaction to save the enrollment token into the databse.");
+    debug!("Try to commit transaction to save the enrollment token into the database.");
     transaction.commit().await?;
     debug!("Transaction committed.");
 
diff --git a/crates/defguard_core/tests/integration/api/enrollment.rs b/crates/defguard_core/tests/integration/api/enrollment.rs
index 7068650a3d..5b42f7376c 100644
--- a/crates/defguard_core/tests/integration/api/enrollment.rs
+++ b/crates/defguard_core/tests/integration/api/enrollment.rs
@@ -1,5 +1,5 @@
 use defguard_core::{
-    db::models::enrollment::Token,
+    db::{User, models::enrollment::Token},
     handlers::{AddUserData, Auth},
 };
 use reqwest::StatusCode;
@@ -120,3 +120,161 @@ async fn test_enroll_disabled_user(_: PgPoolOptions, options: PgConnectOptions)
         .await;
     assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
 }
+
+#[sqlx::test]
+async fn test_enrollment_pending_unset_for_regular_user(
+    _: PgPoolOptions,
+    options: PgConnectOptions,
+) {
+    let pool = setup_pool(options).await;
+
+    let (client, pool) = make_client_with_db(pool).await;
+
+    let auth = Auth::new("admin", "pass123");
+    let response = client.post("/api/v1/auth").json(&auth).send().await;
+    assert_eq!(response.status(), StatusCode::OK);
+
+    // create user with password
+    let new_user = AddUserData {
+        username: "adumbledore".into(),
+        last_name: "Dumbledore".into(),
+        first_name: "Albus".into(),
+        email: "a.dumbledore@hogwart.edu.uk".into(),
+        phone: Some("1234".into()),
+        password: Some("Password1234543$!".into()),
+    };
+    let response = client.post("/api/v1/user").json(&new_user).send().await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+
+    let user = User::find_by_username(&pool, &new_user.username)
+        .await
+        .unwrap()
+        .unwrap();
+
+    // verify enrollment_pending flag is not set
+    assert!(!user.enrollment_pending);
+
+    // verify user is considered enrolled
+    assert!(user.is_enrolled());
+}
+
+#[sqlx::test]
+async fn test_request_enrollment(_: PgPoolOptions, options: PgConnectOptions) {
+    let pool = setup_pool(options).await;
+
+    let (client, pool) = make_client_with_db(pool).await;
+
+    let auth = Auth::new("admin", "pass123");
+    let response = client.post("/api/v1/auth").json(&auth).send().await;
+    assert_eq!(response.status(), StatusCode::OK);
+
+    // create user without password
+    let new_user = AddUserData {
+        username: "adumbledore".into(),
+        last_name: "Dumbledore".into(),
+        first_name: "Albus".into(),
+        email: "a.dumbledore@hogwart.edu.uk".into(),
+        phone: Some("1234".into()),
+        password: None,
+    };
+    let response = client.post("/api/v1/user").json(&new_user).send().await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+
+    let user = User::find_by_username(&pool, &new_user.username)
+        .await
+        .unwrap()
+        .unwrap();
+
+    // verify enrollment token was not created
+    let tokens = Token::fetch_all(&pool).await.unwrap();
+    assert_eq!(tokens.len(), 0);
+
+    // verify enrollment variables
+    assert!(!user.enrollment_pending);
+    assert!(!user.is_enrolled());
+
+    // request enrollment
+    let response = client
+        .post(format!("/api/v1/user/{}/start_enrollment", user.username))
+        .json(&json!({"email": user.email, "send_enrollment_notification": false}))
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+
+    // re-fetch the user
+    let user = User::find_by_username(&pool, &new_user.username)
+        .await
+        .unwrap()
+        .unwrap();
+
+    // verify enrollment variables
+    assert!(user.enrollment_pending);
+    assert!(!user.is_enrolled());
+
+    // verify enrollment token was created correctly
+    let tokens = Token::fetch_all(&pool).await.unwrap();
+    assert_eq!(tokens.len(), 1);
+    let token = tokens.first().unwrap();
+    assert!(token.used_at.is_none());
+}
+
+#[sqlx::test]
+async fn test_enrollment_pending_unset_for_desktop_client(
+    _: PgPoolOptions,
+    options: PgConnectOptions,
+) {
+    let pool = setup_pool(options).await;
+
+    let (client, pool) = make_client_with_db(pool).await;
+
+    let auth = Auth::new("admin", "pass123");
+    let response = client.post("/api/v1/auth").json(&auth).send().await;
+    assert_eq!(response.status(), StatusCode::OK);
+
+    // create user with password
+    let new_user = AddUserData {
+        username: "adumbledore".into(),
+        last_name: "Dumbledore".into(),
+        first_name: "Albus".into(),
+        email: "a.dumbledore@hogwart.edu.uk".into(),
+        phone: Some("1234".into()),
+        password: Some("Password1234543$!".into()),
+    };
+    let response = client.post("/api/v1/user").json(&new_user).send().await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+
+    // verify enrollment token was not created
+    let tokens = Token::fetch_all(&pool).await.unwrap();
+    assert_eq!(tokens.len(), 0);
+
+    let user = User::find_by_username(&pool, &new_user.username)
+        .await
+        .unwrap()
+        .unwrap();
+
+    // verify enrollment variables
+    assert!(!user.enrollment_pending);
+    assert!(user.is_enrolled());
+
+    // request device configuration
+    let response = client
+        .post("/api/v1/user/adumbledore/start_desktop")
+        .json(&json!({
+            "username": user.username,
+            "email": user.email,
+            "send_enrollment_notification": false
+        }))
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+
+    // verify enrollment token was created correctly
+    let tokens = Token::fetch_all(&pool).await.unwrap();
+    assert_eq!(tokens.len(), 1);
+    let token = tokens.first().unwrap();
+    assert!(token.used_at.is_none());
+
+    // verify enrollment variables
+    assert!(!user.enrollment_pending);
+    assert!(user.is_enrolled());
+}
diff --git a/migrations/20251030081542_user_enrollment_pending.down.sql b/migrations/20251030081542_user_enrollment_pending.down.sql
new file mode 100644
index 0000000000..2354958309
--- /dev/null
+++ b/migrations/20251030081542_user_enrollment_pending.down.sql
@@ -0,0 +1 @@
+ALTER TABLE "user" DROP COLUMN enrollment_pending;
diff --git a/migrations/20251030081542_user_enrollment_pending.up.sql b/migrations/20251030081542_user_enrollment_pending.up.sql
new file mode 100644
index 0000000000..e445c24d8b
--- /dev/null
+++ b/migrations/20251030081542_user_enrollment_pending.up.sql
@@ -0,0 +1 @@
+ALTER TABLE "user" ADD COLUMN enrollment_pending BOOLEAN NOT NULL DEFAULT false;

From dcfe3ed003d6bae337bde24f4ecadb1761980149 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jacek@defguard.net>
Date: Mon, 3 Nov 2025 09:47:48 +0100
Subject: [PATCH 28/50] allow "Apache-2.0 WITH LLVM-exception"

---
 deny.toml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/deny.toml b/deny.toml
index b40c3db21b..d303e40449 100644
--- a/deny.toml
+++ b/deny.toml
@@ -95,6 +95,7 @@ ignore = [
 allow = [
     "MIT",
     "Apache-2.0",
+    "Apache-2.0 WITH LLVM-exception",
     "MPL-2.0",
     "BSD-3-Clause",
     "Unicode-3.0",

From 9e8324802edf16ece36e743ea10a770176cdf1d1 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jacek@defguard.net>
Date: Mon, 3 Nov 2025 09:48:26 +0100
Subject: [PATCH 29/50] bump version to 1.6.0, bump dependencies

---
 Cargo.lock                        | 809 +++++++++++++-----------------
 crates/defguard_common/Cargo.toml |   2 +-
 2 files changed, 358 insertions(+), 453 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 2ae9c31040..436bc1792a 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2,15 +2,6 @@
 # It is not intended for manual editing.
 version = 4
 
-[[package]]
-name = "addr2line"
-version = "0.25.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1b5d307320b3181d6d7954e663bd7c774a838b8220fe0593c86d9fb09f498b4b"
-dependencies = [
- "gimli",
-]
-
 [[package]]
 name = "adler2"
 version = "2.0.1"
@@ -76,9 +67,9 @@ dependencies = [
 
 [[package]]
 name = "aho-corasick"
-version = "1.1.3"
+version = "1.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8e60d3430d3a69478ad0993f19238d2df97c507009a52b3c10addcd7f6bcb916"
+checksum = "ddd31a130427c27518df266943a5308ed92d4b226cc639f5a8f1002816174301"
 dependencies = [
  "memchr",
 ]
@@ -113,9 +104,9 @@ dependencies = [
 
 [[package]]
 name = "anstream"
-version = "0.6.20"
+version = "0.6.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3ae563653d1938f79b1ab1b5e668c87c76a9930414574a6583a7b7e11a8e6192"
+checksum = "43d5b281e737544384e969a5ccad3f1cdd24b48086a0fc1b2a5262a26b8f4f4a"
 dependencies = [
  "anstyle",
  "anstyle-parse",
@@ -167,6 +158,15 @@ version = "1.0.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"
 
+[[package]]
+name = "ar_archive_writer"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0c269894b6fe5e9d7ada0cf69b5bf847ff35bc25fc271f08e1d080fce80339a"
+dependencies = [
+ "object",
+]
+
 [[package]]
 name = "arbitrary"
 version = "1.4.2"
@@ -284,9 +284,9 @@ checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
 
 [[package]]
 name = "axum"
-version = "0.8.5"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "98e529aee37b5c8206bb4bf4c44797127566d72f76952c970bd3d1e85de8f4e2"
+checksum = "8a18ed336352031311f4e0b4dd2ff392d4fbb370777c9d18d7fc9d7359f73871"
 dependencies = [
  "axum-core",
  "bytes",
@@ -328,9 +328,9 @@ dependencies = [
 
 [[package]]
 name = "axum-core"
-version = "0.5.4"
+version = "0.5.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0ac7a6beb1182c7e30253ee75c3e918080bfb83f5a3023bcdf7209d85fd147e6"
+checksum = "59446ce19cd142f8833f856eb31f3eb097812d1479ab224f54d72428ca21ea22"
 dependencies = [
  "bytes",
  "futures-core",
@@ -347,9 +347,9 @@ dependencies = [
 
 [[package]]
 name = "axum-extra"
-version = "0.10.2"
+version = "0.10.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d86d701cd16f401888ebe9c3214dc838c7ef27a405d5726196765a913603b5dd"
+checksum = "9963ff19f40c6102c76756ef0a46004c0d58957d87259fc9208ff8441c12ab96"
 dependencies = [
  "axum",
  "axum-core",
@@ -372,21 +372,6 @@ dependencies = [
  "tracing",
 ]
 
-[[package]]
-name = "backtrace"
-version = "0.3.76"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bb531853791a215d7c62a30daf0dde835f381ab5de4589cfe7c649d2cbe92bd6"
-dependencies = [
- "addr2line",
- "cfg-if",
- "libc",
- "miniz_oxide",
- "object",
- "rustc-demangle",
- "windows-link 0.2.0",
-]
-
 [[package]]
 name = "base16ct"
 version = "0.2.0"
@@ -425,9 +410,9 @@ checksum = "55248b47b0caf0546f7988906588779981c43bb1bc9d0c44087278f80cdb44ba"
 
 [[package]]
 name = "base64urlsafedata"
-version = "0.5.2"
+version = "0.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e5913e643e4dfb43d5908e9e6f1386f8e0dfde086ecef124a6450c6195d89160"
+checksum = "215ee31f8a88f588c349ce2d20108b2ed96089b96b9c2b03775dc35dd72938e8"
 dependencies = [
  "base64 0.21.7",
  "pastey",
@@ -463,11 +448,11 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
 
 [[package]]
 name = "bitflags"
-version = "2.9.4"
+version = "2.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2261d10cca569e4643e526d8dc2e62e433cc8aba21ab764233731f8d369bf394"
+checksum = "812e12b5285cc515a9c72a5c1d3b6d46a19dac5acfef5265968c166106e31dd3"
 dependencies = [
- "serde",
+ "serde_core",
 ]
 
 [[package]]
@@ -521,9 +506,9 @@ dependencies = [
 
 [[package]]
 name = "bstr"
-version = "1.12.0"
+version = "1.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "234113d19d0d7d613b40e86fb654acf958910802bcceab913a4f9e7cda03b1a4"
+checksum = "63044e1ae8e69f3b5a92c736ca6269b8d12fa7efe39bf34ddb06d102cf0e2cab"
 dependencies = [
  "memchr",
  "serde",
@@ -580,9 +565,9 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.2.39"
+version = "1.2.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e1354349954c6fc9cb0deab020f27f783cf0b604e8bb754dc4658ecf0d29c35f"
+checksum = "37521ac7aabe3d13122dc382493e20c9416f299d2ccd5b3a5340a2570cdeb0f3"
 dependencies = [
  "find-msvc-tools",
  "jobserver",
@@ -601,9 +586,9 @@ dependencies = [
 
 [[package]]
 name = "cfg-if"
-version = "1.0.3"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2fd1289c04a9ea8cb22300a459a72a385d7c73d3259e2ed7dcb2af674838cfa9"
+checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
 
 [[package]]
 name = "cfg_aliases"
@@ -622,7 +607,7 @@ dependencies = [
  "num-traits",
  "serde",
  "wasm-bindgen",
- "windows-link 0.2.0",
+ "windows-link 0.2.1",
 ]
 
 [[package]]
@@ -675,9 +660,9 @@ checksum = "bba18ee93d577a8428902687bcc2b6b45a56b1981a1f6d779731c86cc4c5db18"
 
 [[package]]
 name = "clap"
-version = "4.5.48"
+version = "4.5.51"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e2134bb3ea021b78629caa971416385309e0131b351b25e01dc16fb54e1b5fae"
+checksum = "4c26d721170e0295f191a69bd9a1f93efcdb0aff38684b61ab5750468972e5f5"
 dependencies = [
  "clap_builder",
  "clap_derive",
@@ -685,9 +670,9 @@ dependencies = [
 
 [[package]]
 name = "clap_builder"
-version = "4.5.48"
+version = "4.5.51"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c2ba64afa3c0a6df7fa517765e31314e983f51dda798ffba27b988194fb65dc9"
+checksum = "75835f0c7bf681bfd05abe44e965760fea999a5286c6eb2d59883634fd02011a"
 dependencies = [
  "anstream",
  "anstyle",
@@ -697,9 +682,9 @@ dependencies = [
 
 [[package]]
 name = "clap_derive"
-version = "4.5.47"
+version = "4.5.49"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bbfd7eae0b0f1a6e63d4b13c9c478de77c2eb546fba158ad50b4203dc24b9f9c"
+checksum = "2a0b5487afeab2deb2ff4e03a807ad1a03ac532ff5a2cee5d86884440c7f7671"
 dependencies = [
  "heck",
  "proc-macro2",
@@ -709,9 +694,9 @@ dependencies = [
 
 [[package]]
 name = "clap_lex"
-version = "0.7.5"
+version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b94f61472cee1439c0b966b47e3aca9ae07e45d070759512cd390ea2bebc6675"
+checksum = "a1d728cc89cf3aee9ff92b05e62b19ee65a02b5702cff7d5a377e32c6ae29d8d"
 
 [[package]]
 name = "cmac"
@@ -1113,7 +1098,7 @@ dependencies = [
 
 [[package]]
 name = "defguard_common"
-version = "1.5.2"
+version = "1.6.0"
 dependencies = [
  "anyhow",
  "base64 0.22.1",
@@ -1184,7 +1169,7 @@ dependencies = [
  "secrecy",
  "semver",
  "serde",
- "serde_cbor_2",
+ "serde_cbor_2 0.12.0-dev",
  "serde_json",
  "serde_qs",
  "serde_urlencoded",
@@ -1329,9 +1314,9 @@ dependencies = [
 
 [[package]]
 name = "deranged"
-version = "0.5.4"
+version = "0.5.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a41953f86f8a05768a6cda24def994fd2f424b04ec5c719cf89989779f199071"
+checksum = "ececcb659e7ba858fb4f10388c250a7252eb0a27373f1a72b8748afdd248e587"
 dependencies = [
  "powerfmt",
  "serde_core",
@@ -1462,9 +1447,9 @@ dependencies = [
 
 [[package]]
 name = "document-features"
-version = "0.2.11"
+version = "0.2.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "95249b50c6c185bee49034bcb378a49dc2b5dff0be90ff6616d31d64febab05d"
+checksum = "d4b8a88685455ed29a21542a33abd9cb6510b6b129abadabdcef0f4c55bc8f61"
 dependencies = [
  "litrs",
 ]
@@ -1636,7 +1621,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
  "libc",
- "windows-sys 0.61.1",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -1686,9 +1671,9 @@ checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
 
 [[package]]
 name = "find-msvc-tools"
-version = "0.1.2"
+version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1ced73b1dacfc750a6db6c0a0c3a3853c8b41997e2e2c563dc90804ae6867959"
+checksum = "52051878f80a721bb68ebfbc930e07b65ba72f2da88968ea5c06fd6ca3d3a127"
 
 [[package]]
 name = "fixedbitset"
@@ -1698,9 +1683,9 @@ checksum = "1d674e81391d1e1ab681a28d99df07927c6d4aa5b027d7da16ba32d1d21ecd99"
 
 [[package]]
 name = "flate2"
-version = "1.1.2"
+version = "1.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4a3d7db9596fecd151c5f638c0ee5d5bd487b6e0ea232e5dc96d5250f6f94b1d"
+checksum = "bfe33edd8e85a12a67454e37f8c75e730830d83e313556ab9ebf9ee7fbeb3bfb"
 dependencies = [
  "crc32fast",
  "libz-rs-sys",
@@ -1882,9 +1867,9 @@ dependencies = [
 
 [[package]]
 name = "generic-array"
-version = "0.14.7"
+version = "0.14.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
+checksum = "4bb6743198531e02858aeaea5398fcc883e71851fcbcb5a2f773e2fb6cb1edf2"
 dependencies = [
  "typenum",
  "version_check",
@@ -1909,21 +1894,21 @@ dependencies = [
  "cfg-if",
  "js-sys",
  "libc",
- "wasi 0.11.1+wasi-snapshot-preview1",
+ "wasi",
  "wasm-bindgen",
 ]
 
 [[package]]
 name = "getrandom"
-version = "0.3.3"
+version = "0.3.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "26145e563e54f2cadc477553f1ec5ee650b00862f0a58bcd12cbdc5f0ea2d2f4"
+checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd"
 dependencies = [
  "cfg-if",
  "js-sys",
  "libc",
  "r-efi",
- "wasi 0.14.7+wasi-0.2.4",
+ "wasip2",
  "wasm-bindgen",
 ]
 
@@ -1937,19 +1922,13 @@ dependencies = [
  "polyval",
 ]
 
-[[package]]
-name = "gimli"
-version = "0.32.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e629b9b98ef3dd8afe6ca2bd0f89306cec16d43d907889945bc5d6687f2f13c7"
-
 [[package]]
 name = "git2"
 version = "0.20.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2deb07a133b1520dc1a5690e9bd08950108873d7ed5de38dcc74d3b5ebffa110"
 dependencies = [
- "bitflags 2.9.4",
+ "bitflags 2.10.0",
  "libc",
  "libgit2-sys",
  "log",
@@ -1958,9 +1937,9 @@ dependencies = [
 
 [[package]]
 name = "globset"
-version = "0.4.16"
+version = "0.4.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "54a1028dfc5f5df5da8a56a73e6c153c9a9708ec57232470703592a3f18e49f5"
+checksum = "52dfc19153a48bde0cbd630453615c8151bce3a5adfac7a0aebfbf0a1e1f57e3"
 dependencies = [
  "aho-corasick",
  "bstr",
@@ -1975,7 +1954,7 @@ version = "0.9.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0bf760ebf69878d9fd8f110c89703d90ce35095324d1f1edcb595c63945ee757"
 dependencies = [
- "bitflags 2.9.4",
+ "bitflags 2.10.0",
  "ignore",
  "walkdir",
 ]
@@ -2003,7 +1982,7 @@ dependencies = [
  "futures-core",
  "futures-sink",
  "http",
- "indexmap 2.11.4",
+ "indexmap 2.12.0",
  "slab",
  "tokio",
  "tokio-util",
@@ -2016,6 +1995,17 @@ version = "1.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1b43ede17f21864e81be2fa654110bf1e793774238d86ef8555c37e6519c0403"
 
+[[package]]
+name = "half"
+version = "2.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ea2d84b969582b4b1864a92dc5d27cd2b77b622a8d79306834f1be5ba20d84b"
+dependencies = [
+ "cfg-if",
+ "crunchy",
+ "zerocopy",
+]
+
 [[package]]
 name = "hashbrown"
 version = "0.12.3"
@@ -2114,11 +2104,11 @@ dependencies = [
 
 [[package]]
 name = "home"
-version = "0.5.11"
+version = "0.5.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "589533453244b0995c858700322199b2becb13b627df2851f64a2775d024abcf"
+checksum = "cc627f471c528ff0c4a49e1d5e60450c8f6461dd6d10ba9dcd3a61d3dff7728d"
 dependencies = [
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -2331,9 +2321,9 @@ dependencies = [
 
 [[package]]
 name = "icu_collections"
-version = "2.0.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "200072f5d0e3614556f94a9930d5dc3e0662a652823904c3a75dc3b0af7fee47"
+checksum = "4c6b649701667bbe825c3b7e6388cb521c23d88644678e83c0c4d0a621a34b43"
 dependencies = [
  "displaydoc",
  "potential_utf",
@@ -2344,9 +2334,9 @@ dependencies = [
 
 [[package]]
 name = "icu_locale_core"
-version = "2.0.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0cde2700ccaed3872079a65fb1a78f6c0a36c91570f28755dda67bc8f7d9f00a"
+checksum = "edba7861004dd3714265b4db54a3c390e880ab658fec5f7db895fae2046b5bb6"
 dependencies = [
  "displaydoc",
  "litemap",
@@ -2357,11 +2347,10 @@ dependencies = [
 
 [[package]]
 name = "icu_normalizer"
-version = "2.0.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "436880e8e18df4d7bbc06d58432329d6458cc84531f7ac5f024e93deadb37979"
+checksum = "5f6c8828b67bf8908d82127b2054ea1b4427ff0230ee9141c54251934ab1b599"
 dependencies = [
- "displaydoc",
  "icu_collections",
  "icu_normalizer_data",
  "icu_properties",
@@ -2372,42 +2361,38 @@ dependencies = [
 
 [[package]]
 name = "icu_normalizer_data"
-version = "2.0.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "00210d6893afc98edb752b664b8890f0ef174c8adbb8d0be9710fa66fbbf72d3"
+checksum = "7aedcccd01fc5fe81e6b489c15b247b8b0690feb23304303a9e560f37efc560a"
 
 [[package]]
 name = "icu_properties"
-version = "2.0.1"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "016c619c1eeb94efb86809b015c58f479963de65bdb6253345c1a1276f22e32b"
+checksum = "e93fcd3157766c0c8da2f8cff6ce651a31f0810eaa1c51ec363ef790bbb5fb99"
 dependencies = [
- "displaydoc",
  "icu_collections",
  "icu_locale_core",
  "icu_properties_data",
  "icu_provider",
- "potential_utf",
  "zerotrie",
  "zerovec",
 ]
 
 [[package]]
 name = "icu_properties_data"
-version = "2.0.1"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "298459143998310acd25ffe6810ed544932242d3f07083eee1084d83a71bd632"
+checksum = "02845b3647bb045f1100ecd6480ff52f34c35f82d9880e029d329c21d1054899"
 
 [[package]]
 name = "icu_provider"
-version = "2.0.0"
+version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "03c80da27b5f4187909049ee2d72f276f0d9f99a42c306bd0131ecfe04d8e5af"
+checksum = "85962cf0ce02e1e0a629cc34e7ca3e373ce20dda4c4d7294bbd0bf1fdb59e614"
 dependencies = [
  "displaydoc",
  "icu_locale_core",
- "stable_deref_trait",
- "tinystr",
  "writeable",
  "yoke",
  "zerofrom",
@@ -2453,9 +2438,9 @@ dependencies = [
 
 [[package]]
 name = "ignore"
-version = "0.4.23"
+version = "0.4.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6d89fd380afde86567dfba715db065673989d6253f42b88179abd3eae47bda4b"
+checksum = "d3d782a365a015e0f5c04902246139249abf769125006fbe7649e2ee88169b4a"
 dependencies = [
  "crossbeam-deque",
  "globset",
@@ -2480,9 +2465,9 @@ dependencies = [
 
 [[package]]
 name = "indexmap"
-version = "2.11.4"
+version = "2.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4b0f83760fb341a774ed326568e19f5a863af4a952def8c39f9ab92fd95b88e5"
+checksum = "6717a8d2a5a929a1a2eb43a12812498ed141a0bcfb7e8f7844fbdbe4303bba9f"
 dependencies = [
  "equivalent",
  "hashbrown 0.16.0",
@@ -2499,17 +2484,6 @@ dependencies = [
  "generic-array",
 ]
 
-[[package]]
-name = "io-uring"
-version = "0.7.10"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "046fa2d4d00aea763528b4950358d0ead425372445dc8ff86312b3c69ff7727b"
-dependencies = [
- "bitflags 2.9.4",
- "cfg-if",
- "libc",
-]
-
 [[package]]
 name = "ipnet"
 version = "2.11.0"
@@ -2537,9 +2511,9 @@ dependencies = [
 
 [[package]]
 name = "is_terminal_polyfill"
-version = "1.70.1"
+version = "1.70.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf"
+checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695"
 
 [[package]]
 name = "itertools"
@@ -2571,15 +2545,15 @@ version = "0.1.34"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9afb3de4395d6b3e67a780b6de64b51c978ecf11cb9a462c66be7d4ca9039d33"
 dependencies = [
- "getrandom 0.3.3",
+ "getrandom 0.3.4",
  "libc",
 ]
 
 [[package]]
 name = "js-sys"
-version = "0.3.81"
+version = "0.3.82"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ec48937a97411dcb524a265206ccd4c90bb711fca92b2792c407f268825b9305"
+checksum = "b011eec8cc36da2aab2d5cff675ec18454fad408585853910a202391cf9f8e65"
 dependencies = [
  "once_cell",
  "wasm-bindgen",
@@ -2685,9 +2659,9 @@ dependencies = [
 
 [[package]]
 name = "lettre"
-version = "0.11.18"
+version = "0.11.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5cb54db6ff7a89efac87dba5baeac57bb9ccd726b49a9b6f21fb92b3966aaf56"
+checksum = "9e13e10e8818f8b2a60f52cb127041d388b89f3a96a62be9ceaffa22262fef7f"
 dependencies = [
  "async-trait",
  "base64 0.22.1",
@@ -2713,9 +2687,9 @@ dependencies = [
 
 [[package]]
 name = "libc"
-version = "0.2.176"
+version = "0.2.177"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "58f929b4d672ea937a23a1ab494143d968337a5f47e56d0815df1e0890ddf174"
+checksum = "2874a2af47a2325c2001a6e6fad9b16a53b802102b528163885171cf92b15976"
 
 [[package]]
 name = "libgit2-sys"
@@ -2741,7 +2715,7 @@ version = "0.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "416f7e718bdb06000964960ffa43b4335ad4012ae8b99060261aa4a8088d5ccb"
 dependencies = [
- "bitflags 2.9.4",
+ "bitflags 2.10.0",
  "libc",
  "redox_syscall",
 ]
@@ -2785,23 +2759,22 @@ checksum = "df1d3c3b53da64cf5760482273a98e575c651a67eec7f77df96b5b642de8f039"
 
 [[package]]
 name = "litemap"
-version = "0.8.0"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "241eaef5fd12c88705a01fc1066c48c4b36e0dd4377dcdc7ec3942cea7a69956"
+checksum = "6373607a59f0be73a39b6fe456b8192fcc3585f602af20751600e974dd455e77"
 
 [[package]]
 name = "litrs"
-version = "0.4.2"
+version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f5e54036fe321fd421e10d732f155734c4e4afd610dd556d9a82833ab3ee0bed"
+checksum = "11d3d7f243d5c5a8b9bb5d6dd2b1602c0cb0b9db1621bafc7ed66e35ff9fe092"
 
 [[package]]
 name = "lock_api"
-version = "0.4.13"
+version = "0.4.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "96936507f153605bddfcda068dd804796c84324ed2510809e5b2a624c81da765"
+checksum = "224399e74b87b5f3557511d98dff8b14089b3dadafcab6bb93eab67d3aace965"
 dependencies = [
- "autocfg",
  "scopeguard",
 ]
 
@@ -2926,17 +2899,18 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316"
 dependencies = [
  "adler2",
+ "simd-adler32",
 ]
 
 [[package]]
 name = "mio"
-version = "1.0.4"
+version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "78bed444cc8a2160f01cbcf811ef18cac863ad68ae8ca62092e8db51d51c761c"
+checksum = "69d83b0086dc8ecf3ce9ae2874b2d1290252e2a30720bea58a5c6639b0092873"
 dependencies = [
  "libc",
- "wasi 0.11.1+wasi-snapshot-preview1",
- "windows-sys 0.59.0",
+ "wasi",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -3003,11 +2977,11 @@ checksum = "e9e591e719385e6ebaeb5ce5d3887f7d5676fceca6411d1925ccc95745f3d6f7"
 
 [[package]]
 name = "nu-ansi-term"
-version = "0.50.1"
+version = "0.50.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d4a28e057d01f97e61255210fcff094d74ed0466038633e95017f5beb68e4399"
+checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
 dependencies = [
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -3022,11 +2996,10 @@ dependencies = [
 
 [[package]]
 name = "num-bigint-dig"
-version = "0.8.4"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dc84195820f291c7697304f3cbdadd1cb7199c0efc917ff5eafd71225c136151"
+checksum = "82c79c15c05d4bf82b6f5ef163104cc81a760d8e874d38ac50ab67c8877b647b"
 dependencies = [
- "byteorder",
  "lazy_static",
  "libm",
  "num-integer",
@@ -3087,9 +3060,9 @@ dependencies = [
 
 [[package]]
 name = "num_enum"
-version = "0.7.4"
+version = "0.7.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a973b4e44ce6cad84ce69d797acf9a044532e4184c4f267913d1b546a0727b7a"
+checksum = "b1207a7e20ad57b847bbddc6776b968420d38292bbfe2089accff5e19e82454c"
 dependencies = [
  "num_enum_derive",
  "rustversion",
@@ -3097,9 +3070,9 @@ dependencies = [
 
 [[package]]
 name = "num_enum_derive"
-version = "0.7.4"
+version = "0.7.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "77e878c846a8abae00dd069496dbe8751b16ac1c3d6bd2a7283a938e8228f90d"
+checksum = "ff32365de1b6743cb203b710788263c44a03de03802daf96092f2da4fe6ba4d7"
 dependencies = [
  "proc-macro-crate",
  "proc-macro2",
@@ -3138,9 +3111,9 @@ dependencies = [
 
 [[package]]
 name = "object"
-version = "0.37.3"
+version = "0.32.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ff76201f031d8863c38aa7f905eca4f53abbfa15f609db4277d44cd8938f33fe"
+checksum = "a6a622008b6e321afc04970976f62ee297fdbaa6f95318ca343e3eebb9648441"
 dependencies = [
  "memchr",
 ]
@@ -3174,9 +3147,9 @@ checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
 
 [[package]]
 name = "once_cell_polyfill"
-version = "1.70.1"
+version = "1.70.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a4895175b425cb1f87721b59f0f286c2092bd4af812243672510e1ac53e2e0ad"
+checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
 
 [[package]]
 name = "opaque-debug"
@@ -3217,11 +3190,11 @@ dependencies = [
 
 [[package]]
 name = "openssl"
-version = "0.10.73"
+version = "0.10.74"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8505734d46c8ab1e19a1dce3aef597ad87dcb4c37e7188231769bd6bd51cebf8"
+checksum = "24ad14dd45412269e1a30f52ad8f0664f0f4f4a89ee8fe28c3b3527021ebb654"
 dependencies = [
- "bitflags 2.9.4",
+ "bitflags 2.10.0",
  "cfg-if",
  "foreign-types",
  "libc",
@@ -3249,9 +3222,9 @@ checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"
 
 [[package]]
 name = "openssl-sys"
-version = "0.9.109"
+version = "0.9.110"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "90096e2e47630d78b7d1c20952dc621f957103f8bc2c8359ec81290d75238571"
+checksum = "0a9f0075ba3c21b09f8e8b2026584b1d18d49388648f2fbbf3c97ea8deced8e2"
 dependencies = [
  "cc",
  "libc",
@@ -3336,9 +3309,9 @@ checksum = "f38d5652c16fde515bb1ecef450ab0f6a219d619a7274976324d5e377f7dceba"
 
 [[package]]
 name = "parking_lot"
-version = "0.12.4"
+version = "0.12.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "70d58bf43669b5795d1576d0641cfb6fbb2057bf629506267a92807158584a13"
+checksum = "93857453250e3077bd71ff98b6a65ea6621a19bb0f559a85248955ac12c45a1a"
 dependencies = [
  "lock_api",
  "parking_lot_core",
@@ -3346,15 +3319,15 @@ dependencies = [
 
 [[package]]
 name = "parking_lot_core"
-version = "0.9.11"
+version = "0.9.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bc838d2a56b5b1a6c25f55575dfc605fabb63bb2365f6c2353ef9159aa69e4a5"
+checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1"
 dependencies = [
  "cfg-if",
  "libc",
  "redox_syscall",
  "smallvec",
- "windows-targets 0.52.6",
+ "windows-link 0.2.1",
 ]
 
 [[package]]
@@ -3402,12 +3375,12 @@ checksum = "35fb2e5f958ec131621fdd531e9fc186ed768cbe395337403ae56c17a74c68ec"
 
 [[package]]
 name = "pem"
-version = "3.0.5"
+version = "3.0.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "38af38e8470ac9dee3ce1bae1af9c1671fffc44ddfd8bd1d0a3445bf349a8ef3"
+checksum = "1d30c53c26bc5b31a98cd02d20f25a7c8567146caf63ed593a9d87b2775291be"
 dependencies = [
  "base64 0.22.1",
- "serde",
+ "serde_core",
 ]
 
 [[package]]
@@ -3427,20 +3400,19 @@ checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"
 
 [[package]]
 name = "pest"
-version = "2.8.2"
+version = "2.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "21e0a3a33733faeaf8651dfee72dd0f388f0c8e5ad496a3478fa5a922f49cfa8"
+checksum = "989e7521a040efde50c3ab6bbadafbe15ab6dc042686926be59ac35d74607df4"
 dependencies = [
  "memchr",
- "thiserror 2.0.17",
  "ucd-trie",
 ]
 
 [[package]]
 name = "pest_derive"
-version = "2.8.2"
+version = "2.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bc58706f770acb1dbd0973e6530a3cff4746fb721207feb3a8a6064cd0b6c663"
+checksum = "187da9a3030dbafabbbfb20cb323b976dc7b7ce91fcd84f2f74d6e31d378e2de"
 dependencies = [
  "pest",
  "pest_generator",
@@ -3448,9 +3420,9 @@ dependencies = [
 
 [[package]]
 name = "pest_generator"
-version = "2.8.2"
+version = "2.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6d4f36811dfe07f7b8573462465d5cb8965fffc2e71ae377a33aecf14c2c9a2f"
+checksum = "49b401d98f5757ebe97a26085998d6c0eecec4995cad6ab7fc30ffdf4b052843"
 dependencies = [
  "pest",
  "pest_meta",
@@ -3461,9 +3433,9 @@ dependencies = [
 
 [[package]]
 name = "pest_meta"
-version = "2.8.2"
+version = "2.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "42919b05089acbd0a5dcd5405fb304d17d1053847b81163d09c4ad18ce8e8420"
+checksum = "72f27a2cfee9f9039c4d86faa5af122a0ac3851441a34865b8a043b46be0065a"
 dependencies = [
  "pest",
  "sha2",
@@ -3476,7 +3448,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3672b37090dbd86368a4145bc067582552b29c27377cad4e0a306c97f9bd7772"
 dependencies = [
  "fixedbitset",
- "indexmap 2.11.4",
+ "indexmap 2.12.0",
 ]
 
 [[package]]
@@ -3665,7 +3637,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "740ebea15c5d1428f910cd1a5f52cebf8d25006245ed8ade92702f4943d91e07"
 dependencies = [
  "base64 0.22.1",
- "indexmap 2.11.4",
+ "indexmap 2.12.0",
  "quick-xml",
  "serde",
  "time",
@@ -3685,9 +3657,9 @@ dependencies = [
 
 [[package]]
 name = "potential_utf"
-version = "0.1.3"
+version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "84df19adbe5b5a0782edcab45899906947ab039ccf4573713735ee7de1e6b08a"
+checksum = "b73949432f5e2a09657003c25bca5e19a0e9c84f8058ca374f49e0ebe605af77"
 dependencies = [
  "zerovec",
 ]
@@ -3743,9 +3715,9 @@ dependencies = [
 
 [[package]]
 name = "proc-macro2"
-version = "1.0.101"
+version = "1.0.103"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "89ae43fd86e4158d6db51ad8e2b80f313af9cc74f5c0e03ccb87de09998732de"
+checksum = "5ee95bc4ef87b8d5ba32e8b7714ccc834865276eab0aed5c9958d00ec45f49e8"
 dependencies = [
  "unicode-ident",
 ]
@@ -3812,10 +3784,11 @@ checksum = "33cb294fe86a74cbcf50d4445b37da762029549ebeea341421c7c70370f86cac"
 
 [[package]]
 name = "psm"
-version = "0.1.26"
+version = "0.1.28"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6e944464ec8536cd1beb0bbfd96987eb5e3b72f2ecdafdc5c769a37f1fa2ae1f"
+checksum = "d11f2fedc3b7dafdc2851bc52f277377c5473d378859be234bc7ebb593144d01"
 dependencies = [
+ "ar_archive_writer",
  "cc",
 ]
 
@@ -3835,7 +3808,7 @@ version = "0.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e8bbe1a966bd2f362681a44f6edce3c2310ac21e4d5067a6e7ec396297a6ea0"
 dependencies = [
- "bitflags 2.9.4",
+ "bitflags 2.10.0",
  "getopts",
  "memchr",
  "pulldown-cmark-escape",
@@ -3893,7 +3866,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f1906b49b0c3bc04b5fe5d86a77925ae6524a19b816ae38ce1e426255f1d8a31"
 dependencies = [
  "bytes",
- "getrandom 0.3.3",
+ "getrandom 0.3.4",
  "lru-slab",
  "rand 0.9.2",
  "ring",
@@ -4004,16 +3977,16 @@ version = "0.9.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "99d9a13982dcf210057a8a78572b2217b667c3beacbf3a0d8b454f6f82837d38"
 dependencies = [
- "getrandom 0.3.3",
+ "getrandom 0.3.4",
 ]
 
 [[package]]
 name = "redox_syscall"
-version = "0.5.17"
+version = "0.5.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5407465600fb0548f1442edf71dd20683c6ed326200ace4b1ef0763521bb3b77"
+checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d"
 dependencies = [
- "bitflags 2.9.4",
+ "bitflags 2.10.0",
 ]
 
 [[package]]
@@ -4038,9 +4011,9 @@ dependencies = [
 
 [[package]]
 name = "regex"
-version = "1.11.3"
+version = "1.12.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b5288124840bee7b386bc413c487869b360b2b4ec421ea56425128692f2a82c"
+checksum = "843bc0191f75f3e22651ae5f1e72939ab2f72a4bc30fa80a066bd66edefc24d4"
 dependencies = [
  "aho-corasick",
  "memchr",
@@ -4050,9 +4023,9 @@ dependencies = [
 
 [[package]]
 name = "regex-automata"
-version = "0.4.11"
+version = "0.4.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "833eb9ce86d40ef33cb1306d8accf7bc8ec2bfea4355cbdebb3df68b40925cad"
+checksum = "5276caf25ac86c8d810222b3dbb938e512c55c6831a10f3e6ed1c93b84041f1c"
 dependencies = [
  "aho-corasick",
  "memchr",
@@ -4061,15 +4034,15 @@ dependencies = [
 
 [[package]]
 name = "regex-syntax"
-version = "0.8.6"
+version = "0.8.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "caf4aa5b0f434c91fe5c7f1ecb6a5ece2130b02ad2a590589dda5146df959001"
+checksum = "7a2d987857b319362043e95f5353c0535c1f58eec5336fdfcf626430af7def58"
 
 [[package]]
 name = "reqwest"
-version = "0.12.23"
+version = "0.12.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d429f34c8092b2d42c7c93cec323bb4adeb7c67698f70839adec842ec10c7ceb"
+checksum = "9d0946410b9f7b082a427e4ef5c8ff541a88b357bc6c637c40db3a68ac70a36f"
 dependencies = [
  "base64 0.22.1",
  "bytes",
@@ -4171,9 +4144,9 @@ dependencies = [
 
 [[package]]
 name = "rust-embed"
-version = "8.7.2"
+version = "8.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "025908b8682a26ba8d12f6f2d66b987584a4a87bc024abc5bbc12553a8cd178a"
+checksum = "947d7f3fad52b283d261c4c99a084937e2fe492248cb9a68a8435a861b8798ca"
 dependencies = [
  "rust-embed-impl",
  "rust-embed-utils",
@@ -4182,9 +4155,9 @@ dependencies = [
 
 [[package]]
 name = "rust-embed-impl"
-version = "8.7.2"
+version = "8.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6065f1a4392b71819ec1ea1df1120673418bf386f50de1d6f54204d836d4349c"
+checksum = "5fa2c8c9e8711e10f9c4fd2d64317ef13feaab820a4c51541f1a8c8e2e851ab2"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -4195,9 +4168,9 @@ dependencies = [
 
 [[package]]
 name = "rust-embed-utils"
-version = "8.7.2"
+version = "8.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f6cc0c81648b20b70c491ff8cce00c1c3b223bb8ed2b5d41f0e54c6c4c0a3594"
+checksum = "60b161f275cb337fe0a44d924a5f4df0ed69c2c39519858f931ce61c779d3475"
 dependencies = [
  "globset",
  "sha2",
@@ -4215,12 +4188,6 @@ dependencies = [
  "trim-in-place",
 ]
 
-[[package]]
-name = "rustc-demangle"
-version = "0.1.26"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "56f7d92ca342cea22a06f2121d944b4fd82af56988c270852495420f961d4ace"
-
 [[package]]
 name = "rustc-hash"
 version = "2.1.1"
@@ -4251,18 +4218,18 @@ version = "1.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cd15f8a2c5551a84d56efdc1cd049089e409ac19a3072d5037a17fd70719ff3e"
 dependencies = [
- "bitflags 2.9.4",
+ "bitflags 2.10.0",
  "errno",
  "libc",
  "linux-raw-sys",
- "windows-sys 0.61.1",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
 name = "rustls"
-version = "0.23.32"
+version = "0.23.34"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cd3c25631629d034ce7cd9940adc9d45762d46de2b0f57193c4443b92c6d4d40"
+checksum = "6a9586e9ee2b4f8fab52a0048ca7334d7024eef48e2cb9407e3497bb7cab7fa7"
 dependencies = [
  "log",
  "once_cell",
@@ -4275,9 +4242,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-native-certs"
-version = "0.8.1"
+version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7fcff2dd52b58a8d98a70243663a0d234c4e2b79235637849d15913394a247d3"
+checksum = "9980d917ebb0c0536119ba501e90834767bffc3d60641457fd84a1f3fd337923"
 dependencies = [
  "openssl-probe",
  "rustls-pki-types",
@@ -4287,9 +4254,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-pki-types"
-version = "1.12.0"
+version = "1.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "229a4a4c221013e7e1f1a043678c5cc39fe5171437c88fb47151a21e6f5b5c79"
+checksum = "94182ad936a0c91c324cd46c6511b9510ed16af436d7b5bab34beab0afd55f7a"
 dependencies = [
  "web-time",
  "zeroize",
@@ -4297,9 +4264,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-webpki"
-version = "0.103.6"
+version = "0.103.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8572f3c2cb9934231157b45499fc41e1f58c589fdfb81a844ba873265e80f8eb"
+checksum = "2ffdfa2f5286e2247234e03f680868ac2815974dc39e00ea15adc445d0aafe52"
 dependencies = [
  "ring",
  "rustls-pki-types",
@@ -4333,7 +4300,7 @@ version = "0.1.28"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "891d81b926048e76efe18581bf793546b4c0eaf8448d72be8de2bbee5fd166e1"
 dependencies = [
- "windows-sys 0.61.1",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -4350,9 +4317,9 @@ dependencies = [
 
 [[package]]
 name = "schemars"
-version = "1.0.4"
+version = "1.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "82d20c4491bc164fa2f6c5d44565947a52ad80b9505d8e36f8d54c27c739fcd0"
+checksum = "1317c3bf3e7df961da95b0a56a172a02abead31276215a0497241a7624b487ce"
 dependencies = [
  "dyn-clone",
  "ref-cast",
@@ -4397,7 +4364,7 @@ version = "2.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02"
 dependencies = [
- "bitflags 2.9.4",
+ "bitflags 2.10.0",
  "core-foundation 0.9.4",
  "core-foundation-sys",
  "libc",
@@ -4410,7 +4377,7 @@ version = "3.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b3297343eaf830f66ede390ea39da1d462b6b0c1b000f420d0a83f898bbbe6ef"
 dependencies = [
- "bitflags 2.9.4",
+ "bitflags 2.10.0",
  "core-foundation 0.10.1",
  "core-foundation-sys",
  "libc",
@@ -4473,7 +4440,17 @@ version = "0.12.0-dev"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b46d75f449e01f1eddbe9b00f432d616fbbd899b809c837d0fbc380496a0dd55"
 dependencies = [
- "half",
+ "half 1.8.3",
+ "serde",
+]
+
+[[package]]
+name = "serde_cbor_2"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34aec2709de9078e077090abd848e967abab63c9fb3fdb5d4799ad359d8d482c"
+dependencies = [
+ "half 2.7.1",
  "serde",
 ]
 
@@ -4504,7 +4481,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b2f2d7ff8a2140333718bb329f5c40fc5f0865b84c426183ce14c97d2ab8154f"
 dependencies = [
  "form_urlencoded",
- "indexmap 2.11.4",
+ "indexmap 2.12.0",
  "itoa",
  "ryu",
  "serde_core",
@@ -4568,19 +4545,18 @@ dependencies = [
 
 [[package]]
 name = "serde_with"
-version = "3.14.1"
+version = "3.15.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c522100790450cf78eeac1507263d0a350d4d5b30df0c8e1fe051a10c22b376e"
+checksum = "aa66c845eee442168b2c8134fec70ac50dc20e760769c8ba0ad1319ca1959b04"
 dependencies = [
  "base64 0.22.1",
  "chrono",
  "hex",
  "indexmap 1.9.3",
- "indexmap 2.11.4",
+ "indexmap 2.12.0",
  "schemars 0.9.0",
- "schemars 1.0.4",
- "serde",
- "serde_derive",
+ "schemars 1.0.5",
+ "serde_core",
  "serde_json",
  "serde_with_macros",
  "time",
@@ -4588,9 +4564,9 @@ dependencies = [
 
 [[package]]
 name = "serde_with_macros"
-version = "3.14.1"
+version = "3.15.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "327ada00f7d64abaac1e55a6911e90cf665aa051b9a561c7006c157f4633135e"
+checksum = "b91a903660542fced4e99881aa481bdbaec1634568ee02e0b8bd57c64cb38955"
 dependencies = [
  "darling 0.21.3",
  "proc-macro2",
@@ -4604,7 +4580,7 @@ version = "0.9.34+deprecated"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
 dependencies = [
- "indexmap 2.11.4",
+ "indexmap 2.12.0",
  "itoa",
  "ryu",
  "serde",
@@ -4795,12 +4771,12 @@ dependencies = [
 
 [[package]]
 name = "socket2"
-version = "0.6.0"
+version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "233504af464074f9d066d7b5416c5f9b894a5862a6506e306f7b816cdd6f1807"
+checksum = "17129e116933cf371d018bb80ae557e889637989d8638274fb25622827b03881"
 dependencies = [
  "libc",
- "windows-sys 0.59.0",
+ "windows-sys 0.60.2",
 ]
 
 [[package]]
@@ -4854,7 +4830,7 @@ dependencies = [
  "futures-util",
  "hashbrown 0.15.5",
  "hashlink",
- "indexmap 2.11.4",
+ "indexmap 2.12.0",
  "ipnetwork",
  "log",
  "memchr",
@@ -4919,7 +4895,7 @@ checksum = "aa003f0038df784eb8fecbbac13affe3da23b45194bd57dba231c8f48199c526"
 dependencies = [
  "atoi",
  "base64 0.22.1",
- "bitflags 2.9.4",
+ "bitflags 2.10.0",
  "byteorder",
  "bytes",
  "chrono",
@@ -4963,7 +4939,7 @@ checksum = "db58fcd5a53cf07c184b154801ff91347e4c30d17a3562a635ff028ad5deda46"
 dependencies = [
  "atoi",
  "base64 0.22.1",
- "bitflags 2.9.4",
+ "bitflags 2.10.0",
  "byteorder",
  "chrono",
  "crc",
@@ -5064,15 +5040,15 @@ dependencies = [
 
 [[package]]
 name = "stable_deref_trait"
-version = "1.2.0"
+version = "1.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
+checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596"
 
 [[package]]
 name = "stacker"
-version = "0.1.21"
+version = "0.1.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cddb07e32ddb770749da91081d8d0ac3a16f1a569a18b20348cd371f5dead06b"
+checksum = "e1f8b29fb42aafcea4edeeb6b2f2d7ecd0d969c48b4cf0d2e64aafc471dd6e59"
 dependencies = [
  "cc",
  "cfg-if",
@@ -5172,9 +5148,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
 
 [[package]]
 name = "syn"
-version = "2.0.106"
+version = "2.0.108"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ede7c438028d4436d71104916910f5bb611972c5cfd7f89b8300a8186e6fada6"
+checksum = "da58917d35242480a05c2897064da0a80589a2a0476c9a3f2fdc83b53502e917"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -5207,7 +5183,7 @@ version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3c879d448e9d986b661742763247d3693ed13609438cf3d006f51f5368a5ba6b"
 dependencies = [
- "bitflags 2.9.4",
+ "bitflags 2.10.0",
  "core-foundation 0.9.4",
  "system-configuration-sys",
 ]
@@ -5235,10 +5211,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2d31c77bdf42a745371d260a26ca7163f1e0924b64afa0b688e61b5a9fa02f16"
 dependencies = [
  "fastrand",
- "getrandom 0.3.3",
+ "getrandom 0.3.4",
  "once_cell",
  "rustix",
- "windows-sys 0.61.1",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -5254,9 +5230,9 @@ dependencies = [
 
 [[package]]
 name = "tera"
-version = "1.20.0"
+version = "1.20.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ab9d851b45e865f178319da0abdbfe6acbc4328759ff18dafc3a41c16b4cd2ee"
+checksum = "e8004bca281f2d32df3bacd59bc67b312cb4c70cea46cbd79dbe8ac5ed206722"
 dependencies = [
  "chrono",
  "chrono-tz",
@@ -5271,7 +5247,7 @@ dependencies = [
  "serde",
  "serde_json",
  "slug",
- "unic-segment",
+ "unicode-segmentation",
 ]
 
 [[package]]
@@ -5367,9 +5343,9 @@ dependencies = [
 
 [[package]]
 name = "tinystr"
-version = "0.8.1"
+version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5d4f6d1145dcb577acf783d4e601bc1d76a13337bb54e6233add580b07344c8b"
+checksum = "42d3e9c45c09de15d06dd8acf5f4e0e399e85927b7f00711024eb7ae10fa4869"
 dependencies = [
  "displaydoc",
  "zerovec",
@@ -5392,28 +5368,25 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "tokio"
-version = "1.47.1"
+version = "1.48.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "89e49afdadebb872d3145a5638b59eb0691ea23e46ca484037cfab3b76b95038"
+checksum = "ff360e02eab121e0bc37a2d3b4d4dc622e6eda3a8e5253d5435ecf5bd4c68408"
 dependencies = [
- "backtrace",
  "bytes",
- "io-uring",
  "libc",
  "mio",
  "parking_lot",
  "pin-project-lite",
- "slab",
  "socket2",
  "tokio-macros",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
 name = "tokio-macros"
-version = "2.5.0"
+version = "2.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6e06d43f1345a3bcd39f6a56dbb7dcab2ba47e68e8ac134855e7e2bdbaf8cab8"
+checksum = "af407857209536a95c8e56f8231ef2c2e2aff839b22e07a1ffcbc617e9db9fa5"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -5454,9 +5427,9 @@ dependencies = [
 
 [[package]]
 name = "tokio-util"
-version = "0.7.16"
+version = "0.7.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "14307c986784f72ef81c89db7d9e28d6ac26d16213b109ea501696195e6e3ce5"
+checksum = "2efa149fe76073d6e8fd97ef4f4eca7b67f599660115591483572e406e165594"
 dependencies = [
  "bytes",
  "futures-core",
@@ -5467,20 +5440,20 @@ dependencies = [
 
 [[package]]
 name = "toml_datetime"
-version = "0.7.2"
+version = "0.7.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "32f1085dec27c2b6632b04c80b3bb1b4300d6495d1e129693bdda7d91e72eec1"
+checksum = "f2cdb639ebbc97961c51720f858597f7f24c4fc295327923af55b74c3c724533"
 dependencies = [
  "serde_core",
 ]
 
 [[package]]
 name = "toml_edit"
-version = "0.23.6"
+version = "0.23.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f3effe7c0e86fdff4f69cdd2ccc1b96f933e24811c5441d44904e8683e27184b"
+checksum = "6485ef6d0d9b5d0ec17244ff7eb05310113c3f316f2d14200d4de56b3cb98f8d"
 dependencies = [
- "indexmap 2.11.4",
+ "indexmap 2.12.0",
  "toml_datetime",
  "toml_parser",
  "winnow",
@@ -5488,9 +5461,9 @@ dependencies = [
 
 [[package]]
 name = "toml_parser"
-version = "1.0.3"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4cf893c33be71572e0e9aa6dd15e6677937abd686b066eac3f8cd3531688a627"
+checksum = "c0cbe268d35bdb4bb5a56a2de88d0ad0eb70af5384a99d648cd4b3d04039800e"
 dependencies = [
  "winnow",
 ]
@@ -5599,7 +5572,7 @@ checksum = "d039ad9159c98b70ecfd540b2573b97f7f52c3e8d9f8ad57a24b916a536975f9"
 dependencies = [
  "futures-core",
  "futures-util",
- "indexmap 2.11.4",
+ "indexmap 2.12.0",
  "pin-project-lite",
  "slab",
  "sync_wrapper",
@@ -5616,7 +5589,7 @@ version = "0.6.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "adc82fd73de2a9722ac5da747f12383d2bfdb93591ee6c58486e0097890f05f2"
 dependencies = [
- "bitflags 2.9.4",
+ "bitflags 2.10.0",
  "bytes",
  "futures-core",
  "futures-util",
@@ -5746,9 +5719,9 @@ dependencies = [
 
 [[package]]
 name = "typenum"
-version = "1.18.0"
+version = "1.19.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1dccffe3ce07af9386bfd29e80c0ab1a8205a2fc34e4bcd40364df902cfa8f3f"
+checksum = "562d481066bde0658276a35467c4af00bdc6ee726305698a55b86e61d7ad82bb"
 
 [[package]]
 name = "uaparser"
@@ -5770,56 +5743,6 @@ version = "0.1.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2896d95c02a80c6d6a5d6e953d479f5ddf2dfdb6a244441010e373ac0fb88971"
 
-[[package]]
-name = "unic-char-property"
-version = "0.9.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a8c57a407d9b6fa02b4795eb81c5b6652060a15a7903ea981f3d723e6c0be221"
-dependencies = [
- "unic-char-range",
-]
-
-[[package]]
-name = "unic-char-range"
-version = "0.9.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0398022d5f700414f6b899e10b8348231abf9173fa93144cbc1a43b9793c1fbc"
-
-[[package]]
-name = "unic-common"
-version = "0.9.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "80d7ff825a6a654ee85a63e80f92f054f904f21e7d12da4e22f9834a4aaa35bc"
-
-[[package]]
-name = "unic-segment"
-version = "0.9.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e4ed5d26be57f84f176157270c112ef57b86debac9cd21daaabbe56db0f88f23"
-dependencies = [
- "unic-ucd-segment",
-]
-
-[[package]]
-name = "unic-ucd-segment"
-version = "0.9.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2079c122a62205b421f499da10f3ee0f7697f012f55b675e002483c73ea34700"
-dependencies = [
- "unic-char-property",
- "unic-char-range",
- "unic-ucd-version",
-]
-
-[[package]]
-name = "unic-ucd-version"
-version = "0.9.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "96bd2f2237fe450fcd0a1d2f5f4e91711124f7857ba2e964247776ebeeb7b0c4"
-dependencies = [
- "unic-common",
-]
-
 [[package]]
 name = "unicase"
 version = "2.8.1"
@@ -5834,30 +5757,36 @@ checksum = "5c1cb5db39152898a79168971543b1cb5020dff7fe43c8dc468b0885f5e29df5"
 
 [[package]]
 name = "unicode-ident"
-version = "1.0.19"
+version = "1.0.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f63a545481291138910575129486daeaf8ac54aee4387fe7906919f7830c7d9d"
+checksum = "9312f7c4f6ff9069b165498234ce8be658059c6728633667c526e27dc2cf1df5"
 
 [[package]]
 name = "unicode-normalization"
-version = "0.1.24"
+version = "0.1.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5033c97c4262335cded6d6fc3e5c18ab755e1a3dc96376350f3d8e9f009ad956"
+checksum = "5fd4f6878c9cb28d874b009da9e8d183b5abc80117c40bbd187a1fde336be6e8"
 dependencies = [
  "tinyvec",
 ]
 
 [[package]]
 name = "unicode-properties"
-version = "0.1.3"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7df058c713841ad818f1dc5d3fd88063241cc61f49f5fbea4b951e8cf5a8d71d"
+
+[[package]]
+name = "unicode-segmentation"
+version = "1.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e70f2a8b45122e719eb623c01822704c4e0907e7e426a05927e1a1cfff5b75d0"
+checksum = "f6ccf251212114b54433ec949fd6a7841275f9ada20dddd2f29e9ceea4501493"
 
 [[package]]
 name = "unicode-width"
-version = "0.2.1"
+version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4a1a07cc7db3810833284e8d372ccdc6da29741639ecc70c9ec107df0fa6154c"
+checksum = "b4ac048d71ede7ee76d585517add45da530660ef4390e49b098733c6e897f254"
 
 [[package]]
 name = "unicode-xid"
@@ -5923,7 +5852,7 @@ version = "5.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2fcc29c80c21c31608227e0912b2d7fddba57ad76b606890627ba8ee7964e993"
 dependencies = [
- "indexmap 2.11.4",
+ "indexmap 2.12.0",
  "serde",
  "serde_json",
  "utoipa-gen",
@@ -5973,7 +5902,7 @@ version = "1.18.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2f87b8aa10b915a06587d0dec516c282ff295b475d94abf425d62b57710070a2"
 dependencies = [
- "getrandom 0.3.3",
+ "getrandom 0.3.4",
  "js-sys",
  "serde",
  "wasm-bindgen",
@@ -6061,15 +5990,6 @@ version = "0.11.1+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b"
 
-[[package]]
-name = "wasi"
-version = "0.14.7+wasi-0.2.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "883478de20367e224c0090af9cf5f9fa85bed63a95c1abf3afc5c083ebc06e8c"
-dependencies = [
- "wasip2",
-]
-
 [[package]]
 name = "wasip2"
 version = "1.0.1+wasi-0.2.4"
@@ -6087,9 +6007,9 @@ checksum = "b8dad83b4f25e74f184f64c43b150b91efe7647395b42289f38e50566d82855b"
 
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.104"
+version = "0.2.105"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c1da10c01ae9f1ae40cbfac0bac3b1e724b320abfcf52229f80b547c0d250e2d"
+checksum = "da95793dfc411fbbd93f5be7715b0578ec61fe87cb1a42b12eb625caa5c5ea60"
 dependencies = [
  "cfg-if",
  "once_cell",
@@ -6098,25 +6018,11 @@ dependencies = [
  "wasm-bindgen-shared",
 ]
 
-[[package]]
-name = "wasm-bindgen-backend"
-version = "0.2.104"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "671c9a5a66f49d8a47345ab942e2cb93c7d1d0339065d4f8139c486121b43b19"
-dependencies = [
- "bumpalo",
- "log",
- "proc-macro2",
- "quote",
- "syn",
- "wasm-bindgen-shared",
-]
-
 [[package]]
 name = "wasm-bindgen-futures"
-version = "0.4.54"
+version = "0.4.55"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7e038d41e478cc73bae0ff9b36c60cff1c98b8f38f8d7e8061e79ee63608ac5c"
+checksum = "551f88106c6d5e7ccc7cd9a16f312dd3b5d36ea8b4954304657d5dfba115d4a0"
 dependencies = [
  "cfg-if",
  "js-sys",
@@ -6127,9 +6033,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.104"
+version = "0.2.105"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7ca60477e4c59f5f2986c50191cd972e3a50d8a95603bc9434501cf156a9a119"
+checksum = "04264334509e04a7bf8690f2384ef5265f05143a4bff3889ab7a3269adab59c2"
 dependencies = [
  "quote",
  "wasm-bindgen-macro-support",
@@ -6137,22 +6043,22 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.104"
+version = "0.2.105"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9f07d2f20d4da7b26400c9f4a0511e6e0345b040694e8a75bd41d578fa4421d7"
+checksum = "420bc339d9f322e562942d52e115d57e950d12d88983a14c79b86859ee6c7ebc"
 dependencies = [
+ "bumpalo",
  "proc-macro2",
  "quote",
  "syn",
- "wasm-bindgen-backend",
  "wasm-bindgen-shared",
 ]
 
 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.104"
+version = "0.2.105"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bad67dc8b2a1a6e5448428adec4c3e84c43e561d8c9ee8a9e5aabeb193ec41d1"
+checksum = "76f218a38c84bcb33c25ec7059b07847d465ce0e0a76b995e134a45adcb6af76"
 dependencies = [
  "unicode-ident",
 ]
@@ -6172,9 +6078,9 @@ dependencies = [
 
 [[package]]
 name = "web-sys"
-version = "0.3.81"
+version = "0.3.82"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9367c417a924a74cae129e6a2ae3b47fabb1f8995595ab474029da749a8be120"
+checksum = "3a1f95c0d03a47f4ae1f7a64643a6bb97465d9b740f0fa8f90ea33915c99a9a1"
 dependencies = [
  "js-sys",
  "wasm-bindgen",
@@ -6204,9 +6110,9 @@ dependencies = [
 
 [[package]]
 name = "webauthn-attestation-ca"
-version = "0.5.2"
+version = "0.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "384e43534efe4e8f56c4eb1615a27e24d2ff29281385c843cf9f16ac1077dbdc"
+checksum = "f77a2892ec44032e6c48dad9aad1b05fada09c346ada11d8d32db119b4b4f205"
 dependencies = [
  "base64urlsafedata",
  "openssl",
@@ -6218,9 +6124,9 @@ dependencies = [
 
 [[package]]
 name = "webauthn-authenticator-rs"
-version = "0.5.2"
+version = "0.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "720d11d7d7408e6c7cf65ab4d79b1f96c2a531df4e469e12656d6b814bdcd1b1"
+checksum = "45f8fe3811c8d6c6830d263452670a608fd4dcdfc481349bd4d1e6a46d6c7a0f"
 dependencies = [
  "async-stream",
  "async-trait",
@@ -6236,7 +6142,7 @@ dependencies = [
  "openssl-sys",
  "serde",
  "serde_bytes",
- "serde_cbor_2",
+ "serde_cbor_2 0.13.0",
  "serde_json",
  "thiserror 1.0.69",
  "tokio",
@@ -6251,9 +6157,9 @@ dependencies = [
 
 [[package]]
 name = "webauthn-rs"
-version = "0.5.2"
+version = "0.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed1f861a94557baeb0cf711e3e55d623c46b68f4aab7aa932562f785b8b5f1ab"
+checksum = "eb7c3a2f9c8bddd524e47bbd427bcf3a28aa074de55d74470b42a91a41937b8e"
 dependencies = [
  "base64urlsafedata",
  "serde",
@@ -6265,9 +6171,9 @@ dependencies = [
 
 [[package]]
 name = "webauthn-rs-core"
-version = "0.5.2"
+version = "0.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "269c210cd5f183aaca860bb5733187d1dd110ebed54640f8fc1aca31a04aa4dc"
+checksum = "19f1d80f3146382529fe70a3ab5d0feb2413a015204ed7843f9377cd39357fc4"
 dependencies = [
  "base64 0.21.7",
  "base64urlsafedata",
@@ -6279,7 +6185,7 @@ dependencies = [
  "rand 0.8.5",
  "rand_chacha 0.3.1",
  "serde",
- "serde_cbor_2",
+ "serde_cbor_2 0.13.0",
  "serde_json",
  "thiserror 1.0.69",
  "tracing",
@@ -6292,9 +6198,9 @@ dependencies = [
 
 [[package]]
 name = "webauthn-rs-proto"
-version = "0.5.2"
+version = "0.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "144dbee9abb4bfad78fd283a2613f0312a0ed5955051b7864cfc98679112ae60"
+checksum = "9e786894f89facb9aaf1c5f6559670236723c98382e045521c76f3d5ca5047bd"
 dependencies = [
  "base64 0.21.7",
  "base64urlsafedata",
@@ -6305,9 +6211,9 @@ dependencies = [
 
 [[package]]
 name = "webpki-roots"
-version = "1.0.2"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7e8983c3ab33d6fb807cfcdad2491c4ea8cbc8ed839181c7dfd9c67c83e261b2"
+checksum = "b2878ef029c47c6e8cf779119f20fcf52bde7ad42a731b2a304bc221df17571e"
 dependencies = [
  "rustls-pki-types",
 ]
@@ -6328,27 +6234,27 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.61.1",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
 name = "windows-core"
-version = "0.62.1"
+version = "0.62.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6844ee5416b285084d3d3fffd743b925a6c9385455f64f6d4fa3031c4c2749a9"
+checksum = "b8e83a14d34d0623b51dce9581199302a221863196a1dde71a7663a4c2be9deb"
 dependencies = [
  "windows-implement",
  "windows-interface",
- "windows-link 0.2.0",
- "windows-result 0.4.0",
- "windows-strings 0.5.0",
+ "windows-link 0.2.1",
+ "windows-result 0.4.1",
+ "windows-strings 0.5.1",
 ]
 
 [[package]]
 name = "windows-implement"
-version = "0.60.1"
+version = "0.60.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "edb307e42a74fb6de9bf3a02d9712678b22399c87e6fa869d6dfcd8c1b7754e0"
+checksum = "053e2e040ab57b9dc951b72c264860db7eb3b0200ba345b4e4c3b14f67855ddf"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -6357,9 +6263,9 @@ dependencies = [
 
 [[package]]
 name = "windows-interface"
-version = "0.59.2"
+version = "0.59.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c0abd1ddbc6964ac14db11c7213d6532ef34bd9aa042c2e5935f59d7908b46a5"
+checksum = "3f316c4a2570ba26bbec722032c4099d8c8bc095efccdc15688708623367e358"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -6374,9 +6280,9 @@ checksum = "5e6ad25900d524eaabdbbb96d20b4311e1e7ae1699af4fb28c17ae66c80d798a"
 
 [[package]]
 name = "windows-link"
-version = "0.2.0"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "45e46c0661abb7180e7b9c281db115305d49ca1709ab8242adf09666d2173c65"
+checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
 
 [[package]]
 name = "windows-registry"
@@ -6400,11 +6306,11 @@ dependencies = [
 
 [[package]]
 name = "windows-result"
-version = "0.4.0"
+version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7084dcc306f89883455a206237404d3eaf961e5bd7e0f312f7c91f57eb44167f"
+checksum = "7781fa89eaf60850ac3d2da7af8e5242a5ea78d1a11c49bf2910bb5a73853eb5"
 dependencies = [
- "windows-link 0.2.0",
+ "windows-link 0.2.1",
 ]
 
 [[package]]
@@ -6418,11 +6324,11 @@ dependencies = [
 
 [[package]]
 name = "windows-strings"
-version = "0.5.0"
+version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7218c655a553b0bed4426cf54b20d7ba363ef543b52d515b3e48d7fd55318dda"
+checksum = "7837d08f69c77cf6b07689544538e017c1bfcf57e34b4c0ff58e6c2cd3b37091"
 dependencies = [
- "windows-link 0.2.0",
+ "windows-link 0.2.1",
 ]
 
 [[package]]
@@ -6458,16 +6364,16 @@ version = "0.60.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f2f500e4d28234f72040990ec9d39e3a6b950f9f22d3dba18416c35882612bcb"
 dependencies = [
- "windows-targets 0.53.4",
+ "windows-targets 0.53.5",
 ]
 
 [[package]]
 name = "windows-sys"
-version = "0.61.1"
+version = "0.61.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6f109e41dd4a3c848907eb83d5a42ea98b3769495597450cf6d153507b166f0f"
+checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
 dependencies = [
- "windows-link 0.2.0",
+ "windows-link 0.2.1",
 ]
 
 [[package]]
@@ -6503,19 +6409,19 @@ dependencies = [
 
 [[package]]
 name = "windows-targets"
-version = "0.53.4"
+version = "0.53.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2d42b7b7f66d2a06854650af09cfdf8713e427a439c97ad65a6375318033ac4b"
+checksum = "4945f9f551b88e0d65f3db0bc25c33b8acea4d9e41163edf90dcd0b19f9069f3"
 dependencies = [
- "windows-link 0.2.0",
- "windows_aarch64_gnullvm 0.53.0",
- "windows_aarch64_msvc 0.53.0",
- "windows_i686_gnu 0.53.0",
- "windows_i686_gnullvm 0.53.0",
- "windows_i686_msvc 0.53.0",
- "windows_x86_64_gnu 0.53.0",
- "windows_x86_64_gnullvm 0.53.0",
- "windows_x86_64_msvc 0.53.0",
+ "windows-link 0.2.1",
+ "windows_aarch64_gnullvm 0.53.1",
+ "windows_aarch64_msvc 0.53.1",
+ "windows_i686_gnu 0.53.1",
+ "windows_i686_gnullvm 0.53.1",
+ "windows_i686_msvc 0.53.1",
+ "windows_x86_64_gnu 0.53.1",
+ "windows_x86_64_gnullvm 0.53.1",
+ "windows_x86_64_msvc 0.53.1",
 ]
 
 [[package]]
@@ -6532,9 +6438,9 @@ checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
 
 [[package]]
 name = "windows_aarch64_gnullvm"
-version = "0.53.0"
+version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "86b8d5f90ddd19cb4a147a5fa63ca848db3df085e25fee3cc10b39b6eebae764"
+checksum = "a9d8416fa8b42f5c947f8482c43e7d89e73a173cead56d044f6a56104a6d1b53"
 
 [[package]]
 name = "windows_aarch64_msvc"
@@ -6550,9 +6456,9 @@ checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
 
 [[package]]
 name = "windows_aarch64_msvc"
-version = "0.53.0"
+version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c7651a1f62a11b8cbd5e0d42526e55f2c99886c77e007179efff86c2b137e66c"
+checksum = "b9d782e804c2f632e395708e99a94275910eb9100b2114651e04744e9b125006"
 
 [[package]]
 name = "windows_i686_gnu"
@@ -6568,9 +6474,9 @@ checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b"
 
 [[package]]
 name = "windows_i686_gnu"
-version = "0.53.0"
+version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c1dc67659d35f387f5f6c479dc4e28f1d4bb90ddd1a5d3da2e5d97b42d6272c3"
+checksum = "960e6da069d81e09becb0ca57a65220ddff016ff2d6af6a223cf372a506593a3"
 
 [[package]]
 name = "windows_i686_gnullvm"
@@ -6580,9 +6486,9 @@ checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
 
 [[package]]
 name = "windows_i686_gnullvm"
-version = "0.53.0"
+version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9ce6ccbdedbf6d6354471319e781c0dfef054c81fbc7cf83f338a4296c0cae11"
+checksum = "fa7359d10048f68ab8b09fa71c3daccfb0e9b559aed648a8f95469c27057180c"
 
 [[package]]
 name = "windows_i686_msvc"
@@ -6598,9 +6504,9 @@ checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
 
 [[package]]
 name = "windows_i686_msvc"
-version = "0.53.0"
+version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "581fee95406bb13382d2f65cd4a908ca7b1e4c2f1917f143ba16efe98a589b5d"
+checksum = "1e7ac75179f18232fe9c285163565a57ef8d3c89254a30685b57d83a38d326c2"
 
 [[package]]
 name = "windows_x86_64_gnu"
@@ -6616,9 +6522,9 @@ checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
 
 [[package]]
 name = "windows_x86_64_gnu"
-version = "0.53.0"
+version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2e55b5ac9ea33f2fc1716d1742db15574fd6fc8dadc51caab1c16a3d3b4190ba"
+checksum = "9c3842cdd74a865a8066ab39c8a7a473c0778a3f29370b5fd6b4b9aa7df4a499"
 
 [[package]]
 name = "windows_x86_64_gnullvm"
@@ -6634,9 +6540,9 @@ checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
 
 [[package]]
 name = "windows_x86_64_gnullvm"
-version = "0.53.0"
+version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0a6e035dd0599267ce1ee132e51c27dd29437f63325753051e71dd9e42406c57"
+checksum = "0ffa179e2d07eee8ad8f57493436566c7cc30ac536a3379fdf008f47f6bb7ae1"
 
 [[package]]
 name = "windows_x86_64_msvc"
@@ -6652,9 +6558,9 @@ checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
 
 [[package]]
 name = "windows_x86_64_msvc"
-version = "0.53.0"
+version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "271414315aff87387382ec3d271b52d7ae78726f5d44ac98b4f4030c91880486"
+checksum = "d6bbff5f0aada427a1e5a6da5f1f98158182f26556f345ac9e04d36d0ebed650"
 
 [[package]]
 name = "winnow"
@@ -6673,9 +6579,9 @@ checksum = "f17a85883d4e6d00e8a97c586de764dabcc06133f7f1d55dce5cdc070ad7fe59"
 
 [[package]]
 name = "writeable"
-version = "0.6.1"
+version = "0.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ea2f10b9bb0928dfb1b42b65e1f9e36f7f54dbdf08457afefb38afcdec4fa2bb"
+checksum = "9edde0db4769d2dc68579893f2306b26c6ecfbe0ef499b013d731b7b9247e0b9"
 
 [[package]]
 name = "wyz"
@@ -6726,11 +6632,10 @@ dependencies = [
 
 [[package]]
 name = "yoke"
-version = "0.8.0"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5f41bb01b8226ef4bfd589436a297c53d118f65921786300e427be8d487695cc"
+checksum = "72d6e5c6afb84d73944e5cedb052c4680d5657337201555f9f2a16b7406d4954"
 dependencies = [
- "serde",
  "stable_deref_trait",
  "yoke-derive",
  "zerofrom",
@@ -6738,9 +6643,9 @@ dependencies = [
 
 [[package]]
 name = "yoke-derive"
-version = "0.8.0"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "38da3c9736e16c5d3c8c597a9aaa5d1fa565d0532ae05e27c24aa62fb32c0ab6"
+checksum = "b659052874eb698efe5b9e8cf382204678a0086ebf46982b79d6ca3182927e5d"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -6811,9 +6716,9 @@ dependencies = [
 
 [[package]]
 name = "zerotrie"
-version = "0.2.2"
+version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "36f0bbd478583f79edad978b407914f61b2972f5af6fa089686016be8f9af595"
+checksum = "2a59c17a5562d507e4b54960e8569ebee33bee890c70aa3fe7b97e85a9fd7851"
 dependencies = [
  "displaydoc",
  "yoke",
@@ -6822,9 +6727,9 @@ dependencies = [
 
 [[package]]
 name = "zerovec"
-version = "0.11.4"
+version = "0.11.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e7aa2bd55086f1ab526693ecbe444205da57e25f4489879da80635a46d90e73b"
+checksum = "6c28719294829477f525be0186d13efa9a3c602f7ec202ca9e353d310fb9a002"
 dependencies = [
  "yoke",
  "zerofrom",
@@ -6833,9 +6738,9 @@ dependencies = [
 
 [[package]]
 name = "zerovec-derive"
-version = "0.11.1"
+version = "0.11.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5b96237efa0c878c64bd89c436f661be4e46b2f3eff1ebb976f7ef2321d2f58f"
+checksum = "eadce39539ca5cb3985590102671f2567e659fca9666581ad3411d59207951f3"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -6851,7 +6756,7 @@ dependencies = [
  "arbitrary",
  "crc32fast",
  "flate2",
- "indexmap 2.11.4",
+ "indexmap 2.12.0",
  "memchr",
  "zopfli",
 ]
@@ -6864,9 +6769,9 @@ checksum = "2f06ae92f42f5e5c42443fd094f245eb656abf56dd7cce9b8b263236565e00f2"
 
 [[package]]
 name = "zopfli"
-version = "0.8.2"
+version = "0.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "edfc5ee405f504cd4984ecc6f14d02d55cfda60fa4b689434ef4102aae150cd7"
+checksum = "f05cd8797d63865425ff89b5c4a48804f35ba0ce8d125800027ad6017d2b5249"
 dependencies = [
  "bumpalo",
  "crc32fast",
diff --git a/crates/defguard_common/Cargo.toml b/crates/defguard_common/Cargo.toml
index 2bc3053fcf..1855788cb0 100644
--- a/crates/defguard_common/Cargo.toml
+++ b/crates/defguard_common/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "defguard_common"
-version = "1.5.2"
+version = "1.6.0"
 edition.workspace = true
 license-file.workspace = true
 homepage.workspace = true

From 37b76a6043c998172e18eaf91f4540ccc1ff39c7 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jacek@defguard.net>
Date: Mon, 3 Nov 2025 09:49:47 +0100
Subject: [PATCH 30/50] remove unnecessary cargo-deny ignores

---
 deny.toml | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/deny.toml b/deny.toml
index d303e40449..4bbfa288c1 100644
--- a/deny.toml
+++ b/deny.toml
@@ -72,12 +72,6 @@ feature-depth = 1
 ignore = [
     { id = "RUSTSEC-2023-0071", reason = "https://github.com/RustCrypto/RSA/issues/19" },
     { id = "RUSTSEC-2024-0436", reason = "Unmaintained dependency of tera" },
-    { id = "RUSTSEC-2025-0098", reason = "Unmaintained dependency of tera" },
-    { id = "RUSTSEC-2025-0104", reason = "Unmaintained dependency of tera" },
-    { id = "RUSTSEC-2025-0074", reason = "Unmaintained dependency of tera" },
-    { id = "RUSTSEC-2025-0080", reason = "Unmaintained dependency of tera" },
-    { id = "RUSTSEC-2025-0075", reason = "Unmaintained dependency of tera" },
-    { id = "RUSTSEC-2025-0081", reason = "Unmaintained dependency of tera" },
 ]
 # If this is true, then cargo deny will use the git executable to fetch advisory database.
 # If this is false, then it uses a built-in git library.

