web: CodeSpell -> CSpell migration (#20188)

* web: Flesh out CSpell.

* Fix remaining linter warnings.

* Add comments, common names.

* Fix common prefixes.

* Omit trailing commas in jsonc files.

* Format.

* Update command.

* Install before run.

* trim empty lines

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* dont npm ci there

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* setup node in web and root

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Format.

* Rename.

* Install root deps.

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>

.github/actions/setup/action.yml

@@ -34,14 +34,26 @@ runs:
       if: ${{ contains(inputs.dependencies, 'python') }}
       shell: bash
       run: uv sync --all-extras --dev --frozen
-    - name: Setup node
+    - name: Setup node (web)
       if: ${{ contains(inputs.dependencies, 'node') }}
       uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v4
       with:
         node-version-file: web/package.json
         cache: "npm"
         cache-dependency-path: web/package-lock.json
-        registry-url: 'https://registry.npmjs.org'
+        registry-url: "https://registry.npmjs.org"
+    - name: Setup node (root)
+      if: ${{ contains(inputs.dependencies, 'node') }}
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v4
+      with:
+        node-version-file: package.json
+        cache: "npm"
+        cache-dependency-path: package-lock.json
+        registry-url: "https://registry.npmjs.org"
+    - name: Install Node deps
+      if: ${{ contains(inputs.dependencies, 'node') }}
+      shell: bash
+      run: npm ci
     - name: Setup go
       if: ${{ contains(inputs.dependencies, 'go') }}
       uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5

.github/codespell-dictionary.txt

@@ -1 +0,0 @@
-authentic->authentik

.github/codespell-words.txt

@@ -1,32 +0,0 @@
-akadmin
-asgi
-assertIn
-authentik
-authn
-crate
-docstrings
-entra
-goauthentik
-gunicorn
-hass
-jwe
-jwks
-keypair
-keypairs
-kubernetes
-oidc
-ontext
-openid
-passwordless
-plex
-saml
-scim
-singed
-slo
-sso
-totp
-traefik
-# https://github.com/codespell-project/codespell/issues/1224
-upToDate
-warmup
-webauthn

.github/workflows/ci-main.yml

@@ -31,7 +31,7 @@ jobs:
         job:
           - bandit
           - black
-          - codespell
+          - spellcheck
           - pending-migrations
           - ruff
           - mypy

.gitignore

@@ -15,6 +15,9 @@ media
 
 node_modules
 
+.cspellcache
+cspell-report.*
+
 # If your build process includes running collectstatic, then you probably don't need or want to include staticfiles/
 # in your Git repository. Update and uncomment the following line accordingly.
 # <django-project-name>/staticfiles/

.vscode/settings.json

@@ -14,6 +14,10 @@
     "[xml]": {
         "editor.minimap.markSectionHeaderRegex": "<!--\\s*#\\bregion\\s*(?<separator>-?)\\s*(?<label>.*)\\s*-->"
     },
+    "files.associations": {
+        // The built-in "ignore" language gives us enough syntax highlighting to make these files readable.
+        "**/dictionaries/*.txt": "ignore"
+    },
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
     "yaml.customTags": [
@@ -49,13 +53,9 @@
             "ignoreCase": false
         }
     ],
-    "go.testFlags": [
-        "-count=1"
-    ],
+    "go.testFlags": ["-count=1"],
     "go.testEnvVars": {
         "WORKSPACE_DIR": "${workspaceFolder}"
     },
-    "github-actions.workflows.pinned.workflows": [
-        ".github/workflows/ci-main.yml"
-    ]
+    "github-actions.workflows.pinned.workflows": [".github/workflows/ci-main.yml"]
 }

Makefile

@@ -77,12 +77,12 @@ test: ## Run the server tests and produce a coverage report (locally)
 	$(UV) run coverage html
 	$(UV) run coverage report
 
-lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
+lint-fix: lint-spellcheck  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
 	$(UV) run black $(PY_SOURCES)
 	$(UV) run ruff check --fix $(PY_SOURCES)
 
