web/e2e: fix three regressions blocking the parallel suite

Locally and in CI the new `e2e (playwright)` job appeared to "hang"
under `fullyParallel: true` + `workers: "50%"`. The hang was actually
five tests sharing two unrelated bugs that all manifest as 30s test
timeouts; the cluster only *looks* like a parallelism issue because
multiple workers stall on the same wall-clock window. With these three
fixes the full suite is green in 1m48s on `--workers=2` (was: 5 failed
/ 17 passed in 5m30s).

1. `web/test/browser/600-providers.test.ts`
   PR #21647 dropped the `to:` argument on the `session.login()` call
   in this file's `beforeEach`. Without it, `SessionFixture.login()`
   waits for the auth-flow URL pattern to re-appear — which it does
   immediately, since we just navigated there — so the helper returns
   *before* the post-login redirect lands. The wizard buttons probed
   afterward live on `/if/admin/#/core/providers`, which the user never
   actually reaches; every test in the file then hits the 30s
   `beforeEach` timeout. Pin the destination explicitly, matching the
   shape of every other test file.

2. `web/src/admin/roles/ak-role-list.ts`
   The role-list row anchor had no aria-label, so its accessible name
   was the (random, generated) role name. `500-roles.test.ts` searches
   for that anchor with `getByRole("link", { name: "view details" })`
   — the same selector `400-groups.test.ts` uses against the group
   list, where `GroupListPage.row()` *does* set
   `aria-label="View details of group ..."`. Bring the role row to
   parity with groups; the test wasn't wrong, the UI was missing the
   accessibility hook.

3. `web/test/browser/500-roles.test.ts` ("Edit role from view page")
   The post-edit verification used `page.getByText(updatedName)`, but
   on the role view page the new name renders in two places (the
   "Role <name>" page-navbar heading and the description-list value),
   so the bare text match resolves to two elements and trips
   strict-mode. Add `{ exact: true }` so we assert the canonical value
   the edit wrote rather than the heading template.

Co-Authored-By: Agent (authentik-i21996-internal-achievable-raisin) <279763771+playpen-agent@users.noreply.github.com>

.github/actions/setup-node/action.yml

@@ -0,0 +1,81 @@
+name: "Setup Node.js and NPM"
+description: "Sets up Node.js with a specific NPM version via Corepack"
+inputs:
+  working-directory:
+    description: "Path to the working directory containing the package.json file"
+    required: false
+    default: "."
+  dependencies:
+    required: false
+    description: "List of dependencies to setup"
+    default: "monorepo,working-directory"
+  node-version-file:
+    description: "Path to file containing the Node.js version"
+    required: false
+    default: "package.json"
+  cache-dependency-path:
+    description: "Path to dependency lock file for caching"
+    required: false
+    default: "package-lock.json"
+  cache:
+    description: "Package manager to cache"
+    default: "npm"
+  registry-url:
+    description: "npm registry URL"
+    default: "https://registry.npmjs.org"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Node.js (Corepack bootstrap)
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4
+      with:
+        node-version-file: ${{ inputs.node-version-file }}
+        registry-url: ${{ inputs.registry-url }}
+        # The setup-node action will attempt to create a cache using a version of
+        # npm that may not be compatible with the range specified in package.json.
+        # This can be enabled **after** corepack is installed and the correct npm version is available.
+        package-manager-cache: false
+    - name: Install Corepack
+      working-directory: ${{ github.workspace}}
+      shell: bash
+      run: | #shell
+        node ./scripts/node/lint-runtime.mjs
+        node ./scripts/node/setup-corepack.mjs --force
+        corepack enable
+    - name: Lint Node.js and NPM versions
+      shell: bash
+      run: node ./scripts/node/lint-runtime.mjs
+    - name: Setup Node.js (Monorepo Root)
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4
+      with:
+        node-version-file: ${{ inputs.node-version-file }}
+        cache: ${{ inputs.cache }}
+        cache-dependency-path: ${{ inputs.cache-dependency-path }}
+        registry-url: ${{ inputs.registry-url }}
+    - name: Install monorepo dependencies
+      if: ${{ contains(inputs.dependencies, 'monorepo') }}
+      shell: bash
+      run: | #shell
+        node ./scripts/node/lint-lockfile.mjs
+        corepack npm ci
+    - name: Setup Node.js (Working Directory)
+      if: ${{ contains(inputs.dependencies, 'working-directory') }}
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4
+      with:
+        node-version-file: ${{ inputs.working-directory }}/${{ inputs.node-version-file }}
+        cache: ${{ inputs.cache }}
+        cache-dependency-path: ${{ inputs.working-directory }}/${{ inputs.cache-dependency-path }}
+        registry-url: ${{ inputs.registry-url }}
+
+    - name: Install working directory dependencies
+      if: ${{ contains(inputs.dependencies, 'working-directory') }}
+      shell: bash
+      run: | # shell
+        corepack install
+
+        echo "node version: $(node --version)"
+        echo "npm version: $(corepack npm --version)"
+
+        node ./scripts/node/lint-lockfile.mjs ${{ inputs.working-directory }}
+        corepack npm ci --prefix ${{ inputs.working-directory }}

.github/actions/setup/action.yml

@@ -18,19 +18,24 @@ runs:
   using: "composite"
   steps:
     - name: Cleanup apt
-      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
+      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies,
+        'python') }}
       shell: bash
       run: sudo apt-get remove --purge man-db
     - name: Install apt deps
-      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
+      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies,
+        'python') }}
       uses: gerlero/apt-install@f4fa5265092af9e750549565d28c99aec7189639
       with:
-        packages: libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
+        packages: libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev
+          libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user
+          krb5-admin-server
         update: true
         upgrade: false
         install-recommends: false
     - name: Make space on disk
-      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
+      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies,
+        'python') }}
       shell: bash
       run: |
         sudo mkdir -p /tmp/empty/
@@ -51,7 +56,8 @@ runs:
       working-directory: ${{ inputs.working-directory }}
       run: uv sync --all-extras --dev --frozen
     - name: Setup rust (stable)
-      if: ${{ contains(inputs.dependencies, 'rust') && !contains(inputs.dependencies, 'rust-nightly') }}
+      if: ${{ contains(inputs.dependencies, 'rust') && !contains(inputs.dependencies,
+        'rust-nightly') }}
       uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1
       with:
         rustflags: ""
@@ -64,30 +70,14 @@ runs:
         rustflags: ""
     - name: Setup rust dependencies
       if: ${{ contains(inputs.dependencies, 'rust') }}
-      uses: taiki-e/install-action@cf525cb33f51aca27cd6fa02034117ab963ff9f1 # v2
+      uses: taiki-e/install-action@481c34c1cf3a84c68b5e46f4eccfc82af798415a # v2
       with:
         tool: cargo-deny cargo-machete cargo-llvm-cov nextest
-    - name: Setup node (web)
+    - name: Setup node (root, web)
       if: ${{ contains(inputs.dependencies, 'node') }}
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4
+      uses: ./.github/actions/setup-node
       with:
-        node-version-file: "${{ inputs.working-directory }}web/package.json"
-        cache: "npm"
-        cache-dependency-path: "${{ inputs.working-directory }}web/package-lock.json"
-        registry-url: "https://registry.npmjs.org"
-    - name: Setup node (root)
-      if: ${{ contains(inputs.dependencies, 'node') }}
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4
-      with:
-        node-version-file: "${{ inputs.working-directory }}package.json"
-        cache: "npm"
-        cache-dependency-path: "${{ inputs.working-directory }}package-lock.json"
-        registry-url: "https://registry.npmjs.org"
-    - name: Install Node deps
-      if: ${{ contains(inputs.dependencies, 'node') }}
-      shell: bash
-      working-directory: ${{ inputs.working-directory }}
-      run: npm ci
+        working-directory: web
     - name: Setup go
       if: ${{ contains(inputs.dependencies, 'go') }}
       uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5
@@ -97,15 +87,17 @@ runs:
       if: ${{ contains(inputs.dependencies, 'runtime') }}
       uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
       with:
-        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
+        key: docker-images-${{ runner.os }}-${{
+          hashFiles('.github/actions/setup/compose.yml', 'Makefile') }}-${{
+          inputs.postgresql_version }}
     - name: Setup dependencies
       if: ${{ contains(inputs.dependencies, 'runtime') }}
       shell: bash
       working-directory: ${{ inputs.working-directory }}
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
-        docker compose -f .github/actions/setup/compose.yml up -d
-        cd web && npm ci
+        docker compose -f .github/actions/setup/compose.yml up -d --wait
+        corepack npm ci --prefix web
     - name: Generate config
       if: ${{ contains(inputs.dependencies, 'python') }}
       shell: uv run python {0}

.github/actions/setup/compose.yml

@@ -8,8 +8,14 @@ services:
       POSTGRES_USER: authentik
       POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
       POSTGRES_DB: authentik
+      PGDATA: /var/lib/postgresql/data/pgdata
     ports:
       - 5432:5432
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB} -h 127.0.0.1"]
+      interval: 1s
+      timeout: 5s
+      retries: 60
     restart: always
   s3:
     container_name: s3

.github/workflows/_reusable-docker-build-single.yml

@@ -67,6 +67,16 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: ./.github/actions/setup-node
+        with:
+          working-directory: web
+          dependencies: "monorepo"
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+        with:
+          go-version-file: "go.mod"
+      - name: Generate API Clients
+        run: |
+          make gen-client-ts
       - name: Build Docker Image
         uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         id: push
@@ -81,7 +91,8 @@ jobs:
             ${{ steps.ev.outputs.imageBuildArgs }}
           tags: ${{ steps.ev.outputs.imageTags }}
           platforms: linux/${{ inputs.image_arch }}
-          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
+          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames
+            }}:buildcache-${{ inputs.image_arch }}
           cache-to: ${{ steps.ev.outputs.cacheTo }}
       - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
         id: attest

.github/workflows/api-ts-publish.yml

@@ -0,0 +1,65 @@
+---
+name: API - Publish Typescript client
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "schema.yml"
+  workflow_dispatch:
+
+permissions:
+  # Required for NPM OIDC trusted publisher
+  id-token: write
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - id: generate_token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+      - uses: ./.github/actions/setup-node
+        with:
+          working-directory: web
+      - name: Generate API Client
+        run: make gen-client-ts
+      - name: Publish package
+        working-directory: gen-ts-api/
+        run: |
+          npm i
+          npm publish --tag generated
+      - name: Upgrade /web
+        working-directory: web
+        run: |
+          export VERSION=`node -e 'import mod from "./gen-ts-api/package.json" with { type: "json" };console.log(mod.version);'`
+          npm i @goauthentik/api@$VERSION
+      - name: Upgrade /web/packages/sfe
+        working-directory: web/packages/sfe
+        run: |
+          export VERSION=`node -e 'import mod from "./gen-ts-api/package.json" with { type: "json" };console.log(mod.version);'`
+          npm i @goauthentik/api@$VERSION
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+        id: cpr
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          branch: update-web-api-client
+          commit-message: "web: bump API Client version"
+          title: "web: bump API Client version"
+          body: "web: bump API Client version"
+          delete-branch: true
+          signoff: true
+          # ID from https://api.github.com/users/authentik-automation[bot]
+          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
+          labels: dependencies
+      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
+          merge-method: squash

.github/workflows/ci-api-docs.yml

@@ -22,25 +22,19 @@ jobs:
           - prettier-check
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - name: Install Dependencies
-        working-directory: website/
-        run: npm ci
+      - uses: ./.github/actions/setup-node
+        with:
+          working-directory: website
       - name: Lint
-        working-directory: website/
-        run: npm run ${{ matrix.command }}
+        run: corepack npm run ${{ matrix.command }} --prefix website
   build:
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
         with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        name: Install Dependencies
-        run: npm ci
+          working-directory: website
       - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4
         with:
           path: |
@@ -54,7 +48,7 @@ jobs:
         working-directory: website
         env:
           NODE_ENV: production
-        run: npm run build -w api
+        run: corepack npm run build -w api
       - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4
         with:
           name: api-docs
@@ -71,11 +65,9 @@ jobs:
         with:
           name: api-docs
           path: website/api/build
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
         with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
+          working-directory: website
       - name: Deploy Netlify (Production)
         working-directory: website/api
         if: github.event_name == 'push' && github.ref == 'refs/heads/main'

.github/workflows/ci-aws-cfn.yml

@@ -24,14 +24,9 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
         with:
-          node-version-file: lifecycle/aws/package.json
-          cache: "npm"
-          cache-dependency-path: lifecycle/aws/package-lock.json
-      - working-directory: lifecycle/aws/
-        run: |
-          npm ci
+          working-directory: lifecycle/aws
       - name: Check changes have been applied
         run: |
           uv run make aws-cfn

.github/workflows/ci-docs.yml

@@ -24,46 +24,34 @@ jobs:
           - prettier-check
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - name: Install dependencies
-        working-directory: website/
-        run: npm ci
+      - uses: ./.github/actions/setup-node
+        with:
+          working-directory: website
       - name: Lint
-        working-directory: website/
-        run: npm run ${{ matrix.command }}
+        run: corepack npm run ${{ matrix.command }} --prefix website
   build-docs:
     runs-on: ubuntu-latest
     env:
       NODE_ENV: production
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
+        name: Setup Node.js
         with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        name: Install Dependencies
-        run: npm ci
+          working-directory: website
       - name: Build Documentation via Docusaurus
-        working-directory: website/
-        run: npm run build
+        run: corepack npm run build --prefix website
   build-integrations:
     runs-on: ubuntu-latest
     env:
       NODE_ENV: production
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
         with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        name: Install Dependencies
-        run: npm ci
+          working-directory: website
       - name: Build Integrations via Docusaurus
-        working-directory: website/
-        run: npm run build -w integrations
+        run: corepack npm run build -w integrations --prefix website
   build-container:
     runs-on: ubuntu-latest
     permissions:
@@ -104,7 +92,9 @@ jobs:
           platforms: linux/amd64,linux/arm64
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
+          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' &&
+            'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max'
+            || '' }}
       - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}

.github/workflows/ci-main.yml

@@ -73,7 +73,8 @@ jobs:
       - name: generate API clients
         run: make gen-clients
       - name: ensure schema is up-to-date
-        run: git diff --exit-code -- schema.yml blueprints/schema.json packages/client-go packages/client-rust packages/client-ts
+        run: git diff --exit-code -- schema.yml blueprints/schema.json
+          packages/client-go packages/client-rust packages/client-ts
   test-migrations:
     runs-on: ubuntu-latest
     steps:
@@ -91,7 +92,8 @@ jobs:
     outputs:
       seed: ${{ steps.seed.outputs.seed }}
   test-migrations-from-stable:
-    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{
+      matrix.run_id }}/5
     runs-on: ubuntu-latest
     timeout-minutes: 30
     needs: test-make-seed
@@ -101,7 +103,7 @@ jobs:
         psql:
           - 14-alpine
           - 18-alpine
-        run_id: [1, 2, 3, 4, 5]
+        run_id: [ 1, 2, 3, 4, 5 ]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
@@ -109,8 +111,13 @@ jobs:
       - name: checkout stable
         run: |
           set -e -o pipefail
+
           cp -R .github ..
           cp -R scripts ..
+
+          mkdir -p ../packages
+          cp -R packages/logger-js ../packages/logger-js
+
           # Previous stable tag
           prev_stable=$(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
           # Current version family based on
@@ -118,10 +125,13 @@ jobs:
           if [[ -n $current_version_family ]]; then
               prev_stable="version/${current_version_family}"
           fi
+
           echo "::notice::Checking out ${prev_stable} as stable version..."
           git checkout ${prev_stable}
-          rm -rf .github/ scripts/
+
+          rm -rf .github/ scripts/ packages/logger-js/
           mv ../.github ../scripts .
+          mv ../packages/logger-js ./packages/
       - name: Setup authentik env (stable)
         uses: ./.github/actions/setup
         with:
@@ -169,7 +179,7 @@ jobs:
         psql:
           - 14-alpine
           - 18-alpine
-        run_id: [1, 2, 3, 4, 5]
+        run_id: [ 1, 2, 3, 4, 5 ]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Setup authentik env
@@ -252,19 +262,22 @@ jobs:
           COMPOSE_PROFILES: ${{ matrix.job.profiles }}
         run: |
           docker compose -f tests/e2e/compose.yml up -d --quiet-pull
+      - uses: ./.github/actions/setup-node
       - id: cache-web
         uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4
         if: contains(matrix.job.profiles, 'selenium')
         with:
           path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json',
+            'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
       - name: prepare web ui
-        if: steps.cache-web.outputs.cache-hit != 'true' && contains(matrix.job.profiles, 'selenium')
+        if: steps.cache-web.outputs.cache-hit != 'true' && contains(matrix.job.profiles,
+          'selenium')
         working-directory: web
         run: |
-          npm ci
-          npm run build
-          npm run build:sfe
+          corepack npm ci
+          corepack npm run build
+          corepack npm run build:sfe
       - name: run e2e
         run: |
           uv run coverage run manage.py test ${{ matrix.job.glob }}
@@ -302,14 +315,14 @@ jobs:
         uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4
         with:
           path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**',
+            'web/packages/sfe/src/**') }}-b
       - name: prepare web ui
         if: steps.cache-web.outputs.cache-hit != 'true'
-        working-directory: web
         run: |
-          npm ci
-          npm run build
-          npm run build:sfe
+          corepack npm ci --prefix web
+          corepack npm run build --prefix web
+          corepack npm run build:sfe --prefix web
       - name: run conformance
         run: |
           uv run coverage run manage.py test ${{ matrix.job.glob }}
@@ -375,7 +388,9 @@ jobs:
     uses: ./.github/workflows/_reusable-docker-build.yml
     secrets: inherit
     with:
-      image_name: ${{ github.repository == 'goauthentik/authentik-internal' && 'ghcr.io/goauthentik/internal-server' || 'ghcr.io/goauthentik/dev-server' }}
+      image_name: ${{ github.repository == 'goauthentik/authentik-internal' &&
+        'ghcr.io/goauthentik/internal-server' ||
+        'ghcr.io/goauthentik/dev-server' }}
       release: false
   pr-comment:
     needs:

.github/workflows/ci-outpost.yml

@@ -114,8 +114,11 @@ jobs:
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
           platforms: linux/amd64,linux/arm64
           context: .
-          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
+          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type
+            }}:buildcache
+          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' &&
+            format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max',
+            matrix.type) || '' }}
       - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
@@ -136,8 +139,8 @@ jobs:
           - ldap
           - radius
           - rac
-        goos: [linux]
-        goarch: [amd64, arm64]
+        goos: [ linux ]
+        goarch: [ amd64, arm64 ]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
@@ -145,16 +148,11 @@ jobs:
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
         with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
+          working-directory: web
       - name: Build web
-        working-directory: web/
-        run: |
-          npm ci
-          npm run build-proxy
+        run: corepack npm run build-proxy --prefix web
       - name: Build outpost
         run: |
           set -x

.github/workflows/ci-web.yml

@@ -12,51 +12,280 @@ on:
       - main
       - version-*
 
+env:
+  POSTGRES_DB: authentik
+  POSTGRES_USER: authentik
+  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
+  AUTHENTIK_BLUEPRINTS_DIR: "./blueprints"
+  AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST: "true"
+  # Drives the system/bootstrap.yaml blueprint at startup: creates akadmin with
+  # these credentials and flips the Setup flag (Setup.set(True)) so the SPA's
+  # post-login redirect to "/" doesn't bounce through /setup, which would 500
+  # because the OOBE policy refuses to run once akadmin already has a usable
+  # password. See authentik/core/setup/signals.py and blueprints/default/flow-oobe.yaml.
+  AUTHENTIK_BOOTSTRAP_EMAIL: "test-admin@goauthentik.io"
+  AUTHENTIK_BOOTSTRAP_PASSWORD: "test-runner"
+
 jobs:
   lint:
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - lint
-          - lint:lockfile
-          - tsc
-          - prettier-check
-        project:
-          - web
-        include:
-          - command: tsc
-            project: web
-          - command: lit-analyse
-            project: web
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
         with:
-          node-version-file: ${{ matrix.project }}/package.json
-          cache: "npm"
-          cache-dependency-path: ${{ matrix.project }}/package-lock.json
-      - working-directory: ${{ matrix.project }}/
-        run: |
-          npm ci
+          working-directory: web
       - name: Lint
-        working-directory: ${{ matrix.project }}/
-        run: npm run ${{ matrix.command }}
+        run: corepack npm run lint --prefix web
+      - name: Check types
+        run: corepack npm run tsc --prefix web
+      - name: Check formatting
+        run: corepack npm run prettier-check --prefix web
+      - name: Lit analyse
+        run: corepack npm run lit-analyse --prefix web
+
   build:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
         with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
-        run: npm ci
+          working-directory: web
       - name: build
         working-directory: web/
-        run: npm run build
+        run: corepack npm run build
+  e2e:
+    name: e2e (playwright)
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    permissions:
+      contents: read
+      # Required so the "Comment Playwright result on PR" step can update its
+      # marker comment via the gh CLI / REST API.
+      pull-requests: write
+      # Required so the optional "Upload HTML report to S3" step can mint OIDC
+      # credentials with aws-actions/configure-aws-credentials. Harmless when
+      # the upload is gated off.
+      id-token: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
+        with:
+          dependencies: system,python,node,go,rust,runtime
+      - name: Build web UI
+        run: corepack npm run --prefix web build
+      - name: Build authentik server (Go)
+        run: | # shell
+          go build -o ./bin/authentik-server ./cmd/server
+          sudo install -m 0755 ./bin/authentik-server /usr/local/bin/authentik-server
+      - name: Build authentik worker (Rust)
+        run: | # shell
+          cargo build --release --bin authentik
+          sudo install -m 0755 ./target/release/authentik /usr/local/bin/authentik
+      - name: Apply migrations
+        run: uv run python -m lifecycle.migrate
+      - name: Resolve Playwright version
+        id: playwright-version
+        working-directory: web
+        run: | # shell
+          version=$(node -p "require('@playwright/test/package.json').version")
+          if [ -z "$version" ]; then
+            echo "Failed to resolve @playwright/test version" >&2
+            exit 1
+          fi
+          echo "version=${version}" >> "$GITHUB_OUTPUT"
+      - name: Cache Playwright browsers
+        id: playwright-cache
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4
+        with:
+          path: ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-${{ steps.playwright-version.outputs.version }}
+      - name: Install Playwright browsers
+        working-directory: web
+        run: | # shell
+          if [ "${{ steps.playwright-cache.outputs.cache-hit }}" = "true" ]; then
+            corepack npm exec -- playwright install-deps chromium
+          else
+            corepack npm exec -- playwright install --with-deps chromium
+          fi
+      - name: Start authentik server and worker
+        run: | # shell
+          set -euo pipefail
+          mkdir -p /tmp/ak-logs
+
+          # The Go server (authentik-server) spawns gunicorn as a child via PATH lookup
+          # and inherits the env that `uv run` set up for it. Verify gunicorn resolves
+          # under the same launcher so we fail fast here instead of waiting for an
+          # empty 200 from the proxy fallback later.
+          uv run --frozen sh -c 'command -v gunicorn' \
+            || { echo "gunicorn not resolvable from uv run"; exit 1; }
+
+          uv run ak server > /tmp/ak-logs/server.log 2>&1 &
+          echo $! > /tmp/ak-logs/server.pid
+
+          # The Rust worker also opens an HTTP/metrics server on listen.http /
+          # listen.metrics (default :9000 / :9300). On a single CI host that races the
+          # Go server's binds and silently steals :9000, leaving Playwright talking to
+          # a healthcheck-only axum router that returns 200/empty for /if/* paths.
+          # Pin the worker to disjoint ports so the Go server keeps the public 9000.
+          AUTHENTIK_LISTEN__HTTP="[::]:9001" \
+          AUTHENTIK_LISTEN__METRICS="[::]:9301" \
+          uv run ak worker > /tmp/ak-logs/worker.log 2>&1 &
+          echo $! > /tmp/ak-logs/worker.pid
+      - name: Wait for authentik to be ready
+        run: | # shell
+          set -euo pipefail
+          # Readiness probes must verify the Go server is actually serving the request,
+          # not just that *something* on :9000 returned 200. The Go proxy stamps
+          # `X-authentik-version` on its static responses and the rendered flow page
+          # contains the <ak-flow-executor> custom element — both are absent from the
+          # worker's axum healthcheck router, so checking either rules out the
+          # port-collision failure mode.
+          timeout 240 bash -c '
+            until curl -fsS -o /dev/null http://localhost:9000/-/health/ready/; do
+              sleep 2
+            done'
+          timeout 300 bash -c '
+            until curl -fsS http://localhost:9000/if/flow/default-authentication-flow/ \
+              | grep -q "ak-flow-executor"; do
+              sleep 3
+            done'
+      - name: Run Playwright tests
+        working-directory: web
+        env:
+          AK_TEST_RUNNER_PAGE_URL: http://localhost:9000
+        run: corepack npm run test:e2e
+      # Reporting / upload steps below intentionally use `!cancelled()` rather
+      # than `failure()`: a cancelled run (e.g. superseded by a newer push) is
+      # not a real result and shouldn't produce reviewer-facing artifacts or
+      # comments. `if-no-files-found: ignore` keeps the "passed" case quiet.
+      - name: Upload Playwright HTML report
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: playwright-report
+          path: web/playwright-report/
+          retention-days: 14
+          if-no-files-found: ignore
+      - name: Upload Playwright traces and videos
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: playwright-traces
+          path: web/test-results/
+          retention-days: 14
+          if-no-files-found: ignore
+      - name: Upload authentik server and worker logs
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: authentik-logs
+          path: /tmp/ak-logs/
+          retention-days: 14
+          if-no-files-found: ignore
+      - name: Parse Playwright results
+        id: playwright-results
+        if: ${{ !cancelled() }}
+        run: | # shell
+          set -euo pipefail
+          report=web/playwright-report/results.json
+          if [ ! -f "$report" ]; then
+            {
+              echo "available=false"
+              echo "passed=0"
+              echo "failed=0"
+              echo "flaky=0"
+              echo "skipped=0"
+            } >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          {
+            echo "available=true"
+            echo "passed=$(jq -r '.stats.expected // 0' "$report")"
+            echo "failed=$(jq -r '.stats.unexpected // 0' "$report")"
+            echo "flaky=$(jq -r '.stats.flaky // 0' "$report")"
+            echo "skipped=$(jq -r '.stats.skipped // 0' "$report")"
+          } >> "$GITHUB_OUTPUT"
+      # The S3 publishing pair below is intentionally gated off until the
+      # `authentik-playwright-artifacts` bucket is provisioned by infra. Flip
+      # the repo variable `PLAYWRIGHT_S3_ENABLED=true` to turn it on; the URL
+      # baked into the PR comment below already points at the eventual key.
+      - name: Configure AWS credentials for HTML report upload
+        if: ${{ !cancelled() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && vars.PLAYWRIGHT_S3_ENABLED == 'true' }}
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
+        with:
+          role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
+          aws-region: eu-central-1
+      - name: Upload HTML report to S3
+        if: ${{ !cancelled() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && vars.PLAYWRIGHT_S3_ENABLED == 'true' }}
+        env:
+          S3_BUCKET: authentik-playwright-artifacts
+          S3_KEY_PREFIX: pr-${{ github.event.pull_request.number }}/run-${{ github.run_id }}/attempt-${{ github.run_attempt }}
+        run: | # shell
+          set -euo pipefail
+          if [ ! -d web/playwright-report ]; then
+            echo "No playwright-report/ produced; skipping S3 upload"
+            exit 0
+          fi
+          aws s3 cp \
+            --recursive \
+            --acl=public-read \
+            --cache-control "public, max-age=600" \
+            web/playwright-report/ \
+            "s3://${S3_BUCKET}/${S3_KEY_PREFIX}/"
+      # Same-repo guard: fork PRs run with a read-only GITHUB_TOKEN (even after
+      # maintainer approval), so the comment + edit calls would 403. Skip cleanly
+      # rather than failing the job on every fork PR run.
+      - name: Comment Playwright result on PR
+        if: ${{ !cancelled() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          AVAILABLE: ${{ steps.playwright-results.outputs.available }}
+          PASSED: ${{ steps.playwright-results.outputs.passed }}
+          FAILED: ${{ steps.playwright-results.outputs.failed }}
+          FLAKY: ${{ steps.playwright-results.outputs.flaky }}
+          SKIPPED: ${{ steps.playwright-results.outputs.skipped }}
+          S3_ENABLED: ${{ vars.PLAYWRIGHT_S3_ENABLED }}
+          REPORT_URL: https://authentik-playwright-artifacts.s3.amazonaws.com/pr-${{ github.event.pull_request.number }}/run-${{ github.run_id }}/attempt-${{ github.run_attempt }}/index.html
+          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}
+        run: | # shell
+          set -euo pipefail
+          marker='<!-- playwright-result -->'
+
+          if [ "$AVAILABLE" = "true" ]; then
+            if [ "$FAILED" -gt 0 ]; then
+              status='❌ Failed'
+            elif [ "$FLAKY" -gt 0 ]; then
+              status='⚠️ Passed with flakes'
+            else
+              status='✅ Passed'
+            fi
+            stats=$(printf '| Result | Count |\n|---|---|\n| ✅ Passed | %s |\n| ❌ Failed | %s |\n| ⚠️ Flaky | %s |\n| ⏭️ Skipped | %s |\n' "$PASSED" "$FAILED" "$FLAKY" "$SKIPPED")
+          else
+            status='⚠️ No results produced'
+            stats='The job did not produce `playwright-report/results.json`. The suite likely crashed before the JSON reporter wrote its output — see the workflow run for setup-step failures.'
+          fi
+
+          if [ "$S3_ENABLED" = "true" ]; then
+            report_line=$(printf '[HTML report](%s) · [Workflow run](%s)' "$REPORT_URL" "$RUN_URL")
+          else
+            report_line=$(printf '[Workflow run](%s) · _HTML report hosting is gated off until the `authentik-playwright-artifacts` S3 bucket is provisioned (`vars.PLAYWRIGHT_S3_ENABLED`). Until then, download the `playwright-report` artifact from the run page._' "$RUN_URL")
+          fi
+
+          body=$(printf '%s\n## Playwright e2e — %s\n\n%s\n\n%s\n' "$marker" "$status" "$stats" "$report_line")
+
+          existing=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" \
+            --paginate \
+            --jq "[.[] | select(.body != null and (.body | startswith(\"$marker\")))] | .[0].id // empty")
+
+          if [ -n "$existing" ]; then
+            gh api -X PATCH "repos/${GITHUB_REPOSITORY}/issues/comments/${existing}" -f body="$body" > /dev/null
+            echo "Updated existing comment ${existing}"
+          else
+            gh api -X POST "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" -f body="$body" > /dev/null
+            echo "Created new playwright-result comment"
+          fi
   ci-web-mark:
     if: always()
     needs:
@@ -73,13 +302,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
         with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
-        run: npm ci
+          working-directory: web
       - name: test
         working-directory: web/
-        run: npm run test || exit 0
+        run: corepack npm run test || exit 0

.github/workflows/packages-npm-publish.yml

@@ -3,7 +3,7 @@ name: Packages - Publish NPM packages
 
 on:
   push:
-    branches: [main]
+    branches: [ main ]
     paths:
       - packages/tsconfig/**
       - packages/eslint-config/**
@@ -35,22 +35,19 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           fetch-depth: 2
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
         with:
-          node-version-file: ${{ matrix.package }}/package.json
-          registry-url: "https://registry.npmjs.org"
+          working-directory: ${{ matrix.package }}
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
         with:
           files: |
             ${{ matrix.package }}/package.json
-      - name: Install Dependencies
-        run: npm ci
       - name: Publish package
         if: steps.changed-files.outputs.any_changed == 'true'
         working-directory: ${{ matrix.package }}
         run: |
-          npm ci
-          npm run build
-          npm publish
+          corepack npm ci
+          corepack npm run build
+          corepack npm publish

.github/workflows/release-publish.yml

@@ -3,7 +3,7 @@ name: Release - On publish
 
 on:
   release:
-    types: [published, created]
+    types: [ published, created ]
 
 jobs:
   build-server:
@@ -87,11 +87,9 @@ jobs:
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
         with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
+          working-directory: web
       - name: Set up QEMU
         uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       - name: Set up Docker Buildx
@@ -144,22 +142,16 @@ jobs:
           - proxy
           - ldap
           - radius
-        goos: [linux, darwin]
-        goarch: [amd64, arm64]
+        goos: [ linux, darwin ]
+        goarch: [ amd64, arm64 ]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
         with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - name: Install web dependencies
-        working-directory: web/
-        run: |
-          npm ci
+          working-directory: web
       - name: Build web
         working-directory: web/
         run: |
@@ -175,8 +167,10 @@ jobs:
         uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
-          file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
-          asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
+          file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{
+            matrix.goarch }}
+          asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{
+            matrix.goarch }}
           tag: ${{ github.ref }}
   upload-aws-cfn-template:
     permissions:

.gitignore

@@ -14,6 +14,8 @@ media
 # Node
 
 node_modules
+corepack.tgz
+.corepack
 
 .cspellcache
 cspell-report.*

Makefile

@@ -106,8 +106,9 @@ migrate: ## Run the Authentik Django server's migrations
 
 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service
 
-aws-cfn:
-	cd lifecycle/aws && npm i && $(UV) run npm run aws-cfn
+aws-cfn: node-install
+	corepack npm install --prefix lifecycle/aws
+	$(UV) run corepack npm run aws-cfn --prefix lifecycle/aws
 
 run-server:  ## Run the main authentik server process
 	$(UV) run ak server
@@ -118,9 +119,6 @@ run-worker:  ## Run the main authentik worker process
 run-worker-watch:  ## Run the authentik worker, with auto reloading
 	watchexec --on-busy-update=restart --stop-signal=SIGINT --exts py,rs --no-meta --notify -- $(UV) run ak worker
 
-debug-attach:  ## Attach pdb to a running authentik Python worker (PEP 768). PID=<pid> to pick; SUDO=1 on macOS.
-	$(UV) run python scripts/debug_attach.py
-
 core-i18n-extract:
 	$(UV) run ak makemessages \
 		--add-location file \
@@ -131,7 +129,7 @@ core-i18n-extract:
 		--ignore website \
 		-l en
 
-install: node-install docs-install core-install  ## Install all requires dependencies for `node`, `docs` and `core`
+install: node-install web-install core-install  ## Install all requires dependencies for `node`, `web` and `core`
 
 dev-drop-db:
 	$(eval pg_user := $(shell $(UV) run python -m authentik.lib.config postgresql.user 2>/dev/null))
@@ -235,38 +233,46 @@ gen-dev-config:  ## Generate a local development config file
 #########################
 
 node-install:  ## Install the necessary libraries to build Node.js packages
-	npm ci
-	npm ci --prefix web
+	node ./scripts/node/setup-corepack.mjs
+	node ./scripts/node/lint-runtime.mjs
+
+	node ./scripts/node/lint-runtime.mjs
 
 #########################
 ## Web
 #########################
 
-web-build: node-install  ## Build the Authentik UI
-	npm run --prefix web build
+web-install: ## Install the necessary libraries to build the Authentik UI
+	node ./scripts/node/lint-runtime.mjs web
+
+	corepack npm ci
+	corepack npm ci --prefix web
+
+web-build:  ## Build the Authentik UI
+	corepack npm run --prefix web build
 
 web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
 
 web-test: ## Run tests for the Authentik UI
-	npm run --prefix web test
+	corepack npm run --prefix web test
 
 web-watch:  ## Build and watch the Authentik UI for changes, updating automatically
-	npm run --prefix web watch
+	corepack npm run --prefix web watch
 web-storybook-watch:  ## Build and run the storybook documentation server
-	npm run --prefix web storybook
+	corepack npm run --prefix web storybook
 
 web-lint-fix:
-	npm run --prefix web prettier
+	corepack npm run --prefix web prettier
 
 web-lint:
-	npm run --prefix web lint
-	npm run --prefix web lit-analyse
+	corepack npm run --prefix web lint
+	corepack npm run --prefix web lit-analyse
 
 web-check-compile:
-	npm run --prefix web tsc
+	corepack npm run --prefix web tsc
 
 web-i18n-extract:
-	npm run --prefix web extract-locales
+	corepack npm run --prefix web extract-locales
 
 #########################
 ## Docs
@@ -274,35 +280,40 @@ web-i18n-extract:
 
 docs: docs-lint-fix docs-build  ## Automatically fix formatting issues in the Authentik docs source code, lint the code, and compile it
 
-docs-install:
-	npm ci --prefix website
+docs-install: node-install  ## Install the necessary libraries to build the Authentik documentation
+	node ./scripts/node/lint-runtime.mjs
+
+	corepack npm ci
+
+	corepack npm ci --prefix website
 
 docs-lint-fix: lint-spellcheck
-	npm run --prefix website prettier
+	corepack npm run --prefix website prettier
 
 docs-build:
-	npm run --prefix website build
+	node ./scripts/node/lint-runtime.mjs website
+	corepack npm run --prefix website build
 
 docs-watch:  ## Build and watch the topics documentation
-	npm run --prefix website start
+	corepack npm run --prefix website start
 
 integrations: docs-lint-fix integrations-build ## Fix formatting issues in the integrations source code, lint the code, and compile it
 
 integrations-build:
-	npm run --prefix website -w integrations build
+	corepack npm run --prefix website -w integrations build
 
 integrations-watch:  ## Build and watch the Integrations documentation
-	npm run --prefix website -w integrations start
+	corepack npm run --prefix website -w integrations start
 
 docs-api-build:
-	npm run --prefix website -w api build
+	corepack npm run --prefix website -w api build
 
 docs-api-watch:  ## Build and watch the API documentation
-	npm run --prefix website -w api generate
-	npm run --prefix website -w api start
+	corepack npm run --prefix website -w api generate
+	corepack npm run --prefix website -w api start
 
 docs-api-clean: ## Clean generated API documentation
-	npm run --prefix website -w api build:api:clean
+	corepack npm run --prefix website -w api build:api:clean
 
 #########################
 ## Docker

authentik/api/tests/test_viewsets.py

@@ -1,31 +1,73 @@
 """authentik API Modelviewset tests"""
 
 from collections.abc import Callable
+from urllib.parse import urlencode
 
 from django.test import TestCase
 from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
 
+from authentik.admin.api.version_history import VersionHistoryViewSet
 from authentik.api.v3.urls import router
+from authentik.core.tests.utils import RequestFactory, create_test_admin_user
+from authentik.lib.generators import generate_id
+from authentik.tenants.api.domains import DomainViewSet
+from authentik.tenants.api.tenants import TenantViewSet
+from authentik.tenants.utils import get_current_tenant
 
 
 class TestModelViewSets(TestCase):
     """Test Viewset"""
 
+    def setUp(self):
+        self.user = create_test_admin_user()
+        self.factory = RequestFactory()
 
-def viewset_tester_factory(test_viewset: type[ModelViewSet]) -> Callable:
+
+def viewset_tester_factory(test_viewset: type[ModelViewSet], full=True) -> dict[str, Callable]:
     """Test Viewset"""
 
-    def tester(self: TestModelViewSets):
-        self.assertIsNotNone(getattr(test_viewset, "search_fields", None))
+    def test_attrs(self: TestModelViewSets) -> None:
+        """Test attributes we require on all viewsets"""
         self.assertIsNotNone(getattr(test_viewset, "ordering", None))
+        self.assertIsNotNone(getattr(test_viewset, "search_fields", None))
         filterset_class = getattr(test_viewset, "filterset_class", None)
         if not filterset_class:
             self.assertIsNotNone(getattr(test_viewset, "filterset_fields", None))
 
-    return tester
+    def test_ordering(self: TestModelViewSets) -> None:
+        """Test that all ordering fields are correct"""
+        view = test_viewset.as_view({"get": "list"})
+        for ordering_field in test_viewset.ordering:
+            with self.subTest(ordering_field):
+                req = self.factory.get(
+                    f"/?{urlencode({'ordering': ordering_field}, doseq=True)}", user=self.user
+                )
+                req.tenant = get_current_tenant()
+                res = view(req)
+                self.assertEqual(res.status_code, 200)
+
+    def test_search(self: TestModelViewSets) -> None:
+        """Test that search fields are correct"""
+        view = test_viewset.as_view({"get": "list"})
+        req = self.factory.get(
+            f"/?{urlencode({'search': generate_id()}, doseq=True)}", user=self.user
+        )
+        req.tenant = get_current_tenant()
+        res = view(req)
+        self.assertEqual(res.status_code, 200)
+
+    cases = {
+        "attrs": test_attrs,
+    }
+    if full:
+        cases["ordering"] = test_ordering
+        cases["search"] = test_search
+    return cases
 
 
 for _, viewset, _ in router.registry:
     if not issubclass(viewset, ModelViewSet | ReadOnlyModelViewSet):
         continue
-    setattr(TestModelViewSets, f"test_viewset_{viewset.__name__}", viewset_tester_factory(viewset))
+    full = viewset not in [VersionHistoryViewSet, DomainViewSet, TenantViewSet]
+    for test, case in viewset_tester_factory(viewset, full=full).items():
+        setattr(TestModelViewSets, f"test_viewset_{viewset.__name__}_{test}", case)

authentik/blueprints/api.py

@@ -126,7 +126,7 @@ class BlueprintInstanceSerializer(ModelSerializer):
 
 def check_blueprint_perms(blueprint: Blueprint, user: User, explicit_action: str | None = None):
     """Check for individual permissions for each model in a blueprint"""
-    for entry in blueprint.entries:
+    for entry in blueprint.iter_entries():
         full_model = entry.get_model(blueprint)
         app, __, model = full_model.partition(".")
         perms = [

authentik/blueprints/tests/test_v1_conditions.py

@@ -1,8 +1,11 @@
 """Test blueprints v1"""
 
+from unittest.mock import patch
+
 from django.test import TransactionTestCase
 
 from authentik.blueprints.v1.importer import Importer
+from authentik.enterprise.license import LicenseKey
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import load_fixture
@@ -42,3 +45,45 @@ class TestBlueprintsV1Conditions(TransactionTestCase):
         # Ensure objects do not exist
         self.assertFalse(Flow.objects.filter(slug=flow_slug1))
         self.assertFalse(Flow.objects.filter(slug=flow_slug2))
+
+    def test_enterprise_license_context_unlicensed(self):
+        """Test enterprise license context defaults to a false boolean when unlicensed."""
+        license_key = LicenseKey("test", 0, "Test license", 0, 0)
+
+        with patch("authentik.enterprise.license.LicenseKey.get_total", return_value=license_key):
+            importer = Importer.from_string("""
+version: 1
+entries:
+    - identifiers:
+          name: enterprise-test
+          slug: enterprise-test
+      model: authentik_flows.flow
+      conditions:
+          - !Context goauthentik.io/enterprise/licensed
+      attrs:
+          designation: stage_configuration
+          title: foo
+""")
+
+        self.assertIs(importer.blueprint.context["goauthentik.io/enterprise/licensed"], False)
+
+    def test_enterprise_license_context_licensed(self):
+        """Test enterprise license context defaults to a true boolean when licensed."""
+        license_key = LicenseKey("test", 253402300799, "Test license", 1000, 1000)
+
+        with patch("authentik.enterprise.license.LicenseKey.get_total", return_value=license_key):
+            importer = Importer.from_string("""
+version: 1
+entries:
+    - identifiers:
+          name: enterprise-test
+          slug: enterprise-test
+      model: authentik_flows.flow
+      conditions:
+          - !Context goauthentik.io/enterprise/licensed
+      attrs:
+          designation: stage_configuration
+          title: foo
+""")
+
+        self.assertIs(importer.blueprint.context["goauthentik.io/enterprise/licensed"], True)

authentik/blueprints/v1/importer.py

@@ -146,9 +146,7 @@ class Importer:
         try:
             from authentik.enterprise.license import LicenseKey
 
-            context["goauthentik.io/enterprise/licensed"] = (
-                LicenseKey.get_total().status().is_valid,
-            )
+            context["goauthentik.io/enterprise/licensed"] = LicenseKey.get_total().status().is_valid
         except ModuleNotFoundError:
             pass
         return context

authentik/brands/api.py

@@ -64,6 +64,7 @@ class BrandSerializer(ModelSerializer):
             "flow_unenrollment",
             "flow_user_settings",
             "flow_device_code",
+            "flow_lockdown",
             "default_application",
             "web_certificate",
             "client_certificates",
@@ -117,6 +118,7 @@ class CurrentBrandSerializer(PassiveSerializer):
     flow_unenrollment = CharField(source="flow_unenrollment.slug", required=False)
     flow_user_settings = CharField(source="flow_user_settings.slug", required=False)
     flow_device_code = CharField(source="flow_device_code.slug", required=False)
+    flow_lockdown = CharField(source="flow_lockdown.slug", required=False)
 
     default_locale = CharField(read_only=True)
     flags = SerializerMethodField()
@@ -154,6 +156,7 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
         "flow_unenrollment",
         "flow_user_settings",
         "flow_device_code",
+        "flow_lockdown",
         "web_certificate",
         "client_certificates",
     ]

authentik/brands/migrations/0012_brand_flow_lockdown.py

@@ -0,0 +1,25 @@
+# Generated by Django 5.2.12 on 2026-03-14 02:58
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_brands", "0011_alter_brand_branding_default_flow_background_and_more"),
+        ("authentik_flows", "0031_alter_flow_layout"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="brand",
+            name="flow_lockdown",
+            field=models.ForeignKey(
+                null=True,
+                on_delete=django.db.models.deletion.SET_NULL,
+                related_name="brand_lockdown",
+                to="authentik_flows.flow",
+            ),
+        ),
+    ]

authentik/brands/models.py

@@ -58,6 +58,9 @@ class Brand(SerializerModel):
     flow_device_code = models.ForeignKey(
         Flow, null=True, on_delete=models.SET_NULL, related_name="brand_device_code"
     )
+    flow_lockdown = models.ForeignKey(
+        Flow, null=True, on_delete=models.SET_NULL, related_name="brand_lockdown"
+    )
 
     default_application = models.ForeignKey(
         "authentik_core.Application",

authentik/brands/tests.py

@@ -20,11 +20,16 @@ class TestBrands(APITestCase):
 
     def setUp(self):
         super().setUp()
-        self.default_flags = {}
-        for flag in Flag.available(visibility="public"):
-            self.default_flags[flag().key] = flag.get()
         Brand.objects.all().delete()
 
+    @property
+    def default_flags(self) -> dict[str, object]:
+        """Get current public flags.
+
+        Some tests define temporary Flag subclasses, so this can't be cached in setUp.
+        """
+        return {flag().key: flag.get() for flag in Flag.available(visibility="public")}
+
     def test_current_brand(self):
         """Test Current brand API"""
         brand = create_test_brand()

authentik/core/api/application_entitlements.py

@@ -47,7 +47,8 @@ class ApplicationEntitlementViewSet(UsedByMixin, ModelViewSet):
     search_fields = [
         "pbm_uuid",
         "name",
-        "app",
+        "app__name",
+        "app__slug",
         "attributes",
     ]
     filterset_fields = [

authentik/core/api/users.py

@@ -563,6 +563,9 @@ class UsersFilter(FilterSet):
 
 
 class UserViewSet(
+    ConditionalInheritance(
+        "authentik.enterprise.stages.account_lockdown.api.UserAccountLockdownMixin"
+    ),
     ConditionalInheritance("authentik.enterprise.reports.api.reports.ExportMixin"),
     UsedByMixin,
     ModelViewSet,

authentik/core/templates/login/base_full.html

@@ -12,7 +12,7 @@
 {% block head %}
 <style data-id="static-styles">
     :root {
-        --ak-global--background-image: url("{{ request.brand.branding_default_flow_background_url }}");
+        --ak-global--background-image: url("{{ request.brand.branding_default_flow_background_url|iriencode|safe }}");
     }
 </style>
 

authentik/enterprise/lifecycle/api/iterations.py

@@ -1,7 +1,6 @@
 from datetime import datetime
 
-from django.db.models import BooleanField as ModelBooleanField
-from django.db.models import Case, Q, Value, When
+from django.db.models import Exists, OuterRef, Q, Subquery
 from django_filters.rest_framework import BooleanFilter, FilterSet
 from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
@@ -14,7 +13,7 @@ from rest_framework.viewsets import GenericViewSet
 from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.lifecycle.api.reviews import ReviewSerializer
-from authentik.enterprise.lifecycle.models import LifecycleIteration, ReviewState
+from authentik.enterprise.lifecycle.models import LifecycleIteration, LifecycleRule, ReviewState
 from authentik.enterprise.lifecycle.utils import (
     ContentTypeField,
     ReviewerGroupSerializer,
@@ -26,20 +25,25 @@ from authentik.enterprise.lifecycle.utils import (
 from authentik.lib.utils.time import timedelta_from_string
 
 
+class RelatedRuleSerializer(EnterpriseRequiredMixin, ModelSerializer):
+    reviewer_groups = ReviewerGroupSerializer(many=True, read_only=True)
+    min_reviewers = IntegerField(read_only=True)
+    reviewers = ReviewerUserSerializer(many=True, read_only=True)
+
+    class Meta:
+        model = LifecycleRule
+        fields = ["id", "name", "reviewer_groups", "min_reviewers", "reviewers"]
+
+
 class LifecycleIterationSerializer(EnterpriseRequiredMixin, ModelSerializer):
     content_type = ContentTypeField()
     object_verbose = SerializerMethodField()
+    rule = RelatedRuleSerializer(read_only=True)
     object_admin_url = SerializerMethodField(read_only=True)
     grace_period_end = SerializerMethodField(read_only=True)
     reviews = ReviewSerializer(many=True, read_only=True, source="review_set.all")
     user_can_review = SerializerMethodField(read_only=True)
 
-    reviewer_groups = ReviewerGroupSerializer(
-        many=True, read_only=True, source="rule.reviewer_groups"
-    )
-    min_reviewers = IntegerField(read_only=True, source="rule.min_reviewers")
-    reviewers = ReviewerUserSerializer(many=True, read_only=True, source="rule.reviewers")
-
     next_review_date = SerializerMethodField(read_only=True)
 
     class Meta:
@@ -55,10 +59,8 @@ class LifecycleIterationSerializer(EnterpriseRequiredMixin, ModelSerializer):
             "grace_period_end",
             "next_review_date",
             "reviews",
+            "rule",
             "user_can_review",
-            "reviewer_groups",
-            "min_reviewers",
-            "reviewers",
         ]
         read_only_fields = fields
 
@@ -88,43 +90,55 @@ class IterationViewSet(EnterpriseRequiredMixin, CreateModelMixin, GenericViewSet
     queryset = LifecycleIteration.objects.all()
     serializer_class = LifecycleIterationSerializer
     ordering = ["-opened_on"]
-    ordering_fields = ["state", "content_type__model", "opened_on", "grace_period_end"]
+    ordering_fields = [
+        "state",
+        "content_type__model",
+        "rule__name",
+        "opened_on",
+        "grace_period_end",
+    ]
     filterset_class = LifecycleIterationFilterSet
 
     def get_queryset(self):
         user = self.request.user
         return self.queryset.annotate(
-            user_is_reviewer=Case(
-                When(
-                    Q(rule__reviewers=user)
-                    | Q(rule__reviewer_groups__in=user.groups.all().with_ancestors()),
-                    then=Value(True),
-                ),
-                default=Value(False),
-                output_field=ModelBooleanField(),
+            user_is_reviewer=Exists(
+                LifecycleRule.objects.filter(
+                    pk=OuterRef("rule_id"),
+                ).filter(
+                    Q(reviewers=user) | Q(reviewer_groups__in=user.groups.all().with_ancestors())
+                )
             )
-        ).distinct()
+        )
 
+    @extend_schema(
+        operation_id="lifecycle_iterations_list_latest",
+        responses={200: LifecycleIterationSerializer(many=True)},
+    )
     @action(
         detail=False,
+        pagination_class=None,
         methods=["get"],
         url_path=r"latest/(?P<content_type>[^/]+)/(?P<object_id>[^/]+)",
     )
-    def latest_iteration(self, request: Request, content_type: str, object_id: str) -> Response:
+    def latest_iterations(self, request: Request, content_type: str, object_id: str) -> Response:
         ct = parse_content_type(content_type)
-        try:
-            obj = (
-                self.get_queryset()
-                .filter(
-                    content_type__app_label=ct["app_label"],
-                    content_type__model=ct["model"],
-                    object_id=object_id,
-                )
-                .latest("opened_on")
+        latest_ids_subquery = (
+            LifecycleIteration.objects.filter(
+                rule=OuterRef("rule"),
+                content_type__app_label=ct["app_label"],
+                content_type__model=ct["model"],
+                object_id=object_id,
             )
-        except LifecycleIteration.DoesNotExist:
-            return Response(status=404)
-        serializer = self.get_serializer(obj)
+            .order_by("-opened_on")
+            .values("id")[:1]
+        )
+        latest_per_rule = LifecycleIteration.objects.filter(
+            content_type__app_label=ct["app_label"],
+            content_type__model=ct["model"],
+            object_id=object_id,
+        ).filter(id=Subquery(latest_ids_subquery))
+        serializer = self.get_serializer(latest_per_rule, many=True)
         return Response(serializer.data)
 
     @extend_schema(

authentik/enterprise/lifecycle/api/rules.py

@@ -84,23 +84,6 @@ class LifecycleRuleSerializer(EnterpriseRequiredMixin, ModelSerializer):
                 raise ValidationError(
                     {"grace_period": _("Grace period must be shorter than the interval.")}
                 )
-        if "content_type" in attrs or "object_id" in attrs:
-            content_type = attrs.get("content_type", getattr(self.instance, "content_type", None))
-            object_id = attrs.get("object_id", getattr(self.instance, "object_id", None))
-            if content_type is not None and object_id is None:
-                existing = LifecycleRule.objects.filter(
-                    content_type=content_type, object_id__isnull=True
-                )
-                if self.instance:
-                    existing = existing.exclude(pk=self.instance.pk)
-                if existing.exists():
-                    raise ValidationError(
-                        {
-                            "content_type": _(
-                                "Only one type-wide rule for each object type is allowed."
-                            )
-                        }
-                    )
         return attrs
 
 

authentik/enterprise/lifecycle/migrations/0003_remove_lifecyclerule_uniq_lifecycle_rule_ct_null_object_and_more.py

@@ -0,0 +1,21 @@
+# Generated by Django 5.2.11 on 2026-03-05 11:27
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_lifecycle", "0002_alter_lifecycleiteration_opened_on"),
+    ]
+
+    operations = [
+        migrations.RemoveConstraint(
+            model_name="lifecyclerule",
+            name="uniq_lifecycle_rule_ct_null_object",
+        ),
+        migrations.AlterUniqueTogether(
+            name="lifecyclerule",
+            unique_together=set(),
+        ),
+    ]

authentik/enterprise/lifecycle/models.py

@@ -56,14 +56,6 @@ class LifecycleRule(SerializerModel):
 
     class Meta:
         indexes = [models.Index(fields=["content_type"])]
-        unique_together = [["content_type", "object_id"]]
-        constraints = [
-            models.UniqueConstraint(
-                fields=["content_type"],
-                condition=Q(object_id__isnull=True),
-                name="uniq_lifecycle_rule_ct_null_object",
-            )
-        ]
 
     @property
     def serializer(self) -> type[BaseSerializer]:
@@ -82,12 +74,6 @@ class LifecycleRule(SerializerModel):
         qs = self.content_type.get_all_objects_for_this_type()
         if self.object_id:
             qs = qs.filter(pk=self.object_id)
-        else:
-            qs = qs.exclude(
-                pk__in=LifecycleRule.objects.filter(
-                    content_type=self.content_type, object_id__isnull=False
-                ).values_list(Cast("object_id", output_field=self._get_pk_field()), flat=True)
-            )
         return qs
 
     def _get_stale_iterations(self) -> QuerySet[LifecycleIteration]:
@@ -107,8 +93,7 @@ class LifecycleRule(SerializerModel):
 
     def _get_newly_due_objects(self) -> QuerySet:
         recent_iteration_ids = LifecycleIteration.objects.filter(
-            content_type=self.content_type,
-            object_id__isnull=False,
+            rule=self,
             opened_on__gte=start_of_day(
                 timezone.now() + timedelta(days=1) - timedelta_from_string(self.interval)
             ),
@@ -214,9 +199,15 @@ class LifecycleIteration(SerializerModel, ManagedModel):
         }
 
     def initialize(self):
+        if (self.content_type.app_label, self.content_type.model) == ("authentik_core", "group"):
+            object_label = self.object.name
+        elif (self.content_type.app_label, self.content_type.model) == ("authentik_rbac", "role"):
+            object_label = self.object.name
+        else:
+            object_label = str(self.object)
         event = Event.new(
             EventAction.REVIEW_INITIATED,
-            message=_(f"Access review is due for {self.content_type.name} {str(self.object)}"),
+            message=_(f"Access review is due for {self.content_type.name.lower()} {object_label}"),
             **self._get_event_args(),
         )
         event.save()

authentik/enterprise/lifecycle/signals.py

@@ -3,6 +3,7 @@ from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 
 from authentik.enterprise.lifecycle.models import LifecycleRule, ReviewState
+from authentik.tasks.schedules.models import Schedule
 
 
 @receiver(post_save, sender=LifecycleRule)
@@ -11,7 +12,9 @@ def post_rule_save(sender, instance: LifecycleRule, created: bool, **_):
 
     apply_lifecycle_rule.send_with_options(
         args=(instance.id,),
-        rel_obj=instance,
+        rel_obj=Schedule.objects.get(
+            actor_name="authentik.enterprise.lifecycle.tasks.apply_lifecycle_rules"
+        ),
     )
 
 

authentik/enterprise/lifecycle/tasks.py

@@ -4,14 +4,17 @@ from dramatiq import actor
 from authentik.core.models import User
 from authentik.enterprise.lifecycle.models import LifecycleRule
 from authentik.events.models import Event, Notification, NotificationTransport
+from authentik.tasks.schedules.models import Schedule
 
 
-@actor(description=_("Dispatch tasks to validate lifecycle rules."))
+@actor(description=_("Dispatch tasks to apply lifecycle rules."))
 def apply_lifecycle_rules():
     for rule in LifecycleRule.objects.all():
         apply_lifecycle_rule.send_with_options(
             args=(rule.id,),
-            rel_obj=rule,
+            rel_obj=Schedule.objects.get(
+                actor_name="authentik.enterprise.lifecycle.tasks.apply_lifecycle_rules"
+            ),
         )
 
 

authentik/enterprise/lifecycle/tests/test_api.py

@@ -1,3 +1,4 @@
+from django.apps import apps
 from django.contrib.contenttypes.models import ContentType
 from django.urls import reverse
 from rest_framework.test import APITestCase
@@ -19,6 +20,11 @@ class TestLifecycleRuleAPI(APITestCase):
         self.content_type = ContentType.objects.get_for_model(Application)
         self.reviewer_group = Group.objects.create(name=generate_id())
 
+    @classmethod
+    def setUpTestData(cls):
+        config = apps.get_app_config("authentik_tasks_schedules")
+        config._on_startup_callback(None)
+
     def test_list_rules(self):
         rule = LifecycleRule.objects.create(
             name=generate_id(),
@@ -190,6 +196,11 @@ class TestIterationAPI(APITestCase):
         self.reviewer_group = Group.objects.create(name=generate_id())
         self.reviewer_group.users.add(self.user)
 
+    @classmethod
+    def setUpTestData(cls):
+        config = apps.get_app_config("authentik_tasks_schedules")
+        config._on_startup_callback(None)
+
     def test_open_iterations(self):
         rule = LifecycleRule.objects.create(
             name=generate_id(),
@@ -231,7 +242,7 @@ class TestIterationAPI(APITestCase):
 
         response = self.client.get(
             reverse(
-                "authentik_api:lifecycleiteration-latest-iteration",
+                "authentik_api:lifecycleiteration-latest-iterations",
                 kwargs={
                     "content_type": f"{self.content_type.app_label}.{self.content_type.model}",
                     "object_id": str(self.app.pk),
@@ -239,19 +250,20 @@ class TestIterationAPI(APITestCase):
             )
         )
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.data["object_id"], str(self.app.pk))
+        self.assertEqual(len(response.data), 1)
+        self.assertEqual(response.data[0]["object_id"], str(self.app.pk))
 
     def test_latest_iteration_not_found(self):
         response = self.client.get(
             reverse(
-                "authentik_api:lifecycleiteration-latest-iteration",
+                "authentik_api:lifecycleiteration-latest-iterations",
                 kwargs={
                     "content_type": f"{self.content_type.app_label}.{self.content_type.model}",
                     "object_id": "00000000-0000-0000-0000-000000000000",
                 },
             )
         )
-        self.assertEqual(response.status_code, 404)
+        self.assertEqual(response.data, [])
 
     def test_iteration_includes_user_can_review(self):
         rule = LifecycleRule.objects.create(
@@ -279,6 +291,11 @@ class TestReviewAPI(APITestCase):
         self.reviewer_group = Group.objects.create(name=generate_id())
         self.reviewer_group.users.add(self.user)
 
+    @classmethod
+    def setUpTestData(cls):
+        config = apps.get_app_config("authentik_tasks_schedules")
+        config._on_startup_callback(None)
+
     def test_create_review(self):
         rule = LifecycleRule.objects.create(
             name=generate_id(),

authentik/enterprise/lifecycle/tests/test_models.py

@@ -2,6 +2,7 @@ import datetime as dt
 from datetime import timedelta
 from unittest.mock import patch
 
+from django.apps import apps
 from django.contrib.contenttypes.models import ContentType
 from django.test import RequestFactory, TestCase
 from django.utils import timezone
@@ -29,6 +30,11 @@ class TestLifecycleModels(TestCase):
     def setUp(self):
         self.factory = RequestFactory()
 
+    @classmethod
+    def setUpTestData(cls):
+        config = apps.get_app_config("authentik_tasks_schedules")
+        config._on_startup_callback(None)
+
     def _get_request(self):
         return self.factory.get("/")
 
@@ -438,31 +444,6 @@ class TestLifecycleModels(TestCase):
         self.assertIn(app_one, objects)
         self.assertIn(app_two, objects)
 
-    def test_rule_type_excludes_objects_with_specific_rules(self):
-        app_with_rule = Application.objects.create(name=generate_id(), slug=generate_id())
-        app_without_rule = Application.objects.create(name=generate_id(), slug=generate_id())
-        content_type = ContentType.objects.get_for_model(Application)
-
-        # Create a specific rule for app_with_rule
-        LifecycleRule.objects.create(
-            name=generate_id(),
-            content_type=content_type,
-            object_id=str(app_with_rule.pk),
-            interval="days=30",
-        )
-
-        # Create a type-level rule
-        type_rule = LifecycleRule.objects.create(
-            name=generate_id(),
-            content_type=content_type,
-            object_id=None,
-            interval="days=60",
-        )
-
-        objects = list(type_rule.get_objects())
-        self.assertNotIn(app_with_rule, objects)
-        self.assertIn(app_without_rule, objects)
-
     def test_rule_type_apply_creates_iterations_for_all_objects(self):
         app_one = Application.objects.create(name=generate_id(), slug=generate_id())
         app_two = Application.objects.create(name=generate_id(), slug=generate_id())
@@ -669,6 +650,73 @@ class TestLifecycleModels(TestCase):
         self.assertIn(explicit_reviewer, reviewers)
         self.assertIn(group_member, reviewers)
 
+    def test_multiple_rules_same_object_create_separate_iterations(self):
+        """Two rules targeting the same object each create their own iteration."""
+        obj = Application.objects.create(name=generate_id(), slug=generate_id())
+        content_type = ContentType.objects.get_for_model(obj)
+
+        rule_one = self._create_rule_for_object(obj, interval="days=30", grace_period="days=10")
+        rule_two = self._create_rule_for_object(obj, interval="days=60", grace_period="days=20")
+
+        iterations = LifecycleIteration.objects.filter(
+            content_type=content_type, object_id=str(obj.pk)
+        )
+        self.assertEqual(iterations.count(), 2)
+
+        iter_one = iterations.get(rule=rule_one)
+        iter_two = iterations.get(rule=rule_two)
+        self.assertEqual(iter_one.state, ReviewState.PENDING)
+        self.assertEqual(iter_two.state, ReviewState.PENDING)
+        self.assertNotEqual(iter_one.pk, iter_two.pk)
+
+    def test_multiple_rules_same_object_reviewed_independently(self):
+        """Reviewing one rule's iteration does not affect the other rule's iteration."""
+        obj = Application.objects.create(name=generate_id(), slug=generate_id())
+        content_type = ContentType.objects.get_for_model(obj)
+
+        reviewer = create_test_user()
+
+        rule_one = self._create_rule_for_object(obj, min_reviewers=1)
+        rule_two = self._create_rule_for_object(obj, min_reviewers=1)
+
+        group = Group.objects.create(name=generate_id())
+        group.users.add(reviewer)
+        rule_one.reviewer_groups.add(group)
+        rule_two.reviewer_groups.add(group)
+
+        iter_one = LifecycleIteration.objects.get(
+            content_type=content_type, object_id=str(obj.pk), rule=rule_one
+        )
+        iter_two = LifecycleIteration.objects.get(
+            content_type=content_type, object_id=str(obj.pk), rule=rule_two
+        )
+
+        request = self._get_request()
+
+        # Review only rule_one's iteration
+        Review.objects.create(iteration=iter_one, reviewer=reviewer)
+        iter_one.on_review(request)
+
+        iter_one.refresh_from_db()
+        iter_two.refresh_from_db()
+        self.assertEqual(iter_one.state, ReviewState.REVIEWED)
+        self.assertEqual(iter_two.state, ReviewState.PENDING)
+
+    def test_type_rule_and_object_rule_both_create_iterations(self):
+        """A type-level rule and an object-level rule both create iterations for the same object."""
+        obj = Application.objects.create(name=generate_id(), slug=generate_id())
+        content_type = ContentType.objects.get_for_model(obj)
+
+        object_rule = self._create_rule_for_object(obj, interval="days=30")
+        type_rule = self._create_rule_for_type(Application, interval="days=60")
+
+        iterations = LifecycleIteration.objects.filter(
+            content_type=content_type, object_id=str(obj.pk)
+        )
+        self.assertEqual(iterations.count(), 2)
+        self.assertTrue(iterations.filter(rule=object_rule).exists())
+        self.assertTrue(iterations.filter(rule=type_rule).exists())
+
 
 class TestLifecycleDateBoundaries(TestCase):
     """Verify that start_of_day normalization ensures correct overdue/due
@@ -679,6 +727,11 @@ class TestLifecycleDateBoundaries(TestCase):
     ensures that the boundary is always at midnight, so millisecond variations
     in task execution time do not affect results."""
 
+    @classmethod
+    def setUpTestData(cls):
+        config = apps.get_app_config("authentik_tasks_schedules")
+        config._on_startup_callback(None)
+
     def _create_rule_and_iteration(self, grace_period="days=1", interval="days=365"):
         app = Application.objects.create(name=generate_id(), slug=generate_id())
         content_type = ContentType.objects.get_for_model(Application)

authentik/enterprise/settings.py

@@ -14,6 +14,7 @@ TENANT_APPS = [
     "authentik.enterprise.providers.ssf",
     "authentik.enterprise.providers.ws_federation",
     "authentik.enterprise.reports",
+    "authentik.enterprise.stages.account_lockdown",
     "authentik.enterprise.stages.authenticator_endpoint_gdtc",
     "authentik.enterprise.stages.mtls",
     "authentik.enterprise.stages.source",

authentik/enterprise/stages/account_lockdown/api.py

@@ -0,0 +1,141 @@
+"""Account Lockdown Stage API Views"""
+
+from django.utils.translation import gettext as _
+from drf_spectacular.utils import OpenApiExample, OpenApiResponse, extend_schema
+from rest_framework.decorators import action
+from rest_framework.exceptions import ValidationError
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.serializers import PrimaryKeyRelatedField
+from rest_framework.viewsets import ModelViewSet
+from structlog.stdlib import get_logger
+
+from authentik.api.validation import validate
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import LinkSerializer, PassiveSerializer
+from authentik.core.models import (
+    User,
+)
+from authentik.enterprise.api import EnterpriseRequiredMixin, enterprise_action
+from authentik.enterprise.stages.account_lockdown.models import AccountLockdownStage
+from authentik.enterprise.stages.account_lockdown.stage import (
+    can_lock_user,
+    get_lockdown_target_users,
+)
+from authentik.flows.api.stages import StageSerializer
+from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableException
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
+
+LOGGER = get_logger()
+
+
+class AccountLockdownStageSerializer(EnterpriseRequiredMixin, StageSerializer):
+    """AccountLockdownStage Serializer"""
+
+    class Meta:
+        model = AccountLockdownStage
+        fields = StageSerializer.Meta.fields + [
+            "deactivate_user",
+            "set_unusable_password",
+            "delete_sessions",
+            "revoke_tokens",
+            "self_service_completion_flow",
+        ]
+
+
+class AccountLockdownStageViewSet(UsedByMixin, ModelViewSet):
+    """AccountLockdownStage Viewset"""
+
+    queryset = AccountLockdownStage.objects.all()
+    serializer_class = AccountLockdownStageSerializer
+    filterset_fields = "__all__"
+    ordering = ["name"]
+    search_fields = ["name"]
+
+
+class UserAccountLockdownSerializer(PassiveSerializer):
+    """Choose the target account before starting the lockdown flow."""
+
+    user = PrimaryKeyRelatedField(
+        queryset=get_lockdown_target_users(),
+        required=False,
+        allow_null=True,
+        help_text=_("User to lock. If omitted, locks the current user (self-service)."),
+    )
+
+
+class UserAccountLockdownMixin:
+    """Enterprise account-lockdown API actions for UserViewSet."""
+
+    def _create_lockdown_flow_url(self, request: Request, user: User) -> str:
+        """Create a flow URL for account lockdown.
+
+        The request body selects the target before the flow starts. The API
+        pre-plans the lockdown flow with the target as the pending user, so the
+        account lockdown stage can use the normal flow context.
+        """
+        flow = request._request.brand.flow_lockdown
+        if flow is None:
+            raise ValidationError({"non_field_errors": [_("No lockdown flow configured.")]})
+        planner = FlowPlanner(flow)
+        planner.use_cache = False
+        try:
+            plan = planner.plan(request._request, {PLAN_CONTEXT_PENDING_USER: user})
+        except EmptyFlowException, FlowNonApplicableException:
+            raise ValidationError(
+                {"non_field_errors": [_("Lockdown flow is not applicable.")]}
+            ) from None
+        return plan.to_redirect(request._request, flow).url
+
+    @extend_schema(
+        description=_("Choose the target account, then return a flow link."),
+        request=UserAccountLockdownSerializer,
+        responses={
+            "200": OpenApiResponse(
+                response=LinkSerializer,
+                examples=[
+                    OpenApiExample(
+                        "Lockdown flow URL",
+                        value={
+                            "link": "https://example.invalid/if/flow/default-account-lockdown/",
+                        },
+                        response_only=True,
+                        status_codes=["200"],
+                    )
+                ],
+            ),
+            "400": OpenApiResponse(
+                description=_("No lockdown flow configured or the flow is not applicable")
+            ),
+            "403": OpenApiResponse(
+                description=_("Permission denied (when targeting another user)")
+            ),
+        },
+    )
+    @action(
+        detail=False,
+        methods=["POST"],
+        permission_classes=[IsAuthenticated],
+        url_path="account_lockdown",
+    )
+    @validate(UserAccountLockdownSerializer)
+    @enterprise_action
+    def account_lockdown(self, request: Request, body: UserAccountLockdownSerializer) -> Response:
+        """Trigger account lockdown for a user.
+
+        If no user is specified, locks the current user (self-service).
+        When targeting another user, admin permissions are required.
+
+        Returns a flow link for the frontend to follow. The flow is pre-planned
+        with the target user as pending user for the lockdown stage.
+        """
+        user = body.validated_data.get("user") or request.user
+
+        if not can_lock_user(request.user, user):
+            LOGGER.debug("Permission denied for account lockdown", user=request.user)
+            self.permission_denied(request)
+
+        flow_url = self._create_lockdown_flow_url(request, user)
+        LOGGER.debug("Returning lockdown flow URL", flow_url=flow_url, user=user.username)
+        return Response({"link": flow_url})

authentik/enterprise/stages/account_lockdown/apps.py

@@ -0,0 +1,12 @@
+"""authentik account lockdown stage app config"""
+
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikEnterpriseStageAccountLockdownConfig(EnterpriseConfig):
+    """authentik account lockdown stage config"""
+
+    name = "authentik.enterprise.stages.account_lockdown"
+    label = "authentik_stages_account_lockdown"
+    verbose_name = "authentik Enterprise.Stages.Account Lockdown"
+    default = True

authentik/enterprise/stages/account_lockdown/migrations/0001_initial.py

@@ -0,0 +1,74 @@
+# Generated by Django 5.2.13 on 2026-04-19 21:56
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("authentik_flows", "0031_alter_flow_layout"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="AccountLockdownStage",
+            fields=[
+                (
+                    "stage_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_flows.stage",
+                    ),
+                ),
+                (
+                    "deactivate_user",
+                    models.BooleanField(
+                        default=True,
+                        help_text="Deactivate the user account (set is_active to False)",
+                    ),
+                ),
+                (
+                    "set_unusable_password",
+                    models.BooleanField(
+                        default=True, help_text="Set an unusable password for the user"
+                    ),
+                ),
+                (
+                    "delete_sessions",
+                    models.BooleanField(
+                        default=True, help_text="Delete all active sessions for the user"
+                    ),
+                ),
+                (
+                    "revoke_tokens",
+                    models.BooleanField(
+                        default=True,
+                        help_text="Revoke all tokens for the user (API, app password, recovery, verification, OAuth)",
+                    ),
+                ),
+                (
+                    "self_service_completion_flow",
+                    models.ForeignKey(
+                        blank=True,
+                        help_text="Flow to redirect users to after self-service lockdown. This flow should not require authentication since the user's session is deleted.",
+                        null=True,
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        related_name="account_lockdown_stages",
+                        to="authentik_flows.flow",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Account Lockdown Stage",
+                "verbose_name_plural": "Account Lockdown Stages",
+            },
+            bases=("authentik_flows.stage",),
+        ),
+    ]

authentik/enterprise/stages/account_lockdown/models.py

@@ -0,0 +1,62 @@
+"""Account lockdown stage models"""
+
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+from django.views import View
+from rest_framework.serializers import BaseSerializer
+
+from authentik.flows.models import Stage
+
+
+class AccountLockdownStage(Stage):
+    """Lock down a target user account."""
+
+    deactivate_user = models.BooleanField(
+        default=True,
+        help_text=_("Deactivate the user account (set is_active to False)"),
+    )
+    set_unusable_password = models.BooleanField(
+        default=True,
+        help_text=_("Set an unusable password for the user"),
+    )
+    delete_sessions = models.BooleanField(
+        default=True,
+        help_text=_("Delete all active sessions for the user"),
+    )
+    revoke_tokens = models.BooleanField(
+        default=True,
+        help_text=_(
+            "Revoke all tokens for the user (API, app password, recovery, verification, OAuth)"
+        ),
+    )
+    self_service_completion_flow = models.ForeignKey(
+        "authentik_flows.Flow",
+        on_delete=models.SET_NULL,
+        null=True,
+        blank=True,
+        related_name="account_lockdown_stages",
+        help_text=_(
+            "Flow to redirect users to after self-service lockdown. "
+            "This flow should not require authentication since the user's session is deleted."
+        ),
+    )
+
+    @property
+    def serializer(self) -> type[BaseSerializer]:
+        from authentik.enterprise.stages.account_lockdown.api import AccountLockdownStageSerializer
+
+        return AccountLockdownStageSerializer
+
+    @property
+    def view(self) -> type[View]:
+        from authentik.enterprise.stages.account_lockdown.stage import AccountLockdownStageView
+
+        return AccountLockdownStageView
+
+    @property
+    def component(self) -> str:
+        return "ak-stage-account-lockdown-form"
+
+    class Meta:
+        verbose_name = _("Account Lockdown Stage")
+        verbose_name_plural = _("Account Lockdown Stages")

authentik/enterprise/stages/account_lockdown/stage.py

@@ -0,0 +1,345 @@
+"""Account lockdown stage logic"""
+
+from django.apps import apps
+from django.core.exceptions import FieldDoesNotExist
+from django.db.models import Model, QuerySet
+from django.db.models.query_utils import Q
+from django.db.transaction import atomic
+from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
+from django.urls import reverse
+from django.utils.translation import gettext_lazy as _
+from dramatiq.actor import Actor
+from dramatiq.composition import group
+from dramatiq.results.errors import ResultTimeout
+
+from authentik.core.models import (
+    AuthenticatedSession,
+    ExpiringModel,
+    Session,
+    Token,
+    User,
+    UserTypes,
+)
+from authentik.enterprise.stages.account_lockdown.models import AccountLockdownStage
+from authentik.events.models import Event, EventAction
+from authentik.flows.stage import StageView
+from authentik.lib.sync.outgoing.models import OutgoingSyncProvider
+from authentik.lib.sync.outgoing.signals import sync_outgoing_inhibit_dispatch
+from authentik.lib.utils.reflection import class_to_path
+from authentik.lib.utils.time import timedelta_from_string
+from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
+
+PLAN_CONTEXT_LOCKDOWN_REASON = "lockdown_reason"
+LOCKDOWN_EVENT_ACTION_ID = "account_lockdown"
+
+TARGET_REQUIRED_MESSAGE = _("No target user specified for account lockdown")
+PERMISSION_DENIED_MESSAGE = _("You do not have permission to lock down this account.")
+ACCOUNT_LOCKDOWN_FAILED_MESSAGE = _("Account lockdown failed for this account.")
+SELF_SERVICE_COMPLETION_FLOW_REQUIRED_MESSAGE = _(
+    "Self-service account lockdown requires a completion flow."
+)
+
+
+def get_lockdown_target_users() -> QuerySet[User]:
+    """Return users that can be targeted by account lockdown."""
+    return User.objects.exclude_anonymous().exclude(type=UserTypes.INTERNAL_SERVICE_ACCOUNT)
+
+
+def _get_model_field(model: type[Model], field_name: str):
+    """Get a model field by name, if present."""
+    try:
+        return model._meta.get_field(field_name)
+    except FieldDoesNotExist:
+        return None
+
+
+def _has_user_field(model: type[Model]) -> bool:
+    """Check if a model has a direct user foreign key."""
+    field = _get_model_field(model, "user")
+    return bool(field and getattr(field, "remote_field", None) and field.remote_field.model is User)
+
+
+def _has_authenticated_session_field(model: type[Model]) -> bool:
+    """Check if a model is linked to an authenticated session."""
+    field = _get_model_field(model, "session")
+    return bool(
+        field
+        and getattr(field, "remote_field", None)
+        and field.remote_field.model is AuthenticatedSession
+    )
+
+
+def _has_provider_field(model: type[Model]) -> bool:
+    """Check if a model is linked to a provider."""
+    return _get_model_field(model, "provider") is not None
+
+
+def get_lockdown_token_models() -> tuple[type[Model], ...]:
+    """Return token, grant, and provider session models removed by account lockdown."""
+    token_models: list[type[Model]] = []
+    for model in apps.get_models():
+        if model._meta.abstract or not issubclass(model, ExpiringModel):
+            continue
+        if model is Token:
+            token_models.append(model)
+        elif _has_user_field(model) and (
+            _has_provider_field(model) or _has_authenticated_session_field(model)
+        ):
+            token_models.append(model)
+        elif _has_authenticated_session_field(model):
+            token_models.append(model)
+    return tuple(token_models)
+
+
+def get_lockdown_token_queryset(model: type[Model], user: User) -> QuerySet:
+    """Return account lockdown artifacts for a model and user."""
+    manager = model.objects.including_expired()
+    if _has_user_field(model):
+        return manager.filter(user=user)
+    return manager.filter(session__user=user)
+
+
+def can_lock_user(actor, user: User) -> bool:
+    """Check whether the actor may lock the target user."""
+    if not actor.is_authenticated:
+        return False
+    if user.pk == actor.pk:
+        return True
+    return actor.has_perm("authentik_core.change_user", user)
+
+
+def get_outgoing_sync_tasks() -> tuple[tuple[type[OutgoingSyncProvider], Actor], ...]:
+    """Return outgoing sync provider types and their direct sync tasks."""
+    from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProvider
+    from authentik.enterprise.providers.google_workspace.tasks import google_workspace_sync_direct
+    from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProvider
+    from authentik.enterprise.providers.microsoft_entra.tasks import microsoft_entra_sync_direct
+    from authentik.providers.scim.models import SCIMProvider
+    from authentik.providers.scim.tasks import scim_sync_direct
+
+    return (
+        (SCIMProvider, scim_sync_direct),
+        (GoogleWorkspaceProvider, google_workspace_sync_direct),
+        (MicrosoftEntraProvider, microsoft_entra_sync_direct),
+    )
+
+
+class AccountLockdownStageView(StageView):
+    """Execute account lockdown actions on the target user."""
+
+    def is_self_service(self, request: HttpRequest, user: User) -> bool:
+        """Check whether the currently authenticated user is locking their own account."""
+        return request.user.is_authenticated and user.pk == request.user.pk
+
+    def get_reason(self) -> str:
+        """Get the lockdown reason from the plan context.
+
+        Priority:
+        1. prompt_data[PLAN_CONTEXT_LOCKDOWN_REASON]
+        2. PLAN_CONTEXT_LOCKDOWN_REASON (explicitly set)
+        3. Empty string as fallback
+        """
+        prompt_data = self.executor.plan.context.get(PLAN_CONTEXT_PROMPT, {})
+        if PLAN_CONTEXT_LOCKDOWN_REASON in prompt_data:
+            return prompt_data[PLAN_CONTEXT_LOCKDOWN_REASON]
+        return self.executor.plan.context.get(PLAN_CONTEXT_LOCKDOWN_REASON, "")
+
+    def _apply_lockdown_actions(self, stage: AccountLockdownStage, user: User) -> None:
+        """Apply the configured account changes to the target user."""
+        if stage.deactivate_user:
+            user.is_active = False
+        if stage.set_unusable_password:
+            user.set_unusable_password()
+        if stage.deactivate_user:
+            with sync_outgoing_inhibit_dispatch():
+                user.save()
+            return
+        user.save()
+
+    def _sync_deactivated_user_to_outgoing_providers(self, user: User) -> None:
+        """Synchronize a deactivated user to outgoing sync providers."""
+        messages = []
+        wait_timeout = 0
+        model = class_to_path(User)
+        provider_filter = Q(backchannel_application__isnull=False) | Q(application__isnull=False)
+
+        for provider_model, task_sync_direct in get_outgoing_sync_tasks():
+            for provider in provider_model.objects.filter(provider_filter):
+                time_limit = int(
+                    timedelta_from_string(provider.sync_page_timeout).total_seconds() * 1000
+                )
+                messages.append(
+                    task_sync_direct.message_with_options(
+                        args=(model, user.pk, provider.pk),
+                        rel_obj=provider,
+                        time_limit=time_limit,
+                        uid=f"{provider.name}:user:{user.pk}:direct",
+                    )
+                )
+                wait_timeout += time_limit
+
+        if not messages:
+            return
+        try:
+            group(messages).run().wait(timeout=wait_timeout)
+        except ResultTimeout:
+            self.logger.warning(
+                "Timed out waiting for outgoing sync tasks; tasks remain queued",
+                user=user.username,
+                timeout=wait_timeout,
+            )
+
+    def _get_lockdown_artifact_querysets(
+        self, stage: AccountLockdownStage, user: User
+    ) -> tuple[QuerySet, ...]:
+        """Return the configured sessions and tokens targeted by lockdown."""
+        querysets: list[QuerySet] = []
+        if stage.delete_sessions:
+            querysets.append(Session.objects.filter(authenticatedsession__user=user))
+        if stage.revoke_tokens:
+            querysets.extend(
+                get_lockdown_token_queryset(model, user) for model in get_lockdown_token_models()
+            )
+        return tuple(querysets)
+
+    def _delete_lockdown_artifacts(self, stage: AccountLockdownStage, user: User) -> None:
+        """Delete sessions and tokens selected by the lockdown configuration."""
+        for queryset in self._get_lockdown_artifact_querysets(stage, user):
+            queryset.delete()
+
+    def _has_lockdown_artifacts(self, stage: AccountLockdownStage, user: User) -> bool:
+        """Check whether there are still sessions or tokens to remove."""
+        return any(
+            queryset.exists() for queryset in self._get_lockdown_artifact_querysets(stage, user)
+        )
+
+    def _emit_lockdown_event(self, request: HttpRequest, user: User, reason: str) -> None:
+        """Emit the audit event for a completed lockdown."""
+        # Emit the audit event after the transaction commits. If event creation
+        # fails here, dispatch() would otherwise treat the whole lockdown as
+        # failed even though the account changes have already been committed.
+        try:
+            Event.new(
+                EventAction.USER_WRITE,
+                action_id=LOCKDOWN_EVENT_ACTION_ID,
+                reason=reason,
+                affected_user=user.username,
+            ).from_http(request)
+        except Exception as exc:  # noqa: BLE001
+            # Event emission should not make the lockdown itself fail.
+            self.logger.warning(
+                "Failed to emit account lockdown event",
+                user=user.username,
+                exc=exc,
+            )
+
+    def _lockdown_user(
+        self,
+        request: HttpRequest,
+        stage: AccountLockdownStage,
+        user: User,
+        reason: str,
+    ) -> None:
+        """Execute lockdown actions on a single user."""
+        with atomic():
+            user = User.objects.get(pk=user.pk)
+            self._apply_lockdown_actions(stage, user)
+            self._delete_lockdown_artifacts(stage, user)
+
+        # These additional checks/deletes are done to prevent a timing attack that creates tokens
+        # with a compromised token that is simultaneously being deleted.
+        while self._has_lockdown_artifacts(stage, user):
+            with atomic():
+                self._delete_lockdown_artifacts(stage, user)
+
+        if stage.deactivate_user:
+            try:
+                self._sync_deactivated_user_to_outgoing_providers(user)
+            except Exception as exc:  # noqa: BLE001
+                # Local lockdown has already committed. Provider sync failures
+                # must not reopen access or mark the lockdown itself as failed.
+                self.logger.warning(
+                    "Failed to sync account lockdown deactivation to outgoing providers",
+                    user=user.username,
+                    exc=exc,
+                )
+        self._emit_lockdown_event(request, user, reason)
+
+    def dispatch(self, request: HttpRequest) -> HttpResponse:
+        """Execute account lockdown actions."""
+        self.request = request
+        stage: AccountLockdownStage = self.executor.current_stage
+
+        pending_user = self.get_pending_user()
+        if not pending_user.is_authenticated:
+            self.logger.warning("No target user found for account lockdown")
+            return self.executor.stage_invalid(TARGET_REQUIRED_MESSAGE)
+        user = get_lockdown_target_users().filter(pk=pending_user.pk).first()
+        if user is None:
+            self.logger.warning("Target user is not eligible for account lockdown")
+            return self.executor.stage_invalid(TARGET_REQUIRED_MESSAGE)
+        if not can_lock_user(request.user, user):
+            self.logger.warning(
+                "Permission denied for account lockdown",
+                actor=getattr(request.user, "username", None),
+                target=user.username,
+            )
+            return self.executor.stage_invalid(PERMISSION_DENIED_MESSAGE)
+
+        reason = self.get_reason()
+        self_service = self.is_self_service(request, user)
+        if self_service and stage.delete_sessions and not stage.self_service_completion_flow:
+            self.logger.warning("No completion flow configured for self-service account lockdown")
+            return self.executor.stage_invalid(SELF_SERVICE_COMPLETION_FLOW_REQUIRED_MESSAGE)
+
+        self.logger.info(
+            "Executing account lockdown",
+            user=user.username,
+            reason=reason,
+            self_service=self_service,
+            deactivate_user=stage.deactivate_user,
+            set_unusable_password=stage.set_unusable_password,
+            delete_sessions=stage.delete_sessions,
+            revoke_tokens=stage.revoke_tokens,
+        )
+
+        try:
+            self._lockdown_user(request, stage, user, reason)
+            self.logger.info("Account lockdown completed", user=user.username)
+        except Exception as exc:  # noqa: BLE001
+            # Convert unexpected lockdown errors to a flow-stage failure instead
+            # of leaking an exception through the flow executor.
+            self.logger.warning("Account lockdown failed", user=user.username, exc=exc)
+            return self.executor.stage_invalid(ACCOUNT_LOCKDOWN_FAILED_MESSAGE)
+
+        if self_service:
+            if stage.delete_sessions:
+                return self._self_service_completion_response(request)
+            return self.executor.stage_ok()
+
+        return self.executor.stage_ok()
+
+    def _self_service_completion_response(self, request: HttpRequest) -> HttpResponse:
+        """Redirect to completion flow after self-service lockdown.
+
+        Since all sessions are deleted, the user cannot continue in the flow.
+        Redirect them to an unauthenticated completion flow that shows the
+        lockdown message.
+
+        We use a direct HTTP redirect instead of a challenge because the
+        flow executor's challenge handling may try to access the session
+        which we just deleted.
+        """
+        stage: AccountLockdownStage = self.executor.current_stage
+        completion_flow = stage.self_service_completion_flow
+        if completion_flow:
+            # Flush the current request's session to prevent Django's session
+            # middleware from trying to save a deleted session
+            if hasattr(request, "session"):
+                request.session.flush()
+            redirect_to = reverse(
+                "authentik_core:if-flow",
+                kwargs={"flow_slug": completion_flow.slug},
+            )
+            return HttpResponseRedirect(redirect_to)
+        return self.executor.stage_invalid(SELF_SERVICE_COMPLETION_FLOW_REQUIRED_MESSAGE)

authentik/enterprise/stages/account_lockdown/tests/test_api.py

@@ -0,0 +1,148 @@
+"""Test Users Account Lockdown API"""
+
+from json import loads
+from unittest.mock import MagicMock, patch
+from urllib.parse import urlparse
+
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.tests.utils import (
+    create_test_brand,
+    create_test_flow,
+    create_test_user,
+)
+from authentik.enterprise.stages.account_lockdown.models import AccountLockdownStage
+from authentik.flows.models import FlowDesignation, FlowStageBinding
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
+from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.lib.generators import generate_id
+
+# Patch for enterprise license check
+patch_license = patch(
+    "authentik.enterprise.models.LicenseUsageStatus.is_valid",
+    MagicMock(return_value=True),
+)
+
+
+@patch_license
+class AccountLockdownAPITestCase(APITestCase):
+    """Shared helpers for account lockdown API tests."""
+
+    def setUp(self) -> None:
+        self.lockdown_flow = create_test_flow(FlowDesignation.STAGE_CONFIGURATION)
+        self.lockdown_stage = AccountLockdownStage.objects.create(name=generate_id())
+        FlowStageBinding.objects.create(
+            target=self.lockdown_flow,
+            stage=self.lockdown_stage,
+            order=0,
+        )
+        self.brand = create_test_brand()
+        self.brand.flow_lockdown = self.lockdown_flow
+        self.brand.save()
+
+    def create_user_with_email(self):
+        """Create a regular user with a unique email address."""
+        user = create_test_user()
+        user.email = f"{generate_id()}@test.com"
+        user.save()
+        return user
+
+    def assert_redirect_targets(self, response, user):
+        """Assert that a response contains a pre-planned lockdown flow link for a user."""
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content)
+        self.assertIn(self.lockdown_flow.slug, body["link"])
+        self.assertEqual(urlparse(body["link"]).query, "")
+        plan = self.client.session[SESSION_KEY_PLAN]
+        self.assertEqual(plan.context[PLAN_CONTEXT_PENDING_USER].pk, user.pk)
+
+    def assert_no_flow_configured(self, response):
+        """Assert that the API reports a missing lockdown flow."""
+        self.assertEqual(response.status_code, 400)
+        body = loads(response.content)
+        self.assertIn("No lockdown flow configured", body["non_field_errors"][0])
+
+
+@patch_license
+class TestUsersAccountLockdownAPI(AccountLockdownAPITestCase):
+    """Test Users Account Lockdown API"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.actor = create_test_user()
+        self.user = self.create_user_with_email()
+
+    def test_account_lockdown_with_change_user_returns_redirect(self):
+        """Test that account lockdown allows users with change_user permission."""
+        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.user)
+        self.client.force_login(self.actor)
+
+        response = self.client.post(
+            reverse("authentik_api:user-account-lockdown"),
+            data={"user": self.user.pk},
+            format="json",
+        )
+
+        self.assert_redirect_targets(response, self.user)
+
+    def test_account_lockdown_no_flow_configured(self):
+        """Test account lockdown when no flow is configured"""
+        self.brand.flow_lockdown = None
+        self.brand.save()
+        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.user)
+        self.client.force_login(self.actor)
+
+        response = self.client.post(
+            reverse("authentik_api:user-account-lockdown"),
+            data={"user": self.user.pk},
+            format="json",
+        )
+
+        self.assert_no_flow_configured(response)
+
+    def test_account_lockdown_unauthenticated(self):
+        """Test account lockdown requires authentication"""
+        response = self.client.post(
+            reverse("authentik_api:user-account-lockdown"),
+            data={"user": self.user.pk},
+            format="json",
+        )
+
+        self.assertEqual(response.status_code, 403)
+
+    def test_account_lockdown_without_change_user_denied(self):
+        """Test account lockdown denies users without change_user permission."""
+        self.client.force_login(self.actor)
+
+        response = self.client.post(
+            reverse("authentik_api:user-account-lockdown"),
+            data={"user": self.user.pk},
+            format="json",
+        )
+
+        self.assertEqual(response.status_code, 403)
+
+    def test_account_lockdown_self_returns_redirect(self):
+        """Test successful self-service account lockdown returns a direct redirect."""
+        self.client.force_login(self.user)
+
+        response = self.client.post(
+            reverse("authentik_api:user-account-lockdown"),
+            data={},
+            format="json",
+        )
+
+        self.assert_redirect_targets(response, self.user)
+
+    def test_account_lockdown_self_target_without_change_user_returns_redirect(self):
+        """Test self-service does not require change_user permission."""
+        self.client.force_login(self.user)
+
+        response = self.client.post(
+            reverse("authentik_api:user-account-lockdown"),
+            data={"user": self.user.pk},
+            format="json",
+        )
+
+        self.assert_redirect_targets(response, self.user)

authentik/enterprise/stages/account_lockdown/tests/test_blueprint.py

@@ -0,0 +1,46 @@
+"""Tests for the packaged account-lockdown blueprint."""
+
+from unittest.mock import patch
+
+from django.test import TransactionTestCase
+
+from authentik.blueprints.models import BlueprintInstance
+from authentik.blueprints.v1.importer import Importer
+from authentik.blueprints.v1.tasks import blueprints_find, check_blueprint_v1_file
+from authentik.enterprise.license import LicenseKey
+from authentik.flows.models import Flow
+
+BLUEPRINT_PATH = "example/flow-default-account-lockdown.yaml"
+
+
+class TestAccountLockdownBlueprint(TransactionTestCase):
+    """Test the packaged account-lockdown blueprint behavior."""
+
+    def test_blueprint_is_not_auto_instantiated(self):
+        """Test the packaged blueprint is opt-in and skipped by discovery."""
+        BlueprintInstance.objects.filter(path=BLUEPRINT_PATH).delete()
+        blueprint = next(item for item in blueprints_find() if item.path == BLUEPRINT_PATH)
+
+        check_blueprint_v1_file(blueprint)
+
+        self.assertFalse(BlueprintInstance.objects.filter(path=BLUEPRINT_PATH).exists())
+
+    def test_blueprint_requires_licensed_context(self):
+        """Test manual import only creates flows when enterprise is licensed."""
+        content = BlueprintInstance(path=BLUEPRINT_PATH).retrieve()
+        license_key = LicenseKey("test", 253402300799, "Test license", 1000, 1000)
+
+        with patch("authentik.enterprise.license.LicenseKey.get_total", return_value=license_key):
+            importer = Importer.from_string(content, {"goauthentik.io/enterprise/licensed": False})
+            valid, logs = importer.validate()
+            self.assertTrue(valid, logs)
+            self.assertTrue(importer.apply())
+            self.assertFalse(Flow.objects.filter(slug="default-account-lockdown").exists())
+            self.assertFalse(Flow.objects.filter(slug="default-account-lockdown-complete").exists())
+
+            importer = Importer.from_string(content, {"goauthentik.io/enterprise/licensed": True})
+            valid, logs = importer.validate()
+            self.assertTrue(valid, logs)
+            self.assertTrue(importer.apply())
+            self.assertTrue(Flow.objects.filter(slug="default-account-lockdown").exists())
+            self.assertTrue(Flow.objects.filter(slug="default-account-lockdown-complete").exists())

authentik/enterprise/stages/account_lockdown/tests/test_stage.py

@@ -0,0 +1,627 @@
+"""Account lockdown stage tests"""
+
+import json
+from dataclasses import asdict
+from threading import Event as ThreadEvent
+from threading import Thread
+from types import SimpleNamespace
+from unittest.mock import MagicMock, patch
+
+from django.db import connection
+from django.http import HttpResponse
+from django.test import TransactionTestCase
+from django.urls import reverse
+from django.utils import timezone
+from dramatiq.results.errors import ResultTimeout
+
+from authentik.core.models import AuthenticatedSession, Session, Token, TokenIntents
+from authentik.core.tests.utils import (
+    RequestFactory,
+    create_test_admin_user,
+    create_test_cert,
+    create_test_flow,
+    create_test_user,
+)
+from authentik.enterprise.stages.account_lockdown.models import AccountLockdownStage
+from authentik.enterprise.stages.account_lockdown.stage import (
+    LOCKDOWN_EVENT_ACTION_ID,
+    PLAN_CONTEXT_LOCKDOWN_REASON,
+    AccountLockdownStageView,
+    can_lock_user,
+)
+from authentik.events.models import Event, EventAction
+from authentik.flows.markers import StageMarker
+from authentik.flows.models import FlowDesignation, FlowStageBinding
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from authentik.flows.tests import FlowTestCase
+from authentik.lib.generators import generate_id
+from authentik.lib.utils.reflection import class_to_path
+from authentik.providers.oauth2.id_token import IDToken
+from authentik.providers.oauth2.models import (
+    AccessToken,
+    AuthorizationCode,
+    DeviceToken,
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+    RefreshToken,
+)
+from authentik.providers.saml.models import SAMLProvider, SAMLSession
+from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
+
+patch_enterprise_enabled = patch(
+    "authentik.enterprise.apps.AuthentikEnterpriseConfig.check_enabled",
+    return_value=True,
+)
+
+
+class AccountLockdownStageTestMixin:
+    """Shared setup helpers for account lockdown stage tests."""
+
+    @classmethod
+    def setUpClass(cls):
+        cls.patch_enterprise_enabled = patch_enterprise_enabled.start()
+        cls.patch_event_dispatch = patch("authentik.events.tasks.event_trigger_dispatch.send")
+        cls.patch_event_dispatch.start()
+        super().setUpClass()
+
+    @classmethod
+    def tearDownClass(cls):
+        cls.patch_event_dispatch.stop()
+        patch_enterprise_enabled.stop()
+        super().tearDownClass()
+
+    def setUp(self):
+        super().setUp()
+        self.user = create_test_admin_user()
+        self.target_user = create_test_admin_user()
+        self.flow = create_test_flow(FlowDesignation.STAGE_CONFIGURATION)
+        self.stage = AccountLockdownStage.objects.create(
+            name="lockdown",
+        )
+        self.binding = FlowStageBinding.objects.create(target=self.flow, stage=self.stage, order=0)
+        self.request_factory = RequestFactory()
+
+    def make_stage_view(self, plan: FlowPlan):
+        def _stage_ok():
+            return HttpResponse(status=204)
+
+        def _stage_invalid(_error_message=None):
+            return HttpResponse(status=400)
+
+        return AccountLockdownStageView(
+            SimpleNamespace(
+                plan=plan,
+                current_stage=self.stage,
+                current_binding=self.binding,
+                flow=self.flow,
+                stage_ok=_stage_ok,
+                stage_invalid=_stage_invalid,
+            )
+        )
+
+    def make_request(self, *, user=None, query=None):
+        return self.request_factory.post(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
+            query_params=query or {},
+            user=user,
+        )
+
+    def get_lockdown_event(self):
+        """Return the account-lockdown user-write event."""
+        return Event.objects.filter(
+            action=EventAction.USER_WRITE,
+            context__action_id=LOCKDOWN_EVENT_ACTION_ID,
+        ).first()
+
+
+class TestAccountLockdownStage(AccountLockdownStageTestMixin, FlowTestCase):
+    """Account lockdown stage tests"""
+
+    def test_lockdown_no_target(self):
+        """Test lockdown stage with no pending user fails"""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+
+        response = view.dispatch(self.make_request())
+
+        self.assertEqual(response.status_code, 400)
+
+    def test_lockdown_with_pending_user(self):
+        """Test lockdown stage with a pending target user."""
+        self.target_user.is_active = True
+        self.target_user.save()
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context[PLAN_CONTEXT_LOCKDOWN_REASON] = "Security incident"
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.target_user
+        view = self.make_stage_view(plan)
+        request = self.make_request(user=self.user)
+
+        self.assertTrue(can_lock_user(request.user, self.target_user))
+        response = view.dispatch(request)
+
+        self.target_user.refresh_from_db()
+        self.assertFalse(self.target_user.is_active)
+        self.assertFalse(self.target_user.has_usable_password())
+        self.assertEqual(response.status_code, 204)
+
+        # Check event was created
+        event = self.get_lockdown_event()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.context["action_id"], LOCKDOWN_EVENT_ACTION_ID)
+        self.assertEqual(event.context["reason"], "Security incident")
+        self.assertEqual(event.context["affected_user"], self.target_user.username)
+
+    def test_lockdown_with_pending_user_reason(self):
+        """Test lockdown stage with a pending target and explicit reason."""
+        self.target_user.is_active = True
+        self.target_user.save()
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context[PLAN_CONTEXT_LOCKDOWN_REASON] = "Compromised account"
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.target_user
+        view = self.make_stage_view(plan)
+        request = self.make_request(user=self.user)
+
+        self.assertTrue(can_lock_user(request.user, self.target_user))
+        response = view.dispatch(request)
+
+        self.target_user.refresh_from_db()
+        self.assertFalse(self.target_user.is_active)
+        self.assertEqual(response.status_code, 204)
+
+    def test_lockdown_reason_from_prompt(self):
+        """Test lockdown stage reads the reason from prompt data."""
+        self.target_user.is_active = True
+        self.target_user.save()
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context[PLAN_CONTEXT_PROMPT] = {
+            PLAN_CONTEXT_LOCKDOWN_REASON: "User requested lockdown",
+        }
+        view = self.make_stage_view(plan)
+        request = self.make_request(user=self.user)
+        view._lockdown_user(request, self.stage, self.target_user, view.get_reason())
+
+        event = self.get_lockdown_event()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.context["reason"], "User requested lockdown")
+
+    def test_lockdown_event_failure_does_not_fail_self_service(self):
+        """Test lockdown still succeeds when event emission fails."""
+        self.stage.delete_sessions = False
+        self.stage.save()
+
+        self.target_user.is_active = True
+        self.target_user.save()
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.target_user
+        view = self.make_stage_view(plan)
+        request = self.make_request(user=self.target_user)
+
+        original_event_new = Event.new
+
+        def _event_new_side_effect(action, *args, **kwargs):
+            if (
+                action == EventAction.USER_WRITE
+                and kwargs.get("action_id") == LOCKDOWN_EVENT_ACTION_ID
+            ):
+                raise RuntimeError("simulated event failure")
+            return original_event_new(action, *args, **kwargs)
+
+        with patch(
+            "authentik.enterprise.stages.account_lockdown.stage.Event.new",
+            side_effect=_event_new_side_effect,
+        ):
+            view._lockdown_user(request, self.stage, self.target_user, view.get_reason())
+
+        self.target_user.refresh_from_db()
+        self.assertFalse(self.target_user.is_active)
+
+    def test_dispatch_records_success_when_event_emission_fails(self):
+        """Test dispatch still completes if event emission fails."""
+        self.stage.delete_sessions = False
+        self.stage.save()
+
+        self.target_user.is_active = True
+        self.target_user.save()
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.target_user
+        view = self.make_stage_view(plan)
+        request = self.make_request(
+            user=self.target_user,
+        )
+
+        original_event_new = Event.new
+
+        def _event_new_side_effect(action, *args, **kwargs):
+            if (
+                action == EventAction.USER_WRITE
+                and kwargs.get("action_id") == LOCKDOWN_EVENT_ACTION_ID
+            ):
+                raise RuntimeError("simulated event failure")
+            return original_event_new(action, *args, **kwargs)
+
+        with patch(
+            "authentik.enterprise.stages.account_lockdown.stage.Event.new",
+            side_effect=_event_new_side_effect,
+        ):
+            response = view.dispatch(request)
+
+        self.target_user.refresh_from_db()
+        self.assertFalse(self.target_user.is_active)
+        self.assertEqual(response.status_code, 204)
+
+    def test_lockdown_self_service_redirects_to_completion_flow(self):
+        """Test self-service lockdown redirects to completion flow when sessions are deleted."""
+        completion_flow = create_test_flow(FlowDesignation.STAGE_CONFIGURATION)
+        self.stage.self_service_completion_flow = completion_flow
+        self.stage.save()
+
+        self.target_user.is_active = True
+        self.target_user.save()
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+        request = self.make_request(user=self.target_user)
+        view._lockdown_user(request, self.stage, self.target_user, view.get_reason())
+        response = view._self_service_completion_response(request)
+
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(
+            response.url,
+            reverse("authentik_core:if-flow", kwargs={"flow_slug": completion_flow.slug}),
+        )
+
+    def test_lockdown_self_service_requires_completion_flow(self):
+        """Test self-service lockdown fails before deleting sessions without a completion flow."""
+        self.stage.self_service_completion_flow = None
+        self.stage.save()
+
+        self.target_user.is_active = True
+        self.target_user.save()
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.target_user
+        view = self.make_stage_view(plan)
+        request = self.make_request(user=self.target_user)
+
+        response = view.dispatch(request)
+
+        self.assertEqual(response.status_code, 400)
+        self.target_user.refresh_from_db()
+        self.assertTrue(self.target_user.is_active)
+
+    def test_lockdown_denies_other_user_without_permission(self):
+        """Test lockdown stage rejects non-self requests without change_user permission."""
+        actor = create_test_user()
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.target_user
+        view = self.make_stage_view(plan)
+        request = self.make_request(user=actor)
+
+        self.assertFalse(can_lock_user(request.user, self.target_user))
+        response = view.dispatch(request)
+        self.assertEqual(response.status_code, 400)
+
+    def test_lockdown_revokes_tokens(self):
+        """Test lockdown stage revokes tokens"""
+        Token.objects.create(
+            user=self.target_user,
+            identifier="test-token",
+            intent=TokenIntents.INTENT_API,
+            key=generate_id(),
+            expiring=False,
+        )
+        self.assertEqual(Token.objects.filter(user=self.target_user).count(), 1)
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+        view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
+
+        self.assertEqual(Token.objects.filter(user=self.target_user).count(), 0)
+
+    def test_lockdown_revokes_provider_tokens(self):
+        """Test lockdown stage revokes provider tokens and sessions."""
+        oauth_provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+            redirect_uris=[
+                RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver/callback")
+            ],
+            signing_key=create_test_cert(),
+        )
+        saml_provider = SAMLProvider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+            acs_url="https://sp.example.com/acs",
+            issuer_override="https://idp.example.com",
+        )
+        session = Session.objects.create(
+            session_key=generate_id(),
+            expires=timezone.now() + timezone.timedelta(hours=1),
+            last_ip="127.0.0.1",
+        )
+        auth_session = AuthenticatedSession.objects.create(
+            session=session,
+            user=self.target_user,
+        )
+        grant_kwargs = {
+            "provider": oauth_provider,
+            "user": self.target_user,
+            "auth_time": timezone.now(),
+            "_scope": "openid profile",
+            "expiring": False,
+        }
+        token_kwargs = grant_kwargs | {"_id_token": json.dumps(asdict(IDToken("foo", "bar")))}
+        AuthorizationCode.objects.create(
+            code=generate_id(),
+            session=auth_session,
+            **grant_kwargs,
+        )
+        AccessToken.objects.create(
+            token=generate_id(),
+            session=auth_session,
+            **token_kwargs,
+        )
+        RefreshToken.objects.create(
+            token=generate_id(),
+            session=auth_session,
+            **token_kwargs,
+        )
+        DeviceToken.objects.create(
+            provider=oauth_provider,
+            user=self.target_user,
+            session=auth_session,
+            _scope="openid profile",
+            expiring=False,
+        )
+        SAMLSession.objects.create(
+            provider=saml_provider,
+            user=self.target_user,
+            session=auth_session,
+            session_index=generate_id(),
+            name_id=self.target_user.email,
+            expires=timezone.now() + timezone.timedelta(hours=1),
+            expiring=True,
+        )
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+        view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
+
+        self.assertEqual(AuthorizationCode.objects.filter(user=self.target_user).count(), 0)
+        self.assertEqual(AccessToken.objects.filter(user=self.target_user).count(), 0)
+        self.assertEqual(RefreshToken.objects.filter(user=self.target_user).count(), 0)
+        self.assertEqual(DeviceToken.objects.filter(user=self.target_user).count(), 0)
+        self.assertEqual(SAMLSession.objects.filter(user=self.target_user).count(), 0)
+
+    def test_lockdown_selective_actions(self):
+        """Test lockdown stage with selective actions"""
+        self.stage.deactivate_user = True
+        self.stage.set_unusable_password = False
+        self.stage.delete_sessions = False
+        self.stage.revoke_tokens = False
+        self.stage.save()
+
+        self.target_user.is_active = True
+        self.target_user.set_password("testpassword")
+        self.target_user.save()
+
+        Token.objects.create(
+            user=self.target_user,
+            identifier="test-token",
+            intent=TokenIntents.INTENT_API,
+            key=generate_id(),
+            expiring=False,
+        )
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+        view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
+
+        self.target_user.refresh_from_db()
+        # User should be deactivated
+        self.assertFalse(self.target_user.is_active)
+        # Password should still be usable
+        self.assertTrue(self.target_user.has_usable_password())
+        # Token should still exist
+        self.assertEqual(Token.objects.filter(user=self.target_user).count(), 1)
+
+    def test_lockdown_no_actions(self):
+        """Test lockdown stage with all actions disabled"""
+        self.stage.deactivate_user = False
+        self.stage.set_unusable_password = False
+        self.stage.delete_sessions = False
+        self.stage.revoke_tokens = False
+        self.stage.save()
+
+        self.target_user.is_active = True
+        self.target_user.set_password("testpassword")
+        self.target_user.save()
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+        view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
+
+        self.target_user.refresh_from_db()
+        # User should still be active
+        self.assertTrue(self.target_user.is_active)
+        # Password should still be usable
+        self.assertTrue(self.target_user.has_usable_password())
+        # Event should still be created
+        event = self.get_lockdown_event()
+        self.assertIsNotNone(event)
+
+    def test_lockdown_deactivation_inhibits_signal_dispatch_until_after_commit(self):
+        """Test lockdown queues explicit outgoing syncs after the deactivation transaction."""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+
+        with (
+            patch(
+                "authentik.enterprise.stages.account_lockdown.stage.sync_outgoing_inhibit_dispatch"
+            ) as inhibit,
+            patch.object(view, "_sync_deactivated_user_to_outgoing_providers") as sync_outgoing,
+        ):
+            view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
+
+        inhibit.assert_called_once()
+        sync_outgoing.assert_called_once()
+        synced_user = sync_outgoing.call_args.args[0]
+        self.assertEqual(synced_user.pk, self.target_user.pk)
+        self.assertFalse(synced_user.is_active)
+
+    def test_lockdown_waits_for_direct_outgoing_provider_syncs(self):
+        """Test direct outgoing sync tasks are enqueued and waited on."""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+        provider = SimpleNamespace(name="outgoing", pk=1, sync_page_timeout="seconds=5")
+        task_sync_direct = MagicMock()
+        task_sync_direct.message_with_options.return_value = "direct-message"
+        provider_model = SimpleNamespace(
+            objects=SimpleNamespace(filter=MagicMock(return_value=[provider]))
+        )
+        task_group = MagicMock()
+
+        with (
+            patch(
+                "authentik.enterprise.stages.account_lockdown.stage.get_outgoing_sync_tasks",
+                return_value=((provider_model, task_sync_direct),),
+            ),
+            patch(
+                "authentik.enterprise.stages.account_lockdown.stage.group",
+                return_value=task_group,
+            ) as task_group_cls,
+        ):
+            view._sync_deactivated_user_to_outgoing_providers(self.target_user)
+
+        task_sync_direct.message_with_options.assert_called_once_with(
+            args=(class_to_path(type(self.target_user)), self.target_user.pk, provider.pk),
+            rel_obj=provider,
+            time_limit=5000,
+            uid=f"{provider.name}:user:{self.target_user.pk}:direct",
+        )
+        task_group_cls.assert_called_once_with(["direct-message"])
+        task_group.run.return_value.wait.assert_called_once_with(timeout=5000)
+
+    def test_lockdown_outgoing_provider_sync_timeout_leaves_tasks_running(self):
+        """Test timeout while waiting for direct outgoing syncs does not fail lockdown."""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+        provider = SimpleNamespace(name="outgoing", pk=1, sync_page_timeout="seconds=5")
+        task_sync_direct = MagicMock()
+        task_sync_direct.message_with_options.return_value = "direct-message"
+        provider_model = SimpleNamespace(
+            objects=SimpleNamespace(filter=MagicMock(return_value=[provider]))
+        )
+        task_group = MagicMock()
+        task_group.run.return_value.wait.side_effect = ResultTimeout("timed out")
+
+        with (
+            patch(
+                "authentik.enterprise.stages.account_lockdown.stage.get_outgoing_sync_tasks",
+                return_value=((provider_model, task_sync_direct),),
+            ),
+            patch(
+                "authentik.enterprise.stages.account_lockdown.stage.group",
+                return_value=task_group,
+            ),
+        ):
+            view._sync_deactivated_user_to_outgoing_providers(self.target_user)
+
+        task_group.run.assert_called_once_with()
+        task_group.run.return_value.wait.assert_called_once_with(timeout=5000)
+
+    def test_lockdown_outgoing_provider_sync_failure_does_not_fail_lockdown(self):
+        """Test completed local lockdown still emits an event if outgoing sync fails."""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+
+        with patch.object(
+            view,
+            "_sync_deactivated_user_to_outgoing_providers",
+            side_effect=ValueError("sync failed"),
+        ):
+            view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
+
+        self.target_user.refresh_from_db()
+        self.assertFalse(self.target_user.is_active)
+        event = self.get_lockdown_event()
+        self.assertIsNotNone(event)
+
+
+class TestAccountLockdownStageConcurrency(AccountLockdownStageTestMixin, TransactionTestCase):
+    """Account lockdown concurrency tests."""
+
+    def test_lockdown_retries_when_another_transaction_recreates_a_token(self):
+        """Lockdown should remove a token recreated before the retry check runs."""
+        Token.objects.create(
+            user=self.target_user,
+            identifier=f"initial-token-{generate_id()}",
+            intent=TokenIntents.INTENT_API,
+            key=generate_id(),
+            expiring=False,
+        )
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+        original_has_artifacts = view._has_lockdown_artifacts
+        target_user = self.target_user
+        thread_ready = ThreadEvent()
+        start_create = ThreadEvent()
+        thread_done = ThreadEvent()
+        thread_errors = []
+
+        class TokenCreatorThread(Thread):
+            __test__ = False
+
+            def run(self):
+                try:
+                    thread_ready.set()
+                    if not start_create.wait(timeout=5):
+                        thread_errors.append("timed out waiting to recreate token")
+                        return
+                    Token.objects.create(
+                        user=target_user,
+                        identifier=f"concurrent-token-{generate_id()}",
+                        intent=TokenIntents.INTENT_API,
+                        key=generate_id(),
+                        expiring=False,
+                    )
+                except Exception as exc:  # noqa: BLE001
+                    thread_errors.append(exc)
+                finally:
+                    thread_done.set()
+                    connection.close()
+
+        def has_artifacts_after_concurrent_create(stage, user):
+            if not start_create.is_set():
+                start_create.set()
+                self.assertTrue(
+                    thread_done.wait(timeout=30),
+                    (
+                        "Concurrent token creation did not complete "
+                        f"before retry check: {thread_errors}"
+                    ),
+                )
+            return original_has_artifacts(stage, user)
+
+        creator = TokenCreatorThread()
+        with patch.object(
+            view, "_has_lockdown_artifacts", side_effect=has_artifacts_after_concurrent_create
+        ):
+            creator.start()
+            self.assertTrue(
+                thread_ready.wait(timeout=5),
+                "Concurrent token creation thread did not start",
+            )
+            view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
+            creator.join()
+
+        self.assertEqual(thread_errors, [])
+        self.assertEqual(Token.objects.filter(user=self.target_user).count(), 0)

authentik/enterprise/stages/account_lockdown/urls.py

@@ -0,0 +1,5 @@
+"""API URLs"""
+
+from authentik.enterprise.stages.account_lockdown.api import AccountLockdownStageViewSet
+
+api_urlpatterns = [("stages/account_lockdown", AccountLockdownStageViewSet)]

authentik/flows/templates/if/flow-sfe.html

@@ -23,7 +23,7 @@
             height: 100%;
           }
           body {
-            background-image: url("{{ flow_background_url }}");
+            background-image: url("{{ flow_background_url|iriencode|safe }}");
             background-repeat: no-repeat;
             background-size: cover;
           }

authentik/flows/templates/if/flow.html

@@ -39,7 +39,7 @@
 <script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
 <style data-id="flow-css">
   :root {
-      --ak-global--background-image: url("{{ flow_background_url }}");
+      --ak-global--background-image: url("{{ flow_background_url|iriencode|safe }}");
   }
 </style>
 {% endblock %}

authentik/flows/tests/test_stage_views.py

@@ -1,12 +1,14 @@
 """stage view tests"""
 
 from collections.abc import Callable
+from unittest.mock import patch
 
 from django.test import RequestFactory, TestCase
+from django.urls import reverse
 
 from authentik.core.tests.utils import RequestFactory as AuthentikRequestFactory
 from authentik.core.tests.utils import create_test_flow
-from authentik.flows.models import FlowStageBinding
+from authentik.flows.models import Flow, FlowStageBinding
 from authentik.flows.stage import StageView
 from authentik.flows.views.executor import FlowExecutorView
 from authentik.lib.utils.reflection import all_subclasses
@@ -42,6 +44,46 @@ class TestViews(TestCase):
             "/static/dist/assets/images/flow_background.jpg",
         )
 
+    def test_flow_interface_css_background_preserves_presigned_url_query(self):
+        """Test flow CSS keeps signed URL query separators intact."""
+        flow = create_test_flow()
+        background_url = (
+            "https://s3.ca-central-1.amazonaws.com/example/media/public/background.png"
+            "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=credential"
+            "&X-Amz-Signature=signature"
+        )
+
+        with patch.object(Flow, "background_url", return_value=background_url):
+            response = self.client.get(
+                reverse("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
+            )
+
+        self.assertContains(
+            response,
+            f'--ak-global--background-image: url("{background_url}");',
+            html=False,
+        )
+
+    def test_flow_sfe_css_background_preserves_presigned_url_query(self):
+        """Test SFE flow CSS keeps signed URL query separators intact."""
+        flow = create_test_flow()
+        background_url = (
+            "https://s3.ca-central-1.amazonaws.com/example/media/public/background.png"
+            "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=credential"
+            "&X-Amz-Signature=signature"
+        )
+
+        with patch.object(Flow, "background_url", return_value=background_url):
+            response = self.client.get(
+                reverse("authentik_core:if-flow", kwargs={"flow_slug": flow.slug}) + "?sfe"
+            )
+
+        self.assertContains(
+            response,
+            f'background-image: url("{background_url}");',
+            html=False,
+        )
+
 
 def view_tester_factory(view_class: type[StageView]) -> Callable:
     """Test a form"""

authentik/root/settings.py

@@ -172,6 +172,7 @@ SPECTACULAR_SETTINGS = {
     },
     "ENUM_NAME_OVERRIDES": {
         "AppEnum": "authentik.lib.api.Apps",
+        "AuthenticationEnum": "authentik.flows.models.FlowAuthenticationRequirement",
         "ConsentModeEnum": "authentik.stages.consent.models.ConsentMode",
         "CountryCodeEnum": "django_countries.countries",
         "DeviceClassesEnum": "authentik.stages.authenticator_validate.models.DeviceClasses",

authentik/stages/prompt/migrations/0012_alter_prompt_type.py

@@ -0,0 +1,64 @@
+# Generated by Django 5.2.12 on 2026-03-14 02:58
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_stages_prompt",
+            "0011_prompt_initial_value_prompt_initial_value_expression_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="prompt",
+            name="type",
+            field=models.CharField(
+                choices=[
+                    ("text", "Text: Simple Text input"),
+                    ("text_area", "Text area: Multiline Text Input."),
+                    (
+                        "text_read_only",
+                        "Text (read-only): Simple Text input, but cannot be edited.",
+                    ),
+                    (
+                        "text_area_read_only",
+                        "Text area (read-only): Multiline Text input, but cannot be edited.",
+                    ),
+                    (
+                        "username",
+                        "Username: Same as Text input, but checks for and prevents duplicate usernames.",
+                    ),
+                    ("email", "Email: Text field with Email type."),
+                    (
+                        "password",
+                        "Password: Masked input, multiple inputs of this type on the same prompt need to be identical.",
+                    ),
+                    ("number", "Number"),
+                    ("checkbox", "Checkbox"),
+                    (
+                        "radio-button-group",
+                        "Fixed choice field rendered as a group of radio buttons.",
+                    ),
+                    ("dropdown", "Fixed choice field rendered as a dropdown."),
+                    ("date", "Date"),
+                    ("date-time", "Date Time"),
+                    (
+                        "file",
+                        "File: File upload for arbitrary files. File content will be available in flow context as data-URI",
+                    ),
+                    ("separator", "Separator: Static Separator Line"),
+                    ("hidden", "Hidden: Hidden field, can be used to insert data into form."),
+                    ("static", "Static: Static value, displayed as-is."),
+                    ("alert_info", "Alert (Info): Static alert box with info styling"),
+                    ("alert_warning", "Alert (Warning): Static alert box with warning styling"),
+                    ("alert_danger", "Alert (Danger): Static alert box with danger styling"),
+                    ("ak-locale", "authentik: Selection of locales authentik supports"),
+                ],
+                max_length=100,
+            ),
+        ),
+    ]

authentik/stages/prompt/models.py

@@ -87,6 +87,11 @@ class FieldTypes(models.TextChoices):
     HIDDEN = "hidden", _("Hidden: Hidden field, can be used to insert data into form.")
     STATIC = "static", _("Static: Static value, displayed as-is.")
 
+    # Alert box types for displaying styled messages
+    ALERT_INFO = "alert_info", _("Alert (Info): Static alert box with info styling")
+    ALERT_WARNING = "alert_warning", _("Alert (Warning): Static alert box with warning styling")
+    ALERT_DANGER = "alert_danger", _("Alert (Danger): Static alert box with danger styling")
+
     AK_LOCALE = "ak-locale", _("authentik: Selection of locales authentik supports")
 
 
@@ -299,7 +304,12 @@ class Prompt(SerializerModel):
                 field_class = HiddenField
                 kwargs["required"] = False
                 kwargs["default"] = self.placeholder
-            case FieldTypes.STATIC:
+            case (
+                FieldTypes.STATIC
+                | FieldTypes.ALERT_INFO
+                | FieldTypes.ALERT_WARNING
+                | FieldTypes.ALERT_DANGER
+            ):
                 kwargs["default"] = self.placeholder
                 kwargs["required"] = False
                 kwargs["label"] = ""

authentik/stages/prompt/stage.py

@@ -124,6 +124,9 @@ class PromptChallengeResponse(ChallengeResponse):
             type__in=[
                 FieldTypes.HIDDEN,
                 FieldTypes.STATIC,
+                FieldTypes.ALERT_INFO,
+                FieldTypes.ALERT_WARNING,
+                FieldTypes.ALERT_DANGER,
                 FieldTypes.TEXT_READ_ONLY,
                 FieldTypes.TEXT_AREA_READ_ONLY,
             ]

authentik/stages/prompt/tests.py

@@ -330,10 +330,20 @@ class TestPromptStage(FlowTestCase):
 
     def test_static_hidden_overwrite(self):
         """Test that static and hidden fields ignore any value sent to them"""
+        alert_prompt = Prompt.objects.create(
+            name=generate_id(),
+            field_key="alert_prompt",
+            type=FieldTypes.ALERT_INFO,
+            required=True,
+            placeholder="alert fallback",
+            initial_value="alert content",
+        )
+        self.stage.fields.add(alert_prompt)
         plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
         plan.context[PLAN_CONTEXT_PROMPT] = {"hidden_prompt": "hidden"}
         self.prompt_data["hidden_prompt"] = "foo"
         self.prompt_data["static_prompt"] = "foo"
+        self.prompt_data["alert_prompt"] = "foo"
         challenge_response = PromptChallengeResponse(
             None, stage_instance=self.stage, plan=plan, data=self.prompt_data, stage=self.stage_view
         )
@@ -341,6 +351,7 @@ class TestPromptStage(FlowTestCase):
         self.assertNotEqual(challenge_response.validated_data["hidden_prompt"], "foo")
         self.assertEqual(challenge_response.validated_data["hidden_prompt"], "hidden")
         self.assertNotEqual(challenge_response.validated_data["static_prompt"], "foo")
+        self.assertEqual(challenge_response.validated_data["alert_prompt"], "alert content")
 
     def test_prompt_placeholder(self):
         """Test placeholder and expression"""

blueprints/example/flow-default-account-lockdown.yaml

@@ -0,0 +1,306 @@
+version: 1
+metadata:
+  name: Example - Account lockdown flow
+  labels:
+    blueprints.goauthentik.io/instantiate: "false"
+entries:
+  flows:
+    # Main lockdown flow - requires authentication
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        designation: stage_configuration
+        name: Account Lockdown
+        title: Lock Account
+        authentication: require_authenticated
+      identifiers:
+        slug: default-account-lockdown
+      model: authentik_flows.flow
+      id: flow
+    # Self-service completion flow - no authentication required
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        designation: stage_configuration
+        name: Account Lockdown Complete
+        title: Account Locked
+        authentication: none
+      identifiers:
+        slug: default-account-lockdown-complete
+      model: authentik_flows.flow
+      id: completion-flow
+  prompt_fields:
+    # Warning field - danger alert box (content varies based on self-service vs admin)
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        order: 50
+        initial_value: |
+          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == current_user_uuid
+          pending_user = None
+          if target_uuid and not is_self_service:
+              from authentik.core.models import User
+
+              pending_user = User.objects.filter(pk=target_uuid).first()
+          if is_self_service:
+              return (
+                  "<p><strong>You are about to lock down your own account.</strong></p>"
+                  "<p>This is an emergency action for cutting off access to your account right away.</p>"
+                  "<p><strong>This will immediately:</strong></p>"
+                  "<ul>"
+                  "<li><strong>Invalidate your password</strong> - Your password will be set to a random value "
+                  "and cannot be recovered</li>"
+                  "<li><strong>Deactivate your account</strong> - Your account will be disabled</li>"
+                  "<li><strong>Terminate all your sessions</strong> - You will be logged out everywhere</li>"
+                  "<li><strong>Revoke all your tokens</strong> - All your API, app password, recovery, "
+                  "verification, and OAuth2 tokens and grants will be revoked</li>"
+                  "</ul>"
+                  "<p><strong>This action cannot be easily undone.</strong></p>"
+              )
+
+          from django.utils.html import escape
+
+          if pending_user:
+              email = escape(pending_user.email or pending_user.name or "No email")
+              user_html = f"<p><code>{escape(pending_user.username)}</code> ({email})</p>"
+          else:
+              user_html = "<p>the account selected when this one-time lockdown link was created</p>"
+
+          return (
+              "<p><strong>You are about to lock down the following account:</strong></p>"
+              f"{user_html}"
+              "<p>This is an emergency action for cutting off access to the account right away. "
+              "It does not lock the administrator who opened this page.</p>"
+              "<p><strong>This will immediately:</strong></p>"
+              "<ul>"
+              "<li>Invalidate the user's password</li>"
+              "<li>Deactivate the user</li>"
+              "<li>Terminate all sessions - All active sessions will be ended</li>"
+              "<li>Revoke all tokens - All API, app password, recovery, verification, and OAuth2 "
+              "tokens and grants will be revoked</li>"
+              "</ul>"
+              "<p><strong>This action cannot be easily undone.</strong></p>"
+          )
+        initial_value_expression: true
+        required: false
+        type: alert_danger
+        field_key: lockdown_warning
+        label: Warning
+        sub_text: ""
+      identifiers:
+        name: default-account-lockdown-field-warning
+      id: prompt-field-warning
+      model: authentik_stages_prompt.prompt
+    # Info field - when to use lockdown (content varies based on self-service vs admin)
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        order: 100
+        initial_value: |
+          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == current_user_uuid
+          if is_self_service:
+              info = (
+                  "Use this if you no longer trust your current password or sessions. "
+                  "After lockdown, you will need help from your administrator or security team to regain access."
+              )
+          else:
+              info = (
+                  "Use this for incident response on the listed account, for example after a compromise report "
+                  "or suspicious activity. The reason you enter below will be recorded in the audit log."
+              )
+          return (
+              f"<p>{info}</p>"
+              '<p><a href="https://docs.goauthentik.io/docs/security/'
+              'account-lockdown?utm_source=authentik" '
+              'target="_blank" rel="noopener noreferrer">Learn more about account lockdown</a></p>'
+          )
+        initial_value_expression: true
+        required: false
+        type: alert_info
+        field_key: lockdown_info
+        label: Information
+        sub_text: ""
+      identifiers:
+        name: default-account-lockdown-field-info
+      id: prompt-field-info
+      model: authentik_stages_prompt.prompt
+    # Reason field - text area for lockdown reason
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        order: 200
+        placeholder: |
+          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == current_user_uuid
+          if is_self_service:
+              return "Describe why you are locking your account..."
+          return "Describe why this account is being locked down..."
+        placeholder_expression: true
+        required: true
+        type: text_area
+        field_key: lockdown_reason
+        label: Reason
+        sub_text: This explanation will be recorded in the audit log.
+      identifiers:
+        name: default-account-lockdown-field-reason
+      id: prompt-field-reason
+      model: authentik_stages_prompt.prompt
+  prompt_stages:
+    # Prompt stage for warnings and reason input
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        fields:
+        - !KeyOf prompt-field-warning
+        - !KeyOf prompt-field-info
+        - !KeyOf prompt-field-reason
+      identifiers:
+        name: default-account-lockdown-prompt
+      id: default-account-lockdown-prompt
+      model: authentik_stages_prompt.promptstage
+  lockdown_stage:
+    # Account lockdown stage - performs the actual lockdown
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      identifiers:
+        name: default-account-lockdown-stage
+      id: default-account-lockdown-stage
+      model: authentik_stages_account_lockdown.accountlockdownstage
+      attrs:
+        deactivate_user: true
+        set_unusable_password: true
+        delete_sessions: true
+        revoke_tokens: true
+        self_service_completion_flow: !Find [authentik_flows.flow, [slug, default-account-lockdown-complete]]
+  completion_prompt:
+    # Completion message field - confirmation shown after an admin-triggered lockdown
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        order: 300
+        initial_value: |
+          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          from django.utils.html import escape
+          from authentik.core.models import User
+
+          if target_uuid:
+              target = User.objects.filter(pk=target_uuid).first()
+              if target:
+                  return f"<p><code>{escape(target.username)}</code> has been locked down.</p>"
+
+          return "<p>The selected account has been locked down.</p>"
+        initial_value_expression: true
+        required: false
+        type: alert_info
+        field_key: lockdown_complete
+        label: Result
+        sub_text: ""
+      identifiers:
+        name: default-account-lockdown-field-complete
+      id: prompt-field-complete
+      model: authentik_stages_prompt.prompt
+    # Prompt stage for admin completion message
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        fields:
+        - !KeyOf prompt-field-complete
+      identifiers:
+        name: default-account-lockdown-complete-prompt
+      id: default-account-lockdown-complete-prompt
+      model: authentik_stages_prompt.promptstage
+  policies:
+    # Expression policy to check if this is NOT a self-service lockdown (admin)
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        name: default-account-lockdown-admin-policy
+        expression: |
+          target_uuid = (request.http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          current_user_uuid = str(getattr(request.user, "pk", "") or getattr(request.http_request.user, "pk", ""))
+          return bool(target_uuid) and target_uuid != current_user_uuid
+      identifiers:
+        name: default-account-lockdown-admin-policy
+      id: admin-policy
+      model: authentik_policies_expression.expressionpolicy
+  bindings:
+    # Stage bindings
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      identifiers:
+        order: 0
+        stage: !KeyOf default-account-lockdown-prompt
+        target: !KeyOf flow
+      model: authentik_flows.flowstagebinding
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      identifiers:
+        order: 10
+        stage: !KeyOf default-account-lockdown-stage
+        target: !KeyOf flow
+      model: authentik_flows.flowstagebinding
+    # Admin completion stage binding - shown for admin lockdown only
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      identifiers:
+        order: 20
+        stage: !KeyOf default-account-lockdown-complete-prompt
+        target: !KeyOf flow
+      id: admin-completion-binding
+      model: authentik_flows.flowstagebinding
+    # Bind the admin policy to the admin completion stage
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        enabled: true
+        negate: false
+        order: 0
+      identifiers:
+        policy: !KeyOf admin-policy
+        target: !KeyOf admin-completion-binding
+      model: authentik_policies.policybinding
+  self_service_completion:
+    # Self-service completion message field (for the unauthenticated completion flow)
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        order: 100
+        initial_value: |
+          return (
+              "<h1>Your account has been locked</h1>"
+              "<p>You have been logged out of all sessions and your password has been invalidated.</p>"
+              "<p>To regain access to your account, please contact your IT administrator or security team.</p>"
+          )
+        initial_value_expression: true
+        required: false
+        type: alert_warning
+        field_key: self_lockdown_complete
+        label: Account locked
+        sub_text: ""
+      identifiers:
+        name: default-account-lockdown-self-field-complete
+      id: self-prompt-field-complete
+      model: authentik_stages_prompt.prompt
+    # Prompt stage for self-service completion (unauthenticated)
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        fields:
+        - !KeyOf self-prompt-field-complete
+      identifiers:
+        name: default-account-lockdown-self-complete-prompt
+      id: default-account-lockdown-self-complete-prompt
+      model: authentik_stages_prompt.promptstage
+    # Bind self-service completion stage to the completion flow
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      identifiers:
+        order: 0
+        stage: !KeyOf default-account-lockdown-self-complete-prompt
+        target: !Find [authentik_flows.flow, [slug, default-account-lockdown-complete]]
+      model: authentik_flows.flowstagebinding

blueprints/schema.json

@@ -1216,6 +1216,46 @@
                         }
                     }
                 },
+                {
+                    "type": "object",
+                    "required": [
+                        "model",
+                        "identifiers"
+                    ],
+                    "properties": {
+                        "model": {
+                            "const": "authentik_stages_account_lockdown.accountlockdownstage"
+                        },
+                        "id": {
+                            "type": "string"
+                        },
+                        "state": {
+                            "type": "string",
+                            "enum": [
+                                "absent",
+                                "created",
+                                "must_created",
+                                "present"
+                            ],
+                            "default": "present"
+                        },
+                        "conditions": {
+                            "type": "array",
+                            "items": {
+                                "type": "boolean"
+                            }
+                        },
+                        "permissions": {
+                            "$ref": "#/$defs/model_authentik_stages_account_lockdown.accountlockdownstage_permissions"
+                        },
+                        "attrs": {
+                            "$ref": "#/$defs/model_authentik_stages_account_lockdown.accountlockdownstage"
+                        },
+                        "identifiers": {
+                            "$ref": "#/$defs/model_authentik_stages_account_lockdown.accountlockdownstage"
+                        }
+                    }
+                },
                 {
                     "type": "object",
                     "required": [
@@ -5100,6 +5140,11 @@
                     "format": "uuid",
                     "title": "Flow device code"
                 },
+                "flow_lockdown": {
+                    "type": "string",
+                    "format": "uuid",
+                    "title": "Flow lockdown"
+                },
                 "default_application": {
                     "type": "string",
                     "format": "uuid",
@@ -6094,6 +6139,10 @@
                             "authentik_sources_telegram.view_telegramsource",
                             "authentik_sources_telegram.view_telegramsourcepropertymapping",
                             "authentik_sources_telegram.view_usertelegramsourceconnection",
+                            "authentik_stages_account_lockdown.add_accountlockdownstage",
+                            "authentik_stages_account_lockdown.change_accountlockdownstage",
+                            "authentik_stages_account_lockdown.delete_accountlockdownstage",
+                            "authentik_stages_account_lockdown.view_accountlockdownstage",
                             "authentik_stages_authenticator_duo.add_authenticatorduostage",
                             "authentik_stages_authenticator_duo.add_duodevice",
                             "authentik_stages_authenticator_duo.change_authenticatorduostage",
@@ -7757,6 +7806,69 @@
                 }
             }
         },
+        "model_authentik_stages_account_lockdown.accountlockdownstage": {
+            "type": "object",
+            "properties": {
+                "name": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Name"
+                },
+                "deactivate_user": {
+                    "type": "boolean",
+                    "title": "Deactivate user",
+                    "description": "Deactivate the user account (set is_active to False)"
+                },
+                "set_unusable_password": {
+                    "type": "boolean",
+                    "title": "Set unusable password",
+                    "description": "Set an unusable password for the user"
+                },
+                "delete_sessions": {
+                    "type": "boolean",
+                    "title": "Delete sessions",
+                    "description": "Delete all active sessions for the user"
+                },
+                "revoke_tokens": {
+                    "type": "boolean",
+                    "title": "Revoke tokens",
+                    "description": "Revoke all tokens for the user (API, app password, recovery, verification, OAuth)"
+                },
+                "self_service_completion_flow": {
+                    "type": "string",
+                    "format": "uuid",
+                    "title": "Self service completion flow",
+                    "description": "Flow to redirect users to after self-service lockdown. This flow should not require authentication since the user's session is deleted."
+                }
+            },
+            "required": []
+        },
+        "model_authentik_stages_account_lockdown.accountlockdownstage_permissions": {
+            "type": "array",
+            "items": {
+                "type": "object",
+                "required": [
+                    "permission"
+                ],
+                "properties": {
+                    "permission": {
+                        "type": "string",
+                        "enum": [
+                            "add_accountlockdownstage",
+                            "change_accountlockdownstage",
+                            "delete_accountlockdownstage",
+                            "view_accountlockdownstage"
+                        ]
+                    },
+                    "user": {
+                        "type": "integer"
+                    },
+                    "role": {
+                        "type": "string"
+                    }
+                }
+            }
+        },
         "model_authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage": {
             "type": "object",
             "properties": {
@@ -8952,6 +9064,7 @@
                         "authentik.enterprise.providers.ssf",
                         "authentik.enterprise.providers.ws_federation",
                         "authentik.enterprise.reports",
+                        "authentik.enterprise.stages.account_lockdown",
                         "authentik.enterprise.stages.authenticator_endpoint_gdtc",
                         "authentik.enterprise.stages.mtls",
                         "authentik.enterprise.stages.source"
@@ -9084,6 +9197,7 @@
                         "authentik_providers_ssf.ssfprovider",
                         "authentik_providers_ws_federation.wsfederationprovider",
                         "authentik_reports.dataexport",
+                        "authentik_stages_account_lockdown.accountlockdownstage",
                         "authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage",
                         "authentik_stages_mtls.mutualtlsstage",
                         "authentik_stages_source.sourcestage"
@@ -11791,6 +11905,10 @@
                             "authentik_sources_telegram.view_telegramsource",
                             "authentik_sources_telegram.view_telegramsourcepropertymapping",
                             "authentik_sources_telegram.view_usertelegramsourceconnection",
+                            "authentik_stages_account_lockdown.add_accountlockdownstage",
+                            "authentik_stages_account_lockdown.change_accountlockdownstage",
+                            "authentik_stages_account_lockdown.delete_accountlockdownstage",
+                            "authentik_stages_account_lockdown.view_accountlockdownstage",
                             "authentik_stages_authenticator_duo.add_authenticatorduostage",
                             "authentik_stages_authenticator_duo.add_duodevice",
                             "authentik_stages_authenticator_duo.change_authenticatorduostage",
@@ -15657,6 +15775,9 @@
                         "separator",
                         "hidden",
                         "static",
+                        "alert_info",
+                        "alert_warning",
+                        "alert_danger",
                         "ak-locale"
                     ],
                     "title": "Type"

lifecycle/aws/package-lock.json

@@ -13,8 +13,8 @@
                 "cross-env": "^10.1.0"
             },
             "engines": {
-                "node": ">=20",
-                "npm": ">=11.6.2"
+                "node": ">=24",
+                "npm": ">=11.10.1"
             }
         },
         "node_modules/@epic-web/invariant": {

lifecycle/aws/package.json

@@ -11,7 +11,20 @@
         "cross-env": "^10.1.0"
     },
     "engines": {
-        "node": ">=20",
-        "npm": ">=11.6.2"
-    }
+        "node": ">=24",
+        "npm": ">=11.10.1"
+    },
+    "devEngines": {
+        "runtime": {
+            "name": "node",
+            "onFail": "warn",
+            "version": ">=24"
+        },
+        "packageManager": {
+            "name": "npm",
+            "version": ">=11.10.1",
+            "onFail": "warn"
+        }
+    },
+    "packageManager": "npm@11.11.0+sha512.f36811c4aae1fde639527368ae44c571d050006a608d67a191f195a801a52637a312d259186254aa3a3799b05335b7390539cf28656d18f0591a1125ba35f973"
 }

lifecycle/container/Dockerfile

@@ -7,6 +7,17 @@ ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 ENV NODE_ENV=production
 
+WORKDIR /work
+
+RUN --mount=type=bind,target=/work/package.json,src=./package.json \
+    --mount=type=bind,target=/work/package-lock.json,src=./package-lock.json \
+    --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
+    --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
+    --mount=type=bind,target=/work/scripts/node/,src=./scripts/node/ \
+    --mount=type=bind,target=/work/packages/logger-js/,src=./packages/logger-js/ \
+    node ./scripts/node/setup-corepack.mjs --force && \
+    node ./scripts/node/lint-runtime.mjs ./web
+
 WORKDIR /work/web
 
 # These files need to be copied and cannot be mounted as `npm ci` will build the client's typescript
@@ -18,7 +29,7 @@ RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
     --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
     --mount=type=cache,id=npm-ak,sharing=shared,target=/root/.npm \
-    npm ci
+    corepack npm ci
 
 COPY ./package.json /work
 COPY ./web /work/web/

lifecycle/container/proxy.Dockerfile

@@ -10,12 +10,22 @@ WORKDIR /static
 COPY ./packages /packages
 COPY ./web/packages /static/packages
 
+RUN --mount=type=bind,target=/static/package.json,src=./package.json \
+    --mount=type=bind,target=/static/package-lock.json,src=./package-lock.json \
+    --mount=type=bind,target=/static/web/package.json,src=./web/package.json \
+    --mount=type=bind,target=/static/web/package-lock.json,src=./web/package-lock.json \
+    --mount=type=bind,target=/static/scripts/node/,src=./scripts/node/ \
+    --mount=type=bind,target=/static/packages/logger-js/,src=./packages/logger-js/ \
+    node ./scripts/node/setup-corepack.mjs --force && \
+    node ./scripts/node/lint-runtime.mjs ./web
+
 COPY package.json /
+
 RUN --mount=type=bind,target=/static/package.json,src=./web/package.json \
     --mount=type=bind,target=/static/package-lock.json,src=./web/package-lock.json \
     --mount=type=bind,target=/static/scripts,src=./web/scripts \
     --mount=type=cache,target=/root/.npm \
-    npm ci
+    corepack npm ci
 
 COPY web .
 RUN npm run build-proxy

lifecycle/worker_process.py

@@ -1,6 +1,5 @@
 #!/usr/bin/env python3
 
-import faulthandler
 import os
 import random
 import signal
@@ -77,12 +76,6 @@ def main(worker_id: int, socket_path: str):
     signal.signal(signal.SIGINT, immediate_shutdown)
     signal.signal(signal.SIGQUIT, immediate_shutdown)
     signal.signal(signal.SIGTERM, graceful_shutdown)
-    # SIGUSR1 dumps every thread's traceback to stderr. Without this, the default
-    # action is "terminate", which kills the worker (and trips the Rust supervisor).
-    # Side-benefit: signal delivery wakes the eval loop, so `pdb -p` can attach to
-    # an otherwise-idle worker parked in a C-level syscall.
-    faulthandler.enable()
-    faulthandler.register(signal.SIGUSR1)
 
     random.seed()
 
@@ -104,11 +97,7 @@ def main(worker_id: int, socket_path: str):
     # Notify rust process that we are ready
     os.kill(os.getppid(), signal.SIGUSR2)
 
-    # Poll instead of waiting indefinitely so the main thread's eval loop ticks
-    # periodically — PEP 768's debugger pending hook is serviced on the main
-    # thread, and a permanent Event.wait() never returns to bytecode execution.
-    while not shutdown.wait(timeout=1.0):
-        pass
+    shutdown.wait()
 
     logger.info("Shutting down worker...")
 

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-29 00:28+0000\n"
+"POT-Creation-Date: 2026-04-30 00:27+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -224,6 +224,14 @@ msgid ""
 "providers are returned. When set to false, backchannel providers are excluded"
 msgstr ""
 
+#: authentik/core/api/users.py
+msgid "Invalid password hash format. Must be a valid Django password hash."
+msgstr ""
+
+#: authentik/core/api/users.py
+msgid "Cannot set both password and password_hash. Use only one."
+msgstr ""
+
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
 msgstr ""

locale/en/dictionaries/integrations.txt

@@ -19,6 +19,7 @@ Forti
 Fortigate
 Gatus
 Gestionnaire
+ghec
 Gitea
 Gravitee
 Homarr

packages/ak-common/src/tracing.rs

@@ -100,6 +100,7 @@ mod json {
         );
 
         let mut json_layer = json_subscriber::fmt::layer()
+            .with_level(false)
             .with_timer(LocalTime::new(time_format))
             .with_file(true)
             .with_line_number(true)
@@ -109,6 +110,11 @@ mod json {
         let inner_layer = json_layer.inner_layer_mut();
         inner_layer.with_thread_ids("thread_id");
         inner_layer.with_thread_names("thread_name");
+        inner_layer.add_dynamic_field("level", |event, _| {
+            Some(serde_json::Value::String(
+                event.metadata().level().as_str().to_lowercase(),
+            ))
+        });
         inner_layer.add_dynamic_field("pid", |_, _| {
             Some(serde_json::Value::Number(serde_json::Number::from(
                 std::process::id(),

packages/client-go/api_core.go

@@ -39,6 +39,7 @@ type ApiCoreBrandsListRequest struct {
 	flowAuthentication            *string
 	flowDeviceCode                *string
 	flowInvalidation              *string
+	flowLockdown                  *string
 	flowRecovery                  *string
 	flowUnenrollment              *string
 	flowUserSettings              *string
@@ -104,6 +105,11 @@ func (r ApiCoreBrandsListRequest) FlowInvalidation(flowInvalidation string) ApiC
 	return r
 }
 
+func (r ApiCoreBrandsListRequest) FlowLockdown(flowLockdown string) ApiCoreBrandsListRequest {
+	r.flowLockdown = &flowLockdown
+	return r
+}
+
 func (r ApiCoreBrandsListRequest) FlowRecovery(flowRecovery string) ApiCoreBrandsListRequest {
 	r.flowRecovery = &flowRecovery
 	return r
@@ -230,6 +236,9 @@ func (a *CoreAPIService) CoreBrandsListExecute(r ApiCoreBrandsListRequest) (*Pag
 	if r.flowInvalidation != nil {
 		parameterAddToHeaderOrQuery(localVarQueryParams, "flow_invalidation", r.flowInvalidation, "form", "")
 	}
+	if r.flowLockdown != nil {
+		parameterAddToHeaderOrQuery(localVarQueryParams, "flow_lockdown", r.flowLockdown, "form", "")
+	}
 	if r.flowRecovery != nil {
 		parameterAddToHeaderOrQuery(localVarQueryParams, "flow_recovery", r.flowRecovery, "form", "")
 	}

packages/client-go/model_brand.go

@@ -36,6 +36,7 @@ type Brand struct {
 	FlowUnenrollment              NullableString `json:"flow_unenrollment,omitempty"`
 	FlowUserSettings              NullableString `json:"flow_user_settings,omitempty"`
 	FlowDeviceCode                NullableString `json:"flow_device_code,omitempty"`
+	FlowLockdown                  NullableString `json:"flow_lockdown,omitempty"`
 	// When set, external users will be redirected to this application after authenticating.
 	DefaultApplication NullableString `json:"default_application,omitempty"`
 	// Web Certificate used by the authentik Core webserver.
@@ -565,6 +566,49 @@ func (o *Brand) UnsetFlowDeviceCode() {
 	o.FlowDeviceCode.Unset()
 }
 
+// GetFlowLockdown returns the FlowLockdown field value if set, zero value otherwise (both if not set or set to explicit null).
+func (o *Brand) GetFlowLockdown() string {
+	if o == nil || IsNil(o.FlowLockdown.Get()) {
+		var ret string
+		return ret
+	}
+	return *o.FlowLockdown.Get()
+}
+
+// GetFlowLockdownOk returns a tuple with the FlowLockdown field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+// NOTE: If the value is an explicit nil, `nil, true` will be returned
+func (o *Brand) GetFlowLockdownOk() (*string, bool) {
+	if o == nil {
+		return nil, false
+	}
+	return o.FlowLockdown.Get(), o.FlowLockdown.IsSet()
+}
+
+// HasFlowLockdown returns a boolean if a field has been set.
+func (o *Brand) HasFlowLockdown() bool {
+	if o != nil && o.FlowLockdown.IsSet() {
+		return true
+	}
+
+	return false
+}
+
+// SetFlowLockdown gets a reference to the given NullableString and assigns it to the FlowLockdown field.
+func (o *Brand) SetFlowLockdown(v string) {
+	o.FlowLockdown.Set(&v)
+}
+
+// SetFlowLockdownNil sets the value for FlowLockdown to be an explicit nil
+func (o *Brand) SetFlowLockdownNil() {
+	o.FlowLockdown.Set(nil)
+}
+
+// UnsetFlowLockdown ensures that no value is present for FlowLockdown, not even an explicit nil
+func (o *Brand) UnsetFlowLockdown() {
+	o.FlowLockdown.Unset()
+}
+
 // GetDefaultApplication returns the DefaultApplication field value if set, zero value otherwise (both if not set or set to explicit null).
 func (o *Brand) GetDefaultApplication() string {
 	if o == nil || IsNil(o.DefaultApplication.Get()) {
@@ -763,6 +807,9 @@ func (o Brand) ToMap() (map[string]interface{}, error) {
 	if o.FlowDeviceCode.IsSet() {
 		toSerialize["flow_device_code"] = o.FlowDeviceCode.Get()
 	}
+	if o.FlowLockdown.IsSet() {
+		toSerialize["flow_lockdown"] = o.FlowLockdown.Get()
+	}
 	if o.DefaultApplication.IsSet() {
 		toSerialize["default_application"] = o.DefaultApplication.Get()
 	}
@@ -833,6 +880,7 @@ func (o *Brand) UnmarshalJSON(data []byte) (err error) {
 		delete(additionalProperties, "flow_unenrollment")
 		delete(additionalProperties, "flow_user_settings")
 		delete(additionalProperties, "flow_device_code")
+		delete(additionalProperties, "flow_lockdown")
 		delete(additionalProperties, "default_application")
 		delete(additionalProperties, "web_certificate")
 		delete(additionalProperties, "client_certificates")

packages/client-go/model_prompt_type_enum.go

@@ -38,6 +38,9 @@ const (
 	PROMPTTYPEENUM_SEPARATOR           PromptTypeEnum = "separator"
 	PROMPTTYPEENUM_HIDDEN              PromptTypeEnum = "hidden"
 	PROMPTTYPEENUM_STATIC              PromptTypeEnum = "static"
+	PROMPTTYPEENUM_ALERT_INFO          PromptTypeEnum = "alert_info"
+	PROMPTTYPEENUM_ALERT_WARNING       PromptTypeEnum = "alert_warning"
+	PROMPTTYPEENUM_ALERT_DANGER        PromptTypeEnum = "alert_danger"
 	PROMPTTYPEENUM_AK_LOCALE           PromptTypeEnum = "ak-locale"
 )
 
@@ -60,6 +63,9 @@ var AllowedPromptTypeEnumEnumValues = []PromptTypeEnum{
 	"separator",
 	"hidden",
 	"static",
+	"alert_info",
+	"alert_warning",
+	"alert_danger",
 	"ak-locale",
 }
 

packages/client-rust/src/apis/core_api.rs

@@ -71,6 +71,7 @@ pub async fn core_brands_list(
     flow_authentication: Option<&str>,
     flow_device_code: Option<&str>,
     flow_invalidation: Option<&str>,
+    flow_lockdown: Option<&str>,
     flow_recovery: Option<&str>,
     flow_unenrollment: Option<&str>,
     flow_user_settings: Option<&str>,
@@ -92,6 +93,7 @@ pub async fn core_brands_list(
     let p_query_flow_authentication = flow_authentication;
     let p_query_flow_device_code = flow_device_code;
     let p_query_flow_invalidation = flow_invalidation;
+    let p_query_flow_lockdown = flow_lockdown;
     let p_query_flow_recovery = flow_recovery;
     let p_query_flow_unenrollment = flow_unenrollment;
     let p_query_flow_user_settings = flow_user_settings;
@@ -154,6 +156,9 @@ pub async fn core_brands_list(
     if let Some(ref param_value) = p_query_flow_invalidation {
         req_builder = req_builder.query(&[("flow_invalidation", &param_value.to_string())]);
     }
+    if let Some(ref param_value) = p_query_flow_lockdown {
+        req_builder = req_builder.query(&[("flow_lockdown", &param_value.to_string())]);
+    }
     if let Some(ref param_value) = p_query_flow_recovery {
         req_builder = req_builder.query(&[("flow_recovery", &param_value.to_string())]);
     }

packages/client-rust/src/models/brand.rs

@@ -78,6 +78,13 @@ pub struct Brand {
         skip_serializing_if = "Option::is_none"
     )]
     pub flow_device_code: Option<Option<uuid::Uuid>>,
+    #[serde(
+        rename = "flow_lockdown",
+        default,
+        with = "::serde_with::rust::double_option",
+        skip_serializing_if = "Option::is_none"
+    )]
+    pub flow_lockdown: Option<Option<uuid::Uuid>>,
     /// When set, external users will be redirected to this application after authenticating.
     #[serde(
         rename = "default_application",
@@ -122,6 +129,7 @@ impl Brand {
             flow_unenrollment: None,
             flow_user_settings: None,
             flow_device_code: None,
+            flow_lockdown: None,
             default_application: None,
             web_certificate: None,
             client_certificates: None,

packages/client-rust/src/models/prompt_type_enum.rs

@@ -47,6 +47,12 @@ pub enum PromptTypeEnum {
     Hidden,
     #[serde(rename = "static")]
     Static,
+    #[serde(rename = "alert_info")]
+    AlertInfo,
+    #[serde(rename = "alert_warning")]
+    AlertWarning,
+    #[serde(rename = "alert_danger")]
+    AlertDanger,
     #[serde(rename = "ak-locale")]
     AkLocale,
 }
@@ -71,6 +77,9 @@ impl std::fmt::Display for PromptTypeEnum {
             Self::Separator => write!(f, "separator"),
             Self::Hidden => write!(f, "hidden"),
             Self::Static => write!(f, "static"),
+            Self::AlertInfo => write!(f, "alert_info"),
+            Self::AlertWarning => write!(f, "alert_warning"),
+            Self::AlertDanger => write!(f, "alert_danger"),
             Self::AkLocale => write!(f, "ak-locale"),
         }
     }

packages/client-ts/src/apis/CoreApi.ts

@@ -52,6 +52,7 @@ import type {
     TransactionApplicationResponse,
     UsedBy,
     User,
+    UserAccountLockdownRequest,
     UserAccountRequest,
     UserConsent,
     UserPasswordHashSetRequest,
@@ -102,6 +103,7 @@ import {
     TransactionApplicationRequestToJSON,
     TransactionApplicationResponseFromJSON,
     UsedByFromJSON,
+    UserAccountLockdownRequestToJSON,
     UserAccountRequestToJSON,
     UserConsentFromJSON,
     UserFromJSON,
@@ -245,6 +247,7 @@ export interface CoreBrandsListRequest {
     flowAuthentication?: string;
     flowDeviceCode?: string;
     flowInvalidation?: string;
+    flowLockdown?: string;
     flowRecovery?: string;
     flowUnenrollment?: string;
     flowUserSettings?: string;
@@ -403,6 +406,10 @@ export interface CoreUserConsentUsedByListRequest {
     id: number;
 }
 
+export interface CoreUsersAccountLockdownCreateRequest {
+    userAccountLockdownRequest?: UserAccountLockdownRequest;
+}
+
 export interface CoreUsersCreateRequest {
     userRequest: UserRequest;
 }
@@ -2214,6 +2221,10 @@ export class CoreApi extends runtime.BaseAPI {
             queryParameters["flow_invalidation"] = requestParameters["flowInvalidation"];
         }
 
+        if (requestParameters["flowLockdown"] != null) {
+            queryParameters["flow_lockdown"] = requestParameters["flowLockdown"];
+        }
+
         if (requestParameters["flowRecovery"] != null) {
             queryParameters["flow_recovery"] = requestParameters["flowRecovery"];
         }
@@ -4189,6 +4200,66 @@ export class CoreApi extends runtime.BaseAPI {
         return await response.value();
     }
 
+    /**
+     * Creates request options for coreUsersAccountLockdownCreate without sending the request
+     */
+    async coreUsersAccountLockdownCreateRequestOpts(
+        requestParameters: CoreUsersAccountLockdownCreateRequest,
+    ): Promise<runtime.RequestOpts> {
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters["Content-Type"] = "application/json";
+
+        if (this.configuration && this.configuration.accessToken) {
+            const token = this.configuration.accessToken;
+            const tokenString = await token("authentik", []);
+
+            if (tokenString) {
+                headerParameters["Authorization"] = `Bearer ${tokenString}`;
+            }
+        }
+
+        let urlPath = `/core/users/account_lockdown/`;
+
+        return {
+            path: urlPath,
+            method: "POST",
+            headers: headerParameters,
+            query: queryParameters,
+            body: UserAccountLockdownRequestToJSON(requestParameters["userAccountLockdownRequest"]),
+        };
+    }
+
+    /**
+     * Choose the target account, then return a flow link.
+     */
+    async coreUsersAccountLockdownCreateRaw(
+        requestParameters: CoreUsersAccountLockdownCreateRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<runtime.ApiResponse<Link>> {
+        const requestOptions =
+            await this.coreUsersAccountLockdownCreateRequestOpts(requestParameters);
+        const response = await this.request(requestOptions, initOverrides);
+
+        return new runtime.JSONApiResponse(response, (jsonValue) => LinkFromJSON(jsonValue));
+    }
+
+    /**
+     * Choose the target account, then return a flow link.
+     */
+    async coreUsersAccountLockdownCreate(
+        requestParameters: CoreUsersAccountLockdownCreateRequest = {},
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<Link> {
+        const response = await this.coreUsersAccountLockdownCreateRaw(
+            requestParameters,
+            initOverrides,
+        );
+        return await response.value();
+    }
+
     /**
      * Creates request options for coreUsersCreate without sending the request
      */

packages/client-ts/src/apis/LifecycleApi.ts

@@ -40,9 +40,12 @@ export interface LifecycleIterationsCreateRequest {
     lifecycleIterationRequest: LifecycleIterationRequest;
 }
 
-export interface LifecycleIterationsLatestRetrieveRequest {
+export interface LifecycleIterationsListLatestRequest {
     contentType: string;
     objectId: string;
+    ordering?: string;
+    search?: string;
+    userIsReviewer?: boolean;
 }
 
 export interface LifecycleIterationsListOpenRequest {
@@ -157,27 +160,39 @@ export class LifecycleApi extends runtime.BaseAPI {
     }
 
     /**
-     * Creates request options for lifecycleIterationsLatestRetrieve without sending the request
+     * Creates request options for lifecycleIterationsListLatest without sending the request
      */
-    async lifecycleIterationsLatestRetrieveRequestOpts(
-        requestParameters: LifecycleIterationsLatestRetrieveRequest,
+    async lifecycleIterationsListLatestRequestOpts(
+        requestParameters: LifecycleIterationsListLatestRequest,
     ): Promise<runtime.RequestOpts> {
         if (requestParameters["contentType"] == null) {
             throw new runtime.RequiredError(
                 "contentType",
-                'Required parameter "contentType" was null or undefined when calling lifecycleIterationsLatestRetrieve().',
+                'Required parameter "contentType" was null or undefined when calling lifecycleIterationsListLatest().',
             );
         }
 
         if (requestParameters["objectId"] == null) {
             throw new runtime.RequiredError(
                 "objectId",
-                'Required parameter "objectId" was null or undefined when calling lifecycleIterationsLatestRetrieve().',
+                'Required parameter "objectId" was null or undefined when calling lifecycleIterationsListLatest().',
             );
         }
 
         const queryParameters: any = {};
 
+        if (requestParameters["ordering"] != null) {
+            queryParameters["ordering"] = requestParameters["ordering"];
+        }
+
+        if (requestParameters["search"] != null) {
+            queryParameters["search"] = requestParameters["search"];
+        }
+
+        if (requestParameters["userIsReviewer"] != null) {
+            queryParameters["user_is_reviewer"] = requestParameters["userIsReviewer"];
+        }
+
         const headerParameters: runtime.HTTPHeaders = {};
 
         if (this.configuration && this.configuration.accessToken) {
@@ -210,27 +225,27 @@ export class LifecycleApi extends runtime.BaseAPI {
     /**
      * Mixin to validate that a valid enterprise license exists before allowing to save the object
      */
-    async lifecycleIterationsLatestRetrieveRaw(
-        requestParameters: LifecycleIterationsLatestRetrieveRequest,
+    async lifecycleIterationsListLatestRaw(
+        requestParameters: LifecycleIterationsListLatestRequest,
         initOverrides?: RequestInit | runtime.InitOverrideFunction,
-    ): Promise<runtime.ApiResponse<LifecycleIteration>> {
+    ): Promise<runtime.ApiResponse<Array<LifecycleIteration>>> {
         const requestOptions =
-            await this.lifecycleIterationsLatestRetrieveRequestOpts(requestParameters);
+            await this.lifecycleIterationsListLatestRequestOpts(requestParameters);
         const response = await this.request(requestOptions, initOverrides);
 
         return new runtime.JSONApiResponse(response, (jsonValue) =>
-            LifecycleIterationFromJSON(jsonValue),
+            jsonValue.map(LifecycleIterationFromJSON),
         );
     }
 
     /**
      * Mixin to validate that a valid enterprise license exists before allowing to save the object
      */
-    async lifecycleIterationsLatestRetrieve(
-        requestParameters: LifecycleIterationsLatestRetrieveRequest,
+    async lifecycleIterationsListLatest(
+        requestParameters: LifecycleIterationsListLatestRequest,
         initOverrides?: RequestInit | runtime.InitOverrideFunction,
-    ): Promise<LifecycleIteration> {
-        const response = await this.lifecycleIterationsLatestRetrieveRaw(
+    ): Promise<Array<LifecycleIteration>> {
+        const response = await this.lifecycleIterationsListLatestRaw(
             requestParameters,
             initOverrides,
         );

packages/client-ts/src/apis/StagesApi.ts

@@ -13,6 +13,8 @@
  */
 
 import type {
+    AccountLockdownStage,
+    AccountLockdownStageRequest,
     AuthenticatorAttachmentEnum,
     AuthenticatorDuoStage,
     AuthenticatorDuoStageDeviceImportResponse,
@@ -61,6 +63,7 @@ import type {
     MutualTLSStageRequest,
     NetworkBindingEnum,
     NotConfiguredActionEnum,
+    PaginatedAccountLockdownStageList,
     PaginatedAuthenticatorDuoStageList,
     PaginatedAuthenticatorEmailStageList,
     PaginatedAuthenticatorEndpointGDTCStageList,
@@ -92,6 +95,7 @@ import type {
     PaginatedWebAuthnDeviceTypeList,
     PasswordStage,
     PasswordStageRequest,
+    PatchedAccountLockdownStageRequest,
     PatchedAuthenticatorDuoStageRequest,
     PatchedAuthenticatorEmailStageRequest,
     PatchedAuthenticatorEndpointGDTCStageRequest,
@@ -150,6 +154,8 @@ import type {
     WebAuthnDeviceType,
 } from "../models/index";
 import {
+    AccountLockdownStageFromJSON,
+    AccountLockdownStageRequestToJSON,
     AuthenticatorDuoStageDeviceImportResponseFromJSON,
     AuthenticatorDuoStageFromJSON,
     AuthenticatorDuoStageManualDeviceImportRequestToJSON,
@@ -190,6 +196,7 @@ import {
     InvitationStageRequestToJSON,
     MutualTLSStageFromJSON,
     MutualTLSStageRequestToJSON,
+    PaginatedAccountLockdownStageListFromJSON,
     PaginatedAuthenticatorDuoStageListFromJSON,
     PaginatedAuthenticatorEmailStageListFromJSON,
     PaginatedAuthenticatorEndpointGDTCStageListFromJSON,
@@ -221,6 +228,7 @@ import {
     PaginatedWebAuthnDeviceTypeListFromJSON,
     PasswordStageFromJSON,
     PasswordStageRequestToJSON,
+    PatchedAccountLockdownStageRequestToJSON,
     PatchedAuthenticatorDuoStageRequestToJSON,
     PatchedAuthenticatorEmailStageRequestToJSON,
     PatchedAuthenticatorEndpointGDTCStageRequestToJSON,
@@ -273,6 +281,46 @@ import {
 } from "../models/index";
 import * as runtime from "../runtime";
 
+export interface StagesAccountLockdownCreateRequest {
+    accountLockdownStageRequest: AccountLockdownStageRequest;
+}
+
+export interface StagesAccountLockdownDestroyRequest {
+    stageUuid: string;
+}
+
+export interface StagesAccountLockdownListRequest {
+    deactivateUser?: boolean;
+    deleteSessions?: boolean;
+    name?: string;
+    ordering?: string;
+    page?: number;
+    pageSize?: number;
+    revokeTokens?: boolean;
+    search?: string;
+    selfServiceCompletionFlow?: string;
+    setUnusablePassword?: boolean;
+    stageUuid?: string;
+}
+
+export interface StagesAccountLockdownPartialUpdateRequest {
+    stageUuid: string;
+    patchedAccountLockdownStageRequest?: PatchedAccountLockdownStageRequest;
+}
+
+export interface StagesAccountLockdownRetrieveRequest {
+    stageUuid: string;
+}
+
+export interface StagesAccountLockdownUpdateRequest {
+    stageUuid: string;
+    accountLockdownStageRequest: AccountLockdownStageRequest;
+}
+
+export interface StagesAccountLockdownUsedByListRequest {
+    stageUuid: string;
+}
+
 export interface StagesAllDestroyRequest {
     stageUuid: string;
 }
@@ -1366,6 +1414,534 @@ export interface StagesUserWriteUsedByListRequest {
  *
  */
 export class StagesApi extends runtime.BaseAPI {
+    /**
+     * Creates request options for stagesAccountLockdownCreate without sending the request
+     */
+    async stagesAccountLockdownCreateRequestOpts(
+        requestParameters: StagesAccountLockdownCreateRequest,
+    ): Promise<runtime.RequestOpts> {
+        if (requestParameters["accountLockdownStageRequest"] == null) {
+            throw new runtime.RequiredError(
+                "accountLockdownStageRequest",
+                'Required parameter "accountLockdownStageRequest" was null or undefined when calling stagesAccountLockdownCreate().',
+            );
+        }
+
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters["Content-Type"] = "application/json";
+
+        if (this.configuration && this.configuration.accessToken) {
+            const token = this.configuration.accessToken;
+            const tokenString = await token("authentik", []);
+
+            if (tokenString) {
+                headerParameters["Authorization"] = `Bearer ${tokenString}`;
+            }
+        }
+
+        let urlPath = `/stages/account_lockdown/`;
+
+        return {
+            path: urlPath,
+            method: "POST",
+            headers: headerParameters,
+            query: queryParameters,
+            body: AccountLockdownStageRequestToJSON(
+                requestParameters["accountLockdownStageRequest"],
+            ),
+        };
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownCreateRaw(
+        requestParameters: StagesAccountLockdownCreateRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<runtime.ApiResponse<AccountLockdownStage>> {
+        const requestOptions = await this.stagesAccountLockdownCreateRequestOpts(requestParameters);
+        const response = await this.request(requestOptions, initOverrides);
+
+        return new runtime.JSONApiResponse(response, (jsonValue) =>
+            AccountLockdownStageFromJSON(jsonValue),
+        );
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownCreate(
+        requestParameters: StagesAccountLockdownCreateRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<AccountLockdownStage> {
+        const response = await this.stagesAccountLockdownCreateRaw(
+            requestParameters,
+            initOverrides,
+        );
+        return await response.value();
+    }
+
+    /**
+     * Creates request options for stagesAccountLockdownDestroy without sending the request
+     */
+    async stagesAccountLockdownDestroyRequestOpts(
+        requestParameters: StagesAccountLockdownDestroyRequest,
+    ): Promise<runtime.RequestOpts> {
+        if (requestParameters["stageUuid"] == null) {
+            throw new runtime.RequiredError(
+                "stageUuid",
+                'Required parameter "stageUuid" was null or undefined when calling stagesAccountLockdownDestroy().',
+            );
+        }
+
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        if (this.configuration && this.configuration.accessToken) {
+            const token = this.configuration.accessToken;
+            const tokenString = await token("authentik", []);
+
+            if (tokenString) {
+                headerParameters["Authorization"] = `Bearer ${tokenString}`;
+            }
+        }
+
+        let urlPath = `/stages/account_lockdown/{stage_uuid}/`;
+        urlPath = urlPath.replace(
+            `{${"stage_uuid"}}`,
+            encodeURIComponent(String(requestParameters["stageUuid"])),
+        );
+
+        return {
+            path: urlPath,
+            method: "DELETE",
+            headers: headerParameters,
+            query: queryParameters,
+        };
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownDestroyRaw(
+        requestParameters: StagesAccountLockdownDestroyRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<runtime.ApiResponse<void>> {
+        const requestOptions =
+            await this.stagesAccountLockdownDestroyRequestOpts(requestParameters);
+        const response = await this.request(requestOptions, initOverrides);
+
+        return new runtime.VoidApiResponse(response);
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownDestroy(
+        requestParameters: StagesAccountLockdownDestroyRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<void> {
+        await this.stagesAccountLockdownDestroyRaw(requestParameters, initOverrides);
+    }
+
+    /**
+     * Creates request options for stagesAccountLockdownList without sending the request
+     */
+    async stagesAccountLockdownListRequestOpts(
+        requestParameters: StagesAccountLockdownListRequest,
+    ): Promise<runtime.RequestOpts> {
+        const queryParameters: any = {};
+
+        if (requestParameters["deactivateUser"] != null) {
+            queryParameters["deactivate_user"] = requestParameters["deactivateUser"];
+        }
+
+        if (requestParameters["deleteSessions"] != null) {
+            queryParameters["delete_sessions"] = requestParameters["deleteSessions"];
+        }
+
+        if (requestParameters["name"] != null) {
+            queryParameters["name"] = requestParameters["name"];
+        }
+
+        if (requestParameters["ordering"] != null) {
+            queryParameters["ordering"] = requestParameters["ordering"];
+        }
+
+        if (requestParameters["page"] != null) {
+            queryParameters["page"] = requestParameters["page"];
+        }
+
+        if (requestParameters["pageSize"] != null) {
+            queryParameters["page_size"] = requestParameters["pageSize"];
+        }
+
+        if (requestParameters["revokeTokens"] != null) {
+            queryParameters["revoke_tokens"] = requestParameters["revokeTokens"];
+        }
+
+        if (requestParameters["search"] != null) {
+            queryParameters["search"] = requestParameters["search"];
+        }
+
+        if (requestParameters["selfServiceCompletionFlow"] != null) {
+            queryParameters["self_service_completion_flow"] =
+                requestParameters["selfServiceCompletionFlow"];
+        }
+
+        if (requestParameters["setUnusablePassword"] != null) {
+            queryParameters["set_unusable_password"] = requestParameters["setUnusablePassword"];
+        }
+
+        if (requestParameters["stageUuid"] != null) {
+            queryParameters["stage_uuid"] = requestParameters["stageUuid"];
+        }
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        if (this.configuration && this.configuration.accessToken) {
+            const token = this.configuration.accessToken;
+            const tokenString = await token("authentik", []);
+
+            if (tokenString) {
+                headerParameters["Authorization"] = `Bearer ${tokenString}`;
+            }
+        }
+
+        let urlPath = `/stages/account_lockdown/`;
+
+        return {
+            path: urlPath,
+            method: "GET",
+            headers: headerParameters,
+            query: queryParameters,
+        };
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownListRaw(
+        requestParameters: StagesAccountLockdownListRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<runtime.ApiResponse<PaginatedAccountLockdownStageList>> {
+        const requestOptions = await this.stagesAccountLockdownListRequestOpts(requestParameters);
+        const response = await this.request(requestOptions, initOverrides);
+
+        return new runtime.JSONApiResponse(response, (jsonValue) =>
+            PaginatedAccountLockdownStageListFromJSON(jsonValue),
+        );
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownList(
+        requestParameters: StagesAccountLockdownListRequest = {},
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<PaginatedAccountLockdownStageList> {
+        const response = await this.stagesAccountLockdownListRaw(requestParameters, initOverrides);
+        return await response.value();
+    }
+
+    /**
+     * Creates request options for stagesAccountLockdownPartialUpdate without sending the request
+     */
+    async stagesAccountLockdownPartialUpdateRequestOpts(
+        requestParameters: StagesAccountLockdownPartialUpdateRequest,
+    ): Promise<runtime.RequestOpts> {
+        if (requestParameters["stageUuid"] == null) {
+            throw new runtime.RequiredError(
+                "stageUuid",
+                'Required parameter "stageUuid" was null or undefined when calling stagesAccountLockdownPartialUpdate().',
+            );
+        }
+
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters["Content-Type"] = "application/json";
+
+        if (this.configuration && this.configuration.accessToken) {
+            const token = this.configuration.accessToken;
+            const tokenString = await token("authentik", []);
+
+            if (tokenString) {
+                headerParameters["Authorization"] = `Bearer ${tokenString}`;
+            }
+        }
+
+        let urlPath = `/stages/account_lockdown/{stage_uuid}/`;
+        urlPath = urlPath.replace(
+            `{${"stage_uuid"}}`,
+            encodeURIComponent(String(requestParameters["stageUuid"])),
+        );
+
+        return {
+            path: urlPath,
+            method: "PATCH",
+            headers: headerParameters,
+            query: queryParameters,
+            body: PatchedAccountLockdownStageRequestToJSON(
+                requestParameters["patchedAccountLockdownStageRequest"],
+            ),
+        };
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownPartialUpdateRaw(
+        requestParameters: StagesAccountLockdownPartialUpdateRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<runtime.ApiResponse<AccountLockdownStage>> {
+        const requestOptions =
+            await this.stagesAccountLockdownPartialUpdateRequestOpts(requestParameters);
+        const response = await this.request(requestOptions, initOverrides);
+
+        return new runtime.JSONApiResponse(response, (jsonValue) =>
+            AccountLockdownStageFromJSON(jsonValue),
+        );
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownPartialUpdate(
+        requestParameters: StagesAccountLockdownPartialUpdateRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<AccountLockdownStage> {
+        const response = await this.stagesAccountLockdownPartialUpdateRaw(
+            requestParameters,
+            initOverrides,
+        );
+        return await response.value();
+    }
+
+    /**
+     * Creates request options for stagesAccountLockdownRetrieve without sending the request
+     */
+    async stagesAccountLockdownRetrieveRequestOpts(
+        requestParameters: StagesAccountLockdownRetrieveRequest,
+    ): Promise<runtime.RequestOpts> {
+        if (requestParameters["stageUuid"] == null) {
+            throw new runtime.RequiredError(
+                "stageUuid",
+                'Required parameter "stageUuid" was null or undefined when calling stagesAccountLockdownRetrieve().',
+            );
+        }
+
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        if (this.configuration && this.configuration.accessToken) {
+            const token = this.configuration.accessToken;
+            const tokenString = await token("authentik", []);
+
+            if (tokenString) {
+                headerParameters["Authorization"] = `Bearer ${tokenString}`;
+            }
+        }
+
+        let urlPath = `/stages/account_lockdown/{stage_uuid}/`;
+        urlPath = urlPath.replace(
+            `{${"stage_uuid"}}`,
+            encodeURIComponent(String(requestParameters["stageUuid"])),
+        );
+
+        return {
+            path: urlPath,
+            method: "GET",
+            headers: headerParameters,
+            query: queryParameters,
+        };
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownRetrieveRaw(
+        requestParameters: StagesAccountLockdownRetrieveRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<runtime.ApiResponse<AccountLockdownStage>> {
+        const requestOptions =
+            await this.stagesAccountLockdownRetrieveRequestOpts(requestParameters);
+        const response = await this.request(requestOptions, initOverrides);
+
+        return new runtime.JSONApiResponse(response, (jsonValue) =>
+            AccountLockdownStageFromJSON(jsonValue),
+        );
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownRetrieve(
+        requestParameters: StagesAccountLockdownRetrieveRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<AccountLockdownStage> {
+        const response = await this.stagesAccountLockdownRetrieveRaw(
+            requestParameters,
+            initOverrides,
+        );
+        return await response.value();
+    }
+
+    /**
+     * Creates request options for stagesAccountLockdownUpdate without sending the request
+     */
+    async stagesAccountLockdownUpdateRequestOpts(
+        requestParameters: StagesAccountLockdownUpdateRequest,
+    ): Promise<runtime.RequestOpts> {
+        if (requestParameters["stageUuid"] == null) {
+            throw new runtime.RequiredError(
+                "stageUuid",
+                'Required parameter "stageUuid" was null or undefined when calling stagesAccountLockdownUpdate().',
+            );
+        }
+
+        if (requestParameters["accountLockdownStageRequest"] == null) {
+            throw new runtime.RequiredError(
+                "accountLockdownStageRequest",
+                'Required parameter "accountLockdownStageRequest" was null or undefined when calling stagesAccountLockdownUpdate().',
+            );
+        }
+
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters["Content-Type"] = "application/json";
+
+        if (this.configuration && this.configuration.accessToken) {
+            const token = this.configuration.accessToken;
+            const tokenString = await token("authentik", []);
+
+            if (tokenString) {
+                headerParameters["Authorization"] = `Bearer ${tokenString}`;
+            }
+        }
+
+        let urlPath = `/stages/account_lockdown/{stage_uuid}/`;
+        urlPath = urlPath.replace(
+            `{${"stage_uuid"}}`,
+            encodeURIComponent(String(requestParameters["stageUuid"])),
+        );
+
+        return {
+            path: urlPath,
+            method: "PUT",
+            headers: headerParameters,
+            query: queryParameters,
+            body: AccountLockdownStageRequestToJSON(
+                requestParameters["accountLockdownStageRequest"],
+            ),
+        };
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownUpdateRaw(
+        requestParameters: StagesAccountLockdownUpdateRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<runtime.ApiResponse<AccountLockdownStage>> {
+        const requestOptions = await this.stagesAccountLockdownUpdateRequestOpts(requestParameters);
+        const response = await this.request(requestOptions, initOverrides);
+
+        return new runtime.JSONApiResponse(response, (jsonValue) =>
+            AccountLockdownStageFromJSON(jsonValue),
+        );
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownUpdate(
+        requestParameters: StagesAccountLockdownUpdateRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<AccountLockdownStage> {
+        const response = await this.stagesAccountLockdownUpdateRaw(
+            requestParameters,
+            initOverrides,
+        );
+        return await response.value();
+    }
+
+    /**
+     * Creates request options for stagesAccountLockdownUsedByList without sending the request
+     */
+    async stagesAccountLockdownUsedByListRequestOpts(
+        requestParameters: StagesAccountLockdownUsedByListRequest,
+    ): Promise<runtime.RequestOpts> {
+        if (requestParameters["stageUuid"] == null) {
+            throw new runtime.RequiredError(
+                "stageUuid",
+                'Required parameter "stageUuid" was null or undefined when calling stagesAccountLockdownUsedByList().',
+            );
+        }
+
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        if (this.configuration && this.configuration.accessToken) {
+            const token = this.configuration.accessToken;
+            const tokenString = await token("authentik", []);
+
+            if (tokenString) {
+                headerParameters["Authorization"] = `Bearer ${tokenString}`;
+            }
+        }
+
+        let urlPath = `/stages/account_lockdown/{stage_uuid}/used_by/`;
+        urlPath = urlPath.replace(
+            `{${"stage_uuid"}}`,
+            encodeURIComponent(String(requestParameters["stageUuid"])),
+        );
+
+        return {
+            path: urlPath,
+            method: "GET",
+            headers: headerParameters,
+            query: queryParameters,
+        };
+    }
+
+    /**
+     * Get a list of all objects that use this object
+     */
+    async stagesAccountLockdownUsedByListRaw(
+        requestParameters: StagesAccountLockdownUsedByListRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<runtime.ApiResponse<Array<UsedBy>>> {
+        const requestOptions =
+            await this.stagesAccountLockdownUsedByListRequestOpts(requestParameters);
+        const response = await this.request(requestOptions, initOverrides);
+
+        return new runtime.JSONApiResponse(response, (jsonValue) => jsonValue.map(UsedByFromJSON));
+    }
+
+    /**
+     * Get a list of all objects that use this object
+     */
+    async stagesAccountLockdownUsedByList(
+        requestParameters: StagesAccountLockdownUsedByListRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<Array<UsedBy>> {
+        const response = await this.stagesAccountLockdownUsedByListRaw(
+            requestParameters,
+            initOverrides,
+        );
+        return await response.value();
+    }
+
     /**
      * Creates request options for stagesAllDestroy without sending the request
      */

packages/client-ts/src/models/AccountLockdownStage.ts

@@ -0,0 +1,166 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * authentik
+ * Making authentication simple.
+ *
+ * The version of the OpenAPI document: 2026.5.0-rc1
+ * Contact: hello@goauthentik.io
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+import type { FlowSet } from "./FlowSet";
+import { FlowSetFromJSON } from "./FlowSet";
+
+/**
+ * AccountLockdownStage Serializer
+ * @export
+ * @interface AccountLockdownStage
+ */
+export interface AccountLockdownStage {
+    /**
+     *
+     * @type {string}
+     * @memberof AccountLockdownStage
+     */
+    readonly pk: string;
+    /**
+     *
+     * @type {string}
+     * @memberof AccountLockdownStage
+     */
+    name: string;
+    /**
+     * Get object type so that we know how to edit the object
+     * @type {string}
+     * @memberof AccountLockdownStage
+     */
+    readonly component: string;
+    /**
+     * Return object's verbose_name
+     * @type {string}
+     * @memberof AccountLockdownStage
+     */
+    readonly verboseName: string;
+    /**
+     * Return object's plural verbose_name
+     * @type {string}
+     * @memberof AccountLockdownStage
+     */
+    readonly verboseNamePlural: string;
+    /**
+     * Return internal model name
+     * @type {string}
+     * @memberof AccountLockdownStage
+     */
+    readonly metaModelName: string;
+    /**
+     *
+     * @type {Array<FlowSet>}
+     * @memberof AccountLockdownStage
+     */
+    readonly flowSet: Array<FlowSet>;
+    /**
+     * Deactivate the user account (set is_active to False)
+     * @type {boolean}
+     * @memberof AccountLockdownStage
+     */
+    deactivateUser?: boolean;
+    /**
+     * Set an unusable password for the user
+     * @type {boolean}
+     * @memberof AccountLockdownStage
+     */
+    setUnusablePassword?: boolean;
+    /**
+     * Delete all active sessions for the user
+     * @type {boolean}
+     * @memberof AccountLockdownStage
+     */
+    deleteSessions?: boolean;
+    /**
+     * Revoke all tokens for the user (API, app password, recovery, verification, OAuth)
+     * @type {boolean}
+     * @memberof AccountLockdownStage
+     */
+    revokeTokens?: boolean;
+    /**
+     * Flow to redirect users to after self-service lockdown. This flow should not require authentication since the user's session is deleted.
+     * @type {string}
+     * @memberof AccountLockdownStage
+     */
+    selfServiceCompletionFlow?: string | null;
+}
+
+/**
+ * Check if a given object implements the AccountLockdownStage interface.
+ */
+export function instanceOfAccountLockdownStage(value: object): value is AccountLockdownStage {
+    if (!("pk" in value) || value["pk"] === undefined) return false;
+    if (!("name" in value) || value["name"] === undefined) return false;
+    if (!("component" in value) || value["component"] === undefined) return false;
+    if (!("verboseName" in value) || value["verboseName"] === undefined) return false;
+    if (!("verboseNamePlural" in value) || value["verboseNamePlural"] === undefined) return false;
+    if (!("metaModelName" in value) || value["metaModelName"] === undefined) return false;
+    if (!("flowSet" in value) || value["flowSet"] === undefined) return false;
+    return true;
+}
+
+export function AccountLockdownStageFromJSON(json: any): AccountLockdownStage {
+    return AccountLockdownStageFromJSONTyped(json, false);
+}
+
+export function AccountLockdownStageFromJSONTyped(
+    json: any,
+    ignoreDiscriminator: boolean,
+): AccountLockdownStage {
+    if (json == null) {
+        return json;
+    }
+    return {
+        pk: json["pk"],
+        name: json["name"],
+        component: json["component"],
+        verboseName: json["verbose_name"],
+        verboseNamePlural: json["verbose_name_plural"],
+        metaModelName: json["meta_model_name"],
+        flowSet: (json["flow_set"] as Array<any>).map(FlowSetFromJSON),
+        deactivateUser: json["deactivate_user"] == null ? undefined : json["deactivate_user"],
+        setUnusablePassword:
+            json["set_unusable_password"] == null ? undefined : json["set_unusable_password"],
+        deleteSessions: json["delete_sessions"] == null ? undefined : json["delete_sessions"],
+        revokeTokens: json["revoke_tokens"] == null ? undefined : json["revoke_tokens"],
+        selfServiceCompletionFlow:
+            json["self_service_completion_flow"] == null
+                ? undefined
+                : json["self_service_completion_flow"],
+    };
+}
+
+export function AccountLockdownStageToJSON(json: any): AccountLockdownStage {
+    return AccountLockdownStageToJSONTyped(json, false);
+}
+
+export function AccountLockdownStageToJSONTyped(
+    value?: Omit<
+        AccountLockdownStage,
+        "pk" | "component" | "verbose_name" | "verbose_name_plural" | "meta_model_name" | "flow_set"
+    > | null,
+    ignoreDiscriminator: boolean = false,
+): any {
+    if (value == null) {
+        return value;
+    }
+
+    return {
+        name: value["name"],
+        deactivate_user: value["deactivateUser"],
+        set_unusable_password: value["setUnusablePassword"],
+        delete_sessions: value["deleteSessions"],
+        revoke_tokens: value["revokeTokens"],
+        self_service_completion_flow: value["selfServiceCompletionFlow"],
+    };
+}

packages/client-ts/src/models/AccountLockdownStageRequest.ts

@@ -0,0 +1,114 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * authentik
+ * Making authentication simple.
+ *
+ * The version of the OpenAPI document: 2026.5.0-rc1
+ * Contact: hello@goauthentik.io
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+/**
+ * AccountLockdownStage Serializer
+ * @export
+ * @interface AccountLockdownStageRequest
+ */
+export interface AccountLockdownStageRequest {
+    /**
+     *
+     * @type {string}
+     * @memberof AccountLockdownStageRequest
+     */
+    name: string;
+    /**
+     * Deactivate the user account (set is_active to False)
+     * @type {boolean}
+     * @memberof AccountLockdownStageRequest
+     */
+    deactivateUser?: boolean;
+    /**
+     * Set an unusable password for the user
+     * @type {boolean}
+     * @memberof AccountLockdownStageRequest
+     */
+    setUnusablePassword?: boolean;
+    /**
+     * Delete all active sessions for the user
+     * @type {boolean}
+     * @memberof AccountLockdownStageRequest
+     */
+    deleteSessions?: boolean;
+    /**
+     * Revoke all tokens for the user (API, app password, recovery, verification, OAuth)
+     * @type {boolean}
+     * @memberof AccountLockdownStageRequest
+     */
+    revokeTokens?: boolean;
+    /**
+     * Flow to redirect users to after self-service lockdown. This flow should not require authentication since the user's session is deleted.
+     * @type {string}
+     * @memberof AccountLockdownStageRequest
+     */
+    selfServiceCompletionFlow?: string | null;
+}
+
+/**
+ * Check if a given object implements the AccountLockdownStageRequest interface.
+ */
+export function instanceOfAccountLockdownStageRequest(
+    value: object,
+): value is AccountLockdownStageRequest {
+    if (!("name" in value) || value["name"] === undefined) return false;
+    return true;
+}
+
+export function AccountLockdownStageRequestFromJSON(json: any): AccountLockdownStageRequest {
+    return AccountLockdownStageRequestFromJSONTyped(json, false);
+}
+
+export function AccountLockdownStageRequestFromJSONTyped(
+    json: any,
+    ignoreDiscriminator: boolean,
+): AccountLockdownStageRequest {
+    if (json == null) {
+        return json;
+    }
+    return {
+        name: json["name"],
+        deactivateUser: json["deactivate_user"] == null ? undefined : json["deactivate_user"],
+        setUnusablePassword:
+            json["set_unusable_password"] == null ? undefined : json["set_unusable_password"],
+        deleteSessions: json["delete_sessions"] == null ? undefined : json["delete_sessions"],
+        revokeTokens: json["revoke_tokens"] == null ? undefined : json["revoke_tokens"],
+        selfServiceCompletionFlow:
+            json["self_service_completion_flow"] == null
+                ? undefined
+                : json["self_service_completion_flow"],
+    };
+}
+
+export function AccountLockdownStageRequestToJSON(json: any): AccountLockdownStageRequest {
+    return AccountLockdownStageRequestToJSONTyped(json, false);
+}
+
+export function AccountLockdownStageRequestToJSONTyped(
+    value?: AccountLockdownStageRequest | null,
+    ignoreDiscriminator: boolean = false,
+): any {
+    if (value == null) {
+        return value;
+    }
+
+    return {
+        name: value["name"],
+        deactivate_user: value["deactivateUser"],
+        set_unusable_password: value["setUnusablePassword"],
+        delete_sessions: value["deleteSessions"],
+        revoke_tokens: value["revokeTokens"],
+        self_service_completion_flow: value["selfServiceCompletionFlow"],
+    };
+}

packages/client-ts/src/models/AppEnum.ts

@@ -94,6 +94,7 @@ export const AppEnum = {
     AuthentikEnterpriseProvidersSsf: "authentik.enterprise.providers.ssf",
     AuthentikEnterpriseProvidersWsFederation: "authentik.enterprise.providers.ws_federation",
     AuthentikEnterpriseReports: "authentik.enterprise.reports",
+    AuthentikEnterpriseStagesAccountLockdown: "authentik.enterprise.stages.account_lockdown",
     AuthentikEnterpriseStagesAuthenticatorEndpointGdtc:
         "authentik.enterprise.stages.authenticator_endpoint_gdtc",
     AuthentikEnterpriseStagesMtls: "authentik.enterprise.stages.mtls",

packages/client-ts/src/models/Brand.ts

@@ -102,6 +102,12 @@ export interface Brand {
      * @memberof Brand
      */
     flowDeviceCode?: string | null;
+    /**
+     *
+     * @type {string}
+     * @memberof Brand
+     */
+    flowLockdown?: string | null;
     /**
      * When set, external users will be redirected to this application after authenticating.
      * @type {string}
@@ -166,6 +172,7 @@ export function BrandFromJSONTyped(json: any, ignoreDiscriminator: boolean): Bra
         flowUserSettings:
             json["flow_user_settings"] == null ? undefined : json["flow_user_settings"],
         flowDeviceCode: json["flow_device_code"] == null ? undefined : json["flow_device_code"],
+        flowLockdown: json["flow_lockdown"] == null ? undefined : json["flow_lockdown"],
         defaultApplication:
             json["default_application"] == null ? undefined : json["default_application"],
         webCertificate: json["web_certificate"] == null ? undefined : json["web_certificate"],
@@ -201,6 +208,7 @@ export function BrandToJSONTyped(
         flow_unenrollment: value["flowUnenrollment"],
         flow_user_settings: value["flowUserSettings"],
         flow_device_code: value["flowDeviceCode"],
+        flow_lockdown: value["flowLockdown"],
         default_application: value["defaultApplication"],
         web_certificate: value["webCertificate"],
         client_certificates: value["clientCertificates"],

packages/client-ts/src/models/BrandRequest.ts

@@ -96,6 +96,12 @@ export interface BrandRequest {
      * @memberof BrandRequest
      */
     flowDeviceCode?: string | null;
+    /**
+     *
+     * @type {string}
+     * @memberof BrandRequest
+     */
+    flowLockdown?: string | null;
     /**
      * When set, external users will be redirected to this application after authenticating.
      * @type {string}
@@ -158,6 +164,7 @@ export function BrandRequestFromJSONTyped(json: any, ignoreDiscriminator: boolea
         flowUserSettings:
             json["flow_user_settings"] == null ? undefined : json["flow_user_settings"],
         flowDeviceCode: json["flow_device_code"] == null ? undefined : json["flow_device_code"],
+        flowLockdown: json["flow_lockdown"] == null ? undefined : json["flow_lockdown"],
         defaultApplication:
             json["default_application"] == null ? undefined : json["default_application"],
         webCertificate: json["web_certificate"] == null ? undefined : json["web_certificate"],
@@ -193,6 +200,7 @@ export function BrandRequestToJSONTyped(
         flow_unenrollment: value["flowUnenrollment"],
         flow_user_settings: value["flowUserSettings"],
         flow_device_code: value["flowDeviceCode"],
+        flow_lockdown: value["flowLockdown"],
         default_application: value["defaultApplication"],
         web_certificate: value["webCertificate"],
         client_certificates: value["clientCertificates"],

packages/client-ts/src/models/CurrentBrand.ts

@@ -117,6 +117,12 @@ export interface CurrentBrand {
      * @memberof CurrentBrand
      */
     flowDeviceCode?: string;
+    /**
+     *
+     * @type {string}
+     * @memberof CurrentBrand
+     */
+    flowLockdown?: string;
     /**
      *
      * @type {string}
@@ -177,6 +183,7 @@ export function CurrentBrandFromJSONTyped(json: any, ignoreDiscriminator: boolea
         flowUserSettings:
             json["flow_user_settings"] == null ? undefined : json["flow_user_settings"],
         flowDeviceCode: json["flow_device_code"] == null ? undefined : json["flow_device_code"],
+        flowLockdown: json["flow_lockdown"] == null ? undefined : json["flow_lockdown"],
         defaultLocale: json["default_locale"],
         flags: CurrentBrandFlagsFromJSON(json["flags"]),
     };
@@ -213,6 +220,7 @@ export function CurrentBrandToJSONTyped(
         flow_unenrollment: value["flowUnenrollment"],
         flow_user_settings: value["flowUserSettings"],
         flow_device_code: value["flowDeviceCode"],
+        flow_lockdown: value["flowLockdown"],
         flags: CurrentBrandFlagsToJSON(value["flags"]),
     };
 }

packages/client-ts/src/models/LifecycleIteration.ts

@@ -16,12 +16,10 @@ import type { ContentTypeEnum } from "./ContentTypeEnum";
 import { ContentTypeEnumFromJSON, ContentTypeEnumToJSON } from "./ContentTypeEnum";
 import type { LifecycleIterationStateEnum } from "./LifecycleIterationStateEnum";
 import { LifecycleIterationStateEnumFromJSON } from "./LifecycleIterationStateEnum";
+import type { RelatedRule } from "./RelatedRule";
+import { RelatedRuleFromJSON } from "./RelatedRule";
 import type { Review } from "./Review";
 import { ReviewFromJSON } from "./Review";
-import type { ReviewerGroup } from "./ReviewerGroup";
-import { ReviewerGroupFromJSON } from "./ReviewerGroup";
-import type { ReviewerUser } from "./ReviewerUser";
-import { ReviewerUserFromJSON } from "./ReviewerUser";
 
 /**
  * Mixin to validate that a valid enterprise license
@@ -90,30 +88,18 @@ export interface LifecycleIteration {
      * @memberof LifecycleIteration
      */
     readonly reviews: Array<Review>;
+    /**
+     *
+     * @type {RelatedRule}
+     * @memberof LifecycleIteration
+     */
+    readonly rule: RelatedRule;
     /**
      *
      * @type {boolean}
      * @memberof LifecycleIteration
      */
     readonly userCanReview: boolean;
-    /**
-     *
-     * @type {Array<ReviewerGroup>}
-     * @memberof LifecycleIteration
-     */
-    readonly reviewerGroups: Array<ReviewerGroup>;
-    /**
-     *
-     * @type {number}
-     * @memberof LifecycleIteration
-     */
-    readonly minReviewers: number;
-    /**
-     *
-     * @type {Array<ReviewerUser>}
-     * @memberof LifecycleIteration
-     */
-    readonly reviewers: Array<ReviewerUser>;
 }
 
 /**
@@ -130,10 +116,8 @@ export function instanceOfLifecycleIteration(value: object): value is LifecycleI
     if (!("gracePeriodEnd" in value) || value["gracePeriodEnd"] === undefined) return false;
     if (!("nextReviewDate" in value) || value["nextReviewDate"] === undefined) return false;
     if (!("reviews" in value) || value["reviews"] === undefined) return false;
+    if (!("rule" in value) || value["rule"] === undefined) return false;
     if (!("userCanReview" in value) || value["userCanReview"] === undefined) return false;
-    if (!("reviewerGroups" in value) || value["reviewerGroups"] === undefined) return false;
-    if (!("minReviewers" in value) || value["minReviewers"] === undefined) return false;
-    if (!("reviewers" in value) || value["reviewers"] === undefined) return false;
     return true;
 }
 
@@ -159,10 +143,8 @@ export function LifecycleIterationFromJSONTyped(
         gracePeriodEnd: new Date(json["grace_period_end"]),
         nextReviewDate: new Date(json["next_review_date"]),
         reviews: (json["reviews"] as Array<any>).map(ReviewFromJSON),
+        rule: RelatedRuleFromJSON(json["rule"]),
         userCanReview: json["user_can_review"],
-        reviewerGroups: (json["reviewer_groups"] as Array<any>).map(ReviewerGroupFromJSON),
-        minReviewers: json["min_reviewers"],
-        reviewers: (json["reviewers"] as Array<any>).map(ReviewerUserFromJSON),
     };
 }
 
@@ -182,10 +164,8 @@ export function LifecycleIterationToJSONTyped(
         | "grace_period_end"
         | "next_review_date"
         | "reviews"
+        | "rule"
         | "user_can_review"
-        | "reviewer_groups"
-        | "min_reviewers"
-        | "reviewers"
     > | null,
     ignoreDiscriminator: boolean = false,
 ): any {

packages/client-ts/src/models/ModelEnum.ts

@@ -175,6 +175,8 @@ export const ModelEnum = {
     AuthentikProvidersWsFederationWsfederationprovider:
         "authentik_providers_ws_federation.wsfederationprovider",
     AuthentikReportsDataexport: "authentik_reports.dataexport",
+    AuthentikStagesAccountLockdownAccountlockdownstage:
+        "authentik_stages_account_lockdown.accountlockdownstage",
     AuthentikStagesAuthenticatorEndpointGdtcAuthenticatorendpointgdtcstage:
         "authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage",
     AuthentikStagesMtlsMutualtlsstage: "authentik_stages_mtls.mutualtlsstage",

packages/client-ts/src/models/PaginatedAccountLockdownStageList.ts

@@ -0,0 +1,97 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * authentik
+ * Making authentication simple.
+ *
+ * The version of the OpenAPI document: 2026.5.0-rc1
+ * Contact: hello@goauthentik.io
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+import type { AccountLockdownStage } from "./AccountLockdownStage";
+import { AccountLockdownStageFromJSON, AccountLockdownStageToJSON } from "./AccountLockdownStage";
+import type { Pagination } from "./Pagination";
+import { PaginationFromJSON, PaginationToJSON } from "./Pagination";
+
+/**
+ *
+ * @export
+ * @interface PaginatedAccountLockdownStageList
+ */
+export interface PaginatedAccountLockdownStageList {
+    /**
+     *
+     * @type {Pagination}
+     * @memberof PaginatedAccountLockdownStageList
+     */
+    pagination: Pagination;
+    /**
+     *
+     * @type {Array<AccountLockdownStage>}
+     * @memberof PaginatedAccountLockdownStageList
+     */
+    results: Array<AccountLockdownStage>;
+    /**
+     *
+     * @type {{ [key: string]: any; }}
+     * @memberof PaginatedAccountLockdownStageList
+     */
+    autocomplete: { [key: string]: any };
+}
+
+/**
+ * Check if a given object implements the PaginatedAccountLockdownStageList interface.
+ */
+export function instanceOfPaginatedAccountLockdownStageList(
+    value: object,
+): value is PaginatedAccountLockdownStageList {
+    if (!("pagination" in value) || value["pagination"] === undefined) return false;
+    if (!("results" in value) || value["results"] === undefined) return false;
+    if (!("autocomplete" in value) || value["autocomplete"] === undefined) return false;
+    return true;
+}
+
+export function PaginatedAccountLockdownStageListFromJSON(
+    json: any,
+): PaginatedAccountLockdownStageList {
+    return PaginatedAccountLockdownStageListFromJSONTyped(json, false);
+}
+
+export function PaginatedAccountLockdownStageListFromJSONTyped(
+    json: any,
+    ignoreDiscriminator: boolean,
+): PaginatedAccountLockdownStageList {
+    if (json == null) {
+        return json;
+    }
+    return {
+        pagination: PaginationFromJSON(json["pagination"]),
+        results: (json["results"] as Array<any>).map(AccountLockdownStageFromJSON),
+        autocomplete: json["autocomplete"],
+    };
+}
+
+export function PaginatedAccountLockdownStageListToJSON(
+    json: any,
+): PaginatedAccountLockdownStageList {
+    return PaginatedAccountLockdownStageListToJSONTyped(json, false);
+}
+
+export function PaginatedAccountLockdownStageListToJSONTyped(
+    value?: PaginatedAccountLockdownStageList | null,
+    ignoreDiscriminator: boolean = false,
+): any {
+    if (value == null) {
+        return value;
+    }
+
+    return {
+        pagination: PaginationToJSON(value["pagination"]),
+        results: (value["results"] as Array<any>).map(AccountLockdownStageToJSON),
+        autocomplete: value["autocomplete"],
+    };
+}

packages/client-ts/src/models/PatchedAccountLockdownStageRequest.ts

@@ -0,0 +1,117 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * authentik
+ * Making authentication simple.
+ *
+ * The version of the OpenAPI document: 2026.5.0-rc1
+ * Contact: hello@goauthentik.io
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+/**
+ * AccountLockdownStage Serializer
+ * @export
+ * @interface PatchedAccountLockdownStageRequest
+ */
+export interface PatchedAccountLockdownStageRequest {
+    /**
+     *
+     * @type {string}
+     * @memberof PatchedAccountLockdownStageRequest
+     */
+    name?: string;
+    /**
+     * Deactivate the user account (set is_active to False)
+     * @type {boolean}
+     * @memberof PatchedAccountLockdownStageRequest
+     */
+    deactivateUser?: boolean;
+    /**
+     * Set an unusable password for the user
+     * @type {boolean}
+     * @memberof PatchedAccountLockdownStageRequest
+     */
+    setUnusablePassword?: boolean;
+    /**
+     * Delete all active sessions for the user
+     * @type {boolean}
+     * @memberof PatchedAccountLockdownStageRequest
+     */
+    deleteSessions?: boolean;
+    /**
+     * Revoke all tokens for the user (API, app password, recovery, verification, OAuth)
+     * @type {boolean}
+     * @memberof PatchedAccountLockdownStageRequest
+     */
+    revokeTokens?: boolean;
+    /**
+     * Flow to redirect users to after self-service lockdown. This flow should not require authentication since the user's session is deleted.
+     * @type {string}
+     * @memberof PatchedAccountLockdownStageRequest
+     */
+    selfServiceCompletionFlow?: string | null;
+}
+
+/**
+ * Check if a given object implements the PatchedAccountLockdownStageRequest interface.
+ */
+export function instanceOfPatchedAccountLockdownStageRequest(
+    value: object,
+): value is PatchedAccountLockdownStageRequest {
+    return true;
+}
+
+export function PatchedAccountLockdownStageRequestFromJSON(
+    json: any,
+): PatchedAccountLockdownStageRequest {
+    return PatchedAccountLockdownStageRequestFromJSONTyped(json, false);
+}
+
+export function PatchedAccountLockdownStageRequestFromJSONTyped(
+    json: any,
+    ignoreDiscriminator: boolean,
+): PatchedAccountLockdownStageRequest {
+    if (json == null) {
+        return json;
+    }
+    return {
+        name: json["name"] == null ? undefined : json["name"],
+        deactivateUser: json["deactivate_user"] == null ? undefined : json["deactivate_user"],
+        setUnusablePassword:
+            json["set_unusable_password"] == null ? undefined : json["set_unusable_password"],
+        deleteSessions: json["delete_sessions"] == null ? undefined : json["delete_sessions"],
+        revokeTokens: json["revoke_tokens"] == null ? undefined : json["revoke_tokens"],
+        selfServiceCompletionFlow:
+            json["self_service_completion_flow"] == null
+                ? undefined
+                : json["self_service_completion_flow"],
+    };
+}
+
+export function PatchedAccountLockdownStageRequestToJSON(
+    json: any,
+): PatchedAccountLockdownStageRequest {
+    return PatchedAccountLockdownStageRequestToJSONTyped(json, false);
+}
+
+export function PatchedAccountLockdownStageRequestToJSONTyped(
+    value?: PatchedAccountLockdownStageRequest | null,
+    ignoreDiscriminator: boolean = false,
+): any {
+    if (value == null) {
+        return value;
+    }
+
+    return {
+        name: value["name"],
+        deactivate_user: value["deactivateUser"],
+        set_unusable_password: value["setUnusablePassword"],
+        delete_sessions: value["deleteSessions"],
+        revoke_tokens: value["revokeTokens"],
+        self_service_completion_flow: value["selfServiceCompletionFlow"],
+    };
+}

packages/client-ts/src/models/PatchedBrandRequest.ts

@@ -96,6 +96,12 @@ export interface PatchedBrandRequest {
      * @memberof PatchedBrandRequest
      */
     flowDeviceCode?: string | null;
+    /**
+     *
+     * @type {string}
+     * @memberof PatchedBrandRequest
+     */
+    flowLockdown?: string | null;
     /**
      * When set, external users will be redirected to this application after authenticating.
      * @type {string}
@@ -160,6 +166,7 @@ export function PatchedBrandRequestFromJSONTyped(
         flowUserSettings:
             json["flow_user_settings"] == null ? undefined : json["flow_user_settings"],
         flowDeviceCode: json["flow_device_code"] == null ? undefined : json["flow_device_code"],
+        flowLockdown: json["flow_lockdown"] == null ? undefined : json["flow_lockdown"],
         defaultApplication:
             json["default_application"] == null ? undefined : json["default_application"],
         webCertificate: json["web_certificate"] == null ? undefined : json["web_certificate"],
@@ -195,6 +202,7 @@ export function PatchedBrandRequestToJSONTyped(
         flow_unenrollment: value["flowUnenrollment"],
         flow_user_settings: value["flowUserSettings"],
         flow_device_code: value["flowDeviceCode"],
+        flow_lockdown: value["flowLockdown"],
         default_application: value["defaultApplication"],
         web_certificate: value["webCertificate"],
         client_certificates: value["clientCertificates"],

packages/client-ts/src/models/PromptTypeEnum.ts

@@ -34,6 +34,9 @@ export const PromptTypeEnum = {
     Separator: "separator",
     Hidden: "hidden",
     Static: "static",
+    AlertInfo: "alert_info",
+    AlertWarning: "alert_warning",
+    AlertDanger: "alert_danger",
     AkLocale: "ak-locale",
     UnknownDefaultOpenApi: "11184809",
 } as const;

packages/client-ts/src/models/RelatedRule.ts

@@ -0,0 +1,103 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * authentik
+ * Making authentication simple.
+ *
+ * The version of the OpenAPI document: 2026.5.0-rc1
+ * Contact: hello@goauthentik.io
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+import type { ReviewerGroup } from "./ReviewerGroup";
+import { ReviewerGroupFromJSON } from "./ReviewerGroup";
+import type { ReviewerUser } from "./ReviewerUser";
+import { ReviewerUserFromJSON } from "./ReviewerUser";
+
+/**
+ * Mixin to validate that a valid enterprise license
+ * exists before allowing to save the object
+ * @export
+ * @interface RelatedRule
+ */
+export interface RelatedRule {
+    /**
+     *
+     * @type {string}
+     * @memberof RelatedRule
+     */
+    id?: string;
+    /**
+     *
+     * @type {string}
+     * @memberof RelatedRule
+     */
+    name: string;
+    /**
+     *
+     * @type {Array<ReviewerGroup>}
+     * @memberof RelatedRule
+     */
+    readonly reviewerGroups: Array<ReviewerGroup>;
+    /**
+     *
+     * @type {number}
+     * @memberof RelatedRule
+     */
+    readonly minReviewers: number;
+    /**
+     *
+     * @type {Array<ReviewerUser>}
+     * @memberof RelatedRule
+     */
+    readonly reviewers: Array<ReviewerUser>;
+}
+
+/**
+ * Check if a given object implements the RelatedRule interface.
+ */
+export function instanceOfRelatedRule(value: object): value is RelatedRule {
+    if (!("name" in value) || value["name"] === undefined) return false;
+    if (!("reviewerGroups" in value) || value["reviewerGroups"] === undefined) return false;
+    if (!("minReviewers" in value) || value["minReviewers"] === undefined) return false;
+    if (!("reviewers" in value) || value["reviewers"] === undefined) return false;
+    return true;
+}
+
+export function RelatedRuleFromJSON(json: any): RelatedRule {
+    return RelatedRuleFromJSONTyped(json, false);
+}
+
+export function RelatedRuleFromJSONTyped(json: any, ignoreDiscriminator: boolean): RelatedRule {
+    if (json == null) {
+        return json;
+    }
+    return {
+        id: json["id"] == null ? undefined : json["id"],
+        name: json["name"],
+        reviewerGroups: (json["reviewer_groups"] as Array<any>).map(ReviewerGroupFromJSON),
+        minReviewers: json["min_reviewers"],
+        reviewers: (json["reviewers"] as Array<any>).map(ReviewerUserFromJSON),
+    };
+}
+
+export function RelatedRuleToJSON(json: any): RelatedRule {
+    return RelatedRuleToJSONTyped(json, false);
+}
+
+export function RelatedRuleToJSONTyped(
+    value?: Omit<RelatedRule, "reviewer_groups" | "min_reviewers" | "reviewers"> | null,
+    ignoreDiscriminator: boolean = false,
+): any {
+    if (value == null) {
+        return value;
+    }
+
+    return {
+        id: value["id"],
+        name: value["name"],
+    };
+}

packages/client-ts/src/models/UserAccountLockdownRequest.ts

@@ -0,0 +1,69 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * authentik
+ * Making authentication simple.
+ *
+ * The version of the OpenAPI document: 2026.5.0-rc1
+ * Contact: hello@goauthentik.io
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+/**
+ * Choose the target account before starting the lockdown flow.
+ * @export
+ * @interface UserAccountLockdownRequest
+ */
+export interface UserAccountLockdownRequest {
+    /**
+     * User to lock. If omitted, locks the current user (self-service).
+     * @type {number}
+     * @memberof UserAccountLockdownRequest
+     */
+    user?: number | null;
+}
+
+/**
+ * Check if a given object implements the UserAccountLockdownRequest interface.
+ */
+export function instanceOfUserAccountLockdownRequest(
+    value: object,
+): value is UserAccountLockdownRequest {
+    return true;
+}
+
+export function UserAccountLockdownRequestFromJSON(json: any): UserAccountLockdownRequest {
+    return UserAccountLockdownRequestFromJSONTyped(json, false);
+}
+
+export function UserAccountLockdownRequestFromJSONTyped(
+    json: any,
+    ignoreDiscriminator: boolean,
+): UserAccountLockdownRequest {
+    if (json == null) {
+        return json;
+    }
+    return {
+        user: json["user"] == null ? undefined : json["user"],
+    };
+}
+
+export function UserAccountLockdownRequestToJSON(json: any): UserAccountLockdownRequest {
+    return UserAccountLockdownRequestToJSONTyped(json, false);
+}
+
+export function UserAccountLockdownRequestToJSONTyped(
+    value?: UserAccountLockdownRequest | null,
+    ignoreDiscriminator: boolean = false,
+): any {
+    if (value == null) {
+        return value;
+    }
+
+    return {
+        user: value["user"],
+    };
+}

packages/client-ts/src/models/index.ts

@@ -1,6 +1,8 @@
 /* tslint:disable */
 /* eslint-disable */
 export * from "./AccessDeniedChallenge";
+export * from "./AccountLockdownStage";
+export * from "./AccountLockdownStageRequest";
 export * from "./AgentAuthenticationResponse";
 export * from "./AgentConfig";
 export * from "./AgentConnector";
@@ -352,6 +354,7 @@ export * from "./OutpostHealth";
 export * from "./OutpostRequest";
 export * from "./OutpostTypeEnum";
 export * from "./PKCEMethodEnum";
+export * from "./PaginatedAccountLockdownStageList";
 export * from "./PaginatedAgentConnectorList";
 export * from "./PaginatedAppleIndependentSecureEnclaveList";
 export * from "./PaginatedApplicationEntitlementList";
@@ -518,6 +521,7 @@ export * from "./PasswordPolicy";
 export * from "./PasswordPolicyRequest";
 export * from "./PasswordStage";
 export * from "./PasswordStageRequest";
+export * from "./PatchedAccountLockdownStageRequest";
 export * from "./PatchedAgentConnectorRequest";
 export * from "./PatchedAppleIndependentSecureEnclaveRequest";
 export * from "./PatchedApplicationEntitlementRequest";
@@ -705,6 +709,7 @@ export * from "./RedirectURI";
 export * from "./RedirectURIRequest";
 export * from "./RedirectUriTypeEnum";
 export * from "./RelatedGroup";
+export * from "./RelatedRule";
 export * from "./Reputation";
 export * from "./ReputationPolicy";
 export * from "./ReputationPolicyRequest";
@@ -821,6 +826,7 @@ export * from "./UsageEnum";
 export * from "./UsedBy";
 export * from "./UsedByActionEnum";
 export * from "./User";
+export * from "./UserAccountLockdownRequest";
 export * from "./UserAccountRequest";
 export * from "./UserAccountSerializerForRoleRequest";
 export * from "./UserAttributeEnum";

schema.yml

@@ -3172,6 +3172,11 @@ paths:
         schema:
           type: string
           format: uuid
+      - in: query
+        name: flow_lockdown
+        schema:
+          type: string
+          format: uuid
       - in: query
         name: flow_recovery
         schema:
@@ -4585,6 +4590,35 @@ paths:
           $ref: '#/components/responses/ValidationErrorResponse'
         '403':
           $ref: '#/components/responses/GenericErrorResponse'
+  /core/users/account_lockdown/:
+    post:
+      operationId: core_users_account_lockdown_create
+      description: Choose the target account, then return a flow link.
+      tags:
+      - core
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/UserAccountLockdownRequest'
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Link'
+              examples:
+                LockdownFlowURL:
+                  value:
+                    link: https://example.invalid/if/flow/default-account-lockdown/
+                  summary: Lockdown flow URL
+          description: ''
+        '400':
+          description: No lockdown flow configured or the flow is not applicable
+        '403':
+          description: Permission denied (when targeting another user)
   /core/users/export/:
     post:
       operationId: core_users_export_create
@@ -9132,7 +9166,7 @@ paths:
           $ref: '#/components/responses/GenericErrorResponse'
   /lifecycle/iterations/latest/{content_type}/{object_id}/:
     get:
-      operationId: lifecycle_iterations_latest_retrieve
+      operationId: lifecycle_iterations_list_latest
       description: |-
         Mixin to validate that a valid enterprise license
         exists before allowing to save the object
@@ -9149,6 +9183,12 @@ paths:
           type: string
           pattern: ^[^/]+$
         required: true
+      - $ref: '#/components/parameters/QueryPaginationOrdering'
+      - $ref: '#/components/parameters/QuerySearch'
+      - in: query
+        name: user_is_reviewer
+        schema:
+          type: boolean
       tags:
       - lifecycle
       security:
@@ -9158,7 +9198,9 @@ paths:
           content:
             application/json:
               schema:
-                $ref: '#/components/schemas/LifecycleIteration'
+                type: array
+                items:
+                  $ref: '#/components/schemas/LifecycleIteration'
           description: ''
         '400':
           $ref: '#/components/responses/ValidationErrorResponse'
@@ -26893,6 +26935,222 @@ paths:
           $ref: '#/components/responses/ValidationErrorResponse'
         '403':
           $ref: '#/components/responses/GenericErrorResponse'
+  /stages/account_lockdown/:
+    get:
+      operationId: stages_account_lockdown_list
+      description: AccountLockdownStage Viewset
+      parameters:
+      - in: query
+        name: deactivate_user
+        schema:
+          type: boolean
+      - in: query
+        name: delete_sessions
+        schema:
+          type: boolean
+      - $ref: '#/components/parameters/QueryName'
+      - $ref: '#/components/parameters/QueryPaginationOrdering'
+      - $ref: '#/components/parameters/QueryPaginationPage'
+      - $ref: '#/components/parameters/QueryPaginationPageSize'
+      - in: query
+        name: revoke_tokens
+        schema:
+          type: boolean
+      - $ref: '#/components/parameters/QuerySearch'
+      - in: query
+        name: self_service_completion_flow
+        schema:
+          type: string
+          format: uuid
+      - in: query
+        name: set_unusable_password
+        schema:
+          type: boolean
+      - in: query
+        name: stage_uuid
+        schema:
+          type: string
+          format: uuid
+      tags:
+      - stages
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/PaginatedAccountLockdownStageList'
+          description: ''
+        '400':
+          $ref: '#/components/responses/ValidationErrorResponse'
+        '403':
+          $ref: '#/components/responses/GenericErrorResponse'
+    post:
+      operationId: stages_account_lockdown_create
+      description: AccountLockdownStage Viewset
+      tags:
+      - stages
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/AccountLockdownStageRequest'
+        required: true
+      security:
+      - authentik: []
+      responses:
+        '201':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/AccountLockdownStage'
+          description: ''
+        '400':
+          $ref: '#/components/responses/ValidationErrorResponse'
+        '403':
+          $ref: '#/components/responses/GenericErrorResponse'
+  /stages/account_lockdown/{stage_uuid}/:
+    get:
+      operationId: stages_account_lockdown_retrieve
+      description: AccountLockdownStage Viewset
+      parameters:
+      - in: path
+        name: stage_uuid
+        schema:
+          type: string
+          format: uuid
+        description: A UUID string identifying this Account Lockdown Stage.
+        required: true
+      tags:
+      - stages
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/AccountLockdownStage'
+          description: ''
+        '400':
+          $ref: '#/components/responses/ValidationErrorResponse'
+        '403':
+          $ref: '#/components/responses/GenericErrorResponse'
+    put:
+      operationId: stages_account_lockdown_update
+      description: AccountLockdownStage Viewset
+      parameters:
+      - in: path
+        name: stage_uuid
+        schema:
+          type: string
+          format: uuid
+        description: A UUID string identifying this Account Lockdown Stage.
+        required: true
+      tags:
+      - stages
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/AccountLockdownStageRequest'
+        required: true
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/AccountLockdownStage'
+          description: ''
+        '400':
+          $ref: '#/components/responses/ValidationErrorResponse'
+        '403':
+          $ref: '#/components/responses/GenericErrorResponse'
+    patch:
+      operationId: stages_account_lockdown_partial_update
+      description: AccountLockdownStage Viewset
+      parameters:
+      - in: path
+        name: stage_uuid
+        schema:
+          type: string
+          format: uuid
+        description: A UUID string identifying this Account Lockdown Stage.
+        required: true
+      tags:
+      - stages
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/PatchedAccountLockdownStageRequest'
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/AccountLockdownStage'
+          description: ''
+        '400':
+          $ref: '#/components/responses/ValidationErrorResponse'
+        '403':
+          $ref: '#/components/responses/GenericErrorResponse'
+    delete:
+      operationId: stages_account_lockdown_destroy
+      description: AccountLockdownStage Viewset
+      parameters:
+      - in: path
+        name: stage_uuid
+        schema:
+          type: string
+          format: uuid
+        description: A UUID string identifying this Account Lockdown Stage.
+        required: true
+      tags:
+      - stages
+      security:
+      - authentik: []
+      responses:
+        '204':
+          description: No response body
+        '400':
+          $ref: '#/components/responses/ValidationErrorResponse'
+        '403':
+          $ref: '#/components/responses/GenericErrorResponse'
+  /stages/account_lockdown/{stage_uuid}/used_by/:
+    get:
+      operationId: stages_account_lockdown_used_by_list
+      description: Get a list of all objects that use this object
+      parameters:
+      - in: path
+        name: stage_uuid
+        schema:
+          type: string
+          format: uuid
+        description: A UUID string identifying this Account Lockdown Stage.
+        required: true
+      tags:
+      - stages
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: '#/components/schemas/UsedBy'
+          description: ''
+        '400':
+          $ref: '#/components/responses/ValidationErrorResponse'
+        '403':
+          $ref: '#/components/responses/GenericErrorResponse'
   /stages/all/:
     get:
       operationId: stages_all_list
@@ -33661,6 +33919,93 @@ components:
       required:
       - pending_user
       - pending_user_avatar
+    AccountLockdownStage:
+      type: object
+      description: AccountLockdownStage Serializer
+      properties:
+        pk:
+          type: string
+          format: uuid
+          readOnly: true
+          title: Stage uuid
+        name:
+          type: string
+        component:
+          type: string
+          description: Get object type so that we know how to edit the object
+          readOnly: true
+        verbose_name:
+          type: string
+          description: Return object's verbose_name
+          readOnly: true
+        verbose_name_plural:
+          type: string
+          description: Return object's plural verbose_name
+          readOnly: true
+        meta_model_name:
+          type: string
+          description: Return internal model name
+          readOnly: true
+        flow_set:
+          type: array
+          items:
+            $ref: '#/components/schemas/FlowSet'
+          readOnly: true
+        deactivate_user:
+          type: boolean
+          description: Deactivate the user account (set is_active to False)
+        set_unusable_password:
+          type: boolean
+          description: Set an unusable password for the user
+        delete_sessions:
+          type: boolean
+          description: Delete all active sessions for the user
+        revoke_tokens:
+          type: boolean
+          description: Revoke all tokens for the user (API, app password, recovery,
+            verification, OAuth)
+        self_service_completion_flow:
+          type: string
+          format: uuid
+          nullable: true
+          description: Flow to redirect users to after self-service lockdown. This
+            flow should not require authentication since the user's session is deleted.
+      required:
+      - component
+      - flow_set
+      - meta_model_name
+      - name
+      - pk
+      - verbose_name
+      - verbose_name_plural
+    AccountLockdownStageRequest:
+      type: object
+      description: AccountLockdownStage Serializer
+      properties:
+        name:
+          type: string
+          minLength: 1
+        deactivate_user:
+          type: boolean
+          description: Deactivate the user account (set is_active to False)
+        set_unusable_password:
+          type: boolean
+          description: Set an unusable password for the user
+        delete_sessions:
+          type: boolean
+          description: Delete all active sessions for the user
+        revoke_tokens:
+          type: boolean
+          description: Revoke all tokens for the user (API, app password, recovery,
+            verification, OAuth)
+        self_service_completion_flow:
+          type: string
+          format: uuid
+          nullable: true
+          description: Flow to redirect users to after self-service lockdown. This
+            flow should not require authentication since the user's session is deleted.
+      required:
+      - name
     AgentAuthenticationResponse:
       type: object
       description: Base serializer class which doesn't implement create/update methods
@@ -33998,6 +34343,7 @@ components:
       - authentik.enterprise.providers.ssf
       - authentik.enterprise.providers.ws_federation
       - authentik.enterprise.reports
+      - authentik.enterprise.stages.account_lockdown
       - authentik.enterprise.stages.authenticator_endpoint_gdtc
       - authentik.enterprise.stages.mtls
       - authentik.enterprise.stages.source
@@ -35746,6 +36092,10 @@ components:
           type: string
           format: uuid
           nullable: true
+        flow_lockdown:
+          type: string
+          format: uuid
+          nullable: true
         default_application:
           type: string
           format: uuid
@@ -35818,6 +36168,10 @@ components:
           type: string
           format: uuid
           nullable: true
+        flow_lockdown:
+          type: string
+          format: uuid
+          nullable: true
         default_application:
           type: string
           format: uuid
@@ -36806,6 +37160,8 @@ components:
           type: string
         flow_device_code:
           type: string
+        flow_lockdown:
+          type: string
         default_locale:
           type: string
           readOnly: true
@@ -42426,35 +42782,24 @@ components:
           items:
             $ref: '#/components/schemas/Review'
           readOnly: true
+        rule:
+          allOf:
+          - $ref: '#/components/schemas/RelatedRule'
+          readOnly: true
         user_can_review:
           type: boolean
           readOnly: true
-        reviewer_groups:
-          type: array
-          items:
-            $ref: '#/components/schemas/ReviewerGroup'
-          readOnly: true
-        min_reviewers:
-          type: integer
-          readOnly: true
-        reviewers:
-          type: array
-          items:
-            $ref: '#/components/schemas/ReviewerUser'
-          readOnly: true
       required:
       - content_type
       - grace_period_end
       - id
-      - min_reviewers
       - next_review_date
       - object_admin_url
       - object_id
       - object_verbose
       - opened_on
-      - reviewer_groups
-      - reviewers
       - reviews
+      - rule
       - state
       - user_can_review
     LifecycleIterationRequest:
@@ -43145,6 +43490,7 @@ components:
       - authentik_providers_ssf.ssfprovider
       - authentik_providers_ws_federation.wsfederationprovider
       - authentik_reports.dataexport
+      - authentik_stages_account_lockdown.accountlockdownstage
       - authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage
       - authentik_stages_mtls.mutualtlsstage
       - authentik_stages_source.sourcestage
@@ -44587,6 +44933,21 @@ components:
       - plain
       - S256
       type: string
+    PaginatedAccountLockdownStageList:
+      type: object
+      properties:
+        pagination:
+          $ref: '#/components/schemas/Pagination'
+        results:
+          type: array
+          items:
+            $ref: '#/components/schemas/AccountLockdownStage'
+        autocomplete:
+          $ref: '#/components/schemas/Autocomplete'
+      required:
+      - autocomplete
+      - pagination
+      - results
     PaginatedAgentConnectorList:
       type: object
       properties:
@@ -47355,6 +47716,32 @@ components:
       required:
       - backends
       - name
+    PatchedAccountLockdownStageRequest:
+      type: object
+      description: AccountLockdownStage Serializer
+      properties:
+        name:
+          type: string
+          minLength: 1
+        deactivate_user:
+          type: boolean
+          description: Deactivate the user account (set is_active to False)
+        set_unusable_password:
+          type: boolean
+          description: Set an unusable password for the user
+        delete_sessions:
+          type: boolean
+          description: Delete all active sessions for the user
+        revoke_tokens:
+          type: boolean
+          description: Revoke all tokens for the user (API, app password, recovery,
+            verification, OAuth)
+        self_service_completion_flow:
+          type: string
+          format: uuid
+          nullable: true
+          description: Flow to redirect users to after self-service lockdown. This
+            flow should not require authentication since the user's session is deleted.
     PatchedAgentConnectorRequest:
       type: object
       properties:
@@ -47798,6 +48185,10 @@ components:
           type: string
           format: uuid
           nullable: true
+        flow_lockdown:
+          type: string
+          format: uuid
+          nullable: true
         default_application:
           type: string
           format: uuid
@@ -52084,6 +52475,9 @@ components:
       - separator
       - hidden
       - static
+      - alert_info
+      - alert_warning
+      - alert_danger
       - ak-locale
       type: string
     PropertyMapping:
@@ -53285,6 +53679,35 @@ components:
       - group_uuid
       - name
       - pk
+    RelatedRule:
+      type: object
+      description: |-
+        Mixin to validate that a valid enterprise license
+        exists before allowing to save the object
+      properties:
+        id:
+          type: string
+          format: uuid
+        name:
+          type: string
+        reviewer_groups:
+          type: array
+          items:
+            $ref: '#/components/schemas/ReviewerGroup'
+          readOnly: true
+        min_reviewers:
+          type: integer
+          readOnly: true
+        reviewers:
+          type: array
+          items:
+            $ref: '#/components/schemas/ReviewerUser'
+          readOnly: true
+      required:
+      - min_reviewers
+      - name
+      - reviewer_groups
+      - reviewers
     Reputation:
       type: object
       description: Reputation Serializer
@@ -57153,6 +57576,14 @@ components:
       - uid
       - username
       - uuid
+    UserAccountLockdownRequest:
+      type: object
+      description: Choose the target account before starting the lockdown flow.
+      properties:
+        user:
+          type: integer
+          nullable: true
+          description: User to lock. If omitted, locks the current user (self-service).
     UserAccountRequest:
       type: object
       description: Account adding/removing operations