From 4c97ccee5e83dde22edfc78bed9950ce92845f8a Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jacek@defguard.net>
Date: Mon, 3 Nov 2025 09:59:06 +0100
Subject: [PATCH 31/50] pnpm update

---
 web/package.json   |   46 +-
 web/pnpm-lock.yaml | 1312 ++++++++++++++++++++++----------------------
 2 files changed, 691 insertions(+), 667 deletions(-)

diff --git a/web/package.json b/web/package.json
index 72f2c3acba..f9871491d5 100644
--- a/web/package.json
+++ b/web/package.json
@@ -50,17 +50,17 @@
     "@react-rxjs/core": "^0.10.8",
     "@stablelib/base64": "^2.0.1",
     "@stablelib/x25519": "^2.0.1",
-    "@tanstack/query-core": "^5.90.2",
-    "@tanstack/react-query": "^5.90.2",
+    "@tanstack/query-core": "^5.90.6",
+    "@tanstack/react-query": "^5.90.6",
     "@tanstack/react-virtual": "3.13.12",
     "@tanstack/virtual-core": "3.13.12",
     "@use-gesture/react": "^10.3.1",
-    "axios": "^1.12.2",
+    "axios": "^1.13.1",
     "byte-size": "^9.0.1",
     "classnames": "^2.5.1",
     "clsx": "^2.1.1",
     "date-fns": "^4.1.0",
-    "dayjs": "^1.11.18",
+    "dayjs": "^1.11.19",
     "deepmerge-ts": "^7.1.5",
     "detect-browser": "^5.3.0",
     "dice-coefficient": "^2.1.1",
@@ -70,7 +70,7 @@
     "fuse.js": "^7.1.0",
     "get-text-width": "^1.0.3",
     "hex-rgb": "^5.0.0",
-    "html-react-parser": "^5.2.6",
+    "html-react-parser": "^5.2.7",
     "humanize-duration": "^3.33.1",
     "ipaddr.js": "^2.2.0",
     "itertools": "^2.5.0",
@@ -78,19 +78,19 @@
     "lodash-es": "^4.17.21",
     "merge-refs": "^2.0.0",
     "millify": "^6.1.0",
-    "motion": "^12.23.22",
+    "motion": "^12.23.24",
     "numbro": "^2.5.0",
     "qrcode": "^1.5.4",
     "qs": "^6.14.0",
     "radash": "^12.1.1",
-    "react": "^19.1.1",
+    "react": "^19.2.0",
     "react-click-away-listener": "^2.4.0",
-    "react-datepicker": "^8.7.0",
-    "react-dom": "^19.1.1",
-    "react-hook-form": "^7.63.0",
+    "react-datepicker": "^8.8.0",
+    "react-dom": "^19.2.0",
+    "react-hook-form": "^7.66.0",
     "react-idle-timer": "^5.7.2",
     "react-intersection-observer": "^9.16.0",
-    "react-is": "^19.1.1",
+    "react-is": "^19.2.0",
     "react-loading-skeleton": "^3.5.0",
     "react-markdown": "^10.1.0",
     "react-qr-code": "^2.0.18",
@@ -99,7 +99,7 @@
     "react-router-dom": "^6.30.1",
     "react-tracked": "^2.0.1",
     "react-virtualized-auto-sizer": "^1.0.26",
-    "recharts": "^3.2.1",
+    "recharts": "^3.3.0",
     "rehype-external-links": "^3.0.0",
     "rehype-raw": "^7.0.0",
     "rehype-sanitize": "^6.0.0",
@@ -107,12 +107,12 @@
     "scheduler": "^0.26.0",
     "text-case": "^1.2.9",
     "typesafe-i18n": "^5.26.2",
-    "use-breakpoint": "^4.0.6",
+    "use-breakpoint": "^4.0.10",
     "zod": "^3.25.76",
     "zustand": "^5.0.8"
   },
   "devDependencies": {
-    "@babel/core": "^7.28.4",
+    "@babel/core": "^7.28.5",
     "@biomejs/biome": "2.2.2",
     "@csstools/css-parser-algorithms": "^3.0.5",
     "@csstools/css-tokenizer": "^3.0.4",
@@ -122,24 +122,24 @@
     "@types/file-saver": "^2.0.7",
     "@types/humanize-duration": "^3.27.4",
     "@types/lodash-es": "^4.17.12",
-    "@types/node": "^24.5.2",
+    "@types/node": "^24.10.0",
     "@types/qs": "^6.14.0",
-    "@types/react": "^19.1.13",
-    "@types/react-dom": "^19.1.9",
+    "@types/react": "^19.2.2",
+    "@types/react-dom": "^19.2.2",
     "@types/react-router-dom": "^5.3.3",
-    "@vitejs/plugin-react-swc": "^4.1.0",
+    "@vitejs/plugin-react-swc": "^4.2.0",
     "autoprefixer": "^10.4.21",
     "concurrently": "^9.2.1",
-    "dotenv": "^17.2.2",
-    "esbuild": "^0.25.10",
-    "globals": "^16.4.0",
+    "dotenv": "^17.2.3",
+    "esbuild": "^0.25.12",
+    "globals": "^16.5.0",
     "postcss": "^8.5.6",
     "prettier": "^3.6.2",
     "sass": "~1.70.0",
     "standard-version": "^9.5.0",
     "type-fest": "^4.41.0",
-    "typescript": "~5.9.2",
-    "vite": "^7.1.7",
+    "typescript": "~5.9.3",
+    "vite": "^7.1.12",
     "vite-plugin-package-version": "^1.1.0"
   }
 }
diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml
index a8738b8914..da8c3eb2ae 100644
--- a/web/pnpm-lock.yaml
+++ b/web/pnpm-lock.yaml
@@ -10,19 +10,19 @@ importers:
     dependencies:
       '@floating-ui/react':
         specifier: ^0.27.16
-        version: 0.27.16(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
+        version: 0.27.16(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       '@github/webauthn-json':
         specifier: ^2.1.1
         version: 2.1.1
       '@hookform/resolvers':
         specifier: ^5.2.2
-        version: 5.2.2(react-hook-form@7.63.0(react@19.1.1))
+        version: 5.2.2(react-hook-form@7.66.0(react@19.2.0))
       '@react-hook/resize-observer':
         specifier: ^2.0.2
-        version: 2.0.2(react@19.1.1)
+        version: 2.0.2(react@19.2.0)
       '@react-rxjs/core':
         specifier: ^0.10.8
-        version: 0.10.8(react@19.1.1)(rxjs@7.8.2)
+        version: 0.10.8(react@19.2.0)(rxjs@7.8.2)
       '@stablelib/base64':
         specifier: ^2.0.1
         version: 2.0.1
@@ -30,23 +30,23 @@ importers:
         specifier: ^2.0.1
         version: 2.0.1
       '@tanstack/query-core':
-        specifier: ^5.90.2
-        version: 5.90.2
+        specifier: ^5.90.6
+        version: 5.90.6
       '@tanstack/react-query':
-        specifier: ^5.90.2
-        version: 5.90.2(react@19.1.1)
+        specifier: ^5.90.6
+        version: 5.90.6(react@19.2.0)
       '@tanstack/react-virtual':
         specifier: 3.13.12
-        version: 3.13.12(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
+        version: 3.13.12(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       '@tanstack/virtual-core':
         specifier: 3.13.12
         version: 3.13.12
       '@use-gesture/react':
         specifier: ^10.3.1
-        version: 10.3.1(react@19.1.1)
+        version: 10.3.1(react@19.2.0)
       axios:
-        specifier: ^1.12.2
-        version: 1.12.2
+        specifier: ^1.13.1
+        version: 1.13.1
       byte-size:
         specifier: ^9.0.1
         version: 9.0.1
@@ -60,8 +60,8 @@ importers:
         specifier: ^4.1.0
         version: 4.1.0
       dayjs:
-        specifier: ^1.11.18
-        version: 1.11.18
+        specifier: ^1.11.19
+        version: 1.11.19
       deepmerge-ts:
         specifier: ^7.1.5
         version: 7.1.5
@@ -90,8 +90,8 @@ importers:
         specifier: ^5.0.0
         version: 5.0.0
       html-react-parser:
-        specifier: ^5.2.6
-        version: 5.2.6(@types/react@19.1.13)(react@19.1.1)
+        specifier: ^5.2.7
+        version: 5.2.7(@types/react@19.2.2)(react@19.2.0)
       humanize-duration:
         specifier: ^3.33.1
         version: 3.33.1
@@ -109,13 +109,13 @@ importers:
         version: 4.17.21
       merge-refs:
         specifier: ^2.0.0
-        version: 2.0.0(@types/react@19.1.13)
+        version: 2.0.0(@types/react@19.2.2)
       millify:
         specifier: ^6.1.0
         version: 6.1.0
       motion:
-        specifier: ^12.23.22
-        version: 12.23.22(@emotion/is-prop-valid@1.4.0)(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
+        specifier: ^12.23.24
+        version: 12.23.24(@emotion/is-prop-valid@1.4.0)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       numbro:
         specifier: ^2.5.0
         version: 2.5.0
@@ -129,56 +129,56 @@ importers:
         specifier: ^12.1.1
         version: 12.1.1
       react:
-        specifier: ^19.1.1
-        version: 19.1.1
+        specifier: ^19.2.0
+        version: 19.2.0
       react-click-away-listener:
         specifier: ^2.4.0
-        version: 2.4.0(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
+        version: 2.4.0(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       react-datepicker:
-        specifier: ^8.7.0
-        version: 8.7.0(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
+        specifier: ^8.8.0
+        version: 8.8.0(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       react-dom:
-        specifier: ^19.1.1
-        version: 19.1.1(react@19.1.1)
+        specifier: ^19.2.0
+        version: 19.2.0(react@19.2.0)
       react-hook-form:
-        specifier: ^7.63.0
-        version: 7.63.0(react@19.1.1)
+        specifier: ^7.66.0
+        version: 7.66.0(react@19.2.0)
       react-idle-timer:
         specifier: ^5.7.2
-        version: 5.7.2(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
+        version: 5.7.2(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       react-intersection-observer:
         specifier: ^9.16.0
-        version: 9.16.0(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
+        version: 9.16.0(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       react-is:
-        specifier: ^19.1.1
-        version: 19.1.1
+        specifier: ^19.2.0
+        version: 19.2.0
       react-loading-skeleton:
         specifier: ^3.5.0
-        version: 3.5.0(react@19.1.1)
+        version: 3.5.0(react@19.2.0)
       react-markdown:
         specifier: ^10.1.0
-        version: 10.1.0(@types/react@19.1.13)(react@19.1.1)
+        version: 10.1.0(@types/react@19.2.2)(react@19.2.0)
       react-qr-code:
         specifier: ^2.0.18
-        version: 2.0.18(react@19.1.1)
+        version: 2.0.18(react@19.2.0)
       react-resize-detector:
         specifier: ^12.3.0
-        version: 12.3.0(react@19.1.1)
+        version: 12.3.0(react@19.2.0)
       react-router:
         specifier: ^6.30.1
-        version: 6.30.1(react@19.1.1)
+        version: 6.30.1(react@19.2.0)
       react-router-dom:
         specifier: ^6.30.1
-        version: 6.30.1(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
+        version: 6.30.1(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       react-tracked:
         specifier: ^2.0.1
-        version: 2.0.1(react@19.1.1)(scheduler@0.26.0)
+        version: 2.0.1(react@19.2.0)(scheduler@0.26.0)
       react-virtualized-auto-sizer:
         specifier: ^1.0.26
-        version: 1.0.26(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
+        version: 1.0.26(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       recharts:
-        specifier: ^3.2.1
-        version: 3.2.1(@types/react@19.1.13)(react-dom@19.1.1(react@19.1.1))(react-is@19.1.1)(react@19.1.1)(redux@5.0.1)
+        specifier: ^3.3.0
+        version: 3.3.0(@types/react@19.2.2)(react-dom@19.2.0(react@19.2.0))(react-is@19.2.0)(react@19.2.0)(redux@5.0.1)
       rehype-external-links:
         specifier: ^3.0.0
         version: 3.0.0
@@ -199,20 +199,20 @@ importers:
         version: 1.2.9
       typesafe-i18n:
         specifier: ^5.26.2
-        version: 5.26.2(typescript@5.9.2)
+        version: 5.26.2(typescript@5.9.3)
       use-breakpoint:
-        specifier: ^4.0.6
-        version: 4.0.6(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
+        specifier: ^4.0.10
+        version: 4.0.10(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       zod:
         specifier: ^3.25.76
         version: 3.25.76
       zustand:
         specifier: ^5.0.8
-        version: 5.0.8(@types/react@19.1.13)(immer@10.1.3)(react@19.1.1)(use-sync-external-store@1.5.0(react@19.1.1))
+        version: 5.0.8(@types/react@19.2.2)(immer@10.2.0)(react@19.2.0)(use-sync-external-store@1.6.0(react@19.2.0))
     devDependencies:
       '@babel/core':
-        specifier: ^7.28.4
-        version: 7.28.4
+        specifier: ^7.28.5
+        version: 7.28.5
       '@biomejs/biome':
         specifier: 2.2.2
         version: 2.2.2
@@ -224,10 +224,10 @@ importers:
         version: 3.0.4
       '@hookform/devtools':
         specifier: ^4.4.0
-        version: 4.4.0(@types/react@19.1.13)(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
+        version: 4.4.0(@types/react@19.2.2)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       '@tanstack/react-query-devtools':
         specifier: ^5.90.2
-        version: 5.90.2(@tanstack/react-query@5.90.2(react@19.1.1))(react@19.1.1)
+        version: 5.90.2(@tanstack/react-query@5.90.6(react@19.2.0))(react@19.2.0)
       '@types/byte-size':
         specifier: ^8.1.2
         version: 8.1.2
@@ -241,23 +241,23 @@ importers:
         specifier: ^4.17.12
         version: 4.17.12
       '@types/node':
-        specifier: ^24.5.2
-        version: 24.5.2
+        specifier: ^24.10.0
+        version: 24.10.0
       '@types/qs':
         specifier: ^6.14.0
         version: 6.14.0
       '@types/react':
-        specifier: ^19.1.13
-        version: 19.1.13
+        specifier: ^19.2.2
+        version: 19.2.2
       '@types/react-dom':
-        specifier: ^19.1.9
-        version: 19.1.9(@types/react@19.1.13)
+        specifier: ^19.2.2
+        version: 19.2.2(@types/react@19.2.2)
       '@types/react-router-dom':
         specifier: ^5.3.3
         version: 5.3.3
       '@vitejs/plugin-react-swc':
-        specifier: ^4.1.0
-        version: 4.1.0(vite@7.1.7(@types/node@24.5.2)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))
+        specifier: ^4.2.0
+        version: 4.2.0(vite@7.1.12(@types/node@24.10.0)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))
       autoprefixer:
         specifier: ^10.4.21
         version: 10.4.21(postcss@8.5.6)
@@ -265,14 +265,14 @@ importers:
         specifier: ^9.2.1
         version: 9.2.1
       dotenv:
-        specifier: ^17.2.2
-        version: 17.2.2
+        specifier: ^17.2.3
+        version: 17.2.3
       esbuild:
-        specifier: ^0.25.10
-        version: 0.25.10
+        specifier: ^0.25.12
+        version: 0.25.12
       globals:
-        specifier: ^16.4.0
-        version: 16.4.0
+        specifier: ^16.5.0
+        version: 16.5.0
       postcss:
         specifier: ^8.5.6
         version: 8.5.6
@@ -289,14 +289,14 @@ importers:
         specifier: ^4.41.0
         version: 4.41.0
       typescript:
-        specifier: ~5.9.2
-        version: 5.9.2
+        specifier: ~5.9.3
+        version: 5.9.3
       vite:
-        specifier: ^7.1.7
-        version: 7.1.7(@types/node@24.5.2)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
+        specifier: ^7.1.12
+        version: 7.1.12(@types/node@24.10.0)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
       vite-plugin-package-version:
         specifier: ^1.1.0
-        version: 1.1.0(vite@7.1.7(@types/node@24.5.2)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))
+        version: 1.1.0(vite@7.1.12(@types/node@24.10.0)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))
 
 packages:
 
@@ -304,16 +304,16 @@ packages:
     resolution: {integrity: sha512-cjQ7ZlQ0Mv3b47hABuTevyTuYN4i+loJKGeV9flcCgIK37cCXRh+L1bd3iBHlynerhQ7BhCkn2BPbQUL+rGqFg==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/compat-data@7.28.4':
-    resolution: {integrity: sha512-YsmSKC29MJwf0gF8Rjjrg5LQCmyh+j/nD8/eP7f+BeoQTKYqs9RoWbjGOdy0+1Ekr68RJZMUOPVQaQisnIo4Rw==}
+  '@babel/compat-data@7.28.5':
+    resolution: {integrity: sha512-6uFXyCayocRbqhZOB+6XcuZbkMNimwfVGFji8CTZnCzOHVGvDqzvitu1re2AU5LROliz7eQPhB8CpAMvnx9EjA==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/core@7.28.4':
-    resolution: {integrity: sha512-2BCOP7TN8M+gVDj7/ht3hsaO/B/n5oDbiAyyvnRlNOs+u1o+JWNYTQrmpuNp1/Wq2gcFrI01JAW+paEKDMx/CA==}
+  '@babel/core@7.28.5':
+    resolution: {integrity: sha512-e7jT4DxYvIDLk1ZHmU/m/mB19rex9sv0c2ftBtjSBv+kVM/902eh0fINUzD7UwLLNR+jU585GxUJ8/EBfAM5fw==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/generator@7.28.3':
-    resolution: {integrity: sha512-3lSpxGgvnmZznmBkCRnVREPUFJv2wrv9iAoFDvADJc0ypmdOxdUtcLeBgBJ6zE0PMeTKnxeQzyk0xTBq4Ep7zw==}
+  '@babel/generator@7.28.5':
+    resolution: {integrity: sha512-3EwLFhZ38J4VyIP6WNtt2kUdW9dokXA9Cr4IVIFHuCpZ3H8/YFOl5JjZHisrn1fATPBmKKqXzDFvh9fUwHz6CQ==}
     engines: {node: '>=6.9.0'}
 
   '@babel/helper-compilation-targets@7.27.2':
@@ -338,8 +338,8 @@ packages:
     resolution: {integrity: sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/helper-validator-identifier@7.27.1':
-    resolution: {integrity: sha512-D2hP9eA+Sqx1kBZgzxZh0y1trbuU+JoDkiEwqhQ36nodYqJwyEIhPSdMNd7lOm/4io72luTPWH20Yda0xOuUow==}
+  '@babel/helper-validator-identifier@7.28.5':
+    resolution: {integrity: sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q==}
     engines: {node: '>=6.9.0'}
 
   '@babel/helper-validator-option@7.27.1':
@@ -350,8 +350,8 @@ packages:
     resolution: {integrity: sha512-HFN59MmQXGHVyYadKLVumYsA9dBFun/ldYxipEjzA4196jpLZd8UjEEBLkbEkvfYreDqJhZxYAWFPtrfhNpj4w==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/parser@7.28.4':
-    resolution: {integrity: sha512-yZbBqeM6TkpP9du/I2pUZnJsRMGGvOuIrhjzC1AwHwW+6he4mni6Bp/m8ijn0iOuZuPI2BfkCoSRunpyjnrQKg==}
+  '@babel/parser@7.28.5':
+    resolution: {integrity: sha512-KKBU1VGYR7ORr3At5HAtUQ+TV3SzRCXmA/8OdDZiLDBIZxVyzXuztPjfLd3BV1PRAQGCMWWSHYhL0F8d5uHBDQ==}
     engines: {node: '>=6.0.0'}
     hasBin: true
 
@@ -363,12 +363,12 @@ packages:
     resolution: {integrity: sha512-LPDZ85aEJyYSd18/DkjNh4/y1ntkE5KwUHWTiqgRxruuZL2F1yuHligVHLvcHY2vMHXttKFpJn6LwfI7cw7ODw==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/traverse@7.28.4':
-    resolution: {integrity: sha512-YEzuboP2qvQavAcjgQNVgsvHIDv6ZpwXvcvjmyySP2DIMuByS/6ioU5G9pYrWHM6T2YDfc7xga9iNzYOs12CFQ==}
+  '@babel/traverse@7.28.5':
+    resolution: {integrity: sha512-TCCj4t55U90khlYkVV/0TfkJkAkUg3jZFA3Neb7unZT8CPok7iiRfaX0F+WnqWqt7OxhOn0uBKXCw4lbL8W0aQ==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/types@7.28.4':
-    resolution: {integrity: sha512-bkFqkLhh3pMBUQQkpVgWDWq/lqzc2678eUyDlTBhRqhCHFguYYGM0Efga7tYk4TogG/3x0EEl66/OQ+WGbWB/Q==}
+  '@babel/types@7.28.5':
+    resolution: {integrity: sha512-qQ5m48eI/MFLQ5PxQj4PFaprjyCTLI37ElWMmNs0K8Lk3dVeOdNpB3ks8jc7yM5CDmVC73eMVk/trk3fgmrUpA==}
     engines: {node: '>=6.9.0'}
 
   '@biomejs/biome@2.2.2':
@@ -488,158 +488,158 @@ packages:
   '@emotion/weak-memoize@0.4.0':
     resolution: {integrity: sha512-snKqtPW01tN0ui7yu9rGv69aJXr/a/Ywvl11sUjNtEcRc+ng/mQriFL0wLXMef74iHa/EkftbDzU9F8iFbH+zg==}
 
-  '@esbuild/aix-ppc64@0.25.10':
-    resolution: {integrity: sha512-0NFWnA+7l41irNuaSVlLfgNT12caWJVLzp5eAVhZ0z1qpxbockccEt3s+149rE64VUI3Ml2zt8Nv5JVc4QXTsw==}
+  '@esbuild/aix-ppc64@0.25.12':
+    resolution: {integrity: sha512-Hhmwd6CInZ3dwpuGTF8fJG6yoWmsToE+vYgD4nytZVxcu1ulHpUQRAB1UJ8+N1Am3Mz4+xOByoQoSZf4D+CpkA==}
     engines: {node: '>=18'}
     cpu: [ppc64]
     os: [aix]
 
-  '@esbuild/android-arm64@0.25.10':
-    resolution: {integrity: sha512-LSQa7eDahypv/VO6WKohZGPSJDq5OVOo3UoFR1E4t4Gj1W7zEQMUhI+lo81H+DtB+kP+tDgBp+M4oNCwp6kffg==}
+  '@esbuild/android-arm64@0.25.12':
+    resolution: {integrity: sha512-6AAmLG7zwD1Z159jCKPvAxZd4y/VTO0VkprYy+3N2FtJ8+BQWFXU+OxARIwA46c5tdD9SsKGZ/1ocqBS/gAKHg==}
     engines: {node: '>=18'}
     cpu: [arm64]
     os: [android]
 
-  '@esbuild/android-arm@0.25.10':
-    resolution: {integrity: sha512-dQAxF1dW1C3zpeCDc5KqIYuZ1tgAdRXNoZP7vkBIRtKZPYe2xVr/d3SkirklCHudW1B45tGiUlz2pUWDfbDD4w==}
+  '@esbuild/android-arm@0.25.12':
+    resolution: {integrity: sha512-VJ+sKvNA/GE7Ccacc9Cha7bpS8nyzVv0jdVgwNDaR4gDMC/2TTRc33Ip8qrNYUcpkOHUT5OZ0bUcNNVZQ9RLlg==}
     engines: {node: '>=18'}
     cpu: [arm]
     os: [android]
 
-  '@esbuild/android-x64@0.25.10':
-    resolution: {integrity: sha512-MiC9CWdPrfhibcXwr39p9ha1x0lZJ9KaVfvzA0Wxwz9ETX4v5CHfF09bx935nHlhi+MxhA63dKRRQLiVgSUtEg==}
+  '@esbuild/android-x64@0.25.12':
+    resolution: {integrity: sha512-5jbb+2hhDHx5phYR2By8GTWEzn6I9UqR11Kwf22iKbNpYrsmRB18aX/9ivc5cabcUiAT/wM+YIZ6SG9QO6a8kg==}
     engines: {node: '>=18'}
     cpu: [x64]
     os: [android]
 
-  '@esbuild/darwin-arm64@0.25.10':
-    resolution: {integrity: sha512-JC74bdXcQEpW9KkV326WpZZjLguSZ3DfS8wrrvPMHgQOIEIG/sPXEN/V8IssoJhbefLRcRqw6RQH2NnpdprtMA==}
+  '@esbuild/darwin-arm64@0.25.12':
+    resolution: {integrity: sha512-N3zl+lxHCifgIlcMUP5016ESkeQjLj/959RxxNYIthIg+CQHInujFuXeWbWMgnTo4cp5XVHqFPmpyu9J65C1Yg==}
     engines: {node: '>=18'}
     cpu: [arm64]
     os: [darwin]
 
-  '@esbuild/darwin-x64@0.25.10':
-    resolution: {integrity: sha512-tguWg1olF6DGqzws97pKZ8G2L7Ig1vjDmGTwcTuYHbuU6TTjJe5FXbgs5C1BBzHbJ2bo1m3WkQDbWO2PvamRcg==}
+  '@esbuild/darwin-x64@0.25.12':
+    resolution: {integrity: sha512-HQ9ka4Kx21qHXwtlTUVbKJOAnmG1ipXhdWTmNXiPzPfWKpXqASVcWdnf2bnL73wgjNrFXAa3yYvBSd9pzfEIpA==}
     engines: {node: '>=18'}
     cpu: [x64]
     os: [darwin]
 
-  '@esbuild/freebsd-arm64@0.25.10':
-    resolution: {integrity: sha512-3ZioSQSg1HT2N05YxeJWYR+Libe3bREVSdWhEEgExWaDtyFbbXWb49QgPvFH8u03vUPX10JhJPcz7s9t9+boWg==}
+  '@esbuild/freebsd-arm64@0.25.12':
+    resolution: {integrity: sha512-gA0Bx759+7Jve03K1S0vkOu5Lg/85dou3EseOGUes8flVOGxbhDDh/iZaoek11Y8mtyKPGF3vP8XhnkDEAmzeg==}
     engines: {node: '>=18'}
     cpu: [arm64]
     os: [freebsd]
 
-  '@esbuild/freebsd-x64@0.25.10':
-    resolution: {integrity: sha512-LLgJfHJk014Aa4anGDbh8bmI5Lk+QidDmGzuC2D+vP7mv/GeSN+H39zOf7pN5N8p059FcOfs2bVlrRr4SK9WxA==}
+  '@esbuild/freebsd-x64@0.25.12':
+    resolution: {integrity: sha512-TGbO26Yw2xsHzxtbVFGEXBFH0FRAP7gtcPE7P5yP7wGy7cXK2oO7RyOhL5NLiqTlBh47XhmIUXuGciXEqYFfBQ==}
     engines: {node: '>=18'}
     cpu: [x64]
     os: [freebsd]
 
-  '@esbuild/linux-arm64@0.25.10':
-    resolution: {integrity: sha512-5luJWN6YKBsawd5f9i4+c+geYiVEw20FVW5x0v1kEMWNq8UctFjDiMATBxLvmmHA4bf7F6hTRaJgtghFr9iziQ==}
+  '@esbuild/linux-arm64@0.25.12':
+    resolution: {integrity: sha512-8bwX7a8FghIgrupcxb4aUmYDLp8pX06rGh5HqDT7bB+8Rdells6mHvrFHHW2JAOPZUbnjUpKTLg6ECyzvas2AQ==}
     engines: {node: '>=18'}
     cpu: [arm64]
     os: [linux]
 
-  '@esbuild/linux-arm@0.25.10':
-    resolution: {integrity: sha512-oR31GtBTFYCqEBALI9r6WxoU/ZofZl962pouZRTEYECvNF/dtXKku8YXcJkhgK/beU+zedXfIzHijSRapJY3vg==}
+  '@esbuild/linux-arm@0.25.12':
+    resolution: {integrity: sha512-lPDGyC1JPDou8kGcywY0YILzWlhhnRjdof3UlcoqYmS9El818LLfJJc3PXXgZHrHCAKs/Z2SeZtDJr5MrkxtOw==}
     engines: {node: '>=18'}
     cpu: [arm]
     os: [linux]
 
-  '@esbuild/linux-ia32@0.25.10':
-    resolution: {integrity: sha512-NrSCx2Kim3EnnWgS4Txn0QGt0Xipoumb6z6sUtl5bOEZIVKhzfyp/Lyw4C1DIYvzeW/5mWYPBFJU3a/8Yr75DQ==}
+  '@esbuild/linux-ia32@0.25.12':
+    resolution: {integrity: sha512-0y9KrdVnbMM2/vG8KfU0byhUN+EFCny9+8g202gYqSSVMonbsCfLjUO+rCci7pM0WBEtz+oK/PIwHkzxkyharA==}
     engines: {node: '>=18'}
     cpu: [ia32]
     os: [linux]
 
-  '@esbuild/linux-loong64@0.25.10':
-    resolution: {integrity: sha512-xoSphrd4AZda8+rUDDfD9J6FUMjrkTz8itpTITM4/xgerAZZcFW7Dv+sun7333IfKxGG8gAq+3NbfEMJfiY+Eg==}
+  '@esbuild/linux-loong64@0.25.12':
+    resolution: {integrity: sha512-h///Lr5a9rib/v1GGqXVGzjL4TMvVTv+s1DPoxQdz7l/AYv6LDSxdIwzxkrPW438oUXiDtwM10o9PmwS/6Z0Ng==}
     engines: {node: '>=18'}
     cpu: [loong64]
     os: [linux]
 
-  '@esbuild/linux-mips64el@0.25.10':
-    resolution: {integrity: sha512-ab6eiuCwoMmYDyTnyptoKkVS3k8fy/1Uvq7Dj5czXI6DF2GqD2ToInBI0SHOp5/X1BdZ26RKc5+qjQNGRBelRA==}
+  '@esbuild/linux-mips64el@0.25.12':
+    resolution: {integrity: sha512-iyRrM1Pzy9GFMDLsXn1iHUm18nhKnNMWscjmp4+hpafcZjrr2WbT//d20xaGljXDBYHqRcl8HnxbX6uaA/eGVw==}
     engines: {node: '>=18'}
     cpu: [mips64el]
     os: [linux]
 
-  '@esbuild/linux-ppc64@0.25.10':
-    resolution: {integrity: sha512-NLinzzOgZQsGpsTkEbdJTCanwA5/wozN9dSgEl12haXJBzMTpssebuXR42bthOF3z7zXFWH1AmvWunUCkBE4EA==}
+  '@esbuild/linux-ppc64@0.25.12':
+    resolution: {integrity: sha512-9meM/lRXxMi5PSUqEXRCtVjEZBGwB7P/D4yT8UG/mwIdze2aV4Vo6U5gD3+RsoHXKkHCfSxZKzmDssVlRj1QQA==}
     engines: {node: '>=18'}
     cpu: [ppc64]
     os: [linux]
 
-  '@esbuild/linux-riscv64@0.25.10':
-    resolution: {integrity: sha512-FE557XdZDrtX8NMIeA8LBJX3dC2M8VGXwfrQWU7LB5SLOajfJIxmSdyL/gU1m64Zs9CBKvm4UAuBp5aJ8OgnrA==}
+  '@esbuild/linux-riscv64@0.25.12':
+    resolution: {integrity: sha512-Zr7KR4hgKUpWAwb1f3o5ygT04MzqVrGEGXGLnj15YQDJErYu/BGg+wmFlIDOdJp0PmB0lLvxFIOXZgFRrdjR0w==}
     engines: {node: '>=18'}
     cpu: [riscv64]
     os: [linux]
 
-  '@esbuild/linux-s390x@0.25.10':
-    resolution: {integrity: sha512-3BBSbgzuB9ajLoVZk0mGu+EHlBwkusRmeNYdqmznmMc9zGASFjSsxgkNsqmXugpPk00gJ0JNKh/97nxmjctdew==}
+  '@esbuild/linux-s390x@0.25.12':
+    resolution: {integrity: sha512-MsKncOcgTNvdtiISc/jZs/Zf8d0cl/t3gYWX8J9ubBnVOwlk65UIEEvgBORTiljloIWnBzLs4qhzPkJcitIzIg==}
     engines: {node: '>=18'}
     cpu: [s390x]
     os: [linux]
 
-  '@esbuild/linux-x64@0.25.10':
-    resolution: {integrity: sha512-QSX81KhFoZGwenVyPoberggdW1nrQZSvfVDAIUXr3WqLRZGZqWk/P4T8p2SP+de2Sr5HPcvjhcJzEiulKgnxtA==}
+  '@esbuild/linux-x64@0.25.12':
+    resolution: {integrity: sha512-uqZMTLr/zR/ed4jIGnwSLkaHmPjOjJvnm6TVVitAa08SLS9Z0VM8wIRx7gWbJB5/J54YuIMInDquWyYvQLZkgw==}
     engines: {node: '>=18'}
     cpu: [x64]
     os: [linux]
 
-  '@esbuild/netbsd-arm64@0.25.10':
-    resolution: {integrity: sha512-AKQM3gfYfSW8XRk8DdMCzaLUFB15dTrZfnX8WXQoOUpUBQ+NaAFCP1kPS/ykbbGYz7rxn0WS48/81l9hFl3u4A==}
+  '@esbuild/netbsd-arm64@0.25.12':
+    resolution: {integrity: sha512-xXwcTq4GhRM7J9A8Gv5boanHhRa/Q9KLVmcyXHCTaM4wKfIpWkdXiMog/KsnxzJ0A1+nD+zoecuzqPmCRyBGjg==}
     engines: {node: '>=18'}
     cpu: [arm64]
     os: [netbsd]
 
-  '@esbuild/netbsd-x64@0.25.10':
-    resolution: {integrity: sha512-7RTytDPGU6fek/hWuN9qQpeGPBZFfB4zZgcz2VK2Z5VpdUxEI8JKYsg3JfO0n/Z1E/6l05n0unDCNc4HnhQGig==}
+  '@esbuild/netbsd-x64@0.25.12':
+    resolution: {integrity: sha512-Ld5pTlzPy3YwGec4OuHh1aCVCRvOXdH8DgRjfDy/oumVovmuSzWfnSJg+VtakB9Cm0gxNO9BzWkj6mtO1FMXkQ==}
     engines: {node: '>=18'}
     cpu: [x64]
     os: [netbsd]
 
-  '@esbuild/openbsd-arm64@0.25.10':
-    resolution: {integrity: sha512-5Se0VM9Wtq797YFn+dLimf2Zx6McttsH2olUBsDml+lm0GOCRVebRWUvDtkY4BWYv/3NgzS8b/UM3jQNh5hYyw==}
+  '@esbuild/openbsd-arm64@0.25.12':
+    resolution: {integrity: sha512-fF96T6KsBo/pkQI950FARU9apGNTSlZGsv1jZBAlcLL1MLjLNIWPBkj5NlSz8aAzYKg+eNqknrUJ24QBybeR5A==}
     engines: {node: '>=18'}
     cpu: [arm64]
     os: [openbsd]
 
-  '@esbuild/openbsd-x64@0.25.10':
-    resolution: {integrity: sha512-XkA4frq1TLj4bEMB+2HnI0+4RnjbuGZfet2gs/LNs5Hc7D89ZQBHQ0gL2ND6Lzu1+QVkjp3x1gIcPKzRNP8bXw==}
+  '@esbuild/openbsd-x64@0.25.12':
+    resolution: {integrity: sha512-MZyXUkZHjQxUvzK7rN8DJ3SRmrVrke8ZyRusHlP+kuwqTcfWLyqMOE3sScPPyeIXN/mDJIfGXvcMqCgYKekoQw==}
     engines: {node: '>=18'}
     cpu: [x64]
     os: [openbsd]
 
-  '@esbuild/openharmony-arm64@0.25.10':
-    resolution: {integrity: sha512-AVTSBhTX8Y/Fz6OmIVBip9tJzZEUcY8WLh7I59+upa5/GPhh2/aM6bvOMQySspnCCHvFi79kMtdJS1w0DXAeag==}
+  '@esbuild/openharmony-arm64@0.25.12':
+    resolution: {integrity: sha512-rm0YWsqUSRrjncSXGA7Zv78Nbnw4XL6/dzr20cyrQf7ZmRcsovpcRBdhD43Nuk3y7XIoW2OxMVvwuRvk9XdASg==}
     engines: {node: '>=18'}
     cpu: [arm64]
     os: [openharmony]
 
-  '@esbuild/sunos-x64@0.25.10':
-    resolution: {integrity: sha512-fswk3XT0Uf2pGJmOpDB7yknqhVkJQkAQOcW/ccVOtfx05LkbWOaRAtn5SaqXypeKQra1QaEa841PgrSL9ubSPQ==}
+  '@esbuild/sunos-x64@0.25.12':
+    resolution: {integrity: sha512-3wGSCDyuTHQUzt0nV7bocDy72r2lI33QL3gkDNGkod22EsYl04sMf0qLb8luNKTOmgF/eDEDP5BFNwoBKH441w==}
     engines: {node: '>=18'}
     cpu: [x64]
     os: [sunos]
 
-  '@esbuild/win32-arm64@0.25.10':
-    resolution: {integrity: sha512-ah+9b59KDTSfpaCg6VdJoOQvKjI33nTaQr4UluQwW7aEwZQsbMCfTmfEO4VyewOxx4RaDT/xCy9ra2GPWmO7Kw==}
+  '@esbuild/win32-arm64@0.25.12':
+    resolution: {integrity: sha512-rMmLrur64A7+DKlnSuwqUdRKyd3UE7oPJZmnljqEptesKM8wx9J8gx5u0+9Pq0fQQW8vqeKebwNXdfOyP+8Bsg==}
     engines: {node: '>=18'}
     cpu: [arm64]
     os: [win32]
 
-  '@esbuild/win32-ia32@0.25.10':
-    resolution: {integrity: sha512-QHPDbKkrGO8/cz9LKVnJU22HOi4pxZnZhhA2HYHez5Pz4JeffhDjf85E57Oyco163GnzNCVkZK0b/n4Y0UHcSw==}
+  '@esbuild/win32-ia32@0.25.12':
+    resolution: {integrity: sha512-HkqnmmBoCbCwxUKKNPBixiWDGCpQGVsrQfJoVGYLPT41XWF8lHuE5N6WhVia2n4o5QK5M4tYr21827fNhi4byQ==}
     engines: {node: '>=18'}
     cpu: [ia32]
     os: [win32]
 
-  '@esbuild/win32-x64@0.25.10':
-    resolution: {integrity: sha512-9KpxSVFCu0iK1owoez6aC/s/EdUQLDN3adTxGCqxMVhrPDj6bt5dbrHDXUuq+Bs2vATFBBrQS5vdQ/Ed2P+nbw==}
+  '@esbuild/win32-x64@0.25.12':
+    resolution: {integrity: sha512-alJC0uCZpTFrSL0CCDjcgleBXPnCrEAhTBILpeAp7M/OFgoqtAetfBzX0xM00MUsVVPpVjlPuMbREqnZCXaTnA==}
     engines: {node: '>=18'}
     cpu: [x64]
     os: [win32]
@@ -725,8 +725,8 @@ packages:
       react: '>=16.8.0'
       rxjs: '>=7'
 
-  '@reduxjs/toolkit@2.9.0':
-    resolution: {integrity: sha512-fSfQlSRu9Z5yBkvsNhYF2rPS8cGXn/TZVrlwN1948QyZ8xMZ0JvP50S2acZNaf+o63u6aEeMjipFyksjIcWrog==}
+  '@reduxjs/toolkit@2.9.2':
+    resolution: {integrity: sha512-ZAYu/NXkl/OhqTz7rfPaAhY0+e8Fr15jqNxte/2exKUxvHyQ/hcqmdekiN1f+Lcw3pE+34FCgX+26zcUE3duCg==}
     peerDependencies:
       react: ^16.9.0 || ^17.0.0 || ^18 || ^19
       react-redux: ^7.2.1 || ^8.1.3 || ^9.0.0
@@ -740,116 +740,116 @@ packages:
     resolution: {integrity: sha512-O3rHJzAQKamUz1fvE0Qaw0xSFqsA/yafi2iqeE0pvdFtCO1viYx8QL6f3Ln/aCCTLxs68SLf0KPM9eSeM8yBnA==}
     engines: {node: '>=14.0.0'}
 
-  '@rolldown/pluginutils@1.0.0-beta.35':
-    resolution: {integrity: sha512-slYrCpoxJUqzFDDNlvrOYRazQUNRvWPjXA17dAOISY3rDMxX6k8K4cj2H+hEYMHF81HO3uNd5rHVigAWRM5dSg==}
+  '@rolldown/pluginutils@1.0.0-beta.43':
+    resolution: {integrity: sha512-5Uxg7fQUCmfhax7FJke2+8B6cqgeUJUD9o2uXIKXhD+mG0mL6NObmVoi9wXEU1tY89mZKgAYA6fTbftx3q2ZPQ==}
 
-  '@rollup/rollup-android-arm-eabi@4.52.2':
-    resolution: {integrity: sha512-o3pcKzJgSGt4d74lSZ+OCnHwkKBeAbFDmbEm5gg70eA8VkyCuC/zV9TwBnmw6VjDlRdF4Pshfb+WE9E6XY1PoQ==}
+  '@rollup/rollup-android-arm-eabi@4.52.5':
+    resolution: {integrity: sha512-8c1vW4ocv3UOMp9K+gToY5zL2XiiVw3k7f1ksf4yO1FlDFQ1C2u72iACFnSOceJFsWskc2WZNqeRhFRPzv+wtQ==}
     cpu: [arm]
     os: [android]
 
-  '@rollup/rollup-android-arm64@4.52.2':
-    resolution: {integrity: sha512-cqFSWO5tX2vhC9hJTK8WAiPIm4Q8q/cU8j2HQA0L3E1uXvBYbOZMhE2oFL8n2pKB5sOCHY6bBuHaRwG7TkfJyw==}
+  '@rollup/rollup-android-arm64@4.52.5':
+    resolution: {integrity: sha512-mQGfsIEFcu21mvqkEKKu2dYmtuSZOBMmAl5CFlPGLY94Vlcm+zWApK7F/eocsNzp8tKmbeBP8yXyAbx0XHsFNA==}
     cpu: [arm64]
     os: [android]
 
-  '@rollup/rollup-darwin-arm64@4.52.2':
-    resolution: {integrity: sha512-vngduywkkv8Fkh3wIZf5nFPXzWsNsVu1kvtLETWxTFf/5opZmflgVSeLgdHR56RQh71xhPhWoOkEBvbehwTlVA==}
+  '@rollup/rollup-darwin-arm64@4.52.5':
+    resolution: {integrity: sha512-takF3CR71mCAGA+v794QUZ0b6ZSrgJkArC+gUiG6LB6TQty9T0Mqh3m2ImRBOxS2IeYBo4lKWIieSvnEk2OQWA==}
     cpu: [arm64]
     os: [darwin]
 
-  '@rollup/rollup-darwin-x64@4.52.2':
-    resolution: {integrity: sha512-h11KikYrUCYTrDj6h939hhMNlqU2fo/X4NB0OZcys3fya49o1hmFaczAiJWVAFgrM1NCP6RrO7lQKeVYSKBPSQ==}
+  '@rollup/rollup-darwin-x64@4.52.5':
+    resolution: {integrity: sha512-W901Pla8Ya95WpxDn//VF9K9u2JbocwV/v75TE0YIHNTbhqUTv9w4VuQ9MaWlNOkkEfFwkdNhXgcLqPSmHy0fA==}
     cpu: [x64]
     os: [darwin]
 
-  '@rollup/rollup-freebsd-arm64@4.52.2':
-    resolution: {integrity: sha512-/eg4CI61ZUkLXxMHyVlmlGrSQZ34xqWlZNW43IAU4RmdzWEx0mQJ2mN/Cx4IHLVZFL6UBGAh+/GXhgvGb+nVxw==}
+  '@rollup/rollup-freebsd-arm64@4.52.5':
+    resolution: {integrity: sha512-QofO7i7JycsYOWxe0GFqhLmF6l1TqBswJMvICnRUjqCx8b47MTo46W8AoeQwiokAx3zVryVnxtBMcGcnX12LvA==}
     cpu: [arm64]
     os: [freebsd]
 
-  '@rollup/rollup-freebsd-x64@4.52.2':
-    resolution: {integrity: sha512-QOWgFH5X9+p+S1NAfOqc0z8qEpJIoUHf7OWjNUGOeW18Mx22lAUOiA9b6r2/vpzLdfxi/f+VWsYjUOMCcYh0Ng==}
+  '@rollup/rollup-freebsd-x64@4.52.5':
+    resolution: {integrity: sha512-jr21b/99ew8ujZubPo9skbrItHEIE50WdV86cdSoRkKtmWa+DDr6fu2c/xyRT0F/WazZpam6kk7IHBerSL7LDQ==}
     cpu: [x64]
     os: [freebsd]
 
-  '@rollup/rollup-linux-arm-gnueabihf@4.52.2':
-    resolution: {integrity: sha512-kDWSPafToDd8LcBYd1t5jw7bD5Ojcu12S3uT372e5HKPzQt532vW+rGFFOaiR0opxePyUkHrwz8iWYEyH1IIQA==}
+  '@rollup/rollup-linux-arm-gnueabihf@4.52.5':
+    resolution: {integrity: sha512-PsNAbcyv9CcecAUagQefwX8fQn9LQ4nZkpDboBOttmyffnInRy8R8dSg6hxxl2Re5QhHBf6FYIDhIj5v982ATQ==}
     cpu: [arm]
     os: [linux]
 
-  '@rollup/rollup-linux-arm-musleabihf@4.52.2':
-    resolution: {integrity: sha512-gKm7Mk9wCv6/rkzwCiUC4KnevYhlf8ztBrDRT9g/u//1fZLapSRc+eDZj2Eu2wpJ+0RzUKgtNijnVIB4ZxyL+w==}
+  '@rollup/rollup-linux-arm-musleabihf@4.52.5':
+    resolution: {integrity: sha512-Fw4tysRutyQc/wwkmcyoqFtJhh0u31K+Q6jYjeicsGJJ7bbEq8LwPWV/w0cnzOqR2m694/Af6hpFayLJZkG2VQ==}
     cpu: [arm]
     os: [linux]
 
-  '@rollup/rollup-linux-arm64-gnu@4.52.2':
-    resolution: {integrity: sha512-66lA8vnj5mB/rtDNwPgrrKUOtCLVQypkyDa2gMfOefXK6rcZAxKLO9Fy3GkW8VkPnENv9hBkNOFfGLf6rNKGUg==}
+  '@rollup/rollup-linux-arm64-gnu@4.52.5':
+    resolution: {integrity: sha512-a+3wVnAYdQClOTlyapKmyI6BLPAFYs0JM8HRpgYZQO02rMR09ZcV9LbQB+NL6sljzG38869YqThrRnfPMCDtZg==}
     cpu: [arm64]
     os: [linux]
 
-  '@rollup/rollup-linux-arm64-musl@4.52.2':
-    resolution: {integrity: sha512-s+OPucLNdJHvuZHuIz2WwncJ+SfWHFEmlC5nKMUgAelUeBUnlB4wt7rXWiyG4Zn07uY2Dd+SGyVa9oyLkVGOjA==}
+  '@rollup/rollup-linux-arm64-musl@4.52.5':
+    resolution: {integrity: sha512-AvttBOMwO9Pcuuf7m9PkC1PUIKsfaAJ4AYhy944qeTJgQOqJYJ9oVl2nYgY7Rk0mkbsuOpCAYSs6wLYB2Xiw0Q==}
     cpu: [arm64]
     os: [linux]
 
-  '@rollup/rollup-linux-loong64-gnu@4.52.2':
-    resolution: {integrity: sha512-8wTRM3+gVMDLLDdaT6tKmOE3lJyRy9NpJUS/ZRWmLCmOPIJhVyXwjBo+XbrrwtV33Em1/eCTd5TuGJm4+DmYjw==}
+  '@rollup/rollup-linux-loong64-gnu@4.52.5':
+    resolution: {integrity: sha512-DkDk8pmXQV2wVrF6oq5tONK6UHLz/XcEVow4JTTerdeV1uqPeHxwcg7aFsfnSm9L+OO8WJsWotKM2JJPMWrQtA==}
     cpu: [loong64]
     os: [linux]
 
-  '@rollup/rollup-linux-ppc64-gnu@4.52.2':
-    resolution: {integrity: sha512-6yqEfgJ1anIeuP2P/zhtfBlDpXUb80t8DpbYwXQ3bQd95JMvUaqiX+fKqYqUwZXqdJDd8xdilNtsHM2N0cFm6A==}
+  '@rollup/rollup-linux-ppc64-gnu@4.52.5':
+    resolution: {integrity: sha512-W/b9ZN/U9+hPQVvlGwjzi+Wy4xdoH2I8EjaCkMvzpI7wJUs8sWJ03Rq96jRnHkSrcHTpQe8h5Tg3ZzUPGauvAw==}
     cpu: [ppc64]
     os: [linux]
 
-  '@rollup/rollup-linux-riscv64-gnu@4.52.2':
-    resolution: {integrity: sha512-sshYUiYVSEI2B6dp4jMncwxbrUqRdNApF2c3bhtLAU0qA8Lrri0p0NauOsTWh3yCCCDyBOjESHMExonp7Nzc0w==}
+  '@rollup/rollup-linux-riscv64-gnu@4.52.5':
+    resolution: {integrity: sha512-sjQLr9BW7R/ZiXnQiWPkErNfLMkkWIoCz7YMn27HldKsADEKa5WYdobaa1hmN6slu9oWQbB6/jFpJ+P2IkVrmw==}
     cpu: [riscv64]
     os: [linux]
 
-  '@rollup/rollup-linux-riscv64-musl@4.52.2':
-    resolution: {integrity: sha512-duBLgd+3pqC4MMwBrKkFxaZerUxZcYApQVC5SdbF5/e/589GwVvlRUnyqMFbM8iUSb1BaoX/3fRL7hB9m2Pj8Q==}
+  '@rollup/rollup-linux-riscv64-musl@4.52.5':
+    resolution: {integrity: sha512-hq3jU/kGyjXWTvAh2awn8oHroCbrPm8JqM7RUpKjalIRWWXE01CQOf/tUNWNHjmbMHg/hmNCwc/Pz3k1T/j/Lg==}
     cpu: [riscv64]
     os: [linux]
 
-  '@rollup/rollup-linux-s390x-gnu@4.52.2':
-    resolution: {integrity: sha512-tzhYJJidDUVGMgVyE+PmxENPHlvvqm1KILjjZhB8/xHYqAGeizh3GBGf9u6WdJpZrz1aCpIIHG0LgJgH9rVjHQ==}
+  '@rollup/rollup-linux-s390x-gnu@4.52.5':
+    resolution: {integrity: sha512-gn8kHOrku8D4NGHMK1Y7NA7INQTRdVOntt1OCYypZPRt6skGbddska44K8iocdpxHTMMNui5oH4elPH4QOLrFQ==}
     cpu: [s390x]
     os: [linux]
 
-  '@rollup/rollup-linux-x64-gnu@4.52.2':
-    resolution: {integrity: sha512-opH8GSUuVcCSSyHHcl5hELrmnk4waZoVpgn/4FDao9iyE4WpQhyWJ5ryl5M3ocp4qkRuHfyXnGqg8M9oKCEKRA==}
+  '@rollup/rollup-linux-x64-gnu@4.52.5':
+    resolution: {integrity: sha512-hXGLYpdhiNElzN770+H2nlx+jRog8TyynpTVzdlc6bndktjKWyZyiCsuDAlpd+j+W+WNqfcyAWz9HxxIGfZm1Q==}
     cpu: [x64]
     os: [linux]
 
-  '@rollup/rollup-linux-x64-musl@4.52.2':
-    resolution: {integrity: sha512-LSeBHnGli1pPKVJ79ZVJgeZWWZXkEe/5o8kcn23M8eMKCUANejchJbF/JqzM4RRjOJfNRhKJk8FuqL1GKjF5oQ==}
+  '@rollup/rollup-linux-x64-musl@4.52.5':
+    resolution: {integrity: sha512-arCGIcuNKjBoKAXD+y7XomR9gY6Mw7HnFBv5Rw7wQRvwYLR7gBAgV7Mb2QTyjXfTveBNFAtPt46/36vV9STLNg==}
     cpu: [x64]
     os: [linux]
 
-  '@rollup/rollup-openharmony-arm64@4.52.2':
-    resolution: {integrity: sha512-uPj7MQ6/s+/GOpolavm6BPo+6CbhbKYyZHUDvZ/SmJM7pfDBgdGisFX3bY/CBDMg2ZO4utfhlApkSfZ92yXw7Q==}
+  '@rollup/rollup-openharmony-arm64@4.52.5':
+    resolution: {integrity: sha512-QoFqB6+/9Rly/RiPjaomPLmR/13cgkIGfA40LHly9zcH1S0bN2HVFYk3a1eAyHQyjs3ZJYlXvIGtcCs5tko9Cw==}
     cpu: [arm64]
     os: [openharmony]
 
-  '@rollup/rollup-win32-arm64-msvc@4.52.2':
-    resolution: {integrity: sha512-Z9MUCrSgIaUeeHAiNkm3cQyst2UhzjPraR3gYYfOjAuZI7tcFRTOD+4cHLPoS/3qinchth+V56vtqz1Tv+6KPA==}
+  '@rollup/rollup-win32-arm64-msvc@4.52.5':
+    resolution: {integrity: sha512-w0cDWVR6MlTstla1cIfOGyl8+qb93FlAVutcor14Gf5Md5ap5ySfQ7R9S/NjNaMLSFdUnKGEasmVnu3lCMqB7w==}
     cpu: [arm64]
     os: [win32]
 
-  '@rollup/rollup-win32-ia32-msvc@4.52.2':
-    resolution: {integrity: sha512-+GnYBmpjldD3XQd+HMejo+0gJGwYIOfFeoBQv32xF/RUIvccUz20/V6Otdv+57NE70D5pa8W/jVGDoGq0oON4A==}
+  '@rollup/rollup-win32-ia32-msvc@4.52.5':
+    resolution: {integrity: sha512-Aufdpzp7DpOTULJCuvzqcItSGDH73pF3ko/f+ckJhxQyHtp67rHw3HMNxoIdDMUITJESNE6a8uh4Lo4SLouOUg==}
     cpu: [ia32]
     os: [win32]
 
-  '@rollup/rollup-win32-x64-gnu@4.52.2':
-    resolution: {integrity: sha512-ApXFKluSB6kDQkAqZOKXBjiaqdF1BlKi+/eqnYe9Ee7U2K3pUDKsIyr8EYm/QDHTJIM+4X+lI0gJc3TTRhd+dA==}
+  '@rollup/rollup-win32-x64-gnu@4.52.5':
+    resolution: {integrity: sha512-UGBUGPFp1vkj6p8wCRraqNhqwX/4kNQPS57BCFc8wYh0g94iVIW33wJtQAx3G7vrjjNtRaxiMUylM0ktp/TRSQ==}
     cpu: [x64]
     os: [win32]
 
-  '@rollup/rollup-win32-x64-msvc@4.52.2':
-    resolution: {integrity: sha512-ARz+Bs8kY6FtitYM96PqPEVvPXqEZmPZsSkXvyX19YzDqkCaIlhCieLLMI5hxO9SRZ2XtCtm8wxhy0iJ2jxNfw==}
+  '@rollup/rollup-win32-x64-msvc@4.52.5':
+    resolution: {integrity: sha512-TAcgQh2sSkykPRWLrdyy2AiceMckNf5loITqXxFI5VuQjS5tSuw3WlwdN8qv8vzjLAUTvYaH/mVjSFpbkFbpTg==}
     cpu: [x64]
     os: [win32]
 
@@ -888,68 +888,68 @@ packages:
   '@standard-schema/utils@0.3.0':
     resolution: {integrity: sha512-e7Mew686owMaPJVNNLs55PUvgz371nKgwsc4vxE49zsODpJEnxgxRo2y/OKrqueavXgZNMDVj3DdHFlaSAeU8g==}
 
-  '@swc/core-darwin-arm64@1.13.19':
-    resolution: {integrity: sha512-NxDyte9tCJSJ8+R62WDtqwg8eI57lubD52sHyGOfezpJBOPr36bUSGGLyO3Vod9zTGlOu2CpkuzA/2iVw92u1g==}
+  '@swc/core-darwin-arm64@1.14.0':
+    resolution: {integrity: sha512-uHPC8rlCt04nvYNczWzKVdgnRhxCa3ndKTBBbBpResOZsRmiwRAvByIGh599j+Oo6Z5eyTPrgY+XfJzVmXnN7Q==}
     engines: {node: '>=10'}
     cpu: [arm64]
     os: [darwin]
 
-  '@swc/core-darwin-x64@1.13.19':
-    resolution: {integrity: sha512-+w5DYrJndSygFFRDcuPYmx5BljD6oYnAohZ15K1L6SfORHp/BTSIbgSFRKPoyhjuIkDiq3W0um8RoMTOBAcQjQ==}
+  '@swc/core-darwin-x64@1.14.0':
+    resolution: {integrity: sha512-2SHrlpl68vtePRknv9shvM9YKKg7B9T13tcTg9aFCwR318QTYo+FzsKGmQSv9ox/Ua0Q2/5y2BNjieffJoo4nA==}
     engines: {node: '>=10'}
     cpu: [x64]
     os: [darwin]
 
-  '@swc/core-linux-arm-gnueabihf@1.13.19':
-    resolution: {integrity: sha512-7LlfgpdwwYq2q7himNkAAFo4q6jysMLFNoBH6GRP7WL29NcSsl5mPMJjmYZymK+sYq/9MTVieDTQvChzYDsapw==}
+  '@swc/core-linux-arm-gnueabihf@1.14.0':
+    resolution: {integrity: sha512-SMH8zn01dxt809svetnxpeg/jWdpi6dqHKO3Eb11u4OzU2PK7I5uKS6gf2hx5LlTbcJMFKULZiVwjlQLe8eqtg==}
     engines: {node: '>=10'}
     cpu: [arm]
     os: [linux]
 
-  '@swc/core-linux-arm64-gnu@1.13.19':
-    resolution: {integrity: sha512-ml3I6Lm2marAQ3UC/TS9t/yILBh/eDSVHAdPpikp652xouWAVW1znUeV6bBSxe1sSZIenv+p55ubKAWq/u84sQ==}
+  '@swc/core-linux-arm64-gnu@1.14.0':
+    resolution: {integrity: sha512-q2JRu2D8LVqGeHkmpVCljVNltG0tB4o4eYg+dElFwCS8l2Mnt9qurMCxIeo9mgoqz0ax+k7jWtIRHktnVCbjvQ==}
     engines: {node: '>=10'}
     cpu: [arm64]
     os: [linux]
 
-  '@swc/core-linux-arm64-musl@1.13.19':
-    resolution: {integrity: sha512-M/otFc3/rWWkbF6VgbOXVzUKVoE7MFcphTaStxJp4bwb7oP5slYlxMZN51Dk/OTOfvCDo9pTAFDKNyixbkXMDQ==}
+  '@swc/core-linux-arm64-musl@1.14.0':
+    resolution: {integrity: sha512-uofpVoPCEUjYIv454ZEZ3sLgMD17nIwlz2z7bsn7rl301Kt/01umFA7MscUovFfAK2IRGck6XB+uulMu6aFhKQ==}
     engines: {node: '>=10'}
     cpu: [arm64]
     os: [linux]
 
-  '@swc/core-linux-x64-gnu@1.13.19':
-    resolution: {integrity: sha512-NoMUKaOJEdouU4tKF88ggdDHFiRRING+gYLxDqnTfm+sUXaizB5OGBRzvSVDYSXQb1SuUuChnXFPFzwTWbt3ZQ==}
+  '@swc/core-linux-x64-gnu@1.14.0':
+    resolution: {integrity: sha512-quTTx1Olm05fBfv66DEBuOsOgqdypnZ/1Bh3yGXWY7ANLFeeRpCDZpljD9BSjdsNdPOlwJmEUZXMHtGm3v1TZQ==}
     engines: {node: '>=10'}
     cpu: [x64]
     os: [linux]
 
-  '@swc/core-linux-x64-musl@1.13.19':
-    resolution: {integrity: sha512-r6krlZwyu8SBaw24QuS1lau2I9q8M+eJV6ITz0rpb6P1Bx0elf9ii5Bhh8ddmIqXXH8kOGSjC/dwcdHbZqAhgw==}
+  '@swc/core-linux-x64-musl@1.14.0':
+    resolution: {integrity: sha512-caaNAu+aIqT8seLtCf08i8C3/UC5ttQujUjejhMcuS1/LoCKtNiUs4VekJd2UGt+pyuuSrQ6dKl8CbCfWvWeXw==}
     engines: {node: '>=10'}
     cpu: [x64]
     os: [linux]
 
-  '@swc/core-win32-arm64-msvc@1.13.19':
-    resolution: {integrity: sha512-awcZSIuxyVn0Dw28VjMvgk1qiDJ6CeQwHkZNUjg2UxVlq23zE01NMMp+zkoGFypmLG9gaGmJSzuoqvk/WCQ5tw==}
+  '@swc/core-win32-arm64-msvc@1.14.0':
+    resolution: {integrity: sha512-EeW3jFlT3YNckJ6V/JnTfGcX7UHGyh6/AiCPopZ1HNaGiXVCKHPpVQZicmtyr/UpqxCXLrTgjHOvyMke7YN26A==}
     engines: {node: '>=10'}
     cpu: [arm64]
     os: [win32]
 
-  '@swc/core-win32-ia32-msvc@1.13.19':
-    resolution: {integrity: sha512-H5d+KO7ISoLNgYvTbOcCQjJZNM3R7yaYlrMAF13lUr6GSiOUX+92xtM31B+HvzAWI7HtvVe74d29aC1b1TpXFA==}
+  '@swc/core-win32-ia32-msvc@1.14.0':
+    resolution: {integrity: sha512-dPai3KUIcihV5hfoO4QNQF5HAaw8+2bT7dvi8E5zLtecW2SfL3mUZipzampXq5FHll0RSCLzlrXnSx+dBRZIIQ==}
     engines: {node: '>=10'}
     cpu: [ia32]
     os: [win32]
 
-  '@swc/core-win32-x64-msvc@1.13.19':
-    resolution: {integrity: sha512-qNoyCpXvv2O3JqXKanRIeoMn03Fho/As+N4Fhe7u0FsYh4VYqGQah4DGDzEP/yjl4Gx1IElhqLGDhCCGMwWaDw==}
+  '@swc/core-win32-x64-msvc@1.14.0':
+    resolution: {integrity: sha512-nm+JajGrTqUA6sEHdghDlHMNfH1WKSiuvljhdmBACW4ta4LC3gKurX2qZuiBARvPkephW9V/i5S8QPY1PzFEqg==}
     engines: {node: '>=10'}
     cpu: [x64]
     os: [win32]
 
-  '@swc/core@1.13.19':
-    resolution: {integrity: sha512-V1r4wFdjaZIUIZZrV2Mb/prEeu03xvSm6oatPxsvnXKF9lNh5Jtk9QvUdiVfD9rrvi7bXrAVhg9Wpbmv/2Fl1g==}
+  '@swc/core@1.14.0':
+    resolution: {integrity: sha512-oExhY90bes5pDTVrei0xlMVosTxwd/NMafIpqsC4dMbRYZ5KB981l/CX8tMnGsagTplj/RcG9BeRYmV6/J5m3w==}
     engines: {node: '>=10'}
     peerDependencies:
       '@swc/helpers': '>=0.5.17'
@@ -963,8 +963,8 @@ packages:
   '@swc/types@0.1.25':
     resolution: {integrity: sha512-iAoY/qRhNH8a/hBvm3zKj9qQ4oc2+3w1unPJa2XvTK3XjeLXtzcCingVPw/9e5mn1+0yPqxcBGp9Jf0pkfMb1g==}
 
-  '@tanstack/query-core@5.90.2':
-    resolution: {integrity: sha512-k/TcR3YalnzibscALLwxeiLUub6jN5EDLwKDiO7q5f4ICEoptJ+n9+7vcEFy5/x/i6Q+Lb/tXrsKCggf5uQJXQ==}
+  '@tanstack/query-core@5.90.6':
+    resolution: {integrity: sha512-AnZSLF26R8uX+tqb/ivdrwbVdGemdEDm1Q19qM6pry6eOZ6bEYiY7mWhzXT1YDIPTNEVcZ5kYP9nWjoxDLiIVw==}
 
   '@tanstack/query-devtools@5.90.1':
     resolution: {integrity: sha512-GtINOPjPUH0OegJExZ70UahT9ykmAhmtNVcmtdnOZbxLwT7R5OmRztR5Ahe3/Cu7LArEmR6/588tAycuaWb1xQ==}
@@ -975,8 +975,8 @@ packages:
       '@tanstack/react-query': ^5.90.2
       react: ^18 || ^19
 
-  '@tanstack/react-query@5.90.2':
-    resolution: {integrity: sha512-CLABiR+h5PYfOWr/z+vWFt5VsOA2ekQeRQBFSKlcoW6Ndx/f8rfyVmq4LbgOM4GG2qtxAxjLYLOpCNTYm4uKzw==}
+  '@tanstack/react-query@5.90.6':
+    resolution: {integrity: sha512-gB1sljYjcobZKxjPbKSa31FUTyr+ROaBdoH+wSSs9Dk+yDCmMs+TkTV3PybRRVLC7ax7q0erJ9LvRWnMktnRAw==}
     peerDependencies:
       react: ^18 || ^19
 
@@ -1055,8 +1055,8 @@ packages:
   '@types/ms@2.1.0':
     resolution: {integrity: sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==}
 
-  '@types/node@24.5.2':
-    resolution: {integrity: sha512-FYxk1I7wPv3K2XBaoyH2cTnocQEu8AOZ60hPbsyukMPLv5/5qr7V1i8PLHdl6Zf87I+xZXFvPCXYjiTFq+YSDQ==}
+  '@types/node@24.10.0':
+    resolution: {integrity: sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A==}
 
   '@types/normalize-package-data@2.4.4':
     resolution: {integrity: sha512-37i+OaWTh9qeK4LSHPsyRC7NahnGotNuZvjLSgcPzblpHB3rrCJxAOgI5gCdKm7coonsaX1Of0ILiTcnZjbfxA==}
@@ -1067,10 +1067,10 @@ packages:
   '@types/qs@6.14.0':
     resolution: {integrity: sha512-eOunJqu0K1923aExK6y8p6fsihYEn/BYuQ4g0CxAAgFc4b/ZLN4CrsRZ55srTdqoiLzU2B2evC+apEIxprEzkQ==}
 
-  '@types/react-dom@19.1.9':
-    resolution: {integrity: sha512-qXRuZaOsAdXKFyOhRBg6Lqqc0yay13vN7KrIg4L7N4aaHN68ma9OK3NE1BoDFgFOTfM7zg+3/8+2n8rLUH3OKQ==}
+  '@types/react-dom@19.2.2':
+    resolution: {integrity: sha512-9KQPoO6mZCi7jcIStSnlOWn2nEF3mNmyr3rIAsGnAbQKYbRLyqmeSc39EVgtxXVia+LMT8j3knZLAZAh+xLmrw==}
     peerDependencies:
-      '@types/react': ^19.0.0
+      '@types/react': ^19.2.0
 
   '@types/react-router-dom@5.3.3':
     resolution: {integrity: sha512-kpqnYK4wcdm5UaWI3fLcELopqLrHgLqNsdpHauzlQktfkHL3npOSwtj1Uz9oKBAzs7lFtVkV8j83voAz2D8fhw==}
@@ -1078,8 +1078,8 @@ packages:
   '@types/react-router@5.1.20':
     resolution: {integrity: sha512-jGjmu/ZqS7FjSH6owMcD5qpq19+1RS9DeVRqfl1FeBMxTDQAGwlMWOcs52NDoXaNKyG3d1cYQFMs9rCrb88o9Q==}
 
-  '@types/react@19.1.13':
-    resolution: {integrity: sha512-hHkbU/eoO3EG5/MZkuFSKmYqPbSVk5byPFa3e7y/8TybHiLMACgI8seVYlicwk7H5K/rI2px9xrQp/C+AUDTiQ==}
+  '@types/react@19.2.2':
+    resolution: {integrity: sha512-6mDvHUFSjyT2B2yeNx2nUgMxh9LtOWvkhIU3uePn2I2oyNymUAX1NIsdgviM4CH+JSrp2D2hsMvJOkxY+0wNRA==}
 
   '@types/unist@2.0.11':
     resolution: {integrity: sha512-CmBKiL6NNo/OqgmMn95Fk9Whlp2mtvIv+KNpQKN2F4SjvrEesubTRWGYSg+BnWZOnlCaSTU1sMpsBOzgbYhnsA==}
@@ -1101,8 +1101,8 @@ packages:
     peerDependencies:
       react: '>= 16.8.0'
 
-  '@vitejs/plugin-react-swc@4.1.0':
-    resolution: {integrity: sha512-Ff690TUck0Anlh7wdIcnsVMhofeEVgm44Y4OYdeeEEPSKyZHzDI9gfVBvySEhDfXtBp8tLCbfsVKPWEMEjq8/g==}
+  '@vitejs/plugin-react-swc@4.2.0':
+    resolution: {integrity: sha512-/tesahXD1qpkGC6FzMoFOJj0RyZdw9xLELOL+6jbElwmWfwOnIVy+IfpY+o9JfD9PKaR/Eyb6DNrvbXpuvA+8Q==}
     engines: {node: ^20.19.0 || >=22.12.0}
     peerDependencies:
       vite: ^4 || ^5 || ^6 || ^7
@@ -1152,8 +1152,8 @@ packages:
     peerDependencies:
       postcss: ^8.1.0
 
-  axios@1.12.2:
-    resolution: {integrity: sha512-vMJzPewAlRyOgxV2dU0Cuz2O8zzzx9VYtbJOaBgXFeLc4IV/Eg50n4LowmehOOR61S8ZMpc2K5Sa7g6A4jfkUw==}
+  axios@1.13.1:
+    resolution: {integrity: sha512-hU4EGxxt+j7TQijx1oYdAjw4xuIp1wRQSsbMFwSthCWeBQur1eF+qJ5iQ5sN3Tw8YRzQNKb8jszgBdMDVqwJcw==}
 
   babel-plugin-macros@3.1.0:
     resolution: {integrity: sha512-Cg7TFGpIr01vOQNODXOOaGz2NpCU5gl8x1qJFbb6hbZxR7XrcE2vtbAsTAbJ7/xwJtUuJEw8K8Zr/AE0LHlesg==}
@@ -1165,8 +1165,8 @@ packages:
   balanced-match@1.0.2:
     resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==}
 
-  baseline-browser-mapping@2.8.7:
-    resolution: {integrity: sha512-bxxN2M3a4d1CRoQC//IqsR5XrLh0IJ8TCv2x6Y9N0nckNz/rTjZB3//GGscZziZOxmjP55rzxg/ze7usFI9FqQ==}
+  baseline-browser-mapping@2.8.23:
+    resolution: {integrity: sha512-616V5YX4bepJFzNyOfce5Fa8fDJMfoxzOIzDCZwaGL8MKVpFrXqfNUoIpRn9YMI5pXf/VKgzjB4htFMsFKKdiQ==}
     hasBin: true
 
   bignumber.js@9.3.1:
@@ -1183,8 +1183,8 @@ packages:
     resolution: {integrity: sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==}
     engines: {node: '>=8'}
 
-  browserslist@4.26.2:
-    resolution: {integrity: sha512-ECFzp6uFOSB+dcZ5BK/IBaGWssbSYBHvuMeMt3MMFyhI0Z8SqGgEkBLARgpRH3hutIgPVsALcMwbDrJqPxQ65A==}
+  browserslist@4.27.0:
+    resolution: {integrity: sha512-AXVQwdhot1eqLihwasPElhX2tAZiBjWdJ9i/Zcj2S6QYIjkx62OKSfnobkriB81C3l4w0rVy3Nt4jaTBltYEpw==}
     engines: {node: ^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7}
     hasBin: true
 
@@ -1220,8 +1220,8 @@ packages:
     resolution: {integrity: sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg==}
     engines: {node: '>=6'}
 
-  caniuse-lite@1.0.30001745:
-    resolution: {integrity: sha512-ywt6i8FzvdgrrrGbr1jZVObnVv6adj+0if2/omv9cmR2oiZs30zL4DIyaptKcbOrBdOIc74QTMoJvSE2QHh5UQ==}
+  caniuse-lite@1.0.30001753:
+    resolution: {integrity: sha512-Bj5H35MD/ebaOV4iDLqPEtiliTN29qkGtEHCwawWn4cYm+bPJM2NsaP30vtZcnERClMzp52J4+aw2UNbK4o+zw==}
 
   ccount@2.0.1:
     resolution: {integrity: sha512-eyrF0jiFpY+3drT6383f1qhkbGsLSifNAjA61IUjZjmLCWjItY6LB9ft9YhoDgwfmclB2zhu51Lc7+95b8NRAg==}
@@ -1445,8 +1445,8 @@ packages:
   dateformat@3.0.3:
     resolution: {integrity: sha512-jyCETtSl3VMZMWeRo7iY1FL19ges1t55hMo5yaam4Jrsm5EPL89UQkoQRyiI+Yf4k8r2ZpdngkV8hr1lIdjb3Q==}
 
-  dayjs@1.11.18:
-    resolution: {integrity: sha512-zFBQ7WFRvVRhKcWoUh+ZA1g2HVgUbsZm9sbddh8EC5iv93sui8DVVz1Npvz+r6meo9VKfa8NyLWBsQK1VvIKPA==}
+  dayjs@1.11.19:
+    resolution: {integrity: sha512-t5EcLVS6QPBNqM2z8fakk/NKel+Xzshgt8FFKAn+qwlD1pzZWxh0nVCrvFK7ZDb6XucZeF9z8C7CBWTRIVApAw==}
 
   debug@4.4.3:
     resolution: {integrity: sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==}
@@ -1521,8 +1521,8 @@ packages:
     resolution: {integrity: sha512-QM8q3zDe58hqUqjraQOmzZ1LIH9SWQJTlEKCH4kJ2oQvLZk7RbQXvtDM2XEq3fwkV9CCvvH4LA0AV+ogFsBM2Q==}
     engines: {node: '>=8'}
 