-lint-codespell:  ## Reports spelling errors.
-	$(UV) run codespell -w
+lint-spellcheck:  ## Reports spelling errors.
+	npm run lint:spellcheck
 
 lint: ci-bandit ci-mypy ## Lint the python and golang sources
 	golangci-lint run -v
@@ -286,7 +286,7 @@ docs: docs-lint-fix docs-build  ## Automatically fix formatting issues in the Au
 docs-install:
 	npm ci --prefix website
 
-docs-lint-fix: lint-codespell
+docs-lint-fix: lint-spellcheck
 	npm run --prefix website prettier
 
 docs-build:
@@ -343,8 +343,8 @@ ci-black: ci--meta-debug
 ci-ruff: ci--meta-debug
 	$(UV) run ruff check $(PY_SOURCES)
 
-ci-codespell: ci--meta-debug
-	$(UV) run codespell -s
+ci-spellcheck: ci--meta-debug
+	npm run lint:spellcheck
 
 ci-bandit: ci--meta-debug
 	$(UV) run bandit -c pyproject.toml -r $(PY_SOURCES) -iii

cspell.config.jsonc

@@ -0,0 +1,289 @@
+{
+    "$schema": "https://raw.githubusercontent.com/streetsidesoftware/cspell/refs/heads/main/cspell.schema.json",
+    "name": "authentik-cspell",
+    "description": "authentik's monorepo spell checker configuration",
+    "version": "0.2",
+    "readonly": true,
+    "language": "en-US",
+    "cache": {
+        "useCache": true,
+        "cacheLocation": "./.cspellcache",
+        "cacheStrategy": "content"
+    },
+    "reporters": [
+        "default",
+        ["@cspell/cspell-json-reporter", { "outFile": "./cspell-report.json" }]
+    ],
+    "dictionaryDefinitions": [
+        {
+            "name": "en-x-authentik-software-terms",
+            "path": "./locale/en/dictionaries/software-terms.txt",
+            "description": "English software-related terms",
+            "addWords": true
+        },
+        {
+            "name": "en-x-authentik-idp",
+            "path": "./locale/en/dictionaries/idp.txt",
+            "description": "English IdP words",
+            "addWords": true
+        },
+        {
+            "name": "en-x-authentik-python",
+            "path": "./locale/en/dictionaries/python.txt",
+            "addWords": true
+        },
+        {
+            "name": "en-x-authentik-golang",
+            "path": "./locale/en/dictionaries/golang.txt",
+            "addWords": true
+        },
+
+        {
+            "name": "en-x-authentik-people",
+            "path": "./locale/en/dictionaries/people.txt",
+            "description": "People names relevant to authentik",
+            "addWords": true
+        },
+        {
+            "name": "en-x-authentik-integrations",
+            "path": "./locale/en/dictionaries/integrations.txt",
+            "description": "English integration names",
+            "addWords": true
+        },
+        {
+            "name": "en-x-authentik-ignore",
+            "path": "./locale/en/dictionaries/ignore.txt",
+            "description": "English ignore list for authentik",
+            "addWords": true,
+            "noSuggest": true
+        }
+    ],
+    "dictionaries": [
+        "en-x-authentik-software-terms",
+        "en-x-authentik-idp",
+        "en-x-authentik-ignore",
+        "en-x-authentik-people",
+        "en-x-authentik-integrations",
+        "node",
+        "softwareTerms",
+        "software-tools",
+        "computing-acronyms",
+        "companies",
+        "cpp-compound-words"
+    ],
+    "allowCompoundWords": true,
+    "patterns": [
+        {
+            "name": "EncodedURI",
+            "description": "Encoded URIs, which are common in authentik's codebase and often contain many false positives.",
+            "pattern": "[a-zA-Z]+%3A%2F%2F.+"
+        },
+        {
+            "name": "ConfSuffix",
+            "description": "Variables with `conf` or `config` suffix",