scripts/debug_attach.py

@@ -1,91 +0,0 @@
-"""Attach pdb to a running authentik Python worker via PEP 768."""
-
-import os
-import shutil
-import subprocess  # nosec B404 — needed to launch ps and pdb
-import sys
-
-PS_BIN = shutil.which("ps") or "/bin/ps"
-
-
-def list_python_procs() -> list[tuple[int, int, str]]:
-    # argv is fully controlled, no shell, ps path resolved at startup.
-    out = subprocess.check_output([PS_BIN, "-eo", "pid,ppid,command"], text=True)  # nosec B603
-    procs: list[tuple[int, int, str]] = []
-    for line in out.splitlines()[1:]:
-        try:
-            pid_s, ppid_s, cmd = line.split(None, 2)
-        except ValueError:
-            continue
-        if not pid_s.isdigit() or not ppid_s.isdigit():
-            continue
-        procs.append((int(pid_s), int(ppid_s), cmd))
-    return procs
-
-
-def find_targets() -> list[tuple[int, str]]:
-    # Match any authentik Python process: dev_server / runserver via manage.py,
-    # gunicorn, dramatiq, or the worker_process supervisor. Go/Rust supervisors
-    # and the `uv run` / shell wrappers don't match these patterns.
-    needles = (
-        "manage.py",
-        "manage dev_server",
-        "manage runserver",
-        "gunicorn",
-        "dramatiq",
-        "lifecycle.worker_process",
-        "lifecycle/worker_process",
-    )
-    matches = [(p, pp, c) for p, pp, c in list_python_procs() if any(n in c for n in needles)]
-    matched_pids = {p for p, _, _ in matches}
-    parents_of_matches = {pp for _, pp, _ in matches if pp in matched_pids}
-    # A leaf is a match that isn't itself the parent of another match — this
-    # picks the dev_server reloader child or the gunicorn worker, and still
-    # includes single-process workers (which trivially have no child match).
-    leaves = [(p, c) for p, _, c in matches if p not in parents_of_matches]
-    return leaves
-
-
-def attach(pid: int) -> int:
-    use_sudo = os.environ.get("SUDO") == "1"
-    cmd = [sys.executable, "-m", "pdb", "-p", str(pid)]
-    if use_sudo:
-        cmd = ["sudo", "-E", *cmd]
-    print(f"attaching pdb to pid {pid} (Ctrl-D or `quit` to detach)", file=sys.stderr)
-    # cmd is built from sys.executable plus a digits-only PID.
-    rc = subprocess.call(cmd)  # nosec B603
-    if rc != 0 and not use_sudo and sys.platform == "darwin":
-        print(
-            "\nattach failed. On macOS task_for_pid is restricted; "
-            f"retry with: SUDO=1 make debug-attach PID={pid}",
-            file=sys.stderr,
-        )
-    return rc
-
-
-def main() -> int:
-    env_pid = os.environ.get("PID")
-    if env_pid:
-        if not env_pid.isdigit():
-            print(f"PID={env_pid!r} is not numeric", file=sys.stderr)
-            return 2
-        return attach(int(env_pid))
-
-    targets = find_targets()
-    if not targets:
-        print(
-            "no gunicorn/dramatiq Python workers found — is `make run-server` "
-            "or `make run-worker` running?",
-            file=sys.stderr,
-        )
-        return 1
-    if len(targets) > 1:
-        print("multiple worker candidates — pick one with PID=<pid>:", file=sys.stderr)
-        for pid, cmd in targets:
-            print(f"  {pid}\t{cmd[:120]}", file=sys.stderr)
-        return 1
-    return attach(targets[0][0])
-
-
-if __name__ == "__main__":
-    sys.exit(main())

scripts/node/lint-lockfile.mjs

@@ -0,0 +1,278 @@
+#!/usr/bin/env node
+/**
+ * @file Lints the package-lock.json file to ensure it is in sync with package.json.
+ *
+ * Usage:
+ *   lint-lockfile [options] [directory]
+ *
+ * Options:
+ *   --warn    Report issues as warnings instead of failing. The lockfile is
+ *             still regenerated on disk, but the process exits 0.
+ *
+ * Exit codes:
+ *   0  Lockfile is in sync (or --warn was passed)
+ *   1  Unexpected error
+ *   2  Lockfile drift detected
+ */
+
+/// <reference lib="esnext" />
+
+import * as assert from "node:assert/strict";
+import { findPackageJSON } from "node:module";
+import { dirname } from "node:path";
+import { isDeepStrictEqual, parseArgs } from "node:util";
+
+import { ConsoleLogger } from "../../packages/logger-js/lib/node.js";
+import { parseCWD, reportAndExit } from "./utils/commands.mjs";
+import { corepack } from "./utils/corepack.mjs";
+import { gitStatus } from "./utils/git.mjs";
+import { findNPMPackage, loadJSON, npm, pluckDependencyFields } from "./utils/node.mjs";
+
+//#region Constants
+
+const logger = ConsoleLogger.prefix("lint:lockfile");
+
+const { values: options, positionals } = parseArgs({
+    options: {
+        "warn": {
+            type: "boolean",
+            default: false,
+            description: "Report issues as warnings instead of failing",
+        },
+        "skip-git": {
+            type: "boolean",
+            default: !!process.env.CI,
+            description:
+                "Skip checking for uncommitted changes (use with --warn to ignore drift without reporting)",
+        },
+    },
+    allowPositionals: true,
+});
+
+const cwd = parseCWD(positionals);
+
+const ignoredProperties = new Set([
+    // ---
+    "peer",
+    "engines",
+    "optional",
+]);
+
+//#region Utilities
+
+/**
+ * @param {Record<string, unknown>} actual
+ * @param {Record<string, unknown>} expected
+ * @param {string[]} [prefix]
+ * @returns {Set<string>[]}
+ */
+function extractDiffedProperties(actual, expected, prefix = []) {
+    const a = actual ?? {};
+    const b = expected ?? {};
+    const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
+    /** @type {Set<string>[]} */
+    const diffs = [];
+
+    for (const key of keys) {
+        const path = [...prefix, key];
+        const valA = a[key];
+        const valB = b[key];
+
+        if (
+            valA !== null &&
+            valB !== null &&
+            typeof valA === "object" &&
+            typeof valB === "object" &&
+            !Array.isArray(valA) &&
+            !Array.isArray(valB)
+        ) {
+            // @ts-ignore
+            diffs.push(...extractDiffedProperties(valA, valB, path));
+        } else if (!isDeepStrictEqual(valA, valB)) {
+            diffs.push(new Set(path));
+        }
+    }
+
+    return diffs;
+}
+
+//#endregion
+
+/**
+ * Exit code when lockfile drift is detected (distinct from general errors)
+ */
+const EXIT_DRIFT = 2;
+
+/**
+ * @returns {Promise<string[]>} The list of issues detected.
+ */
+async function run() {
+    /** @type {string[]} */
+    const issues = [];
+
+    /**
+     * Records an issue. In strict mode, throws immediately.
+     * In warn mode, collects the message for later reporting.
+     *
+     * @param {boolean} ok
+     * @param {string} message
+     */
+    const check = (ok, message) => {
+        if (ok) return;
+
+        if (options.warn) {
+            issues.push(message);
+            return;
+        }
+
+        assert.fail(message);
+    };
+
+    /**
+     * Checks deep equality of two values. In strict mode, throws if they are not equal.
+     * In warn mode, records an issue instead.
+     *
+     * @param {unknown} actual
+     * @param {unknown} expected
+     * @param {string} message
+     */
+    const checkDeep = (actual, expected, message) => {
+        if (options.warn) {
+            if (!isDeepStrictEqual(actual, expected)) {
+                issues.push(message);
+            }
+
+            return;
+        }
+
+        assert.deepStrictEqual(actual, expected, message);
+    };
+
+    logger.info(`Linting lockfile integrity in: ${cwd}`);
+
+    // MARK: Locate files
+
+    const resolvedPath = import.meta.resolve(cwd);
+    const packageJSONPath = findPackageJSON(resolvedPath);
+
+    assert.ok(
+        packageJSONPath,
+        "Could not find package.json in the current directory or any parent directories",
+    );
+
+    const packageDir = dirname(packageJSONPath);
+    const { packageLockPath } = await findNPMPackage(packageDir);
+    const lockfileDir = dirname(packageLockPath);
+    const isWorkspace = lockfileDir !== packageDir;
+
+    const corepackVersion = await corepack`--version`().catch(() => null);
+    const useCorepack = !!corepackVersion;
+    logger.info(`corepack: ${corepackVersion || "disabled"}`);
+
+    const expected = {
+        lockfile: await loadJSON(packageLockPath),
+        package: await loadJSON(packageJSONPath).then(pluckDependencyFields),
+    };
+
+    logger.info(`package.json: ${packageJSONPath} (${expected.package.name})`);
+    logger.info(`package-lock.json: ${packageLockPath}${isWorkspace ? " (workspace root)" : ""}`);
+
+    // MARK: Uncommitted changes
+
+    if (options["skip-git"]) {
+        logger.warn("Skipping git status check");
+    } else {
+        const packageStatus = await gitStatus(packageJSONPath);
+        const lockfileStatus = await gitStatus(packageLockPath);
+
+        if (!packageStatus.available || !lockfileStatus.available) {
+            logger.warn("Git is not available; skipping uncommitted change detection.");
+        } else {
+            check(packageStatus.clean, `package.json has uncommitted changes: ${packageJSONPath}`);
+
+            check(
+                lockfileStatus.clean,
+                `package-lock.json has uncommitted changes: ${packageLockPath}`,
+            );
+        }
+    }
+
+    // MARK: Regenerate
+
+    const npmVersion = await npm`--version`({ useCorepack });
+
+    logger.info(`Detected npm version: ${npmVersion}`);
+
+    await npm`install --package-lock-only`({
+        cwd: lockfileDir,
+        useCorepack,
+    });
+
+    logger.info("npm install complete.");
+
+    const actual = {
+        lockfile: await loadJSON(packageLockPath),
+        package: await loadJSON(packageJSONPath).then(pluckDependencyFields),
+    };
+
+    // MARK: Compare
+
+    assert.deepStrictEqual(
+        actual.package,
+        expected.package,
+        `package.json was unexpectedly modified during lockfile check: ${packageJSONPath}`,
+    );
+
+    try {
+        checkDeep(
+            actual.lockfile,
+            expected.lockfile,
+            `package-lock.json is out of sync with package.json`,
+        );
+    } catch (error) {
+        if (!(error instanceof assert.AssertionError)) {
+            throw error;
+        }
+
+        // NPM versions <=11.10 has issues with deterministic lockfile generation,
+        // especially around optional peer dependencies.
+        const diffedProperties = extractDiffedProperties(actual.lockfile, expected.lockfile).filter(
+            (segments) => segments.isDisjointFrom(ignoredProperties),
+        );
+
+        if (diffedProperties.length) {
+            const formatted = diffedProperties
+                .map((segments) => Array.from(segments).join("."))
+                .join("\n");
+
+            throw new Error(`Lockfile drift detected:\n${formatted}`, { cause: error });
+        }
+
+        logger.warn(
+            "Permissible dependency differences detected. Run `npm install` to update the lockfile.",
+        );
+    }
+
+    return issues;
+}
+
+run()
+    .then((issues) => {
+        if (issues.length) {
+            logger.warn(`⚠️  ${issues.length} issue(s) detected:`);
+
+            for (const issue of issues) {
+                logger.warn(`  - ${issue}`);
+            }
+
+            if (options.warn) {
+                logger.warn(
+                    "The lockfile on disk has been regenerated. Review and commit the changes.",
+                );
+                process.exit(EXIT_DRIFT);
+            }
+        } else {
+            logger.info("✅ Lockfile is in sync.");
+        }
+    })
+    .catch((error) => reportAndExit(error, logger));

scripts/node/lint-runtime.mjs

@@ -0,0 +1,114 @@
+#!/usr/bin/env node
+/**
+ * @file Lints the installed Node.js and npm versions against the requirements specified in package.json.
+ *
+ * Usage:
+ *   lint-node [options] [directory]
+ *
+ * Exit codes:
+ *   0  Versions are in sync
+ *   1  Version mismatch detected
+ */
+
+import * as assert from "node:assert/strict";
+import { parseArgs } from "node:util";
+
+import { ConsoleLogger } from "../../packages/logger-js/lib/node.js";
+import { CommandError, parseCWD, reportAndExit } from "./utils/commands.mjs";
+import { corepack } from "./utils/corepack.mjs";
+import { resolveRepoRoot } from "./utils/git.mjs";
+import { compareVersions, findNPMPackage, loadJSON, node, npm, parseRange } from "./utils/node.mjs";
+
+const logger = ConsoleLogger.prefix("lint-runtime");
+
+/**
+ * @param {string} start
+ */
+async function readRequirements(start) {
+    const { packageJSONPath } = await findNPMPackage(start);
+
+    logger.info(`Checking versions in ${packageJSONPath}`);
+
+    const packageJSONData = await loadJSON(packageJSONPath);
+
+    const nodeVersion = await node`--version`().then((output) => output.replace(/^v/, ""));
+
+    const requiredNpmVersion = packageJSONData.engines?.npm;
+    const requiredNodeVersion = packageJSONData.engines?.node;
+
+    return { nodeVersion, requiredNpmVersion, requiredNodeVersion };
+}
+
+async function main() {
+    const parsedArgs = parseArgs({
+        allowPositionals: true,
+    });
+
+    const cwd = parseCWD(parsedArgs.positionals);
+    const repoRoot = await resolveRepoRoot(cwd).catch(() => null);
+
+    logger.info(`cwd ${cwd}`);
+    logger.info(`repository ${repoRoot || "not found"}`);
+
+    const corepackVersion = await corepack`--version`().catch(() => null);
+    const useCorepack = !!corepackVersion;
+    logger.info(`corepack ${corepackVersion || "disabled"}`);
+
+    const npmVersion = await npm`--version`({ cwd, useCorepack })
+        .then((version) => {
+            logger.info(`npm${corepackVersion ? " (via Corepack)" : ""} ${version}`);
+
+            return version;
+        })
+        .catch((error) => {
+            if (error instanceof CommandError && corepackVersion) {
+                logger.warn(`Failed to read npm version via Corepack ${error.message}`);
+
+                logger.info(`Attempting to read npm version directly without Corepack...`);
+                // Corepack might be misconfigured or outdated.
+                // Attempting a second read without Corepack can help us distinguish
+                // between a general npm issue and a Corepack-specific one.
+                return npm`--version`({ cwd }).then((version) => {
+                    logger.info(`npm (direct) ${version}`);
+
+                    return version;
+                });
+            }
+
+            throw error;
+        });
+
+    const { nodeVersion, requiredNpmVersion, requiredNodeVersion } = await readRequirements(cwd);
+
+    logger.info(`node ${nodeVersion}`);
+
+    if (requiredNpmVersion) {
+        logger.info(`package.json npm ${requiredNpmVersion}`);
+
+        const { operator, version: required } = parseRange(requiredNpmVersion);
+        const result = compareVersions(npmVersion, required);
+
+        assert.ok(
+            operator === ">=" ? result >= 0 : result === 0,
+            `npm version ${npmVersion} does not satisfy required version ${requiredNpmVersion}`,
+        );
+    }
+
+    if (requiredNodeVersion) {
+        logger.info(`package.json node ${requiredNodeVersion}`);
+
+        const { operator, version: required } = parseRange(requiredNodeVersion);
+        const result = compareVersions(nodeVersion, required);
+
+        assert.ok(
+            operator === ">=" ? result >= 0 : result === 0,
+            `Node.js version ${nodeVersion} does not satisfy required version ${requiredNodeVersion}`,
+        );
+    }
+}
+
+main()
+    .then(() => {
+        logger.info("✅ Node.js and npm versions are in sync.");
+    })
+    .catch((error) => reportAndExit(error, logger));

scripts/node/setup-corepack.mjs

@@ -0,0 +1,94 @@
+#!/usr/bin/env node
+
+/**
+ * @file Downloads the latest corepack tarball from the npm registry.
+ */
+
+import * as fs from "node:fs/promises";
+import { parseArgs } from "node:util";
+
+import { ConsoleLogger } from "../../packages/logger-js/lib/node.js";
+import { $, parseCWD, reportAndExit } from "./utils/commands.mjs";
+import { corepack, pullLatestCorepack } from "./utils/corepack.mjs";
+import { resolveRepoRoot } from "./utils/git.mjs";
+import { findNPMPackage, loadJSON, npm } from "./utils/node.mjs";
+
+const FALLBACK_NPM_VERSION = "11.11.0";
+const logger = ConsoleLogger.prefix("setup-corepack");
+
+async function main() {
+    const parsedArgs = parseArgs({
+        options: {
+            force: {
+                type: "boolean",
+                default: false,
+                description: "Force re-download of corepack even if a version is already installed",
+            },
+        },
+        allowPositionals: true,
+    });
+
+    const cwdArg = parseCWD(parsedArgs.positionals);
+
+    const repoRoot = await resolveRepoRoot(cwdArg).catch(() => null);
+    const cwd = repoRoot || cwdArg;
+
+    const npmVersion = await npm`--version`({ cwd });
+
+    logger.info(`npm ${npmVersion}`);
+
+    const corepackVersion = await corepack`--version`({ cwd }).catch(() => null);
+
+    logger.info(`corepack ${corepackVersion || "not found"}`);
+
+    if (corepackVersion && !parsedArgs.values.force) {
+        logger.info("Corepack is already installed, skipping download (use --force to override)");
+        return;
+    }
+
+    await pullLatestCorepack(cwd);
+
+    await npm`install --force -g corepack@latest`({ cwd });
+    logger.info("Corepack installed successfully");
+
+    const { packageJSONPath } = await findNPMPackage(cwd);
+
+    logger.info(`Checking versions in ${packageJSONPath}`);
+
+    const packageJSONData = await loadJSON(packageJSONPath);
+
+    const packageManager = packageJSONData.packageManager || `npm@${FALLBACK_NPM_VERSION}`;
+
+    await $`corepack install -g ${packageManager}`({ cwd });
+
+    logger.info(`Setting up Corepack to use ${packageManager}...`);
+
+    const writablePackageJSON = await fs.access(packageJSONPath, fs.constants.W_OK).then(
+        () => true,
+        () => false,
+    );
+
+    /**
+     * @type {string}
+     */
+    let subcommand;
+
+    if (!writablePackageJSON) {
+        if (!packageJSONData.packageManager) {
+            throw new Error(
+                `package.json is not writable and does not specify a packageManager field. Was the package.json file mounted via Docker?`,
+            );
+        }
+
+        subcommand = "install -g";
+    } else {
+        logger.info("package.json is writable");
+        subcommand = "use";
+    }
+
+    await $`corepack ${subcommand} ${packageManager}`({ cwd });
+
+    logger.info("Corepack installed npm successfully");
+}
+
+main().catch((error) => reportAndExit(error, logger));

scripts/node/utils/commands.mjs

@@ -0,0 +1,116 @@
+/**
+ * Utility functions for running shell commands and handling their results.
+ *
+ * @import { ExecOptions } from "node:child_process"
+ */
+
+import { exec } from "node:child_process";
+import { resolve, sep } from "node:path";
+import { promisify } from "node:util";
+
+import { ConsoleLogger } from "../../../packages/logger-js/lib/node.js";
+
+const logger = ConsoleLogger.prefix("commands");
+
+export class CommandError extends Error {
+    name = "CommandError";
+
+    /**
+     * @param {string} command
+     * @param {ErrorOptions & ExecOptions} options
+     */
+    constructor(command, { cause, cwd, shell } = {}) {
+        const cwdInfo = cwd ? ` in directory ${cwd}` : "";
+        const shellInfo = shell ? ` using shell ${shell}` : "";
+
+        super(`Command failed: ${command}${cwdInfo}${shellInfo}`, { cause });
+    }
+}
+
+/**
+ * @param {string[]} positionals
+ * @returns {string} The resolved current working directory for the script
+ */
+export function parseCWD(positionals) {
+    // `INIT_CWD` is present only if the script is run via npm.
+    const initCWD = process.env.INIT_CWD || process.cwd();
+
+    const cwd = (positionals.length ? resolve(initCWD, positionals[0]) : initCWD) + sep;
+
+    return cwd;
+}
+
+const execAsync = promisify(exec);
+
+/**
+ * @param {Awaited<ReturnType<typeof execAsync>>} result
+ */
+export const trimResult = (result) => String(result.stdout).trim();
+
+/**
+ * @typedef {(strings: TemplateStringsArray, ...expressions: unknown[]) =>
+ *   (options?: ExecOptions) => Promise<string>
+ * } CommandTag
+ */
+
+function createTag(prefix = "") {
+    /** @type {CommandTag} */
+    return (strings, ...expressions) => {
+        const command = (prefix ? prefix + " " : "") + String.raw(strings, ...expressions);
+
+        logger.debug(command);
+
+        return (options) =>
+            execAsync(command, options)
+                .then(trimResult)
+                .catch((cause) => {
+                    throw new CommandError(command, { ...options, cause });
+                });
+    };
+}
+
+/**
+ * A tagged template function for running shell commands.
+ * @type {CommandTag & { bind(prefix: string): CommandTag }}
+ */
+export const $ = createTag();
+
+/**
+ * @param {string} prefix
+ * @returns {CommandTag}
+ */
+$.bind = (prefix) => createTag(prefix);
+
+/**
+ * Promisified version of {@linkcode exec} for easier async/await usage.
+ *
+ * @param {string} command The command to run, with space-separated arguments.
+ * @param {ExecOptions} [options] Optional execution options.
+ * @throws {CommandError} If the command fails to execute.
+ */
+export function $2(command, options) {
+    return execAsync(command, options)
+        .then(trimResult)
+        .catch((cause) => {
+            throw new CommandError(command, { ...options, cause });
+        });
+}
+
+/**
+ * Logs the given error and its cause (if any) and exits the process with a failure code.
+ * @param {unknown} error
+ * @param {typeof ConsoleLogger} logger
+ * @returns {never}
+ */
+export function reportAndExit(error, logger = ConsoleLogger) {
+    const message = error instanceof Error ? error.message : String(error);
+    const cause = error instanceof Error && error.cause instanceof Error ? error.cause : null;
+
+    logger.error(`❌ ${message}`);
+
+    if (cause) {
+        logger.error(`Caused by: ${cause.message}`);
+    }
+
+    process.exit(1);
+}

scripts/node/utils/corepack.mjs

@@ -0,0 +1,84 @@
+import * as crypto from "node:crypto";
+import * as fs from "node:fs/promises";
+import { join, relative } from "node:path";
+
+import { ConsoleLogger } from "../../../packages/logger-js/lib/node.js";
+import { $ } from "./commands.mjs";
+
+const REGISTRY_URL = "https://registry.npmjs.org/corepack";
+const OUTPUT_DIR = join(".corepack", "releases");
+const OUTPUT_FILENAME = "latest.tgz";
+
+export const corepack = $.bind("corepack");
+
+/**
+ * Reads the installed Corepack version.
+ *
+ * @param {string} [cwd] The directory to run the command in.
+ * @returns {Promise<string | null>} The installed Corepack version
+ */
+export function readCorepackVersion(cwd = process.cwd()) {
+    return $`corepack --version`({ cwd });
+}
+
+const logger = ConsoleLogger.prefix("setup-corepack");
+
+/**
+ * @param {string} baseDirectory
+ */
+export async function pullLatestCorepack(baseDirectory = process.cwd()) {
+    logger.info("Fetching corepack metadata from registry...");
+
+    const outputDir = join(baseDirectory, OUTPUT_DIR);
+    const outputPath = join(outputDir, OUTPUT_FILENAME);
+
+    const res = await fetch(REGISTRY_URL, { signal: AbortSignal.timeout(1000 * 60) });
+
+    if (!res.ok) {
+        throw new Error(`Failed to fetch registry metadata: ${res.status} ${res.statusText}`);
+    }
+
+    const metadata = await res.json();
+
+    const latestVersion = metadata["dist-tags"].latest;
+    const versionData = metadata.versions[latestVersion];
+    const tarballUrl = versionData.dist.tarball;
+    const expectedIntegrity = versionData.dist.integrity;
+
+    logger.info(`Latest corepack version: ${latestVersion}`);
+    logger.info(`Tarball URL: ${tarballUrl}`);
+    logger.info(`Expected integrity: ${expectedIntegrity}`);
+
+    logger.info({ url: tarballUrl }, "Downloading tarball...");
+
+    const tarballRes = await fetch(tarballUrl, {
+        signal: AbortSignal.timeout(1000 * 60),
+    });
+
+    if (!tarballRes.ok) {
+        throw new Error(
+            `Failed to download tarball: ${tarballRes.status} ${tarballRes.statusText}`,
+        );
+    }
+
+    const tarballBuffer = Buffer.from(await tarballRes.arrayBuffer());
+
+    logger.info("Verifying integrity...");
+
+    const [algorithm, expectedHash] = expectedIntegrity.split("-");
+    const actualHash = crypto.createHash(algorithm).update(tarballBuffer).digest("base64");
+
+    if (actualHash !== expectedHash) {
+        throw new Error(
+            `Integrity mismatch!\n  Expected: ${expectedHash}\n  Actual:   ${actualHash}`,
+        );
+    }
+
+    logger.info("Integrity verified.");
+
+    await fs.mkdir(outputDir, { recursive: true });
+    await fs.writeFile(outputPath, tarballBuffer);
+
+    logger.info(`Saved to ${relative(baseDirectory, outputPath)}`);
+    logger.info(`corepack@${latestVersion} (${expectedIntegrity})`);
+}

scripts/node/utils/git.mjs

@@ -0,0 +1,25 @@
+import { $ } from "./commands.mjs";
+
+/**
+ * Checks whether the given file has uncommitted changes in git.
+ *
+ * @param {string} filePath
+ * @param {string} [cwd]
+ * @returns {Promise<{ clean: boolean, available: boolean }>}
+ */
+export async function gitStatus(filePath, cwd = process.cwd()) {
+    return $`git status --porcelain ${filePath}`({ cwd })
+        .then((output) => ({ clean: !output, available: true }))
+        .catch(() => ({ clean: false, available: false }));
+}
+
+/**
+ * Finds the root directory of the git repository containing the given directory.
+ *
+ * @param {string} cwd
+ * @returns {Promise<string>} The path to the git repository root.
+ * @throws {Error} If the command fails (e.g., not a git repository).
+ */
+export function resolveRepoRoot(cwd = process.cwd()) {
+    return $`git rev-parse --show-toplevel`({ cwd });
+}

scripts/node/utils/node.mjs

@@ -0,0 +1,175 @@
+/**
+ * Utility functions for working with npm packages and versions.
+ *
+ * @import { ExecOptions } from "node:child_process"
+ */
+
+import * as fs from "node:fs/promises";
+import { dirname, join } from "node:path";
+
+import { $ } from "./commands.mjs";
+
+/**
+ * Find the nearest directory containing both package.json and package-lock.json,
+ * starting from the given directory and walking upward.
+ *
+ * @param {string} start The directory to start searching from.
+ * @returns {Promise<{ packageJSONPath: string, packageLockPath: string }>}
+ * @throws {Error} If no co-located package.json and package-lock.json are found.
+ */
+export async function findNPMPackage(start) {
+    let currentDir = start;
+
+    while (currentDir !== dirname(currentDir)) {
+        const packageJSONPath = join(currentDir, "package.json");
+        const packageLockPath = join(currentDir, "package-lock.json");
+
+        try {
+            await Promise.all([fs.access(packageJSONPath), fs.access(packageLockPath)]);
+            return {
+                packageJSONPath,
+                packageLockPath,
+            };
+        } catch {
+            // Continue searching up the directory tree
+        }
+
+        currentDir = dirname(currentDir);
+    }
+
+    throw new Error(`No co-located package.json and package-lock.json found above ${start}`);
+}
+
+/**
+ * @typedef {object} PackageJSON
+ * @property {string} name
+ * @property {string} version
+ * @property {Record<string, string>} [dependencies]
+ * @property {Record<string, string>} [devDependencies]
+ * @property {Record<string, string>} [peerDependencies]
+ * @property {Record<string, string>} [optionalDependencies]
+ * @property {Record<string, string>} [peerDependenciesMeta]
+ * @property {Record<string, string>} [engines]
+ * @property {Record<string, string>} [devEngines]
+ * @property {string} [packageManager]
+ */
+
+/**
+ * @param {string} jsonPath
+ * @returns {Promise<PackageJSON>}
+ */
+export function loadJSON(jsonPath) {
+    return fs
+        .readFile(jsonPath, "utf-8")
+        .then(JSON.parse)
+        .catch((cause) => {
+            throw new Error(`Failed to load JSON file at ${jsonPath}`, { cause });
+        });
+}
+
+const PackageJSONComparisionFields = /** @type {const} */ ([
+    "name",
+    "dependencies",
+    "devDependencies",
+    "optionalDependencies",
+    "peerDependencies",
+    "peerDependenciesMeta",
+]);
+
+/**
+ * @typedef {typeof PackageJSONComparisionFields[number]} PackageJSONComparisionField
+ */
+
+/**
+ * Extracts only the dependency fields from a package.json object for comparison purposes.
+ *
+ * @param {PackageJSON} data
+ * @returns {Pick<PackageJSON, PackageJSONComparisionField>}
+ */
+export function pluckDependencyFields(data) {
+    /**
+     * @type {Record<string, unknown>}
+     */
+    const result = {};
+
+    for (const field of PackageJSONComparisionFields) {
+        if (data[field]) {
+            result[field] = data[field];
+        }
+    }
+
+    return /** @type {Pick<PackageJSON, PackageJSONComparisionField>} */ (result);
+}
+
+//#region Versioning
+
+/**
+ * Compares two semantic version strings (e.g., "14.17.0").
+ *
+ * @param {string} a The first version string.
+ * @param {string} b The second version string.
+ * @returns {number}
+ */
+export function compareVersions(a, b) {
+    const pa = a.split(".").map(Number);
+    const pb = b.split(".").map(Number);
+    for (let i = 0; i < 3; i++) {
+        if (pa[i] > pb[i]) return 1;
+        if (pa[i] < pb[i]) return -1;
+    }
+    return 0;
+}
+
+/**
+ * Runs a Node.js command and returns its stdout output as a string.
+ *
+ * @param {TemplateStringsArray} strings
+ * @param  {...unknown} expressions
+ * @returns {(options?: ExecOptions) => Promise<string>}
+ */
+export const node = $.bind("node");
+
+/**
+ * @typedef {object} NPMCommandOptions
+ * @property {boolean} [useCorepack] Whether to prefix the command with "corepack " to use Corepack's shims.
+ * @returns {Promise<string>}
+ */
+
+/**
+ * Runs an npm command and returns its stdout output as a string.
+ *
+ * @param {TemplateStringsArray} strings
+ * @param  {...unknown} expressions
+ * @returns {(options?: ExecOptions & NPMCommandOptions) => Promise<string>}
+ */
+export function npm(strings, ...expressions) {
+    const subcommand = String.raw(strings, ...expressions);
+
+    return ({ useCorepack, ...options } = {}) => {
+        const command = [useCorepack ? "corepack" : "", "npm", subcommand]
+            .filter(Boolean)
+            .join(" ");
+
+        return $`${command}`(options);
+    };
+}
+
+/**
+ * Parses a version range string, stripping any leading >= and normalizing to three parts.
+ * @param {string} range
+ * @returns {{ operator: ">=" | "=", version: string }}
+ */
+export function parseRange(range) {
+    const hasGte = range.startsWith(">=");
+    const raw = hasGte ? range.slice(2) : range;
+    const parts = raw.split(".").map(Number);
+
+    while (parts.length < 3) parts.push(0);
+
+    return {
+        operator: hasGte ? ">=" : "=",
+        version: parts.join("."),
+    };
+}
+
+//#endregion

src/metrics/mod.rs

@@ -83,7 +83,8 @@ pub(crate) fn start(tasks: &mut Tasks) -> Result<Arc<Metrics>> {
             "metrics",
             router.clone(),
             addr,
-            true, // Allow failure in case the server is running on the same machine, like in dev
+            config::get().debug, /* Allow failure in case the server is running on the same
+                                  * machine, like in dev */
         )?;
     }
 
@@ -92,7 +93,8 @@ pub(crate) fn start(tasks: &mut Tasks) -> Result<Arc<Metrics>> {
         "metrics",
         router,
         unix::net::SocketAddr::from_pathname(socket_path())?,
-        true, // Allow failure in case the server is running on the same machine, like in dev
+        config::get().debug, /* Allow failure in case the server is running on the same machine,
+                              * like in dev */
     )?;
 
     Ok(metrics)

src/worker/mod.rs

@@ -328,8 +328,8 @@ pub(crate) fn start(_cli: Cli, tasks: &mut Tasks) -> Result<Arc<Workers>> {
                 "worker",
                 router.clone(),
                 addr,
-                true, /* Allow failure in case the server is running on the same machine, like
-                       * in dev. */
+                config::get().debug, /* Allow failure in case the server is running on the same
+                                      * machine, like in dev. */
             )?;
         }
 
@@ -338,7 +338,8 @@ pub(crate) fn start(_cli: Cli, tasks: &mut Tasks) -> Result<Arc<Workers>> {
             "worker",
             router,
             unix::net::SocketAddr::from_pathname(socket_path())?,
-            true, // Allow failure in case the server is running on the same machine, like in dev.
+            config::get().debug, /* Allow failure in case the server is running on the same
+                                  * machine, like in dev. */
         )?;
     }