-  dotenv@17.2.2:
-    resolution: {integrity: sha512-Sf2LSQP+bOlhKWWyhFsn0UsfdK/kCWRv1iuA2gXAwt3dyNabr6QSj00I2V10pidqz69soatm9ZwZvpQMTIOd5Q==}
+  dotenv@17.2.3:
+    resolution: {integrity: sha512-JVUnt+DUIzu87TABbhPmNfVdBDt18BLOWjMUFJMSi/Qqg7NTYtabbvSNJGOJ7afbRuv9D/lngizHtP7QyLQ+9w==}
     engines: {node: '>=12'}
 
   dotgitignore@2.1.0:
@@ -1533,8 +1533,8 @@ packages:
     resolution: {integrity: sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==}
     engines: {node: '>= 0.4'}
 
-  electron-to-chromium@1.5.224:
-    resolution: {integrity: sha512-kWAoUu/bwzvnhpdZSIc6KUyvkI1rbRXMT0Eq8pKReyOyaPZcctMli+EgvcN1PAvwVc7Tdo4Fxi2PsLNDU05mdg==}
+  electron-to-chromium@1.5.244:
+    resolution: {integrity: sha512-OszpBN7xZX4vWMPJwB9illkN/znA8M36GQqQxi6MNy9axWxhOfJyZZJtSLQCpEFLHP2xK33BiWx9aIuIEXVCcw==}
 
   emoji-regex@8.0.0:
     resolution: {integrity: sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==}
@@ -1566,11 +1566,11 @@ packages:
     resolution: {integrity: sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==}
     engines: {node: '>= 0.4'}
 
-  es-toolkit@1.39.10:
-    resolution: {integrity: sha512-E0iGnTtbDhkeczB0T+mxmoVlT4YNweEKBLq7oaU4p11mecdsZpNWOglI4895Vh4usbQ+LsJiuLuI2L0Vdmfm2w==}
+  es-toolkit@1.41.0:
+    resolution: {integrity: sha512-bDd3oRmbVgqZCJS6WmeQieOrzpl3URcWBUVDXxOELlUW2FuW+0glPOz1n0KnRie+PdyvUZcXz2sOn00c6pPRIA==}
 
-  esbuild@0.25.10:
-    resolution: {integrity: sha512-9RiGKvCwaqxO2owP61uQ4BgNborAQskMR6QusfWzQqv7AZOg5oGehdY2pRJMTKuwxd1IDBP4rSbI5lHzU7SMsQ==}
+  esbuild@0.25.12:
+    resolution: {integrity: sha512-bbPBYYrtZbkt6Os6FiTLCTFxvq4tt3JKall1vRwshA3fdVztsLAatFaZobhkBC8/BrPetoa0oksYoKXoG4ryJg==}
     engines: {node: '>=18'}
     hasBin: true
 
@@ -1657,8 +1657,8 @@ packages:
   fraction.js@4.3.7:
     resolution: {integrity: sha512-ZsDfxO51wGAXREY55a7la9LScWpwv9RxIrYABrlvOFBlH/ShPnrtsXeuUIfXKKOVicNxQ+o8JTbJvjS4M89yew==}
 
-  framer-motion@12.23.22:
-    resolution: {integrity: sha512-ZgGvdxXCw55ZYvhoZChTlG6pUuehecgvEAJz0BHoC5pQKW1EC5xf1Mul1ej5+ai+pVY0pylyFfdl45qnM1/GsA==}
+  framer-motion@12.23.24:
+    resolution: {integrity: sha512-HMi5HRoRCTou+3fb3h9oTLyJGBxHfW+HnNE25tAXOvVx/IvwMHK0cx7IR4a2ZU6sh3IX1Z+4ts32PcYBOqka8w==}
     peerDependencies:
       '@emotion/is-prop-valid': '*'
       react: ^18.0.0 || ^19.0.0
@@ -1728,8 +1728,8 @@ packages:
     resolution: {integrity: sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==}
     engines: {node: '>= 6'}
 
-  globals@16.4.0:
-    resolution: {integrity: sha512-ob/2LcVVaVGCYN+r14cnwnoDPUufjiYgSqRhiFD0Q1iI4Odora5RE8Iv1D24hAz5oMophRGkGz+yuvQmmUMnMw==}
+  globals@16.5.0:
+    resolution: {integrity: sha512-c/c15i26VrJ4IRt5Z89DnIzCGDn9EcebibhAOjw5ibqEHsE1wLUgkPn9RDmNcUKyU87GeaL633nyJ+pplFR2ZQ==}
     engines: {node: '>=18'}
 
   gopd@1.2.0:
@@ -1812,8 +1812,8 @@ packages:
   html-dom-parser@5.1.1:
     resolution: {integrity: sha512-+o4Y4Z0CLuyemeccvGN4bAO20aauB2N9tFEAep5x4OW34kV4PTarBHm6RL02afYt2BMKcr0D2Agep8S3nJPIBg==}
 
-  html-react-parser@5.2.6:
-    resolution: {integrity: sha512-qcpPWLaSvqXi+TndiHbCa+z8qt0tVzjMwFGFBAa41ggC+ZA5BHaMIeMJla9g3VSp4SmiZb9qyQbmbpHYpIfPOg==}
+  html-react-parser@5.2.7:
+    resolution: {integrity: sha512-WzIAcqQoZoF49J9aev8NBDLz9TJvt2RmipeYA+/5+5x0sWCwFxqKiq0lysieiSA/G6dbUZ6KGGy65Cx2fjie5Q==}
     peerDependencies:
       '@types/react': 0.14 || 15 || 16 || 17 || 18 || 19
       react: 0.14 || 15 || 16 || 17 || 18 || 19
@@ -1833,8 +1833,8 @@ packages:
   humanize-duration@3.33.1:
     resolution: {integrity: sha512-hwzSCymnRdFx9YdRkQQ0OYequXiVAV6ZGQA2uzocwB0F4309Ke6pO8dg0P8LHhRQJyVjGteRTAA/zNfEcpXn8A==}
 
-  immer@10.1.3:
-    resolution: {integrity: sha512-tmjF/k8QDKydUlm3mZU+tjM6zeq9/fFpPqH9SzWmBnVVKsPBg/V66qsMwb3/Bo90cgUN+ghdVBess+hPsxUyRw==}
+  immer@10.2.0:
+    resolution: {integrity: sha512-d/+XTN3zfODyjr89gM3mPq1WNX2B8pYsu7eORitdwyA2sBubnTl3laYlBk4sXY5FUa5qTZGBDPJICVbvqzjlbw==}
 
   immutable@4.3.7:
     resolution: {integrity: sha512-1hqclzwYwjRDFLjcFxOM5AYkkG0rpFPpr1RLPMEuGczoS7YA8gLhy8SWXYRAA/XwfEHpfo3cw5JGioS32fnMRw==}
@@ -1856,6 +1856,9 @@ packages:
   inline-style-parser@0.2.4:
     resolution: {integrity: sha512-0aO8FkhNZlj/ZIbNi7Lxxr12obT7cL1moPfE4tg1LkX7LlLfC6DeX4l2ZEud1ukP9jNQyNnfzQVqwbwmAATY4Q==}
 
+  inline-style-parser@0.2.6:
+    resolution: {integrity: sha512-gtGXVaBdl5mAes3rPcMedEBm12ibjt1kDMFfheul1wUAOVEJW60voNdMVzVkfLN06O7ZaD/rxhfKgtlgtTbMjg==}
+
   internmap@2.0.3:
     resolution: {integrity: sha512-5Hh7Y1wQbvY5ooGgPbDaL5iYLAPzMTUrjMulskHLH6wnv/A+1q5rgEaiuqEjB+oxGXIVZs1FF+R/KPN3ZSQYYg==}
     engines: {node: '>=12'}
@@ -2158,14 +2161,14 @@ packages:
     resolution: {integrity: sha512-xV2bxeN6F7oYjZWTe/YPAy6MN2M+sL4u/Rlm2AHCIVGfo2p1yGmBHQ6vHehl4bRTZBdHu3TSkWdYgkwpYzAGSw==}
     engines: {node: '>=0.10.0'}
 
-  motion-dom@12.23.21:
-    resolution: {integrity: sha512-5xDXx/AbhrfgsQmSE7YESMn4Dpo6x5/DTZ4Iyy4xqDvVHWvFVoV+V2Ri2S/ksx+D40wrZ7gPYiMWshkdoqNgNQ==}
+  motion-dom@12.23.23:
+    resolution: {integrity: sha512-n5yolOs0TQQBRUFImrRfs/+6X4p3Q4n1dUEqt/H58Vx7OW6RF+foWEgmTVDhIWJIMXOuNNL0apKH2S16en9eiA==}
 
   motion-utils@12.23.6:
     resolution: {integrity: sha512-eAWoPgr4eFEOFfg2WjIsMoqJTW6Z8MTUCgn/GZ3VRpClWBdnbjryiA3ZSNLyxCTmCQx4RmYX6jX1iWHbenUPNQ==}
 
-  motion@12.23.22:
-    resolution: {integrity: sha512-iSq6X9vLHbeYwmHvhK//+U74ROaPnZmBuy60XZzqNl0QtZkWfoZyMDHYnpKuWFv0sNMqHgED8aCXk94LCoQPGg==}
+  motion@12.23.24:
+    resolution: {integrity: sha512-Rc5E7oe2YZ72N//S3QXGzbnXgqNrTESv8KKxABR20q2FLch9gHLo0JLyYo2hZ238bZ9Gx6cWhj9VO0IgwbMjCw==}
     peerDependencies:
       '@emotion/is-prop-valid': '*'
       react: ^18.0.0 || ^19.0.0
@@ -2192,8 +2195,8 @@ packages:
   neo-async@2.6.2:
     resolution: {integrity: sha512-Yd3UES5mWCSqR+qNT93S3UoYUkqAZ9lLg8a7g9rimsWmYGK8cVToA4/sF3RrshdyV3sAGMXVUmpMYOw+dLpOuw==}
 
-  node-releases@2.0.21:
-    resolution: {integrity: sha512-5b0pgg78U3hwXkCM8Z9b2FJdPZlr9Psr9V2gQPESdGHqbntyFJKFW4r5TeWGFzafGY3hzs1JC62VEQMbl1JFkw==}
+  node-releases@2.0.27:
+    resolution: {integrity: sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA==}
 
   normalize-package-data@2.5.0:
     resolution: {integrity: sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==}
@@ -2381,19 +2384,19 @@ packages:
       react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
       react-dom: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
 
-  react-datepicker@8.7.0:
-    resolution: {integrity: sha512-r5OJbiLWc3YiVNy69Kau07/aVgVGsFVMA6+nlqCV7vyQ8q0FUOnJ+wAI4CgVxHejG3i5djAEiebrF8/Eip4rIw==}
+  react-datepicker@8.8.0:
+    resolution: {integrity: sha512-rIJLhww1B5cQY7GYEfSEXvldlGp+GIVU5oE7lxqeK4fmdv5F9bVndplDmblMCvfSMazXmeJ6OHBvRs/PkEhwUQ==}
     peerDependencies:
       react: ^16.9.0 || ^17 || ^18 || ^19 || ^19.0.0-rc
       react-dom: ^16.9.0 || ^17 || ^18 || ^19 || ^19.0.0-rc
 
-  react-dom@19.1.1:
-    resolution: {integrity: sha512-Dlq/5LAZgF0Gaz6yiqZCf6VCcZs1ghAJyrsu84Q/GT0gV+mCxbfmKNoGRKBYMJ8IEdGPqu49YWXD02GCknEDkw==}
+  react-dom@19.2.0:
+    resolution: {integrity: sha512-UlbRu4cAiGaIewkPyiRGJk0imDN2T3JjieT6spoL2UeSf5od4n5LB/mQ4ejmxhCFT1tYe8IvaFulzynWovsEFQ==}
     peerDependencies:
-      react: ^19.1.1
+      react: ^19.2.0
 
-  react-hook-form@7.63.0:
-    resolution: {integrity: sha512-ZwueDMvUeucovM2VjkCf7zIHcs1aAlDimZu2Hvel5C5907gUzMpm4xCrQXtRzCvsBqFjonB4m3x4LzCFI1ZKWA==}
+  react-hook-form@7.66.0:
+    resolution: {integrity: sha512-xXBqsWGKrY46ZqaHDo+ZUYiMUgi8suYu5kdrS20EG8KiL7VRQitEbNjm+UcrDYrNi1YLyfpmAeGjCZYXLT9YBw==}
     engines: {node: '>=18.0.0'}
     peerDependencies:
       react: ^16.8.0 || ^17 || ^18 || ^19
@@ -2416,8 +2419,8 @@ packages:
   react-is@16.13.1:
     resolution: {integrity: sha512-24e6ynE2H+OKt4kqsOvNd8kBpV65zoxbA4BVsEOB3ARVWQki/DHzaUoC5KuON/BiccDaCCTZBuOcfZs70kR8bQ==}
 
-  react-is@19.1.1:
-    resolution: {integrity: sha512-tr41fA15Vn8p4X9ntI+yCyeGSf1TlYaY5vlTZfQmeLBrFo3psOPX6HhTDnFNL9uj3EhP0KAQ80cugCl4b4BERA==}
+  react-is@19.2.0:
+    resolution: {integrity: sha512-x3Ax3kNSMIIkyVYhWPyO09bu0uttcAIoecO/um/rKGQ4EltYWVYtyiGkS/3xMynrbVQdS69Jhlv8FXUEZehlzA==}
 
   react-loading-skeleton@3.5.0:
     resolution: {integrity: sha512-gxxSyLbrEAdXTKgfbpBEFZCO/P153DnqSCQau2+o6lNy1jgMRr2MmRmOzMmyrwSaSYLRB8g7b0waYPmUjz7IhQ==}
@@ -2485,8 +2488,8 @@ packages:
       react: ^15.3.0 || ^16.0.0-alpha || ^17.0.0 || ^18.0.0 || ^19.0.0
       react-dom: ^15.3.0 || ^16.0.0-alpha || ^17.0.0 || ^18.0.0 || ^19.0.0
 
-  react@19.1.1:
-    resolution: {integrity: sha512-w8nqGImo45dmMIfljjMwOGtbmC/mk4CMYhWIicdSflH91J9TyCyczcPFXJzrZ/ZXcgGRFeP6BU0BEJTw6tZdfQ==}
+  react@19.2.0:
+    resolution: {integrity: sha512-tmbWg6W31tQLeB5cdIBOicJDJRR2KzXsV7uSK9iNfLWQ5bIZfxuPEHp7M8wiHyHnn0DD1i7w3Zmin0FtkrwoCQ==}
     engines: {node: '>=0.10.0'}
 
   read-pkg-up@3.0.0:
@@ -2516,8 +2519,8 @@ packages:
     resolution: {integrity: sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==}
     engines: {node: '>=8.10.0'}
 
-  recharts@3.2.1:
-    resolution: {integrity: sha512-0JKwHRiFZdmLq/6nmilxEZl3pqb4T+aKkOkOi/ZISRZwfBhVMgInxzlYU9D4KnCH3KINScLy68m/OvMXoYGZUw==}
+  recharts@3.3.0:
+    resolution: {integrity: sha512-Vi0qmTB0iz1+/Cz9o5B7irVyUjX2ynvEgImbgMt/3sKRREcUM07QiYjS1QpAVrkmVlXqy5gykq4nGWMz9AS4Rg==}
     engines: {node: '>=18'}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
@@ -2565,13 +2568,13 @@ packages:
     resolution: {integrity: sha512-pb/MYmXstAkysRFx8piNI1tGFNQIFA3vkE3Gq4EuA1dF6gHp/+vgZqsCGJapvy8N3Q+4o7FwvquPJcnZ7RYy4g==}
     engines: {node: '>=4'}
 
-  resolve@1.22.10:
-    resolution: {integrity: sha512-NPRy+/ncIMeDlTAsuqwKIiferiawhefFJtkNSW0qZJEqMEb+qBt/77B/jGeeek+F0uOeN05CDa6HXbbIgtVX4w==}
+  resolve@1.22.11:
+    resolution: {integrity: sha512-RfqAvLnMl313r7c9oclB1HhUEAezcpLjz95wFH4LVuhk9JF/r22qmVP9AMmOU4vMX7Q8pN8jwNg/CSpdFnMjTQ==}
     engines: {node: '>= 0.4'}
     hasBin: true
 
-  rollup@4.52.2:
-    resolution: {integrity: sha512-I25/2QgoROE1vYV+NQ1En9T9UFB9Cmfm2CJ83zZOlaDpvz29wGQSZXWKw7MiNXau7wYgB/T9fVIdIuEQ+KbiiA==}
+  rollup@4.52.5:
+    resolution: {integrity: sha512-3GuObel8h7Kqdjt0gxkEzaifHTqLVW56Y/bjN7PSQtkKr0w3V/QYSdt6QWYtd7A1xUtYQigtdUfgj1RvWVtorw==}
     engines: {node: '>=18.0.0', npm: '>=8.0.0'}
     hasBin: true
 
@@ -2592,6 +2595,9 @@ packages:
   scheduler@0.26.0:
     resolution: {integrity: sha512-NlHwttCI/l5gCPR3D1nNXtWABUmBwvZpEQiD4IXSbIDq8BzLIK/7Ir5gTFSGZDUu37K5cMNp0hFtzO38sC7gWA==}
 
+  scheduler@0.27.0:
+    resolution: {integrity: sha512-eNv+WrVbKu1f3vbYJT/xtiF5syA5HPIMtf9IgY/nKg0sWqzAUEvqY/xm7OcZc/qafLx/iO9FgOmeSAp4v5ti/Q==}
+
   semver@5.7.2:
     resolution: {integrity: sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g==}
     hasBin: true
@@ -2600,8 +2606,8 @@ packages:
     resolution: {integrity: sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==}
     hasBin: true
 
-  semver@7.7.2:
-    resolution: {integrity: sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==}
+  semver@7.7.3:
+    resolution: {integrity: sha512-SdsKMrI9TdgjdweUSR9MweHA4EJ8YxHn8DFaDisvhVlUOe4BF1tLD7GAj0lIqWVl+dPb/rExr0Btby5loQm20Q==}
     engines: {node: '>=10'}
     hasBin: true
 
@@ -2698,11 +2704,17 @@ packages:
     resolution: {integrity: sha512-laJTa3Jb+VQpaC6DseHhF7dXVqHTfJPCRDaEbid/drOhgitgYku/letMUqOXFoWV0zIIUbjpdH2t+tYj4bQMRQ==}
     engines: {node: '>=8'}
 
-  style-to-js@1.1.17:
-    resolution: {integrity: sha512-xQcBGDxJb6jjFCTzvQtfiPn6YvvP2O8U1MDIPNfJQlWMYfktPy+iGsHE7cssjs7y84d9fQaK4UF3RIJaAHSoYA==}
+  style-to-js@1.1.18:
+    resolution: {integrity: sha512-JFPn62D4kJaPTnhFUI244MThx+FEGbi+9dw1b9yBBQ+1CZpV7QAT8kUtJ7b7EUNdHajjF/0x8fT+16oLJoojLg==}
+
+  style-to-js@1.1.19:
+    resolution: {integrity: sha512-Ev+SgeqiNGT1ufsXyVC5RrJRXdrkRJ1Gol9Qw7Pb72YCKJXrBvP0ckZhBeVSrw2m06DJpei2528uIpjMb4TsoQ==}
+
+  style-to-object@1.0.11:
+    resolution: {integrity: sha512-5A560JmXr7wDyGLK12Nq/EYS38VkGlglVzkis1JEdbGWSnbQIEhZzTJhzURXN5/8WwwFCs/f/VVcmkTppbXLow==}
 
-  style-to-object@1.0.9:
-    resolution: {integrity: sha512-G4qppLgKu/k6FwRpHiGiKPaPTFcG3g4wNVX/Qsfu+RqQM30E7Tyu/TEgxcL9PNLF5pdRLwQdE3YKKf+KF2Dzlw==}
+  style-to-object@1.0.12:
+    resolution: {integrity: sha512-ddJqYnoT4t97QvN2C95bCgt+m7AAgXjVnkk/jxAfmp7EAB8nnqqZYEbMd3em7/vEomDb2LAQKAy1RFfv41mdNw==}
 
   stylis@4.2.0:
     resolution: {integrity: sha512-Orov6g6BB1sDfYgzWfTHDOxamtX1bE/zo104Dh9e6fqJ3PooipYyfJ0pUmrZO2wAvO8YbEyeFrkV91XTsGMSrw==}
@@ -2723,8 +2735,8 @@ packages:
     resolution: {integrity: sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==}
     engines: {node: '>= 0.4'}
 
-  tabbable@6.2.0:
-    resolution: {integrity: sha512-Cat63mxsVJlzYvN51JmVXIgNoUokrIaT2zLclCXjRd8boZ0004U4KCs/sToJ75C6sdlByWxpYnb5Boif1VSFew==}
+  tabbable@6.3.0:
+    resolution: {integrity: sha512-EIHvdY5bPLuWForiR/AN2Bxngzpuwn1is4asboytXtpTgsArc+WmSJKVLlhdh71u7jFcryDqB2A8lQvj78MkyQ==}
 
   terser@5.37.0:
     resolution: {integrity: sha512-B8wRRkmre4ERucLM/uXx4MOV5cbnOlVAqUst+1+iLKPI0dOgFO28f84ptoQt9HEI537PMzfYa/d+GEPKTRXmYA==}
@@ -2860,8 +2872,8 @@ packages:
     peerDependencies:
       typescript: '>=3.5.1'
 
-  typescript@5.9.2:
-    resolution: {integrity: sha512-CWBzXQrc/qOkhidw1OzBTQuYRbfyxDXJMVJ1XNwUHGROVmuaeiEm3OslpZ1RV96d7SKKjZKrSJu3+t/xlw3R9A==}
+  typescript@5.9.3:
+    resolution: {integrity: sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==}
     engines: {node: '>=14.17'}
     hasBin: true
 
@@ -2870,14 +2882,14 @@ packages:
     engines: {node: '>=0.8.0'}
     hasBin: true
 
-  undici-types@7.12.0:
-    resolution: {integrity: sha512-goOacqME2GYyOZZfb5Lgtu+1IDmAlAEu5xnD3+xTzS10hT0vzpf0SPjkXwAw9Jm+4n/mQGDP3LO8CPbYROeBfQ==}
+  undici-types@7.16.0:
+    resolution: {integrity: sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw==}
 
   unified@11.0.5:
     resolution: {integrity: sha512-xKvGhPWw3k84Qjh8bI3ZeJjqnyadK+GEFtazSfZv/rKeTkTjOJho6mFqh2SM96iIcZokxiOpg78GazTSg8+KHA==}
 
-  unist-util-is@6.0.0:
-    resolution: {integrity: sha512-2qCTHimwdxLfz+YzdGfkqNlH0tLi9xjTnHddPmJwtIG9MGsdbutfTc4P+haPD7l7Cjxf/WZj+we5qfVPvvxfYw==}
+  unist-util-is@6.0.1:
+    resolution: {integrity: sha512-LsiILbtBETkDz8I9p1dQ0uyRUWuaQzd/cuEeS1hoRSyW5E5XGmTzlwY1OrNzzakGowI9Dr/I8HVaw4hTtnxy8g==}
 
   unist-util-position@5.0.0:
     resolution: {integrity: sha512-fucsC7HjXvkB5R3kTCO7kUjRdrS0BJt3M/FPxmHMBOm8JQi2BsHAHFsy27E0EolP8rp0NzXsJ+jNPyDWvOJZPA==}
@@ -2885,20 +2897,20 @@ packages:
   unist-util-stringify-position@4.0.0:
     resolution: {integrity: sha512-0ASV06AAoKCDkS2+xw5RXJywruurpbC4JZSm7nr7MOt1ojAzvyyaO+UxZf18j8FCF6kmzCZKcAgN/yu2gm2XgQ==}
 
-  unist-util-visit-parents@6.0.1:
-    resolution: {integrity: sha512-L/PqWzfTP9lzzEa6CKs0k2nARxTdZduw3zyh8d2NVBnsyvHjSX4TWse388YrrQKbvI8w20fGjGlhgT96WwKykw==}
+  unist-util-visit-parents@6.0.2:
+    resolution: {integrity: sha512-goh1s1TBrqSqukSc8wrjwWhL0hiJxgA8m4kFxGlQ+8FYQ3C/m11FcTs4YYem7V664AhHVvgoQLk890Ssdsr2IQ==}
 
   unist-util-visit@5.0.0:
     resolution: {integrity: sha512-MR04uvD+07cwl/yhVuVWAtw+3GOR/knlL55Nd/wAdblk27GCVt3lqpTivy/tkJcZoNPzTwS1Y+KMojlLDhoTzg==}
 
-  update-browserslist-db@1.1.3:
-    resolution: {integrity: sha512-UxhIZQ+QInVdunkDAaiazvvT/+fXL5Osr0JZlJulepYu6Jd7qJtDZjlur0emRlT71EN3ScPoE7gvsuIKKNavKw==}
+  update-browserslist-db@1.1.4:
+    resolution: {integrity: sha512-q0SPT4xyU84saUX+tomz1WLkxUbuaJnR1xWt17M7fJtEJigJeWUNGUqrauFXsHnqev9y9JTRGwk13tFBuKby4A==}
     hasBin: true
     peerDependencies:
       browserslist: '>= 4.21.0'
 
-  use-breakpoint@4.0.6:
-    resolution: {integrity: sha512-1s7vUjf36eeZYTgY1KkmPNXrTbKJVRA9cjBFQdYjK8+pDr0qJgH6/cuX5qQ2zcfkqxN5LieVd/DTVK6ofnwRTQ==}
+  use-breakpoint@4.0.10:
+    resolution: {integrity: sha512-rnUpZwCQCTtexbpM8S5aiJrfIx6NTvt0WwATiH4hCBN6gQNgkYPFoFt6g/3pAuyqU9D9tLKwXfsVqEWMBnwo6A==}
     peerDependencies:
       react: '>=18'
       react-dom: '>=18'
@@ -2915,8 +2927,8 @@ packages:
     peerDependencies:
       react: '>=16.13'
 
-  use-sync-external-store@1.5.0:
-    resolution: {integrity: sha512-Rb46I4cGGVBmjamjphe8L/UnvJD+uPPtTkNvX5mZgqdbavhI4EbgIWJiIHXJ8bc/i9EQGPRh4DwEURJ552Do0A==}
+  use-sync-external-store@1.6.0:
+    resolution: {integrity: sha512-Pp6GSwGP/NrPIrxVFAIkOQeyw8lFenOHijQWkUTrDvrF4ALqylP2C/KCkeS9dpUM3KvYRQhna5vt7IL95+ZQ9w==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
 
@@ -2947,8 +2959,8 @@ packages:
     peerDependencies:
       vite: '>=2.0.0-beta.69'
 
-  vite@7.1.7:
-    resolution: {integrity: sha512-VbA8ScMvAISJNJVbRDTJdCwqQoAareR/wutevKanhR2/1EkoXVZVkkORaYm/tNVCjP/UDTKtcw3bAkwOUdedmA==}
+  vite@7.1.12:
+    resolution: {integrity: sha512-ZWyE8YXEXqJrrSLvYgrRP7p62OziLW7xI5HYGWFzOvupfAlrLvURSzv/FyGyy0eidogEM3ujU+kUG1zuHgb6Ug==}
     engines: {node: ^20.19.0 || >=22.12.0}
     hasBin: true
     peerDependencies:
@@ -3086,23 +3098,23 @@ snapshots:
 
   '@babel/code-frame@7.27.1':
     dependencies:
-      '@babel/helper-validator-identifier': 7.27.1
+      '@babel/helper-validator-identifier': 7.28.5
       js-tokens: 4.0.0
       picocolors: 1.1.1
 
-  '@babel/compat-data@7.28.4': {}
+  '@babel/compat-data@7.28.5': {}
 
-  '@babel/core@7.28.4':
+  '@babel/core@7.28.5':
     dependencies:
       '@babel/code-frame': 7.27.1
-      '@babel/generator': 7.28.3
+      '@babel/generator': 7.28.5
       '@babel/helper-compilation-targets': 7.27.2
-      '@babel/helper-module-transforms': 7.28.3(@babel/core@7.28.4)
+      '@babel/helper-module-transforms': 7.28.3(@babel/core@7.28.5)
       '@babel/helpers': 7.28.4
-      '@babel/parser': 7.28.4
+      '@babel/parser': 7.28.5
       '@babel/template': 7.27.2
-      '@babel/traverse': 7.28.4
-      '@babel/types': 7.28.4
+      '@babel/traverse': 7.28.5
+      '@babel/types': 7.28.5
       '@jridgewell/remapping': 2.3.5
       convert-source-map: 2.0.0
       debug: 4.4.3
@@ -3112,19 +3124,19 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/generator@7.28.3':
+  '@babel/generator@7.28.5':
     dependencies:
-      '@babel/parser': 7.28.4
-      '@babel/types': 7.28.4
+      '@babel/parser': 7.28.5
+      '@babel/types': 7.28.5
       '@jridgewell/gen-mapping': 0.3.13
       '@jridgewell/trace-mapping': 0.3.31
       jsesc: 3.1.0
 
   '@babel/helper-compilation-targets@7.27.2':
     dependencies:
-      '@babel/compat-data': 7.28.4
+      '@babel/compat-data': 7.28.5
       '@babel/helper-validator-option': 7.27.1
-      browserslist: 4.26.2
+      browserslist: 4.27.0
       lru-cache: 5.1.1
       semver: 6.3.1
 
@@ -3132,59 +3144,59 @@ snapshots:
 
   '@babel/helper-module-imports@7.27.1':
     dependencies:
-      '@babel/traverse': 7.28.4
-      '@babel/types': 7.28.4
+      '@babel/traverse': 7.28.5
+      '@babel/types': 7.28.5
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/helper-module-transforms@7.28.3(@babel/core@7.28.4)':
+  '@babel/helper-module-transforms@7.28.3(@babel/core@7.28.5)':
     dependencies:
-      '@babel/core': 7.28.4
+      '@babel/core': 7.28.5
       '@babel/helper-module-imports': 7.27.1
-      '@babel/helper-validator-identifier': 7.27.1
-      '@babel/traverse': 7.28.4
+      '@babel/helper-validator-identifier': 7.28.5
+      '@babel/traverse': 7.28.5
     transitivePeerDependencies:
       - supports-color
 
   '@babel/helper-string-parser@7.27.1': {}
 
-  '@babel/helper-validator-identifier@7.27.1': {}
+  '@babel/helper-validator-identifier@7.28.5': {}
 
   '@babel/helper-validator-option@7.27.1': {}
 
   '@babel/helpers@7.28.4':
     dependencies:
       '@babel/template': 7.27.2
-      '@babel/types': 7.28.4
+      '@babel/types': 7.28.5
 
-  '@babel/parser@7.28.4':
+  '@babel/parser@7.28.5':
     dependencies:
-      '@babel/types': 7.28.4
+      '@babel/types': 7.28.5
 
   '@babel/runtime@7.28.4': {}
 
   '@babel/template@7.27.2':
     dependencies:
       '@babel/code-frame': 7.27.1
-      '@babel/parser': 7.28.4
-      '@babel/types': 7.28.4
+      '@babel/parser': 7.28.5
+      '@babel/types': 7.28.5
 
-  '@babel/traverse@7.28.4':
+  '@babel/traverse@7.28.5':
     dependencies:
       '@babel/code-frame': 7.27.1
-      '@babel/generator': 7.28.3
+      '@babel/generator': 7.28.5
       '@babel/helper-globals': 7.28.0
-      '@babel/parser': 7.28.4
+      '@babel/parser': 7.28.5
       '@babel/template': 7.27.2
-      '@babel/types': 7.28.4
+      '@babel/types': 7.28.5
       debug: 4.4.3
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/types@7.28.4':
+  '@babel/types@7.28.5':
     dependencies:
       '@babel/helper-string-parser': 7.27.1
-      '@babel/helper-validator-identifier': 7.27.1
+      '@babel/helper-validator-identifier': 7.28.5
 
   '@biomejs/biome@2.2.2':
     optionalDependencies:
@@ -3259,19 +3271,19 @@ snapshots:
 
   '@emotion/memoize@0.9.0': {}
 
-  '@emotion/react@11.14.0(@types/react@19.1.13)(react@19.1.1)':
+  '@emotion/react@11.14.0(@types/react@19.2.2)(react@19.2.0)':
     dependencies:
       '@babel/runtime': 7.28.4
       '@emotion/babel-plugin': 11.13.5
       '@emotion/cache': 11.14.0
       '@emotion/serialize': 1.3.3
-      '@emotion/use-insertion-effect-with-fallbacks': 1.2.0(react@19.1.1)
+      '@emotion/use-insertion-effect-with-fallbacks': 1.2.0(react@19.2.0)
       '@emotion/utils': 1.4.2
       '@emotion/weak-memoize': 0.4.0
       hoist-non-react-statics: 3.3.2
-      react: 19.1.1
+      react: 19.2.0
     optionalDependencies:
-      '@types/react': 19.1.13
+      '@types/react': 19.2.2
     transitivePeerDependencies:
       - supports-color
 
@@ -3285,107 +3297,107 @@ snapshots:
 
   '@emotion/sheet@1.4.0': {}
 
-  '@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.1.13)(react@19.1.1))(@types/react@19.1.13)(react@19.1.1)':
+  '@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.2)(react@19.2.0))(@types/react@19.2.2)(react@19.2.0)':
     dependencies:
       '@babel/runtime': 7.28.4
       '@emotion/babel-plugin': 11.13.5
       '@emotion/is-prop-valid': 1.4.0
-      '@emotion/react': 11.14.0(@types/react@19.1.13)(react@19.1.1)
+      '@emotion/react': 11.14.0(@types/react@19.2.2)(react@19.2.0)
       '@emotion/serialize': 1.3.3
-      '@emotion/use-insertion-effect-with-fallbacks': 1.2.0(react@19.1.1)
+      '@emotion/use-insertion-effect-with-fallbacks': 1.2.0(react@19.2.0)
       '@emotion/utils': 1.4.2
-      react: 19.1.1
+      react: 19.2.0
     optionalDependencies:
-      '@types/react': 19.1.13
+      '@types/react': 19.2.2
     transitivePeerDependencies:
       - supports-color
 
   '@emotion/unitless@0.10.0': {}
 
-  '@emotion/use-insertion-effect-with-fallbacks@1.2.0(react@19.1.1)':
+  '@emotion/use-insertion-effect-with-fallbacks@1.2.0(react@19.2.0)':
     dependencies:
-      react: 19.1.1
+      react: 19.2.0
 
   '@emotion/utils@1.4.2': {}
 
   '@emotion/weak-memoize@0.4.0': {}
 
-  '@esbuild/aix-ppc64@0.25.10':
+  '@esbuild/aix-ppc64@0.25.12':
     optional: true
 
-  '@esbuild/android-arm64@0.25.10':
+  '@esbuild/android-arm64@0.25.12':
     optional: true
 
-  '@esbuild/android-arm@0.25.10':
+  '@esbuild/android-arm@0.25.12':
     optional: true
 
-  '@esbuild/android-x64@0.25.10':
+  '@esbuild/android-x64@0.25.12':
     optional: true
 
-  '@esbuild/darwin-arm64@0.25.10':
+  '@esbuild/darwin-arm64@0.25.12':
     optional: true
 
-  '@esbuild/darwin-x64@0.25.10':
+  '@esbuild/darwin-x64@0.25.12':
     optional: true
 
-  '@esbuild/freebsd-arm64@0.25.10':
+  '@esbuild/freebsd-arm64@0.25.12':
     optional: true
 
-  '@esbuild/freebsd-x64@0.25.10':
+  '@esbuild/freebsd-x64@0.25.12':
     optional: true
 
-  '@esbuild/linux-arm64@0.25.10':
+  '@esbuild/linux-arm64@0.25.12':
     optional: true
 
-  '@esbuild/linux-arm@0.25.10':
+  '@esbuild/linux-arm@0.25.12':
     optional: true
 
-  '@esbuild/linux-ia32@0.25.10':
+  '@esbuild/linux-ia32@0.25.12':
     optional: true
 
-  '@esbuild/linux-loong64@0.25.10':
+  '@esbuild/linux-loong64@0.25.12':
     optional: true
 
-  '@esbuild/linux-mips64el@0.25.10':
+  '@esbuild/linux-mips64el@0.25.12':
     optional: true
 
-  '@esbuild/linux-ppc64@0.25.10':
+  '@esbuild/linux-ppc64@0.25.12':
     optional: true
 
-  '@esbuild/linux-riscv64@0.25.10':
+  '@esbuild/linux-riscv64@0.25.12':
     optional: true
 
-  '@esbuild/linux-s390x@0.25.10':
+  '@esbuild/linux-s390x@0.25.12':
     optional: true
 
-  '@esbuild/linux-x64@0.25.10':
+  '@esbuild/linux-x64@0.25.12':
     optional: true
 
-  '@esbuild/netbsd-arm64@0.25.10':
+  '@esbuild/netbsd-arm64@0.25.12':
     optional: true
 
-  '@esbuild/netbsd-x64@0.25.10':
+  '@esbuild/netbsd-x64@0.25.12':
     optional: true
 
-  '@esbuild/openbsd-arm64@0.25.10':
+  '@esbuild/openbsd-arm64@0.25.12':
     optional: true
 
-  '@esbuild/openbsd-x64@0.25.10':
+  '@esbuild/openbsd-x64@0.25.12':
     optional: true
 
-  '@esbuild/openharmony-arm64@0.25.10':
+  '@esbuild/openharmony-arm64@0.25.12':
     optional: true
 
-  '@esbuild/sunos-x64@0.25.10':
+  '@esbuild/sunos-x64@0.25.12':
     optional: true
 
-  '@esbuild/win32-arm64@0.25.10':
+  '@esbuild/win32-arm64@0.25.12':
     optional: true
 
-  '@esbuild/win32-ia32@0.25.10':
+  '@esbuild/win32-ia32@0.25.12':
     optional: true
 
-  '@esbuild/win32-x64@0.25.10':
+  '@esbuild/win32-x64@0.25.12':
     optional: true
 
   '@floating-ui/core@1.7.3':
@@ -3397,44 +3409,44 @@ snapshots:
       '@floating-ui/core': 1.7.3
       '@floating-ui/utils': 0.2.10
 
-  '@floating-ui/react-dom@2.1.6(react-dom@19.1.1(react@19.1.1))(react@19.1.1)':
+  '@floating-ui/react-dom@2.1.6(react-dom@19.2.0(react@19.2.0))(react@19.2.0)':
     dependencies:
       '@floating-ui/dom': 1.7.4
-      react: 19.1.1
-      react-dom: 19.1.1(react@19.1.1)
+      react: 19.2.0
+      react-dom: 19.2.0(react@19.2.0)
 
-  '@floating-ui/react@0.27.16(react-dom@19.1.1(react@19.1.1))(react@19.1.1)':
+  '@floating-ui/react@0.27.16(react-dom@19.2.0(react@19.2.0))(react@19.2.0)':
     dependencies:
-      '@floating-ui/react-dom': 2.1.6(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
+      '@floating-ui/react-dom': 2.1.6(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       '@floating-ui/utils': 0.2.10
-      react: 19.1.1
-      react-dom: 19.1.1(react@19.1.1)
-      tabbable: 6.2.0
+      react: 19.2.0
+      react-dom: 19.2.0(react@19.2.0)
+      tabbable: 6.3.0
 
   '@floating-ui/utils@0.2.10': {}
 
   '@github/webauthn-json@2.1.1': {}
 
-  '@hookform/devtools@4.4.0(@types/react@19.1.13)(react-dom@19.1.1(react@19.1.1))(react@19.1.1)':
+  '@hookform/devtools@4.4.0(@types/react@19.2.2)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)':
     dependencies:
-      '@emotion/react': 11.14.0(@types/react@19.1.13)(react@19.1.1)
-      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.1.13)(react@19.1.1))(@types/react@19.1.13)(react@19.1.1)
+      '@emotion/react': 11.14.0(@types/react@19.2.2)(react@19.2.0)
+      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.2)(react@19.2.0))(@types/react@19.2.2)(react@19.2.0)
       '@types/lodash': 4.17.20
-      little-state-machine: 4.8.1(react@19.1.1)
+      little-state-machine: 4.8.1(react@19.2.0)
       lodash: 4.17.21
-      react: 19.1.1
-      react-dom: 19.1.1(react@19.1.1)
-      react-simple-animate: 3.5.3(react-dom@19.1.1(react@19.1.1))
-      use-deep-compare-effect: 1.8.1(react@19.1.1)
+      react: 19.2.0
+      react-dom: 19.2.0(react@19.2.0)
+      react-simple-animate: 3.5.3(react-dom@19.2.0(react@19.2.0))
+      use-deep-compare-effect: 1.8.1(react@19.2.0)
       uuid: 8.3.2
     transitivePeerDependencies:
       - '@types/react'
       - supports-color
 
-  '@hookform/resolvers@5.2.2(react-hook-form@7.63.0(react@19.1.1))':
+  '@hookform/resolvers@5.2.2(react-hook-form@7.66.0(react@19.2.0))':
     dependencies:
       '@standard-schema/utils': 0.3.0
-      react-hook-form: 7.63.0(react@19.1.1)
+      react-hook-form: 7.66.0(react@19.2.0)
 
   '@hutson/parse-repository-url@3.0.2': {}
 
@@ -3463,107 +3475,107 @@ snapshots:
       '@jridgewell/resolve-uri': 3.1.2
       '@jridgewell/sourcemap-codec': 1.5.5
 
-  '@react-hook/latest@1.0.3(react@19.1.1)':
+  '@react-hook/latest@1.0.3(react@19.2.0)':
     dependencies:
-      react: 19.1.1
+      react: 19.2.0
 
-  '@react-hook/passive-layout-effect@1.2.1(react@19.1.1)':
+  '@react-hook/passive-layout-effect@1.2.1(react@19.2.0)':
     dependencies:
-      react: 19.1.1
+      react: 19.2.0
 
-  '@react-hook/resize-observer@2.0.2(react@19.1.1)':
+  '@react-hook/resize-observer@2.0.2(react@19.2.0)':
     dependencies:
-      '@react-hook/latest': 1.0.3(react@19.1.1)
-      '@react-hook/passive-layout-effect': 1.2.1(react@19.1.1)
-      react: 19.1.1
+      '@react-hook/latest': 1.0.3(react@19.2.0)
+      '@react-hook/passive-layout-effect': 1.2.1(react@19.2.0)
+      react: 19.2.0
 
-  '@react-rxjs/core@0.10.8(react@19.1.1)(rxjs@7.8.2)':
+  '@react-rxjs/core@0.10.8(react@19.2.0)(rxjs@7.8.2)':
     dependencies:
       '@rx-state/core': 0.1.4(rxjs@7.8.2)
-      react: 19.1.1
+      react: 19.2.0
       rxjs: 7.8.2
-      use-sync-external-store: 1.5.0(react@19.1.1)
+      use-sync-external-store: 1.6.0(react@19.2.0)
 
-  '@reduxjs/toolkit@2.9.0(react-redux@9.2.0(@types/react@19.1.13)(react@19.1.1)(redux@5.0.1))(react@19.1.1)':
+  '@reduxjs/toolkit@2.9.2(react-redux@9.2.0(@types/react@19.2.2)(react@19.2.0)(redux@5.0.1))(react@19.2.0)':
     dependencies:
       '@standard-schema/spec': 1.0.0
       '@standard-schema/utils': 0.3.0
-      immer: 10.1.3
+      immer: 10.2.0
       redux: 5.0.1
       redux-thunk: 3.1.0(redux@5.0.1)
       reselect: 5.1.1
     optionalDependencies:
-      react: 19.1.1
-      react-redux: 9.2.0(@types/react@19.1.13)(react@19.1.1)(redux@5.0.1)
+      react: 19.2.0
+      react-redux: 9.2.0(@types/react@19.2.2)(react@19.2.0)(redux@5.0.1)
 
   '@remix-run/router@1.23.0': {}
 
-  '@rolldown/pluginutils@1.0.0-beta.35': {}
+  '@rolldown/pluginutils@1.0.0-beta.43': {}
 
-  '@rollup/rollup-android-arm-eabi@4.52.2':
+  '@rollup/rollup-android-arm-eabi@4.52.5':
     optional: true
 
-  '@rollup/rollup-android-arm64@4.52.2':
+  '@rollup/rollup-android-arm64@4.52.5':
     optional: true
 
-  '@rollup/rollup-darwin-arm64@4.52.2':
+  '@rollup/rollup-darwin-arm64@4.52.5':
     optional: true
 
-  '@rollup/rollup-darwin-x64@4.52.2':
+  '@rollup/rollup-darwin-x64@4.52.5':
     optional: true
 
-  '@rollup/rollup-freebsd-arm64@4.52.2':
+  '@rollup/rollup-freebsd-arm64@4.52.5':
     optional: true
 
-  '@rollup/rollup-freebsd-x64@4.52.2':
+  '@rollup/rollup-freebsd-x64@4.52.5':
     optional: true
 
-  '@rollup/rollup-linux-arm-gnueabihf@4.52.2':
+  '@rollup/rollup-linux-arm-gnueabihf@4.52.5':
     optional: true
 
-  '@rollup/rollup-linux-arm-musleabihf@4.52.2':
+  '@rollup/rollup-linux-arm-musleabihf@4.52.5':
     optional: true
 
-  '@rollup/rollup-linux-arm64-gnu@4.52.2':
+  '@rollup/rollup-linux-arm64-gnu@4.52.5':
     optional: true
 
-  '@rollup/rollup-linux-arm64-musl@4.52.2':
+  '@rollup/rollup-linux-arm64-musl@4.52.5':
     optional: true
 
-  '@rollup/rollup-linux-loong64-gnu@4.52.2':
+  '@rollup/rollup-linux-loong64-gnu@4.52.5':
     optional: true
 
-  '@rollup/rollup-linux-ppc64-gnu@4.52.2':
+  '@rollup/rollup-linux-ppc64-gnu@4.52.5':
     optional: true
 
-  '@rollup/rollup-linux-riscv64-gnu@4.52.2':
+  '@rollup/rollup-linux-riscv64-gnu@4.52.5':
     optional: true
 
-  '@rollup/rollup-linux-riscv64-musl@4.52.2':
+  '@rollup/rollup-linux-riscv64-musl@4.52.5':
     optional: true
 
-  '@rollup/rollup-linux-s390x-gnu@4.52.2':
+  '@rollup/rollup-linux-s390x-gnu@4.52.5':
     optional: true
 
-  '@rollup/rollup-linux-x64-gnu@4.52.2':
+  '@rollup/rollup-linux-x64-gnu@4.52.5':
     optional: true
 
-  '@rollup/rollup-linux-x64-musl@4.52.2':
+  '@rollup/rollup-linux-x64-musl@4.52.5':
     optional: true
 
-  '@rollup/rollup-openharmony-arm64@4.52.2':
+  '@rollup/rollup-openharmony-arm64@4.52.5':
     optional: true
 
-  '@rollup/rollup-win32-arm64-msvc@4.52.2':
+  '@rollup/rollup-win32-arm64-msvc@4.52.5':
     optional: true
 
-  '@rollup/rollup-win32-ia32-msvc@4.52.2':
+  '@rollup/rollup-win32-ia32-msvc@4.52.5':
     optional: true
 
-  '@rollup/rollup-win32-x64-gnu@4.52.2':
+  '@rollup/rollup-win32-x64-gnu@4.52.5':
     optional: true
 
-  '@rollup/rollup-win32-x64-msvc@4.52.2':
+  '@rollup/rollup-win32-x64-msvc@4.52.5':
     optional: true
 
   '@rx-state/core@0.1.4(rxjs@7.8.2)':
@@ -3601,51 +3613,51 @@ snapshots:
 
   '@standard-schema/utils@0.3.0': {}
 
-  '@swc/core-darwin-arm64@1.13.19':
+  '@swc/core-darwin-arm64@1.14.0':
     optional: true
 
-  '@swc/core-darwin-x64@1.13.19':
+  '@swc/core-darwin-x64@1.14.0':
     optional: true
 
-  '@swc/core-linux-arm-gnueabihf@1.13.19':
+  '@swc/core-linux-arm-gnueabihf@1.14.0':
     optional: true
 
-  '@swc/core-linux-arm64-gnu@1.13.19':
+  '@swc/core-linux-arm64-gnu@1.14.0':
     optional: true
 
-  '@swc/core-linux-arm64-musl@1.13.19':
+  '@swc/core-linux-arm64-musl@1.14.0':
     optional: true
 
-  '@swc/core-linux-x64-gnu@1.13.19':
+  '@swc/core-linux-x64-gnu@1.14.0':
     optional: true
 
-  '@swc/core-linux-x64-musl@1.13.19':
+  '@swc/core-linux-x64-musl@1.14.0':
     optional: true
 
-  '@swc/core-win32-arm64-msvc@1.13.19':
+  '@swc/core-win32-arm64-msvc@1.14.0':
     optional: true
 
-  '@swc/core-win32-ia32-msvc@1.13.19':
+  '@swc/core-win32-ia32-msvc@1.14.0':
     optional: true
 
-  '@swc/core-win32-x64-msvc@1.13.19':
+  '@swc/core-win32-x64-msvc@1.14.0':
     optional: true
 
-  '@swc/core@1.13.19':
+  '@swc/core@1.14.0':
     dependencies:
       '@swc/counter': 0.1.3
       '@swc/types': 0.1.25
     optionalDependencies:
-      '@swc/core-darwin-arm64': 1.13.19
-      '@swc/core-darwin-x64': 1.13.19
-      '@swc/core-linux-arm-gnueabihf': 1.13.19
-      '@swc/core-linux-arm64-gnu': 1.13.19
-      '@swc/core-linux-arm64-musl': 1.13.19
-      '@swc/core-linux-x64-gnu': 1.13.19
-      '@swc/core-linux-x64-musl': 1.13.19
-      '@swc/core-win32-arm64-msvc': 1.13.19
-      '@swc/core-win32-ia32-msvc': 1.13.19
-      '@swc/core-win32-x64-msvc': 1.13.19
+      '@swc/core-darwin-arm64': 1.14.0
+      '@swc/core-darwin-x64': 1.14.0
+      '@swc/core-linux-arm-gnueabihf': 1.14.0
+      '@swc/core-linux-arm64-gnu': 1.14.0
+      '@swc/core-linux-arm64-musl': 1.14.0
+      '@swc/core-linux-x64-gnu': 1.14.0
+      '@swc/core-linux-x64-musl': 1.14.0
+      '@swc/core-win32-arm64-msvc': 1.14.0
+      '@swc/core-win32-ia32-msvc': 1.14.0
+      '@swc/core-win32-x64-msvc': 1.14.0
 
   '@swc/counter@0.1.3': {}
 
@@ -3653,26 +3665,26 @@ snapshots:
     dependencies:
       '@swc/counter': 0.1.3
 
-  '@tanstack/query-core@5.90.2': {}
+  '@tanstack/query-core@5.90.6': {}
 
   '@tanstack/query-devtools@5.90.1': {}
 
-  '@tanstack/react-query-devtools@5.90.2(@tanstack/react-query@5.90.2(react@19.1.1))(react@19.1.1)':
+  '@tanstack/react-query-devtools@5.90.2(@tanstack/react-query@5.90.6(react@19.2.0))(react@19.2.0)':
     dependencies:
       '@tanstack/query-devtools': 5.90.1
-      '@tanstack/react-query': 5.90.2(react@19.1.1)
-      react: 19.1.1
+      '@tanstack/react-query': 5.90.6(react@19.2.0)
+      react: 19.2.0
 
-  '@tanstack/react-query@5.90.2(react@19.1.1)':
+  '@tanstack/react-query@5.90.6(react@19.2.0)':
     dependencies:
-      '@tanstack/query-core': 5.90.2
-      react: 19.1.1
+      '@tanstack/query-core': 5.90.6
+      react: 19.2.0
 
-  '@tanstack/react-virtual@3.13.12(react-dom@19.1.1(react@19.1.1))(react@19.1.1)':
+  '@tanstack/react-virtual@3.13.12(react-dom@19.2.0(react@19.2.0))(react@19.2.0)':
     dependencies:
       '@tanstack/virtual-core': 3.13.12
-      react: 19.1.1
-      react-dom: 19.1.1(react@19.1.1)
+      react: 19.2.0
+      react-dom: 19.2.0(react@19.2.0)
 
   '@tanstack/virtual-core@3.13.12': {}
 
@@ -3736,9 +3748,9 @@ snapshots:
 
   '@types/ms@2.1.0': {}
 
-  '@types/node@24.5.2':
+  '@types/node@24.10.0':
     dependencies:
-      undici-types: 7.12.0
+      undici-types: 7.16.0
 
   '@types/normalize-package-data@2.4.4': {}
 
@@ -3746,22 +3758,22 @@ snapshots:
 
   '@types/qs@6.14.0': {}
 
-  '@types/react-dom@19.1.9(@types/react@19.1.13)':
+  '@types/react-dom@19.2.2(@types/react@19.2.2)':
     dependencies:
-      '@types/react': 19.1.13
+      '@types/react': 19.2.2
 
   '@types/react-router-dom@5.3.3':
     dependencies:
       '@types/history': 4.7.11
-      '@types/react': 19.1.13
+      '@types/react': 19.2.2
       '@types/react-router': 5.1.20
 
   '@types/react-router@5.1.20':
     dependencies:
       '@types/history': 4.7.11
-      '@types/react': 19.1.13
+      '@types/react': 19.2.2
 
-  '@types/react@19.1.13':
+  '@types/react@19.2.2':
     dependencies:
       csstype: 3.1.3
 
@@ -3775,16 +3787,16 @@ snapshots:
 
   '@use-gesture/core@10.3.1': {}
 
-  '@use-gesture/react@10.3.1(react@19.1.1)':
+  '@use-gesture/react@10.3.1(react@19.2.0)':
     dependencies:
       '@use-gesture/core': 10.3.1
-      react: 19.1.1
+      react: 19.2.0
 
-  '@vitejs/plugin-react-swc@4.1.0(vite@7.1.7(@types/node@24.5.2)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))':
+  '@vitejs/plugin-react-swc@4.2.0(vite@7.1.12(@types/node@24.10.0)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))':
     dependencies:
-      '@rolldown/pluginutils': 1.0.0-beta.35
-      '@swc/core': 1.13.19
-      vite: 7.1.7(@types/node@24.5.2)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
+      '@rolldown/pluginutils': 1.0.0-beta.43
+      '@swc/core': 1.14.0
+      vite: 7.1.12(@types/node@24.10.0)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
     transitivePeerDependencies:
       - '@swc/helpers'
 
@@ -3821,15 +3833,15 @@ snapshots:
 
   autoprefixer@10.4.21(postcss@8.5.6):
     dependencies:
-      browserslist: 4.26.2
-      caniuse-lite: 1.0.30001745
+      browserslist: 4.27.0
+      caniuse-lite: 1.0.30001753
       fraction.js: 4.3.7
       normalize-range: 0.1.2
       picocolors: 1.1.1
       postcss: 8.5.6
       postcss-value-parser: 4.2.0
 
-  axios@1.12.2:
+  axios@1.13.1:
     dependencies:
       follow-redirects: 1.15.11
       form-data: 4.0.4
@@ -3841,13 +3853,13 @@ snapshots:
     dependencies:
       '@babel/runtime': 7.28.4
       cosmiconfig: 7.1.0
-      resolve: 1.22.10
+      resolve: 1.22.11
 
   bail@2.0.2: {}
 
   balanced-match@1.0.2: {}
 
-  baseline-browser-mapping@2.8.7: {}
+  baseline-browser-mapping@2.8.23: {}
 
   bignumber.js@9.3.1: {}
 
@@ -3862,13 +3874,13 @@ snapshots:
     dependencies:
       fill-range: 7.1.1
 
-  browserslist@4.26.2:
+  browserslist@4.27.0:
     dependencies:
-      baseline-browser-mapping: 2.8.7
-      caniuse-lite: 1.0.30001745
-      electron-to-chromium: 1.5.224
-      node-releases: 2.0.21
-      update-browserslist-db: 1.1.3(browserslist@4.26.2)
+      baseline-browser-mapping: 2.8.23
+      caniuse-lite: 1.0.30001753
+      electron-to-chromium: 1.5.244
+      node-releases: 2.0.27
+      update-browserslist-db: 1.1.4(browserslist@4.27.0)
 
   buffer-from@1.1.2: {}
 
@@ -3894,7 +3906,7 @@ snapshots:
 
   camelcase@5.3.1: {}
 
-  caniuse-lite@1.0.30001745: {}
+  caniuse-lite@1.0.30001753: {}
 
   ccount@2.0.1: {}
 
@@ -4167,7 +4179,7 @@ snapshots:
 
   dateformat@3.0.3: {}
 
-  dayjs@1.11.18: {}
+  dayjs@1.11.19: {}
 
   debug@4.4.3:
     dependencies:
@@ -4230,7 +4242,7 @@ snapshots:
     dependencies:
       is-obj: 2.0.0
 
-  dotenv@17.2.2: {}
+  dotenv@17.2.3: {}
 
   dotgitignore@2.1.0:
     dependencies:
@@ -4243,7 +4255,7 @@ snapshots:
       es-errors: 1.3.0
       gopd: 1.2.0
 
-  electron-to-chromium@1.5.224: {}
+  electron-to-chromium@1.5.244: {}
 
   emoji-regex@8.0.0: {}
 
@@ -4270,36 +4282,36 @@ snapshots:
       has-tostringtag: 1.0.2
       hasown: 2.0.2
 
-  es-toolkit@1.39.10: {}
+  es-toolkit@1.41.0: {}
 
-  esbuild@0.25.10:
+  esbuild@0.25.12:
     optionalDependencies:
-      '@esbuild/aix-ppc64': 0.25.10
-      '@esbuild/android-arm': 0.25.10
-      '@esbuild/android-arm64': 0.25.10
-      '@esbuild/android-x64': 0.25.10
-      '@esbuild/darwin-arm64': 0.25.10
-      '@esbuild/darwin-x64': 0.25.10
-      '@esbuild/freebsd-arm64': 0.25.10
-      '@esbuild/freebsd-x64': 0.25.10
-      '@esbuild/linux-arm': 0.25.10
-      '@esbuild/linux-arm64': 0.25.10
-      '@esbuild/linux-ia32': 0.25.10
-      '@esbuild/linux-loong64': 0.25.10
-      '@esbuild/linux-mips64el': 0.25.10
-      '@esbuild/linux-ppc64': 0.25.10
-      '@esbuild/linux-riscv64': 0.25.10
-      '@esbuild/linux-s390x': 0.25.10
-      '@esbuild/linux-x64': 0.25.10
-      '@esbuild/netbsd-arm64': 0.25.10
-      '@esbuild/netbsd-x64': 0.25.10
-      '@esbuild/openbsd-arm64': 0.25.10
-      '@esbuild/openbsd-x64': 0.25.10
-      '@esbuild/openharmony-arm64': 0.25.10
-      '@esbuild/sunos-x64': 0.25.10
-      '@esbuild/win32-arm64': 0.25.10
-      '@esbuild/win32-ia32': 0.25.10
-      '@esbuild/win32-x64': 0.25.10
+      '@esbuild/aix-ppc64': 0.25.12
+      '@esbuild/android-arm': 0.25.12
+      '@esbuild/android-arm64': 0.25.12
+      '@esbuild/android-x64': 0.25.12
+      '@esbuild/darwin-arm64': 0.25.12
+      '@esbuild/darwin-x64': 0.25.12
+      '@esbuild/freebsd-arm64': 0.25.12
+      '@esbuild/freebsd-x64': 0.25.12
+      '@esbuild/linux-arm': 0.25.12
+      '@esbuild/linux-arm64': 0.25.12
+      '@esbuild/linux-ia32': 0.25.12
+      '@esbuild/linux-loong64': 0.25.12
+      '@esbuild/linux-mips64el': 0.25.12
+      '@esbuild/linux-ppc64': 0.25.12
+      '@esbuild/linux-riscv64': 0.25.12
+      '@esbuild/linux-s390x': 0.25.12
+      '@esbuild/linux-x64': 0.25.12
+      '@esbuild/netbsd-arm64': 0.25.12
+      '@esbuild/netbsd-x64': 0.25.12
+      '@esbuild/openbsd-arm64': 0.25.12
+      '@esbuild/openbsd-x64': 0.25.12
+      '@esbuild/openharmony-arm64': 0.25.12
+      '@esbuild/sunos-x64': 0.25.12
+      '@esbuild/win32-arm64': 0.25.12
+      '@esbuild/win32-ia32': 0.25.12
+      '@esbuild/win32-x64': 0.25.12
 
   escalade@3.2.0: {}
 
@@ -4363,15 +4375,15 @@ snapshots:
 
   fraction.js@4.3.7: {}
 
-  framer-motion@12.23.22(@emotion/is-prop-valid@1.4.0)(react-dom@19.1.1(react@19.1.1))(react@19.1.1):
+  framer-motion@12.23.24(@emotion/is-prop-valid@1.4.0)(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
     dependencies:
-      motion-dom: 12.23.21
+      motion-dom: 12.23.23
       motion-utils: 12.23.6
       tslib: 2.8.1
     optionalDependencies:
       '@emotion/is-prop-valid': 1.4.0
-      react: 19.1.1
-      react-dom: 19.1.1(react@19.1.1)
+      react: 19.2.0
+      react-dom: 19.2.0(react@19.2.0)
 
   fsevents@2.3.3:
     optional: true
@@ -4437,7 +4449,7 @@ snapshots:
     dependencies:
       is-glob: 4.0.3
 
-  globals@16.4.0: {}
+  globals@16.5.0: {}
 
   gopd@1.2.0: {}
 
@@ -4523,7 +4535,7 @@ snapshots:
       mdast-util-mdxjs-esm: 2.0.1
       property-information: 7.1.0
       space-separated-tokens: 2.0.2
-      style-to-js: 1.1.17
+      style-to-js: 1.1.19
       unist-util-position: 5.0.0
       vfile-message: 4.0.3
     transitivePeerDependencies:
@@ -4568,15 +4580,15 @@ snapshots:
       domhandler: 5.0.3
       htmlparser2: 10.0.0
 
-  html-react-parser@5.2.6(@types/react@19.1.13)(react@19.1.1):
+  html-react-parser@5.2.7(@types/react@19.2.2)(react@19.2.0):
     dependencies:
       domhandler: 5.0.3
       html-dom-parser: 5.1.1
-      react: 19.1.1
+      react: 19.2.0
       react-property: 2.0.2
-      style-to-js: 1.1.17
+      style-to-js: 1.1.18
     optionalDependencies:
-      '@types/react': 19.1.13
+      '@types/react': 19.2.2
 
   html-url-attributes@3.0.1: {}
 
@@ -4591,7 +4603,7 @@ snapshots:
 
   humanize-duration@3.33.1: {}
 
-  immer@10.1.3: {}
+  immer@10.2.0: {}
 
   immutable@4.3.7: {}
 
@@ -4608,6 +4620,8 @@ snapshots:
 
   inline-style-parser@0.2.4: {}
 
+  inline-style-parser@0.2.6: {}
+
   internmap@2.0.3: {}
 
   ipaddr.js@2.2.0: {}
@@ -4682,9 +4696,9 @@ snapshots:
 
   lines-and-columns@1.2.4: {}
 
-  little-state-machine@4.8.1(react@19.1.1):
+  little-state-machine@4.8.1(react@19.2.0):
     dependencies:
-      react: 19.1.1
+      react: 19.2.0
 
   load-json-file@4.0.0:
     dependencies:
@@ -4796,7 +4810,7 @@ snapshots:
   mdast-util-phrasing@4.1.0:
     dependencies:
       '@types/mdast': 4.0.4
-      unist-util-is: 6.0.0
+      unist-util-is: 6.0.1
 
   mdast-util-to-hast@13.2.0:
     dependencies:
@@ -4840,9 +4854,9 @@ snapshots:
       type-fest: 0.18.1
       yargs-parser: 20.2.9
 
-  merge-refs@2.0.0(@types/react@19.1.13):
+  merge-refs@2.0.0(@types/react@19.2.2):
     optionalDependencies:
-      '@types/react': 19.1.13
+      '@types/react': 19.2.2
 
   micromark-core-commonmark@2.0.3:
     dependencies:
@@ -5003,20 +5017,20 @@ snapshots:
 
   modify-values@1.0.1: {}
 
-  motion-dom@12.23.21:
+  motion-dom@12.23.23:
     dependencies:
       motion-utils: 12.23.6
 
   motion-utils@12.23.6: {}
 
-  motion@12.23.22(@emotion/is-prop-valid@1.4.0)(react-dom@19.1.1(react@19.1.1))(react@19.1.1):
+  motion@12.23.24(@emotion/is-prop-valid@1.4.0)(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
     dependencies:
-      framer-motion: 12.23.22(@emotion/is-prop-valid@1.4.0)(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
+      framer-motion: 12.23.24(@emotion/is-prop-valid@1.4.0)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       tslib: 2.8.1
     optionalDependencies:
       '@emotion/is-prop-valid': 1.4.0
-      react: 19.1.1
-      react-dom: 19.1.1(react@19.1.1)
+      react: 19.2.0
+      react-dom: 19.2.0(react@19.2.0)
 
   ms@2.1.3: {}
 
@@ -5026,12 +5040,12 @@ snapshots:
 
   neo-async@2.6.2: {}
 
-  node-releases@2.0.21: {}
+  node-releases@2.0.27: {}
 
   normalize-package-data@2.5.0:
     dependencies:
       hosted-git-info: 2.8.9
-      resolve: 1.22.10
+      resolve: 1.22.11
       semver: 5.7.2
       validate-npm-package-license: 3.0.4
 
@@ -5039,7 +5053,7 @@ snapshots:
     dependencies:
       hosted-git-info: 4.1.0
       is-core-module: 2.16.1
-      semver: 7.7.2
+      semver: 7.7.3
       validate-npm-package-license: 3.0.4
 
   normalize-path@3.0.0: {}
@@ -5184,57 +5198,57 @@ snapshots:
 
   radash@12.1.1: {}
 
-  react-click-away-listener@2.4.0(react-dom@19.1.1(react@19.1.1))(react@19.1.1):
+  react-click-away-listener@2.4.0(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
     dependencies:
-      react: 19.1.1
-      react-dom: 19.1.1(react@19.1.1)
+      react: 19.2.0
+      react-dom: 19.2.0(react@19.2.0)
 
-  react-datepicker@8.7.0(react-dom@19.1.1(react@19.1.1))(react@19.1.1):
+  react-datepicker@8.8.0(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
     dependencies:
-      '@floating-ui/react': 0.27.16(react-dom@19.1.1(react@19.1.1))(react@19.1.1)
+      '@floating-ui/react': 0.27.16(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       clsx: 2.1.1
       date-fns: 4.1.0
-      react: 19.1.1
-      react-dom: 19.1.1(react@19.1.1)
+      react: 19.2.0
+      react-dom: 19.2.0(react@19.2.0)
 
-  react-dom@19.1.1(react@19.1.1):
+  react-dom@19.2.0(react@19.2.0):
     dependencies:
-      react: 19.1.1
-      scheduler: 0.26.0
+      react: 19.2.0
+      scheduler: 0.27.0
 
-  react-hook-form@7.63.0(react@19.1.1):
+  react-hook-form@7.66.0(react@19.2.0):
     dependencies:
-      react: 19.1.1
+      react: 19.2.0
 
-  react-idle-timer@5.7.2(react-dom@19.1.1(react@19.1.1))(react@19.1.1):
+  react-idle-timer@5.7.2(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
     dependencies:
-      react: 19.1.1
-      react-dom: 19.1.1(react@19.1.1)
+      react: 19.2.0
+      react-dom: 19.2.0(react@19.2.0)
 
-  react-intersection-observer@9.16.0(react-dom@19.1.1(react@19.1.1))(react@19.1.1):
+  react-intersection-observer@9.16.0(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
     dependencies:
-      react: 19.1.1
+      react: 19.2.0
     optionalDependencies:
-      react-dom: 19.1.1(react@19.1.1)
+      react-dom: 19.2.0(react@19.2.0)
 
   react-is@16.13.1: {}
 
-  react-is@19.1.1: {}
+  react-is@19.2.0: {}
 
-  react-loading-skeleton@3.5.0(react@19.1.1):
+  react-loading-skeleton@3.5.0(react@19.2.0):
     dependencies:
-      react: 19.1.1
+      react: 19.2.0
 
-  react-markdown@10.1.0(@types/react@19.1.13)(react@19.1.1):
+  react-markdown@10.1.0(@types/react@19.2.2)(react@19.2.0):
     dependencies:
       '@types/hast': 3.0.4
       '@types/mdast': 4.0.4
-      '@types/react': 19.1.13
+      '@types/react': 19.2.2
       devlop: 1.1.0
       hast-util-to-jsx-runtime: 2.3.6
       html-url-attributes: 3.0.1
       mdast-util-to-hast: 13.2.0
-      react: 19.1.1
+      react: 19.2.0
       remark-parse: 11.0.0
       remark-rehype: 11.1.2
       unified: 11.0.5
@@ -5245,55 +5259,55 @@ snapshots:
 
   react-property@2.0.2: {}
 
-  react-qr-code@2.0.18(react@19.1.1):
+  react-qr-code@2.0.18(react@19.2.0):
     dependencies:
       prop-types: 15.8.1
       qr.js: 0.0.0
-      react: 19.1.1
+      react: 19.2.0
 
-  react-redux@9.2.0(@types/react@19.1.13)(react@19.1.1)(redux@5.0.1):
+  react-redux@9.2.0(@types/react@19.2.2)(react@19.2.0)(redux@5.0.1):
     dependencies:
       '@types/use-sync-external-store': 0.0.6
-      react: 19.1.1
-      use-sync-external-store: 1.5.0(react@19.1.1)
+      react: 19.2.0
+      use-sync-external-store: 1.6.0(react@19.2.0)
     optionalDependencies:
-      '@types/react': 19.1.13
+      '@types/react': 19.2.2
       redux: 5.0.1
 
-  react-resize-detector@12.3.0(react@19.1.1):
+  react-resize-detector@12.3.0(react@19.2.0):
     dependencies:
-      es-toolkit: 1.39.10
-      react: 19.1.1
+      es-toolkit: 1.41.0
+      react: 19.2.0
 
-  react-router-dom@6.30.1(react-dom@19.1.1(react@19.1.1))(react@19.1.1):
+  react-router-dom@6.30.1(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
     dependencies:
       '@remix-run/router': 1.23.0
-      react: 19.1.1
-      react-dom: 19.1.1(react@19.1.1)
-      react-router: 6.30.1(react@19.1.1)
+      react: 19.2.0
+      react-dom: 19.2.0(react@19.2.0)
+      react-router: 6.30.1(react@19.2.0)
 
-  react-router@6.30.1(react@19.1.1):
+  react-router@6.30.1(react@19.2.0):
     dependencies:
       '@remix-run/router': 1.23.0
-      react: 19.1.1
+      react: 19.2.0
 
-  react-simple-animate@3.5.3(react-dom@19.1.1(react@19.1.1)):
+  react-simple-animate@3.5.3(react-dom@19.2.0(react@19.2.0)):
     dependencies:
-      react-dom: 19.1.1(react@19.1.1)
+      react-dom: 19.2.0(react@19.2.0)
 
-  react-tracked@2.0.1(react@19.1.1)(scheduler@0.26.0):
+  react-tracked@2.0.1(react@19.2.0)(scheduler@0.26.0):
     dependencies:
       proxy-compare: 3.0.1
-      react: 19.1.1
+      react: 19.2.0
       scheduler: 0.26.0
-      use-context-selector: 2.0.0(react@19.1.1)(scheduler@0.26.0)
+      use-context-selector: 2.0.0(react@19.2.0)(scheduler@0.26.0)
 
-  react-virtualized-auto-sizer@1.0.26(react-dom@19.1.1(react@19.1.1))(react@19.1.1):
+  react-virtualized-auto-sizer@1.0.26(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
     dependencies:
-      react: 19.1.1
-      react-dom: 19.1.1(react@19.1.1)
+      react: 19.2.0
+      react-dom: 19.2.0(react@19.2.0)
 
-  react@19.1.1: {}
+  react@19.2.0: {}
 
   read-pkg-up@3.0.0:
     dependencies:
@@ -5339,21 +5353,21 @@ snapshots:
     dependencies:
       picomatch: 2.3.1
 
-  recharts@3.2.1(@types/react@19.1.13)(react-dom@19.1.1(react@19.1.1))(react-is@19.1.1)(react@19.1.1)(redux@5.0.1):
+  recharts@3.3.0(@types/react@19.2.2)(react-dom@19.2.0(react@19.2.0))(react-is@19.2.0)(react@19.2.0)(redux@5.0.1):
     dependencies:
-      '@reduxjs/toolkit': 2.9.0(react-redux@9.2.0(@types/react@19.1.13)(react@19.1.1)(redux@5.0.1))(react@19.1.1)
+      '@reduxjs/toolkit': 2.9.2(react-redux@9.2.0(@types/react@19.2.2)(react@19.2.0)(redux@5.0.1))(react@19.2.0)
       clsx: 2.1.1
       decimal.js-light: 2.5.1
-      es-toolkit: 1.39.10
+      es-toolkit: 1.41.0
       eventemitter3: 5.0.1
-      immer: 10.1.3
-      react: 19.1.1
-      react-dom: 19.1.1(react@19.1.1)
-      react-is: 19.1.1
-      react-redux: 9.2.0(@types/react@19.1.13)(react@19.1.1)(redux@5.0.1)
+      immer: 10.2.0
+      react: 19.2.0
+      react-dom: 19.2.0(react@19.2.0)
+      react-is: 19.2.0
+      react-redux: 9.2.0(@types/react@19.2.2)(react@19.2.0)(redux@5.0.1)
       reselect: 5.1.1
       tiny-invariant: 1.3.3
-      use-sync-external-store: 1.5.0(react@19.1.1)
+      use-sync-external-store: 1.6.0(react@19.2.0)
       victory-vendor: 37.3.6
     transitivePeerDependencies:
       - '@types/react'
@@ -5415,38 +5429,38 @@ snapshots:
 
   resolve-from@4.0.0: {}
 
-  resolve@1.22.10:
+  resolve@1.22.11:
     dependencies:
       is-core-module: 2.16.1
       path-parse: 1.0.7
       supports-preserve-symlinks-flag: 1.0.0
 
-  rollup@4.52.2:
+  rollup@4.52.5:
     dependencies:
       '@types/estree': 1.0.8
     optionalDependencies:
-      '@rollup/rollup-android-arm-eabi': 4.52.2
-      '@rollup/rollup-android-arm64': 4.52.2
-      '@rollup/rollup-darwin-arm64': 4.52.2
-      '@rollup/rollup-darwin-x64': 4.52.2
-      '@rollup/rollup-freebsd-arm64': 4.52.2
-      '@rollup/rollup-freebsd-x64': 4.52.2
-      '@rollup/rollup-linux-arm-gnueabihf': 4.52.2
-      '@rollup/rollup-linux-arm-musleabihf': 4.52.2
-      '@rollup/rollup-linux-arm64-gnu': 4.52.2
-      '@rollup/rollup-linux-arm64-musl': 4.52.2
-      '@rollup/rollup-linux-loong64-gnu': 4.52.2
-      '@rollup/rollup-linux-ppc64-gnu': 4.52.2
-      '@rollup/rollup-linux-riscv64-gnu': 4.52.2
-      '@rollup/rollup-linux-riscv64-musl': 4.52.2
-      '@rollup/rollup-linux-s390x-gnu': 4.52.2
-      '@rollup/rollup-linux-x64-gnu': 4.52.2
-      '@rollup/rollup-linux-x64-musl': 4.52.2
-      '@rollup/rollup-openharmony-arm64': 4.52.2
-      '@rollup/rollup-win32-arm64-msvc': 4.52.2
-      '@rollup/rollup-win32-ia32-msvc': 4.52.2
-      '@rollup/rollup-win32-x64-gnu': 4.52.2
-      '@rollup/rollup-win32-x64-msvc': 4.52.2
+      '@rollup/rollup-android-arm-eabi': 4.52.5
+      '@rollup/rollup-android-arm64': 4.52.5
+      '@rollup/rollup-darwin-arm64': 4.52.5
+      '@rollup/rollup-darwin-x64': 4.52.5
+      '@rollup/rollup-freebsd-arm64': 4.52.5
+      '@rollup/rollup-freebsd-x64': 4.52.5
+      '@rollup/rollup-linux-arm-gnueabihf': 4.52.5
+      '@rollup/rollup-linux-arm-musleabihf': 4.52.5
+      '@rollup/rollup-linux-arm64-gnu': 4.52.5
+      '@rollup/rollup-linux-arm64-musl': 4.52.5
+      '@rollup/rollup-linux-loong64-gnu': 4.52.5
+      '@rollup/rollup-linux-ppc64-gnu': 4.52.5
+      '@rollup/rollup-linux-riscv64-gnu': 4.52.5
+      '@rollup/rollup-linux-riscv64-musl': 4.52.5
+      '@rollup/rollup-linux-s390x-gnu': 4.52.5
+      '@rollup/rollup-linux-x64-gnu': 4.52.5
+      '@rollup/rollup-linux-x64-musl': 4.52.5
+      '@rollup/rollup-openharmony-arm64': 4.52.5
+      '@rollup/rollup-win32-arm64-msvc': 4.52.5
+      '@rollup/rollup-win32-ia32-msvc': 4.52.5
+      '@rollup/rollup-win32-x64-gnu': 4.52.5
+      '@rollup/rollup-win32-x64-msvc': 4.52.5
       fsevents: 2.3.3
 
   rxjs@7.8.2:
@@ -5465,11 +5479,13 @@ snapshots:
 
   scheduler@0.26.0: {}
 
+  scheduler@0.27.0: {}
+
   semver@5.7.2: {}
 
   semver@6.3.1: {}
 
-  semver@7.7.2: {}
+  semver@7.7.3: {}
 
   set-blocking@2.0.0: {}
 
@@ -5552,7 +5568,7 @@ snapshots:
       figures: 3.2.0
       find-up: 5.0.0
       git-semver-tags: 4.1.1
-      semver: 7.7.2
+      semver: 7.7.3
       stringify-package: 1.0.1
       yargs: 16.2.0
 