+            "pattern": ["\\w+(conf|config)\\b", "\\b(conf|config)\\w+"]
+        }
+    ],
+    "ignoreRegExpList": [
+        // DB Migrations
+        "authentik_c_\\w+_[0-9a-fA-F]+_idx",
+        // Google Analytics
+        "/G-[0-9A-Z]+/",
+        // Github Usernames
+        "@[a-zA-Z0-9_-]+",
+        // GitHub repositories
+        "github\\.com/[a-zA-Z0-9_-]+/[a-zA-Z0-9_-]+",
+        // Docker images
+        "docker\\.io/[a-zA-Z0-9_-]+/[a-zA-Z0-9_-]+",
+        // Suffix "change", which is common in migration files
+        "\\w+change\\b",
+        // Prefix "on", which is common in event handlers
+        "\\bon\\w+\\b",
+        // Prefix "pg", which is common in PostgreSQL-related code
+        "\\bpg\\w+\\b",
+        // Prefix "pf", which is common in PatternFly-related code
+        "\\bpf\\w+\\b",
+        // Prefix "ws", which is common in WebSocket-related code
+        "\\bws\\w+\\b",
+        // Suffix "propertymapping"
+        "\\w+propertymapping\\b",
+        // Words that end with "source", "provider", "user", "group", or "connection",
+        // which are common in authentik's codebase and often contain many false positives.
+        "\\w+(source|provider)(user|group|connection)\\b",
+        "\\w+(source|provider)(user|group|connection)",
+        // Basic auth header
+        "Basic [a-zA-Z0-9+/=]+",
+        // "ify" suffix, e.g. "stringify", "classify".
+        "\\w+l?ify\\b",
+        // "ified" suffix, e.g. "stringified", "classified".
+        "\\w+l?ified\\b",
+        // "ifying" suffix, e.g. "stringifying", "classifying".
+        "\\w+l?ifying\\b",
+
+        "SpellCheckerIgnoreInDocSetting",
+        "EncodedURI",
+        "Urls",
+        "href",
+        "Base64",
+        "PublicKey",
+        "RsaCert",
+        "SshRsa",
+        "UnicodeRef",
+        "Email",
+        "HashStrings"
+    ],
+    "languageSettings": [
+        {
+            "languageId": "markdown,mdx",
+            "dictionaries": ["en-x-authentik-python", "en-x-authentik-golang"],
+            "ignoreRegExpList": [
+                // Fenced code blocks
+                "/^\\s*```[\\s\\S]*?^\\s*```/gm",
+                // Markdown inline codeblocks
+                "`[^`\\s]+`",
+                "`\\w+[^`]*?\\w+`"
+            ]
+        },
+        {
+            "languageId": "typescript,javascript,typescriptreact,javascriptreact,mdx,astro",
+
+            "ignoreRegExpList": [
+                // Event handlers e.g. onClick, onmouseover
+                "\\bon\\w+\\b",
+                // Custom web component tags e.g. <ak-button>, <ak-toggle-group>
+                "</?ak-[a-z0-9-]+",
+                // Scoped import paths, e.g. @webcomponents/webcomponentsjs
+                "@[a-z0-9-]+/[a-z0-9-]+",
+                // Import paths that end with "js", which are often false positives
+                // and not worth the effort of creating a custom dictionary for.
+                "[a-z0-9-]+js",
+                "ConfSuffix",
+                "js-hex-escape",
+                "js-unicode-escape",
+                "js-regexp-flags",
+                "js-hex-number"
+            ]
+        },
+        {
+            "languageId": "python",
+            "dictionaries": ["en-x-authentik-python"],
+            "includeRegExpList": ["comments"]
+        },
+        {
+            "languageId": "go",
+            "dictionaries": ["en-x-authentik-golang"]
+        },
+        {
+            "languageId": "makefile",
+            "dictionaries": ["en-x-authentik-python", "en-x-authentik-golang"]
+        },
+
+        {
+            "languageId": "css,scss",
+            "ignoreRegExpList": [
+                // data URIs, which are common in CSS and often contain many false positives.
+                "data:.+"
+            ]
+        }
+    ],
+    "ignorePaths": [
+        //#region i18n
+
+        "{cspell.*,cSpell.*,.cspell.*,cspell.config.*}", // CSpell configuration files
+        "cspell-report.{json,html,txt}", // CSpell report files
+        "dictionaries", // Custom dictionary files
+        "ignore.txt", // Custom ignore list files
+
+        "./locale", // Locale files (Django, CSpell)
+        "web/xliff", // XLIFF translation files
+        "web/src/locales", // Generated TypeScript locale
+
+        //#endregion
+
+        //#region Monorepo
+
+        "CODEOWNERS", // GitHub code owners file
+        "LICENSE", // License file
+        ".gitignore", // Git ignore file
+        ".gitattributes", // Git attributes file
+        "*-lock.{json,yaml}", // Lock files (NPM, Yarn, Pip, Cargo)
+        "CHANGELOG*.md", // Changelog files
+        ".vscode/**", // VSCode configuration
+        "out", // TypeScript type-checking output
+        "dist", // Distributed build output
+        "coverage/**", // Coverage output
+        ".env", // Environment files
+        "package-lock.json", // NPM package lock
+        "schema.yml", // OpenAPI schema
+        "./blueprints/schema.json", // Generated blueprint schema
+        "custom-elements.json", // TypeScript custom element definitions
+        "./gen-*-api", // Generated API Client
+        "./schemas/**", // XML Schemas
+        "./authentik/sources/**/schemas", // Source schemas
+        "**vendored**", // Vendored files
+        "fixtures", // Test fixtures
+        "tests/e2e/**/*.php", // PHP fixtures
+        "compose.yml", // Docker Compose files
+
+        //#region JavaScript/TypeScript
+
+        ".eslintignore", // ESLint ignore file
+        ".prettierignore", // Prettier ignore file
+        ".yarn", // Yarn cache and configuration
+        "node_modules", // Node modules
+        "playwright-report", // Playwright test output
+        "package.json", // Package manifest file
+        "storybook-static", // Storybook build output
+        "sampleData.{js,ts}", // Storybook sample data files
+        "*.stories.{ts,tsx}", // Storybook stories
+        "*.min.{js,css}", // Minified JS and CSS files
+        "*.min.{js,css}.map", // Source maps for minified files
+        //#region Python
+
+        "pyproject.toml",
+        "unittest.xml", // Pytest output
+        ".venv", // Python virtual environment
+        "venv", // Python virtual environment
+        "./lifecycle",
+        "blueprints",
+        "mds",
+        //#endregion
+
+        //#region Rust
+
+        "./target", // Rust compilation artifacts
+
+        //#endregion
+
+        //#region Docusaurus
+
+        "*.api.mdx", // Generated API docs
+        ".docusaurus/**", // Cache
+        "./{docs,website}/build", // Topic docs build output
+        "./{docs,website}/**/build", // Workspaces output
+
+        //#endregion
+
+        //#region Golang
+
+        "go.mod", // Go module file
+        "go.sum", // Go module file
+        "htmlcov", // Coverage HTML output
+        "coverage.txt", // Coverage text output
+
+        //#endregion
+
+        //#region Media
+
+        "./data", // Media files
+        "./media", // Legacy media files
+        "*.{png,jpg,pdf,svg}" // Binary files
+
+        //#endregion
+    ],
+    "useGitignore": true,
+    "features": {
+        "weighted-suggestions": true
+    }
+    // "failFast": true,
+}