@@ -5587,14 +5603,22 @@ snapshots:
     dependencies:
       min-indent: 1.0.1
 
-  style-to-js@1.1.17:
+  style-to-js@1.1.18:
     dependencies:
-      style-to-object: 1.0.9
+      style-to-object: 1.0.11
 
-  style-to-object@1.0.9:
+  style-to-js@1.1.19:
+    dependencies:
+      style-to-object: 1.0.12
+
+  style-to-object@1.0.11:
     dependencies:
       inline-style-parser: 0.2.4
 
+  style-to-object@1.0.12:
+    dependencies:
+      inline-style-parser: 0.2.6
+
   stylis@4.2.0: {}
 
   supports-color@5.5.0:
@@ -5611,7 +5635,7 @@ snapshots:
 
   supports-preserve-symlinks-flag@1.0.0: {}
 
-  tabbable@6.2.0: {}
+  tabbable@6.3.0: {}
 
   terser@5.37.0:
     dependencies:
@@ -5758,16 +5782,16 @@ snapshots:
 
   typedarray@0.0.6: {}
 
-  typesafe-i18n@5.26.2(typescript@5.9.2):
+  typesafe-i18n@5.26.2(typescript@5.9.3):
     dependencies:
-      typescript: 5.9.2
+      typescript: 5.9.3
 
-  typescript@5.9.2: {}
+  typescript@5.9.3: {}
 
   uglify-js@3.19.3:
     optional: true
 
-  undici-types@7.12.0: {}
+  undici-types@7.16.0: {}
 
   unified@11.0.5:
     dependencies:
@@ -5779,7 +5803,7 @@ snapshots:
       trough: 2.2.0
       vfile: 6.0.3
 
-  unist-util-is@6.0.0:
+  unist-util-is@6.0.1:
     dependencies:
       '@types/unist': 3.0.3
 
@@ -5791,42 +5815,42 @@ snapshots:
     dependencies:
       '@types/unist': 3.0.3
 
-  unist-util-visit-parents@6.0.1:
+  unist-util-visit-parents@6.0.2:
     dependencies:
       '@types/unist': 3.0.3
-      unist-util-is: 6.0.0
+      unist-util-is: 6.0.1
 
   unist-util-visit@5.0.0:
     dependencies:
       '@types/unist': 3.0.3
-      unist-util-is: 6.0.0
-      unist-util-visit-parents: 6.0.1
+      unist-util-is: 6.0.1
+      unist-util-visit-parents: 6.0.2
 
-  update-browserslist-db@1.1.3(browserslist@4.26.2):
+  update-browserslist-db@1.1.4(browserslist@4.27.0):
     dependencies:
-      browserslist: 4.26.2
+      browserslist: 4.27.0
       escalade: 3.2.0
       picocolors: 1.1.1
 
-  use-breakpoint@4.0.6(react-dom@19.1.1(react@19.1.1))(react@19.1.1):
+  use-breakpoint@4.0.10(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
     dependencies:
-      react: 19.1.1
-      react-dom: 19.1.1(react@19.1.1)
+      react: 19.2.0
+      react-dom: 19.2.0(react@19.2.0)
 
-  use-context-selector@2.0.0(react@19.1.1)(scheduler@0.26.0):
+  use-context-selector@2.0.0(react@19.2.0)(scheduler@0.26.0):
     dependencies:
-      react: 19.1.1
+      react: 19.2.0
       scheduler: 0.26.0
 
-  use-deep-compare-effect@1.8.1(react@19.1.1):
+  use-deep-compare-effect@1.8.1(react@19.2.0):
     dependencies:
       '@babel/runtime': 7.28.4
       dequal: 2.0.3
-      react: 19.1.1
+      react: 19.2.0
 
-  use-sync-external-store@1.5.0(react@19.1.1):
+  use-sync-external-store@1.6.0(react@19.2.0):
     dependencies:
-      react: 19.1.1
+      react: 19.2.0
 
   util-deprecate@1.0.2: {}
 
@@ -5869,20 +5893,20 @@ snapshots:
       d3-time: 3.1.0
       d3-timer: 3.0.1
 
-  vite-plugin-package-version@1.1.0(vite@7.1.7(@types/node@24.5.2)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)):
+  vite-plugin-package-version@1.1.0(vite@7.1.12(@types/node@24.10.0)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)):
     dependencies:
-      vite: 7.1.7(@types/node@24.5.2)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
+      vite: 7.1.12(@types/node@24.10.0)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
 
-  vite@7.1.7(@types/node@24.5.2)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1):
+  vite@7.1.12(@types/node@24.10.0)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1):
     dependencies:
-      esbuild: 0.25.10
+      esbuild: 0.25.12
       fdir: 6.5.0(picomatch@4.0.3)
       picomatch: 4.0.3
       postcss: 8.5.6
-      rollup: 4.52.2
+      rollup: 4.52.5
       tinyglobby: 0.2.15
     optionalDependencies:
-      '@types/node': 24.5.2
+      '@types/node': 24.10.0
       fsevents: 2.3.3
       jiti: 2.4.2
       sass: 1.70.0
@@ -5969,11 +5993,11 @@ snapshots:
 
   zod@3.25.76: {}
 
-  zustand@5.0.8(@types/react@19.1.13)(immer@10.1.3)(react@19.1.1)(use-sync-external-store@1.5.0(react@19.1.1)):
+  zustand@5.0.8(@types/react@19.2.2)(immer@10.2.0)(react@19.2.0)(use-sync-external-store@1.6.0(react@19.2.0)):
     optionalDependencies:
-      '@types/react': 19.1.13
-      immer: 10.1.3
-      react: 19.1.1
-      use-sync-external-store: 1.5.0(react@19.1.1)
+      '@types/react': 19.2.2
+      immer: 10.2.0
+      react: 19.2.0
+      use-sync-external-store: 1.6.0(react@19.2.0)
 
   zwitch@2.0.4: {}

From 5c9c893816ed507aab6bcf908c7a58cf98a53ebb Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jacek@defguard.net>
Date: Mon, 3 Nov 2025 12:30:46 +0100
Subject: [PATCH 32/50] allow use of deprecated generic_array imports - used by
 sha1 dependency

---
 crates/defguard_core/src/enterprise/ldap/hash.rs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crates/defguard_core/src/enterprise/ldap/hash.rs b/crates/defguard_core/src/enterprise/ldap/hash.rs
index ddb6d4c8d6..86aec6fa7a 100644
--- a/crates/defguard_core/src/enterprise/ldap/hash.rs
+++ b/crates/defguard_core/src/enterprise/ldap/hash.rs
@@ -2,6 +2,7 @@ use base64::Engine;
 use defguard_common::hex::to_lower_hex;
 use md4::Md4;
 use rand::{RngCore, rngs::OsRng};
+#[allow(deprecated)]
 use sha1::{
     Digest, Sha1,
     digest::generic_array::{GenericArray, sequence::Concat},
@@ -18,6 +19,7 @@ pub fn salted_sha1_hash(password: &str) -> String {
     pass.extend_from_slice(&salt);
 
     let checksum = Sha1::digest(pass);
+    #[allow(deprecated)]
     let checksum = checksum.concat(GenericArray::from(salt));
 
     format!(

From fa273a418c42a35921469cc8259f1b621e65b13e Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jacek@defguard.net>
Date: Mon, 3 Nov 2025 13:08:46 +0100
Subject: [PATCH 33/50] use aws docker repository for e2e

---
 docker-compose.e2e.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.e2e.yaml b/docker-compose.e2e.yaml
index 7009e3ee17..c3fa1d0393 100644
--- a/docker-compose.e2e.yaml
+++ b/docker-compose.e2e.yaml
@@ -24,7 +24,7 @@ services:
       - db
 
   db:
-    image: postgres:17-alpine
+    image: public.ecr.aws/docker/library/postgres:17-alpine
     environment:
       POSTGRES_DB: defguard
       POSTGRES_USER: defguard

From 45496e4e5c3fe4aa118989e836ba0229754a5858 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Fri, 7 Nov 2025 11:52:00 +0100
Subject: [PATCH 34/50] Basic client version reporting (#1688)

* client version checking 1

* Apply suggestions from code review

Co-authored-by: Adam <adam@defguard.net>

* Update client_version.rs

* tests

* fix

* update min version

* use encoded protos for passing platform

* fix

* Update proto

* fix tests

---------

Co-authored-by: Adam <adam@defguard.net>
---
 .../src/enterprise/grpc/desktop_client_mfa.rs |   4 +-
 .../src/enterprise/grpc/polling.rs            |  11 +-
 crates/defguard_core/src/grpc/client_mfa.rs   |   4 +-
 .../defguard_core/src/grpc/client_version.rs  | 386 ++++++++++++++++++
 crates/defguard_core/src/grpc/enrollment.rs   |  24 +-
 crates/defguard_core/src/grpc/mod.rs          |  13 +-
 .../defguard_core/src/grpc/password_reset.rs  |   8 +-
 crates/defguard_core/src/grpc/utils.rs        |  25 +-
 crates/defguard_core/src/version.rs           |   2 +-
 proto                                         |   2 +-
 10 files changed, 453 insertions(+), 26 deletions(-)
 create mode 100644 crates/defguard_core/src/grpc/client_version.rs

diff --git a/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs b/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs
index b03d904df9..6e5e8d032d 100644
--- a/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs
+++ b/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs
@@ -11,7 +11,7 @@ use crate::{
     events::{BidiRequestContext, BidiStreamEvent, BidiStreamEventType, DesktopClientMfaEvent},
     grpc::{
         client_mfa::{ClientLoginSession, ClientMfaServer},
-        utils::parse_client_info,
+        utils::parse_client_ip_agent,
     },
 };
 
@@ -66,7 +66,7 @@ impl ClientMfaServer {
             return Err(Status::invalid_argument("invalid MFA method"));
         }
 
-        let (ip, _user_agent) = parse_client_info(&info).map_err(Status::internal)?;
+        let (ip, _user_agent) = parse_client_ip_agent(&info).map_err(Status::internal)?;
         let context = BidiRequestContext::new(
             user.id,
             user.username.clone(),
diff --git a/crates/defguard_core/src/enterprise/grpc/polling.rs b/crates/defguard_core/src/enterprise/grpc/polling.rs
index ecce3ec2f3..8e04e9a411 100644
--- a/crates/defguard_core/src/enterprise/grpc/polling.rs
+++ b/crates/defguard_core/src/enterprise/grpc/polling.rs
@@ -1,5 +1,5 @@
 use defguard_common::db::Id;
-use defguard_proto::proxy::{InstanceInfoRequest, InstanceInfoResponse};
+use defguard_proto::proxy::{DeviceInfo, InstanceInfoRequest, InstanceInfoResponse};
 use sqlx::PgPool;
 use tonic::Status;
 
@@ -47,7 +47,11 @@ impl PollingServer {
 
     /// Prepares instance info for polling requests. Enterprise only.
     #[instrument(skip_all)]
-    pub async fn info(&self, request: InstanceInfoRequest) -> Result<InstanceInfoResponse, Status> {
+    pub async fn info(
+        &self,
+        request: InstanceInfoRequest,
+        device_info: Option<DeviceInfo>,
+    ) -> Result<InstanceInfoResponse, Status> {
         trace!("Polling info start");
         let token = self.validate_session(&request.token).await?;
         let Some(device) = Device::find_by_id(&self.pool, token.device_id)
@@ -82,7 +86,8 @@ impl PollingServer {
         }
 
         // Build and return polling info.
-        let device_config = build_device_config_response(&self.pool, device, None).await?;
+        let device_config =
+            build_device_config_response(&self.pool, device, None, device_info).await?;
 
         Ok(InstanceInfoResponse {
             device_config: Some(device_config),
diff --git a/crates/defguard_core/src/grpc/client_mfa.rs b/crates/defguard_core/src/grpc/client_mfa.rs
index ea1e6482d6..f688a41a48 100644
--- a/crates/defguard_core/src/grpc/client_mfa.rs
+++ b/crates/defguard_core/src/grpc/client_mfa.rs
@@ -32,7 +32,7 @@ use crate::{
     },
     enterprise::{db::models::openid_provider::OpenIdProvider, is_enterprise_enabled},
     events::{BidiRequestContext, BidiStreamEvent, BidiStreamEventType, DesktopClientMfaEvent},
-    grpc::utils::parse_client_info,
+    grpc::utils::parse_client_ip_agent,
     handlers::mail::send_email_mfa_code_email,
 };
 
@@ -395,7 +395,7 @@ impl ClientMfaServer {
         } = session;
 
         // Prepare event context
-        let (ip, _user_agent) = parse_client_info(&info).map_err(Status::internal)?;
+        let (ip, _user_agent) = parse_client_ip_agent(&info).map_err(Status::internal)?;
         let context = BidiRequestContext::new(
             user.id,
             user.username.clone(),
diff --git a/crates/defguard_core/src/grpc/client_version.rs b/crates/defguard_core/src/grpc/client_version.rs
new file mode 100644
index 0000000000..d8bc7be95e
--- /dev/null
+++ b/crates/defguard_core/src/grpc/client_version.rs
@@ -0,0 +1,386 @@
+use base64::{Engine, prelude::BASE64_STANDARD};
+use defguard_proto::proxy::{ClientPlatformInfo, DeviceInfo};
+use prost::Message;
+use semver::Version;
+
+pub(crate) fn parse_client_version_platform(
+    info: Option<&DeviceInfo>,
+) -> (Option<Version>, Option<ClientPlatformInfo>) {
+    let Some(info) = info else {
+        debug!("Device information is missing from the request");
+        return (None, None);
+    };
+
+    let version = info.version.as_ref().map_or_else(
+        || None,
+        |v| {
+            Version::parse(v).map_or_else(
+                |_| {
+                    error!("Invalid version string: {v}");
+                    None
+                },
+                Some,
+            )
+        },
+    );
+
+    let platform = info.platform.as_ref().and_then(|p| {
+        let binary = BASE64_STANDARD
+            .decode(p)
+            .map_err(|e| {
+                error!("Failed to decode base64 platform string: {e}");
+                e
+            })
+            .ok()?;
+        let platform_info = ClientPlatformInfo::decode(&*binary)
+            .map_err(|e| {
+                error!("Failed to decode ClientPlatformInfo from bytes: {e}");
+                e
+            })
+            .ok()?;
+        Some(platform_info)
+    });
+
+    (version, platform)
+}
+
+/// Represents a client feature that may have minimum version and OS family requirements.
+#[derive(Debug)]
+pub(crate) enum ClientFeature {
+    ServiceLocations,
+}
+
+impl ClientFeature {
+    const fn min_version(&self) -> Option<Version> {
+        match self {
+            Self::ServiceLocations => Some(Version::new(1, 6, 0)),
+        }
+    }
+
+    fn required_os_family(&self) -> Option<Vec<&'static str>> {
+        match self {
+            Self::ServiceLocations => Some(vec!["windows"]),
+        }
+    }
+
+    pub(crate) fn is_supported_by_device(&self, info: Option<&DeviceInfo>) -> bool {
+        let (version, platform) = parse_client_version_platform(info);
+
+        // No minimum version = matches all
+        let version_matches = self.min_version().is_none_or(|min_version| {
+            // No version info = does not match
+            version
+                .as_ref()
+                .is_some_and(|version| version >= &min_version)
+        });
+
+        if !version_matches {
+            debug!(
+                "Client version {version:?} does not meet minimum version {:?} for feature {self:?}",
+                self.min_version()
+            );
+        }
+
+        // No required OS family = matches all
+        let platform_matches = self.required_os_family().is_none_or(|platforms| {
+            platforms.iter().any(|p| {
+                platform
+                    .as_ref()
+                    .is_some_and(|platform| platform.os_family.eq_ignore_ascii_case(p))
+            })
+        });
+
+        if !platform_matches {
+            debug!(
+                "Client OS {:?} does not meet required OS {:?} for feature {self:?}",
+                platform.as_ref().map(|p| &p.os_family),
+                self.required_os_family()
+            );
+        }
+
+        version_matches && platform_matches
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    // Helper function to create DeviceInfo
+    fn create_device_info(
+        version: Option<String>,
+        platform: Option<ClientPlatformInfo>,
+    ) -> DeviceInfo {
+        let platform = platform.map(|p| {
+            let mut buf = Vec::new();
+            p.encode(&mut buf).unwrap();
+            BASE64_STANDARD.encode(&buf)
+        });
+
+        DeviceInfo {
+            version,
+            platform,
+            ..Default::default()
+        }
+    }
+
+    #[test]
+    fn test_parse_client_version_platform() {
+        // Test with valid version and platform
+        let info = create_device_info(
+            Some("1.5.0".to_string()),
+            Some(ClientPlatformInfo {
+                os_family: "windows".to_string(),
+                os_type: "Windows".to_string(),
+                version: "11".to_string(),
+                ..Default::default()
+            }),
+        );
+        let (version, platform) = parse_client_version_platform(Some(&info));
+        assert!(version.is_some());
+        assert_eq!(version.unwrap(), Version::new(1, 5, 0));
+        assert!(platform.is_some());
+        assert_eq!(platform.unwrap().os_family, "windows");
+
+        // Test with no DeviceInfo
+        let (version, platform) = parse_client_version_platform(None);
+        assert!(version.is_none());
+        assert!(platform.is_none());
+
+        // Test with invalid version string
+        let info = create_device_info(
+            Some("invalid.version".to_string()),
+            Some(ClientPlatformInfo {
+                os_family: "linux".to_string(),
+                os_type: "Ubuntu".to_string(),
+                version: "22.04".to_string(),
+                ..Default::default()
+            }),
+        );
+        let (version, platform) = parse_client_version_platform(Some(&info));
+        assert!(version.is_none());
+        assert!(platform.is_some());
+
+        // Test with missing version field
+        let info = create_device_info(
+            None,
+            Some(ClientPlatformInfo {
+                os_family: "linux".to_string(),
+                os_type: "Ubuntu".to_string(),
+                version: "22.04".to_string(),
+                ..Default::default()
+            }),
+        );
+        let (version, platform) = parse_client_version_platform(Some(&info));
+        assert!(version.is_none());
+        assert!(platform.is_some());
+
+        // Test with missing platform field
+        let info = create_device_info(Some("1.5.0".to_string()), None);
+        let (version, platform) = parse_client_version_platform(Some(&info));
+        assert!(version.is_some());
+        assert!(platform.is_none());
+
+        // Test with both fields missing
+        let info = create_device_info(None, None);
+        let (version, platform) = parse_client_version_platform(Some(&info));
+        assert!(version.is_none());
+        assert!(platform.is_none());
+
+        // Test with pre-release version
+        let info = create_device_info(
+            Some("1.5.0-alpha1".to_string()),
+            Some(ClientPlatformInfo {
+                os_family: "macos".to_string(),
+                os_type: "macOS".to_string(),
+                version: "14.0".to_string(),
+                ..Default::default()
+            }),
+        );
+        let (version, platform) = parse_client_version_platform(Some(&info));
+        assert!(version.is_some());
+        assert_eq!(version.unwrap(), Version::parse("1.5.0-alpha1").unwrap());
+        assert!(platform.is_some());
+    }
+
+    #[test]
+    fn test_client_feature_is_supported_by_device() {
+        // Test ServiceLocations feature with supported version and OS
+        let info = create_device_info(
+            Some("1.6.0".to_string()),
+            Some(ClientPlatformInfo {
+                os_family: "windows".to_string(),
+                os_type: "Windows".to_string(),
+                version: "11".to_string(),
+                ..Default::default()
+            }),
+        );
+        assert!(
+            ClientFeature::ServiceLocations.is_supported_by_device(Some(&info)),
+            "ServiceLocations should be supported on Windows with version 1.6.0"
+        );
+
+        // Test with exact minimum version
+        let info = create_device_info(
+            Some("1.6.0".to_string()),
+            Some(ClientPlatformInfo {
+                os_family: "Windows".to_string(),
+                os_type: "Windows".to_string(),
+                version: "11".to_string(),
+                ..Default::default()
+            }),
+        );
+        assert!(
+            ClientFeature::ServiceLocations.is_supported_by_device(Some(&info)),
+            "ServiceLocations should be supported at minimum version"
+        );
+
+        // Test with higher version
+        let info = create_device_info(
+            Some("2.0.0".to_string()),
+            Some(ClientPlatformInfo {
+                os_family: "WINDOWS".to_string(),
+                os_type: "Windows".to_string(),
+                version: "11".to_string(),
+                ..Default::default()
+            }),
+        );
+        assert!(
+            ClientFeature::ServiceLocations.is_supported_by_device(Some(&info)),
+            "ServiceLocations should be supported with higher version"
+        );
+
+        // Test with version below minimum
+        let info = create_device_info(
+            Some("1.5.9".to_string()),
+            Some(ClientPlatformInfo {
+                os_family: "windows".to_string(),
+                os_type: "Windows".to_string(),
+                version: "11".to_string(),
+                ..Default::default()
+            }),
+        );
+        assert!(
+            !ClientFeature::ServiceLocations.is_supported_by_device(Some(&info)),
+            "ServiceLocations should not be supported below minimum version"
+        );
+
+        // Test with wrong OS family (linux)
+        let info = create_device_info(
+            Some("1.6.0".to_string()),
+            Some(ClientPlatformInfo {
+                os_family: "linux".to_string(),
+                os_type: "Ubuntu".to_string(),
+                version: "22.04".to_string(),
+                ..Default::default()
+            }),
+        );
+        assert!(
+            !ClientFeature::ServiceLocations.is_supported_by_device(Some(&info)),
+            "ServiceLocations should not be supported on Linux"
+        );
+
+        // Test with wrong OS family (macos)
+        let info = create_device_info(
+            Some("1.6.0".to_string()),
+            Some(ClientPlatformInfo {
+                os_family: "macos".to_string(),
+                os_type: "macOS".to_string(),
+                version: "14.0".to_string(),
+                ..Default::default()
+            }),
+        );
+        assert!(
+            !ClientFeature::ServiceLocations.is_supported_by_device(Some(&info)),
+            "ServiceLocations should not be supported on macOS"
+        );
+
+        // Test with no DeviceInfo
+        assert!(
+            !ClientFeature::ServiceLocations.is_supported_by_device(None),
+            "ServiceLocations should not be supported without device info"
+        );
+
+        // Test with missing version
+        let info = create_device_info(
+            None,
+            Some(ClientPlatformInfo {
+                os_family: "windows".to_string(),
+                os_type: "Windows".to_string(),
+                version: "11".to_string(),
+                ..Default::default()
+            }),
+        );
+        assert!(
+            !ClientFeature::ServiceLocations.is_supported_by_device(Some(&info)),
+            "ServiceLocations should not be supported without version info"
+        );
+
+        // Test with missing platform
+        let info = create_device_info(Some("1.6.0".to_string()), None);
+        assert!(
+            !ClientFeature::ServiceLocations.is_supported_by_device(Some(&info)),
+            "ServiceLocations should not be supported without platform info"
+        );
+
+        // Test with invalid version string
+        let info = create_device_info(
+            Some("invalid".to_string()),
+            Some(ClientPlatformInfo {
+                os_family: "windows".to_string(),
+                os_type: "Windows".to_string(),
+                version: "11".to_string(),
+                ..Default::default()
+            }),
+        );
+        assert!(
+            !ClientFeature::ServiceLocations.is_supported_by_device(Some(&info)),
+            "ServiceLocations should not be supported with invalid version"
+        );
+
+        // Test case insensitivity of OS family matching
+        let info = create_device_info(
+            Some("1.6.0".to_string()),
+            Some(ClientPlatformInfo {
+                os_family: "WiNdOwS".to_string(),
+                os_type: "Windows".to_string(),
+                version: "11".to_string(),
+                ..Default::default()
+            }),
+        );
+        assert!(
+            ClientFeature::ServiceLocations.is_supported_by_device(Some(&info)),
+            "ServiceLocations should be supported with mixed-case OS family"
+        );
+
+        // Test with pre-release version above minimum
+        let info = create_device_info(
+            Some("1.7.0-alpha1".to_string()),
+            Some(ClientPlatformInfo {
+                os_family: "windows".to_string(),
+                os_type: "Windows".to_string(),
+                version: "11".to_string(),
+                ..Default::default()
+            }),
+        );
+        assert!(
+            ClientFeature::ServiceLocations.is_supported_by_device(Some(&info)),
+            "ServiceLocations should be supported with pre-release version above minimum"
+        );
+
+        // Test with pre-release version below minimum
+        let info = create_device_info(
+            Some("1.5.0-alpha1".to_string()),
+            Some(ClientPlatformInfo {
+                os_family: "windows".to_string(),
+                os_type: "Windows".to_string(),
+                version: "11".to_string(),
+                ..Default::default()
+            }),
+        );
+        assert!(
+            !ClientFeature::ServiceLocations.is_supported_by_device(Some(&info)),
+            "ServiceLocations should not be supported with pre-release version below minimum"
+        );
+    }
+}
diff --git a/crates/defguard_core/src/grpc/enrollment.rs b/crates/defguard_core/src/grpc/enrollment.rs
index 639ee3cf7e..c7a43069ba 100644
--- a/crates/defguard_core/src/grpc/enrollment.rs
+++ b/crates/defguard_core/src/grpc/enrollment.rs
@@ -43,7 +43,10 @@ use crate::{
         limits::update_counts,
     },
     events::{BidiRequestContext, BidiStreamEvent, BidiStreamEventType, EnrollmentEvent},
-    grpc::utils::{build_device_config_response, new_polling_token, parse_client_info},
+    grpc::{
+        client_version::ClientFeature,
+        utils::{build_device_config_response, new_polling_token, parse_client_ip_agent},
+    },
     handlers::{
         mail::{
             send_email_mfa_activation_email, send_mfa_configured_email, send_new_device_added_email,
@@ -289,7 +292,7 @@ impl EnrollmentServer {
             })?;
 
             // Prepare event context and push the event
-            let (ip, user_agent) = parse_client_info(&info).map_err(Status::internal)?;
+            let (ip, user_agent) = parse_client_ip_agent(&info).map_err(Status::internal)?;
             let context = BidiRequestContext::new(user_id, username, ip, user_agent);
             self.emit_event(context, EnrollmentEvent::EnrollmentStarted)
                 .map_err(|err| {
@@ -479,7 +482,7 @@ impl EnrollmentServer {
         info!("User {} activated", user.username);
 
         // Prepare event context and push the event
-        let (ip, user_agent) = parse_client_info(&req_device_info).map_err(Status::internal)?;
+        let (ip, user_agent) = parse_client_ip_agent(&req_device_info).map_err(Status::internal)?;
         let context = BidiRequestContext::new(user.id, user.username.clone(), ip, user_agent);
         self.emit_event(context, EnrollmentEvent::EnrollmentCompleted)
             .map_err(|err| {
@@ -806,6 +809,16 @@ impl EnrollmentServer {
             Status::internal("unexpected error")
         })?;
 
+        // Don't send them service locations if they don't support it
+        let configs = configs
+            .into_iter()
+            .filter(|config| {
+                config.service_location_mode == ServiceLocationMode::Disabled
+                    || ClientFeature::ServiceLocations
+                        .is_supported_by_device(req_device_info.as_ref())
+            })
+            .collect::<Vec<DeviceConfig>>();
+
         let template_locations: Vec<TemplateLocation> = configs
             .iter()
             .map(|c| TemplateLocation {
@@ -854,7 +867,7 @@ impl EnrollmentServer {
         };
 
         // Prepare event context and push the event
-        let (ip, user_agent) = parse_client_info(&req_device_info).map_err(Status::internal)?;
+        let (ip, user_agent) = parse_client_ip_agent(&req_device_info).map_err(Status::internal)?;
         let context = BidiRequestContext::new(user.id, user.username.clone(), ip, user_agent);
         self.emit_event(context, EnrollmentEvent::EnrollmentDeviceAdded { device })
             .map_err(|err| {
@@ -870,6 +883,7 @@ impl EnrollmentServer {
     pub async fn get_network_info(
         &self,
         request: ExistingDevice,
+        device_info: Option<defguard_proto::proxy::DeviceInfo>,
     ) -> Result<DeviceConfigResponse, Status> {
         debug!("Getting network info for device: {:?}", request.pubkey);
         let token = self.validate_session(request.token.as_ref()).await?;
@@ -896,7 +910,7 @@ impl EnrollmentServer {
         }
 
         let token = new_polling_token(&self.pool, &device).await?;
-        build_device_config_response(&self.pool, device, Some(token)).await
+        build_device_config_response(&self.pool, device, Some(token), device_info).await
     }
 
     // TODO: Add events
diff --git a/crates/defguard_core/src/grpc/mod.rs b/crates/defguard_core/src/grpc/mod.rs
index 85cf800d95..96dbd24e69 100644
--- a/crates/defguard_core/src/grpc/mod.rs
+++ b/crates/defguard_core/src/grpc/mod.rs
@@ -69,6 +69,7 @@ static VERSION_ZERO: Version = Version::new(0, 0, 0);
 
 mod auth;
 pub(crate) mod client_mfa;
+pub mod client_version;
 pub mod enrollment;
 pub mod gateway;
 mod interceptor;
@@ -234,7 +235,11 @@ async fn handle_proxy_message_loop(
                     }
                     // rpc GetNetworkInfo (ExistingDevice) returns (DeviceConfigResponse)
                     Some(core_request::Payload::ExistingDevice(request)) => {
-                        match context.enrollment_server.get_network_info(request).await {
+                        match context
+                            .enrollment_server
+                            .get_network_info(request, received.device_info)
+                            .await
+                        {
                             Ok(response_payload) => {
                                 Some(core_response::Payload::DeviceConfig(response_payload))
                             }
@@ -345,7 +350,11 @@ async fn handle_proxy_message_loop(
                     }
                     // rpc LocationInfo (LocationInfoRequest) returns (LocationInfoResponse)
                     Some(core_request::Payload::InstanceInfo(request)) => {
-                        match context.polling_server.info(request).await {
+                        match context
+                            .polling_server
+                            .info(request, received.device_info)
+                            .await
+                        {
                             Ok(response_payload) => {
                                 Some(core_response::Payload::InstanceInfo(response_payload))
                             }
diff --git a/crates/defguard_core/src/grpc/password_reset.rs b/crates/defguard_core/src/grpc/password_reset.rs
index 0c1957e713..4e8b35e6d4 100644
--- a/crates/defguard_core/src/grpc/password_reset.rs
+++ b/crates/defguard_core/src/grpc/password_reset.rs
@@ -14,7 +14,7 @@ use crate::{
     },
     enterprise::ldap::utils::ldap_change_password,
     events::{BidiRequestContext, BidiStreamEvent, BidiStreamEventType, PasswordResetEvent},
-    grpc::utils::parse_client_info,
+    grpc::utils::parse_client_ip_agent,
     handlers::{
         mail::{send_password_reset_email, send_password_reset_success_email},
         user::check_password_strength,
@@ -169,7 +169,7 @@ impl PasswordResetServer {
         );
 
         // Prepare event context and push the event
-        let (ip, user_agent) = parse_client_info(&req_device_info).map_err(Status::internal)?;
+        let (ip, user_agent) = parse_client_ip_agent(&req_device_info).map_err(Status::internal)?;
         let context = BidiRequestContext::new(user.id, user.username, ip, user_agent);
         self.emit_event(context, PasswordResetEvent::PasswordResetRequested)
             .map_err(|err| {
@@ -235,7 +235,7 @@ impl PasswordResetServer {
             user.username
         );
         // Prepare event context and push the event
-        let (ip, user_agent) = parse_client_info(&info).map_err(Status::internal)?;
+        let (ip, user_agent) = parse_client_ip_agent(&info).map_err(Status::internal)?;
         let context = BidiRequestContext::new(user.id, user.username, ip, user_agent);
         self.emit_event(context, PasswordResetEvent::PasswordResetStarted)
             .map_err(|err| {
@@ -308,7 +308,7 @@ impl PasswordResetServer {
         )?;
 
         // Prepare event context and push the event
-        let (ip, user_agent) = parse_client_info(&req_device_info).map_err(Status::internal)?;
+        let (ip, user_agent) = parse_client_ip_agent(&req_device_info).map_err(Status::internal)?;
         let context = BidiRequestContext::new(user.id, user.username, ip, user_agent);
         self.emit_event(context, PasswordResetEvent::PasswordResetCompleted)
             .map_err(|err| {
diff --git a/crates/defguard_core/src/grpc/utils.rs b/crates/defguard_core/src/grpc/utils.rs
index 1f7ffec69a..b82e91fa1c 100644
--- a/crates/defguard_core/src/grpc/utils.rs
+++ b/crates/defguard_core/src/grpc/utils.rs
@@ -24,6 +24,7 @@ use crate::{
     enterprise::db::models::{
         enterprise_settings::EnterpriseSettings, openid_provider::OpenIdProvider,
     },
+    grpc::client_version::ClientFeature,
 };
 
 // Create a new token for configuration polling.
@@ -72,6 +73,7 @@ pub(crate) async fn build_device_config_response(
     pool: &PgPool,
     device: Device<Id>,
     token: Option<String>,
+    device_info: Option<DeviceInfo>,
 ) -> Result<DeviceConfigResponse, Status> {
     let settings = Settings::get_current_settings();
 
@@ -122,15 +124,17 @@ pub(crate) async fn build_device_config_response(
                     );
                     Status::internal(format!("unexpected error: {err}"))
                 })?;
-            if network.should_prevent_service_location_usage() {
+
+            if network.service_location_mode != ServiceLocationMode::Disabled {
                 error!(
-                    "Tried to use service location {} with disabled enterprise features.",
-                    network.name
+                    "Network device {} tried to fetch config for service location {}, which is unsupported.",
+                    device.name, network.name
                 );
                 return Err(Status::permission_denied(
-                    "service location mode is not available",
+                    "service location mode is not available for network devices",
                 ));
             }
+
             // DEPRECATED(1.5): superseeded by location_mfa_mode
             let mfa_enabled = network.location_mfa_mode == LocationMfaMode::Internal;
             let config =
@@ -182,6 +186,15 @@ pub(crate) async fn build_device_config_response(
                 );
                 continue;
             }
+            if network.service_location_mode != ServiceLocationMode::Disabled
+                && !ClientFeature::ServiceLocations.is_supported_by_device(device_info.as_ref())
+            {
+                info!(
+                    "Device {} does not support service locations feature, skipping sending network {} configuration to device {}.",
+                    device.name, network.name, device.name
+                );
+                continue;
+            }
             // DEPRECATED(1.5): superseeded by location_mfa_mode
             let mfa_enabled = network.location_mfa_mode == LocationMfaMode::Internal;
             if let Some(wireguard_network_device) = wireguard_network_device {
@@ -218,7 +231,7 @@ pub(crate) async fn build_device_config_response(
 
     info!(
         "User {}({}) device {}({}) automatically fetched the newest configuration.",
-        user.username, user.id, device.name, device.id,
+        user.username, user.id, device.name, device.id
     );
 
     Ok(DeviceConfigResponse {
@@ -238,7 +251,7 @@ pub(crate) async fn build_device_config_response(
 }
 
 /// Parses `DeviceInfo` returning client IP address and user agent.
-pub(crate) fn parse_client_info(info: &Option<DeviceInfo>) -> Result<(IpAddr, String), String> {
+pub(crate) fn parse_client_ip_agent(info: &Option<DeviceInfo>) -> Result<(IpAddr, String), String> {
     let Some(info) = info else {
         error!("Missing DeviceInfo in proxy request");
         return Err("missing device info".to_string());
diff --git a/crates/defguard_core/src/version.rs b/crates/defguard_core/src/version.rs
index e61142618e..849c232337 100644
--- a/crates/defguard_core/src/version.rs
+++ b/crates/defguard_core/src/version.rs
@@ -9,7 +9,7 @@ use defguard_version::{ComponentInfo, Version, is_version_lower};
 use serde::Serialize;
 use tonic::{Status, service::Interceptor};
 
-const MIN_PROXY_VERSION: Version = Version::new(1, 5, 0);
+const MIN_PROXY_VERSION: Version = Version::new(1, 6, 0);
 pub const MIN_GATEWAY_VERSION: Version = Version::new(1, 5, 0);
 static OUTDATED_COMPONENT_LIFETIME: TimeDelta = TimeDelta::hours(1);
 
diff --git a/proto b/proto
index fee706013b..96249ebde0 160000
--- a/proto
+++ b/proto
@@ -1 +1 @@
-Subproject commit fee706013b3bb5452c3c4dbf35bd973d0637ff25
+Subproject commit 96249ebde0556f4ae8c47eebc6015efb04ed0104

From e6a13da35cb95d483e2c6d27c5a065f972d52fa2 Mon Sep 17 00:00:00 2001
From: Maciek <19913370+wojcik91@users.noreply.github.com>
Date: Fri, 7 Nov 2025 11:54:39 +0100
Subject: [PATCH 35/50] add option to pre-fetch OpenID directory users during
 sync (#1689)

* add option to prefetch users to openid provider settings

* handle new option in frontend

* add base prefetch tests

* handle user creation during directory sync

* update log

* make mobile phone optional

* update tests

* hide checkbox for other providers

* Microsoft sync fixes

* adjust logs

* trigger ldap sync for created users

* linter fix

* username validation

* Update crates/defguard_core/src/enterprise/directory_sync/mod.rs

Co-authored-by: Aleksander <170264518+t-aleksander@users.noreply.github.com>

* update query data

---------

Co-authored-by: Aleksander <170264518+t-aleksander@users.noreply.github.com>
---
 ...40b9fa3479c919f1ace2a787470690be9de3.json} |  12 +-
 ...dabb2ca9c2a831cacb7ebc8d696020b0556c.json} |  12 +-
 ...8ddb54a2a673a531cb882aadea3d5aa25d66.json} |   5 +-
 ...4fb6ffac7e6fdd0d9428070cecb68c666cd8.json} |   7 +-
 ...8ad3d3d19b0c4f0e69b9002a6a1fbd46a324.json} |   7 +-
 ...39f45c6da9836f93b67307787851a1804f13.json} |  12 +-
 ...35be58cb652e8287a6f5028421656048b58a.json} |  12 +-
 .../enterprise/db/models/openid_provider.rs   |  15 +-
 .../src/enterprise/directory_sync/google.rs   |   2 +
 .../enterprise/directory_sync/jumpcloud.rs    |   2 +
 .../enterprise/directory_sync/microsoft.rs    |  62 ++++-
 .../src/enterprise/directory_sync/mod.rs      | 257 ++++++++++++++----
 .../src/enterprise/directory_sync/okta.rs     |   2 +
 .../enterprise/directory_sync/testprovider.rs |  15 +
 .../src/enterprise/directory_sync/tests.rs    |  83 ++++++
 .../enterprise/handlers/openid_providers.rs   |   2 +
 .../tests/integration/api/openid_login.rs     |   2 +
 .../tests/integration/api/wireguard.rs        |   2 +
 ...nid_directory_sync_prefetch_users.down.sql |   1 +
 ...penid_directory_sync_prefetch_users.up.sql |   1 +
 web/src/i18n/en/index.ts                      |   4 +
 web/src/i18n/i18n-types.ts                    |  20 ++
 .../components/DirectorySyncSettings.tsx      |  45 +--
 .../components/OpenIdSettingsForm.tsx         |   2 +
 .../OpenIdSettings/components/style.scss      |  10 +-
 25 files changed, 487 insertions(+), 107 deletions(-)
 rename .sqlx/{query-9f98a138560451105b104fc7a4d3d29e22e58f33e902c06bbf6163ee48ae802a.json => query-14302b1c6c7d72d6e6f38c80538040b9fa3479c919f1ace2a787470690be9de3.json} (91%)
 rename .sqlx/{query-06bbd4a7662ea9ec62a0138efa9acb62c4bd9b646846740333d8ae3d154d1d77.json => query-558fb8aa5e223f6fc273c1431410dabb2ca9c2a831cacb7ebc8d696020b0556c.json} (92%)
 rename .sqlx/{query-d4d76206a3eeb48f4c3e06e53e781bab2a0e2020e33653ef34ab1ea7df67a0cb.json => query-796ef2b0b73f5689a592497320b98ddb54a2a673a531cb882aadea3d5aa25d66.json} (90%)
 rename .sqlx/{query-dce467a600d7b0e51d1b75dd5978c56cc1e6b0c6fbf1907cce4bbe0a1bde88ff.json => query-c6ebb402f91d242754872addc3604fb6ffac7e6fdd0d9428070cecb68c666cd8.json} (85%)
 rename .sqlx/{query-187b82f0cc866ff2f1049aa57d9477cbad81d77c2db2b67dca90de198721b483.json => query-c8e9800861c7bc853235858650be8ad3d3d19b0c4f0e69b9002a6a1fbd46a324.json} (90%)
 rename .sqlx/{query-07ac05be4850e0154414090784fc40392f423c16cd326716994fcb1f45c84eee.json => query-d8db674150231de0063227000a8b39f45c6da9836f93b67307787851a1804f13.json} (92%)
 rename .sqlx/{query-6c3bbaa998dbb9d0b3771c546b014818139cdfac6ed6c15603f6e6806c63ac6f.json => query-e28b02ccc616d67fcb1a1aa940ea35be58cb652e8287a6f5028421656048b58a.json} (92%)
 create mode 100644 migrations/20251103105138_openid_directory_sync_prefetch_users.down.sql
 create mode 100644 migrations/20251103105138_openid_directory_sync_prefetch_users.up.sql

diff --git a/.sqlx/query-9f98a138560451105b104fc7a4d3d29e22e58f33e902c06bbf6163ee48ae802a.json b/.sqlx/query-14302b1c6c7d72d6e6f38c80538040b9fa3479c919f1ace2a787470690be9de3.json
similarity index 91%
rename from .sqlx/query-9f98a138560451105b104fc7a4d3d29e22e58f33e902c06bbf6163ee48ae802a.json
rename to .sqlx/query-14302b1c6c7d72d6e6f38c80538040b9fa3479c919f1ace2a787470690be9de3.json
index f847621f43..8ba998d2cb 100644
--- a/.sqlx/query-9f98a138560451105b104fc7a4d3d29e22e58f33e902c06bbf6163ee48ae802a.json
+++ b/.sqlx/query-14302b1c6c7d72d6e6f38c80538040b9fa3479c919f1ace2a787470690be9de3.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, \"name\",\"base_url\",\"client_id\",\"client_secret\",\"display_name\",\"google_service_account_key\",\"google_service_account_email\",\"admin_email\",\"directory_sync_enabled\",\"directory_sync_interval\",\"directory_sync_user_behavior\" \"directory_sync_user_behavior: _\",\"directory_sync_admin_behavior\" \"directory_sync_admin_behavior: _\",\"directory_sync_target\" \"directory_sync_target: _\",\"okta_private_jwk\",\"okta_dirsync_client_id\",\"directory_sync_group_match\" \"directory_sync_group_match: _\",\"jumpcloud_api_key\" FROM \"openidprovider\" WHERE id = $1",
+  "query": "SELECT id, \"name\",\"base_url\",\"client_id\",\"client_secret\",\"display_name\",\"google_service_account_key\",\"google_service_account_email\",\"admin_email\",\"directory_sync_enabled\",\"directory_sync_interval\",\"directory_sync_user_behavior\" \"directory_sync_user_behavior: _\",\"directory_sync_admin_behavior\" \"directory_sync_admin_behavior: _\",\"directory_sync_target\" \"directory_sync_target: _\",\"okta_private_jwk\",\"okta_dirsync_client_id\",\"directory_sync_group_match\" \"directory_sync_group_match: _\",\"jumpcloud_api_key\",\"prefetch_users\" FROM \"openidprovider\" WHERE id = $1",
   "describe": {
     "columns": [
       {
@@ -125,6 +125,11 @@
         "ordinal": 17,
         "name": "jumpcloud_api_key",
         "type_info": "Text"
+      },
+      {
+        "ordinal": 18,
+        "name": "prefetch_users",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -150,8 +155,9 @@
       true,
       true,
       false,
-      true
+      true,
+      false
     ]
   },
-  "hash": "9f98a138560451105b104fc7a4d3d29e22e58f33e902c06bbf6163ee48ae802a"
+  "hash": "14302b1c6c7d72d6e6f38c80538040b9fa3479c919f1ace2a787470690be9de3"
 }
diff --git a/.sqlx/query-06bbd4a7662ea9ec62a0138efa9acb62c4bd9b646846740333d8ae3d154d1d77.json b/.sqlx/query-558fb8aa5e223f6fc273c1431410dabb2ca9c2a831cacb7ebc8d696020b0556c.json
similarity index 92%
rename from .sqlx/query-06bbd4a7662ea9ec62a0138efa9acb62c4bd9b646846740333d8ae3d154d1d77.json
rename to .sqlx/query-558fb8aa5e223f6fc273c1431410dabb2ca9c2a831cacb7ebc8d696020b0556c.json
index dec553bccb..bfd59988cf 100644
--- a/.sqlx/query-06bbd4a7662ea9ec62a0138efa9acb62c4bd9b646846740333d8ae3d154d1d77.json
+++ b/.sqlx/query-558fb8aa5e223f6fc273c1431410dabb2ca9c2a831cacb7ebc8d696020b0556c.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, name, base_url, client_id, client_secret, display_name, google_service_account_key, google_service_account_email, admin_email, directory_sync_enabled,\n            directory_sync_interval, directory_sync_user_behavior  \"directory_sync_user_behavior: DirectorySyncUserBehavior\", directory_sync_admin_behavior  \"directory_sync_admin_behavior: DirectorySyncUserBehavior\", directory_sync_target  \"directory_sync_target: DirectorySyncTarget\", okta_private_jwk, okta_dirsync_client_id, directory_sync_group_match, jumpcloud_api_key FROM openidprovider WHERE name = $1",
+  "query": "SELECT id, name, base_url, client_id, client_secret, display_name, google_service_account_key, google_service_account_email, admin_email, directory_sync_enabled,\n            directory_sync_interval, directory_sync_user_behavior  \"directory_sync_user_behavior: DirectorySyncUserBehavior\", directory_sync_admin_behavior  \"directory_sync_admin_behavior: DirectorySyncUserBehavior\", directory_sync_target  \"directory_sync_target: DirectorySyncTarget\", okta_private_jwk, okta_dirsync_client_id, directory_sync_group_match, jumpcloud_api_key, prefetch_users FROM openidprovider WHERE name = $1",
   "describe": {
     "columns": [
       {
@@ -125,6 +125,11 @@
         "ordinal": 17,
         "name": "jumpcloud_api_key",
         "type_info": "Text"
+      },
+      {
+        "ordinal": 18,
+        "name": "prefetch_users",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -150,8 +155,9 @@
       true,
       true,
       false,
-      true
+      true,
+      false
     ]
   },
-  "hash": "06bbd4a7662ea9ec62a0138efa9acb62c4bd9b646846740333d8ae3d154d1d77"
+  "hash": "558fb8aa5e223f6fc273c1431410dabb2ca9c2a831cacb7ebc8d696020b0556c"
 }
diff --git a/.sqlx/query-d4d76206a3eeb48f4c3e06e53e781bab2a0e2020e33653ef34ab1ea7df67a0cb.json b/.sqlx/query-796ef2b0b73f5689a592497320b98ddb54a2a673a531cb882aadea3d5aa25d66.json
similarity index 90%
rename from .sqlx/query-d4d76206a3eeb48f4c3e06e53e781bab2a0e2020e33653ef34ab1ea7df67a0cb.json
rename to .sqlx/query-796ef2b0b73f5689a592497320b98ddb54a2a673a531cb882aadea3d5aa25d66.json
index e28198163d..528c633238 100644
--- a/.sqlx/query-d4d76206a3eeb48f4c3e06e53e781bab2a0e2020e33653ef34ab1ea7df67a0cb.json
+++ b/.sqlx/query-796ef2b0b73f5689a592497320b98ddb54a2a673a531cb882aadea3d5aa25d66.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "UPDATE openidprovider SET name = $1, base_url = $2, client_id = $3, client_secret = $4, display_name = $5, google_service_account_key = $6, google_service_account_email = $7, admin_email = $8, directory_sync_enabled = $9, directory_sync_interval = $10, directory_sync_user_behavior = $11, directory_sync_admin_behavior = $12, directory_sync_target = $13, okta_private_jwk = $14, okta_dirsync_client_id = $15, directory_sync_group_match = $16, jumpcloud_api_key = $17 WHERE id = $18",
+  "query": "UPDATE openidprovider SET name = $1, base_url = $2, client_id = $3, client_secret = $4, display_name = $5, google_service_account_key = $6, google_service_account_email = $7, admin_email = $8, directory_sync_enabled = $9, directory_sync_interval = $10, directory_sync_user_behavior = $11, directory_sync_admin_behavior = $12, directory_sync_target = $13, okta_private_jwk = $14, okta_dirsync_client_id = $15, directory_sync_group_match = $16, jumpcloud_api_key = $17, prefetch_users = $18 WHERE id = $19",
   "describe": {
     "columns": [],
     "parameters": {
@@ -55,10 +55,11 @@
         "Text",
         "TextArray",
         "Text",
+        "Bool",
         "Int8"
       ]
     },
     "nullable": []
   },
-  "hash": "d4d76206a3eeb48f4c3e06e53e781bab2a0e2020e33653ef34ab1ea7df67a0cb"
+  "hash": "796ef2b0b73f5689a592497320b98ddb54a2a673a531cb882aadea3d5aa25d66"
 }
diff --git a/.sqlx/query-dce467a600d7b0e51d1b75dd5978c56cc1e6b0c6fbf1907cce4bbe0a1bde88ff.json b/.sqlx/query-c6ebb402f91d242754872addc3604fb6ffac7e6fdd0d9428070cecb68c666cd8.json
similarity index 85%
rename from .sqlx/query-dce467a600d7b0e51d1b75dd5978c56cc1e6b0c6fbf1907cce4bbe0a1bde88ff.json
rename to .sqlx/query-c6ebb402f91d242754872addc3604fb6ffac7e6fdd0d9428070cecb68c666cd8.json
index 8902fca66f..7994ebf797 100644
--- a/.sqlx/query-dce467a600d7b0e51d1b75dd5978c56cc1e6b0c6fbf1907cce4bbe0a1bde88ff.json
+++ b/.sqlx/query-c6ebb402f91d242754872addc3604fb6ffac7e6fdd0d9428070cecb68c666cd8.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "INSERT INTO \"openidprovider\" (\"name\",\"base_url\",\"client_id\",\"client_secret\",\"display_name\",\"google_service_account_key\",\"google_service_account_email\",\"admin_email\",\"directory_sync_enabled\",\"directory_sync_interval\",\"directory_sync_user_behavior\",\"directory_sync_admin_behavior\",\"directory_sync_target\",\"okta_private_jwk\",\"okta_dirsync_client_id\",\"directory_sync_group_match\",\"jumpcloud_api_key\") VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15,$16,$17) RETURNING id",
+  "query": "INSERT INTO \"openidprovider\" (\"name\",\"base_url\",\"client_id\",\"client_secret\",\"display_name\",\"google_service_account_key\",\"google_service_account_email\",\"admin_email\",\"directory_sync_enabled\",\"directory_sync_interval\",\"directory_sync_user_behavior\",\"directory_sync_admin_behavior\",\"directory_sync_target\",\"okta_private_jwk\",\"okta_dirsync_client_id\",\"directory_sync_group_match\",\"jumpcloud_api_key\",\"prefetch_users\") VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15,$16,$17,$18) RETURNING id",
   "describe": {
     "columns": [
       {
@@ -60,12 +60,13 @@
         "Text",
         "Text",
         "TextArray",
-        "Text"
+        "Text",
+        "Bool"
       ]
     },
     "nullable": [
       false
     ]
   },
-  "hash": "dce467a600d7b0e51d1b75dd5978c56cc1e6b0c6fbf1907cce4bbe0a1bde88ff"
+  "hash": "c6ebb402f91d242754872addc3604fb6ffac7e6fdd0d9428070cecb68c666cd8"
 }
diff --git a/.sqlx/query-187b82f0cc866ff2f1049aa57d9477cbad81d77c2db2b67dca90de198721b483.json b/.sqlx/query-c8e9800861c7bc853235858650be8ad3d3d19b0c4f0e69b9002a6a1fbd46a324.json
similarity index 90%
rename from .sqlx/query-187b82f0cc866ff2f1049aa57d9477cbad81d77c2db2b67dca90de198721b483.json
rename to .sqlx/query-c8e9800861c7bc853235858650be8ad3d3d19b0c4f0e69b9002a6a1fbd46a324.json
index 3576fdb99b..5c80f34900 100644
--- a/.sqlx/query-187b82f0cc866ff2f1049aa57d9477cbad81d77c2db2b67dca90de198721b483.json
+++ b/.sqlx/query-c8e9800861c7bc853235858650be8ad3d3d19b0c4f0e69b9002a6a1fbd46a324.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "UPDATE \"openidprovider\" SET \"name\" = $2,\"base_url\" = $3,\"client_id\" = $4,\"client_secret\" = $5,\"display_name\" = $6,\"google_service_account_key\" = $7,\"google_service_account_email\" = $8,\"admin_email\" = $9,\"directory_sync_enabled\" = $10,\"directory_sync_interval\" = $11,\"directory_sync_user_behavior\" = $12,\"directory_sync_admin_behavior\" = $13,\"directory_sync_target\" = $14,\"okta_private_jwk\" = $15,\"okta_dirsync_client_id\" = $16,\"directory_sync_group_match\" = $17,\"jumpcloud_api_key\" = $18 WHERE id = $1",
+  "query": "UPDATE \"openidprovider\" SET \"name\" = $2,\"base_url\" = $3,\"client_id\" = $4,\"client_secret\" = $5,\"display_name\" = $6,\"google_service_account_key\" = $7,\"google_service_account_email\" = $8,\"admin_email\" = $9,\"directory_sync_enabled\" = $10,\"directory_sync_interval\" = $11,\"directory_sync_user_behavior\" = $12,\"directory_sync_admin_behavior\" = $13,\"directory_sync_target\" = $14,\"okta_private_jwk\" = $15,\"okta_dirsync_client_id\" = $16,\"directory_sync_group_match\" = $17,\"jumpcloud_api_key\" = $18,\"prefetch_users\" = $19 WHERE id = $1",
   "describe": {
     "columns": [],
     "parameters": {
@@ -55,10 +55,11 @@
         "Text",
         "Text",
         "TextArray",
-        "Text"
+        "Text",
+        "Bool"
       ]
     },
     "nullable": []
   },
-  "hash": "187b82f0cc866ff2f1049aa57d9477cbad81d77c2db2b67dca90de198721b483"
+  "hash": "c8e9800861c7bc853235858650be8ad3d3d19b0c4f0e69b9002a6a1fbd46a324"
 }
diff --git a/.sqlx/query-07ac05be4850e0154414090784fc40392f423c16cd326716994fcb1f45c84eee.json b/.sqlx/query-d8db674150231de0063227000a8b39f45c6da9836f93b67307787851a1804f13.json
similarity index 92%
rename from .sqlx/query-07ac05be4850e0154414090784fc40392f423c16cd326716994fcb1f45c84eee.json
rename to .sqlx/query-d8db674150231de0063227000a8b39f45c6da9836f93b67307787851a1804f13.json
index 5a629b4c9f..29d36e4226 100644
--- a/.sqlx/query-07ac05be4850e0154414090784fc40392f423c16cd326716994fcb1f45c84eee.json
+++ b/.sqlx/query-d8db674150231de0063227000a8b39f45c6da9836f93b67307787851a1804f13.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, \"name\",\"base_url\",\"client_id\",\"client_secret\",\"display_name\",\"google_service_account_key\",\"google_service_account_email\",\"admin_email\",\"directory_sync_enabled\",\"directory_sync_interval\",\"directory_sync_user_behavior\" \"directory_sync_user_behavior: _\",\"directory_sync_admin_behavior\" \"directory_sync_admin_behavior: _\",\"directory_sync_target\" \"directory_sync_target: _\",\"okta_private_jwk\",\"okta_dirsync_client_id\",\"directory_sync_group_match\" \"directory_sync_group_match: _\",\"jumpcloud_api_key\" FROM \"openidprovider\"",
+  "query": "SELECT id, \"name\",\"base_url\",\"client_id\",\"client_secret\",\"display_name\",\"google_service_account_key\",\"google_service_account_email\",\"admin_email\",\"directory_sync_enabled\",\"directory_sync_interval\",\"directory_sync_user_behavior\" \"directory_sync_user_behavior: _\",\"directory_sync_admin_behavior\" \"directory_sync_admin_behavior: _\",\"directory_sync_target\" \"directory_sync_target: _\",\"okta_private_jwk\",\"okta_dirsync_client_id\",\"directory_sync_group_match\" \"directory_sync_group_match: _\",\"jumpcloud_api_key\",\"prefetch_users\" FROM \"openidprovider\"",
   "describe": {
     "columns": [
       {
@@ -125,6 +125,11 @@
         "ordinal": 17,
         "name": "jumpcloud_api_key",
         "type_info": "Text"
+      },
+      {
+        "ordinal": 18,
+        "name": "prefetch_users",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -148,8 +153,9 @@
       true,
       true,
       false,
-      true
+      true,
+      false
     ]
   },
-  "hash": "07ac05be4850e0154414090784fc40392f423c16cd326716994fcb1f45c84eee"
+  "hash": "d8db674150231de0063227000a8b39f45c6da9836f93b67307787851a1804f13"
 }
diff --git a/.sqlx/query-6c3bbaa998dbb9d0b3771c546b014818139cdfac6ed6c15603f6e6806c63ac6f.json b/.sqlx/query-e28b02ccc616d67fcb1a1aa940ea35be58cb652e8287a6f5028421656048b58a.json
similarity index 92%
rename from .sqlx/query-6c3bbaa998dbb9d0b3771c546b014818139cdfac6ed6c15603f6e6806c63ac6f.json
rename to .sqlx/query-e28b02ccc616d67fcb1a1aa940ea35be58cb652e8287a6f5028421656048b58a.json
index 8b48d798c8..f59dbf3807 100644
--- a/.sqlx/query-6c3bbaa998dbb9d0b3771c546b014818139cdfac6ed6c15603f6e6806c63ac6f.json
+++ b/.sqlx/query-e28b02ccc616d67fcb1a1aa940ea35be58cb652e8287a6f5028421656048b58a.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, name, base_url, client_id, client_secret, display_name, google_service_account_key, google_service_account_email, admin_email, directory_sync_enabled, directory_sync_interval, directory_sync_user_behavior \"directory_sync_user_behavior: DirectorySyncUserBehavior\", directory_sync_admin_behavior  \"directory_sync_admin_behavior: DirectorySyncUserBehavior\", directory_sync_target  \"directory_sync_target: DirectorySyncTarget\", okta_private_jwk, okta_dirsync_client_id, directory_sync_group_match, jumpcloud_api_key FROM openidprovider LIMIT 1",
+  "query": "SELECT id, name, base_url, client_id, client_secret, display_name, google_service_account_key, google_service_account_email, admin_email, directory_sync_enabled, directory_sync_interval, directory_sync_user_behavior \"directory_sync_user_behavior: DirectorySyncUserBehavior\", directory_sync_admin_behavior  \"directory_sync_admin_behavior: DirectorySyncUserBehavior\", directory_sync_target  \"directory_sync_target: DirectorySyncTarget\", okta_private_jwk, okta_dirsync_client_id, directory_sync_group_match, jumpcloud_api_key, prefetch_users FROM openidprovider LIMIT 1",
   "describe": {
     "columns": [
       {
@@ -125,6 +125,11 @@
         "ordinal": 17,
         "name": "jumpcloud_api_key",
         "type_info": "Text"
+      },
+      {
+        "ordinal": 18,
+        "name": "prefetch_users",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -148,8 +153,9 @@
       true,
       true,
       false,
-      true
+      true,
+      false
     ]
   },
-  "hash": "6c3bbaa998dbb9d0b3771c546b014818139cdfac6ed6c15603f6e6806c63ac6f"
+  "hash": "e28b02ccc616d67fcb1a1aa940ea35be58cb652e8287a6f5028421656048b58a"
 }
diff --git a/crates/defguard_core/src/enterprise/db/models/openid_provider.rs b/crates/defguard_core/src/enterprise/db/models/openid_provider.rs
index 7143b062b3..7a3ef88604 100644
--- a/crates/defguard_core/src/enterprise/db/models/openid_provider.rs
+++ b/crates/defguard_core/src/enterprise/db/models/openid_provider.rs
@@ -115,6 +115,9 @@ pub struct OpenIdProvider<I = NoId> {
     // The groups to sync from the directory, exact match
     pub directory_sync_group_match: Vec<String>,
     pub jumpcloud_api_key: Option<String>,
+    // Fetch all users from directory and create them in Defguard
+    // TODO: currently only supported for Microsoft
+    pub prefetch_users: bool,
 }
 
 impl OpenIdProvider {
@@ -137,6 +140,7 @@ impl OpenIdProvider {
         okta_dirsync_client_id: Option<String>,
         directory_sync_group_match: Vec<String>,
         jumpcloud_api_key: Option<String>,
+        prefetch_users: bool,
     ) -> Self {
         Self {
             id: NoId,
@@ -157,6 +161,7 @@ impl OpenIdProvider {
             okta_dirsync_client_id,
             directory_sync_group_match,
             jumpcloud_api_key,
+            prefetch_users,
         }
     }
 
@@ -169,8 +174,9 @@ impl OpenIdProvider {
                 directory_sync_interval = $10, directory_sync_user_behavior = $11, \
                 directory_sync_admin_behavior = $12, directory_sync_target = $13, \
                 okta_private_jwk = $14, okta_dirsync_client_id = $15, \
-                directory_sync_group_match = $16, jumpcloud_api_key = $17 \
-                WHERE id = $18",
+                directory_sync_group_match = $16, jumpcloud_api_key = $17, \
+                prefetch_users = $18 \
+                WHERE id = $19",
                 self.name,
                 self.base_url,
                 self.client_id,
@@ -188,6 +194,7 @@ impl OpenIdProvider {
                 self.okta_dirsync_client_id,
                 &self.directory_sync_group_match,
                 self.jumpcloud_api_key,
+                self.prefetch_users,
                 provider.id,
             )
             .execute(pool)
@@ -215,7 +222,7 @@ impl OpenIdProvider<Id> {
             directory_sync_interval, directory_sync_user_behavior  \"directory_sync_user_behavior: DirectorySyncUserBehavior\", \
             directory_sync_admin_behavior  \"directory_sync_admin_behavior: DirectorySyncUserBehavior\", \
             directory_sync_target  \"directory_sync_target: DirectorySyncTarget\", \
-            okta_private_jwk, okta_dirsync_client_id, directory_sync_group_match, jumpcloud_api_key \
+            okta_private_jwk, okta_dirsync_client_id, directory_sync_group_match, jumpcloud_api_key, prefetch_users \
             FROM openidprovider WHERE name = $1",
             name
         )
@@ -234,7 +241,7 @@ impl OpenIdProvider<Id> {
             directory_sync_interval, directory_sync_user_behavior \"directory_sync_user_behavior: DirectorySyncUserBehavior\", \
             directory_sync_admin_behavior  \"directory_sync_admin_behavior: DirectorySyncUserBehavior\", \
             directory_sync_target  \"directory_sync_target: DirectorySyncTarget\", \
-            okta_private_jwk, okta_dirsync_client_id, directory_sync_group_match, jumpcloud_api_key \
+            okta_private_jwk, okta_dirsync_client_id, directory_sync_group_match, jumpcloud_api_key, prefetch_users \
             FROM openidprovider LIMIT 1"
         )
         .fetch_optional(executor)
diff --git a/crates/defguard_core/src/enterprise/directory_sync/google.rs b/crates/defguard_core/src/enterprise/directory_sync/google.rs
index 4f7a5139fa..642af28e62 100644
--- a/crates/defguard_core/src/enterprise/directory_sync/google.rs
+++ b/crates/defguard_core/src/enterprise/directory_sync/google.rs
@@ -106,6 +106,8 @@ impl From<User> for DirectoryUser {
             email: val.primary_email,
             active: !val.suspended,
             id: None,
+            // TODO: currently not supported for Google
+            user_details: None,
         }
     }
 }
diff --git a/crates/defguard_core/src/enterprise/directory_sync/jumpcloud.rs b/crates/defguard_core/src/enterprise/directory_sync/jumpcloud.rs
index aad95011ae..93d8f78280 100644
--- a/crates/defguard_core/src/enterprise/directory_sync/jumpcloud.rs
+++ b/crates/defguard_core/src/enterprise/directory_sync/jumpcloud.rs
@@ -39,6 +39,8 @@ impl From<User> for DirectoryUser {
             email: user.email,
             active: user.activated && !user.account_locked && user.state == UserState::Activated,
             id: Some(user.id),
+            // TODO: currently not supported for Jumpcloud
+            user_details: None,
         }
     }
 }
diff --git a/crates/defguard_core/src/enterprise/directory_sync/microsoft.rs b/crates/defguard_core/src/enterprise/directory_sync/microsoft.rs
index 48ebef13a5..7e02645e7f 100644
--- a/crates/defguard_core/src/enterprise/directory_sync/microsoft.rs
+++ b/crates/defguard_core/src/enterprise/directory_sync/microsoft.rs
@@ -6,7 +6,7 @@ use super::{
     DirectoryGroup, DirectorySync, DirectorySyncError, DirectoryUser, REQUEST_PAGINATION_SLOWDOWN,
     make_get_request, parse_response,
 };
-use crate::enterprise::directory_sync::REQUEST_TIMEOUT;
+use crate::enterprise::directory_sync::{DirectoryUserDetails, REQUEST_TIMEOUT};
 
 pub(crate) struct MicrosoftDirectorySync {
     access_token: Option<String>,
@@ -26,7 +26,8 @@ const MICROSOFT_DEFAULT_SCOPE: &str = "https://graph.microsoft.com/.default";
 const GRANT_TYPE: &str = "client_credentials";
 const MAX_RESULTS: &str = "200";
 const MAX_REQUESTS: usize = 50;
-const USER_QUERY_FIELDS: &str = "accountEnabled,displayName,mail,otherMails";
+const USER_QUERY_FIELDS: &str =
+    "accountEnabled,displayName,mail,otherMails,id,givenName,surname,mobilePhone,businessPhones";
 const USER_SEARCH_URL: &str =
     "https://graph.microsoft.com/v1.0/users?$select=id&$filter=mail eq '{email}'";
 const USER_SEARCH_URL_FALLBACK: &str =
@@ -103,6 +104,7 @@ impl From<GroupMembersResponse> for Vec<String> {
 
 #[derive(Debug, Serialize, Deserialize)]
 struct User {
+    id: String,
     #[serde(rename = "displayName")]
     display_name: String,
     mail: Option<String>,
@@ -110,6 +112,13 @@ struct User {
     account_enabled: bool,
     #[serde(rename = "otherMails")]
     other_mails: Vec<String>,
+    #[serde(rename = "givenName")]
+    given_name: Option<String>,
+    surname: Option<String>,
+    #[serde(rename = "mobilePhone")]
+    mobile_phone: Option<String>,
+    #[serde(rename = "businessPhones")]
+    business_phones: Vec<String>,
 }
 
 #[derive(Debug, Serialize, Deserialize, Default)]
@@ -125,11 +134,26 @@ impl From<UsersResponse> for Vec<DirectoryUser> {
             .value
             .into_iter()
             .filter_map(|user| {
+// check if additional user detail data is available
+let user_details = if let ( Some(first_name), Some(last_name)) = ( user.given_name, user.surname) {
+            	// get a phone number if any is available
+            	// prefer mobile phone
+            	let phone_number = match user.mobile_phone {
+            		Some(mobile_phone) => Some(mobile_phone),
+            		None => user.business_phones.into_iter().next()
+            	};
+	Some(DirectoryUserDetails { last_name, first_name, phone_number   })
+} else {
+	debug!("User {} doesn't have all required user details and will be skipped if user creation is required", user.display_name);
+	None
+};
+
+
                 if let Some(email) = user.mail {
-                    Some(DirectoryUser { email, active: user.account_enabled, id: None })
+                    Some(DirectoryUser { email, active: user.account_enabled, id: Some(user.id), user_details })
                 } else if let Some(email) = user.other_mails.into_iter().next() {
                     warn!("User {} doesn't have a primary email address set, his first additional email address will be used: {email}", user.display_name);
-                    Some(DirectoryUser { email, active: user.account_enabled, id: None })
+                    Some(DirectoryUser { email, active: user.account_enabled, id: Some(user.id), user_details  })
                 } else {
                     warn!("User {} doesn't have any email address and will be skipped in synchronization.", user.display_name);
                     None
@@ -621,18 +645,33 @@ mod tests {
                     mail: Some("email@email.com".to_string()),
                     account_enabled: true,
                     other_mails: vec![],
+                    id: "user1-id".into(),
+                    given_name: Some("User".into()),
+                    surname: Some("One".into()),
+                    mobile_phone: Some("555555555".into()),
+                    business_phones: vec![],
                 },
                 User {
                     display_name: "User 2".to_string(),
                     mail: None,
                     account_enabled: true,
                     other_mails: vec!["email2@email.com".to_string()],
+                    id: "user2-id".into(),
+                    given_name: Some("User".into()),
+                    surname: Some("Two".into()),
+                    mobile_phone: None,
+                    business_phones: vec![],
                 },
                 User {
                     display_name: "User 3".to_string(),
                     mail: None,
                     account_enabled: true,
                     other_mails: vec![],
+                    id: "user3-id".into(),
+                    given_name: Some("User".into()),
+                    surname: Some("Three".into()),
+                    mobile_phone: None,
+                    business_phones: vec![],
                 },
             ],
         };
@@ -653,18 +692,33 @@ mod tests {
                     mail: Some("email@email.com".to_string()),
                     account_enabled: true,
                     other_mails: vec![],
+                    id: "user1-id".into(),
+                    given_name: Some("User".into()),
+                    surname: None,
+                    mobile_phone: None,
+                    business_phones: vec![],
                 },
                 User {
                     display_name: "User 2".to_string(),
                     mail: None,
                     account_enabled: true,
                     other_mails: vec!["email2@email.com".to_string()],
+                    id: "user2-id".into(),
+                    given_name: None,
+                    surname: None,
+                    mobile_phone: Some("555555555".into()),
+                    business_phones: vec![],
                 },
                 User {
                     display_name: "User 3".to_string(),
                     mail: None,
                     account_enabled: true,
                     other_mails: vec![],
+                    id: "user3-id".into(),
+                    given_name: Some("User".into()),
+                    surname: Some("Three".into()),
+                    mobile_phone: Some("555555555".into()),
+                    business_phones: vec![],
                 },
             ],
         };
diff --git a/crates/defguard_core/src/enterprise/directory_sync/mod.rs b/crates/defguard_core/src/enterprise/directory_sync/mod.rs
index 70ddd638ce..b37fccba56 100644
--- a/crates/defguard_core/src/enterprise/directory_sync/mod.rs
+++ b/crates/defguard_core/src/enterprise/directory_sync/mod.rs
@@ -1,12 +1,13 @@
 use std::{
     collections::{HashMap, HashSet},
+    fmt::Debug,
     time::Duration,
 };
 
-use defguard_common::db::Id;
+use defguard_common::db::{Id, models::Settings};
 use paste::paste;
 use reqwest::header::AUTHORIZATION;
-use sqlx::{PgPool, error::Error as SqlxError};
+use sqlx::{PgConnection, PgPool, error::Error as SqlxError};
 use thiserror::Error;
 use tokio::sync::broadcast::Sender;
 
@@ -20,8 +21,10 @@ use crate::{
     db::{GatewayEvent, Group, User},
     enterprise::{
         db::models::openid_provider::DirectorySyncUserBehavior,
+        handlers::openid_login::prune_username,
         ldap::utils::{ldap_add_users_to_groups, ldap_delete_users, ldap_remove_users_from_groups},
     },
+    handlers::user::check_username,
 };
 
 const REQUEST_TIMEOUT: Duration = Duration::from_secs(10);
@@ -55,6 +58,8 @@ pub enum DirectorySyncError {
     NetworkUpdateError(String),
     #[error("Failed to update user state: {0}")]
     UserUpdateError(String),
+    #[error("Failed to create user: {0}")]
+    UserCreateError(String),
     #[error("Failed to find user: {0}")]
     UserNotFound(String),
     #[error(
@@ -100,6 +105,16 @@ pub struct DirectoryUser {
     pub email: String,
     // Users may be disabled/suspended in the directory
     pub active: bool,
+    // Currently only supported for Microsoft Entra
+    user_details: Option<DirectoryUserDetails>,
+}
+
+// additional user details required for user creation
+#[derive(Debug, Serialize, Deserialize)]
+pub struct DirectoryUserDetails {
+    last_name: String,
+    first_name: String,
+    phone_number: Option<String>,
 }
 
 #[trait_variant::make(Send)]
@@ -594,71 +609,127 @@ async fn sync_all_users_state(
         .await?
         .ok_or(DirectorySyncError::NotConfigured)?;
 
+    // prepare relevant settings
     let user_behavior = settings.directory_sync_user_behavior;
     let admin_behavior = settings.directory_sync_admin_behavior;
+    let prefetch_users = settings.prefetch_users;
 
-    let emails = all_users
-        .iter()
-        .map(|u| u.email.as_str())
-        .collect::<Vec<&str>>();
-    let missing_users = User::exclude(&mut *transaction, &emails)
-        .await?
-        .into_iter()
-        .collect::<Vec<User<Id>>>();
+    // split directory users into separate lists for active and inactive users
+    let (active_directory_users, inactive_directory_users): (Vec<_>, Vec<_>) =
+        all_users.iter().partition(|user| user.active);
 
-    let disabled_users_emails = all_users
+    // prepare a list of user emails for matching users between directory and Defguard
+    let all_directory_emails = all_users
         .iter()
-        .filter(|u| !u.active)
         .map(|u| u.email.as_str())
         .collect::<Vec<&str>>();
-    let users_to_disable =
-        User::find_many_by_emails(&mut *transaction, &disabled_users_emails).await?;
-
-    let enabled_users_emails = all_users
-        .iter()
-        .filter(|u| u.active)
-        .map(|u| u.email.as_str())
-        .collect::<Vec<&str>>();
-    let users_to_enable =
-        User::find_many_by_emails(&mut *transaction, &enabled_users_emails).await?;
-
-    debug!(
-        "There are {} disabled users in the directory, disabling them in Defguard...",
-        users_to_disable.len()
-    );
 
+    // setup Vecs for tracking user updates
     let mut modified_users = Vec::new();
     let mut deleted_users = Vec::new();
+    let mut created_users = Vec::new();
 