locale/en/dictionaries/golang.txt

@@ -0,0 +1,20 @@
+# Golang-specific terms
+gounicorn
+pems
+connm
+Debugf
+Infof
+Warnf
+layeh
+Warningf
+goldap
+goauthentikio
+singlevg
+accsp
+uapisp
+GORMDB
+golangci
+gorm
+gorm
+gorm*
+logger

locale/en/dictionaries/idp.txt

@@ -0,0 +1,6 @@
+# IdP-specific terms
+authentik
+Yubi
+Yubikey
+Yubikeys
+mycorp

locale/en/dictionaries/ignore.txt

@@ -0,0 +1,26 @@
+# Ignored terms that should not be suggested by the spell checker.
+aaguids
+ASGI
+asgi
+azuread
+Azuread
+buildx
+goauthentik
+lxml
+pässwörd
+phlebotinum
+qewr
+quox
+recategorize
+reinject
+tmpfs
+trixie
+XFCC
+xghcr
+xoxb
+xoxe
+xoxp
+foo
+bar
+baz
+qux

locale/en/dictionaries/integrations.txt

@@ -0,0 +1,67 @@
+# Integrations
+appflowy
+Ascensio
+Authy
+Beszel
+Bitnami
+Budibase
+Doki
+Doku
+dokuwiki
+Engomo
+Espo
+espocrm
+ezBookkeeping
+fleetdm
+Flowy
+Forgejo
+Forti
+Fortigate
+Gatus
+Gestionnaire
+Gitea
+Gravitee
+Homarr
+Informatique
+Kimai
+Knoc
+Knocknoc
+Komodo
+Kubeconfig
+Mautic
+Mobilizon
+Observium
+Ofair
+Ollama
+Omada
+omniauth
+openwebui
+OPNsense
+Orchesta
+Organizr
+Packagify
+Palo
+Papra
+pfSense
+phpipam
+Planka
+Plesk
+proftpd
+Qube
+Relatedly
+Sidero
+snipeit
+sonarqube
+Terrakube
+Ueberauth
+Veeam
+Vikunja
+Wazuh
+Wdio
+Weixin
+Kiota
+Wekan
+Xcreds
+Zammad
+Zenko
+Zulip

locale/en/dictionaries/people.txt

@@ -0,0 +1,13 @@
+# People names.
+Bery
+Beryju
+Teffen
+GirlBossRush
+Gergo
+Marc
+Dewi
+Zwanenburg
+Naur
+Wärting
+Aadit
+Kilby

locale/en/dictionaries/python.txt

@@ -0,0 +1,13 @@
+debugpy
+dramatiq
+kwargs
+pgtrigger
+psycopg
+pyrad
+uvicorn
+pglock
+dicted
+mypy
+klass
+pgactivity
+kinit

locale/en/dictionaries/software-terms.txt

@@ -0,0 +1,166 @@
+# Software-specific terms
+*_c_name_*
+*_c_slug_*
+*ecdsa*
+*entra*
+*id*
+*identities
+*identity
+*ids*
+*idx*
+*mapping*
+*name*
+*named*
+*names*
+*namespace*
+*namespaces
+*plex*
+*provider
++Xmldsig+
+ADFS
+AKMDX
+ASVS
+Algs
+CASB
+CLDR
+DOTADIW
+Docsmg
+GDTC
+GHES
+GHSA
+GLPI
+Guac
+Guacd
+Gunicorn
+HIBP
+HOTP
+Hackathon
+ISPM
+ITDR
+Kadmin
+LDAPCP
+LSPATH
+Liskov
+MDSCIM
+MYNIS
+Moreecdsa
+NGFW
+OCAK
+OCNS
+PEAP
+PKCE
+PSSO
+Pooler
+Pyroscope
+QNAP
+RAC
+RHAAP
+SCIM
+SDKJS
+SMTPD
+SNPEGO
+SPSSO
+SVGOMG
+Sfdc
+TOTP
+Transifex
+Unenrollment
+Unmigrate
+Wsfed
+Xen
+Xmldsig
+XmldsigMore
+ZTNA
+aaguid
+adsi
+akflow
+akprox
+asns
+cbor
+copylefted
+cves
+describedby
+dialector
+docsmg
+doseq
+dsa
+dsquery
+ellipsized
+esbuild
+falsey
+frie
+gcsp
+geoip
+glpi
+grecaptcha
+guac
+guacd
+gunicorn
+hackathon
+haveibeenpwned
+hcaptcha
+hibp
+hotp
+hres
+kadmin
+kiprop
+kubeadm
+labelledby
+mcomplete
+mermaidjs
+microsoft
+mmdb
+noopener
+noreferrer
+openidc
+ouia
+ouid
+peap
+pkce
+plex
+postgresstore
+proxyv
+psso
+pydantic
+pyroscope
+rapi
+rasterizes
+rbcervilla
+recws
+retag
+rnds
+rsa
+RSTR
+sbdocs
+schedulable
+scim
+scsp
+sha
+source
+stringly
+sysd
+tdialector
+templatize
+tgcsp
+tguacd
+tgunicorn
+totp
+tscsp
+ttotp
+tuisp
+uisp
+unenrollment
+unhashed
+unmigrate
+unskippable
+uperm
+uwsgi
+wireit
+wsfed
+wtrealm
+xen+
+xenc
+yamltags
+zxcvbn
+~uuid
+~uuids

package.json

@@ -6,7 +6,7 @@
         "lint": "run-s lint:spellcheck lint:lockfile",
         "lint:lockfile": "echo 'Skipping lockfile linting'",
         "lint:node": "echo 'Skipping node linting'",
-        "lint:spellcheck": "echo 'Skipping spellcheck linting'"
+        "lint:spellcheck": "cspell . --config cspell.config.jsonc"
     },
     "type": "module",
     "imports": {
@@ -20,6 +20,7 @@
         "@goauthentik/tsconfig": "./packages/tsconfig",
         "@typescript-eslint/eslint-plugin": "^8.56.1",
         "@typescript-eslint/parser": "^8.56.1",
+        "cspell": "^9.6.4",
         "eslint": "^9.39.3",
         "npm-run-all": "^4.1.5",
         "pino": "^10.3.1",

packages/prettier-config/lib/constants.js

@@ -36,7 +36,7 @@ const overrides = [
         },
     },
     {
-        files: "tsconfig.json",
+        files: ["tsconfig.json", "*.jsonc"],
         options: {
             trailingComma: "none",
         },

pyproject.toml

@@ -80,7 +80,6 @@ dev = [
   "bandit==1.9.4",
   "black==26.3.0",
   "bpython==0.26",
-  "codespell==2.4.1",
   "colorama==0.4.6",
   "constructs==10.5.1",
   "coverage[toml]==7.13.4",
@@ -149,42 +148,6 @@ build-backend = "hatchling.build"
 [tool.bandit]
 exclude_dirs = ["**/node_modules/**"]
 
-[tool.codespell]
-skip = [
-  "**/.env",                  # Environment files
-  "**/.venv",                 # Python virtual environment
-  "**/node_modules",          # Node modules
-  "**/package-lock.json",     # NPM package lock
-  "schema.yml",               # OpenAPI schema
-  "./blueprints/schema.json", # Generated blueprint schema
-  "go.sum",                   # Go module file
-  "locale",                   # Django locale files
-  "**/web/src/locales",       # Generated TypeScript locale
-  "**/web/xliff",             # XLIFF translation files
-  "**/custom-elements.json",  # TypeScript custom element definitions
-  "**/storybook-static",      # Storybook build output
-  "**/playwright-report",     # Playwright test output
-  "unittest.xml",             # Pytest output
-  "./htmlcov",                # Coverage HTML output
-  "**/out",                   # TypeScript type-checking output
-  "**/dist",                  # Distributed build output
-  "./website/build",          # TODO: Remove this after moving website to docs
-  "./website/**/build",       # TODO: Remove this after moving website to docs
-  "./docs/build",             # Docusaurus Topic docs build output
-  "./docs/**/build",          # Docusaurus workspaces output
-  "*.api.mdx",                # Generated API docs
-  "./gen-ts-api",             # Generated TypeScript API
-  "./gen-py-api",             # Generated Python API
-  "./gen-go-api",             # Generated Go API
-  "./data",                   # Media files
-  "./media",                  # Legacy media files
-  "./schemas/**",             # XML Schemas
-  "./target",                 # Rust compilation artifacts
-  "**vendored**",             # Vendored files
-]
-dictionary = ".github/codespell-dictionary.txt,-"
-ignore-words = ".github/codespell-words.txt"
-
 [tool.black]
 line-length = 100
 target-version = ['py314']

uv.lock

@@ -281,7 +281,6 @@ dev = [
     { name = "bandit" },
     { name = "black" },
     { name = "bpython" },
-    { name = "codespell" },
     { name = "colorama" },
     { name = "constructs" },
     { name = "coverage" },
@@ -390,7 +389,6 @@ dev = [
     { name = "bandit", specifier = "==1.9.4" },
     { name = "black", specifier = "==26.3.0" },
     { name = "bpython", specifier = "==0.26" },
-    { name = "codespell", specifier = "==2.4.1" },
     { name = "colorama", specifier = "==0.4.6" },
     { name = "constructs", specifier = "==10.5.1" },
     { name = "coverage", extras = ["toml"], specifier = "==7.13.4" },
@@ -818,15 +816,6 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/98/78/01c019cdb5d6498122777c1a43056ebb3ebfeef2076d9d026bfe15583b2b/click-8.3.1-py3-none-any.whl", hash = "sha256:981153a64e25f12d547d3426c367a4857371575ee7ad18df2a6183ab0545b2a6", size = 108274, upload-time = "2025-11-15T20:45:41.139Z" },
 ]
 
-[[package]]
-name = "codespell"
-version = "2.4.1"
-source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/15/e0/709453393c0ea77d007d907dd436b3ee262e28b30995ea1aa36c6ffbccaf/codespell-2.4.1.tar.gz", hash = "sha256:299fcdcb09d23e81e35a671bbe746d5ad7e8385972e65dbb833a2eaac33c01e5", size = 344740, upload-time = "2025-01-28T18:52:39.411Z" }
-wheels = [
-    { url = "https://files.pythonhosted.org/packages/20/01/b394922252051e97aab231d416c86da3d8a6d781eeadcdca1082867de64e/codespell-2.4.1-py3-none-any.whl", hash = "sha256:3dadafa67df7e4a3dbf51e0d7315061b80d265f9552ebd699b3dd6834b47e425", size = 344501, upload-time = "2025-01-28T18:52:37.057Z" },
-]
-
 [[package]]
 name = "colorama"
 version = "0.4.6"

web/src/flow/FlowExecutorStages.ts

@@ -46,7 +46,7 @@ export type StageEntry =
  *   function, following the examples already provided.
  *
  * Variants and Tags have a single strong differentiator: Tags refer to web components and so must
- * always have a dash, whereas wariants are from a limited supply of names and do not have a dash.
+ * always have a dash, whereas variants are from a limited supply of names and do not have a dash.
  * The StageFactory will not get confused. If you get confused, the type-checker will explain it.
  *
  * The resolution of the web component tag name is: tag supplied, tag received with import, tag

web/src/styles/locales/ja/globals.css

@@ -4,7 +4,7 @@
 
 html[lang="ja"],
 html[lang^="ja-"] {
-    /* cSpell:disable */
+    /* spellchecker:disable */
 
     --ak-font-family-sans-serif:
         "M PLUS 2", "Noto Sans JP", "Hiragino Kaku Gothic Pro", "ヒラギノ角ゴ Pro W3", メイリオ,
@@ -12,7 +12,7 @@ html[lang^="ja-"] {
 
     --ak-font-family-serif: "Noto Serif JP", var(--ak-generic-serif);
 
-    /* cSpell:enable */
+    /* spellchecker:enable */
 
     --ak-font-family-heading: var(--ak-font-family-sans-serif);
 

web/src/styles/locales/zh/globals.css

@@ -3,7 +3,7 @@
  */
 
 html[lang^="zh"] {
-    /* cSpell:disable */
+    /* spellchecker:disable */
 
     --ak-font-family-sans-serif:
         "Noto Sans SC", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei", "WenQuanYi Micro Hei",
@@ -15,7 +15,7 @@ html[lang^="zh"] {
         "Noto Sans SC", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei", "WenQuanYi Micro Hei",
         sans-serif;
 
-    /* cSpell:enable */
+    /* spellchecker:enable */
 
     --pf-c-content--h1--FontWeight: 500;
 

web/types/rapi-doc/index.d.ts

@@ -2,7 +2,7 @@ declare module "rapidoc" {
     // eslint-disable-next-line @typescript-eslint/no-unused-vars
     type Booleanish = "true" | "false";
 
-    // cSpell:disable
+    // spellchecker:disable
     /**
      * Web Component based Swagger & OpenAPI Spec Viewer
      *
@@ -73,7 +73,7 @@ declare module "rapidoc" {
      * @attr {string} api-key-value - Value of the API key (can be overwritten from UI).
      * @attr {"omit" | "same-origin" | "include"} fetch-credentials - Credentials mode for cross-domain calls.
      */
-    // cSpell:enable
+    // spellchecker:enable
     class RapiDoc extends HTMLElement {
         /**
          * Programmatically load a spec.

website/api/types/api-plugin.d.ts

@@ -1,7 +1,7 @@
 /// <reference types="docusaurus-theme-openapi-docs" />
 /// <reference types="docusaurus-plugin-openapi-docs" />
 
-// cspell:ignore persistence
+// spellchecker:ignore persistance
 
 declare module "@docusaurus/plugin-content-docs/src/sidebars/types" {
     export * from "@docusaurus/plugin-content-docs/src/sidebars/types.ts";

website/docs/add-secure-apps/providers/wsfed/index.md

@@ -17,10 +17,10 @@ Note that we only support the SAML2 token type within WS-Federation providers, a
 
 The following URL request parameters are supported in the authentik WS-Federation provider:
 
-- **wa**: This is a required parameter that represents the action being requested, typically wsignin1.0 for signing in. The parameter's value tells the Security Token Service (STS) which operation to execute.
-- **wtrealm**: The unique identifier (realm) of the Relying Party (RP) or application requesting the security token, for example, urn:my-app:rp. It defines the trust relationship between the RP and the Identity Provider (IdP) and indicates which application is initiating the WS-Federation request. This is a required query parameter that tells the Security Token Service (STS) which relying party the token is intended for.
-- **wreply**: The target URL to which the Identity Provider (IdP) sends the WS-Federation response containing the security token. This URL is supplied by the Service Provider (SP). authentik verifies that the received `wreply` parameter matches the URL configured by the administrator and stored in the database.
-- **wctx**: A context value that is used to maintain state between the Relying Party (RP) and the Identity Provider (IdP) across redirects. It serves the same purpose as the `RelayState` parameter in SAML. The RP includes this value in the authentication request, and the IdP returns it unchanged in the response, allowing the RP to validate and restore the original session or request context.
+- **`wa`**: This is a required parameter that represents the action being requested, typically `wsignin1.0` for signing in. The parameter's value tells the Security Token Service (STS) which operation to execute.
+- **`wtrealm`**: The unique identifier (realm) of the Relying Party (RP) or application requesting the security token, for example, urn:my-app:rp. It defines the trust relationship between the RP and the Identity Provider (IdP) and indicates which application is initiating the WS-Federation request. This is a required query parameter that tells the Security Token Service (STS) which relying party the token is intended for.
+- **`wreply`**: The target URL to which the Identity Provider (IdP) sends the WS-Federation response containing the security token. This URL is supplied by the Service Provider (SP). authentik verifies that the received `wreply` parameter matches the URL configured by the administrator and stored in the database.
+- **`wctx`**: A context value that is used to maintain state between the Relying Party (RP) and the Identity Provider (IdP) across redirects. It serves the same purpose as the `RelayState` parameter in SAML. The RP includes this value in the authentication request, and the IdP returns it unchanged in the response, allowing the RP to validate and restore the original session or request context.
 
 ## WS-Federation bindings and endpoints
 

website/docs/releases/2026/v2026.2.md

@@ -3,6 +3,8 @@ title: Release 2026.2
 slug: "/releases/2026.2"
 ---
 
+<!-- spellchecker:ignore πthon -->
+
 ## Highlights
 
 - **Object Lifecycle Management**: :ak-enterprise :ak-preview Admins can now automatically schedule periodic reviews of authentik objects (applications, groups, roles) for compliance and auditing purposes.
@@ -146,7 +148,7 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2026.2
 - enterprise/audit: Expanded Diff (#19726)
 - enterprise/lifecycle: implement Object Lifecycle Management (#20015)
 - enterprise/providers: WS-Federation (#19583)
-- enterprise/providers: WSFed configurable realm, default wreply (#19996)
+- enterprise/providers: WSFed configurable realm, default `wreply` (#19996)
 - enterprise/reports: improve export list, confirmation (#18981)
 - enterprise/search: add static autocomplete structure (#19008)
 - events: notifications live update (#18980)
@@ -201,7 +203,7 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2026.2
 - security: CVE-2026-25922 (#20232)
 - sources/kerberos: update to new python-kadmin-rs (#19491)
 - sources/oauth: add fallback for id_token when profile URL is not available (#19311)
-- sources/oauth: Fix an issue where wechat may crash duing login. (#18973)
+- sources/oauth: Fix an issue where wechat may crash during login. (#18973)
 - sources/oauth: Fix InvalidAudienceError in id_token fallback (#20096)
 - sources/saml: Add testcases for PR #19593 (#19647)
 - sources/saml: Fix signature verification order to accommodate encrypted assertions (#19593)