-    for mut user in users_to_disable {
-        if user.is_active {
-            debug!(
-                "Disabling user {} because they are disabled in the directory",
-                user.email
-            );
-            user.disable(&mut transaction, wg_tx).await.map_err(|err| {
-                DirectorySyncError::UserUpdateError(format!(
-                    "Failed to disable user {} during directory synchronization: {err}",
-                    user.email
-                ))
-            })?;
-            modified_users.push(user);
-        } else {
-            debug!("User {} is already disabled, skipping", user.email);
+    sync_inactive_directory_users(
+        &mut transaction,
+        &inactive_directory_users,
+        &mut modified_users,
+        wg_tx,
+    )
+    .await?;
+
+    sync_active_directory_users(
+        &mut transaction,
+        &active_directory_users,
+        &mut modified_users,
+    )
+    .await?;
+
+    // TODO: prefetching users is currently only supported for Microsoft Entra
+    if prefetch_users && ["Microsoft", "Test"].contains(&settings.name.as_str()) {
+        // get emails of all directory users who already exist in Defguard
+        let existing_users =
+            User::find_many_by_emails(&mut *transaction, &all_directory_emails).await?;
+        let existing_user_emails: Vec<&str> = existing_users
+            .iter()
+            .map(|user| user.email.as_str())
+            .collect();
+
+        // find all directory users not present in Defguard
+        let missing_defguard_users: Vec<_> = all_users
+            .iter()
+            .filter(|user| !existing_user_emails.contains(&user.email.as_str()))
+            .collect();
+
+        let core_settings = Settings::get_current_settings();
+
+        // create missing users
+        for directory_user in missing_defguard_users {
+            match &directory_user.user_details {
+                None => {
+                    error!(
+                        "Missing directory user details for user {directory_user:?}. Unable to create missing Defguard user."
+                    );
+                }
+                Some(details) => {
+                    debug!(
+                        "User {directory_user:?} exists in directory but not in Defguard. Creating new Defguard user.",
+                    );
+
+                    // Extract the username from the email address
+                    let email = directory_user.email.clone();
+                    let username =
+                        email
+                            .split('@')
+                            .next()
+                            .ok_or(DirectorySyncError::UserCreateError(format!(
+                                "Failed to extract username from email address {email}"
+                            )))?;
+                    let username = prune_username(username, core_settings.openid_username_handling);
+                    check_username(&username).map_err(|err| {
+                        DirectorySyncError::UserCreateError(format!(
+                            "Username {username} validation failed: {err:?}"
+                        ))
+                    })?;
+
+                    // Check if user with the same username already exists (usernames are unique).
+                    if User::find_by_username(pool, &username).await?.is_some() {
+                        return Err(DirectorySyncError::UserCreateError(format!(
+                            "User with username {username} already exists"
+                        )));
+                    }
+
+                    let mut user = User::new(
+                        username,
+                        None,
+                        details.last_name.clone(),
+                        details.first_name.clone(),
+                        directory_user.email.clone(),
+                        details.phone_number.clone(),
+                    );
+                    user.openid_sub = directory_user.id.clone();
+                    let new_user = user.save(&mut *transaction).await?;
+                    created_users.push(new_user);
+                }
+            }
         }
     }
-    debug!("Done processing disabled users");
+
+    // get all users present in Defguard but not in directory
+    let missing_directory_users = User::exclude(&mut *transaction, &all_directory_emails)
+        .await?
+        .into_iter()
+        .collect::<Vec<User<Id>>>();
 
     debug!(
         "There are {} users missing from the directory but present in Defguard, \
     deciding what to do next based on the following settings: user action: {}, admin action: {}",
-        missing_users.len(),
+        missing_directory_users.len(),
         user_behavior,
         admin_behavior
     );
     // Keep the admin count to prevent deleting the last admin
     let mut admin_count = User::find_admins(&mut *transaction).await?.len();
-    for mut user in missing_users {
+    for mut user in missing_directory_users {
         if user.is_admin(&mut *transaction).await? {
             match admin_behavior {
                 DirectorySyncUserBehavior::Keep => {
@@ -770,8 +841,90 @@ async fn sync_all_users_state(
     }
     debug!("Done processing missing users");
 
+    transaction.commit().await?;
+
+    // trigger LDAP sync
+    ldap_delete_users(deleted_users.iter().collect::<Vec<_>>(), pool).await;
+    Box::pin(ldap_update_users_state(
+        modified_users.iter_mut().collect::<Vec<_>>(),
+        pool,
+    ))
+    .await;
+    Box::pin(ldap_update_users_state(
+        created_users.iter_mut().collect::<Vec<_>>(),
+        pool,
+    ))
+    .await;
+
+    info!("Syncing all users' state with the directory done");
+
+    Ok(())
+}
+
+async fn sync_inactive_directory_users(
+    transaction: &mut PgConnection,
+    inactive_directory_users: &[&DirectoryUser],
+    modified_users: &mut Vec<User<Id>>,
+    wg_tx: &Sender<GatewayEvent>,
+) -> Result<(), DirectorySyncError> {
+    // find all active Defguard users disabled in directory
+    let disabled_users_emails = inactive_directory_users
+        .iter()
+        .map(|u| u.email.as_str())
+        .collect::<Vec<&str>>();
+    let users_to_disable: Vec<User<Id>> =
+        User::find_many_by_emails(&mut *transaction, &disabled_users_emails)
+            .await?
+            .into_iter()
+            .filter(|user| user.is_active)
+            .collect();
+
+    debug!(
+        "There are {} active Defguard users disabled in the directory. Disabling them in Defguard...",
+        users_to_disable.len()
+    );
+
+    for mut user in users_to_disable {
+        if user.is_active {
+            debug!(
+                "Disabling user {} because they are disabled in the directory",
+                user.email
+            );
+            user.disable(transaction, wg_tx).await.map_err(|err| {
+                DirectorySyncError::UserUpdateError(format!(
+                    "Failed to disable user {} during directory synchronization: {err}",
+                    user.email
+                ))
+            })?;
+            modified_users.push(user);
+        } else {
+            debug!("User {} is already disabled, skipping", user.email);
+        }
+    }
+    debug!("Done processing disabled directory users");
+
+    Ok(())
+}
+
+async fn sync_active_directory_users(
+    transaction: &mut PgConnection,
+    active_directory_users: &[&DirectoryUser],
+    modified_users: &mut Vec<User<Id>>,
+) -> Result<(), DirectorySyncError> {
+    // find all inactive Defguard users enabled in directory
+    let enabled_users_emails = active_directory_users
+        .iter()
+        .map(|u| u.email.as_str())
+        .collect::<Vec<&str>>();
+    let users_to_enable: Vec<User<Id>> =
+        User::find_many_by_emails(&mut *transaction, &enabled_users_emails)
+            .await?
+            .into_iter()
+            .filter(|user| !user.is_active)
+            .collect();
+
     debug!(
-        "There are {} enabled users in the directory, enabling them in Defguard if they were previously disabled",
+        "There are {} inactive Defguard users enabled in the directory. Enabling them in Defguard...",
         users_to_enable.len()
     );
     for mut user in users_to_enable {
@@ -787,17 +940,7 @@ async fn sync_all_users_state(
         user.save(&mut *transaction).await?;
         modified_users.push(user);
     }
-    debug!("Done processing enabled users");
-    transaction.commit().await?;
-
-    ldap_delete_users(deleted_users.iter().collect::<Vec<_>>(), pool).await;
-    Box::pin(ldap_update_users_state(
-        modified_users.iter_mut().collect::<Vec<_>>(),
-        pool,
-    ))
-    .await;
-
-    info!("Syncing all users' state with the directory done");
+    debug!("Done processing active directory users");
 
     Ok(())
 }
diff --git a/crates/defguard_core/src/enterprise/directory_sync/okta.rs b/crates/defguard_core/src/enterprise/directory_sync/okta.rs
index bbc168fe16..569f4ee473 100644
--- a/crates/defguard_core/src/enterprise/directory_sync/okta.rs
+++ b/crates/defguard_core/src/enterprise/directory_sync/okta.rs
@@ -96,6 +96,8 @@ impl From<User> for DirectoryUser {
             email: val.profile.email,
             active: ACTIVE_STATUS.contains(&val.status.as_str()),
             id: None,
+            // TODO: currently not supported for Okta
+            user_details: None,
         }
     }
 }
diff --git a/crates/defguard_core/src/enterprise/directory_sync/testprovider.rs b/crates/defguard_core/src/enterprise/directory_sync/testprovider.rs
index fc74bdebfd..b73d5abbed 100644
--- a/crates/defguard_core/src/enterprise/directory_sync/testprovider.rs
+++ b/crates/defguard_core/src/enterprise/directory_sync/testprovider.rs
@@ -53,16 +53,31 @@ impl DirectorySync for TestProviderDirectorySync {
                 email: "testuser@email.com".into(),
                 active: true,
                 id: Some("testuser-id".into()),
+                user_details: Some(crate::enterprise::directory_sync::DirectoryUserDetails {
+                    last_name: "User".into(),
+                    first_name: "Test".into(),
+                    phone_number: None,
+                }),
             },
             DirectoryUser {
                 email: "testuserdisabled@email.com".into(),
                 active: false,
                 id: Some("testuserdisabled-id".into()),
+                user_details: Some(crate::enterprise::directory_sync::DirectoryUserDetails {
+                    last_name: "UserDisabled".into(),
+                    first_name: "Test".into(),
+                    phone_number: None,
+                }),
             },
             DirectoryUser {
                 email: "testuser2@email.com".into(),
                 active: true,
                 id: Some("testuser2-id".into()),
+                user_details: Some(crate::enterprise::directory_sync::DirectoryUserDetails {
+                    last_name: "User2".into(),
+                    first_name: "Test".into(),
+                    phone_number: None,
+                }),
             },
         ])
     }
diff --git a/crates/defguard_core/src/enterprise/directory_sync/tests.rs b/crates/defguard_core/src/enterprise/directory_sync/tests.rs
index e0d1a5496c..9bac17d281 100644
--- a/crates/defguard_core/src/enterprise/directory_sync/tests.rs
+++ b/crates/defguard_core/src/enterprise/directory_sync/tests.rs
@@ -40,6 +40,7 @@ mod test {
         user_behavior: DirectorySyncUserBehavior,
         admin_behavior: DirectorySyncUserBehavior,
         target: DirectorySyncTarget,
+        prefetch_users: bool,
     ) -> OpenIdProvider<Id> {
         Settings::init_defaults(pool).await.unwrap();
         initialize_current_settings(pool).await.unwrap();
@@ -86,6 +87,7 @@ mod test {
             None,
             vec![],
             None,
+            prefetch_users,
         )
         .save(pool)
         .await
@@ -146,6 +148,7 @@ mod test {
             DirectorySyncUserBehavior::Keep,
             DirectorySyncUserBehavior::Keep,
             DirectorySyncTarget::All,
+            false,
         )
         .await;
         let mut client = DirectorySyncClient::build(&pool).await.unwrap();
@@ -185,6 +188,7 @@ mod test {
             DirectorySyncUserBehavior::Delete,
             DirectorySyncUserBehavior::Keep,
             DirectorySyncTarget::All,
+            false,
         )
         .await;
         let mut client = DirectorySyncClient::build(&pool).await.unwrap();
@@ -231,6 +235,7 @@ mod test {
             DirectorySyncUserBehavior::Keep,
             DirectorySyncUserBehavior::Delete,
             DirectorySyncTarget::All,
+            false,
         )
         .await;
         let mut client = DirectorySyncClient::build(&pool).await.unwrap();
@@ -283,6 +288,7 @@ mod test {
             DirectorySyncUserBehavior::Delete,
             DirectorySyncUserBehavior::Delete,
             DirectorySyncTarget::All,
+            false,
         )
         .await;
         User::init_admin_user(&pool, config.default_admin_password.expose_secret())
@@ -353,6 +359,7 @@ mod test {
             DirectorySyncUserBehavior::Disable,
             DirectorySyncUserBehavior::Keep,
             DirectorySyncTarget::All,
+            false,
         )
         .await;
         let mut client = DirectorySyncClient::build(&pool).await.unwrap();
@@ -435,6 +442,7 @@ mod test {
             DirectorySyncUserBehavior::Keep,
             DirectorySyncUserBehavior::Disable,
             DirectorySyncTarget::All,
+            false,
         )
         .await;
         let mut client = DirectorySyncClient::build(&pool).await.unwrap();
@@ -512,6 +520,7 @@ mod test {
             DirectorySyncUserBehavior::Delete,
             DirectorySyncUserBehavior::Delete,
             DirectorySyncTarget::All,
+            false,
         )
         .await;
         let mut client = DirectorySyncClient::build(&pool).await.unwrap();
@@ -568,6 +577,7 @@ mod test {
             DirectorySyncUserBehavior::Delete,
             DirectorySyncUserBehavior::Delete,
             DirectorySyncTarget::All,
+            false,
         )
         .await;
         let mut client = DirectorySyncClient::build(&pool).await.unwrap();
@@ -596,6 +606,7 @@ mod test {
             DirectorySyncUserBehavior::Delete,
             DirectorySyncUserBehavior::Delete,
             DirectorySyncTarget::Users,
+            false,
         )
         .await;
         let mut client = DirectorySyncClient::build(&pool).await.unwrap();
@@ -620,6 +631,7 @@ mod test {
             DirectorySyncUserBehavior::Delete,
             DirectorySyncUserBehavior::Delete,
             DirectorySyncTarget::All,
+            false,
         )
         .await;
         let network = get_test_network(&pool).await;
@@ -675,6 +687,7 @@ mod test {
             DirectorySyncUserBehavior::Delete,
             DirectorySyncUserBehavior::Delete,
             DirectorySyncTarget::Groups,
+            false,
         )
         .await;
         let mut client = DirectorySyncClient::build(&pool).await.unwrap();
@@ -702,6 +715,7 @@ mod test {
             DirectorySyncUserBehavior::Delete,
             DirectorySyncUserBehavior::Delete,
             DirectorySyncTarget::All,
+            false,
         )
         .await;
         let mut client = DirectorySyncClient::build(&pool).await.unwrap();
@@ -748,6 +762,7 @@ mod test {
             DirectorySyncUserBehavior::Delete,
             DirectorySyncUserBehavior::Delete,
             DirectorySyncTarget::All,
+            false,
         )
         .await;
         let mut client = DirectorySyncClient::build(&pool).await.unwrap();
@@ -774,4 +789,72 @@ mod test {
         let user = User::find_by_username(&pool, "defguard").await.unwrap();
         assert!(user.is_none());
     }
+
+    #[sqlx::test]
+    async fn test_users_no_prefetch(_: PgPoolOptions, options: PgConnectOptions) {
+        let pool = setup_pool(options).await;
+
+        let config = DefGuardConfig::new_test_config();
+        let _ = SERVER_CONFIG.set(config.clone());
+        let (wg_tx, mut wg_rx) = broadcast::channel::<GatewayEvent>(16);
+
+        // disable prefetching users
+        make_test_provider(
+            &pool,
+            DirectorySyncUserBehavior::Keep,
+            DirectorySyncUserBehavior::Keep,
+            DirectorySyncTarget::All,
+            false,
+        )
+        .await;
+        let mut client = DirectorySyncClient::build(&pool).await.unwrap();
+        client.prepare().await.unwrap();
+
+        // no users in Defguard before sync
+        let defguard_users = User::all(&pool).await.unwrap();
+        assert!(defguard_users.is_empty());
+
+        do_directory_sync(&pool, &wg_tx).await.unwrap();
+
+        // no users in Defguard after sync
+        let defguard_users = User::all(&pool).await.unwrap();
+        assert!(defguard_users.is_empty());
+
+        // No events
+        assert!(wg_rx.try_recv().is_err());
+    }
+
+    #[sqlx::test]
+    async fn test_users_prefetch(_: PgPoolOptions, options: PgConnectOptions) {
+        let pool = setup_pool(options).await;
+
+        let config = DefGuardConfig::new_test_config();
+        let _ = SERVER_CONFIG.set(config.clone());
+        let (wg_tx, mut wg_rx) = broadcast::channel::<GatewayEvent>(16);
+
+        // enable prefetching users
+        make_test_provider(
+            &pool,
+            DirectorySyncUserBehavior::Keep,
+            DirectorySyncUserBehavior::Keep,
+            DirectorySyncTarget::All,
+            true,
+        )
+        .await;
+        let mut client = DirectorySyncClient::build(&pool).await.unwrap();
+        client.prepare().await.unwrap();
+
+        // no users in Defguard before sync
+        let defguard_users = User::all(&pool).await.unwrap();
+        assert!(defguard_users.is_empty());
+
+        do_directory_sync(&pool, &wg_tx).await.unwrap();
+
+        // all active directory users were synced
+        let defguard_users = User::all(&pool).await.unwrap();
+        assert_eq!(defguard_users.len(), 3);
+
+        // No events
+        assert!(wg_rx.try_recv().is_err());
+    }
 }
diff --git a/crates/defguard_core/src/enterprise/handlers/openid_providers.rs b/crates/defguard_core/src/enterprise/handlers/openid_providers.rs
index 565e573913..01cef376e6 100644
--- a/crates/defguard_core/src/enterprise/handlers/openid_providers.rs
+++ b/crates/defguard_core/src/enterprise/handlers/openid_providers.rs
@@ -43,6 +43,7 @@ pub struct AddProviderData {
     pub directory_sync_group_match: Option<String>,
     pub username_handling: OpenidUsernameHandling,
     pub jumpcloud_api_key: Option<String>,
+    pub prefetch_users: bool,
 }
 
 #[derive(Deserialize, Serialize)]
@@ -160,6 +161,7 @@ pub async fn add_openid_provider(
         provider_data.okta_dirsync_client_id,
         group_match,
         provider_data.jumpcloud_api_key,
+        provider_data.prefetch_users,
     )
     .upsert(&appstate.pool)
     .await?;
diff --git a/crates/defguard_core/tests/integration/api/openid_login.rs b/crates/defguard_core/tests/integration/api/openid_login.rs
index c08353e428..923633fe1a 100644
--- a/crates/defguard_core/tests/integration/api/openid_login.rs
+++ b/crates/defguard_core/tests/integration/api/openid_login.rs
@@ -53,6 +53,7 @@ async fn test_openid_providers(_: PgPoolOptions, options: PgConnectOptions) {
         directory_sync_group_match: None,
         username_handling: OpenidUsernameHandling::PruneEmailDomain,
         jumpcloud_api_key: None,
+        prefetch_users: false,
     };
 
     let response = client
@@ -153,6 +154,7 @@ async fn test_openid_login(_: PgPoolOptions, options: PgConnectOptions) {
         directory_sync_group_match: None,
         username_handling: OpenidUsernameHandling::PruneEmailDomain,
         jumpcloud_api_key: None,
+        prefetch_users: false,
     };
     let response = client
         .post("/api/v1/openid/provider")
diff --git a/crates/defguard_core/tests/integration/api/wireguard.rs b/crates/defguard_core/tests/integration/api/wireguard.rs
index 02d7a73f36..b21295cc22 100644
--- a/crates/defguard_core/tests/integration/api/wireguard.rs
+++ b/crates/defguard_core/tests/integration/api/wireguard.rs
@@ -193,6 +193,7 @@ async fn test_location_mfa_mode_validation_create(_: PgPoolOptions, options: PgC
         directory_sync_group_match: None,
         username_handling: OpenidUsernameHandling::PruneEmailDomain,
         jumpcloud_api_key: None,
+        prefetch_users: false,
     };
 
     let response = client
@@ -288,6 +289,7 @@ async fn test_location_mfa_mode_validation_modify(_: PgPoolOptions, options: PgC
         directory_sync_group_match: None,
         username_handling: OpenidUsernameHandling::PruneEmailDomain,
         jumpcloud_api_key: None,
+        prefetch_users: false,
     };
 
     let response = client
diff --git a/migrations/20251103105138_openid_directory_sync_prefetch_users.down.sql b/migrations/20251103105138_openid_directory_sync_prefetch_users.down.sql
new file mode 100644
index 0000000000..84539f0ec4
--- /dev/null
+++ b/migrations/20251103105138_openid_directory_sync_prefetch_users.down.sql
@@ -0,0 +1 @@
+ALTER TABLE openidprovider DROP COLUMN prefetch_users;
diff --git a/migrations/20251103105138_openid_directory_sync_prefetch_users.up.sql b/migrations/20251103105138_openid_directory_sync_prefetch_users.up.sql
new file mode 100644
index 0000000000..5e93a274fd
--- /dev/null
+++ b/migrations/20251103105138_openid_directory_sync_prefetch_users.up.sql
@@ -0,0 +1 @@
+ALTER TABLE openidprovider ADD COLUMN prefetch_users BOOLEAN NOT NULL DEFAULT FALSE;
diff --git a/web/src/i18n/en/index.ts b/web/src/i18n/en/index.ts
index 76f8484653..f4b94015e6 100644
--- a/web/src/i18n/en/index.ts
+++ b/web/src/i18n/en/index.ts
@@ -1388,6 +1388,10 @@ Licensing information: [https://docs.defguard.net/enterprise/license](https://do
           enable_directory_sync: {
             label: 'Enable directory synchronization',
           },
+          prefetch_users: {
+            label: 'Prefetch users',
+            helper: 'Fetch users from external provider and create user accounts in Defguard without waiting for them to log in',
+          },
           sync_target: {
             label: 'Synchronize',
             helper:
diff --git a/web/src/i18n/i18n-types.ts b/web/src/i18n/i18n-types.ts
index e934c44085..2313f93c1c 100644
--- a/web/src/i18n/i18n-types.ts
+++ b/web/src/i18n/i18n-types.ts
@@ -3416,6 +3416,16 @@ type RootTranslation = {
 						 */
 						label: string
 					}
+					prefetch_users: {
+						/**
+						 * P​r​e​f​e​t​c​h​ ​u​s​e​r​s
+						 */
+						label: string
+						/**
+						 * F​e​t​c​h​ ​u​s​e​r​s​ ​f​r​o​m​ ​e​x​t​e​r​n​a​l​ ​p​r​o​v​i​d​e​r​ ​a​n​d​ ​c​r​e​a​t​e​ ​u​s​e​r​ ​a​c​c​o​u​n​t​s​ ​i​n​ ​D​e​f​g​u​a​r​d​ ​w​i​t​h​o​u​t​ ​w​a​i​t​i​n​g​ ​f​o​r​ ​t​h​e​m​ ​t​o​ ​l​o​g​ ​i​n
+						 */
+						helper: string
+					}
 					sync_target: {
 						/**
 						 * S​y​n​c​h​r​o​n​i​z​e
@@ -10141,6 +10151,16 @@ export type TranslationFunctions = {
 						 */
 						label: () => LocalizedString
 					}
+					prefetch_users: {
+						/**
+						 * Prefetch users
+						 */
+						label: () => LocalizedString
+						/**
+						 * Fetch users from external provider and create user accounts in Defguard without waiting for them to log in
+						 */
+						helper: () => LocalizedString
+					}
 					sync_target: {
 						/**
 						 * Synchronize
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/DirectorySyncSettings.tsx b/web/src/pages/settings/components/OpenIdSettings/components/DirectorySyncSettings.tsx
index a859fbbfca..d60e136342 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/DirectorySyncSettings.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/components/DirectorySyncSettings.tsx
@@ -5,10 +5,10 @@ import { useMemo, useState } from 'react';
 import { useFormContext, useWatch } from 'react-hook-form';
 
 import { useI18nContext } from '../../../../../i18n/i18n-react';
+import { FormCheckBox } from '../../../../../shared/defguard-ui/components/Form/FormCheckBox/FormCheckBox';
 import { FormInput } from '../../../../../shared/defguard-ui/components/Form/FormInput/FormInput';
 import { FormSelect } from '../../../../../shared/defguard-ui/components/Form/FormSelect/FormSelect';
 import { Helper } from '../../../../../shared/defguard-ui/components/Layout/Helper/Helper';
-import { LabeledCheckbox } from '../../../../../shared/defguard-ui/components/Layout/LabeledCheckbox/LabeledCheckbox';
 import SvgIconDownload from '../../../../../shared/defguard-ui/components/svg/IconDownload';
 import { titleCase } from '../../../../../shared/utils/titleCase';
 import { SUPPORTED_SYNC_PROVIDERS } from './SupportedProviders';
@@ -80,16 +80,11 @@ export const DirsyncSettings = ({ isLoading }: { isLoading: boolean }) => {
       <div id="directory-sync-settings">
         {showDirsync ? (
           <>
-            <div id="enable-dir-sync">
-              {/* FIXME: Really buggy when using the controller, investigate why */}
-              <LabeledCheckbox
-                disabled={isLoading || !showDirsync}
-                label={localLL.form.labels.enable_directory_sync.label()}
-                value={dirsyncEnabled}
-                onChange={(val) => setValue('directory_sync_enabled', val)}
-                // controller={{ control, name: 'directory_sync_enabled' }}
-              />
-            </div>
+            <FormCheckBox
+              label={localLL.form.labels.enable_directory_sync.label()}
+              labelPlacement="right"
+              controller={{ control, name: 'directory_sync_enabled' }}
+            />
             <FormSelect
               controller={{ control, name: 'directory_sync_target' }}
               options={syncTarget}
@@ -141,15 +136,25 @@ export const DirsyncSettings = ({ isLoading }: { isLoading: boolean }) => {
               disabled={isLoading}
             />
             {providerName === 'Microsoft' ? (
-              <FormInput
-                controller={{ control, name: 'directory_sync_group_match' }}
-                label={localLL.form.labels.group_match.label()}
-                disabled={isLoading}
-                labelExtras={
-                  <Helper>{parse(localLL.form.labels.group_match.helper())}</Helper>
-                }
-                required={false}
-              ></FormInput>
+              <>
+                <div className="helper-row">
+                  <FormCheckBox
+                    controller={{ control, name: 'prefetch_users' }}
+                    label={localLL.form.labels.prefetch_users.label()}
+                    labelPlacement="right"
+                  />
+                  <Helper>{localLL.form.labels.prefetch_users.helper()}</Helper>
+                </div>
+                <FormInput
+                  controller={{ control, name: 'directory_sync_group_match' }}
+                  label={localLL.form.labels.group_match.label()}
+                  disabled={isLoading}
+                  labelExtras={
+                    <Helper>{parse(localLL.form.labels.group_match.helper())}</Helper>
+                  }
+                  required={false}
+                />
+              </>
             ) : null}
             {providerName === 'Okta' ? (
               <>
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
index ec3215c2b4..992c57a543 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
@@ -102,6 +102,7 @@ export const OpenIdSettingsForm = () => {
           google_service_account_email: z.string(),
           google_service_account_key: z.string(),
           directory_sync_enabled: z.boolean(),
+          prefetch_users: z.boolean(),
           directory_sync_interval: z.number().min(60, LL.form.error.invalid()),
           directory_sync_user_behavior: z.enum(['keep', 'disable', 'delete']),
           directory_sync_admin_behavior: z.enum(['keep', 'disable', 'delete']),
@@ -175,6 +176,7 @@ export const OpenIdSettingsForm = () => {
       google_service_account_email: '',
       google_service_account_key: '',
       directory_sync_enabled: false,
+      prefetch_users: false,
       directory_sync_interval: 600,
       directory_sync_user_behavior: 'keep',
       directory_sync_admin_behavior: 'keep',
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/style.scss b/web/src/pages/settings/components/OpenIdSettings/components/style.scss
index 017b6c9d4e..0e9f73a849 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/style.scss
+++ b/web/src/pages/settings/components/OpenIdSettings/components/style.scss
@@ -76,8 +76,14 @@
     justify-content: flex-end;
   }
 
-  .labeled-checkbox {
-    padding-bottom: var(--spacing-s);
+  #directory-sync-settings {
+    & > .form-checkbox {
+      padding-bottom: var(--spacing-s);
+    }
+
+    .helper-row {
+      padding-bottom: var(--spacing-s);
+    }
   }
 }
 

From 53eccb8c2732d62575140017bbea10eabcf32394 Mon Sep 17 00:00:00 2001
From: Maciek <19913370+wojcik91@users.noreply.github.com>
Date: Wed, 12 Nov 2025 11:42:12 +0100
Subject: [PATCH 36/50] add option to configure enrollment token duration
 (#1698)

* add option to specify enrollment token expiration time

* add test

* update dependencies
---
 Cargo.lock                                    | 135 +++++++++++-------
 crates/defguard_core/src/handlers/mod.rs      |   1 +
 crates/defguard_core/src/handlers/user.rs     |  14 +-
 .../tests/integration/api/enrollment.rs       |  89 ++++++++++++
 4 files changed, 190 insertions(+), 49 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 436bc1792a..3202580766 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -516,9 +516,9 @@ dependencies = [
 
 [[package]]
 name = "buffer-redux"
-version = "1.0.2"
+version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4e8acf87c5b9f5897cd3ebb9a327f420e0cae9dd4e5c1d2e36f2c84c571a58f1"
+checksum = "431a9cc8d7efa49bc326729264537f5e60affce816c66edf434350778c9f4f54"
 dependencies = [
  "memchr",
 ]
@@ -565,9 +565,9 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.2.44"
+version = "1.2.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "37521ac7aabe3d13122dc382493e20c9416f299d2ccd5b3a5340a2570cdeb0f3"
+checksum = "35900b6c8d709fb1d854671ae27aeaa9eec2f8b01b364e1619a40da3e6fe2afe"
 dependencies = [
  "find-msvc-tools",
  "jobserver",
@@ -618,7 +618,7 @@ checksum = "93698b29de5e97ad0ae26447b344c482a7284c737d9ddc5f9e52b74a336671bb"
 dependencies = [
  "chrono",
  "chrono-tz-build",
- "phf",
+ "phf 0.11.3",
 ]
 
 [[package]]
@@ -628,8 +628,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0c088aee841df9c3041febbb73934cfc39708749bf96dc827e3359cd39ef11b1"
 dependencies = [
  "parse-zoneinfo",
- "phf",
- "phf_codegen",
+ "phf 0.11.3",
+ "phf_codegen 0.11.3",
 ]
 
 [[package]]
@@ -926,7 +926,7 @@ dependencies = [
  "cssparser-macros",
  "dtoa-short",
  "itoa",
- "phf",
+ "phf 0.11.3",
  "smallvec",
 ]
 
@@ -2202,9 +2202,9 @@ checksum = "135b12329e5e3ce057a9f972339ea52bc954fe1e9358ef27f95e89716fbc5424"
 
 [[package]]
 name = "hyper"
-version = "1.7.0"
+version = "1.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eb3aa54a13a0dfe7fbe3a59e0c76093041720fdc77b110cc0fc260fafb4dc51e"
+checksum = "1744436df46f0bde35af3eda22aeaba453aada65d8f1c171cd8a5f59030bd69f"
 dependencies = [
  "atomic-waker",
  "bytes",
@@ -2501,9 +2501,9 @@ dependencies = [
 
 [[package]]
 name = "iri-string"
-version = "0.7.8"
+version = "0.7.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dbc5ebe9c3a1a7a5127f920a418f7585e9e758e911d0466ed004f393b0e380b2"
+checksum = "4f867b9d1d896b67beb18518eda36fdb77a32ea590de864f1325b294a6d14397"
 dependencies = [
  "memchr",
  "serde",
@@ -2741,9 +2741,9 @@ dependencies = [
 
 [[package]]
 name = "libz-sys"
-version = "1.1.22"
+version = "1.1.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b70e7a7df205e92a1a4cd9aaae7898dac0aa555503cc0a649494d0d60e7651d"
+checksum = "15d118bbf3771060e7311cc7bb0545b01d08a8b4a7de949198dec1fa0ca1c0f7"
 dependencies = [
  "cc",
  "libc",
@@ -3190,9 +3190,9 @@ dependencies = [
 
 [[package]]
 name = "openssl"
-version = "0.10.74"
+version = "0.10.75"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "24ad14dd45412269e1a30f52ad8f0664f0f4f4a89ee8fe28c3b3527021ebb654"
+checksum = "08838db121398ad17ab8531ce9de97b244589089e290a384c900cb9ff7434328"
 dependencies = [
  "bitflags 2.10.0",
  "cfg-if",
@@ -3222,9 +3222,9 @@ checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"
 
 [[package]]
 name = "openssl-sys"
-version = "0.9.110"
+version = "0.9.111"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0a9f0075ba3c21b09f8e8b2026584b1d18d49388648f2fbbf3c97ea8deced8e2"
+checksum = "82cab2d520aa75e3c58898289429321eb788c3106963d0dc886ec7a5f4adc321"
 dependencies = [
  "cc",
  "libc",
@@ -3526,7 +3526,17 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1fd6780a80ae0c52cc120a26a1a42c1ae51b247a253e4e06113d23d2c2edd078"
 dependencies = [
  "phf_macros",
- "phf_shared",
+ "phf_shared 0.11.3",
+]
+
+[[package]]
+name = "phf"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c1562dc717473dbaa4c1f85a36410e03c047b2e7df7f45ee938fbef64ae7fadf"
+dependencies = [
+ "phf_shared 0.13.1",
+ "serde",
 ]
 
 [[package]]
@@ -3535,8 +3545,18 @@ version = "0.11.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "aef8048c789fa5e851558d709946d6d79a8ff88c0440c587967f8e94bfb1216a"
 dependencies = [
- "phf_generator",
- "phf_shared",
+ "phf_generator 0.11.3",
+ "phf_shared 0.11.3",
+]
+
+[[package]]
+name = "phf_codegen"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "49aa7f9d80421bca176ca8dbfebe668cc7a2684708594ec9f3c0db0805d5d6e1"
+dependencies = [
+ "phf_generator 0.13.1",
+ "phf_shared 0.13.1",
 ]
 
 [[package]]
@@ -3545,18 +3565,28 @@ version = "0.11.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3c80231409c20246a13fddb31776fb942c38553c51e871f8cbd687a4cfb5843d"
 dependencies = [
- "phf_shared",
+ "phf_shared 0.11.3",
  "rand 0.8.5",
 ]
 
+[[package]]
+name = "phf_generator"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "135ace3a761e564ec88c03a77317a7c6b80bb7f7135ef2544dbe054243b89737"
+dependencies = [
+ "fastrand",
+ "phf_shared 0.13.1",
+]
+
 [[package]]
 name = "phf_macros"
 version = "0.11.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f84ac04429c13a7ff43785d75ad27569f2951ce0ffd30a3321230db2fc727216"
 dependencies = [
- "phf_generator",
- "phf_shared",
+ "phf_generator 0.11.3",
+ "phf_shared 0.11.3",
  "proc-macro2",
  "quote",
  "syn",
@@ -3571,6 +3601,15 @@ dependencies = [
  "siphasher",
 ]
 
+[[package]]
+name = "phf_shared"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e57fef6bc5981e38c2ce2d63bfa546861309f875b8a75f092d1d54ae2d64f266"
+dependencies = [
+ "siphasher",
+]
+
 [[package]]
 name = "pin-project"
 version = "1.1.10"
@@ -3823,18 +3862,18 @@ checksum = "007d8adb5ddab6f8e3f491ac63566a7d5002cc7ed73901f72057943fa71ae1ae"
 
 [[package]]
 name = "pulldown-cmark-to-cmark"
-version = "21.0.0"
+version = "21.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e5b6a0769a491a08b31ea5c62494a8f144ee0987d86d670a8af4df1e1b7cde75"
+checksum = "8246feae3db61428fd0bb94285c690b460e4517d83152377543ca802357785f1"
 dependencies = [
  "pulldown-cmark",
 ]
 
 [[package]]
 name = "quick-xml"
-version = "0.38.3"
+version = "0.38.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "42a232e7487fc2ef313d96dde7948e7a3c05101870d8985e4fd8d26aedd27b89"
+checksum = "b66c2058c55a409d601666cffe35f04333cf1013010882cec174a7467cd4e21c"
 dependencies = [
  "memchr",
 ]
@@ -3896,9 +3935,9 @@ dependencies = [
 
 [[package]]
 name = "quote"
-version = "1.0.41"
+version = "1.0.42"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ce25767e7b499d1b604768e7cde645d14cc8584231ea6b295e9c9eb22c02e1d1"
+checksum = "a338cc41d27e6cc6dce6cefc13a0729dfbb81c262b1f519331575dd80ef3067f"
 dependencies = [
  "proc-macro2",
 ]
@@ -4227,9 +4266,9 @@ dependencies = [
 
 [[package]]
 name = "rustls"
-version = "0.23.34"
+version = "0.23.35"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a9586e9ee2b4f8fab52a0048ca7334d7024eef48e2cb9407e3497bb7cab7fa7"
+checksum = "533f54bc6a7d4f647e46ad909549eda97bf5afc1585190ef692b4286b198bd8f"
 dependencies = [
  "log",
  "once_cell",
@@ -4317,9 +4356,9 @@ dependencies = [
 
 [[package]]
 name = "schemars"
-version = "1.0.5"
+version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1317c3bf3e7df961da95b0a56a172a02abead31276215a0497241a7624b487ce"
+checksum = "9558e172d4e8533736ba97870c4b2cd63f84b382a3d6eb063da41b91cce17289"
 dependencies = [
  "dyn-clone",
  "ref-cast",
@@ -4555,7 +4594,7 @@ dependencies = [
  "indexmap 1.9.3",
  "indexmap 2.12.0",
  "schemars 0.9.0",
- "schemars 1.0.5",
+ "schemars 1.1.0",
  "serde_core",
  "serde_json",
  "serde_with_macros",
@@ -5059,25 +5098,25 @@ dependencies = [
 
 [[package]]
 name = "string_cache"
-version = "0.8.9"
+version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bf776ba3fa74f83bf4b63c3dcbbf82173db2632ed8452cb2d891d33f459de70f"
+checksum = "a18596f8c785a729f2819c0f6a7eae6ebeebdfffbfe4214ae6b087f690e31901"
 dependencies = [
  "new_debug_unreachable",
  "parking_lot",
- "phf_shared",
+ "phf_shared 0.13.1",
  "precomputed-hash",
  "serde",
 ]
 
 [[package]]
 name = "string_cache_codegen"
-version = "0.5.4"
+version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c711928715f1fe0fe509c53b43e993a9a557babc2d0a3567d0a3006f1ac931a0"
+checksum = "585635e46db231059f76c5849798146164652513eb9e8ab2685939dd90f29b69"
 dependencies = [
- "phf_generator",
- "phf_shared",
+ "phf_generator 0.13.1",
+ "phf_shared 0.13.1",
  "proc-macro2",
  "quote",
 ]
@@ -5148,9 +5187,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
 
 [[package]]
 name = "syn"
-version = "2.0.108"
+version = "2.0.110"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da58917d35242480a05c2897064da0a80589a2a0476c9a3f2fdc83b53502e917"
+checksum = "a99801b5bd34ede4cf3fc688c5919368fea4e4814a4664359503e6015b280aea"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -6098,12 +6137,12 @@ dependencies = [
 
 [[package]]
 name = "web_atoms"
-version = "0.1.3"
+version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "57ffde1dc01240bdf9992e3205668b235e59421fd085e8a317ed98da0178d414"
+checksum = "44b72896d90cfd22c495d0ee4960d3dd20ca64180895cb92cd5342ff7482a579"
 dependencies = [
- "phf",
- "phf_codegen",
+ "phf 0.13.1",
+ "phf_codegen 0.13.1",
  "string_cache",
  "string_cache_codegen",
 ]
diff --git a/crates/defguard_core/src/handlers/mod.rs b/crates/defguard_core/src/handlers/mod.rs
index c83fed9a13..93263db869 100644
--- a/crates/defguard_core/src/handlers/mod.rs
+++ b/crates/defguard_core/src/handlers/mod.rs
@@ -330,6 +330,7 @@ pub struct StartEnrollmentRequest {
     #[serde(default)]
     pub send_enrollment_notification: bool,
     pub email: Option<String>,
+    pub token_expiration_time: Option<String>,
 }
 
 #[derive(Deserialize, Serialize, ToSchema)]
diff --git a/crates/defguard_core/src/handlers/user.rs b/crates/defguard_core/src/handlers/user.rs
index d59920919c..128522ddd4 100644
--- a/crates/defguard_core/src/handlers/user.rs
+++ b/crates/defguard_core/src/handlers/user.rs
@@ -5,6 +5,7 @@ use axum::{
     http::StatusCode,
 };
 use defguard_mail::{Mail, templates};
+use humantime::parse_duration;
 use serde_json::json;
 
 use super::{
@@ -428,13 +429,24 @@ pub async fn start_enrollment(
     debug!("Create a new database transaction to save a new enrollment token into the database.");
     let mut transaction = appstate.pool.begin().await?;
 
+    // try to parse token expiration time if provided
     let config = server_config();
+    let token_expiration_time_seconds = match data.token_expiration_time {
+        Some(time) => parse_duration(&time)
+            .map_err(|err| {
+                error!("Failed to parse token expiration time {time}: {err}");
+                WebError::BadRequest("Failed to parse token expiration time".to_owned())
+            })?
+            .as_secs(),
+        None => config.enrollment_token_timeout.as_secs(),
+    };
+
     let enrollment_token = user
         .start_enrollment(
             &mut transaction,
             &session.user,
             data.email,
-            config.enrollment_token_timeout.as_secs(),
+            token_expiration_time_seconds,
             config.enrollment_url.clone(),
             data.send_enrollment_notification,
             appstate.mail_tx.clone(),
diff --git a/crates/defguard_core/tests/integration/api/enrollment.rs b/crates/defguard_core/tests/integration/api/enrollment.rs
index 5b42f7376c..5ca0c8eea5 100644
--- a/crates/defguard_core/tests/integration/api/enrollment.rs
+++ b/crates/defguard_core/tests/integration/api/enrollment.rs
@@ -1,3 +1,4 @@
+use chrono::Duration;
 use defguard_core::{
     db::{User, models::enrollment::Token},
     handlers::{AddUserData, Auth},
@@ -218,6 +219,94 @@ async fn test_request_enrollment(_: PgPoolOptions, options: PgConnectOptions) {
     assert!(token.used_at.is_none());
 }
 
+#[sqlx::test]
+async fn test_enrollment_token_expiration_time(_: PgPoolOptions, options: PgConnectOptions) {
+    let pool = setup_pool(options).await;
+
+    let (client, pool) = make_client_with_db(pool).await;
+
+    let auth = Auth::new("admin", "pass123");
+    let response = client.post("/api/v1/auth").json(&auth).send().await;
+    assert_eq!(response.status(), StatusCode::OK);
+
+    // create user without password
+    let new_user = AddUserData {
+        username: "adumbledore".into(),
+        last_name: "Dumbledore".into(),
+        first_name: "Albus".into(),
+        email: "a.dumbledore@hogwart.edu.uk".into(),
+        phone: Some("1234".into()),
+        password: None,
+    };
+    let response = client.post("/api/v1/user").json(&new_user).send().await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+
+    let user = User::find_by_username(&pool, &new_user.username)
+        .await
+        .unwrap()
+        .unwrap();
+
+    // verify enrollment token was not created
+    let tokens = Token::fetch_all(&pool).await.unwrap();
+    assert_eq!(tokens.len(), 0);
+
+    // request enrollment
+    let response = client
+        .post(format!("/api/v1/user/{}/start_enrollment", user.username))
+        .json(&json!({"email": user.email, "send_enrollment_notification": false}))
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+
+    // verify enrollment token was created with default expiration time (24h)
+    let tokens = Token::fetch_all(&pool).await.unwrap();
+    assert_eq!(tokens.len(), 1);
+    let token = tokens.first().unwrap();
+    assert_eq!(token.expires_at, token.created_at + Duration::hours(24));
+
+    // request enrollment with different expiration time
+    let response = client
+        .post(format!("/api/v1/user/{}/start_enrollment", user.username))
+        .json(&json!({"email": user.email, "send_enrollment_notification": false, "token_expiration_time": "3d"}))
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+
+    // verify enrollment token was created with default expiration time (24h)
+    let tokens = Token::fetch_all(&pool).await.unwrap();
+    assert_eq!(tokens.len(), 1);
+    let token = tokens.first().unwrap();
+    assert_eq!(token.expires_at, token.created_at + Duration::hours(72));
+
+    // request enrollment with different expiration time
+    let response = client
+        .post(format!("/api/v1/user/{}/start_enrollment", user.username))
+        .json(&json!({"email": user.email, "send_enrollment_notification": false, "token_expiration_time": "1w"}))
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+
+    // verify enrollment token was created with default expiration time (24h)
+    let tokens = Token::fetch_all(&pool).await.unwrap();
+    assert_eq!(tokens.len(), 1);
+    let token = tokens.first().unwrap();
+    assert_eq!(token.expires_at, token.created_at + Duration::days(7));
+
+    // request enrollment with different expiration time
+    let response = client
+        .post(format!("/api/v1/user/{}/start_enrollment", user.username))
+        .json(&json!({"email": user.email, "send_enrollment_notification": false, "token_expiration_time": "2h"}))
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+
+    // verify enrollment token was created with default expiration time (24h)
+    let tokens = Token::fetch_all(&pool).await.unwrap();
+    assert_eq!(tokens.len(), 1);
+    let token = tokens.first().unwrap();
+    assert_eq!(token.expires_at, token.created_at + Duration::hours(2));
+}
+
 #[sqlx::test]
 async fn test_enrollment_pending_unset_for_desktop_client(
     _: PgPoolOptions,

From 465e5ae67703727e4c88e04c511f72627f43a6e7 Mon Sep 17 00:00:00 2001
From: Maciek <19913370+wojcik91@users.noreply.github.com>
Date: Thu, 13 Nov 2025 11:07:12 +0100
Subject: [PATCH 37/50] fix(gRPC): improve handling device pubkey change
 (#1703)

* reproduce issue in test

* don't throw errors if device is not found

* avoid showing private key in debug logs

* update test
---
 .../defguard_core/src/db/models/wireguard.rs  |  25 +++-
 crates/defguard_core/src/grpc/gateway/mod.rs  |  38 +++---
 .../tests/integration/grpc/gateway.rs         | 114 ++++++++++++++++++
 3 files changed, 158 insertions(+), 19 deletions(-)

diff --git a/crates/defguard_core/src/db/models/wireguard.rs b/crates/defguard_core/src/db/models/wireguard.rs
index 83f1b9966c..66ea81f1ed 100644
--- a/crates/defguard_core/src/db/models/wireguard.rs
+++ b/crates/defguard_core/src/db/models/wireguard.rs
@@ -162,7 +162,7 @@ impl From<ServiceLocationMode> for ProtoServiceLocationMode {
 }
 
 /// Stores configuration required to setup a WireGuard network
-#[derive(Clone, Debug, Deserialize, Eq, Hash, Model, PartialEq, Serialize, ToSchema)]
+#[derive(Clone, Deserialize, Eq, Hash, Model, PartialEq, Serialize, ToSchema)]
 #[table(wireguard_network)]
 pub struct WireguardNetwork<I = NoId> {
     pub id: I,
@@ -207,6 +207,29 @@ impl fmt::Display for WireguardNetwork<Id> {
     }
 }
 
+impl fmt::Debug for WireguardNetwork<Id> {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("WireguardNetwork")
+            .field("id", &self.id)
+            .field("name", &self.name)
+            .field("address", &self.address)
+            .field("port", &self.port)
+            .field("pubkey", &self.pubkey)
+            .field("prvkey", &"***")
+            .field("endpoint", &self.endpoint)
+            .field("dns", &self.dns)
+            .field("allowed_ips", &self.allowed_ips)
+            .field("connected_at", &self.connected_at)
+            .field("acl_enabled", &self.acl_enabled)
+            .field("acl_default_allow", &self.acl_default_allow)
+            .field("keepalive_interval", &self.keepalive_interval)
+            .field("peer_disconnect_threshold", &self.peer_disconnect_threshold)
+            .field("location_mfa_mode", &self.location_mfa_mode)
+            .field("service_location_mode", &self.service_location_mode)
+            .finish()
+    }
+}
+
 #[cfg(test)]
 impl Default for WireguardNetwork<Id> {
     fn default() -> Self {
diff --git a/crates/defguard_core/src/grpc/gateway/mod.rs b/crates/defguard_core/src/grpc/gateway/mod.rs
index 1fd5ad6f3a..ff119fc0fc 100644
--- a/crates/defguard_core/src/grpc/gateway/mod.rs
+++ b/crates/defguard_core/src/grpc/gateway/mod.rs
@@ -239,25 +239,18 @@ impl GatewayServer {
         Ok(self.grpc_event_tx.send(event)?)
     }
 
-    /// Helper method to fetch `Device` info from DB and return appropriate errors
-    async fn fetch_device_from_db(&self, public_key: &str) -> Result<Device<Id>, Status> {
-        let device = match Device::find_by_pubkey(&self.pool, public_key).await {
-            Ok(Some(device)) => device,
-            Ok(None) => {
-                error!("Device with public key {public_key} not found");
-                return Err(Status::new(
-                    Code::Internal,
-                    format!("Device with public key {public_key} not found"),
-                ));
-            }
-            Err(err) => {
+    /// Helper method to fetch `Device` info from DB by pubkey and return appropriate errors
+    async fn fetch_device_from_db(&self, public_key: &str) -> Result<Option<Device<Id>>, Status> {
+        let device = Device::find_by_pubkey(&self.pool, public_key)
+            .await
+            .map_err(|err| {
                 error!("Failed to retrieve device with public key {public_key}: {err}",);
-                return Err(Status::new(
+                Status::new(
                     Code::Internal,
                     format!("Failed to retrieve device with public key {public_key}: {err}",),
-                ));
-            }
-        };
+                )
+            })?;
+
         Ok(device)
     }
 
@@ -825,8 +818,17 @@ impl gateway_service_server::GatewayService for GatewayServer {
 
             // fetch device from DB
             // TODO: fetch only when device has changed and use client state otherwise
-            let device = self.fetch_device_from_db(&public_key).await?;
-            // copy for easier reference later
+            let device = match self.fetch_device_from_db(&public_key).await? {
+                Some(device) => device,
+                None => {
+                    warn!(
+                        "Received stats update for a device which does not exist: {public_key}, skipping."
+                    );
+                    continue;
+                }
+            };
+
+            // copy device ID for easier reference later
             let device_id = device.id;
 
             // fetch user and location from DB for activity log
diff --git a/crates/defguard_core/tests/integration/grpc/gateway.rs b/crates/defguard_core/tests/integration/grpc/gateway.rs
index 3f35c2007c..d27fca1e72 100644
--- a/crates/defguard_core/tests/integration/grpc/gateway.rs
+++ b/crates/defguard_core/tests/integration/grpc/gateway.rs
@@ -558,3 +558,117 @@ async fn test_gateway_version_validation(_: PgPoolOptions, options: PgConnectOpt
     let status = response.err().unwrap();
     assert_eq!(status.code(), Code::FailedPrecondition);
 }
+
+// https://github.com/DefGuard/defguard/issues/1671
+#[sqlx::test]
+async fn test_device_pubkey_change(_: PgPoolOptions, options: PgConnectOptions) {
+    let pool = setup_pool(options).await;
+    let (mut test_server, mut gateway, test_location, test_user) =
+        setup_test_server(pool.clone()).await;
+
+    // initial client map is empty
+    {
+        let client_map = test_server.get_client_map();
+        assert!(client_map.is_empty())
+    }
+
+    // connect stats stream
+    let stats_tx = gateway.setup_stats_update_stream().await;
+    let mut update_id = 1;
+
+    // add user device
+    let device_pubkey = "wYOt6ImBaQ3BEMQ3Xf5P5fTnbqwOvjcqYkkSBt+1xOg=";
+    let mut test_device = Device::new(
+        "test device".into(),
+        device_pubkey.into(),
+        test_user.id,
+        DeviceType::User,
+        None,
+        true,
+    )
+    .save(&pool)
+    .await
+    .unwrap();
+
+    // send stats update for existing device
+    stats_tx
+        .send(StatsUpdate {
+            id: update_id,
+            payload: Some(Payload::PeerStats(PeerStats {
+                public_key: device_pubkey.into(),
+                endpoint: "1.2.3.4:1234".into(),
+                latest_handshake: Utc::now().timestamp() as u64,
+                ..Default::default()
+            })),
+        })
+        .expect("failed to send stats update");
+
+    // wait for event to be emitted
+    sleep(Duration::from_millis(100)).await;
+    let grpc_event = test_server
+        .grpc_event_rx
+        .try_recv()
+        .expect("failed to receive gRPC event");
+    assert_matches!(
+    grpc_event,
+    GrpcEvent::ClientConnected {
+        context: _,
+        location,
+        device
+    } if ((location.id == test_location.id) & (device.id == test_device.id))
+    );
+
+    // change device pubkey
+    let new_device_pubkey = "TJG2T6rhndZtk06KnIIOlD6hhd7wpVkBss8sfyvMCAA=";
+    test_device.wireguard_pubkey = new_device_pubkey.to_owned();
+    test_device.save(&pool).await.unwrap();
+
+    // send stats update with old pubkey
+    update_id += 1;
+    stats_tx
+        .send(StatsUpdate {
+            id: update_id,
+            payload: Some(Payload::PeerStats(PeerStats {
+                public_key: device_pubkey.into(),
+                endpoint: "1.2.3.4:1234".into(),
+                latest_handshake: Utc::now().timestamp() as u64,
+                ..Default::default()
+            })),
+        })
+        .expect("failed to send stats update");
+
+    // no event should be emitted
+    sleep(Duration::from_millis(100)).await;
+    assert_err_eq!(test_server.grpc_event_rx.try_recv(), TryRecvError::Empty);
+
+    // send stats update with new pubkey
+    update_id += 1;
+    stats_tx
+        .send(StatsUpdate {
+            id: update_id,
+            payload: Some(Payload::PeerStats(PeerStats {
+                public_key: new_device_pubkey.into(),
+                endpoint: "1.2.3.4:1234".into(),
+                latest_handshake: Utc::now().timestamp() as u64,
+                ..Default::default()
+            })),
+        })
+        .expect("failed to send stats update");
+
+    // wait for event
+    // FIXME: ideally this should not be emitted; we'll fix it once we implement a more robust VPN session logic
+    sleep(Duration::from_millis(100)).await;
+    let grpc_event = test_server
+        .grpc_event_rx
+        .try_recv()
+        .expect("failed to receive gRPC event");
+
+    assert_matches!(
+        grpc_event,
+        GrpcEvent::ClientConnected {
+            context: _,
+            location,
+            device
+        } if ((location.id == test_location.id) & (device.id == test_device.id))
+    );
+}

From 48a672dfac781b687652c2d7fc38249e7badbba6 Mon Sep 17 00:00:00 2001
From: Maciek <19913370+wojcik91@users.noreply.github.com>
Date: Mon, 17 Nov 2025 13:29:12 +0100
Subject: [PATCH 38/50] add invalid location address validation (#1707)

* don't allow 0 netmask in forms

* validate sizes of all used networks

* update dependencies

* add basic validation test

* improve backend address parsing

* update nix flake inputs

* update deps

* update test

* change approach

* return error when trying to add /0 subnet
---
 Cargo.lock                                    | 397 +++++++-----
 .../defguard_core/src/db/models/wireguard.rs  |  26 +-
 .../defguard_core/src/handlers/wireguard.rs   |  26 +-
 .../tests/integration/api/wireguard.rs        | 139 ++++
 flake.lock                                    |  12 +-
 web/package.json                              |  28 +-
 web/pnpm-lock.yaml                            | 591 +++++++++---------
 web/src/shared/validators.ts                  |   6 +
 8 files changed, 747 insertions(+), 478 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 3202580766..ecb8387668 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -134,22 +134,22 @@ dependencies = [
 
 [[package]]
 name = "anstyle-query"
-version = "1.1.4"
+version = "1.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9e231f6134f61b71076a3eab506c379d4f36122f2af15a9ff04415ea4c3339e2"
+checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc"
 dependencies = [
- "windows-sys 0.60.2",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
 name = "anstyle-wincon"
-version = "3.0.10"
+version = "3.0.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3e0633414522a32ffaac8ac6cc8f748e090c5717661fddeea04219e2344f5f2a"
+checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d"
 dependencies = [
  "anstyle",
  "once_cell_polyfill",
- "windows-sys 0.60.2",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -284,9 +284,9 @@ checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
 
 [[package]]
 name = "axum"
-version = "0.8.6"
+version = "0.8.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8a18ed336352031311f4e0b4dd2ff392d4fbb370777c9d18d7fc9d7359f73871"
+checksum = "5b098575ebe77cb6d14fc7f32749631a6e44edbef6b796f89b020e99ba20d425"
 dependencies = [
  "axum-core",
  "bytes",
@@ -494,6 +494,15 @@ dependencies = [
  "generic-array",
 ]
 
+[[package]]
+name = "block2"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cdeb9d870516001442e364c5220d3574d2da8dc765554b4a617230d33fa58ef5"
+dependencies = [
+ "objc2",
+]
+
 [[package]]
 name = "blowfish"
 version = "0.9.1"
@@ -537,9 +546,9 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
 
 [[package]]
 name = "bytes"
-version = "1.10.1"
+version = "1.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d71b6127be86fdcfddb610f7182ac57211d4b18a3e9c82eb2d17662f2227ad6a"
+checksum = "b35204fbdc0b3f4446b89fc1ac2cf84a8a68971995d0bf2e925ec7cd960f9cb3"
 dependencies = [
  "serde",
 ]
@@ -565,9 +574,9 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.2.45"
+version = "1.2.46"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "35900b6c8d709fb1d854671ae27aeaa9eec2f8b01b364e1619a40da3e6fe2afe"
+checksum = "b97463e1064cb1b1c1384ad0a0b9c8abd0988e2a91f52606c80ef14aadb63e36"
 dependencies = [
  "find-msvc-tools",
  "jobserver",
@@ -618,7 +627,7 @@ checksum = "93698b29de5e97ad0ae26447b344c482a7284c737d9ddc5f9e52b74a336671bb"
 dependencies = [
  "chrono",
  "chrono-tz-build",
- "phf 0.11.3",
+ "phf",
 ]
 
 [[package]]
@@ -628,8 +637,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0c088aee841df9c3041febbb73934cfc39708749bf96dc827e3359cd39ef11b1"
 dependencies = [
  "parse-zoneinfo",
- "phf 0.11.3",
- "phf_codegen 0.11.3",
+ "phf",
+ "phf_codegen",
 ]
 
 [[package]]
@@ -908,9 +917,9 @@ dependencies = [
 
 [[package]]
 name = "crypto-common"
-version = "0.1.6"
+version = "0.1.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
+checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a"
 dependencies = [
  "generic-array",
  "rand_core 0.6.4",
@@ -926,7 +935,7 @@ dependencies = [
  "cssparser-macros",
  "dtoa-short",
  "itoa",
- "phf 0.11.3",
+ "phf",
  "smallvec",
 ]
 
@@ -1425,6 +1434,16 @@ dependencies = [
  "subtle",
 ]
 
+[[package]]
+name = "dispatch2"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "89a09f22a6c6069a18470eb92d2298acf25463f14256d24778e1230d789a2aec"
+dependencies = [
+ "bitflags 2.10.0",
+ "objc2",
+]
+
 [[package]]
 name = "displaydoc"
 version = "0.2.5"
@@ -1671,9 +1690,9 @@ checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
 
 [[package]]
 name = "find-msvc-tools"
-version = "0.1.4"
+version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "52051878f80a721bb68ebfbc930e07b65ba72f2da88968ea5c06fd6ca3d3a127"
+checksum = "3a3076410a55c90011c298b04d0cfa770b00fa04e1e3c97d3f6c9de105a03844"
 
 [[package]]
 name = "fixedbitset"
@@ -1867,9 +1886,9 @@ dependencies = [
 
 [[package]]
 name = "generic-array"
-version = "0.14.9"
+version = "0.14.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4bb6743198531e02858aeaea5398fcc883e71851fcbcb5a2f773e2fb6cb1edf2"
+checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
 dependencies = [
  "typenum",
  "version_check",
@@ -2202,9 +2221,9 @@ checksum = "135b12329e5e3ce057a9f972339ea52bc954fe1e9358ef27f95e89716fbc5424"
 
 [[package]]
 name = "hyper"
-version = "1.8.0"
+version = "1.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1744436df46f0bde35af3eda22aeaba453aada65d8f1c171cd8a5f59030bd69f"
+checksum = "2ab2d4f250c3d7b1c9fcdff1cece94ea4e2dfbec68614f7b87cb205f24ca9d11"
 dependencies = [
  "atomic-waker",
  "bytes",
@@ -2271,9 +2290,9 @@ dependencies = [
 
 [[package]]
 name = "hyper-util"
-version = "0.1.17"
+version = "0.1.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3c6995591a8f1380fcb4ba966a252a4b29188d51d2b89e3a252f5305be65aea8"
+checksum = "52e9a2a24dc5c6821e71a7030e1e14b7b632acac55c40e9d2e082c621261bb56"
 dependencies = [
  "base64 0.22.1",
  "bytes",
@@ -2950,6 +2969,18 @@ version = "1.0.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "650eef8c711430f1a879fdd01d4745a7deea475becfb90269c06775983bbf086"
 
+[[package]]
+name = "nix"
+version = "0.30.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "74523f3a35e05aba87a1d978330aef40f67b0304ac79c1c00b294c9830543db6"
+dependencies = [
+ "bitflags 2.10.0",
+ "cfg-if",
+ "cfg_aliases",
+ "libc",
+]
+
 [[package]]
 name = "nom"
 version = "7.1.3"
@@ -2996,9 +3027,9 @@ dependencies = [
 
 [[package]]
 name = "num-bigint-dig"
-version = "0.8.5"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "82c79c15c05d4bf82b6f5ef163104cc81a760d8e874d38ac50ab67c8877b647b"
+checksum = "e661dda6640fad38e827a6d4a310ff4763082116fe217f279885c97f511bb0b7"
 dependencies = [
  "lazy_static",
  "libm",
@@ -3109,6 +3140,165 @@ dependencies = [
  "url",
 ]
 
+[[package]]
+name = "objc2"
+version = "0.6.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7c2599ce0ec54857b29ce62166b0ed9b4f6f1a70ccc9a71165b6154caca8c05"
+dependencies = [
+ "objc2-encode",
+]
+
+[[package]]
+name = "objc2-cloud-kit"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "73ad74d880bb43877038da939b7427bba67e9dd42004a18b809ba7d87cee241c"
+dependencies = [
+ "bitflags 2.10.0",
+ "objc2",
+ "objc2-foundation",
+]
+
+[[package]]
+name = "objc2-core-data"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b402a653efbb5e82ce4df10683b6b28027616a2715e90009947d50b8dd298fa"
+dependencies = [
+ "objc2",
+ "objc2-foundation",
+]
+
+[[package]]
+name = "objc2-core-foundation"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a180dd8642fa45cdb7dd721cd4c11b1cadd4929ce112ebd8b9f5803cc79d536"
+dependencies = [
+ "bitflags 2.10.0",
+ "dispatch2",
+ "objc2",
+]
+
+[[package]]
+name = "objc2-core-graphics"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e022c9d066895efa1345f8e33e584b9f958da2fd4cd116792e15e07e4720a807"
+dependencies = [
+ "bitflags 2.10.0",
+ "dispatch2",
+ "objc2",
+ "objc2-core-foundation",
+ "objc2-io-surface",
+]
+
+[[package]]
+name = "objc2-core-image"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5d563b38d2b97209f8e861173de434bd0214cf020e3423a52624cd1d989f006"
+dependencies = [
+ "objc2",
+ "objc2-foundation",
+]
+
+[[package]]
+name = "objc2-core-location"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ca347214e24bc973fc025fd0d36ebb179ff30536ed1f80252706db19ee452009"
+dependencies = [
+ "objc2",
+ "objc2-foundation",
+]
+
+[[package]]
+name = "objc2-core-text"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0cde0dfb48d25d2b4862161a4d5fcc0e3c24367869ad306b0c9ec0073bfed92d"
+dependencies = [
+ "bitflags 2.10.0",
+ "objc2",
+ "objc2-core-foundation",
+ "objc2-core-graphics",
+]
+
+[[package]]
+name = "objc2-encode"
+version = "4.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ef25abbcd74fb2609453eb695bd2f860d389e457f67dc17cafc8b8cbc89d0c33"
+
+[[package]]
+name = "objc2-foundation"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3e0adef53c21f888deb4fa59fc59f7eb17404926ee8a6f59f5df0fd7f9f3272"
+dependencies = [
+ "bitflags 2.10.0",
+ "block2",
+ "libc",
+ "objc2",
+ "objc2-core-foundation",
+]
+
+[[package]]
+name = "objc2-io-surface"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "180788110936d59bab6bd83b6060ffdfffb3b922ba1396b312ae795e1de9d81d"
+dependencies = [
+ "bitflags 2.10.0",
+ "objc2",
+ "objc2-core-foundation",
+]
+
+[[package]]
+name = "objc2-quartz-core"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "96c1358452b371bf9f104e21ec536d37a650eb10f7ee379fff67d2e08d537f1f"
+dependencies = [
+ "bitflags 2.10.0",
+ "objc2",
+ "objc2-core-foundation",
+ "objc2-foundation",
+]
+
+[[package]]
+name = "objc2-ui-kit"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d87d638e33c06f577498cbcc50491496a3ed4246998a7fbba7ccb98b1e7eab22"
+dependencies = [
+ "bitflags 2.10.0",
+ "block2",
+ "objc2",
+ "objc2-cloud-kit",
+ "objc2-core-data",
+ "objc2-core-foundation",
+ "objc2-core-graphics",
+ "objc2-core-image",
+ "objc2-core-location",
+ "objc2-core-text",
+ "objc2-foundation",
+ "objc2-quartz-core",
+ "objc2-user-notifications",
+]
+
+[[package]]
+name = "objc2-user-notifications"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9df9128cbbfef73cda168416ccf7f837b62737d748333bfe9ab71c245d76613e"
+dependencies = [
+ "objc2",
+ "objc2-foundation",
+]
+
 [[package]]
 name = "object"
 version = "0.32.2"
@@ -3253,14 +3443,18 @@ dependencies = [
 
 [[package]]
 name = "os_info"
-version = "3.12.0"
+version = "3.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d0e1ac5fde8d43c34139135df8ea9ee9465394b2d8d20f032d38998f64afffc3"
+checksum = "7c39b5918402d564846d5aba164c09a66cc88d232179dfd3e3c619a25a268392"
 dependencies = [
+ "android_system_properties",
  "log",
- "plist",
+ "nix",
+ "objc2",
+ "objc2-foundation",
+ "objc2-ui-kit",
  "serde",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -3526,17 +3720,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1fd6780a80ae0c52cc120a26a1a42c1ae51b247a253e4e06113d23d2c2edd078"
 dependencies = [
  "phf_macros",
- "phf_shared 0.11.3",
-]
-
-[[package]]
-name = "phf"
-version = "0.13.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c1562dc717473dbaa4c1f85a36410e03c047b2e7df7f45ee938fbef64ae7fadf"
-dependencies = [
- "phf_shared 0.13.1",
- "serde",
+ "phf_shared",
 ]
 
 [[package]]
@@ -3545,18 +3729,8 @@ version = "0.11.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "aef8048c789fa5e851558d709946d6d79a8ff88c0440c587967f8e94bfb1216a"
 dependencies = [
- "phf_generator 0.11.3",
- "phf_shared 0.11.3",
-]
-
-[[package]]
-name = "phf_codegen"
-version = "0.13.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "49aa7f9d80421bca176ca8dbfebe668cc7a2684708594ec9f3c0db0805d5d6e1"
-dependencies = [
- "phf_generator 0.13.1",
- "phf_shared 0.13.1",
+ "phf_generator",
+ "phf_shared",
 ]
 
 [[package]]
@@ -3565,28 +3739,18 @@ version = "0.11.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3c80231409c20246a13fddb31776fb942c38553c51e871f8cbd687a4cfb5843d"
 dependencies = [
- "phf_shared 0.11.3",
+ "phf_shared",
  "rand 0.8.5",
 ]
 
-[[package]]
-name = "phf_generator"
-version = "0.13.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "135ace3a761e564ec88c03a77317a7c6b80bb7f7135ef2544dbe054243b89737"
-dependencies = [
- "fastrand",
- "phf_shared 0.13.1",
-]
-
 [[package]]
 name = "phf_macros"
 version = "0.11.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f84ac04429c13a7ff43785d75ad27569f2951ce0ffd30a3321230db2fc727216"
 dependencies = [
- "phf_generator 0.11.3",
- "phf_shared 0.11.3",
+ "phf_generator",
+ "phf_shared",
  "proc-macro2",
  "quote",
  "syn",
@@ -3601,15 +3765,6 @@ dependencies = [
  "siphasher",
 ]
 
-[[package]]
-name = "phf_shared"
-version = "0.13.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e57fef6bc5981e38c2ce2d63bfa546861309f875b8a75f092d1d54ae2d64f266"
-dependencies = [
- "siphasher",
-]
-
 [[package]]
 name = "pin-project"
 version = "1.1.10"
@@ -3669,19 +3824,6 @@ version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"
 
-[[package]]
-name = "plist"
-version = "1.8.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "740ebea15c5d1428f910cd1a5f52cebf8d25006245ed8ade92702f4943d91e07"
-dependencies = [
- "base64 0.22.1",
- "indexmap 2.12.0",
- "quick-xml",
- "serde",
- "time",
-]
-
 [[package]]
 name = "polyval"
 version = "0.6.2"
@@ -3869,15 +4011,6 @@ dependencies = [
  "pulldown-cmark",
 ]
 
-[[package]]
-name = "quick-xml"
-version = "0.38.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b66c2058c55a409d601666cffe35f04333cf1013010882cec174a7467cd4e21c"
-dependencies = [
- "memchr",
-]
-
 [[package]]
 name = "quinn"
 version = "0.11.9"
@@ -4162,9 +4295,9 @@ dependencies = [
 
 [[package]]
 name = "rsa"
-version = "0.9.8"
+version = "0.9.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "78928ac1ed176a5ca1d17e578a1825f3d81ca54cf41053a592584b020cfd691b"
+checksum = "40a0376c50d0358279d9d643e4bf7b7be212f1f4ff1da9070a7b54d22ef75c88"
 dependencies = [
  "const-oid",
  "digest",
@@ -4584,9 +4717,9 @@ dependencies = [
 
 [[package]]
 name = "serde_with"
-version = "3.15.1"
+version = "3.16.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aa66c845eee442168b2c8134fec70ac50dc20e760769c8ba0ad1319ca1959b04"
+checksum = "10574371d41b0d9b2cff89418eda27da52bcaff2cc8741db26382a77c29131f1"
 dependencies = [
  "base64 0.22.1",
  "chrono",
@@ -4603,9 +4736,9 @@ dependencies = [
 
 [[package]]
 name = "serde_with_macros"
-version = "3.15.1"
+version = "3.16.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b91a903660542fced4e99881aa481bdbaec1634568ee02e0b8bd57c64cb38955"
+checksum = "08a72d8216842fdd57820dc78d840bef99248e35fb2554ff923319e60f2d686b"
 dependencies = [
  "darling 0.21.3",
  "proc-macro2",
@@ -5098,25 +5231,25 @@ dependencies = [
 
 [[package]]
 name = "string_cache"
-version = "0.9.0"
+version = "0.8.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a18596f8c785a729f2819c0f6a7eae6ebeebdfffbfe4214ae6b087f690e31901"
+checksum = "bf776ba3fa74f83bf4b63c3dcbbf82173db2632ed8452cb2d891d33f459de70f"
 dependencies = [
  "new_debug_unreachable",
  "parking_lot",
- "phf_shared 0.13.1",
+ "phf_shared",
  "precomputed-hash",
  "serde",
 ]
 
 [[package]]
 name = "string_cache_codegen"
-version = "0.6.1"
+version = "0.5.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "585635e46db231059f76c5849798146164652513eb9e8ab2685939dd90f29b69"
+checksum = "c711928715f1fe0fe509c53b43e993a9a557babc2d0a3567d0a3006f1ac931a0"
 dependencies = [
- "phf_generator 0.13.1",
- "phf_shared 0.13.1",
+ "phf_generator",
+ "phf_shared",
  "proc-macro2",
  "quote",
 ]
@@ -6137,12 +6270,12 @@ dependencies = [
 
 [[package]]
 name = "web_atoms"
-version = "0.1.4"
+version = "0.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "44b72896d90cfd22c495d0ee4960d3dd20ca64180895cb92cd5342ff7482a579"
+checksum = "57ffde1dc01240bdf9992e3205668b235e59421fd085e8a317ed98da0178d414"
 dependencies = [
- "phf 0.13.1",
- "phf_codegen 0.13.1",
+ "phf",
+ "phf_codegen",
  "string_cache",
  "string_cache_codegen",
 ]
@@ -6285,8 +6418,8 @@ dependencies = [
  "windows-implement",
  "windows-interface",
  "windows-link 0.2.1",
- "windows-result 0.4.1",
- "windows-strings 0.5.1",
+ "windows-result",
+ "windows-strings",
 ]
 
 [[package]]
@@ -6325,22 +6458,13 @@ checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
 
 [[package]]
 name = "windows-registry"
-version = "0.5.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5b8a9ed28765efc97bbc954883f4e6796c33a06546ebafacbabee9696967499e"
-dependencies = [
- "windows-link 0.1.3",
- "windows-result 0.3.4",
- "windows-strings 0.4.2",
-]
-
-[[package]]
-name = "windows-result"
-version = "0.3.4"
+version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "56f42bd332cc6c8eac5af113fc0c1fd6a8fd2aa08a0119358686e5160d0586c6"
+checksum = "02752bf7fbdcce7f2a27a742f798510f3e5ad88dbe84871e5168e2120c3d5720"
 dependencies = [
- "windows-link 0.1.3",
+ "windows-link 0.2.1",
+ "windows-result",
+ "windows-strings",
 ]
 
 [[package]]
@@ -6352,15 +6476,6 @@ dependencies = [
  "windows-link 0.2.1",
 ]
 
-[[package]]
-name = "windows-strings"
-version = "0.4.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "56e6c93f3a0c3b36176cb1327a4958a0353d5d166c2a35cb268ace15e91d3b57"
-dependencies = [
- "windows-link 0.1.3",
-]
-
 [[package]]
 name = "windows-strings"
 version = "0.5.1"
diff --git a/crates/defguard_core/src/db/models/wireguard.rs b/crates/defguard_core/src/db/models/wireguard.rs
index 66ea81f1ed..33c26e4989 100644
--- a/crates/defguard_core/src/db/models/wireguard.rs
+++ b/crates/defguard_core/src/db/models/wireguard.rs
@@ -407,18 +407,22 @@ impl WireguardNetwork<Id> {
         &self,
         device_count: usize,
     ) -> Result<(), WireguardNetworkError> {
-        debug!("Checking if {device_count} devices can fit in network {self}");
-        let network_size = self.address[0].size();
-        // include address, network, and broadcast in the calculation
-        match network_size {
-            NetworkSize::V4(size) => {
-                if device_count as u32 > size {
-                    return Err(WireguardNetworkError::NetworkTooSmall);
+        debug!("Checking if {device_count} devices can fit in networks used by location {self}");
+        // if given location uses multiple subnets validate devices can fit them all
+        for subnet in &self.address {
+            debug!("Checking if {device_count} devices can fit in network {subnet}");
+            let network_size = subnet.size();
+            // include address, network, and broadcast in the calculation
+            match network_size {
+                NetworkSize::V4(size) => {
+                    if device_count as u32 > size {
+                        return Err(WireguardNetworkError::NetworkTooSmall);
+                    }
                 }
-            }
-            NetworkSize::V6(size) => {
-                if device_count as u128 > size {
-                    return Err(WireguardNetworkError::NetworkTooSmall);
+                NetworkSize::V6(size) => {
+                    if device_count as u128 > size {
+                        return Err(WireguardNetworkError::NetworkTooSmall);
+                    }
                 }
             }
         }
diff --git a/crates/defguard_core/src/handlers/wireguard.rs b/crates/defguard_core/src/handlers/wireguard.rs
index 4aa617b107..9410134bdd 100644
--- a/crates/defguard_core/src/handlers/wireguard.rs
+++ b/crates/defguard_core/src/handlers/wireguard.rs
@@ -96,6 +96,29 @@ impl WireguardNetworkData {
             .map_or(Vec::new(), |ips| parse_network_address_list(ips))
     }
 
+    pub(crate) fn parse_addresses(&self) -> Result<Vec<IpNetwork>, WebError> {
+        // first parse the addresses
+        let subnets = parse_address_list(self.address.as_ref());
+
+        // check if address list is not empty
+        if subnets.is_empty() {
+            return Err(WebError::BadRequest(
+                "Must provide at least one valid network address".to_owned(),
+            ));
+        }
+
+        // check if any subnet has an invalid /0 netmask
+        for subnet in &subnets {
+            if subnet.prefix() == 0 {
+                return Err(WebError::BadRequest(format!(
+                    "{subnet} is not a valid address"
+                )));
+            }
+        }
+
+        Ok(subnets)
+    }
+
     pub(crate) async fn validate_location_mfa_mode<'e, E: sqlx::PgExecutor<'e>>(
         &self,
         executor: E,
@@ -281,6 +304,8 @@ pub(crate) async fn modify_network(
     let mut network = find_network(network_id, &appstate.pool).await?;
     // store network before mods
     let before = network.clone();
+    network.address = data.parse_addresses()?;
+
     network.allowed_ips = data.parse_allowed_ips();
     network.name = data.name;
 
@@ -290,7 +315,6 @@ pub(crate) async fn modify_network(
     network.endpoint = data.endpoint;
     network.port = data.port;
     network.dns = data.dns;
-    network.address = parse_address_list(&data.address);
     network.keepalive_interval = data.keepalive_interval;
     network.peer_disconnect_threshold = data.peer_disconnect_threshold;
     network.acl_enabled = data.acl_enabled;
diff --git a/crates/defguard_core/tests/integration/api/wireguard.rs b/crates/defguard_core/tests/integration/api/wireguard.rs
index b21295cc22..36c5ac4e2b 100644
--- a/crates/defguard_core/tests/integration/api/wireguard.rs
+++ b/crates/defguard_core/tests/integration/api/wireguard.rs
@@ -840,3 +840,142 @@ async fn test_device_pubkey(_: PgPoolOptions, options: PgConnectOptions) {
     let devices: Vec<Device<Id>> = response.json().await;
     assert_eq!(devices.len(), 1);
 }
+
+#[sqlx::test]
+async fn test_network_size_validation(_: PgPoolOptions, options: PgConnectOptions) {
+    let pool = setup_pool(options).await;
+
+    let (client, _client_state) = make_test_client(pool).await;
+
+    let auth = Auth::new("admin", "pass123");
+    let response = &client.post("/api/v1/auth").json(&auth).send().await;
+    assert_eq!(response.status(), StatusCode::OK);
+
+    // create network
+    let network = json!({
+        "name": "network",
+        "address": "10.1.1.1/24",
+        "port": 55555,
+        "endpoint": "192.168.4.14",
+        "allowed_ips": "10.1.1.0/24",
+        "dns": "1.1.1.1",
+        "allowed_groups": [],
+        "keepalive_interval": 25,
+        "peer_disconnect_threshold": 300,
+        "acl_enabled": false,
+        "acl_default_allow": false,
+        "location_mfa_mode": "disabled",
+        "service_location_mode": "disabled"
+    });
+    let response = client.post("/api/v1/network").json(&network).send().await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+
+    // network details
+    let response = client.get("/api/v1/network/1").send().await;
+    assert_eq!(response.status(), StatusCode::OK);
+    let network_from_details: WireguardNetwork<Id> = response.json().await;
+
+    // create devices
+    let device = json!({
+        "name": "device1",
+        "wireguard_pubkey": "LQKsT6/3HWKuJmMulH63R8iK+5sI8FyYEL6WDIi6lQU=",
+    });
+    let response = client
+        .post("/api/v1/device/admin")
+        .json(&device)
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+    let device = json!({
+        "name": "device2",
+        "wireguard_pubkey": "ZqDlG4LQZRO9v57Sd27AHdtTLxegbMp5oVThjYrg21I=",
+    });
+    let response = client
+        .post("/api/v1/device/admin")
+        .json(&device)
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+    let device = json!({
+        "name": "device3",
+        "wireguard_pubkey": "o/8q3kmv5nnbrcb/7aceQWGE44a0yI707wObXRyyWGU=",
+    });
+    let response = client
+        .post("/api/v1/device/admin")
+        .json(&device)
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+
+    // try to add subnet with not enough IPs
+    let network = json!({
+        "id": network_from_details.id,
+        "name": "network",
+        "address": "10.1.1.1/24,10.2.1.1/30",
+        "port": 55555,
+        "endpoint": "192.168.4.14",
+        "allowed_ips": "10.1.1.0/24",
+        "dns": "1.1.1.1",
+        "allowed_groups": [],
+        "keepalive_interval": 25,
+        "peer_disconnect_threshold": 300,
+        "acl_enabled": false,
+        "acl_default_allow": false,
+        "location_mfa_mode": "disabled",
+        "service_location_mode": "disabled"
+    });
+    let response = client
+        .put(format!("/api/v1/network/{}", network_from_details.id))
+        .json(&network)
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::BAD_REQUEST);
+
+    // try to add subnet with invalid mask
+    let network = json!({
+        "id": network_from_details.id,
+        "name": "network",
+        "address": "10.2.0.1/24,10.1.1.1/0",
+        "port": 55555,
+        "endpoint": "192.168.4.14",
+        "allowed_ips": "10.1.1.0/24",
+        "dns": "1.1.1.1",
+        "allowed_groups": [],
+        "keepalive_interval": 25,
+        "peer_disconnect_threshold": 300,
+        "acl_enabled": false,
+        "acl_default_allow": false,
+        "location_mfa_mode": "disabled",
+        "service_location_mode": "disabled"
+    });
+    let response = client
+        .put(format!("/api/v1/network/{}", network_from_details.id))
+        .json(&network)
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::BAD_REQUEST);
+
+    // try to add no network
+    let network = json!({
+        "id": network_from_details.id,
+        "name": "network",
+        "address": "",
+        "port": 55555,
+        "endpoint": "192.168.4.14",
+        "allowed_ips": "10.1.1.0/24",
+        "dns": "1.1.1.1",
+        "allowed_groups": [],
+        "keepalive_interval": 25,
+        "peer_disconnect_threshold": 300,
+        "acl_enabled": false,
+        "acl_default_allow": false,
+        "location_mfa_mode": "disabled",
+        "service_location_mode": "disabled"
+    });
+    let response = client
+        .put(format!("/api/v1/network/{}", network_from_details.id))
+        .json(&network)
+        .send()
+        .await;
+    assert_eq!(response.status(), StatusCode::BAD_REQUEST);
+}
diff --git a/flake.lock b/flake.lock
index 6b2f9bdad5..3de9f99f55 100644
--- a/flake.lock
+++ b/flake.lock
@@ -20,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1758035966,
-        "narHash": "sha256-qqIJ3yxPiB0ZQTT9//nFGQYn8X/PBoJbofA7hRKZnmE=",
+        "lastModified": 1763283776,
+        "narHash": "sha256-Y7TDFPK4GlqrKrivOcsHG8xSGqQx3A6c+i7novT85Uk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "8d4ddb19d03c65a36ad8d189d001dc32ffb0306b",
+        "rev": "50a96edd8d0db6cc8db57dab6bb6d6ee1f3dc49a",
         "type": "github"
       },
       "original": {
@@ -48,11 +48,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1758204348,
-        "narHash": "sha256-jkz/NihbcEwy1EHDv/6g0HEqkpyIWCnQ1siGrhHEtFM=",
+        "lastModified": 1763347184,
+        "narHash": "sha256-6QH8hpCYJxifvyHEYg+Da0BotUn03BwLIvYo3JAxuqQ=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "067b3536e55341f579385ce8593cdcc9d022972b",
+        "rev": "08895cce80433978d5bfd668efa41c5e24578cbd",
         "type": "github"
       },
       "original": {
diff --git a/web/package.json b/web/package.json
index f9871491d5..d3d9ddbd62 100644
--- a/web/package.json
+++ b/web/package.json
@@ -50,12 +50,12 @@
     "@react-rxjs/core": "^0.10.8",
     "@stablelib/base64": "^2.0.1",
     "@stablelib/x25519": "^2.0.1",
-    "@tanstack/query-core": "^5.90.6",
-    "@tanstack/react-query": "^5.90.6",
+    "@tanstack/query-core": "^5.90.9",
+    "@tanstack/react-query": "^5.90.9",
     "@tanstack/react-virtual": "3.13.12",
     "@tanstack/virtual-core": "3.13.12",
     "@use-gesture/react": "^10.3.1",
-    "axios": "^1.13.1",
+    "axios": "^1.13.2",
     "byte-size": "^9.0.1",
     "classnames": "^2.5.1",
     "clsx": "^2.1.1",
@@ -70,7 +70,7 @@
     "fuse.js": "^7.1.0",
     "get-text-width": "^1.0.3",
     "hex-rgb": "^5.0.0",
-    "html-react-parser": "^5.2.7",
+    "html-react-parser": "^5.2.8",
     "humanize-duration": "^3.33.1",
     "ipaddr.js": "^2.2.0",
     "itertools": "^2.5.0",
@@ -85,7 +85,7 @@
     "radash": "^12.1.1",
     "react": "^19.2.0",
     "react-click-away-listener": "^2.4.0",
-    "react-datepicker": "^8.8.0",
+    "react-datepicker": "^8.9.0",
     "react-dom": "^19.2.0",
     "react-hook-form": "^7.66.0",
     "react-idle-timer": "^5.7.2",
@@ -95,11 +95,11 @@
     "react-markdown": "^10.1.0",
     "react-qr-code": "^2.0.18",
     "react-resize-detector": "^12.3.0",
-    "react-router": "^6.30.1",
-    "react-router-dom": "^6.30.1",
+    "react-router": "^6.30.2",
+    "react-router-dom": "^6.30.2",
     "react-tracked": "^2.0.1",
     "react-virtualized-auto-sizer": "^1.0.26",
-    "recharts": "^3.3.0",
+    "recharts": "^3.4.1",
     "rehype-external-links": "^3.0.0",
     "rehype-raw": "^7.0.0",
     "rehype-sanitize": "^6.0.0",
@@ -122,13 +122,13 @@
     "@types/file-saver": "^2.0.7",
     "@types/humanize-duration": "^3.27.4",
     "@types/lodash-es": "^4.17.12",
-    "@types/node": "^24.10.0",
+    "@types/node": "^24.10.1",
     "@types/qs": "^6.14.0",
-    "@types/react": "^19.2.2",
-    "@types/react-dom": "^19.2.2",
+    "@types/react": "^19.2.4",
+    "@types/react-dom": "^19.2.3",
     "@types/react-router-dom": "^5.3.3",
-    "@vitejs/plugin-react-swc": "^4.2.0",
-    "autoprefixer": "^10.4.21",
+    "@vitejs/plugin-react-swc": "^4.2.2",
+    "autoprefixer": "^10.4.22",
     "concurrently": "^9.2.1",
     "dotenv": "^17.2.3",
     "esbuild": "^0.25.12",
@@ -139,7 +139,7 @@
     "standard-version": "^9.5.0",
     "type-fest": "^4.41.0",
     "typescript": "~5.9.3",
-    "vite": "^7.1.12",
+    "vite": "^7.2.2",
     "vite-plugin-package-version": "^1.1.0"
   }
 }
diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml
index da8c3eb2ae..af6ae57457 100644
--- a/web/pnpm-lock.yaml
+++ b/web/pnpm-lock.yaml
@@ -30,11 +30,11 @@ importers:
         specifier: ^2.0.1
         version: 2.0.1
       '@tanstack/query-core':
-        specifier: ^5.90.6
-        version: 5.90.6
+        specifier: ^5.90.9
+        version: 5.90.9
       '@tanstack/react-query':
-        specifier: ^5.90.6
-        version: 5.90.6(react@19.2.0)
+        specifier: ^5.90.9
+        version: 5.90.9(react@19.2.0)
       '@tanstack/react-virtual':
         specifier: 3.13.12
         version: 3.13.12(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
@@ -45,8 +45,8 @@ importers:
         specifier: ^10.3.1
         version: 10.3.1(react@19.2.0)
       axios:
-        specifier: ^1.13.1
-        version: 1.13.1
+        specifier: ^1.13.2
+        version: 1.13.2
       byte-size:
         specifier: ^9.0.1
         version: 9.0.1
@@ -90,8 +90,8 @@ importers:
         specifier: ^5.0.0
         version: 5.0.0
       html-react-parser:
-        specifier: ^5.2.7
-        version: 5.2.7(@types/react@19.2.2)(react@19.2.0)
+        specifier: ^5.2.8
+        version: 5.2.8(@types/react@19.2.4)(react@19.2.0)
       humanize-duration:
         specifier: ^3.33.1
         version: 3.33.1
@@ -109,7 +109,7 @@ importers:
         version: 4.17.21
       merge-refs:
         specifier: ^2.0.0
-        version: 2.0.0(@types/react@19.2.2)
+        version: 2.0.0(@types/react@19.2.4)
       millify:
         specifier: ^6.1.0
         version: 6.1.0
@@ -135,8 +135,8 @@ importers:
         specifier: ^2.4.0
         version: 2.4.0(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       react-datepicker:
-        specifier: ^8.8.0
-        version: 8.8.0(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
+        specifier: ^8.9.0
+        version: 8.9.0(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       react-dom:
         specifier: ^19.2.0
         version: 19.2.0(react@19.2.0)
@@ -157,7 +157,7 @@ importers:
         version: 3.5.0(react@19.2.0)
       react-markdown:
         specifier: ^10.1.0
-        version: 10.1.0(@types/react@19.2.2)(react@19.2.0)
+        version: 10.1.0(@types/react@19.2.4)(react@19.2.0)
       react-qr-code:
         specifier: ^2.0.18
         version: 2.0.18(react@19.2.0)
@@ -165,11 +165,11 @@ importers:
         specifier: ^12.3.0
         version: 12.3.0(react@19.2.0)
       react-router:
-        specifier: ^6.30.1
-        version: 6.30.1(react@19.2.0)
+        specifier: ^6.30.2
+        version: 6.30.2(react@19.2.0)
       react-router-dom:
-        specifier: ^6.30.1
-        version: 6.30.1(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
+        specifier: ^6.30.2
+        version: 6.30.2(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       react-tracked:
         specifier: ^2.0.1
         version: 2.0.1(react@19.2.0)(scheduler@0.26.0)
@@ -177,8 +177,8 @@ importers:
         specifier: ^1.0.26
         version: 1.0.26(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       recharts:
-        specifier: ^3.3.0
-        version: 3.3.0(@types/react@19.2.2)(react-dom@19.2.0(react@19.2.0))(react-is@19.2.0)(react@19.2.0)(redux@5.0.1)
+        specifier: ^3.4.1
+        version: 3.4.1(@types/react@19.2.4)(react-dom@19.2.0(react@19.2.0))(react-is@19.2.0)(react@19.2.0)(redux@5.0.1)
       rehype-external-links:
         specifier: ^3.0.0
         version: 3.0.0
@@ -208,7 +208,7 @@ importers:
         version: 3.25.76
       zustand:
         specifier: ^5.0.8
-        version: 5.0.8(@types/react@19.2.2)(immer@10.2.0)(react@19.2.0)(use-sync-external-store@1.6.0(react@19.2.0))
+        version: 5.0.8(@types/react@19.2.4)(immer@10.2.0)(react@19.2.0)(use-sync-external-store@1.6.0(react@19.2.0))
     devDependencies:
       '@babel/core':
         specifier: ^7.28.5
@@ -224,10 +224,10 @@ importers:
         version: 3.0.4
       '@hookform/devtools':
         specifier: ^4.4.0
-        version: 4.4.0(@types/react@19.2.2)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
+        version: 4.4.0(@types/react@19.2.4)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       '@tanstack/react-query-devtools':
         specifier: ^5.90.2
-        version: 5.90.2(@tanstack/react-query@5.90.6(react@19.2.0))(react@19.2.0)
+        version: 5.90.2(@tanstack/react-query@5.90.9(react@19.2.0))(react@19.2.0)
       '@types/byte-size':
         specifier: ^8.1.2
         version: 8.1.2
@@ -241,26 +241,26 @@ importers:
         specifier: ^4.17.12
         version: 4.17.12
       '@types/node':
-        specifier: ^24.10.0
-        version: 24.10.0
+        specifier: ^24.10.1
+        version: 24.10.1
       '@types/qs':
         specifier: ^6.14.0
         version: 6.14.0
       '@types/react':
-        specifier: ^19.2.2
-        version: 19.2.2
+        specifier: ^19.2.4
+        version: 19.2.4
       '@types/react-dom':
-        specifier: ^19.2.2
-        version: 19.2.2(@types/react@19.2.2)
+        specifier: ^19.2.3
+        version: 19.2.3(@types/react@19.2.4)
       '@types/react-router-dom':
         specifier: ^5.3.3
         version: 5.3.3
       '@vitejs/plugin-react-swc':
-        specifier: ^4.2.0
-        version: 4.2.0(vite@7.1.12(@types/node@24.10.0)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))
+        specifier: ^4.2.2
+        version: 4.2.2(vite@7.2.2(@types/node@24.10.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))
       autoprefixer:
-        specifier: ^10.4.21
-        version: 10.4.21(postcss@8.5.6)
+        specifier: ^10.4.22
+        version: 10.4.22(postcss@8.5.6)
       concurrently:
         specifier: ^9.2.1
         version: 9.2.1
@@ -292,11 +292,11 @@ importers:
         specifier: ~5.9.3
         version: 5.9.3
       vite:
-        specifier: ^7.1.12
-        version: 7.1.12(@types/node@24.10.0)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
+        specifier: ^7.2.2
+        version: 7.2.2(@types/node@24.10.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
       vite-plugin-package-version:
         specifier: ^1.1.0
-        version: 1.1.0(vite@7.1.12(@types/node@24.10.0)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))
+        version: 1.1.0(vite@7.2.2(@types/node@24.10.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))
 
 packages:
 
@@ -725,8 +725,8 @@ packages:
       react: '>=16.8.0'
       rxjs: '>=7'
 
-  '@reduxjs/toolkit@2.9.2':
-    resolution: {integrity: sha512-ZAYu/NXkl/OhqTz7rfPaAhY0+e8Fr15jqNxte/2exKUxvHyQ/hcqmdekiN1f+Lcw3pE+34FCgX+26zcUE3duCg==}
+  '@reduxjs/toolkit@2.10.1':
+    resolution: {integrity: sha512-/U17EXQ9Do9Yx4DlNGU6eVNfZvFJfYpUtRRdLf19PbPjdWBxNlxGZXywQZ1p1Nz8nMkWplTI7iD/23m07nolDA==}
     peerDependencies:
       react: ^16.9.0 || ^17.0.0 || ^18 || ^19
       react-redux: ^7.2.1 || ^8.1.3 || ^9.0.0
@@ -736,120 +736,120 @@ packages:
       react-redux:
         optional: true
 
-  '@remix-run/router@1.23.0':
-    resolution: {integrity: sha512-O3rHJzAQKamUz1fvE0Qaw0xSFqsA/yafi2iqeE0pvdFtCO1viYx8QL6f3Ln/aCCTLxs68SLf0KPM9eSeM8yBnA==}
+  '@remix-run/router@1.23.1':
+    resolution: {integrity: sha512-vDbaOzF7yT2Qs4vO6XV1MHcJv+3dgR1sT+l3B8xxOVhUC336prMvqrvsLL/9Dnw2xr6Qhz4J0dmS0llNAbnUmQ==}
     engines: {node: '>=14.0.0'}
 
-  '@rolldown/pluginutils@1.0.0-beta.43':
-    resolution: {integrity: sha512-5Uxg7fQUCmfhax7FJke2+8B6cqgeUJUD9o2uXIKXhD+mG0mL6NObmVoi9wXEU1tY89mZKgAYA6fTbftx3q2ZPQ==}
+  '@rolldown/pluginutils@1.0.0-beta.47':
+    resolution: {integrity: sha512-8QagwMH3kNCuzD8EWL8R2YPW5e4OrHNSAHRFDdmFqEwEaD/KcNKjVoumo+gP2vW5eKB2UPbM6vTYiGZX0ixLnw==}
 
-  '@rollup/rollup-android-arm-eabi@4.52.5':
-    resolution: {integrity: sha512-8c1vW4ocv3UOMp9K+gToY5zL2XiiVw3k7f1ksf4yO1FlDFQ1C2u72iACFnSOceJFsWskc2WZNqeRhFRPzv+wtQ==}
+  '@rollup/rollup-android-arm-eabi@4.53.2':
+    resolution: {integrity: sha512-yDPzwsgiFO26RJA4nZo8I+xqzh7sJTZIWQOxn+/XOdPE31lAvLIYCKqjV+lNH/vxE2L2iH3plKxDCRK6i+CwhA==}
     cpu: [arm]
     os: [android]
 
-  '@rollup/rollup-android-arm64@4.52.5':
-    resolution: {integrity: sha512-mQGfsIEFcu21mvqkEKKu2dYmtuSZOBMmAl5CFlPGLY94Vlcm+zWApK7F/eocsNzp8tKmbeBP8yXyAbx0XHsFNA==}
+  '@rollup/rollup-android-arm64@4.53.2':
+    resolution: {integrity: sha512-k8FontTxIE7b0/OGKeSN5B6j25EuppBcWM33Z19JoVT7UTXFSo3D9CdU39wGTeb29NO3XxpMNauh09B+Ibw+9g==}
     cpu: [arm64]
     os: [android]
 
-  '@rollup/rollup-darwin-arm64@4.52.5':
-    resolution: {integrity: sha512-takF3CR71mCAGA+v794QUZ0b6ZSrgJkArC+gUiG6LB6TQty9T0Mqh3m2ImRBOxS2IeYBo4lKWIieSvnEk2OQWA==}
+  '@rollup/rollup-darwin-arm64@4.53.2':
+    resolution: {integrity: sha512-A6s4gJpomNBtJ2yioj8bflM2oogDwzUiMl2yNJ2v9E7++sHrSrsQ29fOfn5DM/iCzpWcebNYEdXpaK4tr2RhfQ==}
     cpu: [arm64]
     os: [darwin]
 
-  '@rollup/rollup-darwin-x64@4.52.5':
-    resolution: {integrity: sha512-W901Pla8Ya95WpxDn//VF9K9u2JbocwV/v75TE0YIHNTbhqUTv9w4VuQ9MaWlNOkkEfFwkdNhXgcLqPSmHy0fA==}
+  '@rollup/rollup-darwin-x64@4.53.2':
+    resolution: {integrity: sha512-e6XqVmXlHrBlG56obu9gDRPW3O3hLxpwHpLsBJvuI8qqnsrtSZ9ERoWUXtPOkY8c78WghyPHZdmPhHLWNdAGEw==}
     cpu: [x64]
     os: [darwin]
 
-  '@rollup/rollup-freebsd-arm64@4.52.5':
-    resolution: {integrity: sha512-QofO7i7JycsYOWxe0GFqhLmF6l1TqBswJMvICnRUjqCx8b47MTo46W8AoeQwiokAx3zVryVnxtBMcGcnX12LvA==}
+  '@rollup/rollup-freebsd-arm64@4.53.2':
+    resolution: {integrity: sha512-v0E9lJW8VsrwPux5Qe5CwmH/CF/2mQs6xU1MF3nmUxmZUCHazCjLgYvToOk+YuuUqLQBio1qkkREhxhc656ViA==}
     cpu: [arm64]
     os: [freebsd]
 
-  '@rollup/rollup-freebsd-x64@4.52.5':
-    resolution: {integrity: sha512-jr21b/99ew8ujZubPo9skbrItHEIE50WdV86cdSoRkKtmWa+DDr6fu2c/xyRT0F/WazZpam6kk7IHBerSL7LDQ==}
+  '@rollup/rollup-freebsd-x64@4.53.2':
+    resolution: {integrity: sha512-ClAmAPx3ZCHtp6ysl4XEhWU69GUB1D+s7G9YjHGhIGCSrsg00nEGRRZHmINYxkdoJehde8VIsDC5t9C0gb6yqA==}
     cpu: [x64]
     os: [freebsd]
 
-  '@rollup/rollup-linux-arm-gnueabihf@4.52.5':
-    resolution: {integrity: sha512-PsNAbcyv9CcecAUagQefwX8fQn9LQ4nZkpDboBOttmyffnInRy8R8dSg6hxxl2Re5QhHBf6FYIDhIj5v982ATQ==}
+  '@rollup/rollup-linux-arm-gnueabihf@4.53.2':
+    resolution: {integrity: sha512-EPlb95nUsz6Dd9Qy13fI5kUPXNSljaG9FiJ4YUGU1O/Q77i5DYFW5KR8g1OzTcdZUqQQ1KdDqsTohdFVwCwjqg==}
     cpu: [arm]
     os: [linux]
 
-  '@rollup/rollup-linux-arm-musleabihf@4.52.5':
-    resolution: {integrity: sha512-Fw4tysRutyQc/wwkmcyoqFtJhh0u31K+Q6jYjeicsGJJ7bbEq8LwPWV/w0cnzOqR2m694/Af6hpFayLJZkG2VQ==}
+  '@rollup/rollup-linux-arm-musleabihf@4.53.2':
+    resolution: {integrity: sha512-BOmnVW+khAUX+YZvNfa0tGTEMVVEerOxN0pDk2E6N6DsEIa2Ctj48FOMfNDdrwinocKaC7YXUZ1pHlKpnkja/Q==}
     cpu: [arm]
     os: [linux]
 
-  '@rollup/rollup-linux-arm64-gnu@4.52.5':
-    resolution: {integrity: sha512-a+3wVnAYdQClOTlyapKmyI6BLPAFYs0JM8HRpgYZQO02rMR09ZcV9LbQB+NL6sljzG38869YqThrRnfPMCDtZg==}
+  '@rollup/rollup-linux-arm64-gnu@4.53.2':
+    resolution: {integrity: sha512-Xt2byDZ+6OVNuREgBXr4+CZDJtrVso5woFtpKdGPhpTPHcNG7D8YXeQzpNbFRxzTVqJf7kvPMCub/pcGUWgBjA==}
     cpu: [arm64]
     os: [linux]
 
-  '@rollup/rollup-linux-arm64-musl@4.52.5':
-    resolution: {integrity: sha512-AvttBOMwO9Pcuuf7m9PkC1PUIKsfaAJ4AYhy944qeTJgQOqJYJ9oVl2nYgY7Rk0mkbsuOpCAYSs6wLYB2Xiw0Q==}
+  '@rollup/rollup-linux-arm64-musl@4.53.2':
+    resolution: {integrity: sha512-+LdZSldy/I9N8+klim/Y1HsKbJ3BbInHav5qE9Iy77dtHC/pibw1SR/fXlWyAk0ThnpRKoODwnAuSjqxFRDHUQ==}
     cpu: [arm64]
     os: [linux]
 
-  '@rollup/rollup-linux-loong64-gnu@4.52.5':
-    resolution: {integrity: sha512-DkDk8pmXQV2wVrF6oq5tONK6UHLz/XcEVow4JTTerdeV1uqPeHxwcg7aFsfnSm9L+OO8WJsWotKM2JJPMWrQtA==}
+  '@rollup/rollup-linux-loong64-gnu@4.53.2':
+    resolution: {integrity: sha512-8ms8sjmyc1jWJS6WdNSA23rEfdjWB30LH8Wqj0Cqvv7qSHnvw6kgMMXRdop6hkmGPlyYBdRPkjJnj3KCUHV/uQ==}
     cpu: [loong64]
     os: [linux]
 
-  '@rollup/rollup-linux-ppc64-gnu@4.52.5':
-    resolution: {integrity: sha512-W/b9ZN/U9+hPQVvlGwjzi+Wy4xdoH2I8EjaCkMvzpI7wJUs8sWJ03Rq96jRnHkSrcHTpQe8h5Tg3ZzUPGauvAw==}
+  '@rollup/rollup-linux-ppc64-gnu@4.53.2':
+    resolution: {integrity: sha512-3HRQLUQbpBDMmzoxPJYd3W6vrVHOo2cVW8RUo87Xz0JPJcBLBr5kZ1pGcQAhdZgX9VV7NbGNipah1omKKe23/g==}
     cpu: [ppc64]
     os: [linux]
 
-  '@rollup/rollup-linux-riscv64-gnu@4.52.5':
-    resolution: {integrity: sha512-sjQLr9BW7R/ZiXnQiWPkErNfLMkkWIoCz7YMn27HldKsADEKa5WYdobaa1hmN6slu9oWQbB6/jFpJ+P2IkVrmw==}
+  '@rollup/rollup-linux-riscv64-gnu@4.53.2':
+    resolution: {integrity: sha512-fMjKi+ojnmIvhk34gZP94vjogXNNUKMEYs+EDaB/5TG/wUkoeua7p7VCHnE6T2Tx+iaghAqQX8teQzcvrYpaQA==}
     cpu: [riscv64]
     os: [linux]
 
-  '@rollup/rollup-linux-riscv64-musl@4.52.5':
-    resolution: {integrity: sha512-hq3jU/kGyjXWTvAh2awn8oHroCbrPm8JqM7RUpKjalIRWWXE01CQOf/tUNWNHjmbMHg/hmNCwc/Pz3k1T/j/Lg==}
+  '@rollup/rollup-linux-riscv64-musl@4.53.2':
+    resolution: {integrity: sha512-XuGFGU+VwUUV5kLvoAdi0Wz5Xbh2SrjIxCtZj6Wq8MDp4bflb/+ThZsVxokM7n0pcbkEr2h5/pzqzDYI7cCgLQ==}
     cpu: [riscv64]
     os: [linux]
 
-  '@rollup/rollup-linux-s390x-gnu@4.52.5':
-    resolution: {integrity: sha512-gn8kHOrku8D4NGHMK1Y7NA7INQTRdVOntt1OCYypZPRt6skGbddska44K8iocdpxHTMMNui5oH4elPH4QOLrFQ==}
+  '@rollup/rollup-linux-s390x-gnu@4.53.2':
+    resolution: {integrity: sha512-w6yjZF0P+NGzWR3AXWX9zc0DNEGdtvykB03uhonSHMRa+oWA6novflo2WaJr6JZakG2ucsyb+rvhrKac6NIy+w==}
     cpu: [s390x]
     os: [linux]
 
-  '@rollup/rollup-linux-x64-gnu@4.52.5':
-    resolution: {integrity: sha512-hXGLYpdhiNElzN770+H2nlx+jRog8TyynpTVzdlc6bndktjKWyZyiCsuDAlpd+j+W+WNqfcyAWz9HxxIGfZm1Q==}
+  '@rollup/rollup-linux-x64-gnu@4.53.2':
+    resolution: {integrity: sha512-yo8d6tdfdeBArzC7T/PnHd7OypfI9cbuZzPnzLJIyKYFhAQ8SvlkKtKBMbXDxe1h03Rcr7u++nFS7tqXz87Gtw==}
     cpu: [x64]
     os: [linux]
 
-  '@rollup/rollup-linux-x64-musl@4.52.5':
-    resolution: {integrity: sha512-arCGIcuNKjBoKAXD+y7XomR9gY6Mw7HnFBv5Rw7wQRvwYLR7gBAgV7Mb2QTyjXfTveBNFAtPt46/36vV9STLNg==}
+  '@rollup/rollup-linux-x64-musl@4.53.2':
+    resolution: {integrity: sha512-ah59c1YkCxKExPP8O9PwOvs+XRLKwh/mV+3YdKqQ5AMQ0r4M4ZDuOrpWkUaqO7fzAHdINzV9tEVu8vNw48z0lA==}
     cpu: [x64]
     os: [linux]
 
-  '@rollup/rollup-openharmony-arm64@4.52.5':
-    resolution: {integrity: sha512-QoFqB6+/9Rly/RiPjaomPLmR/13cgkIGfA40LHly9zcH1S0bN2HVFYk3a1eAyHQyjs3ZJYlXvIGtcCs5tko9Cw==}
+  '@rollup/rollup-openharmony-arm64@4.53.2':
+    resolution: {integrity: sha512-4VEd19Wmhr+Zy7hbUsFZ6YXEiP48hE//KPLCSVNY5RMGX2/7HZ+QkN55a3atM1C/BZCGIgqN+xrVgtdak2S9+A==}
     cpu: [arm64]
     os: [openharmony]
 
-  '@rollup/rollup-win32-arm64-msvc@4.52.5':
-    resolution: {integrity: sha512-w0cDWVR6MlTstla1cIfOGyl8+qb93FlAVutcor14Gf5Md5ap5ySfQ7R9S/NjNaMLSFdUnKGEasmVnu3lCMqB7w==}
+  '@rollup/rollup-win32-arm64-msvc@4.53.2':
+    resolution: {integrity: sha512-IlbHFYc/pQCgew/d5fslcy1KEaYVCJ44G8pajugd8VoOEI8ODhtb/j8XMhLpwHCMB3yk2J07ctup10gpw2nyMA==}
     cpu: [arm64]
     os: [win32]
 
-  '@rollup/rollup-win32-ia32-msvc@4.52.5':
-    resolution: {integrity: sha512-Aufdpzp7DpOTULJCuvzqcItSGDH73pF3ko/f+ckJhxQyHtp67rHw3HMNxoIdDMUITJESNE6a8uh4Lo4SLouOUg==}
+  '@rollup/rollup-win32-ia32-msvc@4.53.2':
+    resolution: {integrity: sha512-lNlPEGgdUfSzdCWU176ku/dQRnA7W+Gp8d+cWv73jYrb8uT7HTVVxq62DUYxjbaByuf1Yk0RIIAbDzp+CnOTFg==}
     cpu: [ia32]
     os: [win32]
 
-  '@rollup/rollup-win32-x64-gnu@4.52.5':
-    resolution: {integrity: sha512-UGBUGPFp1vkj6p8wCRraqNhqwX/4kNQPS57BCFc8wYh0g94iVIW33wJtQAx3G7vrjjNtRaxiMUylM0ktp/TRSQ==}
+  '@rollup/rollup-win32-x64-gnu@4.53.2':
+    resolution: {integrity: sha512-S6YojNVrHybQis2lYov1sd+uj7K0Q05NxHcGktuMMdIQ2VixGwAfbJ23NnlvvVV1bdpR2m5MsNBViHJKcA4ADw==}
     cpu: [x64]
     os: [win32]
 
-  '@rollup/rollup-win32-x64-msvc@4.52.5':
-    resolution: {integrity: sha512-TAcgQh2sSkykPRWLrdyy2AiceMckNf5loITqXxFI5VuQjS5tSuw3WlwdN8qv8vzjLAUTvYaH/mVjSFpbkFbpTg==}
+  '@rollup/rollup-win32-x64-msvc@4.53.2':
+    resolution: {integrity: sha512-k+/Rkcyx//P6fetPoLMb8pBeqJBNGx81uuf7iljX9++yNBVRDQgD04L+SVXmXmh5ZP4/WOp4mWF0kmi06PW2tA==}
     cpu: [x64]
     os: [win32]
 
@@ -888,68 +888,68 @@ packages:
   '@standard-schema/utils@0.3.0':
     resolution: {integrity: sha512-e7Mew686owMaPJVNNLs55PUvgz371nKgwsc4vxE49zsODpJEnxgxRo2y/OKrqueavXgZNMDVj3DdHFlaSAeU8g==}
 
-  '@swc/core-darwin-arm64@1.14.0':
-    resolution: {integrity: sha512-uHPC8rlCt04nvYNczWzKVdgnRhxCa3ndKTBBbBpResOZsRmiwRAvByIGh599j+Oo6Z5eyTPrgY+XfJzVmXnN7Q==}
+  '@swc/core-darwin-arm64@1.15.2':
+    resolution: {integrity: sha512-Ghyz4RJv4zyXzrUC1B2MLQBbppIB5c4jMZJybX2ebdEQAvryEKp3gq1kBksCNsatKGmEgXul88SETU19sMWcrw==}
     engines: {node: '>=10'}
     cpu: [arm64]
     os: [darwin]
 
-  '@swc/core-darwin-x64@1.14.0':
-    resolution: {integrity: sha512-2SHrlpl68vtePRknv9shvM9YKKg7B9T13tcTg9aFCwR318QTYo+FzsKGmQSv9ox/Ua0Q2/5y2BNjieffJoo4nA==}
+  '@swc/core-darwin-x64@1.15.2':
+    resolution: {integrity: sha512-7n/PGJOcL2QoptzL42L5xFFfXY5rFxLHnuz1foU+4ruUTG8x2IebGhtwVTpaDN8ShEv2UZObBlT1rrXTba15Zw==}
     engines: {node: '>=10'}
     cpu: [x64]
     os: [darwin]
 
-  '@swc/core-linux-arm-gnueabihf@1.14.0':
-    resolution: {integrity: sha512-SMH8zn01dxt809svetnxpeg/jWdpi6dqHKO3Eb11u4OzU2PK7I5uKS6gf2hx5LlTbcJMFKULZiVwjlQLe8eqtg==}
+  '@swc/core-linux-arm-gnueabihf@1.15.2':
+    resolution: {integrity: sha512-ZUQVCfRJ9wimuxkStRSlLwqX4TEDmv6/J+E6FicGkQ6ssLMWoKDy0cAo93HiWt/TWEee5vFhFaSQYzCuBEGO6A==}
     engines: {node: '>=10'}
     cpu: [arm]
     os: [linux]
 
-  '@swc/core-linux-arm64-gnu@1.14.0':
-    resolution: {integrity: sha512-q2JRu2D8LVqGeHkmpVCljVNltG0tB4o4eYg+dElFwCS8l2Mnt9qurMCxIeo9mgoqz0ax+k7jWtIRHktnVCbjvQ==}
+  '@swc/core-linux-arm64-gnu@1.15.2':
+    resolution: {integrity: sha512-GZh3pYBmfnpQ+JIg+TqLuz+pM+Mjsk5VOzi8nwKn/m+GvQBsxD5ectRtxuWUxMGNG8h0lMy4SnHRqdK3/iJl7A==}
     engines: {node: '>=10'}
     cpu: [arm64]
     os: [linux]
 
-  '@swc/core-linux-arm64-musl@1.14.0':
-    resolution: {integrity: sha512-uofpVoPCEUjYIv454ZEZ3sLgMD17nIwlz2z7bsn7rl301Kt/01umFA7MscUovFfAK2IRGck6XB+uulMu6aFhKQ==}
+  '@swc/core-linux-arm64-musl@1.15.2':
+    resolution: {integrity: sha512-5av6VYZZeneiYIodwzGMlnyVakpuYZryGzFIbgu1XP8wVylZxduEzup4eP8atiMDFmIm+s4wn8GySJmYqeJC0A==}
     engines: {node: '>=10'}
     cpu: [arm64]
     os: [linux]
 
-  '@swc/core-linux-x64-gnu@1.14.0':
-    resolution: {integrity: sha512-quTTx1Olm05fBfv66DEBuOsOgqdypnZ/1Bh3yGXWY7ANLFeeRpCDZpljD9BSjdsNdPOlwJmEUZXMHtGm3v1TZQ==}
+  '@swc/core-linux-x64-gnu@1.15.2':
+    resolution: {integrity: sha512-1nO/UfdCLuT/uE/7oB3EZgTeZDCIa6nL72cFEpdegnqpJVNDI6Qb8U4g/4lfVPkmHq2lvxQ0L+n+JdgaZLhrRA==}
     engines: {node: '>=10'}
     cpu: [x64]
     os: [linux]
 
-  '@swc/core-linux-x64-musl@1.14.0':
-    resolution: {integrity: sha512-caaNAu+aIqT8seLtCf08i8C3/UC5ttQujUjejhMcuS1/LoCKtNiUs4VekJd2UGt+pyuuSrQ6dKl8CbCfWvWeXw==}
+  '@swc/core-linux-x64-musl@1.15.2':
+    resolution: {integrity: sha512-Ksfrb0Tx310kr+TLiUOvB/I80lyZ3lSOp6cM18zmNRT/92NB4mW8oX2Jo7K4eVEI2JWyaQUAFubDSha2Q+439A==}
     engines: {node: '>=10'}
     cpu: [x64]
     os: [linux]
 
-  '@swc/core-win32-arm64-msvc@1.14.0':
-    resolution: {integrity: sha512-EeW3jFlT3YNckJ6V/JnTfGcX7UHGyh6/AiCPopZ1HNaGiXVCKHPpVQZicmtyr/UpqxCXLrTgjHOvyMke7YN26A==}
+  '@swc/core-win32-arm64-msvc@1.15.2':
+    resolution: {integrity: sha512-IzUb5RlMUY0r1A9IuJrQ7Tbts1wWb73/zXVXT8VhewbHGoNlBKE0qUhKMED6Tv4wDF+pmbtUJmKXDthytAvLmg==}
     engines: {node: '>=10'}
     cpu: [arm64]
     os: [win32]
 
-  '@swc/core-win32-ia32-msvc@1.14.0':
-    resolution: {integrity: sha512-dPai3KUIcihV5hfoO4QNQF5HAaw8+2bT7dvi8E5zLtecW2SfL3mUZipzampXq5FHll0RSCLzlrXnSx+dBRZIIQ==}
+  '@swc/core-win32-ia32-msvc@1.15.2':
+    resolution: {integrity: sha512-kCATEzuY2LP9AlbU2uScjcVhgnCAkRdu62vbce17Ro5kxEHxYWcugkveyBRS3AqZGtwAKYbMAuNloer9LS/hpw==}
     engines: {node: '>=10'}
     cpu: [ia32]
     os: [win32]
 
-  '@swc/core-win32-x64-msvc@1.14.0':
-    resolution: {integrity: sha512-nm+JajGrTqUA6sEHdghDlHMNfH1WKSiuvljhdmBACW4ta4LC3gKurX2qZuiBARvPkephW9V/i5S8QPY1PzFEqg==}
+  '@swc/core-win32-x64-msvc@1.15.2':
+    resolution: {integrity: sha512-iJaHeYCF4jTn7OEKSa3KRiuVFIVYts8jYjNmCdyz1u5g8HRyTDISD76r8+ljEOgm36oviRQvcXaw6LFp1m0yyA==}
     engines: {node: '>=10'}
     cpu: [x64]
     os: [win32]
 
-  '@swc/core@1.14.0':
-    resolution: {integrity: sha512-oExhY90bes5pDTVrei0xlMVosTxwd/NMafIpqsC4dMbRYZ5KB981l/CX8tMnGsagTplj/RcG9BeRYmV6/J5m3w==}
+  '@swc/core@1.15.2':
+    resolution: {integrity: sha512-OQm+yJdXxvSjqGeaWhP6Ia264ogifwAO7Q12uTDVYj/Ks4jBTI4JknlcjDRAXtRhqbWsfbZyK/5RtuIPyptk3w==}
     engines: {node: '>=10'}
     peerDependencies:
       '@swc/helpers': '>=0.5.17'
@@ -963,8 +963,8 @@ packages:
   '@swc/types@0.1.25':
     resolution: {integrity: sha512-iAoY/qRhNH8a/hBvm3zKj9qQ4oc2+3w1unPJa2XvTK3XjeLXtzcCingVPw/9e5mn1+0yPqxcBGp9Jf0pkfMb1g==}
 
-  '@tanstack/query-core@5.90.6':
-    resolution: {integrity: sha512-AnZSLF26R8uX+tqb/ivdrwbVdGemdEDm1Q19qM6pry6eOZ6bEYiY7mWhzXT1YDIPTNEVcZ5kYP9nWjoxDLiIVw==}
+  '@tanstack/query-core@5.90.9':
+    resolution: {integrity: sha512-UFOCQzi6pRGeVTVlPNwNdnAvT35zugcIydqjvFUzG62dvz2iVjElmNp/hJkUoM5eqbUPfSU/GJIr/wbvD8bTUw==}
 
   '@tanstack/query-devtools@5.90.1':
     resolution: {integrity: sha512-GtINOPjPUH0OegJExZ70UahT9ykmAhmtNVcmtdnOZbxLwT7R5OmRztR5Ahe3/Cu7LArEmR6/588tAycuaWb1xQ==}
@@ -975,8 +975,8 @@ packages:
       '@tanstack/react-query': ^5.90.2
       react: ^18 || ^19
 
-  '@tanstack/react-query@5.90.6':
-    resolution: {integrity: sha512-gB1sljYjcobZKxjPbKSa31FUTyr+ROaBdoH+wSSs9Dk+yDCmMs+TkTV3PybRRVLC7ax7q0erJ9LvRWnMktnRAw==}
+  '@tanstack/react-query@5.90.9':
+    resolution: {integrity: sha512-Zke2AaXiaSfnG8jqPZR52m8SsclKT2d9//AgE/QIzyNvbpj/Q2ln+FsZjb1j69bJZUouBvX2tg9PHirkTm8arw==}
     peerDependencies:
       react: ^18 || ^19
 
@@ -1055,8 +1055,8 @@ packages:
   '@types/ms@2.1.0':
     resolution: {integrity: sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==}
 
-  '@types/node@24.10.0':
-    resolution: {integrity: sha512-qzQZRBqkFsYyaSWXuEHc2WR9c0a0CXwiE5FWUvn7ZM+vdy1uZLfCunD38UzhuB7YN/J11ndbDBcTmOdxJo9Q7A==}
+  '@types/node@24.10.1':
+    resolution: {integrity: sha512-GNWcUTRBgIRJD5zj+Tq0fKOJ5XZajIiBroOF0yvj2bSU1WvNdYS/dn9UxwsujGW4JX06dnHyjV2y9rRaybH0iQ==}
 
   '@types/normalize-package-data@2.4.4':
     resolution: {integrity: sha512-37i+OaWTh9qeK4LSHPsyRC7NahnGotNuZvjLSgcPzblpHB3rrCJxAOgI5gCdKm7coonsaX1Of0ILiTcnZjbfxA==}
@@ -1067,8 +1067,8 @@ packages:
   '@types/qs@6.14.0':
     resolution: {integrity: sha512-eOunJqu0K1923aExK6y8p6fsihYEn/BYuQ4g0CxAAgFc4b/ZLN4CrsRZ55srTdqoiLzU2B2evC+apEIxprEzkQ==}
 
-  '@types/react-dom@19.2.2':
-    resolution: {integrity: sha512-9KQPoO6mZCi7jcIStSnlOWn2nEF3mNmyr3rIAsGnAbQKYbRLyqmeSc39EVgtxXVia+LMT8j3knZLAZAh+xLmrw==}
+  '@types/react-dom@19.2.3':
+    resolution: {integrity: sha512-jp2L/eY6fn+KgVVQAOqYItbF0VY/YApe5Mz2F0aykSO8gx31bYCZyvSeYxCHKvzHG5eZjc+zyaS5BrBWya2+kQ==}
     peerDependencies:
       '@types/react': ^19.2.0
 
@@ -1078,8 +1078,8 @@ packages:
   '@types/react-router@5.1.20':
     resolution: {integrity: sha512-jGjmu/ZqS7FjSH6owMcD5qpq19+1RS9DeVRqfl1FeBMxTDQAGwlMWOcs52NDoXaNKyG3d1cYQFMs9rCrb88o9Q==}
 
-  '@types/react@19.2.2':
-    resolution: {integrity: sha512-6mDvHUFSjyT2B2yeNx2nUgMxh9LtOWvkhIU3uePn2I2oyNymUAX1NIsdgviM4CH+JSrp2D2hsMvJOkxY+0wNRA==}
+  '@types/react@19.2.4':
+    resolution: {integrity: sha512-tBFxBp9Nfyy5rsmefN+WXc1JeW/j2BpBHFdLZbEVfs9wn3E3NRFxwV0pJg8M1qQAexFpvz73hJXFofV0ZAu92A==}
 
   '@types/unist@2.0.11':
     resolution: {integrity: sha512-CmBKiL6NNo/OqgmMn95Fk9Whlp2mtvIv+KNpQKN2F4SjvrEesubTRWGYSg+BnWZOnlCaSTU1sMpsBOzgbYhnsA==}
@@ -1101,8 +1101,8 @@ packages:
     peerDependencies:
       react: '>= 16.8.0'
 
-  '@vitejs/plugin-react-swc@4.2.0':
-    resolution: {integrity: sha512-/tesahXD1qpkGC6FzMoFOJj0RyZdw9xLELOL+6jbElwmWfwOnIVy+IfpY+o9JfD9PKaR/Eyb6DNrvbXpuvA+8Q==}
+  '@vitejs/plugin-react-swc@4.2.2':
+    resolution: {integrity: sha512-x+rE6tsxq/gxrEJN3Nv3dIV60lFflPj94c90b+NNo6n1QV1QQUTLoL0MpaOVasUZ0zqVBn7ead1B5ecx1JAGfA==}
     engines: {node: ^20.19.0 || >=22.12.0}
     peerDependencies:
       vite: ^4 || ^5 || ^6 || ^7
@@ -1145,15 +1145,15 @@ packages:
   asynckit@0.4.0:
     resolution: {integrity: sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==}
 
-  autoprefixer@10.4.21:
-    resolution: {integrity: sha512-O+A6LWV5LDHSJD3LjHYoNi4VLsj/Whi7k6zG12xTYaU4cQ8oxQGckXNX8cRHK5yOZ/ppVHe0ZBXGzSV9jXdVbQ==}
+  autoprefixer@10.4.22:
+    resolution: {integrity: sha512-ARe0v/t9gO28Bznv6GgqARmVqcWOV3mfgUPn9becPHMiD3o9BwlRgaeccZnwTpZ7Zwqrm+c1sUSsMxIzQzc8Xg==}
     engines: {node: ^10 || ^12 || >=14}
     hasBin: true
     peerDependencies:
       postcss: ^8.1.0
 
-  axios@1.13.1:
-    resolution: {integrity: sha512-hU4EGxxt+j7TQijx1oYdAjw4xuIp1wRQSsbMFwSthCWeBQur1eF+qJ5iQ5sN3Tw8YRzQNKb8jszgBdMDVqwJcw==}
+  axios@1.13.2:
+    resolution: {integrity: sha512-VPk9ebNqPcy5lRGuSlKx752IlDatOjT9paPlm8A7yOuW2Fbvp4X3JznJtT4f0GzGLLiWE9W8onz51SqLYwzGaA==}
 
   babel-plugin-macros@3.1.0:
     resolution: {integrity: sha512-Cg7TFGpIr01vOQNODXOOaGz2NpCU5gl8x1qJFbb6hbZxR7XrcE2vtbAsTAbJ7/xwJtUuJEw8K8Zr/AE0LHlesg==}
@@ -1165,8 +1165,8 @@ packages:
   balanced-match@1.0.2:
     resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==}
 
-  baseline-browser-mapping@2.8.23:
-    resolution: {integrity: sha512-616V5YX4bepJFzNyOfce5Fa8fDJMfoxzOIzDCZwaGL8MKVpFrXqfNUoIpRn9YMI5pXf/VKgzjB4htFMsFKKdiQ==}
+  baseline-browser-mapping@2.8.28:
+    resolution: {integrity: sha512-gYjt7OIqdM0PcttNYP2aVrr2G0bMALkBaoehD4BuRGjAOtipg0b6wHg1yNL+s5zSnLZZrGHOw4IrND8CD+3oIQ==}
     hasBin: true
 
   bignumber.js@9.3.1:
@@ -1183,8 +1183,8 @@ packages:
     resolution: {integrity: sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==}
     engines: {node: '>=8'}
 
-  browserslist@4.27.0:
-    resolution: {integrity: sha512-AXVQwdhot1eqLihwasPElhX2tAZiBjWdJ9i/Zcj2S6QYIjkx62OKSfnobkriB81C3l4w0rVy3Nt4jaTBltYEpw==}
+  browserslist@4.28.0:
+    resolution: {integrity: sha512-tbydkR/CxfMwelN0vwdP/pLkDwyAASZ+VfWm4EOwlB6SWhx1sYnWLqo8N5j0rAzPfzfRaxt0mM/4wPU/Su84RQ==}
     engines: {node: ^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7}
     hasBin: true
 
@@ -1220,8 +1220,8 @@ packages:
     resolution: {integrity: sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg==}
     engines: {node: '>=6'}
 
-  caniuse-lite@1.0.30001753:
-    resolution: {integrity: sha512-Bj5H35MD/ebaOV4iDLqPEtiliTN29qkGtEHCwawWn4cYm+bPJM2NsaP30vtZcnERClMzp52J4+aw2UNbK4o+zw==}
+  caniuse-lite@1.0.30001754:
+    resolution: {integrity: sha512-x6OeBXueoAceOmotzx3PO4Zpt4rzpeIFsSr6AAePTZxSkXiYDUmpypEl7e2+8NCd9bD7bXjqyef8CJYPC1jfxg==}
 
   ccount@2.0.1:
     resolution: {integrity: sha512-eyrF0jiFpY+3drT6383f1qhkbGsLSifNAjA61IUjZjmLCWjItY6LB9ft9YhoDgwfmclB2zhu51Lc7+95b8NRAg==}
@@ -1388,8 +1388,8 @@ packages:
     resolution: {integrity: sha512-AdmX6xUzdNASswsFtmwSt7Vj8po9IuqXm0UXz7QKPuEUmPB4XyjGfaAr2PSuELMwkRMVH1EpIkX5bTZGRB3eCA==}
     engines: {node: '>=10'}
 
-  csstype@3.1.3:
-    resolution: {integrity: sha512-M1uQkMl8rQK/szD0LNhtqxIPLpimGm8sOBwU7lLnCpSbTyY3yeU1Vc7l4KT5zT4s/yOxHH5O7tIuuLOCnLADRw==}
+  csstype@3.2.0:
+    resolution: {integrity: sha512-si++xzRAY9iPp60roQiFta7OFbhrgvcthrhlNAGeQptSY25uJjkfUV8OArC3KLocB8JT8ohz+qgxWCmz8RhjIg==}
 
   d3-array@3.2.4:
     resolution: {integrity: sha512-tdQAmyA18i4J7wprpYq8ClcxZy3SC31QMeByyCFyRt7BVHdREQZ5lpzoe5mFEYZUWe+oq8HBvk9JjpibyEV4Jg==}
@@ -1533,8 +1533,8 @@ packages:
     resolution: {integrity: sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==}
     engines: {node: '>= 0.4'}
 
-  electron-to-chromium@1.5.244:
-    resolution: {integrity: sha512-OszpBN7xZX4vWMPJwB9illkN/znA8M36GQqQxi6MNy9axWxhOfJyZZJtSLQCpEFLHP2xK33BiWx9aIuIEXVCcw==}
+  electron-to-chromium@1.5.252:
+    resolution: {integrity: sha512-53uTpjtRgS7gjIxZ4qCgFdNO2q+wJt/Z8+xAvxbCqXPJrY6h7ighUkadQmNMXH96crtpa6gPFNP7BF4UBGDuaA==}
 
   emoji-regex@8.0.0:
     resolution: {integrity: sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==}
@@ -1654,8 +1654,8 @@ packages:
     resolution: {integrity: sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==}
     engines: {node: '>= 6'}
 
-  fraction.js@4.3.7:
-    resolution: {integrity: sha512-ZsDfxO51wGAXREY55a7la9LScWpwv9RxIrYABrlvOFBlH/ShPnrtsXeuUIfXKKOVicNxQ+o8JTbJvjS4M89yew==}
+  fraction.js@5.3.4:
+    resolution: {integrity: sha512-1X1NTtiJphryn/uLQz3whtY6jK3fTqoE3ohKs0tT+Ujr1W59oopxmoEh7Lu5p6vBaPbgoM0bzveAW4Qi5RyWDQ==}
 
   framer-motion@12.23.24:
     resolution: {integrity: sha512-HMi5HRoRCTou+3fb3h9oTLyJGBxHfW+HnNE25tAXOvVx/IvwMHK0cx7IR4a2ZU6sh3IX1Z+4ts32PcYBOqka8w==}
@@ -1812,8 +1812,8 @@ packages:
   html-dom-parser@5.1.1:
     resolution: {integrity: sha512-+o4Y4Z0CLuyemeccvGN4bAO20aauB2N9tFEAep5x4OW34kV4PTarBHm6RL02afYt2BMKcr0D2Agep8S3nJPIBg==}
 
-  html-react-parser@5.2.7:
-    resolution: {integrity: sha512-WzIAcqQoZoF49J9aev8NBDLz9TJvt2RmipeYA+/5+5x0sWCwFxqKiq0lysieiSA/G6dbUZ6KGGy65Cx2fjie5Q==}
+  html-react-parser@5.2.8:
+    resolution: {integrity: sha512-09WaI81tbpwhXWeMe1m9VptZVJUcigo0l59zVt+2HUIQT7+baU38/oNhllj6MKhOuGXqh0nrlwOgxbxbm6xXHw==}
     peerDependencies:
       '@types/react': 0.14 || 15 || 16 || 17 || 18 || 19
       react: 0.14 || 15 || 16 || 17 || 18 || 19
@@ -1853,9 +1853,6 @@ packages:
   ini@1.3.8:
     resolution: {integrity: sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==}
 
-  inline-style-parser@0.2.4:
-    resolution: {integrity: sha512-0aO8FkhNZlj/ZIbNi7Lxxr12obT7cL1moPfE4tg1LkX7LlLfC6DeX4l2ZEud1ukP9jNQyNnfzQVqwbwmAATY4Q==}
-
   inline-style-parser@0.2.6:
     resolution: {integrity: sha512-gtGXVaBdl5mAes3rPcMedEBm12ibjt1kDMFfheul1wUAOVEJW60voNdMVzVkfLN06O7ZaD/rxhfKgtlgtTbMjg==}
 
@@ -2384,8 +2381,8 @@ packages:
       react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
       react-dom: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
 
-  react-datepicker@8.8.0:
-    resolution: {integrity: sha512-rIJLhww1B5cQY7GYEfSEXvldlGp+GIVU5oE7lxqeK4fmdv5F9bVndplDmblMCvfSMazXmeJ6OHBvRs/PkEhwUQ==}
+  react-datepicker@8.9.0:
+    resolution: {integrity: sha512-yoRsGxjqVRjk8iUBssrW9jcinTeyP9mAfTpuzdKvlESOUjdrY0sfDTzIZWJAn38jvNcxW1dnDmW1CinjiFdxYQ==}
     peerDependencies:
       react: ^16.9.0 || ^17 || ^18 || ^19 || ^19.0.0-rc
       react-dom: ^16.9.0 || ^17 || ^18 || ^19 || ^19.0.0-rc
@@ -2458,15 +2455,15 @@ packages:
     peerDependencies:
       react: ^18.0.0 || ^19.0.0
 
-  react-router-dom@6.30.1:
-    resolution: {integrity: sha512-llKsgOkZdbPU1Eg3zK8lCn+sjD9wMRZZPuzmdWWX5SUs8OFkN5HnFVC0u5KMeMaC9aoancFI/KoLuKPqN+hxHw==}
+  react-router-dom@6.30.2:
+    resolution: {integrity: sha512-l2OwHn3UUnEVUqc6/1VMmR1cvZryZ3j3NzapC2eUXO1dB0sYp5mvwdjiXhpUbRb21eFow3qSxpP8Yv6oAU824Q==}
     engines: {node: '>=14.0.0'}
     peerDependencies:
       react: '>=16.8'
       react-dom: '>=16.8'
 
-  react-router@6.30.1:
-    resolution: {integrity: sha512-X1m21aEmxGXqENEPG3T6u0Th7g0aS4ZmoNynhbs+Cn+q+QGTLt+d5IQ2bHAXKzKcxGJjxACpVbnYQSCRcfxHlQ==}
+  react-router@6.30.2:
+    resolution: {integrity: sha512-H2Bm38Zu1bm8KUE5NVWRMzuIyAV8p/JrOaBJAwVmp37AXG72+CZJlEBw6pdn9i5TBgLMhNDgijS4ZlblpHyWTA==}
     engines: {node: '>=14.0.0'}
     peerDependencies:
       react: '>=16.8'
@@ -2519,8 +2516,8 @@ packages:
     resolution: {integrity: sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==}
     engines: {node: '>=8.10.0'}
 
-  recharts@3.3.0:
-    resolution: {integrity: sha512-Vi0qmTB0iz1+/Cz9o5B7irVyUjX2ynvEgImbgMt/3sKRREcUM07QiYjS1QpAVrkmVlXqy5gykq4nGWMz9AS4Rg==}
+  recharts@3.4.1:
+    resolution: {integrity: sha512-35kYg6JoOgwq8sE4rhYkVWwa6aAIgOtT+Ob0gitnShjwUwZmhrmy7Jco/5kJNF4PnLXgt9Hwq+geEMS+WrjU1g==}
     engines: {node: '>=18'}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
@@ -2573,8 +2570,8 @@ packages:
     engines: {node: '>= 0.4'}
     hasBin: true
 
-  rollup@4.52.5:
-    resolution: {integrity: sha512-3GuObel8h7Kqdjt0gxkEzaifHTqLVW56Y/bjN7PSQtkKr0w3V/QYSdt6QWYtd7A1xUtYQigtdUfgj1RvWVtorw==}
+  rollup@4.53.2:
+    resolution: {integrity: sha512-MHngMYwGJVi6Fmnk6ISmnk7JAHRNF0UkuucA0CUW3N3a4KnONPEZz+vUanQP/ZC/iY1Qkf3bwPWzyY84wEks1g==}
     engines: {node: '>=18.0.0', npm: '>=8.0.0'}
     hasBin: true
 
@@ -2704,15 +2701,9 @@ packages:
     resolution: {integrity: sha512-laJTa3Jb+VQpaC6DseHhF7dXVqHTfJPCRDaEbid/drOhgitgYku/letMUqOXFoWV0zIIUbjpdH2t+tYj4bQMRQ==}
     engines: {node: '>=8'}
 
-  style-to-js@1.1.18:
-    resolution: {integrity: sha512-JFPn62D4kJaPTnhFUI244MThx+FEGbi+9dw1b9yBBQ+1CZpV7QAT8kUtJ7b7EUNdHajjF/0x8fT+16oLJoojLg==}
-
   style-to-js@1.1.19:
     resolution: {integrity: sha512-Ev+SgeqiNGT1ufsXyVC5RrJRXdrkRJ1Gol9Qw7Pb72YCKJXrBvP0ckZhBeVSrw2m06DJpei2528uIpjMb4TsoQ==}
 
-  style-to-object@1.0.11:
-    resolution: {integrity: sha512-5A560JmXr7wDyGLK12Nq/EYS38VkGlglVzkis1JEdbGWSnbQIEhZzTJhzURXN5/8WwwFCs/f/VVcmkTppbXLow==}
-
   style-to-object@1.0.12:
     resolution: {integrity: sha512-ddJqYnoT4t97QvN2C95bCgt+m7AAgXjVnkk/jxAfmp7EAB8nnqqZYEbMd3em7/vEomDb2LAQKAy1RFfv41mdNw==}
 
@@ -2959,8 +2950,8 @@ packages:
     peerDependencies:
       vite: '>=2.0.0-beta.69'
 
-  vite@7.1.12:
-    resolution: {integrity: sha512-ZWyE8YXEXqJrrSLvYgrRP7p62OziLW7xI5HYGWFzOvupfAlrLvURSzv/FyGyy0eidogEM3ujU+kUG1zuHgb6Ug==}
+  vite@7.2.2:
+    resolution: {integrity: sha512-BxAKBWmIbrDgrokdGZH1IgkIk/5mMHDreLDmCJ0qpyJaAteP8NvMhkwr/ZCQNqNH97bw/dANTE9PDzqwJghfMQ==}
     engines: {node: ^20.19.0 || >=22.12.0}
     hasBin: true
     peerDependencies:
@@ -3136,7 +3127,7 @@ snapshots:
     dependencies:
       '@babel/compat-data': 7.28.5
       '@babel/helper-validator-option': 7.27.1
-      browserslist: 4.27.0
+      browserslist: 4.28.0
       lru-cache: 5.1.1
       semver: 6.3.1
 
@@ -3271,7 +3262,7 @@ snapshots:
 
   '@emotion/memoize@0.9.0': {}
 
-  '@emotion/react@11.14.0(@types/react@19.2.2)(react@19.2.0)':
+  '@emotion/react@11.14.0(@types/react@19.2.4)(react@19.2.0)':
     dependencies:
       '@babel/runtime': 7.28.4
       '@emotion/babel-plugin': 11.13.5
@@ -3283,7 +3274,7 @@ snapshots:
       hoist-non-react-statics: 3.3.2
       react: 19.2.0
     optionalDependencies:
-      '@types/react': 19.2.2
+      '@types/react': 19.2.4
     transitivePeerDependencies:
       - supports-color
 
@@ -3293,22 +3284,22 @@ snapshots:
       '@emotion/memoize': 0.9.0
       '@emotion/unitless': 0.10.0
       '@emotion/utils': 1.4.2
-      csstype: 3.1.3
+      csstype: 3.2.0
 
   '@emotion/sheet@1.4.0': {}
 
-  '@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.2)(react@19.2.0))(@types/react@19.2.2)(react@19.2.0)':
+  '@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.4)(react@19.2.0))(@types/react@19.2.4)(react@19.2.0)':
     dependencies:
       '@babel/runtime': 7.28.4
       '@emotion/babel-plugin': 11.13.5
       '@emotion/is-prop-valid': 1.4.0
-      '@emotion/react': 11.14.0(@types/react@19.2.2)(react@19.2.0)
+      '@emotion/react': 11.14.0(@types/react@19.2.4)(react@19.2.0)
       '@emotion/serialize': 1.3.3
       '@emotion/use-insertion-effect-with-fallbacks': 1.2.0(react@19.2.0)
       '@emotion/utils': 1.4.2
       react: 19.2.0
     optionalDependencies:
-      '@types/react': 19.2.2
+      '@types/react': 19.2.4
     transitivePeerDependencies:
       - supports-color
 
@@ -3427,10 +3418,10 @@ snapshots:
 
   '@github/webauthn-json@2.1.1': {}
 
-  '@hookform/devtools@4.4.0(@types/react@19.2.2)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)':
+  '@hookform/devtools@4.4.0(@types/react@19.2.4)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)':
     dependencies:
-      '@emotion/react': 11.14.0(@types/react@19.2.2)(react@19.2.0)
-      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.2)(react@19.2.0))(@types/react@19.2.2)(react@19.2.0)
+      '@emotion/react': 11.14.0(@types/react@19.2.4)(react@19.2.0)
+      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.4)(react@19.2.0))(@types/react@19.2.4)(react@19.2.0)
       '@types/lodash': 4.17.20
       little-state-machine: 4.8.1(react@19.2.0)
       lodash: 4.17.21
@@ -3496,7 +3487,7 @@ snapshots:
       rxjs: 7.8.2
       use-sync-external-store: 1.6.0(react@19.2.0)
 
-  '@reduxjs/toolkit@2.9.2(react-redux@9.2.0(@types/react@19.2.2)(react@19.2.0)(redux@5.0.1))(react@19.2.0)':
+  '@reduxjs/toolkit@2.10.1(react-redux@9.2.0(@types/react@19.2.4)(react@19.2.0)(redux@5.0.1))(react@19.2.0)':
     dependencies:
       '@standard-schema/spec': 1.0.0
       '@standard-schema/utils': 0.3.0
@@ -3506,76 +3497,76 @@ snapshots:
       reselect: 5.1.1
     optionalDependencies:
       react: 19.2.0
-      react-redux: 9.2.0(@types/react@19.2.2)(react@19.2.0)(redux@5.0.1)
+      react-redux: 9.2.0(@types/react@19.2.4)(react@19.2.0)(redux@5.0.1)
 
-  '@remix-run/router@1.23.0': {}
+  '@remix-run/router@1.23.1': {}
 
-  '@rolldown/pluginutils@1.0.0-beta.43': {}
+  '@rolldown/pluginutils@1.0.0-beta.47': {}
 
-  '@rollup/rollup-android-arm-eabi@4.52.5':
+  '@rollup/rollup-android-arm-eabi@4.53.2':
     optional: true
 
-  '@rollup/rollup-android-arm64@4.52.5':
+  '@rollup/rollup-android-arm64@4.53.2':
     optional: true
 
-  '@rollup/rollup-darwin-arm64@4.52.5':
+  '@rollup/rollup-darwin-arm64@4.53.2':
     optional: true
 
-  '@rollup/rollup-darwin-x64@4.52.5':
+  '@rollup/rollup-darwin-x64@4.53.2':
     optional: true
 
-  '@rollup/rollup-freebsd-arm64@4.52.5':
+  '@rollup/rollup-freebsd-arm64@4.53.2':
     optional: true
 
-  '@rollup/rollup-freebsd-x64@4.52.5':
+  '@rollup/rollup-freebsd-x64@4.53.2':
     optional: true
 
-  '@rollup/rollup-linux-arm-gnueabihf@4.52.5':
+  '@rollup/rollup-linux-arm-gnueabihf@4.53.2':
     optional: true
 
-  '@rollup/rollup-linux-arm-musleabihf@4.52.5':
+  '@rollup/rollup-linux-arm-musleabihf@4.53.2':
     optional: true
 
-  '@rollup/rollup-linux-arm64-gnu@4.52.5':
+  '@rollup/rollup-linux-arm64-gnu@4.53.2':
     optional: true
 
-  '@rollup/rollup-linux-arm64-musl@4.52.5':
+  '@rollup/rollup-linux-arm64-musl@4.53.2':
     optional: true
 
-  '@rollup/rollup-linux-loong64-gnu@4.52.5':
+  '@rollup/rollup-linux-loong64-gnu@4.53.2':
     optional: true
 
-  '@rollup/rollup-linux-ppc64-gnu@4.52.5':
+  '@rollup/rollup-linux-ppc64-gnu@4.53.2':
     optional: true
 
-  '@rollup/rollup-linux-riscv64-gnu@4.52.5':
+  '@rollup/rollup-linux-riscv64-gnu@4.53.2':
     optional: true
 
-  '@rollup/rollup-linux-riscv64-musl@4.52.5':
+  '@rollup/rollup-linux-riscv64-musl@4.53.2':
     optional: true
 
-  '@rollup/rollup-linux-s390x-gnu@4.52.5':
+  '@rollup/rollup-linux-s390x-gnu@4.53.2':
     optional: true
 
-  '@rollup/rollup-linux-x64-gnu@4.52.5':
+  '@rollup/rollup-linux-x64-gnu@4.53.2':
     optional: true
 
-  '@rollup/rollup-linux-x64-musl@4.52.5':
+  '@rollup/rollup-linux-x64-musl@4.53.2':
     optional: true
 
-  '@rollup/rollup-openharmony-arm64@4.52.5':
+  '@rollup/rollup-openharmony-arm64@4.53.2':
     optional: true
 
-  '@rollup/rollup-win32-arm64-msvc@4.52.5':
+  '@rollup/rollup-win32-arm64-msvc@4.53.2':
     optional: true
 
-  '@rollup/rollup-win32-ia32-msvc@4.52.5':
+  '@rollup/rollup-win32-ia32-msvc@4.53.2':
     optional: true
 
-  '@rollup/rollup-win32-x64-gnu@4.52.5':
+  '@rollup/rollup-win32-x64-gnu@4.53.2':
     optional: true
 
-  '@rollup/rollup-win32-x64-msvc@4.52.5':
+  '@rollup/rollup-win32-x64-msvc@4.53.2':
     optional: true
 
   '@rx-state/core@0.1.4(rxjs@7.8.2)':
@@ -3613,51 +3604,51 @@ snapshots:
 
   '@standard-schema/utils@0.3.0': {}
 
-  '@swc/core-darwin-arm64@1.14.0':
+  '@swc/core-darwin-arm64@1.15.2':
     optional: true
 
-  '@swc/core-darwin-x64@1.14.0':
+  '@swc/core-darwin-x64@1.15.2':
     optional: true
 
-  '@swc/core-linux-arm-gnueabihf@1.14.0':
+  '@swc/core-linux-arm-gnueabihf@1.15.2':
     optional: true
 
-  '@swc/core-linux-arm64-gnu@1.14.0':
+  '@swc/core-linux-arm64-gnu@1.15.2':
     optional: true
 
-  '@swc/core-linux-arm64-musl@1.14.0':
+  '@swc/core-linux-arm64-musl@1.15.2':
     optional: true
 
-  '@swc/core-linux-x64-gnu@1.14.0':
+  '@swc/core-linux-x64-gnu@1.15.2':
     optional: true
 
-  '@swc/core-linux-x64-musl@1.14.0':
+  '@swc/core-linux-x64-musl@1.15.2':
     optional: true
 
-  '@swc/core-win32-arm64-msvc@1.14.0':
+  '@swc/core-win32-arm64-msvc@1.15.2':
     optional: true
 
-  '@swc/core-win32-ia32-msvc@1.14.0':
+  '@swc/core-win32-ia32-msvc@1.15.2':
     optional: true
 
-  '@swc/core-win32-x64-msvc@1.14.0':
+  '@swc/core-win32-x64-msvc@1.15.2':
     optional: true
 
-  '@swc/core@1.14.0':
+  '@swc/core@1.15.2':
     dependencies:
       '@swc/counter': 0.1.3
       '@swc/types': 0.1.25
     optionalDependencies:
-      '@swc/core-darwin-arm64': 1.14.0
-      '@swc/core-darwin-x64': 1.14.0
-      '@swc/core-linux-arm-gnueabihf': 1.14.0
-      '@swc/core-linux-arm64-gnu': 1.14.0
-      '@swc/core-linux-arm64-musl': 1.14.0
-      '@swc/core-linux-x64-gnu': 1.14.0
-      '@swc/core-linux-x64-musl': 1.14.0
-      '@swc/core-win32-arm64-msvc': 1.14.0
-      '@swc/core-win32-ia32-msvc': 1.14.0
-      '@swc/core-win32-x64-msvc': 1.14.0
+      '@swc/core-darwin-arm64': 1.15.2
+      '@swc/core-darwin-x64': 1.15.2
+      '@swc/core-linux-arm-gnueabihf': 1.15.2
+      '@swc/core-linux-arm64-gnu': 1.15.2
+      '@swc/core-linux-arm64-musl': 1.15.2
+      '@swc/core-linux-x64-gnu': 1.15.2
+      '@swc/core-linux-x64-musl': 1.15.2
+      '@swc/core-win32-arm64-msvc': 1.15.2
+      '@swc/core-win32-ia32-msvc': 1.15.2
+      '@swc/core-win32-x64-msvc': 1.15.2
 
   '@swc/counter@0.1.3': {}
 
@@ -3665,19 +3656,19 @@ snapshots:
     dependencies:
       '@swc/counter': 0.1.3
 
-  '@tanstack/query-core@5.90.6': {}
+  '@tanstack/query-core@5.90.9': {}
 
   '@tanstack/query-devtools@5.90.1': {}
 
-  '@tanstack/react-query-devtools@5.90.2(@tanstack/react-query@5.90.6(react@19.2.0))(react@19.2.0)':
+  '@tanstack/react-query-devtools@5.90.2(@tanstack/react-query@5.90.9(react@19.2.0))(react@19.2.0)':
     dependencies:
       '@tanstack/query-devtools': 5.90.1
-      '@tanstack/react-query': 5.90.6(react@19.2.0)
+      '@tanstack/react-query': 5.90.9(react@19.2.0)
       react: 19.2.0
 
-  '@tanstack/react-query@5.90.6(react@19.2.0)':
+  '@tanstack/react-query@5.90.9(react@19.2.0)':
     dependencies:
-      '@tanstack/query-core': 5.90.6
+      '@tanstack/query-core': 5.90.9
       react: 19.2.0
 
   '@tanstack/react-virtual@3.13.12(react-dom@19.2.0(react@19.2.0))(react@19.2.0)':
@@ -3748,7 +3739,7 @@ snapshots:
 
   '@types/ms@2.1.0': {}
 
-  '@types/node@24.10.0':
+  '@types/node@24.10.1':
     dependencies:
       undici-types: 7.16.0
 
@@ -3758,24 +3749,24 @@ snapshots:
 
   '@types/qs@6.14.0': {}
 
-  '@types/react-dom@19.2.2(@types/react@19.2.2)':
+  '@types/react-dom@19.2.3(@types/react@19.2.4)':
     dependencies:
-      '@types/react': 19.2.2
+      '@types/react': 19.2.4
 
   '@types/react-router-dom@5.3.3':
     dependencies:
       '@types/history': 4.7.11
-      '@types/react': 19.2.2
+      '@types/react': 19.2.4
       '@types/react-router': 5.1.20
 
   '@types/react-router@5.1.20':
     dependencies:
       '@types/history': 4.7.11
-      '@types/react': 19.2.2
+      '@types/react': 19.2.4
 
-  '@types/react@19.2.2':
+  '@types/react@19.2.4':
     dependencies:
-      csstype: 3.1.3
+      csstype: 3.2.0
 
   '@types/unist@2.0.11': {}
 
@@ -3792,11 +3783,11 @@ snapshots:
       '@use-gesture/core': 10.3.1
       react: 19.2.0
 
-  '@vitejs/plugin-react-swc@4.2.0(vite@7.1.12(@types/node@24.10.0)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))':
+  '@vitejs/plugin-react-swc@4.2.2(vite@7.2.2(@types/node@24.10.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))':
     dependencies:
-      '@rolldown/pluginutils': 1.0.0-beta.43
-      '@swc/core': 1.14.0
-      vite: 7.1.12(@types/node@24.10.0)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
+      '@rolldown/pluginutils': 1.0.0-beta.47
+      '@swc/core': 1.15.2
+      vite: 7.2.2(@types/node@24.10.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
     transitivePeerDependencies:
       - '@swc/helpers'
 
@@ -3831,17 +3822,17 @@ snapshots:
 
   asynckit@0.4.0: {}
 
-  autoprefixer@10.4.21(postcss@8.5.6):
+  autoprefixer@10.4.22(postcss@8.5.6):
     dependencies:
-      browserslist: 4.27.0
-      caniuse-lite: 1.0.30001753
-      fraction.js: 4.3.7
+      browserslist: 4.28.0
+      caniuse-lite: 1.0.30001754
+      fraction.js: 5.3.4
       normalize-range: 0.1.2
       picocolors: 1.1.1
       postcss: 8.5.6
       postcss-value-parser: 4.2.0
 
-  axios@1.13.1:
+  axios@1.13.2:
     dependencies:
       follow-redirects: 1.15.11
       form-data: 4.0.4
@@ -3859,7 +3850,7 @@ snapshots:
 
   balanced-match@1.0.2: {}
 
-  baseline-browser-mapping@2.8.23: {}
+  baseline-browser-mapping@2.8.28: {}
 
   bignumber.js@9.3.1: {}
 
@@ -3874,13 +3865,13 @@ snapshots:
     dependencies:
       fill-range: 7.1.1
 
-  browserslist@4.27.0:
+  browserslist@4.28.0:
     dependencies:
-      baseline-browser-mapping: 2.8.23
-      caniuse-lite: 1.0.30001753
-      electron-to-chromium: 1.5.244
+      baseline-browser-mapping: 2.8.28
+      caniuse-lite: 1.0.30001754
+      electron-to-chromium: 1.5.252
       node-releases: 2.0.27
-      update-browserslist-db: 1.1.4(browserslist@4.27.0)
+      update-browserslist-db: 1.1.4(browserslist@4.28.0)
 
   buffer-from@1.1.2: {}
 
@@ -3906,7 +3897,7 @@ snapshots:
 
   camelcase@5.3.1: {}
 
-  caniuse-lite@1.0.30001753: {}
+  caniuse-lite@1.0.30001754: {}
 
   ccount@2.0.1: {}
 
@@ -4133,7 +4124,7 @@ snapshots:
       path-type: 4.0.0
       yaml: 1.10.2
 
-  csstype@3.1.3: {}
+  csstype@3.2.0: {}
 
   d3-array@3.2.4:
     dependencies:
@@ -4255,7 +4246,7 @@ snapshots:
       es-errors: 1.3.0
       gopd: 1.2.0
 
-  electron-to-chromium@1.5.244: {}
+  electron-to-chromium@1.5.252: {}
 
   emoji-regex@8.0.0: {}
 
@@ -4373,7 +4364,7 @@ snapshots:
       hasown: 2.0.2
       mime-types: 2.1.35
 
-  fraction.js@4.3.7: {}
+  fraction.js@5.3.4: {}
 
   framer-motion@12.23.24(@emotion/is-prop-valid@1.4.0)(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
     dependencies:
@@ -4580,15 +4571,15 @@ snapshots:
       domhandler: 5.0.3
       htmlparser2: 10.0.0
 
-  html-react-parser@5.2.7(@types/react@19.2.2)(react@19.2.0):
+  html-react-parser@5.2.8(@types/react@19.2.4)(react@19.2.0):
     dependencies:
       domhandler: 5.0.3
       html-dom-parser: 5.1.1
       react: 19.2.0
       react-property: 2.0.2
-      style-to-js: 1.1.18
+      style-to-js: 1.1.19
     optionalDependencies:
-      '@types/react': 19.2.2
+      '@types/react': 19.2.4
 
   html-url-attributes@3.0.1: {}
 
@@ -4618,8 +4609,6 @@ snapshots:
 
   ini@1.3.8: {}
 
-  inline-style-parser@0.2.4: {}
-
   inline-style-parser@0.2.6: {}
 
   internmap@2.0.3: {}
@@ -4854,9 +4843,9 @@ snapshots:
       type-fest: 0.18.1
       yargs-parser: 20.2.9
 
-  merge-refs@2.0.0(@types/react@19.2.2):
+  merge-refs@2.0.0(@types/react@19.2.4):
     optionalDependencies:
-      '@types/react': 19.2.2
+      '@types/react': 19.2.4
 
   micromark-core-commonmark@2.0.3:
     dependencies:
@@ -5203,7 +5192,7 @@ snapshots:
       react: 19.2.0
       react-dom: 19.2.0(react@19.2.0)
 
-  react-datepicker@8.8.0(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
+  react-datepicker@8.9.0(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
     dependencies:
       '@floating-ui/react': 0.27.16(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
       clsx: 2.1.1
@@ -5239,11 +5228,11 @@ snapshots:
     dependencies:
       react: 19.2.0
 
-  react-markdown@10.1.0(@types/react@19.2.2)(react@19.2.0):
+  react-markdown@10.1.0(@types/react@19.2.4)(react@19.2.0):
     dependencies:
       '@types/hast': 3.0.4
       '@types/mdast': 4.0.4
-      '@types/react': 19.2.2
+      '@types/react': 19.2.4
       devlop: 1.1.0
       hast-util-to-jsx-runtime: 2.3.6
       html-url-attributes: 3.0.1
@@ -5265,13 +5254,13 @@ snapshots:
       qr.js: 0.0.0
       react: 19.2.0
 
-  react-redux@9.2.0(@types/react@19.2.2)(react@19.2.0)(redux@5.0.1):
+  react-redux@9.2.0(@types/react@19.2.4)(react@19.2.0)(redux@5.0.1):
     dependencies:
       '@types/use-sync-external-store': 0.0.6
       react: 19.2.0
       use-sync-external-store: 1.6.0(react@19.2.0)
     optionalDependencies:
-      '@types/react': 19.2.2
+      '@types/react': 19.2.4
       redux: 5.0.1
 
   react-resize-detector@12.3.0(react@19.2.0):
@@ -5279,16 +5268,16 @@ snapshots:
       es-toolkit: 1.41.0
       react: 19.2.0
 
-  react-router-dom@6.30.1(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
+  react-router-dom@6.30.2(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
     dependencies:
-      '@remix-run/router': 1.23.0
+      '@remix-run/router': 1.23.1
       react: 19.2.0
       react-dom: 19.2.0(react@19.2.0)
-      react-router: 6.30.1(react@19.2.0)
+      react-router: 6.30.2(react@19.2.0)
 
-  react-router@6.30.1(react@19.2.0):
+  react-router@6.30.2(react@19.2.0):
     dependencies:
-      '@remix-run/router': 1.23.0
+      '@remix-run/router': 1.23.1
       react: 19.2.0
 
   react-simple-animate@3.5.3(react-dom@19.2.0(react@19.2.0)):
@@ -5353,9 +5342,9 @@ snapshots:
     dependencies:
       picomatch: 2.3.1
 
-  recharts@3.3.0(@types/react@19.2.2)(react-dom@19.2.0(react@19.2.0))(react-is@19.2.0)(react@19.2.0)(redux@5.0.1):
+  recharts@3.4.1(@types/react@19.2.4)(react-dom@19.2.0(react@19.2.0))(react-is@19.2.0)(react@19.2.0)(redux@5.0.1):
     dependencies:
-      '@reduxjs/toolkit': 2.9.2(react-redux@9.2.0(@types/react@19.2.2)(react@19.2.0)(redux@5.0.1))(react@19.2.0)
+      '@reduxjs/toolkit': 2.10.1(react-redux@9.2.0(@types/react@19.2.4)(react@19.2.0)(redux@5.0.1))(react@19.2.0)
       clsx: 2.1.1
       decimal.js-light: 2.5.1
       es-toolkit: 1.41.0
@@ -5364,7 +5353,7 @@ snapshots:
       react: 19.2.0
       react-dom: 19.2.0(react@19.2.0)
       react-is: 19.2.0
-      react-redux: 9.2.0(@types/react@19.2.2)(react@19.2.0)(redux@5.0.1)
+      react-redux: 9.2.0(@types/react@19.2.4)(react@19.2.0)(redux@5.0.1)
       reselect: 5.1.1
       tiny-invariant: 1.3.3
       use-sync-external-store: 1.6.0(react@19.2.0)
@@ -5435,32 +5424,32 @@ snapshots:
       path-parse: 1.0.7
       supports-preserve-symlinks-flag: 1.0.0
 
-  rollup@4.52.5:
+  rollup@4.53.2:
     dependencies:
       '@types/estree': 1.0.8
     optionalDependencies:
-      '@rollup/rollup-android-arm-eabi': 4.52.5
-      '@rollup/rollup-android-arm64': 4.52.5
-      '@rollup/rollup-darwin-arm64': 4.52.5
-      '@rollup/rollup-darwin-x64': 4.52.5
-      '@rollup/rollup-freebsd-arm64': 4.52.5
-      '@rollup/rollup-freebsd-x64': 4.52.5
-      '@rollup/rollup-linux-arm-gnueabihf': 4.52.5
-      '@rollup/rollup-linux-arm-musleabihf': 4.52.5
-      '@rollup/rollup-linux-arm64-gnu': 4.52.5
-      '@rollup/rollup-linux-arm64-musl': 4.52.5
-      '@rollup/rollup-linux-loong64-gnu': 4.52.5
-      '@rollup/rollup-linux-ppc64-gnu': 4.52.5
-      '@rollup/rollup-linux-riscv64-gnu': 4.52.5
-      '@rollup/rollup-linux-riscv64-musl': 4.52.5
-      '@rollup/rollup-linux-s390x-gnu': 4.52.5
-      '@rollup/rollup-linux-x64-gnu': 4.52.5
-      '@rollup/rollup-linux-x64-musl': 4.52.5
-      '@rollup/rollup-openharmony-arm64': 4.52.5
-      '@rollup/rollup-win32-arm64-msvc': 4.52.5
-      '@rollup/rollup-win32-ia32-msvc': 4.52.5
-      '@rollup/rollup-win32-x64-gnu': 4.52.5
-      '@rollup/rollup-win32-x64-msvc': 4.52.5
+      '@rollup/rollup-android-arm-eabi': 4.53.2
+      '@rollup/rollup-android-arm64': 4.53.2
+      '@rollup/rollup-darwin-arm64': 4.53.2
+      '@rollup/rollup-darwin-x64': 4.53.2
+      '@rollup/rollup-freebsd-arm64': 4.53.2
+      '@rollup/rollup-freebsd-x64': 4.53.2
+      '@rollup/rollup-linux-arm-gnueabihf': 4.53.2
+      '@rollup/rollup-linux-arm-musleabihf': 4.53.2
+      '@rollup/rollup-linux-arm64-gnu': 4.53.2
+      '@rollup/rollup-linux-arm64-musl': 4.53.2
+      '@rollup/rollup-linux-loong64-gnu': 4.53.2
+      '@rollup/rollup-linux-ppc64-gnu': 4.53.2
+      '@rollup/rollup-linux-riscv64-gnu': 4.53.2
+      '@rollup/rollup-linux-riscv64-musl': 4.53.2
+      '@rollup/rollup-linux-s390x-gnu': 4.53.2
+      '@rollup/rollup-linux-x64-gnu': 4.53.2
+      '@rollup/rollup-linux-x64-musl': 4.53.2
+      '@rollup/rollup-openharmony-arm64': 4.53.2
+      '@rollup/rollup-win32-arm64-msvc': 4.53.2
+      '@rollup/rollup-win32-ia32-msvc': 4.53.2
+      '@rollup/rollup-win32-x64-gnu': 4.53.2
+      '@rollup/rollup-win32-x64-msvc': 4.53.2
       fsevents: 2.3.3
 
   rxjs@7.8.2:
@@ -5603,18 +5592,10 @@ snapshots:
     dependencies:
       min-indent: 1.0.1
 
-  style-to-js@1.1.18:
-    dependencies:
-      style-to-object: 1.0.11
-
   style-to-js@1.1.19:
     dependencies:
       style-to-object: 1.0.12
 
-  style-to-object@1.0.11:
-    dependencies:
-      inline-style-parser: 0.2.4
-
   style-to-object@1.0.12:
     dependencies:
       inline-style-parser: 0.2.6
@@ -5826,9 +5807,9 @@ snapshots:
       unist-util-is: 6.0.1
       unist-util-visit-parents: 6.0.2
 
-  update-browserslist-db@1.1.4(browserslist@4.27.0):
+  update-browserslist-db@1.1.4(browserslist@4.28.0):
     dependencies:
-      browserslist: 4.27.0
+      browserslist: 4.28.0
       escalade: 3.2.0
       picocolors: 1.1.1
 
@@ -5893,20 +5874,20 @@ snapshots:
       d3-time: 3.1.0
       d3-timer: 3.0.1
 
-  vite-plugin-package-version@1.1.0(vite@7.1.12(@types/node@24.10.0)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)):
+  vite-plugin-package-version@1.1.0(vite@7.2.2(@types/node@24.10.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)):
     dependencies:
-      vite: 7.1.12(@types/node@24.10.0)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
+      vite: 7.2.2(@types/node@24.10.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
 
-  vite@7.1.12(@types/node@24.10.0)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1):
+  vite@7.2.2(@types/node@24.10.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1):
     dependencies:
       esbuild: 0.25.12
       fdir: 6.5.0(picomatch@4.0.3)
       picomatch: 4.0.3
       postcss: 8.5.6
-      rollup: 4.52.5
+      rollup: 4.53.2
       tinyglobby: 0.2.15
     optionalDependencies:
-      '@types/node': 24.10.0
+      '@types/node': 24.10.1
       fsevents: 2.3.3
       jiti: 2.4.2
       sass: 1.70.0
@@ -5993,9 +5974,9 @@ snapshots:
 
   zod@3.25.76: {}
 
-  zustand@5.0.8(@types/react@19.2.2)(immer@10.2.0)(react@19.2.0)(use-sync-external-store@1.6.0(react@19.2.0)):
+  zustand@5.0.8(@types/react@19.2.4)(immer@10.2.0)(react@19.2.0)(use-sync-external-store@1.6.0(react@19.2.0)):
     optionalDependencies:
-      '@types/react': 19.2.2
+      '@types/react': 19.2.4
       immer: 10.2.0
       react: 19.2.0
       use-sync-external-store: 1.6.0(react@19.2.0)
diff --git a/web/src/shared/validators.ts b/web/src/shared/validators.ts
index 4bc73aa9df..77df62d88a 100644
--- a/web/src/shared/validators.ts
+++ b/web/src/shared/validators.ts
@@ -69,6 +69,9 @@ export const validateIpOrDomainList = (
 // Returns false when invalid
 export const validateIPv4 = (ip: string, allowMask = false): boolean => {
   if (allowMask) {
+    if (ip.endsWith('/0')) {
+      return false;
+    }
     if (ip.includes('/')) {
       return ipaddr.IPv4.isValidCIDR(ip);
     }
@@ -78,6 +81,9 @@ export const validateIPv4 = (ip: string, allowMask = false): boolean => {
 
 export const validateIPv6 = (ip: string, allowMask = false): boolean => {
   if (allowMask) {
+    if (ip.endsWith('/0')) {
+      return false;
+    }
     if (ip.includes('/')) {
       return ipaddr.IPv6.isValidCIDR(ip);
     }

From 4b7d52327565f1a23d14765c4f7031355507b1ed Mon Sep 17 00:00:00 2001
From: Adam <adam@defguard.net>
Date: Tue, 18 Nov 2025 13:26:21 +0100
Subject: [PATCH 39/50] Attempt to add depends to FreeBSD package (#1709)

---
 .fpm                          |  4 ++--
 .github/workflows/release.yml | 21 ++++++++++-----------
 Cargo.lock                    |  8 ++++----
 3 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/.fpm b/.fpm
index 546ce641cf..062ba199b1 100644
--- a/.fpm
+++ b/.fpm
@@ -1,5 +1,5 @@
 -s dir
 --name defguard
---description "defguard core service"
+--description "Defguard Core service"
 --url "https://defguard.net/"
---maintainer "teonite"
+--maintainer "Defguard"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c03b43890d..9e352b507a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -107,7 +107,7 @@ jobs:
       - name: Install Rust stable
         uses: actions-rs/toolchain@v1
         with:
-          toolchain: 1.89.0
+          toolchain: 1.89.0 # "stable" causes rust-lld: error on aarch64-linux
           target: ${{ matrix.target }}
           override: true
 
@@ -173,12 +173,12 @@ jobs:
           fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}-${{ matrix.target }}.deb"
 
       - name: Run `packer init`
-        if: matrix.build == 'linux' && matrix.arch == 'amd64'
+        if: matrix.build == 'linux'
         id: init
         run: "packer init ./images/ami/core.pkr.hcl"
 
       - name: Build AMI images for multiple regions
-        if: matrix.build == 'linux' && matrix.arch == 'amd64'
+        if: matrix.build == 'linux'
         run: |
           regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1)
           for region in "${regions[@]}"; do
@@ -216,6 +216,7 @@ jobs:
           COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release.
 
           deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY_APT }} --secret-access-key=${{ secrets.AWS_SECRET_KEY_APT }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" defguard-${{ env.VERSION }}-${{ matrix.target }}.deb
+
       - name: Build RPM package
         if: matrix.build == 'linux'
         uses: defGuard/fpm-action@main
@@ -239,7 +240,7 @@ jobs:
         uses: defGuard/fpm-action@main
         with:
           fpm_args: "defguard-${{ github.ref_name }}-${{ matrix.target }}=/usr/local/bin/defguard defguard.service.freebsd=/usr/local/etc/rc.d/defguard"
-          fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}_${{ matrix.target }}.pkg --freebsd-osversion '*'"
+          fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}_${{ matrix.target }}.pkg --freebsd-osversion '*' --depends openssl"
 
       - name: Upload FreeBSD
         if: matrix.build == 'freebsd'
@@ -253,16 +254,14 @@ jobs:
           asset_content_type: application/octet-stream
 
   apt-sign:
-    needs: 
+    needs:
       - build-binaries
     runs-on:
       - self-hosted
       - Linux
       - X64
-    strategy:
-      fail-fast: false
     steps:
-      - name: Sign APT repository on trixie 
+      - name: Sign APT repository
         run: |
           export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }}
           export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }}
@@ -272,15 +271,15 @@ jobs:
 
           for DIST in trixie; do
             aws s3 cp s3://apt.defguard.net/dists/${DIST}/Release .
-            
+
             curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
               -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
               -F "file=@Release" \
               -o response.json
-            
+
             cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg
             cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease
-            
+
             aws s3 cp Release.gpg s3://apt.defguard.net/dists/${DIST}/ --acl public-read
             aws s3 cp InRelease s3://apt.defguard.net/dists/${DIST}/ --acl public-read
 
diff --git a/Cargo.lock b/Cargo.lock
index ecb8387668..a0722d94d6 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -669,9 +669,9 @@ checksum = "bba18ee93d577a8428902687bcc2b6b45a56b1981a1f6d779731c86cc4c5db18"
 
 [[package]]
 name = "clap"
-version = "4.5.51"
+version = "4.5.52"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4c26d721170e0295f191a69bd9a1f93efcdb0aff38684b61ab5750468972e5f5"
+checksum = "aa8120877db0e5c011242f96806ce3c94e0737ab8108532a76a3300a01db2ab8"
 dependencies = [
  "clap_builder",
  "clap_derive",
@@ -679,9 +679,9 @@ dependencies = [
 
 [[package]]
 name = "clap_builder"
-version = "4.5.51"
+version = "4.5.52"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "75835f0c7bf681bfd05abe44e965760fea999a5286c6eb2d59883634fd02011a"
+checksum = "02576b399397b659c26064fbc92a75fede9d18ffd5f80ca1cd74ddab167016e1"
 dependencies = [
  "anstream",
  "anstyle",

From ac35f5b4280f51e80e972f0a829f8a2126bbd4ff Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Tue, 18 Nov 2025 15:38:57 +0100
Subject: [PATCH 40/50] remove ami (#1710)

---
 .github/workflows/release.yml | 20 -----------
 images/ami/core.pkr.hcl       | 62 -----------------------------------
 images/ami/core.sh            | 13 --------
 3 files changed, 95 deletions(-)
 delete mode 100644 images/ami/core.pkr.hcl
 delete mode 100644 images/ami/core.sh

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9e352b507a..1939c92b14 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -172,26 +172,6 @@ jobs:
           fpm_args: "defguard-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard defguard.service=/usr/lib/systemd/system/defguard.service .env-template=/etc/defguard/core.conf"
           fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}-${{ matrix.target }}.deb"
 
-      - name: Run `packer init`
-        if: matrix.build == 'linux'
-        id: init
-        run: "packer init ./images/ami/core.pkr.hcl"
-
-      - name: Build AMI images for multiple regions
-        if: matrix.build == 'linux'
-        run: |
-          regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1)
-          for region in "${regions[@]}"; do
-            echo "Building AMI for region: $region"
-            echo "Running packer validate for $region..."
-            packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/core.pkr.hcl
-            echo "Building AMI image for $region..."
-            packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/core.pkr.hcl
-          done
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-
       - name: Upload DEB
         if: matrix.build == 'linux'
         uses: actions/upload-release-asset@v1.0.2
diff --git a/images/ami/core.pkr.hcl b/images/ami/core.pkr.hcl
deleted file mode 100644
index 477cfea388..0000000000
--- a/images/ami/core.pkr.hcl
+++ /dev/null
@@ -1,62 +0,0 @@
-packer {
-  required_plugins {
-    amazon = {
-      version = ">= 1.2.8"
-      source  = "github.com/hashicorp/amazon"
-    }
-  }
-}
-
-variable "package_version" {
-  type = string
-}
-
-variable "region" {
-  type    = string
-  default = "eu-north-1"
-}
-
-variable "instance_type" {
-  type    = string
-  default = "t3.micro"
-}
-
-source "amazon-ebs" "defguard-core" {
-  ami_name      = "defguard-core-${var.package_version}-amd64"
-  instance_type = var.instance_type
-  region        = var.region
-  source_ami_filter {
-    filters = {
-      name                = "debian-13-amd64-*"
-      root-device-type    = "ebs"
-      virtualization-type = "hvm"
-    }
-    most_recent = true
-    owners      = ["136693071363"]
-  }
-  ssh_username = "admin"
-}
-
-build {
-  name = "defguard-core"
-  sources = [
-    "source.amazon-ebs.defguard-core"
-  ]
-  
-  provisioner "file" {
-    source      = "defguard-${var.package_version}-x86_64-unknown-linux-gnu.deb"
-    destination = "/tmp/defguard-core.deb"
-  }
-
-  provisioner "shell" {
-    script = "./images/ami/core.sh"
-  }
-
-  provisioner "shell" {
-    inline = ["rm /home/admin/.ssh/authorized_keys"]
-  }
-
-  provisioner "shell" {
-    inline = ["sudo rm /root/.ssh/authorized_keys"]
-  }
-}
diff --git a/images/ami/core.sh b/images/ami/core.sh
deleted file mode 100644
index 1203c711ae..0000000000
--- a/images/ami/core.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-echo "Updating apt repositories..."
-sudo apt update
-
-echo "Installing Defguard package..."
-sudo dpkg -i /tmp/defguard-core.deb
-
-echo "Cleaning up..."
-sudo rm -f /tmp/defguard-core.deb
-
-echo "Defguard installation completed successfully."

From b338cc8706f726dd432264e085bf898b38049d7b Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Thu, 20 Nov 2025 17:12:12 +0100
Subject: [PATCH 41/50] Merge pull request #1706 from DefGuard/all-traffic-only

Related issue: https://github.com/DefGuard/defguard/issues/880

Adds "force all traffic" option to enterprise settings. When selected, all clients are forced to route all traffic via the vpn.
---
 ...ba68521649ba86985d45049487ae50d7dfde8.json | 43 +++++++++
 ...b715db1c1df67da573b0f132fea265e42b416.json | 32 -------
 ...b3dbb0fc747ae0843baa001e47ea328e49c25.json | 27 ++++++
 ...a5e7829eae217ad9f7f3b0b03aa02f8808dc2.json | 16 ----
 .../db/models/enterprise_settings.rs          | 33 +++++--
 crates/defguard_core/src/grpc/mod.rs          | 15 ++-
 .../integration/api/enterprise_settings.rs    | 12 +--
 ...51119122424_client_traffic_policy.down.sql | 13 +++
 ...0251119122424_client_traffic_policy.up.sql | 19 ++++
 proto                                         |  2 +-
 web/src/i18n/en/index.ts                      | 23 ++++-
 web/src/i18n/i18n-types.ts                    | 92 +++++++++++++++----
 web/src/i18n/pl/index.ts                      | 23 ++++-
 .../components/EnterpriseForm.tsx             | 14 +--
 .../TrafficPolicySelect.tsx                   | 77 ++++++++++++++++
 .../components/TrafficPolicySelect/style.scss | 59 ++++++++++++
 web/src/shared/types.ts                       |  8 +-
 17 files changed, 399 insertions(+), 109 deletions(-)
 create mode 100644 .sqlx/query-160d23b882d0465fbc8c5453b7dba68521649ba86985d45049487ae50d7dfde8.json
 delete mode 100644 .sqlx/query-283e1c3d082f1388fc2b806bdcab715db1c1df67da573b0f132fea265e42b416.json
 create mode 100644 .sqlx/query-a644507ebcfb9ef04883ad8b07bb3dbb0fc747ae0843baa001e47ea328e49c25.json
 delete mode 100644 .sqlx/query-ccd62ea7526078c9db47812e7f6a5e7829eae217ad9f7f3b0b03aa02f8808dc2.json
 create mode 100644 migrations/20251119122424_client_traffic_policy.down.sql
 create mode 100644 migrations/20251119122424_client_traffic_policy.up.sql
 create mode 100644 web/src/pages/settings/components/EnterpriseSettings/components/TrafficPolicySelect/TrafficPolicySelect.tsx
 create mode 100644 web/src/pages/settings/components/EnterpriseSettings/components/TrafficPolicySelect/style.scss

diff --git a/.sqlx/query-160d23b882d0465fbc8c5453b7dba68521649ba86985d45049487ae50d7dfde8.json b/.sqlx/query-160d23b882d0465fbc8c5453b7dba68521649ba86985d45049487ae50d7dfde8.json
new file mode 100644
index 0000000000..3b31770567
--- /dev/null
+++ b/.sqlx/query-160d23b882d0465fbc8c5453b7dba68521649ba86985d45049487ae50d7dfde8.json
@@ -0,0 +1,43 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT admin_device_management, client_traffic_policy \"client_traffic_policy: ClientTrafficPolicy\", only_client_activation FROM \"enterprisesettings\" WHERE id = 1",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "admin_device_management",
+        "type_info": "Bool"
+      },
+      {
+        "ordinal": 1,
+        "name": "client_traffic_policy: ClientTrafficPolicy",
+        "type_info": {
+          "Custom": {
+            "name": "client_traffic_policy",
+            "kind": {
+              "Enum": [
+                "none",
+                "disable_all_traffic",
+                "force_all_traffic"
+              ]
+            }
+          }
+        }
+      },
+      {
+        "ordinal": 2,
+        "name": "only_client_activation",
+        "type_info": "Bool"
+      }
+    ],
+    "parameters": {
+      "Left": []
+    },
+    "nullable": [
+      false,
+      false,
+      false
+    ]
+  },
+  "hash": "160d23b882d0465fbc8c5453b7dba68521649ba86985d45049487ae50d7dfde8"
+}
diff --git a/.sqlx/query-283e1c3d082f1388fc2b806bdcab715db1c1df67da573b0f132fea265e42b416.json b/.sqlx/query-283e1c3d082f1388fc2b806bdcab715db1c1df67da573b0f132fea265e42b416.json
deleted file mode 100644
index c1696c5b03..0000000000
--- a/.sqlx/query-283e1c3d082f1388fc2b806bdcab715db1c1df67da573b0f132fea265e42b416.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT admin_device_management, disable_all_traffic, only_client_activation FROM \"enterprisesettings\" WHERE id = 1",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "admin_device_management",
-        "type_info": "Bool"
-      },
-      {
-        "ordinal": 1,
-        "name": "disable_all_traffic",
-        "type_info": "Bool"
-      },
-      {
-        "ordinal": 2,
-        "name": "only_client_activation",
-        "type_info": "Bool"
-      }
-    ],
-    "parameters": {
-      "Left": []
-    },
-    "nullable": [
-      false,
-      false,
-      false
-    ]
-  },
-  "hash": "283e1c3d082f1388fc2b806bdcab715db1c1df67da573b0f132fea265e42b416"
-}
diff --git a/.sqlx/query-a644507ebcfb9ef04883ad8b07bb3dbb0fc747ae0843baa001e47ea328e49c25.json b/.sqlx/query-a644507ebcfb9ef04883ad8b07bb3dbb0fc747ae0843baa001e47ea328e49c25.json
new file mode 100644
index 0000000000..509af4943e
--- /dev/null
+++ b/.sqlx/query-a644507ebcfb9ef04883ad8b07bb3dbb0fc747ae0843baa001e47ea328e49c25.json
@@ -0,0 +1,27 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "UPDATE \"enterprisesettings\" SET admin_device_management = $1, client_traffic_policy = $2, only_client_activation = $3 WHERE id = 1",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Bool",
+        {
+          "Custom": {
+            "name": "client_traffic_policy",
+            "kind": {
+              "Enum": [
+                "none",
+                "disable_all_traffic",
+                "force_all_traffic"
+              ]
+            }
+          }
+        },
+        "Bool"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "a644507ebcfb9ef04883ad8b07bb3dbb0fc747ae0843baa001e47ea328e49c25"
+}
diff --git a/.sqlx/query-ccd62ea7526078c9db47812e7f6a5e7829eae217ad9f7f3b0b03aa02f8808dc2.json b/.sqlx/query-ccd62ea7526078c9db47812e7f6a5e7829eae217ad9f7f3b0b03aa02f8808dc2.json
deleted file mode 100644
index 787a75d7d9..0000000000
--- a/.sqlx/query-ccd62ea7526078c9db47812e7f6a5e7829eae217ad9f7f3b0b03aa02f8808dc2.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE \"enterprisesettings\" SET admin_device_management = $1, disable_all_traffic = $2, only_client_activation = $3 WHERE id = 1",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Bool",
-        "Bool",
-        "Bool"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "ccd62ea7526078c9db47812e7f6a5e7829eae217ad9f7f3b0b03aa02f8808dc2"
-}
diff --git a/crates/defguard_core/src/enterprise/db/models/enterprise_settings.rs b/crates/defguard_core/src/enterprise/db/models/enterprise_settings.rs
index f2e85ced8b..d1c9be350b 100644
--- a/crates/defguard_core/src/enterprise/db/models/enterprise_settings.rs
+++ b/crates/defguard_core/src/enterprise/db/models/enterprise_settings.rs
@@ -1,4 +1,4 @@
-use sqlx::{PgExecutor, query, query_as};
+use sqlx::{PgExecutor, Type, query, query_as};
 use struct_patch::Patch;
 
 use crate::enterprise::is_enterprise_enabled;
@@ -6,11 +6,11 @@ use crate::enterprise::is_enterprise_enabled;
 #[derive(Debug, Deserialize, Patch, Serialize)]
 #[patch(attribute(derive(Deserialize, Serialize)))]
 pub struct EnterpriseSettings {
-    // If true, only admins can manage devices
+    /// If true, only admins can manage devices
     pub admin_device_management: bool,
-    // If true, the option to route all traffic through the vpn is disabled in the client
-    pub disable_all_traffic: bool,
-    // If true, manual WireGuard setup is disabled
+    /// Describes allowed routing options for clients connecting to the instance.
+    pub client_traffic_policy: ClientTrafficPolicy,
+    /// If true, manual WireGuard setup is disabled
     pub only_client_activation: bool,
 }
 
@@ -20,8 +20,8 @@ impl Default for EnterpriseSettings {
     fn default() -> Self {
         Self {
             admin_device_management: false,
-            disable_all_traffic: false,
             only_client_activation: false,
+            client_traffic_policy: ClientTrafficPolicy::default(),
         }
     }
 }
@@ -39,7 +39,8 @@ impl EnterpriseSettings {
             let settings = query_as!(
                 Self,
                 "SELECT admin_device_management, \
-                disable_all_traffic, only_client_activation \
+				client_traffic_policy \"client_traffic_policy: ClientTrafficPolicy\", \
+				only_client_activation \
                 FROM \"enterprisesettings\" WHERE id = 1",
             )
             .fetch_optional(executor)
@@ -57,11 +58,11 @@ impl EnterpriseSettings {
         query!(
             "UPDATE \"enterprisesettings\" SET \
             admin_device_management = $1, \
-            disable_all_traffic = $2, \
+			client_traffic_policy = $2, \
             only_client_activation = $3 \
             WHERE id = 1",
             self.admin_device_management,
-            self.disable_all_traffic,
+            self.client_traffic_policy as ClientTrafficPolicy,
             self.only_client_activation,
         )
         .execute(executor)
@@ -70,3 +71,17 @@ impl EnterpriseSettings {
         Ok(())
     }
 }
+
+/// Describes allowed traffic options for clients connecting to the instance.
+#[derive(Clone, Deserialize, Serialize, PartialEq, Eq, Type, Debug, Default, Copy)]
+#[sqlx(type_name = "client_traffic_policy", rename_all = "snake_case")]
+#[serde(rename_all = "snake_case")]
+pub enum ClientTrafficPolicy {
+    /// No restrictions
+    #[default]
+    None,
+    /// Clients are not allowed to route all traffic through the VPN.
+    DisableAllTraffic,
+    /// Clients are forced to route all traffic through the VPN.
+    ForceAllTraffic,
+}
diff --git a/crates/defguard_core/src/grpc/mod.rs b/crates/defguard_core/src/grpc/mod.rs
index 96dbd24e69..a4c4ba3dcf 100644
--- a/crates/defguard_core/src/grpc/mod.rs
+++ b/crates/defguard_core/src/grpc/mod.rs
@@ -50,7 +50,10 @@ use crate::{
         models::enrollment::{ENROLLMENT_TOKEN_TYPE, Token},
     },
     enterprise::{
-        db::models::{enterprise_settings::EnterpriseSettings, openid_provider::OpenIdProvider},
+        db::models::{
+            enterprise_settings::{ClientTrafficPolicy, EnterpriseSettings},
+            openid_provider::OpenIdProvider,
+        },
         directory_sync::sync_user_groups_if_configured,
         grpc::polling::PollingServer,
         handlers::openid_login::{
@@ -806,7 +809,7 @@ pub struct InstanceInfo {
     url: Url,
     proxy_url: Url,
     username: String,
-    disable_all_traffic: bool,
+    client_traffic_policy: ClientTrafficPolicy,
     enterprise_enabled: bool,
     openid_display_name: Option<String>,
 }
@@ -829,7 +832,7 @@ impl InstanceInfo {
             url: config.url.clone(),
             proxy_url: config.enrollment_url.clone(),
             username: username.into(),
-            disable_all_traffic: enterprise_settings.disable_all_traffic,
+            client_traffic_policy: enterprise_settings.client_traffic_policy,
             enterprise_enabled: is_enterprise_enabled(),
             openid_display_name,
         }
@@ -844,7 +847,11 @@ impl From<InstanceInfo> for defguard_proto::proxy::InstanceInfo {
             url: instance.url.to_string(),
             proxy_url: instance.proxy_url.to_string(),
             username: instance.username,
-            disable_all_traffic: instance.disable_all_traffic,
+            // Ensure backwards compatibility.
+            #[allow(deprecated)]
+            disable_all_traffic: instance.client_traffic_policy
+                == ClientTrafficPolicy::DisableAllTraffic,
+            client_traffic_policy: Some(instance.client_traffic_policy as i32),
             enterprise_enabled: instance.enterprise_enabled,
             openid_display_name: instance.openid_display_name,
         }
diff --git a/crates/defguard_core/tests/integration/api/enterprise_settings.rs b/crates/defguard_core/tests/integration/api/enterprise_settings.rs
index f24582a659..c065dde6cc 100644
--- a/crates/defguard_core/tests/integration/api/enterprise_settings.rs
+++ b/crates/defguard_core/tests/integration/api/enterprise_settings.rs
@@ -1,6 +1,6 @@
 use defguard_core::{
     enterprise::{
-        db::models::enterprise_settings::EnterpriseSettings,
+        db::models::enterprise_settings::{ClientTrafficPolicy, EnterpriseSettings},
         license::{get_cached_license, set_cached_license},
     },
     handlers::Auth,
@@ -33,7 +33,7 @@ async fn test_only_enterprise_can_modify_enterpise_settings(
     // try to patch enterprise settings
     let settings = EnterpriseSettings {
         admin_device_management: false,
-        disable_all_traffic: false,
+        client_traffic_policy: ClientTrafficPolicy::None,
         only_client_activation: false,
     };
 
@@ -81,7 +81,7 @@ async fn test_admin_devices_management_is_enforced(_: PgPoolOptions, options: Pg
     // setup admin devices management
     let settings = EnterpriseSettings {
         admin_device_management: true,
-        disable_all_traffic: false,
+        client_traffic_policy: ClientTrafficPolicy::None,
         only_client_activation: false,
     };
     let response = client
@@ -177,7 +177,7 @@ async fn test_regular_user_device_management(_: PgPoolOptions, options: PgConnec
     // setup admin devices management
     let settings = EnterpriseSettings {
         admin_device_management: false,
-        disable_all_traffic: false,
+        client_traffic_policy: ClientTrafficPolicy::None,
         only_client_activation: false,
     };
     let response = client
@@ -265,7 +265,7 @@ async fn dg25_12_test_enforce_client_activation_only(_: PgPoolOptions, options:
     // disable manual device management
     let settings = EnterpriseSettings {
         admin_device_management: false,
-        disable_all_traffic: false,
+        client_traffic_policy: ClientTrafficPolicy::None,
         only_client_activation: true,
     };
     let response = client
@@ -346,7 +346,7 @@ async fn dg25_13_test_disable_device_config(_: PgPoolOptions, options: PgConnect
     // disable manual device management
     let settings = EnterpriseSettings {
         admin_device_management: false,
-        disable_all_traffic: false,
+        client_traffic_policy: ClientTrafficPolicy::None,
         only_client_activation: true,
     };
     let response = client
diff --git a/migrations/20251119122424_client_traffic_policy.down.sql b/migrations/20251119122424_client_traffic_policy.down.sql
new file mode 100644
index 0000000000..db730678d6
--- /dev/null
+++ b/migrations/20251119122424_client_traffic_policy.down.sql
@@ -0,0 +1,13 @@
+-- restore boolean `mfa_enabled` column
+ALTER TABLE enterprisesettings ADD COLUMN "disable_all_traffic" BOOLEAN NOT NULL DEFAULT false;
+
+-- populate based on client traffic policy
+UPDATE enterprisesettings
+SET disable_all_traffic = CASE
+    WHEN client_traffic_policy = 'disable_all_traffic'::client_traffic_policy THEN true
+    ELSE false
+END;
+
+-- drop new column and type
+ALTER TABLE enterprisesettings DROP COLUMN "client_traffic_policy";
+DROP TYPE client_traffic_policy;
diff --git a/migrations/20251119122424_client_traffic_policy.up.sql b/migrations/20251119122424_client_traffic_policy.up.sql
new file mode 100644
index 0000000000..a5bfb8d8ac
--- /dev/null
+++ b/migrations/20251119122424_client_traffic_policy.up.sql
@@ -0,0 +1,19 @@
+-- add enum representing client traffic policy
+CREATE TYPE client_traffic_policy AS ENUM (
+    'none',
+    'disable_all_traffic',
+    'force_all_traffic'
+);
+
+-- add column to `enterprisesettings` table
+ALTER TABLE enterprisesettings ADD COLUMN "client_traffic_policy" client_traffic_policy NOT NULL DEFAULT 'none';
+
+-- populate new column based on value in `disable_all_traffic` column
+UPDATE enterprisesettings
+SET client_traffic_policy = CASE
+    WHEN disable_all_traffic = true THEN 'disable_all_traffic'::client_traffic_policy
+    ELSE 'none'::client_traffic_policy
+END;
+
+-- drop the `disable_all_traffic` column since it's no longer needed
+ALTER TABLE enterprisesettings DROP COLUMN "disable_all_traffic";
diff --git a/proto b/proto
index 96249ebde0..74d60d9171 160000
--- a/proto
+++ b/proto
@@ -1 +1 @@
-Subproject commit 96249ebde0556f4ae8c47eebc6015efb04ed0104
+Subproject commit 74d60d9171048ba0ccaf8a21b05950fb7a673f09
diff --git a/web/src/i18n/en/index.ts b/web/src/i18n/en/index.ts
index f4b94015e6..ce572bb6bb 100644
--- a/web/src/i18n/en/index.ts
+++ b/web/src/i18n/en/index.ts
@@ -1708,16 +1708,29 @@ Licensing information: [https://docs.defguard.net/enterprise/license](https://do
           helper:
             "When this option is enabled, only users in the Admin group can manage devices in user profile (it's disabled for all other users)",
         },
-        disableAllTraffic: {
-          label: 'Disable the option to route all traffic through VPN',
-          helper:
-            'When this option is enabled, users will not be able to route all traffic through the VPN using the defguard client.',
-        },
         manualConfig: {
           label: "Disable users' ability to manually configure WireGuard client",
           helper:
             "When this option is enabled, users won't be able to view or download configuration for the manual WireGuard client setup. Only the Defguard desktop client configuration will be available.",
         },
+        clientTrafficPolicy: {
+          header: 'Client traffic policy',
+          none: {
+            label: 'None',
+            helper:
+              'When this option is enabled, users will be able to select all routing options.',
+          },
+          disableAllTraffic: {
+            label: 'Disable the option to route all traffic through VPN',
+            helper:
+              'When this option is enabled, users will not be able to route all traffic through the VPN.',
+          },
+          forceAllTraffic: {
+            label: 'Force the clients to route all traffic through VPN',
+            helper:
+              'When this option is enabled, the users will always route all traffic through the VPN.',
+          },
+        },
       },
     },
     gatewayNotifications: {
diff --git a/web/src/i18n/i18n-types.ts b/web/src/i18n/i18n-types.ts
index 2313f93c1c..517c50734c 100644
--- a/web/src/i18n/i18n-types.ts
+++ b/web/src/i18n/i18n-types.ts
@@ -4082,16 +4082,6 @@ type RootTranslation = {
 					 */
 					helper: string
 				}
-				disableAllTraffic: {
-					/**
-					 * D​i​s​a​b​l​e​ ​t​h​e​ ​o​p​t​i​o​n​ ​t​o​ ​r​o​u​t​e​ ​a​l​l​ ​t​r​a​f​f​i​c​ ​t​h​r​o​u​g​h​ ​V​P​N
-					 */
-					label: string
-					/**
-					 * W​h​e​n​ ​t​h​i​s​ ​o​p​t​i​o​n​ ​i​s​ ​e​n​a​b​l​e​d​,​ ​u​s​e​r​s​ ​w​i​l​l​ ​n​o​t​ ​b​e​ ​a​b​l​e​ ​t​o​ ​r​o​u​t​e​ ​a​l​l​ ​t​r​a​f​f​i​c​ ​t​h​r​o​u​g​h​ ​t​h​e​ ​V​P​N​ ​u​s​i​n​g​ ​t​h​e​ ​d​e​f​g​u​a​r​d​ ​c​l​i​e​n​t​.
-					 */
-					helper: string
-				}
 				manualConfig: {
 					/**
 					 * D​i​s​a​b​l​e​ ​u​s​e​r​s​'​ ​a​b​i​l​i​t​y​ ​t​o​ ​m​a​n​u​a​l​l​y​ ​c​o​n​f​i​g​u​r​e​ ​W​i​r​e​G​u​a​r​d​ ​c​l​i​e​n​t
@@ -4102,6 +4092,42 @@ type RootTranslation = {
 					 */
 					helper: string
 				}
+				clientTrafficPolicy: {
+					/**
+					 * C​l​i​e​n​t​ ​t​r​a​f​f​i​c​ ​p​o​l​i​c​y
+					 */
+					header: string
+					none: {
+						/**
+						 * N​o​n​e
+						 */
+						label: string
+						/**
+						 * W​h​e​n​ ​t​h​i​s​ ​o​p​t​i​o​n​ ​i​s​ ​e​n​a​b​l​e​d​,​ ​u​s​e​r​s​ ​w​i​l​l​ ​b​e​ ​a​b​l​e​ ​t​o​ ​s​e​l​e​c​t​ ​a​l​l​ ​r​o​u​t​i​n​g​ ​o​p​t​i​o​n​s​.
+						 */
+						helper: string
+					}
+					disableAllTraffic: {
+						/**
+						 * D​i​s​a​b​l​e​ ​t​h​e​ ​o​p​t​i​o​n​ ​t​o​ ​r​o​u​t​e​ ​a​l​l​ ​t​r​a​f​f​i​c​ ​t​h​r​o​u​g​h​ ​V​P​N
+						 */
+						label: string
+						/**
+						 * W​h​e​n​ ​t​h​i​s​ ​o​p​t​i​o​n​ ​i​s​ ​e​n​a​b​l​e​d​,​ ​u​s​e​r​s​ ​w​i​l​l​ ​n​o​t​ ​b​e​ ​a​b​l​e​ ​t​o​ ​r​o​u​t​e​ ​a​l​l​ ​t​r​a​f​f​i​c​ ​t​h​r​o​u​g​h​ ​t​h​e​ ​V​P​N​.
+						 */
+						helper: string
+					}
+					forceAllTraffic: {
+						/**
+						 * F​o​r​c​e​ ​t​h​e​ ​c​l​i​e​n​t​s​ ​t​o​ ​r​o​u​t​e​ ​a​l​l​ ​t​r​a​f​f​i​c​ ​t​h​r​o​u​g​h​ ​V​P​N
+						 */
+						label: string
+						/**
+						 * W​h​e​n​ ​t​h​i​s​ ​o​p​t​i​o​n​ ​i​s​ ​e​n​a​b​l​e​d​,​ ​t​h​e​ ​u​s​e​r​s​ ​w​i​l​l​ ​a​l​w​a​y​s​ ​r​o​u​t​e​ ​a​l​l​ ​t​r​a​f​f​i​c​ ​t​h​r​o​u​g​h​ ​t​h​e​ ​V​P​N​.
+						 */
+						helper: string
+					}
+				}
 			}
 		}
 		gatewayNotifications: {
@@ -10813,16 +10839,6 @@ export type TranslationFunctions = {
 					 */
 					helper: () => LocalizedString
 				}
-				disableAllTraffic: {
-					/**
-					 * Disable the option to route all traffic through VPN
-					 */
-					label: () => LocalizedString
-					/**
-					 * When this option is enabled, users will not be able to route all traffic through the VPN using the defguard client.
-					 */
-					helper: () => LocalizedString
-				}
 				manualConfig: {
 					/**
 					 * Disable users' ability to manually configure WireGuard client
@@ -10833,6 +10849,42 @@ export type TranslationFunctions = {
 					 */
 					helper: () => LocalizedString
 				}
+				clientTrafficPolicy: {
+					/**
+					 * Client traffic policy
+					 */
+					header: () => LocalizedString
+					none: {
+						/**
+						 * None
+						 */
+						label: () => LocalizedString
+						/**
+						 * When this option is enabled, users will be able to select all routing options.
+						 */
+						helper: () => LocalizedString
+					}
+					disableAllTraffic: {
+						/**
+						 * Disable the option to route all traffic through VPN
+						 */
+						label: () => LocalizedString
+						/**
+						 * When this option is enabled, users will not be able to route all traffic through the VPN.
+						 */
+						helper: () => LocalizedString
+					}
+					forceAllTraffic: {
+						/**
+						 * Force the clients to route all traffic through VPN
+						 */
+						label: () => LocalizedString
+						/**
+						 * When this option is enabled, the users will always route all traffic through the VPN.
+						 */
+						helper: () => LocalizedString
+					}
+				}
 			}
 		}
 		gatewayNotifications: {
diff --git a/web/src/i18n/pl/index.ts b/web/src/i18n/pl/index.ts
index 6525901519..7356101f64 100644
--- a/web/src/i18n/pl/index.ts
+++ b/web/src/i18n/pl/index.ts
@@ -1494,16 +1494,29 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
           helper:
             'Kiedy ta opcja jest włączona, tylko użytkownicy w grupie "Admin" mogą zarządzać urządzeniami w profilu użytkownika',
         },
-        disableAllTraffic: {
-          label: 'Zablokuj możliwość przekierowania całego ruchu przez VPN',
-          helper:
-            'Kiedy ta opcja jest włączona, użytkownicy nie będą mogli przekierować całego ruchu przez VPN za pomocą klienta Defguard.',
-        },
         manualConfig: {
           label: 'Wyłącz manualną konfigurację WireGuard',
           helper:
             'Kiedy ta opcja jest włączona, użytkownicy nie będą mogli pobrać ani wyświetlić danych do manualnej konfiguracji WireGuard. Możliwe będzie wyłącznie skonfigurowanie klienta Defguard.',
         },
+        clientTrafficPolicy: {
+          header: 'Polityka przekierowania ruchu klientów',
+          none: {
+            label: 'Brak',
+            helper:
+              'Kiedy ta opcja jest włączona, użytkownicy mogą wybierać dowolny typ przekierowania ruchu.',
+          },
+          disableAllTraffic: {
+            label: 'Zablokuj możliwość przekierowania całego ruchu przez VPN',
+            helper:
+              'Kiedy ta opcja jest włączona, użytkownicy nie będą mogli przekierować całego ruchu przez VPN.',
+          },
+          forceAllTraffic: {
+            label: 'Wymuś przekierowanie całego ruchu przez VPN',
+            helper:
+              'Kiedy ta opcja jest włączona, użytkownicy będą zawsze przekierowywać cały ruch przez VPN.',
+          },
+        }
       },
     },
     gatewayNotifications: {
diff --git a/web/src/pages/settings/components/EnterpriseSettings/components/EnterpriseForm.tsx b/web/src/pages/settings/components/EnterpriseSettings/components/EnterpriseForm.tsx
index d7df932dec..c8bcdc885d 100644
--- a/web/src/pages/settings/components/EnterpriseSettings/components/EnterpriseForm.tsx
+++ b/web/src/pages/settings/components/EnterpriseSettings/components/EnterpriseForm.tsx
@@ -12,6 +12,7 @@ import useApi from '../../../../../shared/hooks/useApi';
 import { useToaster } from '../../../../../shared/hooks/useToaster';
 import { MutationKeys } from '../../../../../shared/mutations';
 import { QueryKeys } from '../../../../../shared/queries';
+import { ClientTrafficPolicySelect } from './TrafficPolicySelect/TrafficPolicySelect';
 
 export const EnterpriseForm = () => {
   const { LL } = useI18nContext();
@@ -77,17 +78,10 @@ export const EnterpriseForm = () => {
           </Helper>
         </div>
         <div className="helper-row">
-          <LabeledCheckbox
-            disabled={isLoading}
-            label={LL.settingsPage.enterprise.fields.disableAllTraffic.label()}
-            value={settings.disable_all_traffic}
-            onChange={() =>
-              mutate({ disable_all_traffic: !settings.disable_all_traffic })
-            }
+          <ClientTrafficPolicySelect
+            onChange={(value) => mutate({ client_traffic_policy: value })}
+            fieldValue={settings.client_traffic_policy}
           />
-          <Helper>
-            {parse(LL.settingsPage.enterprise.fields.disableAllTraffic.helper())}
-          </Helper>
         </div>
       </div>
     </section>
diff --git a/web/src/pages/settings/components/EnterpriseSettings/components/TrafficPolicySelect/TrafficPolicySelect.tsx b/web/src/pages/settings/components/EnterpriseSettings/components/TrafficPolicySelect/TrafficPolicySelect.tsx
new file mode 100644
index 0000000000..43fa5f3f9c
--- /dev/null
+++ b/web/src/pages/settings/components/EnterpriseSettings/components/TrafficPolicySelect/TrafficPolicySelect.tsx
@@ -0,0 +1,77 @@
+import './style.scss';
+import clsx from 'clsx';
+import parse from 'html-react-parser';
+import { useMemo } from 'react';
+import { useI18nContext } from '../../../../../../i18n/i18n-react';
+import { Helper } from '../../../../../../shared/defguard-ui/components/Layout/Helper/Helper';
+import { RadioButton } from '../../../../../../shared/defguard-ui/components/Layout/RadioButton/Radiobutton';
+import type { SelectOption } from '../../../../../../shared/defguard-ui/components/Layout/Select/types';
+import { ClientTrafficPolicy } from '../../../../../../shared/types';
+
+type Props = {
+  onChange: (event: ClientTrafficPolicy) => void;
+  fieldValue: ClientTrafficPolicy;
+};
+
+export const ClientTrafficPolicySelect = ({ onChange, fieldValue }: Props) => {
+  const { LL } = useI18nContext();
+  const options = useMemo(
+    (): SelectOption<ClientTrafficPolicy>[] => [
+      {
+        key: ClientTrafficPolicy.NONE,
+        value: ClientTrafficPolicy.NONE,
+        label: LL.settingsPage.enterprise.fields.clientTrafficPolicy.none.label(),
+        meta: LL.settingsPage.enterprise.fields.clientTrafficPolicy.none.helper(),
+      },
+      {
+        key: ClientTrafficPolicy.DISABLE_ALL_TRAFFIC,
+        value: ClientTrafficPolicy.DISABLE_ALL_TRAFFIC,
+        label:
+          LL.settingsPage.enterprise.fields.clientTrafficPolicy.disableAllTraffic.label(),
+        meta: LL.settingsPage.enterprise.fields.clientTrafficPolicy.disableAllTraffic.helper(),
+      },
+      {
+        key: ClientTrafficPolicy.FORCE_ALL_TRAFFIC,
+        value: ClientTrafficPolicy.FORCE_ALL_TRAFFIC,
+        label:
+          LL.settingsPage.enterprise.fields.clientTrafficPolicy.forceAllTraffic.label(),
+        meta: LL.settingsPage.enterprise.fields.clientTrafficPolicy.forceAllTraffic.helper(),
+      },
+    ],
+    [
+      LL.settingsPage.enterprise.fields.clientTrafficPolicy.none.label,
+      LL.settingsPage.enterprise.fields.clientTrafficPolicy.none.helper,
+      LL.settingsPage.enterprise.fields.clientTrafficPolicy.forceAllTraffic.label,
+      LL.settingsPage.enterprise.fields.clientTrafficPolicy.forceAllTraffic.helper,
+      LL.settingsPage.enterprise.fields.clientTrafficPolicy.disableAllTraffic.label,
+      LL.settingsPage.enterprise.fields.clientTrafficPolicy.disableAllTraffic.helper,
+    ],
+  );
+
+  return (
+    <div className="client-traffic-policy-select">
+      <label>{LL.settingsPage.enterprise.fields.clientTrafficPolicy.header()}</label>
+      {options.map(({ key, value, label, meta, disabled = false }) => {
+        const active = fieldValue === value;
+        return (
+          <div
+            className={clsx(`client-traffic-policy`, {
+              active,
+              disabled,
+            })}
+            key={key}
+            onClick={() => {
+              if (!disabled) {
+                onChange(value);
+              }
+            }}
+          >
+            <p className="label">{label}</p>
+            <RadioButton active={active} />
+            <Helper>{parse(meta)}</Helper>
+          </div>
+        );
+      })}
+    </div>
+  );
+};
diff --git a/web/src/pages/settings/components/EnterpriseSettings/components/TrafficPolicySelect/style.scss b/web/src/pages/settings/components/EnterpriseSettings/components/TrafficPolicySelect/style.scss
new file mode 100644
index 0000000000..692d1123b8
--- /dev/null
+++ b/web/src/pages/settings/components/EnterpriseSettings/components/TrafficPolicySelect/style.scss
@@ -0,0 +1,59 @@
+.client-traffic-policy-select {
+  display: flex;
+  flex-flow: column;
+  row-gap: var(--spacing-s);
+  margin-bottom: 25px;
+
+  .client-traffic-policy {
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    column-gap: var(--spacing-xs);
+    min-height: 30px;
+    border: 1px solid var(--border-primary);
+    padding: var(--spacing-xs) var(--spacing-s);
+    border-radius: 10px;
+    cursor: pointer;
+    user-select: none;
+    transition-property: border-color, opacity;
+    @include animate-standard;
+
+    &:not(.active) {
+      &:hover {
+        border-color: var(--border-separator);
+      }
+    }
+
+    &.active {
+      border-color: var(--surface-main-primary);
+    }
+
+    &.active,
+    &:hover {
+      .label {
+        color: var(--text-body-primary);
+      }
+    }
+
+    &.disabled {
+      opacity: 0.6;
+      cursor: not-allowed;
+      background-color: var(--surface-secondary);
+
+      .label {
+        color: var(--text-body-disabled);
+      }
+
+      &:hover {
+        border-color: var(--border-primary);
+      }
+    }
+
+    .label {
+      color: var(--text-body-secondary);
+      transition-property: color;
+      @include typography(app-modal-1);
+      @include animate-standard;
+    }
+  }
+}
diff --git a/web/src/shared/types.ts b/web/src/shared/types.ts
index 3c181cb11e..33258f66b6 100644
--- a/web/src/shared/types.ts
+++ b/web/src/shared/types.ts
@@ -1121,9 +1121,15 @@ export type SettingsGatewayNotifications = {
   gateway_disconnect_notifications_reconnect_notification_enabled: boolean;
 };
 
+export enum ClientTrafficPolicy {
+  NONE = 'none',
+  DISABLE_ALL_TRAFFIC = 'disable_all_traffic',
+  FORCE_ALL_TRAFFIC = 'force_all_traffic',
+}
+
 export type SettingsEnterprise = {
   admin_device_management: boolean;
-  disable_all_traffic: boolean;
+  client_traffic_policy: ClientTrafficPolicy;
   only_client_activation: boolean;
 };
 

From 0659ae1b9fcd5a9d3e03a5c9c7c7f572e86955af Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Fri, 21 Nov 2025 11:18:35 +0100
Subject: [PATCH 42/50] Filter MFA locations on network devices modal, block
 creating devices without name (#1719)

* filter mfa locations, validate ip/domain in wizard

* Reject device without name
---
 crates/defguard_core/src/grpc/enrollment.rs    |  5 +++++
 .../steps/MethodStep/MethodStep.tsx            | 12 +++++++-----
 .../WizardNetworkConfiguration.tsx             |  5 ++++-
 web/src/shared/validators.ts                   | 18 ++++++++++++------
 4 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/crates/defguard_core/src/grpc/enrollment.rs b/crates/defguard_core/src/grpc/enrollment.rs
index c7a43069ba..13b0733ea5 100644
--- a/crates/defguard_core/src/grpc/enrollment.rs
+++ b/crates/defguard_core/src/grpc/enrollment.rs
@@ -695,6 +695,11 @@ impl EnrollmentServer {
                 None,
                 true,
             );
+            if device.name.is_empty() {
+                return Err(Status::invalid_argument(
+                    "Cannot add a new device with no name. You may be trying to add a new user device as a network device. Defguard CLI supports only network devices.",
+                ));
+            }
             let device = device.save(&mut *transaction).await.map_err(|err| {
                 error!(
                     "Failed to save device {}, pubkey {} for user {}({:?}): {err}",
diff --git a/web/src/pages/devices/modals/AddStandaloneDeviceModal/steps/MethodStep/MethodStep.tsx b/web/src/pages/devices/modals/AddStandaloneDeviceModal/steps/MethodStep/MethodStep.tsx
index a054a9150c..ef6b9f0853 100644
--- a/web/src/pages/devices/modals/AddStandaloneDeviceModal/steps/MethodStep/MethodStep.tsx
+++ b/web/src/pages/devices/modals/AddStandaloneDeviceModal/steps/MethodStep/MethodStep.tsx
@@ -88,11 +88,13 @@ export const MethodStep = () => {
   // biome-ignore lint/correctness/useExhaustiveDependencies: migration, checkMeLater
   useEffect(() => {
     if (networks) {
-      const options: SelectOption<number>[] = networks.map((n) => ({
-        key: n.id,
-        value: n.id,
-        label: n.name,
-      }));
+      const options: SelectOption<number>[] = networks
+        .filter((n) => n.location_mfa_mode === 'disabled')
+        .map((n) => ({
+          key: n.id,
+          value: n.id,
+          label: n.name,
+        }));
       setState({
         networks,
         networkOptions: options,
diff --git a/web/src/pages/wizard/components/WizardNetworkConfiguration/WizardNetworkConfiguration.tsx b/web/src/pages/wizard/components/WizardNetworkConfiguration/WizardNetworkConfiguration.tsx
index 8d416e221e..6ecdd20349 100644
--- a/web/src/pages/wizard/components/WizardNetworkConfiguration/WizardNetworkConfiguration.tsx
+++ b/web/src/pages/wizard/components/WizardNetworkConfiguration/WizardNetworkConfiguration.tsx
@@ -118,7 +118,10 @@ export const WizardNetworkConfiguration = () => {
           .string()
           .trim()
           .min(1, LL.form.error.required())
-          .refine((val) => validateIpOrDomain(val), LL.form.error.endpoint()),
+          .refine(
+            (val) => validateIpOrDomain(val, false, true),
+            LL.form.error.endpoint(),
+          ),
         port: z
           .number({
             invalid_type_error: LL.form.error.invalid(),
diff --git a/web/src/shared/validators.ts b/web/src/shared/validators.ts
index 77df62d88a..8d99664003 100644
--- a/web/src/shared/validators.ts
+++ b/web/src/shared/validators.ts
@@ -1,6 +1,5 @@
 import ipaddr from 'ipaddr.js';
 import { z } from 'zod';
-
 import { patternValidDomain, patternValidWireguardKey } from './patterns';
 
 export const validateWireguardPublicKey = (props: {
@@ -24,11 +23,13 @@ export const validateIpOrDomain = (
   allowMask = false,
   allowIPv6 = false,
 ): boolean => {
-  return (
-    (allowIPv6 && validateIPv6(val, allowMask)) ||
-    validateIPv4(val, allowMask) ||
-    patternValidDomain.test(val)
-  );
+  const hasLetter = /\p{L}/u.test(val);
+  const hasColon = /:/.test(val);
+  if (!hasLetter || hasColon) {
+    return (allowIPv6 && validateIPv6(val, allowMask)) || validateIPv4(val, allowMask);
+  } else {
+    return patternValidDomain.test(val);
+  }
 };
 
 // Returns false when invalid
@@ -41,6 +42,7 @@ export const validateIpList = (
     .replace(' ', '')
     .split(splitWith)
     .every((el) => {
+      if (!el.includes('/') && allowMasks) return false;
       return validateIPv4(el, allowMasks) || validateIPv6(el, allowMasks);
     });
 };
@@ -76,6 +78,10 @@ export const validateIPv4 = (ip: string, allowMask = false): boolean => {
       return ipaddr.IPv4.isValidCIDR(ip);
     }
   }
+  const ipv4Pattern = /^(\d{1,3}\.){3}\d{1,3}$/;
+  if (!ipv4Pattern.test(ip)) {
+    return false;
+  }
   return ipaddr.IPv4.isValid(ip);
 };
 

From da226a8ca11ab1e8bbb2b6f0fcc3f69cc254b39e Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Mon, 24 Nov 2025 09:56:41 +0100
Subject: [PATCH 43/50] Fix traffic policy settings styling (#1720)

* fix client traffic policy helpers styling

* remove unused useMemo deps

* tweak the header
---
 web/src/i18n/en/index.ts                      |  6 +-
 web/src/i18n/i18n-types.ts                    | 12 +--
 web/src/i18n/pl/index.ts                      |  6 +-
 .../TrafficPolicySelect.tsx                   | 75 +++++++++++--------
 .../components/TrafficPolicySelect/style.scss | 13 ++++
 5 files changed, 69 insertions(+), 43 deletions(-)

diff --git a/web/src/i18n/en/index.ts b/web/src/i18n/en/index.ts
index ce572bb6bb..fa88c26ca5 100644
--- a/web/src/i18n/en/index.ts
+++ b/web/src/i18n/en/index.ts
@@ -1718,17 +1718,17 @@ Licensing information: [https://docs.defguard.net/enterprise/license](https://do
           none: {
             label: 'None',
             helper:
-              'When this option is enabled, users will be able to select all routing options.',
+              'None - When this option is enabled, users will be able to select all routing options.',
           },
           disableAllTraffic: {
             label: 'Disable the option to route all traffic through VPN',
             helper:
-              'When this option is enabled, users will not be able to route all traffic through the VPN.',
+              'Disable all traffic - When this option is enabled, users will not be able to route all traffic through the VPN.',
           },
           forceAllTraffic: {
             label: 'Force the clients to route all traffic through VPN',
             helper:
-              'When this option is enabled, the users will always route all traffic through the VPN.',
+              'Force all traffic - When this option is enabled, the users will always route all traffic through the VPN.',
           },
         },
       },
diff --git a/web/src/i18n/i18n-types.ts b/web/src/i18n/i18n-types.ts
index 517c50734c..a2ce0a2129 100644
--- a/web/src/i18n/i18n-types.ts
+++ b/web/src/i18n/i18n-types.ts
@@ -4103,7 +4103,7 @@ type RootTranslation = {
 						 */
 						label: string
 						/**
-						 * W​h​e​n​ ​t​h​i​s​ ​o​p​t​i​o​n​ ​i​s​ ​e​n​a​b​l​e​d​,​ ​u​s​e​r​s​ ​w​i​l​l​ ​b​e​ ​a​b​l​e​ ​t​o​ ​s​e​l​e​c​t​ ​a​l​l​ ​r​o​u​t​i​n​g​ ​o​p​t​i​o​n​s​.
+						 * N​o​n​e​ ​-​ ​W​h​e​n​ ​t​h​i​s​ ​o​p​t​i​o​n​ ​i​s​ ​e​n​a​b​l​e​d​,​ ​u​s​e​r​s​ ​w​i​l​l​ ​b​e​ ​a​b​l​e​ ​t​o​ ​s​e​l​e​c​t​ ​a​l​l​ ​r​o​u​t​i​n​g​ ​o​p​t​i​o​n​s​.
 						 */
 						helper: string
 					}
@@ -4113,7 +4113,7 @@ type RootTranslation = {
 						 */
 						label: string
 						/**
-						 * W​h​e​n​ ​t​h​i​s​ ​o​p​t​i​o​n​ ​i​s​ ​e​n​a​b​l​e​d​,​ ​u​s​e​r​s​ ​w​i​l​l​ ​n​o​t​ ​b​e​ ​a​b​l​e​ ​t​o​ ​r​o​u​t​e​ ​a​l​l​ ​t​r​a​f​f​i​c​ ​t​h​r​o​u​g​h​ ​t​h​e​ ​V​P​N​.
+						 * D​i​s​a​b​l​e​ ​a​l​l​ ​t​r​a​f​f​i​c​ ​-​ ​W​h​e​n​ ​t​h​i​s​ ​o​p​t​i​o​n​ ​i​s​ ​e​n​a​b​l​e​d​,​ ​u​s​e​r​s​ ​w​i​l​l​ ​n​o​t​ ​b​e​ ​a​b​l​e​ ​t​o​ ​r​o​u​t​e​ ​a​l​l​ ​t​r​a​f​f​i​c​ ​t​h​r​o​u​g​h​ ​t​h​e​ ​V​P​N​.
 						 */
 						helper: string
 					}
@@ -4123,7 +4123,7 @@ type RootTranslation = {
 						 */
 						label: string
 						/**
-						 * W​h​e​n​ ​t​h​i​s​ ​o​p​t​i​o​n​ ​i​s​ ​e​n​a​b​l​e​d​,​ ​t​h​e​ ​u​s​e​r​s​ ​w​i​l​l​ ​a​l​w​a​y​s​ ​r​o​u​t​e​ ​a​l​l​ ​t​r​a​f​f​i​c​ ​t​h​r​o​u​g​h​ ​t​h​e​ ​V​P​N​.
+						 * F​o​r​c​e​ ​a​l​l​ ​t​r​a​f​f​i​c​ ​-​ ​W​h​e​n​ ​t​h​i​s​ ​o​p​t​i​o​n​ ​i​s​ ​e​n​a​b​l​e​d​,​ ​t​h​e​ ​u​s​e​r​s​ ​w​i​l​l​ ​a​l​w​a​y​s​ ​r​o​u​t​e​ ​a​l​l​ ​t​r​a​f​f​i​c​ ​t​h​r​o​u​g​h​ ​t​h​e​ ​V​P​N​.
 						 */
 						helper: string
 					}
@@ -10860,7 +10860,7 @@ export type TranslationFunctions = {
 						 */
 						label: () => LocalizedString
 						/**
-						 * When this option is enabled, users will be able to select all routing options.
+						 * None - When this option is enabled, users will be able to select all routing options.
 						 */
 						helper: () => LocalizedString
 					}
@@ -10870,7 +10870,7 @@ export type TranslationFunctions = {
 						 */
 						label: () => LocalizedString
 						/**
-						 * When this option is enabled, users will not be able to route all traffic through the VPN.
+						 * Disable all traffic - When this option is enabled, users will not be able to route all traffic through the VPN.
 						 */
 						helper: () => LocalizedString
 					}
@@ -10880,7 +10880,7 @@ export type TranslationFunctions = {
 						 */
 						label: () => LocalizedString
 						/**
-						 * When this option is enabled, the users will always route all traffic through the VPN.
+						 * Force all traffic - When this option is enabled, the users will always route all traffic through the VPN.
 						 */
 						helper: () => LocalizedString
 					}
diff --git a/web/src/i18n/pl/index.ts b/web/src/i18n/pl/index.ts
index 7356101f64..3255916235 100644
--- a/web/src/i18n/pl/index.ts
+++ b/web/src/i18n/pl/index.ts
@@ -1504,17 +1504,17 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
           none: {
             label: 'Brak',
             helper:
-              'Kiedy ta opcja jest włączona, użytkownicy mogą wybierać dowolny typ przekierowania ruchu.',
+              'Brak - Kiedy ta opcja jest włączona, użytkownicy mogą wybrać dowolny typ przekierowania ruchu.',
           },
           disableAllTraffic: {
             label: 'Zablokuj możliwość przekierowania całego ruchu przez VPN',
             helper:
-              'Kiedy ta opcja jest włączona, użytkownicy nie będą mogli przekierować całego ruchu przez VPN.',
+              'Zablokuj przekierowanie całego ruchu - Kiedy ta opcja jest włączona, użytkownicy nie będą mogli przekierować całego ruchu przez VPN.',
           },
           forceAllTraffic: {
             label: 'Wymuś przekierowanie całego ruchu przez VPN',
             helper:
-              'Kiedy ta opcja jest włączona, użytkownicy będą zawsze przekierowywać cały ruch przez VPN.',
+              'Wymuś przekierowanie całego ruchu - Kiedy ta opcja jest włączona, użytkownicy będą zawsze przekierowywać cały ruch przez VPN.',
           },
         }
       },
diff --git a/web/src/pages/settings/components/EnterpriseSettings/components/TrafficPolicySelect/TrafficPolicySelect.tsx b/web/src/pages/settings/components/EnterpriseSettings/components/TrafficPolicySelect/TrafficPolicySelect.tsx
index 43fa5f3f9c..2faf81784e 100644
--- a/web/src/pages/settings/components/EnterpriseSettings/components/TrafficPolicySelect/TrafficPolicySelect.tsx
+++ b/web/src/pages/settings/components/EnterpriseSettings/components/TrafficPolicySelect/TrafficPolicySelect.tsx
@@ -1,9 +1,8 @@
 import './style.scss';
 import clsx from 'clsx';
-import parse from 'html-react-parser';
 import { useMemo } from 'react';
 import { useI18nContext } from '../../../../../../i18n/i18n-react';
-import { Helper } from '../../../../../../shared/defguard-ui/components/Layout/Helper/Helper';
+import { MessageBox } from '../../../../../../shared/defguard-ui/components/Layout/MessageBox/MessageBox';
 import { RadioButton } from '../../../../../../shared/defguard-ui/components/Layout/RadioButton/Radiobutton';
 import type { SelectOption } from '../../../../../../shared/defguard-ui/components/Layout/Select/types';
 import { ClientTrafficPolicy } from '../../../../../../shared/types';
@@ -21,57 +20,71 @@ export const ClientTrafficPolicySelect = ({ onChange, fieldValue }: Props) => {
         key: ClientTrafficPolicy.NONE,
         value: ClientTrafficPolicy.NONE,
         label: LL.settingsPage.enterprise.fields.clientTrafficPolicy.none.label(),
-        meta: LL.settingsPage.enterprise.fields.clientTrafficPolicy.none.helper(),
       },
       {
         key: ClientTrafficPolicy.DISABLE_ALL_TRAFFIC,
         value: ClientTrafficPolicy.DISABLE_ALL_TRAFFIC,
         label:
           LL.settingsPage.enterprise.fields.clientTrafficPolicy.disableAllTraffic.label(),
-        meta: LL.settingsPage.enterprise.fields.clientTrafficPolicy.disableAllTraffic.helper(),
       },
       {
         key: ClientTrafficPolicy.FORCE_ALL_TRAFFIC,
         value: ClientTrafficPolicy.FORCE_ALL_TRAFFIC,
         label:
           LL.settingsPage.enterprise.fields.clientTrafficPolicy.forceAllTraffic.label(),
-        meta: LL.settingsPage.enterprise.fields.clientTrafficPolicy.forceAllTraffic.helper(),
       },
     ],
     [
       LL.settingsPage.enterprise.fields.clientTrafficPolicy.none.label,
-      LL.settingsPage.enterprise.fields.clientTrafficPolicy.none.helper,
       LL.settingsPage.enterprise.fields.clientTrafficPolicy.forceAllTraffic.label,
-      LL.settingsPage.enterprise.fields.clientTrafficPolicy.forceAllTraffic.helper,
       LL.settingsPage.enterprise.fields.clientTrafficPolicy.disableAllTraffic.label,
-      LL.settingsPage.enterprise.fields.clientTrafficPolicy.disableAllTraffic.helper,
     ],
   );
 
   return (
-    <div className="client-traffic-policy-select">
-      <label>{LL.settingsPage.enterprise.fields.clientTrafficPolicy.header()}</label>
-      {options.map(({ key, value, label, meta, disabled = false }) => {
-        const active = fieldValue === value;
-        return (
-          <div
-            className={clsx(`client-traffic-policy`, {
-              active,
-              disabled,
-            })}
-            key={key}
-            onClick={() => {
-              if (!disabled) {
-                onChange(value);
-              }
-            }}
-          >
-            <p className="label">{label}</p>
-            <RadioButton active={active} />
-            <Helper>{parse(meta)}</Helper>
-          </div>
-        );
-      })}
+    <div className="client-traffic-policy-settings">
+      <div className="subsection-header">
+        <h3>{LL.settingsPage.enterprise.fields.clientTrafficPolicy.header()}</h3>
+      </div>
+      <div className="client-traffic-policy-select">
+        <MessageBox id="client-traffic-policy-message-box">
+          <ul>
+            <li>
+              <p>{LL.settingsPage.enterprise.fields.clientTrafficPolicy.none.helper()}</p>
+            </li>
+            <li>
+              <p>
+                {LL.settingsPage.enterprise.fields.clientTrafficPolicy.disableAllTraffic.helper()}
+              </p>
+            </li>
+            <li>
+              <p>
+                {LL.settingsPage.enterprise.fields.clientTrafficPolicy.forceAllTraffic.helper()}
+              </p>
+            </li>
+          </ul>
+        </MessageBox>
+        {options.map(({ key, value, label, disabled = false }) => {
+          const active = fieldValue === value;
+          return (
+            <div
+              className={clsx(`client-traffic-policy`, {
+                active,
+                disabled,
+              })}
+              key={key}
+              onClick={() => {
+                if (!disabled) {
+                  onChange(value);
+                }
+              }}
+            >
+              <p className="label">{label}</p>
+              <RadioButton active={active} />
+            </div>
+          );
+        })}
+      </div>
     </div>
   );
 };
diff --git a/web/src/pages/settings/components/EnterpriseSettings/components/TrafficPolicySelect/style.scss b/web/src/pages/settings/components/EnterpriseSettings/components/TrafficPolicySelect/style.scss
index 692d1123b8..ad3f917539 100644
--- a/web/src/pages/settings/components/EnterpriseSettings/components/TrafficPolicySelect/style.scss
+++ b/web/src/pages/settings/components/EnterpriseSettings/components/TrafficPolicySelect/style.scss
@@ -56,4 +56,17 @@
       @include animate-standard;
     }
   }
+
+  #client-traffic-policy-message-box {
+    ul {
+      list-style-position: inside;
+      margin-top: 8px;
+
+      li {
+        p {
+          display: inline;
+        }
+      }
+    }
+  }
 }

From 5aa68b2ea2df81e99af6a9bd237c55ab0036ba0a Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Tue, 25 Nov 2025 12:22:28 +0100
Subject: [PATCH 44/50] Fix validator for ipv4 with port (#1723)

---
 web/src/shared/validators.ts | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/web/src/shared/validators.ts b/web/src/shared/validators.ts
index 8d99664003..0480c722cb 100644
--- a/web/src/shared/validators.ts
+++ b/web/src/shared/validators.ts
@@ -79,9 +79,19 @@ export const validateIPv4 = (ip: string, allowMask = false): boolean => {
     }
   }
   const ipv4Pattern = /^(\d{1,3}\.){3}\d{1,3}$/;
-  if (!ipv4Pattern.test(ip)) {
+  const ipv4WithPortPattern = /^(\d{1,3}\.){3}\d{1,3}(:\d{1,5})?$/;
+  if (!ipv4Pattern.test(ip) && !ipv4WithPortPattern.test(ip)) {
     return false;
   }
+
+  if (ipv4WithPortPattern.test(ip)) {
+    const [address, port] = ip.split(':');
+    ip = address;
+    if (!validatePort(port)) {
+      return false;
+    }
+  }
+
   return ipaddr.IPv4.isValid(ip);
 };
 

From 3b3dc271ba3096651fca4cba1e735ac6b79bd3e5 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Wed, 26 Nov 2025 10:32:34 +0100
Subject: [PATCH 45/50] fix ipv4 validator (#1726)

---
 flake.lock                   | 12 ++++++------
 flake.nix                    |  1 +
 web/src/shared/validators.ts |  2 +-
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/flake.lock b/flake.lock
index 3de9f99f55..8f18766cd4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -20,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1763283776,
-        "narHash": "sha256-Y7TDFPK4GlqrKrivOcsHG8xSGqQx3A6c+i7novT85Uk=",
+        "lastModified": 1763966396,
+        "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "50a96edd8d0db6cc8db57dab6bb6d6ee1f3dc49a",
+        "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a",
         "type": "github"
       },
       "original": {
@@ -48,11 +48,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1763347184,
-        "narHash": "sha256-6QH8hpCYJxifvyHEYg+Da0BotUn03BwLIvYo3JAxuqQ=",
+        "lastModified": 1764124769,
+        "narHash": "sha256-vcoOEy3i8AGJi3Y2C48hrf6CuL2h8W1gLe1gNt72Kxg=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "08895cce80433978d5bfd668efa41c5e24578cbd",
+        "rev": "5da8c00313b4434f00aed6b4c94cd3b207bafdc5",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index f2e6a984c1..1ee1a20d86 100644
--- a/flake.nix
+++ b/flake.nix
@@ -49,6 +49,7 @@
         # Specify the rust-src path (many editors rely on this)
         RUST_SRC_PATH = "${rustToolchain}/lib/rustlib/src/rust/library";
         PLAYWRIGHT_BROWSERS_PATH = "${pkgs.playwright-driver.browsers}";
+        PLAYWRIGHT_SKIP_VALIDATE_HOST_REQUIREMENTS = true;
       };
     });
 }
diff --git a/web/src/shared/validators.ts b/web/src/shared/validators.ts
index 0480c722cb..44d3da6c57 100644
--- a/web/src/shared/validators.ts
+++ b/web/src/shared/validators.ts
@@ -79,7 +79,7 @@ export const validateIPv4 = (ip: string, allowMask = false): boolean => {
     }
   }
   const ipv4Pattern = /^(\d{1,3}\.){3}\d{1,3}$/;
-  const ipv4WithPortPattern = /^(\d{1,3}\.){3}\d{1,3}(:\d{1,5})?$/;
+  const ipv4WithPortPattern = /^(\d{1,3}\.){3}\d{1,3}:\d{1,5}$/;
   if (!ipv4Pattern.test(ip) && !ipv4WithPortPattern.test(ip)) {
     return false;
   }

From 2f1af6bc6c23450fdd7e82f64c3b038c7c9c4d97 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Thu, 27 Nov 2025 13:31:56 +0100
Subject: [PATCH 46/50] RPM config fix (#1730)

---
 .fpm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.fpm b/.fpm
index 062ba199b1..a03eba34a3 100644
--- a/.fpm
+++ b/.fpm
@@ -3,3 +3,4 @@
 --description "Defguard Core service"
 --url "https://defguard.net/"
 --maintainer "Defguard"
+--config-files /etc/defguard/core.conf

From 283ba1223de144bc0a20415c9d62aa54e6684a32 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Fri, 5 Dec 2025 11:26:30 +0100
Subject: [PATCH 47/50] Validator fix, Frontend unit testing (#1733)

* Fix validators

Created new patterns,
Moved validators to Validate.*
Fixed validators in Wizards,smtp configuration

* Unit testing for web, unit tests for validators

* Created Validate.any/all function. Removed logic from zod

* add licenses exceptions
---
 .github/workflows/test-web.yml                |  37 ++
 deny.toml                                     |  20 +-
 web/package.json                              |  14 +-
 web/pnpm-lock.yaml                            | 315 +++++++++++++++++-
 .../NetworkEditForm/NetworkEditForm.tsx       |  43 ++-
 .../SmtpSettingsForm/SmtpSettingsForm.tsx     |  12 +-
 .../WizardNetworkConfiguration.tsx            |  46 ++-
 .../WizardNetworkImport.tsx                   |   7 +-
 web/src/shared/patterns.ts                    |  11 +-
 web/src/shared/types.ts                       |   2 +-
 web/src/shared/validators.ts                  | 225 ++++++++-----
 web/tests/validators.test.ts                  | 301 +++++++++++++++++
 web/vitest.config.mts                         |  16 +
 13 files changed, 907 insertions(+), 142 deletions(-)
 create mode 100644 .github/workflows/test-web.yml
 create mode 100644 web/tests/validators.test.ts
 create mode 100644 web/vitest.config.mts

diff --git a/.github/workflows/test-web.yml b/.github/workflows/test-web.yml
new file mode 100644
index 0000000000..d4085f6c72
--- /dev/null
+++ b/.github/workflows/test-web.yml
@@ -0,0 +1,37 @@
+on:
+  push:
+    branches:
+      - main
+      - dev
+      - "release/**"
+    paths-ignore:
+      - "*.md"
+      - "LICENSE"
+  pull_request:
+    branches:
+      - main
+      - dev
+      - "release/**"
+    paths-ignore:
+      - "*.md"
+      - "LICENSE"
+
+jobs:
+  test-web:
+    runs-on:
+      - codebuild-defguard-core-runner-${{ github.run_id }}-${{ github.run_attempt }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: "recursive"
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 24
+      - name: install deps
+        working-directory: ./web
+        run: |
+          npm i -g npm pnpm
+          pnpm i --frozen-lockfile
+      - name: Run tests
+        working-directory: ./web
+        run: pnpm run test
diff --git a/deny.toml b/deny.toml
index 4bbfa288c1..49991da9e5 100644
--- a/deny.toml
+++ b/deny.toml
@@ -110,34 +110,34 @@ confidence-threshold = 0.8
 # aren't accepted for every possible crate as with the normal allow list
 exceptions = [
     { allow = [
-        "AGPL-3.0-only",
+        "AGPL-3.0-only", "AGPL-3.0-or-later",
     ], crate = "defguard" },
     { allow = [
-        "AGPL-3.0-only",
+        "AGPL-3.0-only", "AGPL-3.0-or-later",
     ], crate = "defguard_common" },
     { allow = [
-        "AGPL-3.0-only",
+        "AGPL-3.0-only", "AGPL-3.0-or-later",
     ], crate = "defguard_core" },
     { allow = [
-        "AGPL-3.0-only",
+        "AGPL-3.0-only", "AGPL-3.0-or-later",
     ], crate = "defguard_mail" },
     { allow = [
-        "AGPL-3.0-only",
+        "AGPL-3.0-only", "AGPL-3.0-or-later",
     ], crate = "defguard_proto" },
     { allow = [
-        "AGPL-3.0-only",
+        "AGPL-3.0-only", "AGPL-3.0-or-later",
     ], crate = "defguard_web_ui" },
     { allow = [
-        "AGPL-3.0-only",
+        "AGPL-3.0-only", "AGPL-3.0-or-later",
     ], crate = "defguard_event_router" },
     { allow = [
-        "AGPL-3.0-only",
+        "AGPL-3.0-only", "AGPL-3.0-or-later",
     ], crate = "defguard_event_logger" },
     { allow = [
-        "AGPL-3.0-only",
+        "AGPL-3.0-only", "AGPL-3.0-or-later",
     ], crate = "defguard_version" },
     { allow = [
-        "AGPL-3.0-only",
+        "AGPL-3.0-only", "AGPL-3.0-or-later",
     ], crate = "model_derive" },
 ]
 
diff --git a/web/package.json b/web/package.json
index d3d9ddbd62..0311645409 100644
--- a/web/package.json
+++ b/web/package.json
@@ -14,7 +14,10 @@
     "typesafe-i18n": "typesafe-i18n",
     "vite": "vite",
     "prettier": "prettier",
-    "biome": "biome"
+    "biome": "biome",
+    "test": "vitest run",
+    "test:ui": "vitest --ui",
+    "test:watch": "vitest"
   },
   "browserslist": {
     "production": [
@@ -40,7 +43,10 @@
     ],
     "onlyBuiltDependencies": [
       "@swc/core"
-    ]
+    ],
+    "overrides": {
+      "mdast-util-to-hast": "13.2.1"
+    }
   },
   "dependencies": {
     "@floating-ui/react": "^0.27.16",
@@ -128,6 +134,7 @@
     "@types/react-dom": "^19.2.3",
     "@types/react-router-dom": "^5.3.3",
     "@vitejs/plugin-react-swc": "^4.2.2",
+    "@vitest/ui": "^4.0.14",
     "autoprefixer": "^10.4.22",
     "concurrently": "^9.2.1",
     "dotenv": "^17.2.3",
@@ -140,6 +147,7 @@
     "type-fest": "^4.41.0",
     "typescript": "~5.9.3",
     "vite": "^7.2.2",
-    "vite-plugin-package-version": "^1.1.0"
+    "vite-plugin-package-version": "^1.1.0",
+    "vitest": "^4.0.14"
   }
 }
diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml
index af6ae57457..5c11d27296 100644
--- a/web/pnpm-lock.yaml
+++ b/web/pnpm-lock.yaml
@@ -4,6 +4,9 @@ settings:
   autoInstallPeers: true
   excludeLinksFromLockfile: false
 
+overrides:
+  mdast-util-to-hast: 13.2.1
+
 importers:
 
   .:
@@ -258,6 +261,9 @@ importers:
       '@vitejs/plugin-react-swc':
         specifier: ^4.2.2
         version: 4.2.2(vite@7.2.2(@types/node@24.10.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))
+      '@vitest/ui':
+        specifier: ^4.0.14
+        version: 4.0.14(vitest@4.0.14)
       autoprefixer:
         specifier: ^10.4.22
         version: 10.4.22(postcss@8.5.6)
@@ -297,6 +303,9 @@ importers:
       vite-plugin-package-version:
         specifier: ^1.1.0
         version: 1.1.0(vite@7.2.2(@types/node@24.10.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))
+      vitest:
+        specifier: ^4.0.14
+        version: 4.0.14(@types/node@24.10.1)(@vitest/ui@4.0.14)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
 
 packages:
 
@@ -704,6 +713,9 @@ packages:
   '@jridgewell/trace-mapping@0.3.31':
     resolution: {integrity: sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw==}
 
+  '@polka/url@1.0.0-next.29':
+    resolution: {integrity: sha512-wwQAWhWSuHaag8c4q/KN/vCoeOJYshAIvMQwD4GpSb3OiZklFfvAgmj0VCBBImRpuF/aFgIRzllXlVX93Jevww==}
+
   '@react-hook/latest@1.0.3':
     resolution: {integrity: sha512-dy6duzl+JnAZcDbNTfmaP3xHiKtbXYOaz3G51MGVljh548Y8MWzTr+PHLOfvpypEVW9zwvl+VyKjbWKEVbV1Rg==}
     peerDependencies:
@@ -992,6 +1004,9 @@ packages:
   '@types/byte-size@8.1.2':
     resolution: {integrity: sha512-jGyVzYu6avI8yuqQCNTZd65tzI8HZrLjKX9sdMqZrGWVlNChu0rf6p368oVEDCYJe5BMx2Ov04tD1wqtgTwGSA==}
 
+  '@types/chai@5.2.3':
+    resolution: {integrity: sha512-Mw558oeA9fFbv65/y4mHtXDs9bPnFMZAL/jxdPFUpOHHIXX91mcgEHbS5Lahr+pwZFR8A7GQleRWeI6cGFC2UA==}
+
   '@types/d3-array@3.2.2':
     resolution: {integrity: sha512-hOLWVbm7uRza0BYXpIIW5pxfrKe0W+D5lrFiAEYR+pb6w3N2SwSMaJbXdUfSEv+dT4MfHBLtn5js0LAWaO6otw==}
 
@@ -1022,6 +1037,9 @@ packages:
   '@types/debug@4.1.12':
     resolution: {integrity: sha512-vIChWdVG3LG1SMxEvI/AK+FWJthlrqlTu7fbrlywTkkaONwk/UAGaULXRlf8vkzFBLVm0zkMdCquhL5aOjhXPQ==}
 
+  '@types/deep-eql@4.0.2':
+    resolution: {integrity: sha512-c9h9dVVMigMPc4bwTvC5dxqtqJZwQPePsWjPlpSOnojbor6pGqdk541lfA7AqFQr5pB1BRdq0juY9db81BwyFw==}
+
   '@types/estree-jsx@1.0.5':
     resolution: {integrity: sha512-52CcUVNFyfb1A2ALocQw/Dd1BQFNmSdkuC3BkZ6iqhdMfQz7JWOFRuJFloOzjk+6WijU56m9oKXFAXc7o3Towg==}
 
@@ -1107,6 +1125,40 @@ packages:
     peerDependencies:
       vite: ^4 || ^5 || ^6 || ^7
 
+  '@vitest/expect@4.0.14':
+    resolution: {integrity: sha512-RHk63V3zvRiYOWAV0rGEBRO820ce17hz7cI2kDmEdfQsBjT2luEKB5tCOc91u1oSQoUOZkSv3ZyzkdkSLD7lKw==}
+
+  '@vitest/mocker@4.0.14':
+    resolution: {integrity: sha512-RzS5NujlCzeRPF1MK7MXLiEFpkIXeMdQ+rN3Kk3tDI9j0mtbr7Nmuq67tpkOJQpgyClbOltCXMjLZicJHsH5Cg==}
+    peerDependencies:
+      msw: ^2.4.9
+      vite: ^6.0.0 || ^7.0.0-0
+    peerDependenciesMeta:
+      msw:
+        optional: true
+      vite:
+        optional: true
+
+  '@vitest/pretty-format@4.0.14':
+    resolution: {integrity: sha512-SOYPgujB6TITcJxgd3wmsLl+wZv+fy3av2PpiPpsWPZ6J1ySUYfScfpIt2Yv56ShJXR2MOA6q2KjKHN4EpdyRQ==}
+
+  '@vitest/runner@4.0.14':
+    resolution: {integrity: sha512-BsAIk3FAqxICqREbX8SetIteT8PiaUL/tgJjmhxJhCsigmzzH8xeadtp7LRnTpCVzvf0ib9BgAfKJHuhNllKLw==}
+
+  '@vitest/snapshot@4.0.14':
+    resolution: {integrity: sha512-aQVBfT1PMzDSA16Y3Fp45a0q8nKexx6N5Amw3MX55BeTeZpoC08fGqEZqVmPcqN0ueZsuUQ9rriPMhZ3Mu19Ag==}
+
+  '@vitest/spy@4.0.14':
+    resolution: {integrity: sha512-JmAZT1UtZooO0tpY3GRyiC/8W7dCs05UOq9rfsUUgEZEdq+DuHLmWhPsrTt0TiW7WYeL/hXpaE07AZ2RCk44hg==}
+
+  '@vitest/ui@4.0.14':
+    resolution: {integrity: sha512-fvDz8o7SQpFLoSBo6Cudv+fE85/fPCkwTnLAN85M+Jv7k59w2mSIjT9Q5px7XwGrmYqqKBEYxh/09IBGd1E7AQ==}
+    peerDependencies:
+      vitest: 4.0.14
+
+  '@vitest/utils@4.0.14':
+    resolution: {integrity: sha512-hLqXZKAWNg8pI+SQXyXxWCTOpA3MvsqcbVeNgSi8x/CSN2wi26dSzn1wrOhmCmFjEvN9p8/kLFRHa6PI8jHazw==}
+
   JSONStream@1.3.5:
     resolution: {integrity: sha512-E+iruNOY8VV9s4JEbe1aNEm6MiszPRr/UfcHMz0TQh1BXSxHK+ASV1R6W4HpjBhSeS+54PIsAMCBmwD06LLsqQ==}
     hasBin: true
@@ -1142,6 +1194,10 @@ packages:
     resolution: {integrity: sha512-3CYzex9M9FGQjCGMGyi6/31c8GJbgb0qGyrx5HWxPd0aCwh4cB2YjMb2Xf9UuoogrMrlO9cTqnB5rI5GHZTcUA==}
     engines: {node: '>=0.10.0'}
 
+  assertion-error@2.0.1:
+    resolution: {integrity: sha512-Izi8RQcffqCeNVgFigKli1ssklIbpHnCYc6AknXGYoB6grJqyeby7jv12JUQgmTAnIDnbck1uxksT4dzN3PWBA==}
+    engines: {node: '>=12'}
+
   asynckit@0.4.0:
     resolution: {integrity: sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==}
 
@@ -1226,6 +1282,10 @@ packages:
   ccount@2.0.1:
     resolution: {integrity: sha512-eyrF0jiFpY+3drT6383f1qhkbGsLSifNAjA61IUjZjmLCWjItY6LB9ft9YhoDgwfmclB2zhu51Lc7+95b8NRAg==}
 
+  chai@6.2.1:
+    resolution: {integrity: sha512-p4Z49OGG5W/WBCPSS/dH3jQ73kD6tiMmUM+bckNK6Jr5JHMG3k9bg/BvKR8lKmtVBKmOiuVaV2ws8s9oSbwysg==}
+    engines: {node: '>=18'}
+
   chalk@2.4.2:
     resolution: {integrity: sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==}
     engines: {node: '>=4'}
@@ -1558,6 +1618,9 @@ packages:
     resolution: {integrity: sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==}
     engines: {node: '>= 0.4'}
 
+  es-module-lexer@1.7.0:
+    resolution: {integrity: sha512-jEQoCwk8hyb2AZziIOLhDqpm5+2ww5uIE6lkO/6jcOCusfk6LhMHpXXfBLXTZ7Ydyt0j4VoUQv6uGNYbdW+kBA==}
+
   es-object-atoms@1.1.1:
     resolution: {integrity: sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==}
     engines: {node: '>= 0.4'}
@@ -1589,6 +1652,9 @@ packages:
   estree-util-is-identifier-name@3.0.0:
     resolution: {integrity: sha512-hFtqIDZTIUZ9BXLb8y4pYGyk6+wekIivNVTcmvk8NoOh+VeRn5y6cEHzbURrWbfp1fIqdVipilzj+lfaadNZmg==}
 
+  estree-walker@3.0.3:
+    resolution: {integrity: sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==}
+
   eventemitter3@5.0.1:
     resolution: {integrity: sha512-GWkBvjiSZK87ELrYOSESUYeVIc9mvLLf/nXalMOS5dYrgZq9o5OVkbZAVM06CVxYsCwH9BDZFPlQTlPA1j4ahA==}
 
@@ -1596,6 +1662,10 @@ packages:
     resolution: {integrity: sha512-mQw+2fkQbALzQ7V0MY0IqdnXNOeTtP4r0lN9z7AAawCXgqea7bDii20AYrIBrFd/Hx0M2Ocz6S111CaFkUcb0Q==}
     engines: {node: '>=0.8.x'}
 
+  expect-type@1.2.2:
+    resolution: {integrity: sha512-JhFGDVJ7tmDJItKhYgJCGLOWjuK9vPxiXoUFLwLDc99NlmklilbiQJwoctZtt13+xMw91MCk/REan6MWHqDjyA==}
+    engines: {node: '>=12.0.0'}
+
   extend@3.0.2:
     resolution: {integrity: sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==}
 
@@ -1611,6 +1681,9 @@ packages:
       picomatch:
         optional: true
 
+  fflate@0.8.2:
+    resolution: {integrity: sha512-cPJU47OaAoCbg0pBvzsgpTPhmhqI5eJjh/JIu8tPj5q+T7iLvW/JAYUqmE7KOB4R1ZyEhzBaIQpQpardBF5z8A==}
+
   figures@3.2.0:
     resolution: {integrity: sha512-yaduQFRKLXYOGgEn6AZau90j3ggSOyiqXU0F9JZfeXYhNa+Jk4X+s45A2zg5jns87GAFa34BBm2kXw4XpNcbdg==}
     engines: {node: '>=8'}
@@ -1641,6 +1714,9 @@ packages:
     resolution: {integrity: sha512-78/PXT1wlLLDgTzDs7sjq9hzz0vXD+zn+7wypEe4fXQxCmdmqfGsEPQxmiCSQI3ajFV91bVSsvNtrJRiW6nGng==}
     engines: {node: '>=10'}
 
+  flatted@3.3.3:
+    resolution: {integrity: sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==}
+
   follow-redirects@1.15.11:
     resolution: {integrity: sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==}
     engines: {node: '>=4.0'}
@@ -2017,6 +2093,9 @@ packages:
     resolution: {integrity: sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==}
     engines: {node: '>=10'}
 
+  magic-string@0.30.21:
+    resolution: {integrity: sha512-vd2F4YUyEXKGcLHoq+TEyCjxueSeHnFxyyjNp80yg0XV4vUhnDer/lvvlqM/arB5bXQN5K2/3oinyCRyx8T2CQ==}
+
   map-obj@1.0.1:
     resolution: {integrity: sha512-7N/q3lyZ+LVCp7PzuxrJr4KMbBE2hW7BT7YNia330OFxIf4d3r5zVpicP2650l7CPN6RM9zOJRl3NGpqSiw3Eg==}
     engines: {node: '>=0.10.0'}
@@ -2044,8 +2123,8 @@ packages:
   mdast-util-phrasing@4.1.0:
     resolution: {integrity: sha512-TqICwyvJJpBwvGAMZjj4J2n0X8QWp21b9l0o7eXyVJ25YNWYbJDVIyD1bZXE6WtV6RmKJVYmQAKWa0zWOABz2w==}
 
-  mdast-util-to-hast@13.2.0:
-    resolution: {integrity: sha512-QGYKEuUsYT9ykKBCMOEDLsU5JRObWQusAolFMeko/tYPufNkRffBAQjIE+99jbA87xv6FgmjLtwjh9wBWajwAA==}
+  mdast-util-to-hast@13.2.1:
+    resolution: {integrity: sha512-cctsq2wp5vTsLIcaymblUriiTcZd0CwWtCbLvrOzYCDZoWyMNV8sZ7krj09FSnsiJi3WVsHLM4k6Dq/yaPyCXA==}
 
   mdast-util-to-markdown@2.1.2:
     resolution: {integrity: sha512-xj68wMTvGXVOKonmog6LwyJKrYXZPvlwabaryTjLh9LuvovB/KAH+kvi8Gjj+7rJjsFi23nkUxRQv1KqSroMqA==}
@@ -2178,6 +2257,10 @@ packages:
       react-dom:
         optional: true
 
+  mrmime@2.0.1:
+    resolution: {integrity: sha512-Y3wQdFg2Va6etvQ5I82yUhGdsKrcYox6p7FfL1LbK2J4V01F9TGlepTIhnK24t7koZibmg82KGglhA1XK5IsLQ==}
+    engines: {node: '>=10'}
+
   ms@2.1.3:
     resolution: {integrity: sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==}
 
@@ -2221,6 +2304,9 @@ packages:
     resolution: {integrity: sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==}
     engines: {node: '>= 0.4'}
 
+  obug@2.1.1:
+    resolution: {integrity: sha512-uTqF9MuPraAQ+IsnPf366RG4cP9RtUi7MLO1N3KEc+wb0a6yKpeL0lmk2IB1jY5KHPAlTc6T/JRdC/YqxHNwkQ==}
+
   p-limit@1.3.0:
     resolution: {integrity: sha512-vvcXsLAJ9Dr5rQOPk7toZQZJApBl2K4J6dANSsEuh6QI41JYcsS/qhTGa9ErIUUgK3WNQoJYvylxvjqmiqEA9Q==}
     engines: {node: '>=4'}
@@ -2294,6 +2380,9 @@ packages:
     resolution: {integrity: sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==}
     engines: {node: '>=8'}
 
+  pathe@2.0.3:
+    resolution: {integrity: sha512-WUjGcAqP1gQacoQe+OBJsFA7Ld4DyXuUIjZ5cc75cLHvJ7dtNsTugphxIADwspS+AraAUePCKrSVtPLFj/F88w==}
+
   picocolors@1.1.1:
     resolution: {integrity: sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==}
 
@@ -2631,6 +2720,13 @@ packages:
     resolution: {integrity: sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==}
     engines: {node: '>= 0.4'}
 
+  siginfo@2.0.0:
+    resolution: {integrity: sha512-ybx0WO1/8bSBLEWXZvEd7gMW3Sn3JFlW3TvX1nREbDLRNQNaeNN8WK0meBwPdAaOI7TtRRRJn/Es1zhrrCHu7g==}
+
+  sirv@3.0.2:
+    resolution: {integrity: sha512-2wcC/oGxHis/BoHkkPwldgiPSYcpZK3JU28WoMVv55yHJgcZ8rlXvuG9iZggz+sU1d4bRgIGASwyWqjxu3FM0g==}
+    engines: {node: '>=18'}
+
   source-map-js@1.2.1:
     resolution: {integrity: sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==}
     engines: {node: '>=0.10.0'}
@@ -2667,11 +2763,17 @@ packages:
   split@1.0.1:
     resolution: {integrity: sha512-mTyOoPbrivtXnwnIxZRFYRrPNtEFKlpB2fvjSnCQUiAA6qAZzqwna5envK4uk6OIeP17CsdF3rSBGYVBsU0Tkg==}
 
+  stackback@0.0.2:
+    resolution: {integrity: sha512-1XMJE5fQo1jGH6Y/7ebnwPOBEkIEnT4QF32d5R1+VXdXveM0IBMJt8zfaxX1P3QhVwrYe+576+jkANtSS2mBbw==}
+
   standard-version@9.5.0:
     resolution: {integrity: sha512-3zWJ/mmZQsOaO+fOlsa0+QK90pwhNd042qEcw6hKFNoLFs7peGyvPffpEBbK/DSGPbyOvli0mUIFv5A4qTjh2Q==}
     engines: {node: '>=10'}
     hasBin: true
 
+  std-env@3.10.0:
+    resolution: {integrity: sha512-5GS12FdOZNliM5mAOxFRg7Ir0pWz8MdpYm6AY6VPkGpbA7ZzmbzNcBJQ0GPvvyWgcY7QAhCgf9Uy89I03faLkg==}
+
   string-width@4.2.3:
     resolution: {integrity: sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==}
     engines: {node: '>=8'}
@@ -2813,14 +2915,28 @@ packages:
   tiny-invariant@1.3.3:
     resolution: {integrity: sha512-+FbBPE1o9QAYvviau/qC5SE3caw21q3xkvWKBtja5vgqOWIHHJ3ioaq1VPfn/Szqctz2bU/oYeKd9/z5BL+PVg==}
 
+  tinybench@2.9.0:
+    resolution: {integrity: sha512-0+DUvqWMValLmha6lr4kD8iAMK1HzV0/aKnCtWb9v9641TnP/MFb7Pc2bxoxQjTXAErryXVgUOfv2YqNllqGeg==}
+
+  tinyexec@0.3.2:
+    resolution: {integrity: sha512-KQQR9yN7R5+OSwaK0XQoj22pwHoTlgYqmUscPYoknOoWCWfj/5/ABTMRi69FrKU5ffPVh5QcFikpWJI/P1ocHA==}
+
   tinyglobby@0.2.15:
     resolution: {integrity: sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ==}
     engines: {node: '>=12.0.0'}
 
+  tinyrainbow@3.0.3:
+    resolution: {integrity: sha512-PSkbLUoxOFRzJYjjxHJt9xro7D+iilgMX/C9lawzVuYiIdcihh9DXmVibBe8lmcFrRi/VzlPjBxbN7rH24q8/Q==}
+    engines: {node: '>=14.0.0'}
+
   to-regex-range@5.0.1:
     resolution: {integrity: sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==}
     engines: {node: '>=8.0'}
 
+  totalist@3.0.1:
+    resolution: {integrity: sha512-sf4i37nQ2LBx4m3wB74y+ubopq6W/dIzXg0FDGjsYnZHVa1Da8FH853wlL2gtUhg+xJXjfk3kUZS3BRoQeoQBQ==}
+    engines: {node: '>=6'}
+
   tree-kill@1.2.2:
     resolution: {integrity: sha512-L0Orpi8qGpRG//Nd+H90vFB+3iHnue1zSSGmNOOCh1GLJ7rUKVwV2HvijphGQS2UmhUZewS9VgvxYIdgr+fG1A==}
     hasBin: true
@@ -2990,12 +3106,51 @@ packages:
       yaml:
         optional: true
 
+  vitest@4.0.14:
+    resolution: {integrity: sha512-d9B2J9Cm9dN9+6nxMnnNJKJCtcyKfnHj15N6YNJfaFHRLua/d3sRKU9RuKmO9mB0XdFtUizlxfz/VPbd3OxGhw==}
+    engines: {node: ^20.0.0 || ^22.0.0 || >=24.0.0}
+    hasBin: true
+    peerDependencies:
+      '@edge-runtime/vm': '*'
+      '@opentelemetry/api': ^1.9.0
+      '@types/node': ^20.0.0 || ^22.0.0 || >=24.0.0
+      '@vitest/browser-playwright': 4.0.14
+      '@vitest/browser-preview': 4.0.14
+      '@vitest/browser-webdriverio': 4.0.14
+      '@vitest/ui': 4.0.14
+      happy-dom: '*'
+      jsdom: '*'
+    peerDependenciesMeta:
+      '@edge-runtime/vm':
+        optional: true
+      '@opentelemetry/api':
+        optional: true
+      '@types/node':
+        optional: true
+      '@vitest/browser-playwright':
+        optional: true
+      '@vitest/browser-preview':
+        optional: true
+      '@vitest/browser-webdriverio':
+        optional: true
+      '@vitest/ui':
+        optional: true
+      happy-dom:
+        optional: true
+      jsdom:
+        optional: true
+
   web-namespaces@2.0.1:
     resolution: {integrity: sha512-bKr1DkiNa2krS7qxNtdrtHAmzuYGFQLiQ13TsorsdT6ULTkPLKuu5+GsFpDlg6JFjUTwX2DyhMPG2be8uPrqsQ==}
 
   which-module@2.0.1:
     resolution: {integrity: sha512-iBdZ57RDvnOR9AGBhML2vFZf7h8vmBjhoaZqODJBFWHVtKkDmKuHai3cx5PgVMrX5YDNp27AofYbAwctSS+vhQ==}
 
+  why-is-node-running@2.3.0:
+    resolution: {integrity: sha512-hUrmaWBdVDcxvYqnyh09zunKzROWjbZTiNy8dBEjkS7ehEDQibXJ7XvlmtbwuTclUiIyN+CyXQD4Vmko8fNm8w==}
+    engines: {node: '>=8'}
+    hasBin: true
+
   wordwrap@1.0.0:
     resolution: {integrity: sha512-gvVzJFlPycKc5dZN4yPkP8w7Dc37BtP1yczEneOb4uq34pXZcvrtRTmWV8W+Ume+XCxKgbjM+nevkyFPMybd4Q==}
 
@@ -3466,6 +3621,8 @@ snapshots:
       '@jridgewell/resolve-uri': 3.1.2
       '@jridgewell/sourcemap-codec': 1.5.5
 
+  '@polka/url@1.0.0-next.29': {}
+
   '@react-hook/latest@1.0.3(react@19.2.0)':
     dependencies:
       react: 19.2.0
@@ -3681,6 +3838,11 @@ snapshots:
 
   '@types/byte-size@8.1.2': {}
 
+  '@types/chai@5.2.3':
+    dependencies:
+      '@types/deep-eql': 4.0.2
+      assertion-error: 2.0.1
+
   '@types/d3-array@3.2.2': {}
 
   '@types/d3-color@3.1.3': {}
@@ -3709,6 +3871,8 @@ snapshots:
     dependencies:
       '@types/ms': 2.1.0
 
+  '@types/deep-eql@4.0.2': {}
+
   '@types/estree-jsx@1.0.5':
     dependencies:
       '@types/estree': 1.0.8
@@ -3791,6 +3955,56 @@ snapshots:
     transitivePeerDependencies:
       - '@swc/helpers'
 
+  '@vitest/expect@4.0.14':
+    dependencies:
+      '@standard-schema/spec': 1.0.0
+      '@types/chai': 5.2.3
+      '@vitest/spy': 4.0.14
+      '@vitest/utils': 4.0.14
+      chai: 6.2.1
+      tinyrainbow: 3.0.3
+
+  '@vitest/mocker@4.0.14(vite@7.2.2(@types/node@24.10.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))':
+    dependencies:
+      '@vitest/spy': 4.0.14
+      estree-walker: 3.0.3
+      magic-string: 0.30.21
+    optionalDependencies:
+      vite: 7.2.2(@types/node@24.10.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
+
+  '@vitest/pretty-format@4.0.14':
+    dependencies:
+      tinyrainbow: 3.0.3
+
+  '@vitest/runner@4.0.14':
+    dependencies:
+      '@vitest/utils': 4.0.14
+      pathe: 2.0.3
+
+  '@vitest/snapshot@4.0.14':
+    dependencies:
+      '@vitest/pretty-format': 4.0.14
+      magic-string: 0.30.21
+      pathe: 2.0.3
+
+  '@vitest/spy@4.0.14': {}
+
+  '@vitest/ui@4.0.14(vitest@4.0.14)':
+    dependencies:
+      '@vitest/utils': 4.0.14
+      fflate: 0.8.2
+      flatted: 3.3.3
+      pathe: 2.0.3
+      sirv: 3.0.2
+      tinyglobby: 0.2.15
+      tinyrainbow: 3.0.3
+      vitest: 4.0.14(@types/node@24.10.1)(@vitest/ui@4.0.14)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
+
+  '@vitest/utils@4.0.14':
+    dependencies:
+      '@vitest/pretty-format': 4.0.14
+      tinyrainbow: 3.0.3
+
   JSONStream@1.3.5:
     dependencies:
       jsonparse: 1.3.1
@@ -3820,6 +4034,8 @@ snapshots:
 
   arrify@1.0.1: {}
 
+  assertion-error@2.0.1: {}
+
   asynckit@0.4.0: {}
 
   autoprefixer@10.4.22(postcss@8.5.6):
@@ -3901,6 +4117,8 @@ snapshots:
 
   ccount@2.0.1: {}
 
+  chai@6.2.1: {}
+
   chalk@2.4.2:
     dependencies:
       ansi-styles: 3.2.1
@@ -4262,6 +4480,8 @@ snapshots:
 
   es-errors@1.3.0: {}
 
+  es-module-lexer@1.7.0: {}
+
   es-object-atoms@1.1.1:
     dependencies:
       es-errors: 1.3.0
@@ -4312,10 +4532,16 @@ snapshots:
 
   estree-util-is-identifier-name@3.0.0: {}
 
+  estree-walker@3.0.3:
+    dependencies:
+      '@types/estree': 1.0.8
+
   eventemitter3@5.0.1: {}
 
   events@3.3.0: {}
 
+  expect-type@1.2.2: {}
+
   extend@3.0.2: {}
 
   fast-deep-equal@3.1.3: {}
@@ -4324,6 +4550,8 @@ snapshots:
     optionalDependencies:
       picomatch: 4.0.3
 
+  fflate@0.8.2: {}
+
   figures@3.2.0:
     dependencies:
       escape-string-regexp: 1.0.5
@@ -4354,6 +4582,8 @@ snapshots:
       locate-path: 6.0.0
       path-exists: 4.0.0
 
+  flatted@3.3.3: {}
+
   follow-redirects@1.15.11: {}
 
   form-data@4.0.4:
@@ -4498,7 +4728,7 @@ snapshots:
       hast-util-from-parse5: 8.0.3
       hast-util-to-parse5: 8.0.0
       html-void-elements: 3.0.0
-      mdast-util-to-hast: 13.2.0
+      mdast-util-to-hast: 13.2.1
       parse5: 7.3.0
       unist-util-position: 5.0.0
       unist-util-visit: 5.0.0
@@ -4734,6 +4964,10 @@ snapshots:
     dependencies:
       yallist: 4.0.0
 
+  magic-string@0.30.21:
+    dependencies:
+      '@jridgewell/sourcemap-codec': 1.5.5
+
   map-obj@1.0.1: {}
 
   map-obj@4.3.0: {}
@@ -4801,7 +5035,7 @@ snapshots:
       '@types/mdast': 4.0.4
       unist-util-is: 6.0.1
 
-  mdast-util-to-hast@13.2.0:
+  mdast-util-to-hast@13.2.1:
     dependencies:
       '@types/hast': 3.0.4
       '@types/mdast': 4.0.4
@@ -5021,6 +5255,8 @@ snapshots:
       react: 19.2.0
       react-dom: 19.2.0(react@19.2.0)
 
+  mrmime@2.0.1: {}
+
   ms@2.1.3: {}
 
   n-gram@2.0.2: {}
@@ -5057,6 +5293,8 @@ snapshots:
 
   object-inspect@1.13.4: {}
 
+  obug@2.1.1: {}
+
   p-limit@1.3.0:
     dependencies:
       p-try: 1.0.0
@@ -5131,6 +5369,8 @@ snapshots:
 
   path-type@4.0.0: {}
 
+  pathe@2.0.3: {}
+
   picocolors@1.1.1: {}
 
   picomatch@2.3.1: {}
@@ -5236,7 +5476,7 @@ snapshots:
       devlop: 1.1.0
       hast-util-to-jsx-runtime: 2.3.6
       html-url-attributes: 3.0.1
-      mdast-util-to-hast: 13.2.0
+      mdast-util-to-hast: 13.2.1
       react: 19.2.0
       remark-parse: 11.0.0
       remark-rehype: 11.1.2
@@ -5406,7 +5646,7 @@ snapshots:
     dependencies:
       '@types/hast': 3.0.4
       '@types/mdast': 4.0.4
-      mdast-util-to-hast: 13.2.0
+      mdast-util-to-hast: 13.2.1
       unified: 11.0.5
       vfile: 6.0.3
 
@@ -5508,6 +5748,14 @@ snapshots:
       side-channel-map: 1.0.1
       side-channel-weakmap: 1.0.2
 
+  siginfo@2.0.0: {}
+
+  sirv@3.0.2:
+    dependencies:
+      '@polka/url': 1.0.0-next.29
+      mrmime: 2.0.1
+      totalist: 3.0.1
+
   source-map-js@1.2.1: {}
 
   source-map-support@0.5.21:
@@ -5544,6 +5792,8 @@ snapshots:
     dependencies:
       through: 2.3.8
 
+  stackback@0.0.2: {}
+
   standard-version@9.5.0:
     dependencies:
       chalk: 2.4.2
@@ -5561,6 +5811,8 @@ snapshots:
       stringify-package: 1.0.1
       yargs: 16.2.0
 
+  std-env@3.10.0: {}
+
   string-width@4.2.3:
     dependencies:
       emoji-regex: 8.0.0
@@ -5734,15 +5986,23 @@ snapshots:
 
   tiny-invariant@1.3.3: {}
 
+  tinybench@2.9.0: {}
+
+  tinyexec@0.3.2: {}
+
   tinyglobby@0.2.15:
     dependencies:
       fdir: 6.5.0(picomatch@4.0.3)
       picomatch: 4.0.3
 
+  tinyrainbow@3.0.3: {}
+
   to-regex-range@5.0.1:
     dependencies:
       is-number: 7.0.0
 
+  totalist@3.0.1: {}
+
   tree-kill@1.2.2: {}
 
   trim-lines@3.0.1: {}
@@ -5894,10 +6154,53 @@ snapshots:
       terser: 5.37.0
       yaml: 2.6.1
 
+  vitest@4.0.14(@types/node@24.10.1)(@vitest/ui@4.0.14)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1):
+    dependencies:
+      '@vitest/expect': 4.0.14
+      '@vitest/mocker': 4.0.14(vite@7.2.2(@types/node@24.10.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1))
+      '@vitest/pretty-format': 4.0.14
+      '@vitest/runner': 4.0.14
+      '@vitest/snapshot': 4.0.14
+      '@vitest/spy': 4.0.14
+      '@vitest/utils': 4.0.14
+      es-module-lexer: 1.7.0
+      expect-type: 1.2.2
+      magic-string: 0.30.21
+      obug: 2.1.1
+      pathe: 2.0.3
+      picomatch: 4.0.3
+      std-env: 3.10.0
+      tinybench: 2.9.0
+      tinyexec: 0.3.2
+      tinyglobby: 0.2.15
+      tinyrainbow: 3.0.3
+      vite: 7.2.2(@types/node@24.10.1)(jiti@2.4.2)(sass@1.70.0)(terser@5.37.0)(yaml@2.6.1)
+      why-is-node-running: 2.3.0
+    optionalDependencies:
+      '@types/node': 24.10.1
+      '@vitest/ui': 4.0.14(vitest@4.0.14)
+    transitivePeerDependencies:
+      - jiti
+      - less
+      - lightningcss
+      - msw
+      - sass
+      - sass-embedded
+      - stylus
+      - sugarss
+      - terser
+      - tsx
+      - yaml
+
   web-namespaces@2.0.1: {}
 
   which-module@2.0.1: {}
 
+  why-is-node-running@2.3.0:
+    dependencies:
+      siginfo: 2.0.0
+      stackback: 0.0.2
+
   wordwrap@1.0.0: {}
 
   wrap-ansi@6.2.0:
diff --git a/web/src/pages/network/NetworkEditForm/NetworkEditForm.tsx b/web/src/pages/network/NetworkEditForm/NetworkEditForm.tsx
index 772c97a2a1..8968939c1e 100644
--- a/web/src/pages/network/NetworkEditForm/NetworkEditForm.tsx
+++ b/web/src/pages/network/NetworkEditForm/NetworkEditForm.tsx
@@ -31,11 +31,7 @@ import {
 } from '../../../shared/types';
 import { titleCase } from '../../../shared/utils/titleCase';
 import { trimObjectStrings } from '../../../shared/utils/trimObjectStrings.ts';
-import {
-  validateIpList,
-  validateIpOrDomain,
-  validateIpOrDomainList,
-} from '../../../shared/validators';
+import { Validate } from '../../../shared/validators';
 import { useNetworkPageStore } from '../hooks/useNetworkPageStore';
 import { DividerHeader } from './components/DividerHeader.tsx';
 
@@ -124,15 +120,15 @@ export const NetworkEditForm = () => {
           .string()
           .trim()
           .min(1, LL.form.error.required())
-          .refine((value) => {
-            return validateIpList(value, ',', true);
+          .refine((val) => {
+            return Validate.any(val, [Validate.CIDRv4, Validate.CIDRv6], true);
           }, LL.form.error.addressNetmask()),
         endpoint: z
           .string()
           .trim()
           .min(1, LL.form.error.required())
           .refine(
-            (val) => validateIpOrDomain(val, false, true),
+            (val) => Validate.any(val, [Validate.IPv4, Validate.IPv6, Validate.Domain]),
             LL.form.error.endpoint(),
           ),
         port: z
@@ -140,17 +136,34 @@ export const NetworkEditForm = () => {
             invalid_type_error: LL.form.error.required(),
           })
           .max(65535, LL.form.error.portMax()),
-        allowed_ips: z.string(),
+        allowed_ips: z
+          .string()
+          .trim()
+          .optional()
+          .refine(
+            (val) =>
+              Validate.any(
+                val,
+                [
+                  Validate.CIDRv4,
+                  Validate.IPv4,
+                  Validate.CIDRv6,
+                  Validate.IPv6,
+                  Validate.Empty,
+                ],
+                true,
+              ),
+            LL.form.error.address(),
+          ),
         dns: z
           .string()
           .trim()
           .optional()
-          .refine((val) => {
-            if (val === '' || !val) {
-              return true;
-            }
-            return validateIpOrDomainList(val, ',', false, true);
-          }, LL.form.error.allowedIps()),
+          .refine(
+            (val) =>
+              Validate.any(val, [Validate.IPv4, Validate.IPv6, Validate.Empty], true),
+            LL.form.error.address(),
+          ),
         allowed_groups: z.array(z.string().min(1, LL.form.error.minimumLength())),
         keepalive_interval: z
           .number({
diff --git a/web/src/pages/settings/components/SmtpSettings/components/SmtpSettingsForm/SmtpSettingsForm.tsx b/web/src/pages/settings/components/SmtpSettings/components/SmtpSettingsForm/SmtpSettingsForm.tsx
index 55db9997b5..f28d33c025 100644
--- a/web/src/pages/settings/components/SmtpSettings/components/SmtpSettingsForm/SmtpSettingsForm.tsx
+++ b/web/src/pages/settings/components/SmtpSettings/components/SmtpSettingsForm/SmtpSettingsForm.tsx
@@ -27,7 +27,7 @@ import { patternValidEmail } from '../../../../../../shared/patterns';
 import { QueryKeys } from '../../../../../../shared/queries';
 import type { SettingsSMTP } from '../../../../../../shared/types';
 import { invalidateMultipleQueries } from '../../../../../../shared/utils/invalidateMultipleQueries';
-import { validateIpOrDomain } from '../../../../../../shared/validators';
+import { Validate } from '../../../../../../shared/validators';
 import { useSettingsPage } from '../../../../hooks/useSettingsPage';
 import { SmtpTestModal } from '../SmtpTest/SmtpTestModal';
 import { useSmtpTestModal } from '../SmtpTest/useSmtpTestModal';
@@ -112,8 +112,14 @@ export const SmtpSettingsForm = () => {
           .trim()
           .min(1, LL.form.error.required())
           .refine(
-            (val) => (!val ? true : validateIpOrDomain(val, false, true)),
-            LL.form.error.endpoint(),
+            (val) =>
+              Validate.any(val, [
+                Validate.IPv4,
+                Validate.IPv6,
+                Validate.Domain,
+                Validate.Empty,
+              ]),
+            LL.form.error.address(),
           ),
         smtp_port: z
           .number({
diff --git a/web/src/pages/wizard/components/WizardNetworkConfiguration/WizardNetworkConfiguration.tsx b/web/src/pages/wizard/components/WizardNetworkConfiguration/WizardNetworkConfiguration.tsx
index 6ecdd20349..993154b893 100644
--- a/web/src/pages/wizard/components/WizardNetworkConfiguration/WizardNetworkConfiguration.tsx
+++ b/web/src/pages/wizard/components/WizardNetworkConfiguration/WizardNetworkConfiguration.tsx
@@ -26,11 +26,7 @@ import { QueryKeys } from '../../../../shared/queries';
 import { LocationMfaMode, ServiceLocationMode } from '../../../../shared/types.ts';
 import { titleCase } from '../../../../shared/utils/titleCase';
 import { trimObjectStrings } from '../../../../shared/utils/trimObjectStrings.ts';
-import {
-  validateIpList,
-  validateIpOrDomain,
-  validateIpOrDomainList,
-} from '../../../../shared/validators';
+import { Validate } from '../../../../shared/validators';
 import { useWizardStore } from '../../hooks/useWizardStore';
 import { DividerHeader } from './components/DividerHeader.tsx';
 
@@ -111,15 +107,17 @@ export const WizardNetworkConfiguration = () => {
           .string()
           .trim()
           .min(1, LL.form.error.required())
-          .refine((value) => {
-            return validateIpList(value, ',', true);
-          }, LL.form.error.addressNetmask()),
+          .refine(
+            (val) => Validate.any(val, [Validate.CIDRv4, Validate.CIDRv6]),
+            LL.form.error.addressNetmask(),
+          ),
         endpoint: z
           .string()
           .trim()
           .min(1, LL.form.error.required())
           .refine(
-            (val) => validateIpOrDomain(val, false, true),
+            (val) =>
+              Validate.any(val, [Validate.IPv4, Validate.IPv6, Validate.Domain], true),
             LL.form.error.endpoint(),
           ),
         port: z
@@ -128,17 +126,33 @@ export const WizardNetworkConfiguration = () => {
           })
           .max(65535, LL.form.error.portMax())
           .nonnegative(),
-        allowed_ips: z.string().trim(),
+        allowed_ips: z
+          .string()
+          .trim()
+          .refine(
+            (val) =>
+              Validate.any(
+                val,
+                [
+                  Validate.CIDRv4,
+                  Validate.IPv4,
+                  Validate.CIDRv6,
+                  Validate.IPv6,
+                  Validate.Empty,
+                ],
+                true,
+              ),
+            LL.form.error.address(),
+          ),
         dns: z
           .string()
           .trim()
           .optional()
-          .refine((val) => {
-            if (val === '' || !val) {
-              return true;
-            }
-            return validateIpOrDomainList(val, ',', true);
-          }, LL.form.error.allowedIps()),
+          .refine(
+            (val) =>
+              Validate.any(val, [Validate.IPv4, Validate.IPv6, Validate.Empty], true),
+            LL.form.error.address(),
+          ),
         allowed_groups: z.array(z.string().trim().min(1, LL.form.error.minimumLength())),
         keepalive_interval: z
           .number({
diff --git a/web/src/pages/wizard/components/WizardNetworkImport/WizardNetworkImport.tsx b/web/src/pages/wizard/components/WizardNetworkImport/WizardNetworkImport.tsx
index 52c798c0ee..7f38c6d255 100644
--- a/web/src/pages/wizard/components/WizardNetworkImport/WizardNetworkImport.tsx
+++ b/web/src/pages/wizard/components/WizardNetworkImport/WizardNetworkImport.tsx
@@ -27,7 +27,7 @@ import { QueryKeys } from '../../../../shared/queries';
 import type { ImportNetworkRequest } from '../../../../shared/types';
 import { invalidateMultipleQueries } from '../../../../shared/utils/invalidateMultipleQueries';
 import { titleCase } from '../../../../shared/utils/titleCase';
-import { validateIpOrDomain } from '../../../../shared/validators';
+import { Validate } from '../../../../shared/validators';
 import { useWizardStore } from '../../hooks/useWizardStore';
 
 interface FormInputs extends Omit<ImportNetworkRequest, 'allowed_groups'> {
@@ -70,7 +70,10 @@ export const WizardNetworkImport = () => {
           .string()
           .trim()
           .min(1, LL.form.error.required())
-          .refine((val) => validateIpOrDomain(val), LL.form.error.endpoint()),
+          .refine(
+            (val) => Validate.any(val, [Validate.IPv4, Validate.IPv6, Validate.Domain]),
+            LL.form.error.endpoint(),
+          ),
         fileName: z.string().trim().min(1, LL.form.error.required()),
         config: z.string().trim().min(1, LL.form.error.required()),
         allowed_groups: z.array(z.string().min(1, LL.form.error.minimumLength())),
diff --git a/web/src/shared/patterns.ts b/web/src/shared/patterns.ts
index cfb5db0bdb..b9c4d6cb7b 100644
--- a/web/src/shared/patterns.ts
+++ b/web/src/shared/patterns.ts
@@ -63,9 +63,14 @@ export const patternValidUrl = new RegExp(
     '$',
   'i',
 );
-
-export const patternValidDomain =
-  /^(?:(?:(?:[A-Za-z-]+):\/{1,3})?(?:[A-Za-z0-9])(?:[A-Za-z0-9\-.]){1,61}(?:\.[A-Za-z]{2,})+|\[(?:(?:(?:[a-fA-F0-9]){1,4})(?::(?:[a-fA-F0-9]){1,4}){7}|::1|::)\]|(?:(?:[0-9]{1,3})(?:\.[0-9]{1,3}){3}))(?::[0-9]{1,5})?$/;
+export const ipv4Pattern = /^(\d{1,3}\.){3}\d{1,3}$/;
+export const ipv4WithPortPattern = /^(\d{1,3}\.){3}\d{1,3}:\d{1,5}$/;
+export const ipv4WithCIDRPattern = /^(\d{1,3}\.){3}\d{1,3}\/([0-9]|[1-2][0-9]|3[0-2])$/;
+export const domainPattern =
+  /^(?:(?:(?:[A-Za-z-]+):\/{1,3})?(?:[A-Za-z0-9])(?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*(?:\.[A-Za-z]{2,})+|\[(?:(?:(?:[a-fA-F0-9]){1,4})(?::(?:[a-fA-F0-9]){1,4}){7}|::1|::)\]|(?:(?:[0-9]{1,3})(?:\.[0-9]{1,3}){3}))$/;
+
+export const domainWithPortPattern =
+  /^(?:(?:(?:[A-Za-z-]+):\/{1,3})?(?:[A-Za-z0-9])(?:[A-Za-z0-9\-.]){1,61}(?:\.[A-Za-z]{2,})+|\[(?:(?:(?:[a-fA-F0-9]){1,4})(?::(?:[a-fA-F0-9]){1,4}){7}|::1|::)\]|(?:(?:[0-9]{1,3})(?:\.[0-9]{1,3}){3})):[0-9]{1,5}$/;
 
 export const patternSafeUsernameCharacters = /^[a-zA-Z0-9]+[a-zA-Z0-9.\-_]*$/;
 
diff --git a/web/src/shared/types.ts b/web/src/shared/types.ts
index 33258f66b6..86bf0baca2 100644
--- a/web/src/shared/types.ts
+++ b/web/src/shared/types.ts
@@ -171,7 +171,7 @@ export type ModifyNetworkRequest = {
     Network,
     'gateways' | 'connected' | 'id' | 'connected_at' | 'allowed_ips'
   > & {
-    allowed_ips: string;
+    allowed_ips?: string;
   };
 };
 
diff --git a/web/src/shared/validators.ts b/web/src/shared/validators.ts
index 44d3da6c57..23b24bbfc0 100644
--- a/web/src/shared/validators.ts
+++ b/web/src/shared/validators.ts
@@ -1,6 +1,12 @@
 import ipaddr from 'ipaddr.js';
 import { z } from 'zod';
-import { patternValidDomain, patternValidWireguardKey } from './patterns';
+import {
+  domainPattern,
+  ipv4Pattern,
+  ipv4WithCIDRPattern,
+  ipv4WithPortPattern,
+  patternValidWireguardKey,
+} from './patterns';
 
 export const validateWireguardPublicKey = (props: {
   requiredError: string;
@@ -17,102 +23,155 @@ export const validateWireguardPublicKey = (props: {
     .max(44, props.maxError)
     .regex(patternValidWireguardKey, props.validKeyError);
 
-// Returns false when invalid
-export const validateIpOrDomain = (
-  val: string,
-  allowMask = false,
-  allowIPv6 = false,
-): boolean => {
-  const hasLetter = /\p{L}/u.test(val);
-  const hasColon = /:/.test(val);
-  if (!hasLetter || hasColon) {
-    return (allowIPv6 && validateIPv6(val, allowMask)) || validateIPv4(val, allowMask);
-  } else {
-    return patternValidDomain.test(val);
-  }
-};
-
-// Returns false when invalid
-export const validateIpList = (
-  val: string,
-  splitWith = ',',
-  allowMasks = false,
-): boolean => {
-  return val
-    .replace(' ', '')
-    .split(splitWith)
-    .every((el) => {
-      if (!el.includes('/') && allowMasks) return false;
-      return validateIPv4(el, allowMasks) || validateIPv6(el, allowMasks);
-    });
-};
-
-// Returns false when invalid
-export const validateIpOrDomainList = (
-  val: string,
-  splitWith = ',',
-  allowMasks = false,
-  allowIPv6 = false,
-): boolean => {
-  const trimmed = val.replace(' ', '');
-  const split = trimmed.split(splitWith);
-  for (const value of split) {
-    if (
-      !validateIPv4(value, allowMasks) &&
-      !patternValidDomain.test(value) &&
-      (!allowIPv6 || !validateIPv6(value, allowMasks))
-    ) {
-      return false;
-    }
-  }
-  return true;
-};
-
-// Returns false when invalid
-export const validateIPv4 = (ip: string, allowMask = false): boolean => {
-  if (allowMask) {
+export const Validate = {
+  IPv4: (ip: string): boolean => {
+    if (!ipv4Pattern.test(ip)) {
+      return false;
+    }
+    if (!ipaddr.IPv4.isValid(ip)) {
+      return false;
+    }
+    return true;
+  },
+  IPv4withPort: (ip: string): boolean => {
+    if (!ipv4WithPortPattern.test(ip)) {
+      return false;
+    }
+    const addr = ip.split(':');
+    if (!ipaddr.IPv4.isValid(addr[0]) || !Validate.Port(addr[1])) {
+      return false;
+    }
+    return true;
+  },
+  IPv6: (ip: string): boolean => {
+    if (!ipaddr.IPv6.isValid(ip)) {
+      return false;
+    }
+    return true;
+  },
+  IPv6withPort: (ip: string): boolean => {
+    if (ip.includes(']')) {
+      const address = ip.split(']');
+      const ipv6 = address[0].replaceAll('[', '').replaceAll(']', '');
+      const port = address[1].replaceAll(']', '').replaceAll(':', '');
+      if (!ipaddr.IPv6.isValid(ipv6)) {
+        return false;
+      }
+      if (!Validate.Port(port)) {
+        return false;
+      }
+    } else {
+      return false;
+    }
+    return true;
+  },
+  CIDRv4: (ip: string): boolean => {
+    if (!ipv4WithCIDRPattern.test(ip)) {
+      return false;
+    }
     if (ip.endsWith('/0')) {
       return false;
     }
-    if (ip.includes('/')) {
-      return ipaddr.IPv4.isValidCIDR(ip);
+    if (!ipaddr.IPv4.isValidCIDR(ip)) {
+      return false;
+    }
+    return true;
+  },
+  CIDRv6: (ip: string): boolean => {
+    if (ip.endsWith('/0')) {
+      return false;
+    }
+    if (!ipaddr.IPv6.isValidCIDR(ip)) {
+      return false;
+    }
+    return true;
+  },
+  Domain: (ip: string): boolean => {
+    if (!domainPattern.test(ip)) {
+      return false;
+    }
+    return true;
+  },
+  DomainWithPort: (ip: string): boolean => {
+    const splitted = ip.split(':');
+    const domain = splitted[0];
+    const port = splitted[1];
+    if (!Validate.Port(port)) {
+      return false;
+    }
+    if (!domainPattern.test(domain)) {
+      return false;
+    }
+    return true;
+  },
+  Port: (val: string): boolean => {
+    const parsed = Number(val);
+    if (Number.isNaN(parsed) || !Number.isInteger(parsed)) {
+      return false;
+    }
+    return 0 < parsed && parsed <= 65535;
+  },
+  Empty: (val: string): boolean => {
+    if (val === '' || !val) {
+      return true;
     }
-  }
-  const ipv4Pattern = /^(\d{1,3}\.){3}\d{1,3}$/;
-  const ipv4WithPortPattern = /^(\d{1,3}\.){3}\d{1,3}:\d{1,5}$/;
-  if (!ipv4Pattern.test(ip) && !ipv4WithPortPattern.test(ip)) {
     return false;
-  }
+  },
+  any: (
+    value: string | undefined,
+    validators: Array<(val: string) => boolean>,
+    allowList: boolean = false,
+    splitWith = ',',
+  ): boolean => {
+    if (!value) {
+      return true;
+    }
+    const items = value.replaceAll(' ', '').split(splitWith);
 
-  if (ipv4WithPortPattern.test(ip)) {
-    const [address, port] = ip.split(':');
-    ip = address;
-    if (!validatePort(port)) {
+    if (items.length > 1 && !allowList) {
       return false;
     }
-  }
 
-  return ipaddr.IPv4.isValid(ip);
-};
+    for (const item of items) {
+      let valid = false;
+      for (const validator of validators) {
+        if (validator(item)) {
+          valid = true;
+          break;
+        }
+      }
+      if (!valid) {
+        return false;
+      }
+    }
 
-export const validateIPv6 = (ip: string, allowMask = false): boolean => {
-  if (allowMask) {
-    if (ip.endsWith('/0')) {
+    return true;
+  },
+  all: (
+    value: string | undefined,
+    validators: Array<(val: string) => boolean>,
+    allowList: boolean = false,
+    splitWith = ',',
+  ): boolean => {
+    if (!value) {
+      return true;
+    }
+    const items = value.replaceAll(' ', '').split(splitWith);
+
+    if (items.length > 1 && !allowList) {
       return false;
     }
-    if (ip.includes('/')) {
-      return ipaddr.IPv6.isValidCIDR(ip);
+    for (const item of items) {
+      for (const validator of validators) {
+        if (!validator(item)) {
+          return false;
+        }
+      }
     }
-  }
-  return ipaddr.IPv6.isValid(ip);
-};
 
-export const validatePort = (val: string) => {
-  const parsed = parseInt(val, 10);
-  if (!Number.isNaN(parsed)) {
-    return parsed <= 65535;
-  }
-};
+    return true;
+  },
+} as const;
 
 export const numericString = (val: string) => /^\d+$/.test(val);
 
diff --git a/web/tests/validators.test.ts b/web/tests/validators.test.ts
new file mode 100644
index 0000000000..08f8000998
--- /dev/null
+++ b/web/tests/validators.test.ts
@@ -0,0 +1,301 @@
+import { describe, expect, it } from 'vitest';
+import { Validate } from '../src/shared/validators';
+
+describe('Validate.IPv4', () => {
+  it('should accept valid IPv4 addresses', () => {
+    expect(Validate.IPv4('192.168.1.1')).toBe(true);
+    expect(Validate.IPv4('10.0.0.1')).toBe(true);
+    expect(Validate.IPv4('172.16.0.1')).toBe(true);
+    expect(Validate.IPv4('255.255.255.255')).toBe(true);
+    expect(Validate.IPv4('0.0.0.0')).toBe(true);
+  });
+
+  it('should reject invalid IPv4 addresses', () => {
+    expect(Validate.IPv4('1')).toBe(false);
+    expect(Validate.IPv4('256.1.1.1')).toBe(false);
+    expect(Validate.IPv4('192.168.1')).toBe(false);
+    expect(Validate.IPv4('192.168.1.1.1')).toBe(false);
+    expect(Validate.IPv4('abc.def.ghi.jkl')).toBe(false);
+    expect(Validate.IPv4('192.168.1.1/24')).toBe(false);
+  });
+
+  it('should reject empty strings', () => {
+    expect(Validate.IPv4('')).toBe(false);
+  });
+});
+
+describe('Validate.IPv4withPort', () => {
+  it('should accept valid IPv4 with port', () => {
+    expect(Validate.IPv4withPort('192.168.1.1:8080')).toBe(true);
+    expect(Validate.IPv4withPort('10.0.0.1:80')).toBe(true);
+    expect(Validate.IPv4withPort('127.0.0.1:5051')).toBe(true);
+    expect(Validate.IPv4withPort('192.168.1.1:65535')).toBe(true);
+  });
+
+  it('should reject IPv4 without port', () => {
+    expect(Validate.IPv4withPort('192.168.1.1')).toBe(false);
+  });
+
+  it('should reject invalid port numbers', () => {
+    expect(Validate.IPv4withPort('192.168.1.1:0')).toBe(false);
+    expect(Validate.IPv4withPort('192.168.1.1:65536')).toBe(false);
+    expect(Validate.IPv4withPort('192.168.1.1:99999')).toBe(false);
+  });
+
+  it('should reject invalid IPv4 format', () => {
+    expect(Validate.IPv4withPort('256.1.1.1:8080')).toBe(false);
+    expect(Validate.IPv4withPort('192.168.1:8080')).toBe(false);
+  });
+});
+
+describe('Validate.IPv6', () => {
+  it('should accept valid IPv6 addresses', () => {
+    expect(Validate.IPv6('2001:db8::1')).toBe(true);
+    expect(Validate.IPv6('::1')).toBe(true);
+    expect(Validate.IPv6('::')).toBe(true);
+    expect(Validate.IPv6('2001:0db8:0000:0000:0000:0000:0000:0001')).toBe(true);
+    expect(Validate.IPv6('fe80::1')).toBe(true);
+  });
+
+  it('should reject invalid IPv6 addresses', () => {
+    expect(Validate.IPv6('192.168.1.1')).toBe(false);
+    expect(Validate.IPv6('gggg::1')).toBe(false);
+    expect(Validate.IPv6('invalid')).toBe(false);
+  });
+});
+
+describe('Validate.IPv6withPort', () => {
+  it('should accept valid IPv6 with port in brackets', () => {
+    expect(Validate.IPv6withPort('[::1]:8080')).toBe(true);
+    expect(Validate.IPv6withPort('[2001:db8::1]:80')).toBe(true);
+    expect(Validate.IPv6withPort('[fe80::1]:65535')).toBe(true);
+  });
+
+  it('should reject IPv6 without brackets', () => {
+    expect(Validate.IPv6withPort('::1:8080')).toBe(false);
+    expect(Validate.IPv6withPort('2001:db8::1:8080')).toBe(false);
+  });
+
+  it('should reject IPv6 without port', () => {
+    expect(Validate.IPv6withPort('[::1]')).toBe(false);
+  });
+
+  it('should reject invalid port numbers', () => {
+    expect(Validate.IPv6withPort('[::1]:0')).toBe(false);
+    expect(Validate.IPv6withPort('[::1]:65536')).toBe(false);
+  });
+});
+
+describe('Validate.CIDRv4', () => {
+  it('should accept valid IPv4 CIDR notation', () => {
+    expect(Validate.CIDRv4('192.168.1.0/24')).toBe(true);
+    expect(Validate.CIDRv4('10.0.0.0/8')).toBe(true);
+    expect(Validate.CIDRv4('172.16.0.0/12')).toBe(true);
+    expect(Validate.CIDRv4('192.168.1.1/32')).toBe(true);
+    expect(Validate.CIDRv4('192.168.1.0/1')).toBe(true);
+  });
+
+  it('should reject CIDR with /0 mask', () => {
+    expect(Validate.CIDRv4('192.168.1.0/0')).toBe(false);
+  });
+
+  it('should reject invalid CIDR masks', () => {
+    expect(Validate.CIDRv4('192.168.1.0/33')).toBe(false);
+    expect(Validate.CIDRv4('192.168.1.0/99')).toBe(false);
+  });
+
+  it('should reject IPv4 without CIDR mask', () => {
+    expect(Validate.CIDRv4('192.168.1.1')).toBe(false);
+  });
+
+  it('should reject invalid IPv4 in CIDR', () => {
+    expect(Validate.CIDRv4('256.1.1.1/24')).toBe(false);
+    expect(Validate.CIDRv4('192.168.1/24')).toBe(false);
+  });
+});
+
+describe('Validate.CIDRv6', () => {
+  it('should accept valid IPv6 CIDR notation', () => {
+    expect(Validate.CIDRv6('2001:db8::/32')).toBe(true);
+    expect(Validate.CIDRv6('fe80::/10')).toBe(true);
+    expect(Validate.CIDRv6('::1/128')).toBe(true);
+  });
+
+  it('should reject CIDR with /0 mask', () => {
+    expect(Validate.CIDRv6('2001:db8::/0')).toBe(false);
+  });
+
+  it('should reject invalid CIDR masks', () => {
+    expect(Validate.CIDRv6('2001:db8::/129')).toBe(false);
+  });
+
+  it('should reject IPv6 without CIDR mask', () => {
+    expect(Validate.CIDRv6('2001:db8::1')).toBe(false);
+  });
+});
+
+describe('Validate.Domain', () => {
+  it('should accept valid domain names', () => {
+    expect(Validate.Domain('example.com')).toBe(true);
+    expect(Validate.Domain('sub.example.com')).toBe(true);
+    expect(Validate.Domain('my-domain.co.uk')).toBe(true);
+    expect(Validate.Domain('test123.example.org')).toBe(true);
+  });
+
+  it('should reject domains with port', () => {
+    expect(Validate.Domain('example.com:8080')).toBe(false);
+  });
+
+  it('should reject invalid domain formats', () => {
+    expect(Validate.Domain('invalid domain')).toBe(false);
+    expect(Validate.Domain('example..com')).toBe(false);
+    expect(Validate.Domain('domain.secret.com')).toBe(true);
+  });
+});
+
+describe('Validate.DomainWithPort', () => {
+  it('should accept valid domains with port', () => {
+    expect(Validate.DomainWithPort('example.com:8080')).toBe(true);
+    expect(Validate.DomainWithPort('sub.example.com:443')).toBe(true);
+    expect(Validate.DomainWithPort('test.org:3000')).toBe(true);
+  });
+
+  it('should reject domains without port', () => {
+    expect(Validate.DomainWithPort('example.com')).toBe(false);
+  });
+
+  it('should reject invalid port numbers', () => {
+    expect(Validate.DomainWithPort('example.com:0')).toBe(false);
+    expect(Validate.DomainWithPort('example.com:65536')).toBe(false);
+    expect(Validate.DomainWithPort('example.com:99999')).toBe(false);
+  });
+});
+
+describe('Validate.Port', () => {
+  it('should accept valid port numbers', () => {
+    expect(Validate.Port('1')).toBe(true);
+    expect(Validate.Port('80')).toBe(true);
+    expect(Validate.Port('443')).toBe(true);
+    expect(Validate.Port('8080')).toBe(true);
+    expect(Validate.Port('65535')).toBe(true);
+  });
+
+  it('should reject port 0', () => {
+    expect(Validate.Port('0')).toBe(false);
+  });
+
+  it('should reject ports above 65535', () => {
+    expect(Validate.Port('65536')).toBe(false);
+    expect(Validate.Port('99999')).toBe(false);
+  });
+
+  it('should reject non-numeric values', () => {
+    expect(Validate.Port('abc')).toBe(false);
+    expect(Validate.Port('12.34')).toBe(false);
+    expect(Validate.Port('')).toBe(false);
+  });
+
+  it('should reject negative numbers', () => {
+    expect(Validate.Port('-1')).toBe(false);
+  });
+});
+
+describe('Validate.any', () => {
+  it('should accept single valid value matching any validator', () => {
+    expect(Validate.any('192.168.1.1', [Validate.IPv4, Validate.IPv6])).toBe(true);
+    expect(Validate.any('2001:db8::1', [Validate.IPv4, Validate.IPv6])).toBe(true);
+    expect(Validate.any('example.com', [Validate.Domain, Validate.IPv4])).toBe(true);
+  });
+
+  it('should reject single value not matching any validator', () => {
+    expect(Validate.any('invalid', [Validate.IPv4, Validate.IPv6])).toBe(false);
+    expect(Validate.any('256.1.1.1', [Validate.IPv4, Validate.IPv6])).toBe(false);
+  });
+
+  it('should reject multiple values when allowList is false (default)', () => {
+    expect(Validate.any('192.168.1.1,10.0.0.1', [Validate.IPv4])).toBe(false);
+    expect(Validate.any('example.com,test.com', [Validate.Domain])).toBe(false);
+  });
+
+  it('should accept multiple valid values when allowList is true', () => {
+    expect(Validate.any('192.168.1.1,10.0.0.1', [Validate.IPv4], true)).toBe(true);
+    expect(
+      Validate.any('192.168.1.1,2001:db8::1', [Validate.IPv4, Validate.IPv6], true),
+    ).toBe(true);
+    expect(Validate.any('example.com,test.org', [Validate.Domain], true)).toBe(true);
+  });
+
+  it('should reject list with any invalid value when allowList is true', () => {
+    expect(Validate.any('192.168.1.1,invalid', [Validate.IPv4], true)).toBe(false);
+    expect(Validate.any('192.168.1.1,256.1.1.1', [Validate.IPv4], true)).toBe(false);
+  });
+
+  it('should handle mixed valid values with allowList', () => {
+    expect(
+      Validate.any(
+        '192.168.1.1,2001:db8::1,10.0.0.1',
+        [Validate.IPv4, Validate.IPv6],
+        true,
+      ),
+    ).toBe(true);
+    expect(
+      Validate.any('example.com,192.168.1.1', [Validate.Domain, Validate.IPv4], true),
+    ).toBe(true);
+  });
+
+  it('should handle custom split character', () => {
+    expect(Validate.any('192.168.1.1;10.0.0.1', [Validate.IPv4], true, ';')).toBe(true);
+    expect(Validate.any('192.168.1.1|10.0.0.1', [Validate.IPv4], true, '|')).toBe(true);
+  });
+
+  it('should handle whitespace in list', () => {
+    expect(Validate.any('192.168.1.1, 10.0.0.1', [Validate.IPv4], true)).toBe(true);
+    expect(Validate.any('192.168.1.1 , 10.0.0.1', [Validate.IPv4], true)).toBe(true);
+  });
+
+  it('should accept empty string with Empty validator in list', () => {
+    expect(Validate.any('', [Validate.IPv4, Validate.Empty], true)).toBe(true);
+  });
+});
+
+describe('Validate.all', () => {
+  it('should accept single value matching all validators', () => {
+    expect(Validate.all('192.168.1.1', [Validate.IPv4])).toBe(true);
+  });
+
+  it('should reject single value not matching all validators', () => {
+    expect(Validate.all('192.168.1.1', [Validate.IPv4, Validate.IPv6])).toBe(false);
+    expect(Validate.all('invalid', [Validate.IPv4])).toBe(false);
+  });
+
+  it('should accept empty string or undefined', () => {
+    expect(Validate.all('', [Validate.IPv4])).toBe(true);
+    expect(Validate.all(undefined, [Validate.IPv4])).toBe(true);
+  });
+
+  it('should reject multiple values when allowList is false (default)', () => {
+    expect(Validate.all('192.168.1.1,10.0.0.1', [Validate.IPv4])).toBe(false);
+  });
+
+  it('should accept multiple valid values when allowList is true', () => {
+    expect(Validate.all('192.168.1.1,10.0.0.1', [Validate.IPv4], true)).toBe(true);
+    expect(Validate.all('example.com,test.org', [Validate.Domain], true)).toBe(true);
+  });
+
+  it('should reject if any value does not match all validators when allowList is true', () => {
+    expect(Validate.all('192.168.1.1,invalid', [Validate.IPv4], true)).toBe(false);
+    expect(Validate.all('192.168.1.1,256.1.1.1', [Validate.IPv4], true)).toBe(false);
+  });
+
+  it('should handle custom split character', () => {
+    expect(Validate.all('192.168.1.1;10.0.0.1', [Validate.IPv4], true, ';')).toBe(true);
+    expect(Validate.all('192.168.1.1|10.0.0.1', [Validate.IPv4], true, '|')).toBe(true);
+  });
+
+  it('should handle whitespace in list', () => {
+    expect(Validate.all('192.168.1.1, 10.0.0.1', [Validate.IPv4], true)).toBe(true);
+    expect(
+      Validate.all('192.168.1.1 , 10.0.0.1 , 172.16.0.1', [Validate.IPv4], true),
+    ).toBe(true);
+  });
+});
diff --git a/web/vitest.config.mts b/web/vitest.config.mts
new file mode 100644
index 0000000000..06e004bc54
--- /dev/null
+++ b/web/vitest.config.mts
@@ -0,0 +1,16 @@
+import { defineConfig } from 'vitest/config';
+import * as path from 'path';
+
+export default defineConfig({
+  test: {
+    globals: true,
+    environment: 'node',
+    include: ['tests/**/*.test.ts'],
+  },
+  resolve: {
+    alias: {
+      '@scss': path.resolve(__dirname, './src/shared/scss'),
+      '@scssutils': path.resolve(__dirname, './src/shared/scss/global'),
+    },
+  },
+});

From c15367f085c196eab4d882d3433de4e713ed37cd Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Fri, 5 Dec 2025 12:41:36 +0100
Subject: [PATCH 48/50] Fix e2e test (#1742)

---
 e2e/tests/vpn/wizard.spec.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/e2e/tests/vpn/wizard.spec.ts b/e2e/tests/vpn/wizard.spec.ts
index 1f9f8c48cd..bd6756cc6e 100644
--- a/e2e/tests/vpn/wizard.spec.ts
+++ b/e2e/tests/vpn/wizard.spec.ts
@@ -44,7 +44,7 @@ test.describe('Setup VPN (wizard) ', () => {
     await page.getByTestId('setup-option-import').click();
     await navNext.click();
     await page.getByTestId('field-name').fill('test network');
-    await page.getByTestId('field-endpoint').fill('127.0.0.1:5051');
+    await page.getByTestId('field-endpoint').fill('127.0.0.1');
     const fileChooserPromise = page.waitForEvent('filechooser');
     await page.getByTestId('upload-config').click();
     const responseImportConfigPromise = page.waitForResponse('**/import');

From 94a6e2ad52e5f33f53efa1a69827300fee20376e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= <maciej@defguard.net>
Date: Tue, 9 Dec 2025 09:03:50 +0100
Subject: [PATCH 49/50] update protos submodule

---
 proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/proto b/proto
index 74d60d9171..5dfc8c8d23 160000
--- a/proto
+++ b/proto
@@ -1 +1 @@
-Subproject commit 74d60d9171048ba0ccaf8a21b05950fb7a673f09
+Subproject commit 5dfc8c8d23ac0613108a2b7b921fd9a97613bb3a

From a9cf75c4416c9b777b8ca4ce687a060a1ebaec69 Mon Sep 17 00:00:00 2001
From: Maciek <19913370+wojcik91@users.noreply.github.com>
Date: Tue, 9 Dec 2025 09:35:26 +0100
Subject: [PATCH 50/50] Potential fix for code scanning alert no. 60: Workflow
 does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/test-web.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/test-web.yml b/.github/workflows/test-web.yml
index d4085f6c72..2c1b813278 100644
--- a/.github/workflows/test-web.yml
+++ b/.github/workflows/test-web.yml
@@ -16,6 +16,8 @@ on:
       - "*.md"
       - "LICENSE"
 
+permissions:
+  contents: read
 jobs:
   test-web:
     runs-on: