Apply suggestion from @dominic-r

Signed-off-by: Dominic R <dominic@goauthentik.io>
2026-05-15 03:16:22 +02:00 · 2026-05-07 13:48:16 -04:00 · 2026-05-07 13:47:49 -04:00 · 2026-05-05 19:28:47 -04:00 · 2026-05-05 19:26:05 -04:00
369 changed files with 9155 additions and 39829 deletions
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -49,7 +49,7 @@ runs:
      if: ${{ contains(inputs.dependencies, 'python') }}
      shell: bash
      working-directory: ${{ inputs.working-directory }}
-      run: uv sync --all-extras --dev --locked
+      run: uv sync --all-extras --dev --frozen
    - name: Setup rust (stable)
      if: ${{ contains(inputs.dependencies, 'rust') && !contains(inputs.dependencies, 'rust-nightly') }}
      uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1
@@ -64,7 +64,7 @@ runs:
        rustflags: ""
    - name: Setup rust dependencies
      if: ${{ contains(inputs.dependencies, 'rust') }}
-      uses: taiki-e/install-action@711e1c3275189d76dcc4d34ddea63bf96ac49090 # v2
+      uses: taiki-e/install-action@b5fddbb5361bce8a06fb168c9d403a6cc552b084 # v2
      with:
        tool: cargo-deny cargo-machete cargo-llvm-cov nextest
    - name: Setup node (web)
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -0,0 +1,109 @@
+# AGENTS.md
+
+This is **authentik** — an open-source Identity Provider. The codebase spans a
+Django backend, Go outposts, Rust components, and a Lit/TS web UI, with pieces
+wired together through Django signals, Channels, blueprints, flow plans, and a
+generated API client. It's a lot of moving parts. Before changing something
+non-trivial, pause to think about what else touches it: a model edit can ripple
+through serializers, signals, blueprints, and the generated TS client.
+
+## Commits
+
+Format the subject as `area: short message`. Skip the long body unless
+something genuinely needs explaining. The `area` is wherever you worked, e.g.:
+
+- `root:` — repo-wide changes
+- `core:` — `authentik/core` and dependency bumps
+- `api:` — API surface
+- `web:`, `web/admin:`, `web/flows:`, `web/stages:` — frontend
+- `website:`, `website/docs:`, `website/integrations:`
+- `stages/invitation:`, `providers/oauth2:`, `providers/oauth:` — feature modules
+- `enterprise/providers/ssf:`
+- `lifecycle/worker_process:`
+- `tenants:`, `ci:`, `docs:`, `translate:`
+
+When the user gives you a PR or issue for the bug being fixed, add a
+`Closes: #NNN` trailer on its own line — don't tack `(#NNN)` onto the subject.
+
+**Never** include customer information or any potentially sensitive *content*
+taken from internal sources — verbatim or reworded — anywhere in the repo
+(code, comments, commit messages, PR descriptions, docs) unless explicitly
+allowed. This covers customer names, support ticket contents, quoted Slack
+messages, private incident details, and similar.
+
+Links are fine. A Slack permalink, a GitHub issue link, or an internal ticket
+URL in a commit message or PR description is good context — it's the
+sensitive *content* that must not be copied into the repo. When in doubt,
+leave the content out and link instead.
+
+A commit should be a finished, working unit. Don't commit half-done work.
+Before committing, run whatever applies:
+
+- `make lint-fix`
+- `make gen` if you touched models or serializers
+- `make web` if you touched `web/`
+- `make docs` if you touched `website/docs/`
+- `make integrations` if you touched `website/integrations/`
+- `./manage.py makemigrations --check` — no pending migrations
+
+The `Makefile` has more targets per area (tests, Go, Rust) — use them when
+relevant.
+
+## Don't hand-edit generated or vendored files
+
+Run `make gen` instead. Off-limits:
+
+- `schema.yml` (OpenAPI)
+- `gen-ts-api/`
+- `packages/client-go/`, `packages/client-ts/`, `packages/client-rust/`
+- `schemas/` — these are upstream SAML / SCIM / WS-* specs, not ours
+
+If the output looks wrong, fix the source (models, serializers, generator
+config) and regenerate.
+
+## Migrations
+
+Generate them with `./manage.py makemigrations`. Don't hand-write or hand-edit
+migration files unless the user specifically asks (data migrations, squashes,
+or repairing a bad one). Read what Django produced before committing — autogen
+sometimes catches more than you intended.
+
+## Localization
+
+Anything user-visible needs to be translatable:
+
+- Python: `from django.utils.translation import gettext_lazy as _`, then `_("...")`
+- TS / Lit: `msg("...")` from `@lit/localize`
+- Django templates: `{% trans %}` / `{% blocktrans %}`
+
+No raw English strings in user-facing surfaces.
+
+## Tests, proportionate
+
+Size tests to the code. A 28-line function doesn't need a 400-line test file.
+Cover meaningful behavior and obvious edge cases; don't pad for coverage or
+re-test the framework. Mechanical changes (renames, type tweaks) usually ride
+on existing tests.
+
+## Reuse what's already there
+
+There's a large pool of helpers — find them before writing new ones.
+
+- **Django first.** `django.utils`, `django.shortcuts`, the ORM, the auth
+  framework — most generic things already exist there.
+- **Then authentik.** `authentik/lib/`, `authentik/core/`, and the feature
+  module you're working in.
+- **Call helpers, don't inline them.** If `plan.to_redirect()` exists, use it
+  instead of rebuilding the redirect at every call site. Same goes for
+  permission checks, flow plan helpers, event logging, serializer mixins, etc.
+
+## DRY, with judgment
+
+Deduplicate behavior, not boilerplate. Some things are cheap to restate and
+often clearer that way — serializers, simple model definitions, view glue,
+short config blocks — don't twist them through inheritance or shared bases
+just to save lines. But duplicated *behavior* — a function body copy-pasted
+across modules, a permission check reimplemented inline, a redirect built from
+scratch next to a helper that already does it — should collapse to one place.
+If changing the logic later would mean hunting down every copy, it belongs in
+one spot.
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1 @@
+AGENTS.md
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2057,7 +2057,7 @@ dependencies = [
 "hashbrown 0.16.1",
 "metrics",
 "quanta",
- "rand 0.9.4",
+ "rand 0.9.2",
 "rand_xoshiro",
 "sketches-ddsketch",
 ]
@@ -2744,7 +2744,7 @@ dependencies = [
 "bytes",
 "getrandom 0.3.4",
 "lru-slab",
- "rand 0.9.4",
+ "rand 0.9.2",
 "ring",
 "rustc-hash",
 "rustls",
@@ -2804,9 +2804,9 @@ dependencies = [

 [[package]]
 name = "rand"
-version = "0.9.4"
+version = "0.9.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea"
+checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
 dependencies = [
 "rand_chacha 0.9.0",
 "rand_core 0.9.5",
@@ -3203,9 +3203,9 @@ checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"

 [[package]]
 name = "sentry"
-version = "0.48.0"
+version = "0.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e8ac94aab850a23d7507307cc505332ed2bafd36c65930dfc5c43610f9e9b477"
+checksum = "eb25f439f97d26fea01d717fa626167ceffcd981addaa670001e70505b72acbb"
 dependencies = [
 "cfg_aliases",
 "httpdate",
@@ -3224,9 +3224,9 @@ dependencies = [

 [[package]]
 name = "sentry-backtrace"
-version = "0.48.1"
+version = "0.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dc84c325ace9ca2388e510fe7d6672b5d60cd8b3bd0eb4bb4ee8314c323cd686"
+checksum = "46a8c2c1bd5c1f735e84f28b48e7d72efcaafc362b7541bc8253e60e8fcdffc6"
 dependencies = [
 "backtrace",
 "regex",
@@ -3235,9 +3235,9 @@ dependencies = [

 [[package]]
 name = "sentry-contexts"
-version = "0.48.1"
+version = "0.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "896c1ab62dbfe1746fb262bbf72e6feb2fb9dfb2c14709077bf71beb532e44b2"
+checksum = "9b88a90baa654d7f0e1f4b667f6b434293d9f72c71bef16b197c76af5b7d5803"
 dependencies = [
 "hostname",
 "libc",
@@ -3249,11 +3249,11 @@ dependencies = [

 [[package]]
 name = "sentry-core"
-version = "0.48.1"
+version = "0.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d5f5abf20c42cb1593ec1638976e2647da55f79bccac956444c1707b6cce259a"
+checksum = "0ac170a5bba8bec6e3339c90432569d89641fa7a3d3e4f44987d24f0762e6adf"
 dependencies = [
- "rand 0.9.4",
+ "rand 0.9.2",
 "sentry-types",
 "serde",
 "serde_json",
@@ -3262,9 +3262,9 @@ dependencies = [

 [[package]]
 name = "sentry-debug-images"
-version = "0.48.1"
+version = "0.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4b88bbe6a760d5724bb40689827e82e8db1e275947df2c59abe171bfc30bb671"
+checksum = "dd9646a972b57896d4a92ed200cf76139f8e30b3cfd03b6662ae59926d26633c"
 dependencies = [
 "findshlibs",
 "sentry-core",
@@ -3272,9 +3272,9 @@ dependencies = [

 [[package]]
 name = "sentry-panic"
-version = "0.48.1"
+version = "0.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0260dcb52562b6a79ae7702312a26dba94b79fb5baee7301087529e5ca4e872e"
+checksum = "6127d3d304ba5ce0409401e85aae538e303a569f8dbb031bf64f9ba0f7174346"
 dependencies = [
 "sentry-backtrace",
 "sentry-core",
@@ -3282,9 +3282,9 @@ dependencies = [

 [[package]]
 name = "sentry-tower"
-version = "0.48.1"
+version = "0.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d669616d5d5279b5712febfc80c343acc3695e499de0d101ed70fceacadf37f2"
+checksum = "61c5253dc4ad89863a866b93aeaaac1c9d60f2f774663b5024afe2d57e0a101c"
 dependencies = [
 "sentry-core",
 "tower-layer",
@@ -3293,9 +3293,9 @@ dependencies = [

 [[package]]
 name = "sentry-tracing"
-version = "0.48.1"
+version = "0.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a1c035f3a0a8671ae1a231c5b457abb68b71acba2bf3054dab2a09a9d4ea487e"
+checksum = "27701acc51e68db5281802b709010395bfcbcb128b1d0a4e5873680d3b47ff0c"
 dependencies = [
 "bitflags 2.11.0",
 "sentry-backtrace",
@@ -3306,13 +3306,13 @@ dependencies = [

 [[package]]
 name = "sentry-types"
-version = "0.48.1"
+version = "0.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "82d8e81058ec155992191f61c7b29bfa7b2cf12012131e7cdc0678020898a7c9"
+checksum = "56780cb5597d676bf22e6c11d1f062eb4def46390ea3bfb047bcbcf7dfd19bdb"
 dependencies = [
 "debugid",
 "hex",
- "rand 0.9.4",
+ "rand 0.9.2",
 "serde",
 "serde_json",
 "thiserror 2.0.18",
@@ -4214,7 +4214,7 @@ dependencies = [
 "http",
 "httparse",
 "log",
- "rand 0.9.4",
+ "rand 0.9.2",
 "sha1",
 "thiserror 2.0.18",
 ]
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -67,7 +67,7 @@ reqwest-middleware = { version = "= 0.5.1", features = [
  "rustls",
 ] }
 rustls = { version = "= 0.23.40", features = ["fips"] }
-sentry = { version = "= 0.48.0", default-features = false, features = [
+sentry = { version = "= 0.47.0", default-features = false, features = [
  "backtrace",
  "contexts",
  "debug-images",
--- a/authentik/api/ordering.py
+++ b/authentik/api/ordering.py
@@ -1,36 +0,0 @@
-from django.db.models import F, QuerySet
-from rest_framework.filters import OrderingFilter
-from rest_framework.request import Request
-from rest_framework.views import APIView
-
-
-class NullsAwareOrderingFilter(OrderingFilter):
-    """OrderingFilter that sorts NULL values consistently.
-
-    For any nullable field, NULLs are treated as the smallest possible value:
-    - ascending  → NULLs appear first  (nulls_first=True)
-    - descending → NULLs appear last   (nulls_last=True)
-    """
-
-    def _nullable_field_names(self, queryset: QuerySet) -> set[str]:
-        return {f.name for f in queryset.model._meta.get_fields() if hasattr(f, "null") and f.null}
-
-    def filter_queryset(self, request: Request, queryset: QuerySet, view: APIView):
-        queryset = super().filter_queryset(request, queryset, view)
-        ordering = queryset.query.order_by
-        if not ordering:
-            return queryset
-        nullable = self._nullable_field_names(queryset)
-        new_ordering = []
-        changed = False
-        for term in ordering:
-            name = term.lstrip("-")
-            if name in nullable:
-                changed = True
-                if term.startswith("-"):
-                    new_ordering.append(F(name).desc(nulls_last=True))
-                else:
-                    new_ordering.append(F(name).asc(nulls_first=True))
-            else:
-                new_ordering.append(term)
-        return queryset.order_by(*new_ordering) if changed else queryset
--- a/authentik/api/tests/test_ordering.py
+++ b/authentik/api/tests/test_ordering.py
@@ -1,59 +0,0 @@
-from django.db.models import OrderBy
-from django.test import TestCase
-from rest_framework.request import Request
-from rest_framework.test import APIRequestFactory
-
-from authentik.api.ordering import NullsAwareOrderingFilter
-from authentik.core.models import Token, User
-
-
-class MockView:
-    ordering_fields = "__all__"
-    ordering = None
-
-
-class TestNullsAwareOrderingFilter(TestCase):
-
-    def setUp(self):
-        self.filter = NullsAwareOrderingFilter()
-        self.view = MockView()
-        factory = APIRequestFactory()
-        self._req = lambda ordering: Request(factory.get("/", {"ordering": ordering}))
-
-    def _order_by(self, model, ordering):
-        qs = model.objects.all()
-        return self.filter.filter_queryset(self._req(ordering), qs, self.view).query.order_by
-
-    def test_nullable_asc_nulls_first(self):
-        """Ascending sort on a nullable field rewrites to nulls_first=True."""
-        (expr,) = self._order_by(User, "last_login")
-        self.assertIsInstance(expr, OrderBy)
-        self.assertFalse(expr.descending)
-        self.assertTrue(expr.nulls_first)
-
-    def test_nullable_desc_nulls_last(self):
-        """Descending sort on a nullable field rewrites to nulls_last=True."""
-        (expr,) = self._order_by(User, "-last_login")
-        self.assertIsInstance(expr, OrderBy)
-        self.assertTrue(expr.descending)
-        self.assertTrue(expr.nulls_last)
-
-    def test_non_nullable_passes_through(self):
-        """Non-nullable fields are left as plain string terms."""
-        (expr,) = self._order_by(User, "username")
-        self.assertEqual(expr, "username")
-
-    def test_mixed_ordering(self):
-        """Only nullable terms are rewritten; non-nullable terms pass through unchanged."""
-        first, second = self._order_by(User, "username,-last_login")
-        self.assertEqual(first, "username")
-        self.assertIsInstance(second, OrderBy)
-        self.assertTrue(second.descending)
-        self.assertTrue(second.nulls_last)
-
-    def test_expires_nullable(self):
-        """expires on ExpiringModel is nullable and is rewritten correctly."""
-        (expr,) = self._order_by(Token, "-expires")
-        self.assertIsInstance(expr, OrderBy)
-        self.assertTrue(expr.descending)
-        self.assertTrue(expr.nulls_last)
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -221,7 +221,7 @@ REST_FRAMEWORK = {
        "authentik.api.search.ql.QLSearch",
        "authentik.rbac.filters.ObjectFilter",
        "django_filters.rest_framework.DjangoFilterBackend",
-        "authentik.api.ordering.NullsAwareOrderingFilter",
+        "rest_framework.filters.OrderingFilter",
    ],
    "DEFAULT_PERMISSION_CLASSES": ("authentik.rbac.permissions.ObjectPermissions",),
    "DEFAULT_AUTHENTICATION_CLASSES": (
--- a/authentik/stages/authenticator/models.py
+++ b/authentik/stages/authenticator/models.py
@@ -389,19 +389,17 @@ class ThrottlingMixin(models.Model):
        """Check if throttling is enabled"""
        return self.get_throttle_factor() > 0

-    def get_throttle_factor(self) -> float:  # pragma: no cover
+    def get_throttle_factor(self):  # pragma: no cover
        """
-        Returns the throttling factor.
-        """
-        return getattr(self, "_throttle_factor", 1.0)
-
-    def set_throttle_factor(self, throttle_factor: float) -> None:
-        """
-        Sets the throttle factor to use. Call this to override the default value of 1.
+        This must be implemented to return the throttle factor.

        The number of seconds required between verification attempts will be
        :math:`c2^{n-1}` where `c` is this factor and `n` is the number of
        previous failures. A factor of 1 translates to delays of 1, 2, 4, 8,
        etc. seconds. A factor of 0 disables the throttling.
+
+        Normally this is just a wrapper for a plugin-specific setting like
+        :setting:`OTP_EMAIL_THROTTLE_FACTOR`.
+
        """
-        self._throttle_factor = throttle_factor
+        raise NotImplementedError()
--- a/authentik/stages/authenticator/tests.py
+++ b/authentik/stages/authenticator/tests.py
@@ -6,6 +6,7 @@ from threading import Thread
 from django.contrib.auth.models import AnonymousUser
 from django.db import connection
 from django.test import TestCase, TransactionTestCase
+from django.test.utils import override_settings
 from django.utils import timezone
 from freezegun import freeze_time

@@ -109,24 +110,8 @@ class ThrottlingTestMixin:
            self.assertEqual(verify_is_allowed3, True)
            self.assertEqual(data3, None)

-    def test_set_throttle_factor_is_reflected(self):
-        """`set_throttle_factor` must drive `get_throttle_factor`."""
-        self.device.set_throttle_factor(5.5)
-        self.assertEqual(self.device.get_throttle_factor(), 5.5)
-        self.device.set_throttle_factor(0)
-        self.assertEqual(self.device.get_throttle_factor(), 0)
-
-    def test_throttling_disabled_by_factor_zero(self):
-        """Setting the throttle factor to 0 must actually disable throttling.
-
-        A failed attempt followed by a successful one must succeed. The lockout
-        path must not kick in when the factor is 0.
-        """
-        self.device.set_throttle_factor(0)
-        self.assertFalse(self.device.verify_token(self.invalid_token()))
-        self.assertTrue(self.device.verify_token(self.valid_token()))
-

+@override_settings(OTP_STATIC_THROTTLE_FACTOR=0)
 class APITestCase(TestCase):
    """Test API"""

@@ -134,7 +119,6 @@ class APITestCase(TestCase):
        self.alice = create_test_admin_user("alice")
        self.bob = create_test_admin_user("bob")
        device = self.alice.staticdevice_set.create()
-        device.set_throttle_factor(0)
        self.valid = generate_id(length=16)
        device.token_set.create(token=self.valid)

@@ -154,8 +138,6 @@ class APITestCase(TestCase):
        verified = verify_token(self.alice, device.persistent_id, "bogus")
        self.assertIsNone(verified)

-        self.alice.staticdevice_set.get().throttle_reset()
-
        verified = verify_token(self.alice, device.persistent_id, self.valid)
        self.assertIsNotNone(verified)

@@ -164,12 +146,11 @@ class APITestCase(TestCase):
        verified = match_token(self.alice, "bogus")
        self.assertIsNone(verified)

-        self.alice.staticdevice_set.get().throttle_reset()
-
        verified = match_token(self.alice, self.valid)
        self.assertEqual(verified, self.alice.staticdevice_set.first())


+@override_settings(OTP_STATIC_THROTTLE_FACTOR=0)
 class ConcurrencyTestCase(TransactionTestCase):
    """Test concurrent verifications"""

--- a/authentik/stages/authenticator_email/migrations/0003_emaildevice_throttling_failure_count_and_more.py
+++ b/authentik/stages/authenticator_email/migrations/0003_emaildevice_throttling_failure_count_and_more.py
@@ -1,33 +0,0 @@
-# Generated by Django 5.2.12 on 2026-04-02 15:14
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        (
-            "authentik_stages_authenticator_email",
-            "0002_alter_authenticatoremailstage_friendly_name",
-        ),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="emaildevice",
-            name="throttling_failure_count",
-            field=models.PositiveIntegerField(
-                default=0, help_text="Number of successive failed attempts."
-            ),
-        ),
-        migrations.AddField(
-            model_name="emaildevice",
-            name="throttling_failure_timestamp",
-            field=models.DateTimeField(
-                blank=True,
-                default=None,
-                help_text="A timestamp of the last failed verification attempt. Null if last attempt succeeded.",
-                null=True,
-            ),
-        ),
-    ]
--- a/authentik/stages/authenticator_email/models.py
+++ b/authentik/stages/authenticator_email/models.py
@@ -14,7 +14,7 @@ from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage
 from authentik.lib.config import CONFIG
 from authentik.lib.models import SerializerModel
 from authentik.lib.utils.time import timedelta_string_validator
-from authentik.stages.authenticator.models import SideChannelDevice, ThrottlingMixin
+from authentik.stages.authenticator.models import SideChannelDevice
 from authentik.stages.email.models import EmailTemplates
 from authentik.stages.email.utils import TemplateEmailMessage

@@ -116,7 +116,7 @@ class AuthenticatorEmailStage(ConfigurableStage, FriendlyNamedStage, Stage):
        verbose_name_plural = _("Email Authenticator Setup Stages")


-class EmailDevice(SerializerModel, ThrottlingMixin, SideChannelDevice):
+class EmailDevice(SerializerModel, SideChannelDevice):
    """Email Device"""

    user = models.ForeignKey(get_user_model(), on_delete=models.CASCADE)
@@ -130,20 +130,6 @@ class EmailDevice(SerializerModel, ThrottlingMixin, SideChannelDevice):

        return EmailDeviceSerializer

-    def verify_token(self, token: str) -> bool:
-        verify_allowed, _ = self.verify_is_allowed()
-        if verify_allowed:
-            verified = super().verify_token(token)
-
-            if verified:
-                self.throttle_reset()
-            else:
-                self.throttle_increment()
-        else:
-            verified = False
-
-        return verified
-
    def _compose_email(self) -> TemplateEmailMessage:
        try:
            pending_user = self.user
--- a/authentik/stages/authenticator_email/tests.py
+++ b/authentik/stages/authenticator_email/tests.py
@@ -8,7 +8,6 @@ from django.core.mail.backends.locmem import EmailBackend
 from django.core.mail.backends.smtp import EmailBackend as SMTPEmailBackend
 from django.db.utils import IntegrityError
 from django.template.exceptions import TemplateDoesNotExist
-from django.test import TestCase
 from django.urls import reverse
 from django.utils.timezone import now

@@ -17,7 +16,6 @@ from authentik.flows.models import FlowStageBinding
 from authentik.flows.tests import FlowTestCase
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.email import mask_email
-from authentik.stages.authenticator.tests import ThrottlingTestMixin
 from authentik.stages.authenticator_email.api import (
    AuthenticatorEmailStageSerializer,
    EmailDeviceSerializer,
@@ -81,7 +79,6 @@ class TestAuthenticatorEmailStage(FlowTestCase):
        self.assertFalse(self.device.verify_token("000000"))

        # Verify correct token (should clear token after verification)
-        self.device.throttle_reset(commit=False)
        self.assertTrue(self.device.verify_token(token))
        self.assertIsNone(self.device.token)

@@ -332,27 +329,3 @@ class TestAuthenticatorEmailStage(FlowTestCase):
        # Test AuthenticatorEmailStage send method
        self.stage.send(self.device)
        self.assertEqual(len(mail.outbox), 1)
-
-
-class TestEmailDeviceThrottling(ThrottlingTestMixin, TestCase):
-    def setUp(self):
-        super().setUp()
-        flow = create_test_flow()
-        user = create_test_user()
-        stage = AuthenticatorEmailStage.objects.create(
-            name="email-authenticator-throttle",
-            use_global_settings=True,
-            from_address="test@authentik.local",
-            configure_flow=flow,
-            token_expiry="minutes=30",
-        )  # nosec
-        self.device = EmailDevice.objects.create(
-            user=user, stage=stage, email="throttle@authentik.local"
-        )
-        self.device.generate_token()
-
-    def valid_token(self):
-        return self.device.token
-
-    def invalid_token(self):
-        return "000000" if self.device.token != "000000" else "111111"
--- a/authentik/stages/authenticator_sms/migrations/0009_smsdevice_throttling_failure_count_and_more.py
+++ b/authentik/stages/authenticator_sms/migrations/0009_smsdevice_throttling_failure_count_and_more.py
@@ -1,30 +0,0 @@
-# Generated by Django 5.2.12 on 2026-04-16 17:28
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_stages_authenticator_sms", "0008_alter_authenticatorsmsstage_friendly_name"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="smsdevice",
-            name="throttling_failure_count",
-            field=models.PositiveIntegerField(
-                default=0, help_text="Number of successive failed attempts."
-            ),
-        ),
-        migrations.AddField(
-            model_name="smsdevice",
-            name="throttling_failure_timestamp",
-            field=models.DateTimeField(
-                blank=True,
-                default=None,
-                help_text="A timestamp of the last failed verification attempt. Null if last attempt succeeded.",
-                null=True,
-            ),
-        ),
-    ]
--- a/authentik/stages/authenticator_sms/models.py
+++ b/authentik/stages/authenticator_sms/models.py
@@ -20,7 +20,7 @@ from authentik.events.utils import sanitize_item
 from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage
 from authentik.lib.models import SerializerModel
 from authentik.lib.utils.http import get_http_session
-from authentik.stages.authenticator.models import SideChannelDevice, ThrottlingMixin
+from authentik.stages.authenticator.models import SideChannelDevice

 LOGGER = get_logger()

@@ -197,7 +197,7 @@ def hash_phone_number(phone_number: str) -> str:
    return "hash:" + sha256(phone_number.encode()).hexdigest()


-class SMSDevice(SerializerModel, ThrottlingMixin, SideChannelDevice):
+class SMSDevice(SerializerModel, SideChannelDevice):
    """SMS Device"""

    user = models.ForeignKey(get_user_model(), on_delete=models.CASCADE)
@@ -224,19 +224,11 @@ class SMSDevice(SerializerModel, ThrottlingMixin, SideChannelDevice):

        return SMSDeviceSerializer

-    def verify_token(self, token: str) -> bool:
-        verify_allowed, _ = self.verify_is_allowed()
-        if verify_allowed:
-            verified = super().verify_token(token)
-
-            if verified:
-                self.throttle_reset()
-            else:
-                self.throttle_increment()
-        else:
-            verified = False
-
-        return verified
+    def verify_token(self, token):
+        valid = super().verify_token(token)
+        if valid:
+            self.save()
+        return valid

    def __str__(self):
        return str(self.name) or str(self.user_id)
--- a/authentik/stages/authenticator_sms/tests.py
+++ b/authentik/stages/authenticator_sms/tests.py
@@ -3,7 +3,6 @@
 from unittest.mock import MagicMock, patch
 from urllib.parse import parse_qsl

-from django.test import TestCase
 from django.urls import reverse
 from requests_mock import Mocker

@@ -13,7 +12,6 @@ from authentik.flows.planner import FlowPlan
 from authentik.flows.tests import FlowTestCase
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id
-from authentik.stages.authenticator.tests import ThrottlingTestMixin
 from authentik.stages.authenticator_sms.models import (
    AuthenticatorSMSStage,
    SMSDevice,
@@ -359,30 +357,3 @@ class AuthenticatorSMSStageTests(FlowTestCase):
            },
            phone_number_required=False,
        )
-
-
-class TestSMSDeviceThrottling(ThrottlingTestMixin, TestCase):
-    """Test ThrottlingMixin behaviour on SMSDevice.verify_token"""
-
-    def setUp(self):
-        super().setUp()
-        flow = create_test_flow()
-        user = create_test_admin_user()
-        stage = AuthenticatorSMSStage.objects.create(
-            flow=flow,
-            name="sms-throttle",
-            provider=SMSProviders.GENERIC,
-            from_number="1234",
-        )
-        self.device = SMSDevice.objects.create(
-            user=user,
-            stage=stage,
-            phone_number="+15551230001",
-        )
-        self.device.generate_token()
-
-    def valid_token(self):
-        return self.device.token
-
-    def invalid_token(self):
-        return "000000" if self.device.token != "000000" else "111111"
--- a/authentik/stages/authenticator_static/models.py
+++ b/authentik/stages/authenticator_static/models.py
@@ -3,6 +3,7 @@
 from base64 import b32encode
 from os import urandom

+from django.conf import settings
 from django.core.validators import MaxValueValidator
 from django.db import models
 from django.utils.translation import gettext_lazy as _
@@ -77,6 +78,9 @@ class StaticDevice(SerializerModel, ThrottlingMixin, Device):

        return StaticDeviceSerializer

+    def get_throttle_factor(self):
+        return getattr(settings, "OTP_STATIC_THROTTLE_FACTOR", 1)
+
    def verify_token(self, token):
        verify_allowed, _ = self.verify_is_allowed()
        if verify_allowed:
--- a/authentik/stages/authenticator_static/tests.py
+++ b/authentik/stages/authenticator_static/tests.py
@@ -1,5 +1,6 @@
 """Test Static API"""

+from django.test.utils import override_settings
 from django.urls import reverse
 from rest_framework.test import APITestCase

@@ -43,6 +44,9 @@ class DeviceTest(TestCase):
        str(device)


+@override_settings(
+    OTP_STATIC_THROTTLE_FACTOR=1,
+)
 class ThrottlingTestCase(ThrottlingTestMixin, TestCase):
    """Test static device throttling"""

--- a/authentik/stages/authenticator_totp/models.py
+++ b/authentik/stages/authenticator_totp/models.py
@@ -194,6 +194,9 @@ class TOTPDevice(SerializerModel, ThrottlingMixin, Device):

        return verified

+    def get_throttle_factor(self):
+        return getattr(settings, "OTP_TOTP_THROTTLE_FACTOR", 1)
+
    @property
    def config_url(self):
        """
--- a/authentik/stages/authenticator_totp/tests.py
+++ b/authentik/stages/authenticator_totp/tests.py
@@ -63,14 +63,11 @@ class TOTPDeviceMixin:

@override_settings(
    OTP_TOTP_SYNC=False,
+    OTP_TOTP_THROTTLE_FACTOR=0,
 )
 class TOTPTest(TOTPDeviceMixin, TestCase):
    """TOTP tests"""

-    def setUp(self):
-        super().setUp()
-        self.device.set_throttle_factor(0)
-
    def test_default_key(self):
        """Ensure default_key is valid"""
        device = self.alice.totpdevice_set.create()
@@ -193,6 +190,9 @@ class TOTPTest(TOTPDeviceMixin, TestCase):
        self.assertEqual(params["image"][0], image_url)


+@override_settings(
+    OTP_TOTP_THROTTLE_FACTOR=1,
+)
 class ThrottlingTestCase(TOTPDeviceMixin, ThrottlingTestMixin, TestCase):
    """Test TOTP Throttling"""

--- a/authentik/stages/authenticator_validate/api.py
+++ b/authentik/stages/authenticator_validate/api.py
@@ -39,10 +39,6 @@ class AuthenticatorValidateStageSerializer(StageSerializer):
            "webauthn_hints",
            "webauthn_allowed_device_types",
            "webauthn_allowed_device_types_obj",
-            "email_otp_throttling_factor",
-            "sms_otp_throttling_factor",
-            "totp_otp_throttling_factor",
-            "static_otp_throttling_factor",
        ]


--- a/authentik/stages/authenticator_validate/challenge.py
+++ b/authentik/stages/authenticator_validate/challenge.py
@@ -3,7 +3,6 @@
 from typing import TYPE_CHECKING
 from urllib.parse import urlencode

-from django.db import transaction
 from django.http import HttpRequest
 from django.http.response import Http404
 from django.shortcuts import get_object_or_404
@@ -30,8 +29,8 @@ from authentik.flows.stage import StageView
 from authentik.lib.utils.email import mask_email
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.root.middleware import ClientIPMiddleware
-from authentik.stages.authenticator import devices_for_user
-from authentik.stages.authenticator.models import Device, ThrottlingMixin
+from authentik.stages.authenticator import match_token
+from authentik.stages.authenticator.models import Device
 from authentik.stages.authenticator_duo.models import AuthenticatorDuoStage, DuoDevice
 from authentik.stages.authenticator_email.models import EmailDevice
 from authentik.stages.authenticator_sms.models import SMSDevice
@@ -144,20 +143,7 @@ def select_challenge_email(request: HttpRequest, device: EmailDevice):
 def validate_challenge_code(code: str, stage_view: StageView, user: User) -> Device:
    """Validate code-based challenges. We test against every device, on purpose, as
    the user mustn't choose between totp and static devices."""
-
-    with transaction.atomic():
-        for device in devices_for_user(user, for_verify=True):
-            if isinstance(device, ThrottlingMixin):
-                throttling_factor = stage_view.executor.current_stage.get_throttling_factor(
-                    DeviceClasses.from_model_label(device.model_label())
-                )
-                if throttling_factor is not None:
-                    device.set_throttle_factor(throttling_factor)
-            if device.verify_token(code):
-                break
-        else:
-            device = None
-
+    device = match_token(user, code)
    if not device:
        login_failed.send(
            sender=__name__,
--- a/authentik/stages/authenticator_validate/migrations/0016_authenticatorvalidatestage_email_otp_throttling_factor_and_more.py
+++ b/authentik/stages/authenticator_validate/migrations/0016_authenticatorvalidatestage_email_otp_throttling_factor_and_more.py
@@ -1,36 +0,0 @@
-# Generated by Django 5.2.12 on 2026-04-16 16:33
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        (
-            "authentik_stages_authenticator_validate",
-            "0015_authenticatorvalidatestage_webauthn_hints",
-        ),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="authenticatorvalidatestage",
-            name="email_otp_throttling_factor",
-            field=models.FloatField(default=1),
-        ),
-        migrations.AddField(
-            model_name="authenticatorvalidatestage",
-            name="sms_otp_throttling_factor",
-            field=models.FloatField(default=1),
-        ),
-        migrations.AddField(
-            model_name="authenticatorvalidatestage",
-            name="static_otp_throttling_factor",
-            field=models.FloatField(default=1),
-        ),
-        migrations.AddField(
-            model_name="authenticatorvalidatestage",
-            name="totp_otp_throttling_factor",
-            field=models.FloatField(default=1),
-        ),
-    ]
--- a/authentik/stages/authenticator_validate/models.py
+++ b/authentik/stages/authenticator_validate/models.py
@@ -22,12 +22,6 @@ class DeviceClasses(models.TextChoices):
    SMS = "sms", _("SMS")
    EMAIL = "email", _("Email")

-    @staticmethod
-    def from_model_label(model_label: str) -> DeviceClasses:
-        return getattr(
-            DeviceClasses, model_label.rsplit(".", maxsplit=1)[-1][: -len("device")].upper()
-        )
-

 def default_device_classes() -> list:
    """By default, accept all device classes"""
@@ -88,11 +82,6 @@ class AuthenticatorValidateStage(Stage):
        "authentik_stages_authenticator_webauthn.WebAuthnDeviceType", blank=True
    )

-    email_otp_throttling_factor = models.FloatField(default=1)
-    sms_otp_throttling_factor = models.FloatField(default=1)
-    totp_otp_throttling_factor = models.FloatField(default=1)
-    static_otp_throttling_factor = models.FloatField(default=1)
-
    @property
    def serializer(self) -> type[BaseSerializer]:
        from authentik.stages.authenticator_validate.api import AuthenticatorValidateStageSerializer
@@ -109,17 +98,6 @@ class AuthenticatorValidateStage(Stage):
    def component(self) -> str:
        return "ak-stage-authenticator-validate-form"

-    def get_throttling_factor(self, device_class: DeviceClasses) -> float | None:
-        if device_class == DeviceClasses.EMAIL:
-            return self.email_otp_throttling_factor
-        elif device_class == DeviceClasses.SMS:
-            return self.sms_otp_throttling_factor
-        elif device_class == DeviceClasses.TOTP:
-            return self.totp_otp_throttling_factor
-        elif device_class == DeviceClasses.STATIC:
-            return self.static_otp_throttling_factor
-        return None
-
    class Meta:
        verbose_name = _("Authenticator Validation Stage")
        verbose_name_plural = _("Authenticator Validation Stages")
--- a/authentik/stages/authenticator_validate/tests/test_throttling.py
+++ b/authentik/stages/authenticator_validate/tests/test_throttling.py
@@ -1,247 +0,0 @@
-from django.test import TestCase
-from django.test.client import RequestFactory
-from django.urls.base import reverse
-from rest_framework.exceptions import ValidationError
-
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.flows.models import FlowStageBinding
-from authentik.flows.stage import StageView
-from authentik.flows.tests import FlowTestCase
-from authentik.flows.views.executor import FlowExecutorView
-from authentik.lib.generators import generate_id
-from authentik.stages.authenticator_email.models import AuthenticatorEmailStage, EmailDevice
-from authentik.stages.authenticator_sms.models import (
-    AuthenticatorSMSStage,
-    SMSDevice,
-    SMSProviders,
-)
-from authentik.stages.authenticator_validate.challenge import validate_challenge_code
-from authentik.stages.authenticator_validate.models import (
-    AuthenticatorValidateStage,
-    DeviceClasses,
-)
-from authentik.stages.identification.models import IdentificationStage, UserFields
-
-
-class DeviceClassesHelperTests(TestCase):
-    """Tests for the DeviceClasses.from_model_label helper."""
-
-    def test_from_model_label_all_classes(self):
-        cases = {
-            "authentik_stages_authenticator_email.emaildevice": DeviceClasses.EMAIL,
-            "authentik_stages_authenticator_sms.smsdevice": DeviceClasses.SMS,
-            "authentik_stages_authenticator_totp.totpdevice": DeviceClasses.TOTP,
-            "authentik_stages_authenticator_static.staticdevice": DeviceClasses.STATIC,
-            "authentik_stages_authenticator_duo.duodevice": DeviceClasses.DUO,
-            "authentik_stages_authenticator_webauthn.webauthndevice": DeviceClasses.WEBAUTHN,
-        }
-        for label, expected in cases.items():
-            with self.subTest(label=label):
-                self.assertEqual(DeviceClasses.from_model_label(label), expected)
-
-
-class AuthenticatorValidateStageFactorTests(TestCase):
-    """Tests for AuthenticatorValidateStage.get_throttling_factor."""
-
-    def test_per_class_factors_returned(self):
-        stage = AuthenticatorValidateStage.objects.create(
-            name=generate_id(),
-            email_otp_throttling_factor=5,
-            sms_otp_throttling_factor=6,
-            totp_otp_throttling_factor=7,
-            static_otp_throttling_factor=8,
-        )
-        self.assertEqual(stage.get_throttling_factor(DeviceClasses.EMAIL), 5)
-        self.assertEqual(stage.get_throttling_factor(DeviceClasses.SMS), 6)
-        self.assertEqual(stage.get_throttling_factor(DeviceClasses.TOTP), 7)
-        self.assertEqual(stage.get_throttling_factor(DeviceClasses.STATIC), 8)
-
-    def test_no_factor_for_webauthn_or_duo(self):
-        stage = AuthenticatorValidateStage.objects.create(name=generate_id())
-        self.assertIsNone(stage.get_throttling_factor(DeviceClasses.WEBAUTHN))
-        self.assertIsNone(stage.get_throttling_factor(DeviceClasses.DUO))
-
-
-class ValidateChallengeCodeThrottlingTests(FlowTestCase):
-    """Tests for validate_challenge_code throttling behavior."""
-
-    def setUp(self) -> None:
-        super().setUp()
-        self.user = create_test_admin_user()
-        self.request_factory = RequestFactory()
-        self.email_stage = AuthenticatorEmailStage.objects.create(
-            name="email-stage-validate-throttle",
-            use_global_settings=True,
-            from_address="test@authentik.local",
-            token_expiry="minutes=30",
-        )  # nosec
-        self.sms_stage = AuthenticatorSMSStage.objects.create(
-            name="sms-stage-validate-throttle",
-            provider=SMSProviders.GENERIC,
-            from_number="1234",
-        )
-
-    def _validate_stage(self, **factors) -> AuthenticatorValidateStage:
-        return AuthenticatorValidateStage.objects.create(
-            name=generate_id(),
-            device_classes=[
-                DeviceClasses.EMAIL,
-                DeviceClasses.SMS,
-                DeviceClasses.TOTP,
-                DeviceClasses.STATIC,
-            ],
-            **factors,
-        )
-
-    def _stage_view(self, validate_stage: AuthenticatorValidateStage) -> StageView:
-        request = self.request_factory.get("/")
-        return StageView(FlowExecutorView(current_stage=validate_stage), request=request)
-
-    def _email_device(self, email: str = "throttle@authentik.local") -> EmailDevice:
-        return EmailDevice.objects.create(
-            user=self.user,
-            stage=self.email_stage,
-            confirmed=True,
-            email=email,
-        )
-
-    def _sms_device(self, phone_number: str = "+15551230101") -> SMSDevice:
-        return SMSDevice.objects.create(
-            user=self.user,
-            stage=self.sms_stage,
-            confirmed=True,
-            phone_number=phone_number,
-        )
-
-    def test_stage_factor_applied_to_email_device(self):
-        """The stage's email_otp_throttling_factor is pushed onto the device before verify."""
-        stage = self._validate_stage(email_otp_throttling_factor=3)
-        device = self._email_device()
-        device.generate_token()
-        with self.assertRaises(ValidationError):
-            validate_challenge_code("000000", self._stage_view(stage), self.user)
-        device.refresh_from_db()
-        self.assertEqual(device.throttling_failure_count, 1)
-        # verify_is_allowed must compute the delay using factor=3 (3 * 2^0 = 3s).
-        device.set_throttle_factor(3)
-        allowed, data = device.verify_is_allowed()
-        self.assertFalse(allowed)
-        required = data["locked_until"] - device.throttling_failure_timestamp
-        self.assertAlmostEqual(required.total_seconds(), 3, places=3)
-
-    def test_factor_zero_disables_throttling_end_to_end(self):
-        """With email_otp_throttling_factor=0, repeated failures do not lock the device."""
-        stage = self._validate_stage(email_otp_throttling_factor=0)
-        device = self._email_device()
-        device.generate_token()
-        token = device.token
-        for _ in range(10):
-            with self.assertRaises(ValidationError):
-                validate_challenge_code("000000", self._stage_view(stage), self.user)
-        matched = validate_challenge_code(token, self._stage_view(stage), self.user)
-        self.assertEqual(matched.pk, device.pk)
-
-    def test_lockout_persists_across_calls(self):
-        """
-        A correct token on the second call is still blocked and does not increment the counter.
-        """
-        stage = self._validate_stage(email_otp_throttling_factor=1)
-        device = self._email_device()
-        device.generate_token()
-        token = device.token
-        invalid_token = "000000" if token != "000000" else "111111"  # nosec
-        with self.assertRaises(ValidationError):
-            validate_challenge_code(invalid_token, self._stage_view(stage), self.user)
-        # Immediately try with the correct token: lockout still active, attempt must be rejected.
-        with self.assertRaises(ValidationError):
-            validate_challenge_code(token, self._stage_view(stage), self.user)
-        device.refresh_from_db()
-        # Token wasn't consumed (verification never ran), and counter didn't get incremented.
-        self.assertEqual(device.token, token)
-        self.assertEqual(device.throttling_failure_count, 1)
-
-
-class ValidateStageThrottlingFlowTests(FlowTestCase):
-    """End-to-end lockout behavior through the flow executor HTTP API."""
-
-    def setUp(self) -> None:
-        super().setUp()
-        self.user = create_test_admin_user()
-        self.email_stage = AuthenticatorEmailStage.objects.create(
-            name="email-stage-flow-throttle",
-            use_global_settings=True,
-            from_address="test@authentik.local",
-            token_expiry="minutes=30",
-        )  # nosec
-        self.ident_stage = IdentificationStage.objects.create(
-            name=generate_id(),
-            user_fields=[UserFields.USERNAME],
-        )
-        self.validate_stage = AuthenticatorValidateStage.objects.create(
-            name=generate_id(),
-            device_classes=[DeviceClasses.EMAIL],
-            email_otp_throttling_factor=1,
-        )
-        self.flow = create_test_flow()
-        FlowStageBinding.objects.create(target=self.flow, stage=self.ident_stage, order=0)
-        FlowStageBinding.objects.create(target=self.flow, stage=self.validate_stage, order=1)
-
-    def _identify(self):
-        response = self.client.post(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
-            {"uid_field": self.user.username},
-            follow=True,
-        )
-        self.assertEqual(response.status_code, 200)
-
-    def _select_email(self, device: EmailDevice):
-        self.client.post(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
-            {
-                "component": "ak-stage-authenticator-validate",
-                "selected_challenge": {
-                    "device_class": "email",
-                    "device_uid": str(device.pk),
-                    "challenge": {},
-                    "last_used": None,
-                },
-            },
-        )
-
-    def test_bad_code_then_correct_code_is_still_blocked(self):
-        """After a bad code over HTTP, a subsequent correct code is still rejected
-        because the lockout persists in the database."""
-        device = EmailDevice.objects.create(
-            user=self.user,
-            confirmed=True,
-            stage=self.email_stage,
-            email="throttle-flow@authentik.local",
-        )
-        self._identify()
-        self._select_email(device)
-        # Server generated and stored the token - grab it from DB.
-        device.refresh_from_db()
-        token = device.token
-        # First attempt: bad code - must increment the DB counter.
-        self.client.post(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
-            {"component": "ak-stage-authenticator-validate", "code": "000000"},
-        )
-        device.refresh_from_db()
-        self.assertEqual(device.throttling_failure_count, 1)
-        self.assertEqual(device.token, token)
-        # Second attempt with the correct token - still blocked.
-        response = self.client.post(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
-            {"component": "ak-stage-authenticator-validate", "code": token},
-        )
-        self.assertStageResponse(
-            response,
-            flow=self.flow,
-            component="ak-stage-authenticator-validate",
-        )
-        device.refresh_from_db()
-        # Counter wasn't incremented on a blocked attempt
-        self.assertEqual(device.throttling_failure_count, 1)
-        # Token wasn't consumed.
-        self.assertEqual(device.token, token)
--- a/authentik/stages/authenticator_webauthn/mds/blob.jwt
+++ b/authentik/stages/authenticator_webauthn/mds/blob.jwt
--- a/authentik/tasks/test.py
+++ b/authentik/tasks/test.py
@@ -7,7 +7,7 @@ from dramatiq.broker import Broker, MessageProxy, get_broker
 from dramatiq.middleware.middleware import Middleware
 from dramatiq.middleware.retries import Retries
 from dramatiq.results.middleware import Results
-from dramatiq.worker import ConsumerThread, Worker, WorkerThread
+from dramatiq.worker import Worker, _ConsumerThread, _WorkerThread

 from authentik.tasks.broker import PostgresBroker

@@ -20,7 +20,7 @@ class TestWorker(Worker):
        self.worker_id = 1000
        self.work_queue = PriorityQueue()
        self.consumers = {
-            TESTING_QUEUE: ConsumerThread(
+            TESTING_QUEUE: _ConsumerThread(
                broker=self.broker,
                queue_name=TESTING_QUEUE,
                prefetch=2,
@@ -33,7 +33,7 @@ class TestWorker(Worker):
            prefetch=2,
            timeout=1,
        )
-        self._worker = WorkerThread(
+        self._worker = _WorkerThread(
            broker=self.broker,
            consumers=self.consumers,
            work_queue=self.work_queue,
@@ -78,18 +78,17 @@ def use_test_broker():
        actor.broker = broker
        actor.broker.declare_actor(actor)

-    for middleware_class_path, middleware_kwargs in Conf().middlewares:
-        middleware_class = import_string(middleware_class_path)
-        if issubclass(middleware_class, Results):
-            middleware_kwargs["backend"] = import_string(Conf().result_backend)(
-                *Conf().result_backend_args,
-                **Conf().result_backend_kwargs,
-            )
-        middleware: Middleware = middleware_class(
+    for middleware_class, middleware_kwargs in Conf().middlewares:
+        middleware: Middleware = import_string(middleware_class)(
            **middleware_kwargs,
        )
        if isinstance(middleware, Retries):
            middleware.max_retries = 0
+        if isinstance(middleware, Results):
+            middleware.backend = import_string(Conf().result_backend)(
+                *Conf().result_backend_args,
+                **Conf().result_backend_kwargs,
+            )
        broker.add_middleware(middleware)

    broker.start()
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@@ -14936,22 +14936,6 @@
                        "format": "uuid"
                    },
                    "title": "Webauthn allowed device types"
-                },
-                "email_otp_throttling_factor": {
-                    "type": "number",
-                    "title": "Email otp throttling factor"
-                },
-                "sms_otp_throttling_factor": {
-                    "type": "number",
-                    "title": "Sms otp throttling factor"
-                },
-                "totp_otp_throttling_factor": {
-                    "type": "number",
-                    "title": "Totp otp throttling factor"
-                },
-                "static_otp_throttling_factor": {
-                    "type": "number",
-                    "title": "Static otp throttling factor"
                }
            },
            "required": []
--- a/lifecycle/ak
+++ b/lifecycle/ak
@@ -79,7 +79,7 @@ function prepare_debug {
    apt-get update
    apt-get install -y --no-install-recommends krb5-kdc krb5-user krb5-admin-server libkrb5-dev gcc
    source "${VENV_PATH}/bin/activate"
-    uv sync --active --locked
+    uv sync --active --frozen
    touch /unittest.xml
    chown authentik:authentik /unittest.xml
 }
--- a/lifecycle/aws/package-lock.json
+++ b/lifecycle/aws/package-lock.json
@@ -9,7 +9,7 @@
            "version": "0.0.0",
            "license": "MIT",
            "devDependencies": {
-                "aws-cdk": "^2.1120.0",
+                "aws-cdk": "^2.1119.0",
                "cross-env": "^10.1.0"
            },
            "engines": {
@@ -25,9 +25,9 @@
            "license": "MIT"
        },
        "node_modules/aws-cdk": {
-            "version": "2.1120.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1120.0.tgz",
-            "integrity": "sha512-vDVa0IX0FhizARdY/GLSParFglKbdHCIhM8IDmynrAv9w8uLLljzWMeLUOhC1XpMErDZ/npYEihAOjfKxTaMIw==",
+            "version": "2.1119.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1119.0.tgz",
+            "integrity": "sha512-XBxZEKH3BY4M1EX6x0qBkmOAj8viErjpww14iH6Z3z6nI0YzjZeJ05eEl7eJwzUgv7NTGagWBS9m/eDJW5+dAg==",
            "dev": true,
            "license": "Apache-2.0",
            "bin": {
--- a/lifecycle/aws/package.json
+++ b/lifecycle/aws/package.json
@@ -7,7 +7,7 @@
        "aws-cfn": "cross-env CI=false cdk synth --version-reporting=false > template.yaml"
    },
    "devDependencies": {
-        "aws-cdk": "^2.1120.0",
+        "aws-cdk": "^2.1119.0",
        "cross-env": "^10.1.0"
    },
    "engines": {
--- a/lifecycle/container/Dockerfile
+++ b/lifecycle/container/Dockerfile
@@ -200,7 +200,7 @@ RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
    --mount=type=bind,target=packages/django-postgres-cache,src=packages/django-postgres-cache \
    --mount=type=bind,target=rust-toolchain.toml,src=rust-toolchain.toml \
    --mount=type=cache,id=uv-python-deps-$TARGETARCH$TARGETVARIANT,target=/root/.cache/uv \
-    uv sync --locked --no-install-project --no-dev
+    uv sync --frozen --no-install-project --no-dev

 # Stage: Run
 FROM python-base AS final-image
--- a/lifecycle/worker_process.py
+++ b/lifecycle/worker_process.py
@@ -28,7 +28,12 @@ class HttpHandler(BaseHTTPRequestHandler):
            _ = db_conn.cursor()

    def do_GET(self):
-        from django.db import DatabaseError, InterfaceError, OperationalError, connections
+        from django.db import (
+            DatabaseError,
+            InterfaceError,
+            OperationalError,
+            connections,
+        )
        from psycopg.errors import AdminShutdown

        from authentik.root.monitoring import monitoring_set
@@ -37,6 +42,7 @@ class HttpHandler(BaseHTTPRequestHandler):
            AdminShutdown,
            InterfaceError,
            DatabaseError,
+            ConnectionError,
            OperationalError,
        )

--- a/locale/bg_BG/LC_MESSAGES/django.mo
+++ b/locale/bg_BG/LC_MESSAGES/django.mo
--- a/locale/bg_BG/LC_MESSAGES/django.po
+++ b/locale/bg_BG/LC_MESSAGES/django.po
--- a/locale/cs_CZ/LC_MESSAGES/django.mo
+++ b/locale/cs_CZ/LC_MESSAGES/django.mo
--- a/locale/cs_CZ/LC_MESSAGES/django.po
+++ b/locale/cs_CZ/LC_MESSAGES/django.po
@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-02-10 19:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
 "Last-Translator: Václav Nováček <waclaw661@gmail.com>, 2026\n"
 "Language-Team: Czech (Czech Republic) (https://app.transifex.com/authentik/teams/119923/cs_CZ/)\n"
@@ -106,14 +106,6 @@ msgstr "Chyba validace"
 msgid "Blueprint file does not exist"
 msgstr "Soubor s konfigurační šablonou neexistuje"

-#: authentik/blueprints/api.py
-msgid "Context must be valid JSON"
-msgstr ""
-
-#: authentik/blueprints/api.py
-msgid "Context must be a JSON object"
-msgstr ""
-
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Ověřování konfigurační šablony selhalo"
@@ -122,11 +114,6 @@ msgstr "Ověřování konfigurační šablony selhalo"
 msgid "Either path or content must be set."
 msgstr "Musí být nastavena buď cesta, nebo obsah."

-#: authentik/blueprints/api.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "Uživatel nemá oprávnění vytvořit {model}"
-
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Spravuje authentik"
@@ -257,13 +244,10 @@ msgstr ""
 "pouze poskytovatele backchannel. Pokud je vypnuto, backchannel poskytovatelé"
 " nejsou zahrnuti."

-#: authentik/core/api/users.py
-msgid "Invalid password hash format. Must be a valid Django password hash."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "Cannot set both password and password_hash. Use only one."
-msgstr ""
+#: authentik/core/api/transactional_applications.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr "Uživatel nemá oprávnění vytvořit {model}"

 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
@@ -325,12 +309,6 @@ msgstr ""
 msgid "This field is required."
 msgstr "Toto pole je povinné."

-#: authentik/core/apps.py
-msgid ""
-"Configure if applications without any policy/group/user bindings should be "
-"accessible to any user."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "name"
 msgstr "Jméno"
@@ -437,10 +415,6 @@ msgstr "Interní název aplikace, používaný v URI."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Otevřít úvodní URL v novém okně nebo kartě prohlížeče."

-#: authentik/core/models.py
-msgid "Hide this application from the user's My applications page."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Aplikace"
@@ -632,14 +606,6 @@ msgstr "Odstranit dočasné uživatele vytvořené zdroji SAML."
 msgid "Go home"
 msgstr "Přejít domů"

-#: authentik/core/templates/login/base_full.html
-msgid "Site footer"
-msgstr ""
-
-#: authentik/core/templates/login/base_full.html
-msgid "Flow links"
-msgstr ""
-
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -746,10 +712,6 @@ msgstr ""
 msgid "Discover, import and update certificates from the filesystem."
 msgstr "Objevit, importovat a aktualizovat certifikáty na souborovém systému."

-#: authentik/endpoints/api/stages.py
-msgid "Selected connector is not compatible with this stage."
-msgstr ""
-
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr ""
@@ -804,14 +766,6 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""

-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclave"
-msgstr ""
-
-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclaves"
-msgstr ""
-
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -883,12 +837,6 @@ msgstr ""
 msgid "Enterprise is required to use this endpoint."
 msgstr ""

-#: authentik/enterprise/audit/apps.py
-msgid ""
-"Include additional information in audit logs, may incur a performance "
-"penalty."
-msgstr ""
-
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -906,19 +854,6 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""

-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connector"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connectors"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Ověřuji Váš prohlížeč..."
-
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -935,6 +870,10 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""

+#: authentik/enterprise/lifecycle/api/rules.py
+msgid "Only one type-wide rule for each object type is allowed."
+msgstr ""
+
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -962,8 +901,7 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
-msgid ""
-"Access review is due for {self.content_type.name.lower()} {object_label}"
+msgid "Access review is due for {self.content_type.name} {str(self.object)}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
@@ -977,7 +915,7 @@ msgid ""
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to apply lifecycle rules."
+msgid "Dispatch tasks to validate lifecycle rules."
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
@@ -1220,14 +1158,6 @@ msgstr "Pro použití EAP-TLS je nutná Enterprise licence."
 msgid "Enterprise is required to use the OAuth mode."
 msgstr "Pro použití OAuth režimu je vyžadována Enterprise licence."

-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Push"
-msgstr ""
-
-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Pull"
-msgstr ""
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1309,78 +1239,6 @@ msgstr ""
 msgid "Generate data export."
 msgstr ""

-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "User to lock. If omitted, locks the current user (self-service)."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Lockdown flow is not applicable."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Choose the target account, then return a flow link."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured or the flow is not applicable"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Permission denied (when targeting another user)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Deactivate the user account (set is_active to False)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Set an unusable password for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Delete all active sessions for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Revoke all tokens for the user (API, app password, recovery, verification, "
-"OAuth)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Flow to redirect users to after self-service lockdown. This flow should not "
-"require authentication since the user's session is deleted."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "No target user specified for account lockdown"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "You do not have permission to lock down this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Account lockdown failed for this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Self-service account lockdown requires a completion flow."
-msgstr ""
-
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr "Fáze konektoru Endpoint Authenticator Google Device Trust"
@@ -1397,6 +1255,10 @@ msgstr "Koncové zařízení"
 msgid "Endpoint Devices"
 msgstr "Koncová zařízení"

+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "Ověřuji Váš prohlížeč..."
+
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1479,12 +1341,6 @@ msgstr ""
 "Odeslat oznámení pouze jednou, například při posílání webhooku do kanálu "
 "chatu."

-#: authentik/events/models.py
-msgid ""
-"When set, the selected ceritifcate is used to validate the certificate of "
-"the webhook server."
-msgstr ""
-
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1655,15 +1511,6 @@ msgstr "Zásady před tokem"
 msgid "Flow"
 msgstr "Tok"

-#: authentik/flows/apps.py
-msgid "Refresh other tabs after successful authentication."
-msgstr ""
-
-#: authentik/flows/apps.py
-msgid ""
-"Upon successful authentication, re-start authentication in other open tabs."
-msgstr ""
-
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "Tok se nevztahuje na aktuálního uživatele."
@@ -1773,8 +1620,8 @@ msgstr "Token Toku"
 msgid "Flow Tokens"
 msgstr "Tokeny Toků"

-#: authentik/flows/planner.py
-msgid "This link is invalid or has expired. Please request a new one."
+#: authentik/flows/templates/if/flow.html
+msgid "Site footer"
 msgstr ""

 #: authentik/flows/views/executor.py
@@ -2159,6 +2006,22 @@ msgstr "Reputační skóre"
 msgid "Reputation Scores"
 msgstr "Reputační skóre"

+#: authentik/policies/templates/policies/buffer.html
+msgid "Waiting for authentication..."
+msgstr "Čeká se na ověření..."
+
+#: authentik/policies/templates/policies/buffer.html
+msgid ""
+"You're already authenticating in another tab. This page will refresh once "
+"authentication is completed."
+msgstr ""
+"Už se přihlašujete na jiné záložce. Stránka se obnoví, jakmile bude ověření "
+"dokončeno."
+
+#: authentik/policies/templates/policies/buffer.html
+msgid "Authenticate in this tab"
+msgstr "Ověřit na této záložce"
+
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Nedostatečná oprávnění"
@@ -2284,14 +2147,6 @@ msgstr "Striktní porovnání URL"
 msgid "Regular Expression URL matching"
 msgstr "Porovnání URL regulárním výrazem"

-#: authentik/providers/oauth2/models.py
-msgid "Authorization"
-msgstr ""
-
-#: authentik/providers/oauth2/models.py
-msgid "Logout"
-msgstr ""
-
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr "Back-channel"
@@ -2649,6 +2504,10 @@ msgstr "Poskytovatel proxy"
 msgid "Proxy Providers"
 msgstr "Poskytovatelé proxy"

+#: authentik/providers/proxy/tasks.py
+msgid "Terminate session on Proxy outpost."
+msgstr "Ukončit relaci na outpostu proxy."
+
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2776,10 +2635,8 @@ msgstr ""
 "omezení publika nebude přidáno."

 #: authentik/providers/saml/models.py
-msgid ""
-"Also known as EntityID. Providing a value overrides the default issuer "
-"generated by authentik."
-msgstr ""
+msgid "Also known as EntityID"
+msgstr "Také známé jako EntityID."

 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -2997,10 +2854,6 @@ msgstr "Hodnota SAML NameID pro tuto relaci"
 msgid "SAML NameID format"
 msgstr "Formát SAML NameID"

-#: authentik/providers/saml/models.py
-msgid "SAML Issuer used for this session"
-msgstr ""
-
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "Relace SAML"
@@ -3029,14 +2882,6 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr ""

-#: authentik/providers/scim/models.py
-msgid "Webex"
-msgstr ""
-
-#: authentik/providers/scim/models.py
-msgid "vCenter"
-msgstr ""
-
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3313,7 +3158,7 @@ msgstr ""
 "                    Prosím, kontaktujte správce.\n"
 "                "

-#: authentik/sources/ldap/api/sources.py
+#: authentik/sources/ldap/api.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr "Je dovolen pouze jeden zdroj LDAP se synchronizací hesel"

@@ -3843,12 +3688,6 @@ msgstr ""
 "Povolit autentikační tok iniciovaný Identity Providerem. Může představovat "
 "bezpečnostní riziko, protože se nekontroluje request ID."

-#: authentik/sources/saml/models.py
-msgid ""
-"When enabled, the IdP will re-authenticate the user even if a session "
-"exists."
-msgstr ""
-
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4269,10 +4108,6 @@ msgstr "Kroky validace autentikátoru"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "Žádný (povolený) MFA autentikátor nebyl nastaven."

-#: authentik/stages/authenticator_webauthn/models.py
-msgid "When enabled, a given device can only be registered once."
-msgstr ""
-
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "Krok nastavení autentikátoru WebAuthn"
@@ -4408,10 +4243,6 @@ msgstr "Email OTP"
 msgid "Event Notification"
 msgstr "Oznámení o události"

-#: authentik/stages/email/models.py authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Pozvánka"
-
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4530,62 +4361,6 @@ msgstr ""
 "\n"
 "Tento email byl odeslán z transportu oznámení %(name)s.\n"

-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"      You're Invited!\n"
-"      "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          You have been invited to join %(host)s. Click the button below to get started.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          This invitation expires %(expires)s.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "Accept Invitation"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
-"    "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "You're Invited!"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid ""
-"You have been invited to join %(host)s. Use the link below to get started."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid "This invitation expires %(expires)s."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid ""
-"If you cannot click the link above, please copy and paste the following URL "
-"into your browser:"
-msgstr ""
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4763,6 +4538,10 @@ msgstr "Pokud je povoleno, pozvánka bude po použití smazána."
 msgid "Optional fixed data to enforce on user enrollment."
 msgstr ""

+#: authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Pozvánka"
+
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Pozvánky"
@@ -4875,18 +4654,6 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr ""

-#: authentik/stages/prompt/models.py
-msgid "Alert (Info): Static alert box with info styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Warning): Static alert box with warning styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Danger): Static alert box with danger styling"
-msgstr ""
-
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik: Výběr jazyků, které authentik podporuje"
--- a/locale/de_DE/LC_MESSAGES/django.po
+++ b/locale/de_DE/LC_MESSAGES/django.po
@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-04-23 00:25+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
 "Last-Translator: Lukas Nielsen, 2026\n"
 "Language-Team: German (Germany) (https://app.transifex.com/authentik/teams/119923/de_DE/)\n"
@@ -111,14 +111,6 @@ msgstr "Validierungsfehler"
 msgid "Blueprint file does not exist"
 msgstr "Vorlagendatei existiert nicht"

-#: authentik/blueprints/api.py
-msgid "Context must be valid JSON"
-msgstr ""
-
-#: authentik/blueprints/api.py
-msgid "Context must be a JSON object"
-msgstr ""
-
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Fehler bei der Validierung der Vorlage"
@@ -265,14 +257,6 @@ msgstr ""
 "werden nur die backchannel Provider zurück gegeben. Zudem werden bei "
 "Deaktivierung die backchannel Provider ausgeschlossen."

-#: authentik/core/api/users.py
-msgid "Invalid password hash format. Must be a valid Django password hash."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "Cannot set both password and password_hash. Use only one."
-msgstr ""
-
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
 msgstr "Es sind keine führenden oder abschließenden Schrägstriche erlaubt."
@@ -451,10 +435,6 @@ msgstr "Interner Anwendungsname, wird in URLs verwendet."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Start-URL in einem neuen Browser-Fenster öffnen."

-#: authentik/core/models.py
-msgid "Hide this application from the user's My applications page."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Anwendung"
@@ -954,6 +934,10 @@ msgstr "Es muss entweder eine Prüfergruppe oder ein Prüfer festgelegt werden."
 msgid "Grace period must be shorter than the interval."
 msgstr "Die Nachfrist muss kürzer sein als das Intervall."

+#: authentik/enterprise/lifecycle/api/rules.py
+msgid "Only one type-wide rule for each object type is allowed."
+msgstr "Für jeden Objekttyp ist nur eine typweite Regel zulässig."
+
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -984,9 +968,10 @@ msgid "Go to {self._get_model_name()}"
 msgstr "Gehe zu {self._get_model_name()}"

 #: authentik/enterprise/lifecycle/models.py
-msgid ""
-"Access review is due for {self.content_type.name.lower()} {object_label}"
+msgid "Access review is due for {self.content_type.name} {str(self.object)}"
 msgstr ""
+"Die Zugriffsüberprüfung für {self.content_type.name} {str(self.object)} "
+"steht an"

 #: authentik/enterprise/lifecycle/models.py
 msgid ""
@@ -1003,8 +988,8 @@ msgstr ""
 "erledigt"

 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to apply lifecycle rules."
-msgstr ""
+msgid "Dispatch tasks to validate lifecycle rules."
+msgstr "Aufgaben zur Überprüfung von Lebenszyklusregeln zuweisen."

 #: authentik/enterprise/lifecycle/tasks.py
 msgid "Apply lifecycle rule."
@@ -1347,78 +1332,6 @@ msgstr "Download"
 msgid "Generate data export."
 msgstr "Datenexport generieren."

-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "User to lock. If omitted, locks the current user (self-service)."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Lockdown flow is not applicable."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Choose the target account, then return a flow link."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured or the flow is not applicable"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Permission denied (when targeting another user)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Deactivate the user account (set is_active to False)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Set an unusable password for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Delete all active sessions for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Revoke all tokens for the user (API, app password, recovery, verification, "
-"OAuth)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Flow to redirect users to after self-service lockdown. This flow should not "
-"require authentication since the user's session is deleted."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "No target user specified for account lockdown"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "You do not have permission to lock down this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Account lockdown failed for this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Self-service account lockdown requires a completion flow."
-msgstr ""
-
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr "Endpunkt-Authenticator für Google Gerätevertrauen Verbindungs Stage"
@@ -2864,10 +2777,8 @@ msgstr ""
 "Feld leer, wird keine Zielgruppenbeschränkung hinzugefügt."

 #: authentik/providers/saml/models.py
-msgid ""
-"Also known as EntityID. Providing a value overrides the default issuer "
-"generated by authentik."
-msgstr ""
+msgid "Also known as EntityID"
+msgstr "Auch bekannt als EntityID"

 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -3089,10 +3000,6 @@ msgstr "SAML-NameID-Wert für diese Sitzung"
 msgid "SAML NameID format"
 msgstr "SAML-NameID-Format"

-#: authentik/providers/saml/models.py
-msgid "SAML Issuer used for this session"
-msgstr ""
-
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "SAML Sitzung"
@@ -3125,10 +3032,6 @@ msgstr "Salesforce"
 msgid "Webex"
 msgstr "Webex"

-#: authentik/providers/scim/models.py
-msgid "vCenter"
-msgstr ""
-
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -5043,18 +4946,6 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr "Statisch: Statischer Wert, wird so angezeigt, wie er ist."

-#: authentik/stages/prompt/models.py
-msgid "Alert (Info): Static alert box with info styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Warning): Static alert box with warning styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Danger): Static alert box with danger styling"
-msgstr ""
-
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "Authentik: Auswahl der von Authentik unterstützten Gebietsschemata"
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-05-01 03:47+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -101,14 +101,6 @@ msgstr ""
 msgid "Blueprint file does not exist"
 msgstr ""

-#: authentik/blueprints/api.py
-msgid "Context must be valid JSON"
-msgstr ""
-
-#: authentik/blueprints/api.py
-msgid "Context must be a JSON object"
-msgstr ""
-
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr ""
--- a/locale/en/dictionaries/integrations.txt
+++ b/locale/en/dictionaries/integrations.txt
@@ -22,7 +22,6 @@ Gestionnaire
 ghec
 Gitea
 Gravitee
-HACS
 Homarr
 Informatique
 Kimai
--- a/locale/es_ES/LC_MESSAGES/django.mo
+++ b/locale/es_ES/LC_MESSAGES/django.mo
--- a/locale/es_ES/LC_MESSAGES/django.po
+++ b/locale/es_ES/LC_MESSAGES/django.po
@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-02-10 19:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: Spanish (Spain) (https://app.transifex.com/authentik/teams/119923/es_ES/)\n"
@@ -105,14 +105,6 @@ msgstr "Error de validación"
 msgid "Blueprint file does not exist"
 msgstr "El archivo de plantilla(blueprint) no existe"

-#: authentik/blueprints/api.py
-msgid "Context must be valid JSON"
-msgstr ""
-
-#: authentik/blueprints/api.py
-msgid "Context must be a JSON object"
-msgstr ""
-
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "No se pudo validar la plantilla(blueprint)"
@@ -121,11 +113,6 @@ msgstr "No se pudo validar la plantilla(blueprint)"
 msgid "Either path or content must be set."
 msgstr "Se debe establecer una ruta o contenido."

-#: authentik/blueprints/api.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "El usuario carece de permisos para crear {model}"
-
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Administrado por authentik"
@@ -261,13 +248,10 @@ msgstr ""
 "secundario. Cuando se configura como falso, se excluyen los proveedores de "
 "canal secundario."

-#: authentik/core/api/users.py
-msgid "Invalid password hash format. Must be a valid Django password hash."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "Cannot set both password and password_hash. Use only one."
-msgstr ""
+#: authentik/core/api/transactional_applications.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr "El usuario carece de permisos para crear {model}"

 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
@@ -329,12 +313,6 @@ msgstr ""
 msgid "This field is required."
 msgstr ""

-#: authentik/core/apps.py
-msgid ""
-"Configure if applications without any policy/group/user bindings should be "
-"accessible to any user."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "name"
 msgstr "nombre"
@@ -441,10 +419,6 @@ msgstr "Nombre de la aplicación interna, utilizado en las URL."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Abrir la URL de inicio en una nueva pestaña o ventana del navegador."

-#: authentik/core/models.py
-msgid "Hide this application from the user's My applications page."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Aplicación"
@@ -635,14 +609,6 @@ msgstr "Eliminar usuarios temporales creados por SAML Sources."
 msgid "Go home"
 msgstr "Ir al inicio"

-#: authentik/core/templates/login/base_full.html
-msgid "Site footer"
-msgstr ""
-
-#: authentik/core/templates/login/base_full.html
-msgid "Flow links"
-msgstr ""
-
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -750,10 +716,6 @@ msgid "Discover, import and update certificates from the filesystem."
 msgstr ""
 "Descubra, importe y actualice certificados desde el sistema de archivos."

-#: authentik/endpoints/api/stages.py
-msgid "Selected connector is not compatible with this stage."
-msgstr ""
-
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr ""
@@ -808,14 +770,6 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""

-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclave"
-msgstr ""
-
-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclaves"
-msgstr ""
-
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -886,12 +840,6 @@ msgstr "Se requiere de Enterprise para crear/actualizar este objeto."
 msgid "Enterprise is required to use this endpoint."
 msgstr ""

-#: authentik/enterprise/audit/apps.py
-msgid ""
-"Include additional information in audit logs, may incur a performance "
-"penalty."
-msgstr ""
-
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -909,19 +857,6 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""

-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connector"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connectors"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Verificando tu navegador..."
-
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -938,6 +873,10 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""

+#: authentik/enterprise/lifecycle/api/rules.py
+msgid "Only one type-wide rule for each object type is allowed."
+msgstr ""
+
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -965,8 +904,7 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
-msgid ""
-"Access review is due for {self.content_type.name.lower()} {object_label}"
+msgid "Access review is due for {self.content_type.name} {str(self.object)}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
@@ -980,7 +918,7 @@ msgid ""
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to apply lifecycle rules."
+msgid "Dispatch tasks to validate lifecycle rules."
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
@@ -1221,14 +1159,6 @@ msgstr ""
 msgid "Enterprise is required to use the OAuth mode."
 msgstr ""

-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Push"
-msgstr ""
-
-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Pull"
-msgstr ""
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1310,78 +1240,6 @@ msgstr ""
 msgid "Generate data export."
 msgstr ""

-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "User to lock. If omitted, locks the current user (self-service)."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Lockdown flow is not applicable."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Choose the target account, then return a flow link."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured or the flow is not applicable"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Permission denied (when targeting another user)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Deactivate the user account (set is_active to False)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Set an unusable password for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Delete all active sessions for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Revoke all tokens for the user (API, app password, recovery, verification, "
-"OAuth)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Flow to redirect users to after self-service lockdown. This flow should not "
-"require authentication since the user's session is deleted."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "No target user specified for account lockdown"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "You do not have permission to lock down this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Account lockdown failed for this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Self-service account lockdown requires a completion flow."
-msgstr ""
-
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr ""
@@ -1402,6 +1260,10 @@ msgstr "Dispositivo de Punto de Conexión"
 msgid "Endpoint Devices"
 msgstr "Dispositivos de Punto de Conexión"

+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "Verificando tu navegador..."
+
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1485,12 +1347,6 @@ msgstr ""
 "Envía notificaciones solo una vez, por ejemplo, al enviar un webhook a un "
 "canal de chat."

-#: authentik/events/models.py
-msgid ""
-"When set, the selected ceritifcate is used to validate the certificate of "
-"the webhook server."
-msgstr ""
-
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1662,15 +1518,6 @@ msgstr "Políticas pre-flujo"
 msgid "Flow"
 msgstr "Flujo"

-#: authentik/flows/apps.py
-msgid "Refresh other tabs after successful authentication."
-msgstr ""
-
-#: authentik/flows/apps.py
-msgid ""
-"Upon successful authentication, re-start authentication in other open tabs."
-msgstr ""
-
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "El flujo no aplica al usuario actual."
@@ -1783,8 +1630,8 @@ msgstr "Token de flujo"
 msgid "Flow Tokens"
 msgstr "Tokens de flujo"

-#: authentik/flows/planner.py
-msgid "This link is invalid or has expired. Please request a new one."
+#: authentik/flows/templates/if/flow.html
+msgid "Site footer"
 msgstr ""

 #: authentik/flows/views/executor.py
@@ -2175,6 +2022,22 @@ msgstr "Puntuación de Reputacion"
 msgid "Reputation Scores"
 msgstr "Puntuaciones de Reputacion"

+#: authentik/policies/templates/policies/buffer.html
+msgid "Waiting for authentication..."
+msgstr "Esperando autenticación"
+
+#: authentik/policies/templates/policies/buffer.html
+msgid ""
+"You're already authenticating in another tab. This page will refresh once "
+"authentication is completed."
+msgstr ""
+"Ya estás autenticándote en otra pestaña. Esta página se actualizará una vez "
+"que la autenticación se haya completado."
+
+#: authentik/policies/templates/policies/buffer.html
+msgid "Authenticate in this tab"
+msgstr "Autenticar en esta pestaña"
+
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permiso denegado"
@@ -2303,14 +2166,6 @@ msgstr "Comparación de URL estricta"
 msgid "Regular Expression URL matching"
 msgstr "Coincidencia de URL con Expresiones Regulares"

-#: authentik/providers/oauth2/models.py
-msgid "Authorization"
-msgstr ""
-
-#: authentik/providers/oauth2/models.py
-msgid "Logout"
-msgstr ""
-
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr ""
@@ -2673,6 +2528,10 @@ msgstr "Proveedor de Proxy"
 msgid "Proxy Providers"
 msgstr "Proveedores de Proxy"

+#: authentik/providers/proxy/tasks.py
+msgid "Terminate session on Proxy outpost."
+msgstr "Terminar sesión en Proxy outpost."
+
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2804,10 +2663,8 @@ msgstr ""
 "vacío, no se agregará ninguna restricción de audiencia."

 #: authentik/providers/saml/models.py
-msgid ""
-"Also known as EntityID. Providing a value overrides the default issuer "
-"generated by authentik."
-msgstr ""
+msgid "Also known as EntityID"
+msgstr "También conocido como EntityID"

 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -3020,10 +2877,6 @@ msgstr ""
 msgid "SAML NameID format"
 msgstr ""

-#: authentik/providers/saml/models.py
-msgid "SAML Issuer used for this session"
-msgstr ""
-
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr ""
@@ -3052,14 +2905,6 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr ""

-#: authentik/providers/scim/models.py
-msgid "Webex"
-msgstr ""
-
-#: authentik/providers/scim/models.py
-msgid "vCenter"
-msgstr ""
-
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3343,7 +3188,7 @@ msgstr ""
 "                    Por favor, contacta a tu administrador.\n"
 "                "

-#: authentik/sources/ldap/api/sources.py
+#: authentik/sources/ldap/api.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr ""
 "Solo está permitida una Fuente de LDAP con sincronización de contraseña"
@@ -3877,12 +3722,6 @@ msgstr ""
 " un riesgo para la seguridad, ya que no se valida el identificador de la "
 "solicitud."

-#: authentik/sources/saml/models.py
-msgid ""
-"When enabled, the IdP will re-authenticate the user even if a session "
-"exists."
-msgstr ""
-
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4311,10 +4150,6 @@ msgstr "Etapas de Validación del Autenticador"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "No hay un autenticador MFA (permitido) configurado."

-#: authentik/stages/authenticator_webauthn/models.py
-msgid "When enabled, a given device can only be registered once."
-msgstr ""
-
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "Etapa de Configuración del Autenticador WebAuthn"
@@ -4453,10 +4288,6 @@ msgstr "OTP por Correo Electrónico"
 msgid "Event Notification"
 msgstr ""

-#: authentik/stages/email/models.py authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Invitación"
-
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4577,62 +4408,6 @@ msgstr ""
 "\n"
 "Este correo electrónico fue enviado desde el transporte de notificaciones %(name)s.\n"

-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"      You're Invited!\n"
-"      "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          You have been invited to join %(host)s. Click the button below to get started.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          This invitation expires %(expires)s.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "Accept Invitation"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
-"    "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "You're Invited!"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid ""
-"You have been invited to join %(host)s. Use the link below to get started."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid "This invitation expires %(expires)s."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid ""
-"If you cannot click the link above, please copy and paste the following URL "
-"into your browser:"
-msgstr ""
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4816,6 +4591,10 @@ msgstr "Cuando se habilita, la invitación se eliminará después de su uso."
 msgid "Optional fixed data to enforce on user enrollment."
 msgstr "Datos fijos opcionales para aplicar en la inscripción de usuarios."

+#: authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Invitación"
+
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Invitaciones"
@@ -4940,18 +4719,6 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr "Estático: valor estático, que se muestra tal cual."

-#: authentik/stages/prompt/models.py
-msgid "Alert (Info): Static alert box with info styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Warning): Static alert box with warning styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Danger): Static alert box with danger styling"
-msgstr ""
-
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr ""
--- a/locale/fi_FI/LC_MESSAGES/django.mo
+++ b/locale/fi_FI/LC_MESSAGES/django.mo
--- a/locale/fi_FI/LC_MESSAGES/django.po
+++ b/locale/fi_FI/LC_MESSAGES/django.po
@@ -5,18 +5,18 @@
 # 
 # Translators:
 # Marc Schmitt, 2025
+# Skyler Mäntysaari, 2025
 # Jiri Grönroos <jiri.gronroos@iki.fi>, 2025
-# Uumas, 2026
-# Skyler Mäntysaari, 2026
+# Viima Veteläinen, 2026
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-02-10 19:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
-"Last-Translator: Skyler Mäntysaari, 2026\n"
+"Last-Translator: Viima Veteläinen, 2026\n"
 "Language-Team: Finnish (Finland) (https://app.transifex.com/authentik/teams/119923/fi_FI/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -113,14 +113,6 @@ msgstr "Vahvistusvirhe"
 msgid "Blueprint file does not exist"
 msgstr "Suunnitelman tiedostoa ei löydetty"

-#: authentik/blueprints/api.py
-msgid "Context must be valid JSON"
-msgstr ""
-
-#: authentik/blueprints/api.py
-msgid "Context must be a JSON object"
-msgstr ""
-
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Suunnitelman validointi ei onnistunut"
@@ -129,11 +121,6 @@ msgstr "Suunnitelman validointi ei onnistunut"
 msgid "Either path or content must be set."
 msgstr "Joko polku tai sisältö on määritettävä."

-#: authentik/blueprints/api.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "Käyttäjältä puuttuu oikeus luoda {model}"
-
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Authentikin hallinnoima"
@@ -261,13 +248,10 @@ msgstr ""
 "true, vain taustakanava-tarjoajat palautetaan. Kun asetus on false, "
 "takakanava-tarjoajat suljetaan pois."

-#: authentik/core/api/users.py
-msgid "Invalid password hash format. Must be a valid Django password hash."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "Cannot set both password and password_hash. Use only one."
-msgstr ""
+#: authentik/core/api/transactional_applications.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr "Käyttäjältä puuttuu oikeus luoda {model}"

 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
@@ -329,12 +313,6 @@ msgstr "Sähköpostivaihetta ei löydetty."
 msgid "This field is required."
 msgstr "Tämä kenttä on pakollinen."

-#: authentik/core/apps.py
-msgid ""
-"Configure if applications without any policy/group/user bindings should be "
-"accessible to any user."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "name"
 msgstr "nimi"
@@ -441,10 +419,6 @@ msgstr "Sovelluksen sisäinen nimi, jota käytetään URLeissa."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Avaa käynnistys-URL uuteen selainvälilehteen tai -ikkunaan."

-#: authentik/core/models.py
-msgid "Hide this application from the user's My applications page."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Sovellus"
@@ -634,14 +608,6 @@ msgstr "Poista SAML-lähteiden luomat tilapäiset käyttäjät."
 msgid "Go home"
 msgstr "Siirry etusivulle"

-#: authentik/core/templates/login/base_full.html
-msgid "Site footer"
-msgstr "Sivuston alatunniste"
-
-#: authentik/core/templates/login/base_full.html
-msgid "Flow links"
-msgstr ""
-
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -748,10 +714,6 @@ msgstr ""
 msgid "Discover, import and update certificates from the filesystem."
 msgstr "Havaitse, tuo ja päivitä sertifikaatteja levyjärjestelmästä."

-#: authentik/endpoints/api/stages.py
-msgid "Selected connector is not compatible with this stage."
-msgstr ""
-
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr "Valittu alusta ei ole tuettu"
@@ -806,14 +768,6 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""

-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclave"
-msgstr ""
-
-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclaves"
-msgstr ""
-
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -884,12 +838,6 @@ msgstr "Tämän objektin luontiin/päivittämiseen tarvitaan Enterprise-versiota
 msgid "Enterprise is required to use this endpoint."
 msgstr ""

-#: authentik/enterprise/audit/apps.py
-msgid ""
-"Include additional information in audit logs, may incur a performance "
-"penalty."
-msgstr ""
-
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -907,19 +855,6 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""

-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connector"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connectors"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Selaintasi varmennetaan..."
-
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -936,6 +871,10 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""

+#: authentik/enterprise/lifecycle/api/rules.py
+msgid "Only one type-wide rule for each object type is allowed."
+msgstr ""
+
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -963,8 +902,7 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
-msgid ""
-"Access review is due for {self.content_type.name.lower()} {object_label}"
+msgid "Access review is due for {self.content_type.name} {str(self.object)}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
@@ -978,7 +916,7 @@ msgid ""
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to apply lifecycle rules."
+msgid "Dispatch tasks to validate lifecycle rules."
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
@@ -1222,14 +1160,6 @@ msgstr "EAP-TLS:n käyttöön tarvitaan Enterprise-versiota."
 msgid "Enterprise is required to use the OAuth mode."
 msgstr "OAuth-tilan käyttöön tarvitaan Enterprise-versiota."

-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Push"
-msgstr ""
-
-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Pull"
-msgstr ""
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1311,78 +1241,6 @@ msgstr "Lataa"
 msgid "Generate data export."
 msgstr ""

-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "User to lock. If omitted, locks the current user (self-service)."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Lockdown flow is not applicable."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Choose the target account, then return a flow link."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured or the flow is not applicable"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Permission denied (when targeting another user)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Deactivate the user account (set is_active to False)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Set an unusable password for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Delete all active sessions for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Revoke all tokens for the user (API, app password, recovery, verification, "
-"OAuth)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Flow to redirect users to after self-service lockdown. This flow should not "
-"require authentication since the user's session is deleted."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "No target user specified for account lockdown"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "You do not have permission to lock down this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Account lockdown failed for this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Self-service account lockdown requires a completion flow."
-msgstr ""
-
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr "Päätepisteen todentaja Google Device Trust Connector -vaihe"
@@ -1399,6 +1257,10 @@ msgstr "Päätelaite"
 msgid "Endpoint Devices"
 msgstr "Päätelaitteet"

+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "Selaintasi varmennetaan..."
+
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1482,12 +1344,6 @@ msgstr ""
 "Lähetä notifikaatio vain kerran, esimerkiksi kun lähetetään webhook-"
 "tapahtuma pikaviestinkanavalle."

-#: authentik/events/models.py
-msgid ""
-"When set, the selected ceritifcate is used to validate the certificate of "
-"the webhook server."
-msgstr ""
-
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1659,15 +1515,6 @@ msgstr "Prosessia edeltävät käytännöt"
 msgid "Flow"
 msgstr "Prosessi"

-#: authentik/flows/apps.py
-msgid "Refresh other tabs after successful authentication."
-msgstr ""
-
-#: authentik/flows/apps.py
-msgid ""
-"Upon successful authentication, re-start authentication in other open tabs."
-msgstr ""
-
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "Prosessi ei koske nykyistä käyttäjää."
@@ -1777,9 +1624,9 @@ msgstr "Prosessin tunniste"
 msgid "Flow Tokens"
 msgstr "Prosessin tunnisteet"

-#: authentik/flows/planner.py
-msgid "This link is invalid or has expired. Please request a new one."
-msgstr ""
+#: authentik/flows/templates/if/flow.html
+msgid "Site footer"
+msgstr "Sivuston alatunniste"

 #: authentik/flows/views/executor.py
 msgid "Invalid next URL"
@@ -2165,6 +2012,22 @@ msgstr "Mainepistemäärä"
 msgid "Reputation Scores"
 msgstr "Mainepistemäärät"

+#: authentik/policies/templates/policies/buffer.html
+msgid "Waiting for authentication..."
+msgstr "Odotetaan todennusta..."
+
+#: authentik/policies/templates/policies/buffer.html
+msgid ""
+"You're already authenticating in another tab. This page will refresh once "
+"authentication is completed."
+msgstr ""
+"Kirjaudut jo toisella välilehdellä. Tämä sivu päivittyy kun todennus on "
+"valmis."
+
+#: authentik/policies/templates/policies/buffer.html
+msgid "Authenticate in this tab"
+msgstr "Kirjaudu tällä välilehdellä"
+
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Käyttö evätty"
@@ -2293,14 +2156,6 @@ msgstr "Tiukka URL-vertailu"
 msgid "Regular Expression URL matching"
 msgstr "Regular Expression -pohjainen URL-vertailu"

-#: authentik/providers/oauth2/models.py
-msgid "Authorization"
-msgstr "Valtuutus"
-
-#: authentik/providers/oauth2/models.py
-msgid "Logout"
-msgstr "Kirjaudu ulos"
-
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr "Taustakanava"
@@ -2665,6 +2520,10 @@ msgstr "Välityspalveluntarjoaja"
 msgid "Proxy Providers"
 msgstr "Välityspalveluntarjoajat"

+#: authentik/providers/proxy/tasks.py
+msgid "Terminate session on Proxy outpost."
+msgstr "Katkaise istunto välityspalvelutukikohdasta."
+
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2797,10 +2656,8 @@ msgstr ""
 "yleisörajoitusta ei lisätä."

 #: authentik/providers/saml/models.py
-msgid ""
-"Also known as EntityID. Providing a value overrides the default issuer "
-"generated by authentik."
-msgstr ""
+msgid "Also known as EntityID"
+msgstr "Tunnetaan myös nimellä EntityID"

 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -3023,10 +2880,6 @@ msgstr "SAML NameID:n arvo tälle istunnolle"
 msgid "SAML NameID format"
 msgstr "SAML NameID:n muoto"

-#: authentik/providers/saml/models.py
-msgid "SAML Issuer used for this session"
-msgstr ""
-
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "SAML-istunto"
@@ -3055,14 +2908,6 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr "Salesforce"

-#: authentik/providers/scim/models.py
-msgid "Webex"
-msgstr ""
-
-#: authentik/providers/scim/models.py
-msgid "vCenter"
-msgstr ""
-
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3348,7 +3193,7 @@ msgstr ""
 "                    Ota yhteyttä ylläpitäjään.\n"
 "                "

-#: authentik/sources/ldap/api/sources.py
+#: authentik/sources/ldap/api.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr "Vain yksi LDAP-lähde salasanojen synkronoinnilla on sallittu"

@@ -3885,12 +3730,6 @@ msgstr ""
 "Sallii IdP-lähtöiset todentamisprosessit. Tämä voi olla tietoturvariski, "
 "koska pyynnön ID:tä ei validoida."

-#: authentik/sources/saml/models.py
-msgid ""
-"When enabled, the IdP will re-authenticate the user even if a session "
-"exists."
-msgstr ""
-
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4316,10 +4155,6 @@ msgstr "Todentajan validaatiovaiheet"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "Yhtään (sallittua) MFA-todentajaa ei ole määritelty."

-#: authentik/stages/authenticator_webauthn/models.py
-msgid "When enabled, a given device can only be registered once."
-msgstr ""
-
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "WebAuthn-todentajan asetusvaihe"
@@ -4458,10 +4293,6 @@ msgstr "Sähköposti-OTP"
 msgid "Event Notification"
 msgstr "Tapahtumanotifikaatio"

-#: authentik/stages/email/models.py authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Kutsu"
-
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4580,62 +4411,6 @@ msgstr ""
 "\n"
 "Tämä viesti on lähetetty notifikaatiokanavasta %(name)s.\n"

-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"      You're Invited!\n"
-"      "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          You have been invited to join %(host)s. Click the button below to get started.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          This invitation expires %(expires)s.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "Accept Invitation"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
-"    "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "You're Invited!"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid ""
-"You have been invited to join %(host)s. Use the link below to get started."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid "This invitation expires %(expires)s."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid ""
-"If you cannot click the link above, please copy and paste the following URL "
-"into your browser:"
-msgstr ""
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4816,6 +4591,10 @@ msgid "Optional fixed data to enforce on user enrollment."
 msgstr ""
 "Valinnainen kiinteä data joka pakotetaan käyttäjän rekisteröitymisessä."

+#: authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Kutsu"
+
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Kutsut"
@@ -4940,18 +4719,6 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr "Staattinen: Staattinen arvo, näytetään sellaisenaan."

-#: authentik/stages/prompt/models.py
-msgid "Alert (Info): Static alert box with info styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Warning): Static alert box with warning styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Danger): Static alert box with danger styling"
-msgstr ""
-
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik: Valittavat kielialueet, joita authentik tukee"
--- a/locale/fr_FR/LC_MESSAGES/django.po
+++ b/locale/fr_FR/LC_MESSAGES/django.po
@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-05-01 03:47+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
 "Last-Translator: Sp P, 2026\n"
 "Language-Team: French (France) (https://app.transifex.com/authentik/teams/119923/fr_FR/)\n"
@@ -116,14 +116,6 @@ msgstr "Erreur de Validation"
 msgid "Blueprint file does not exist"
 msgstr "Le fichier de plan n'existe pas"

-#: authentik/blueprints/api.py
-msgid "Context must be valid JSON"
-msgstr ""
-
-#: authentik/blueprints/api.py
-msgid "Context must be a JSON object"
-msgstr ""
-
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Échec de validation du plan"
--- a/locale/it_IT/LC_MESSAGES/django.mo
+++ b/locale/it_IT/LC_MESSAGES/django.mo
--- a/locale/it_IT/LC_MESSAGES/django.po
+++ b/locale/it_IT/LC_MESSAGES/django.po
@@ -5,16 +5,15 @@
 # 
 # Translators:
 # Marc Schmitt, 2025
-# Pao P, 2026
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-02-10 19:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
-"Last-Translator: Pao P, 2026\n"
+"Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: Italian (Italy) (https://app.transifex.com/authentik/teams/119923/it_IT/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -58,14 +57,12 @@ msgstr ""
 #: authentik/admin/files/validation.py
 #, python-brace-format
 msgid "File name too long (max {MAX_FILE_NAME_LENGTH} characters)"
-msgstr "Nome del file troppo lungo (max {MAX_FILE_NAME_LENGTH} caratteri)"
+msgstr ""

 #: authentik/admin/files/validation.py
 #, python-brace-format
 msgid "Path component too long (max {MAX_PATH_COMPONENT_LENGTH} characters)"
 msgstr ""
-"Componente del percorso troppo lungo (max {MAX_PATH_COMPONENT_LENGTH} "
-"caratteri)"

 #: authentik/admin/models.py
 msgid "Version history"
@@ -108,14 +105,6 @@ msgstr "Errore di validazione"
 msgid "Blueprint file does not exist"
 msgstr "File del progetto inesistente"

-#: authentik/blueprints/api.py
-msgid "Context must be valid JSON"
-msgstr ""
-
-#: authentik/blueprints/api.py
-msgid "Context must be a JSON object"
-msgstr ""
-
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Impossibile convalidare il progetto"
@@ -124,11 +113,6 @@ msgstr "Impossibile convalidare il progetto"
 msgid "Either path or content must be set."
 msgstr "È necessario impostare il percorso o il contenuto."

-#: authentik/blueprints/api.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "L'utente non ha i diritti per creare {model}"
-
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Gestito da authentik"
@@ -254,13 +238,10 @@ msgstr ""
 " vengono restituiti solo i provider di backchannel. Se impostato su falso, i"
 " provider di backchannel vengono esclusi"

-#: authentik/core/api/users.py
-msgid "Invalid password hash format. Must be a valid Django password hash."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "Cannot set both password and password_hash. Use only one."
-msgstr ""
+#: authentik/core/api/transactional_applications.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr "L'utente non ha i diritti per creare {model}"

 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
@@ -322,12 +303,6 @@ msgstr ""
 msgid "This field is required."
 msgstr "Questo campo è obbligatorio."

-#: authentik/core/apps.py
-msgid ""
-"Configure if applications without any policy/group/user bindings should be "
-"accessible to any user."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "name"
 msgstr "nome"
@@ -434,10 +409,6 @@ msgstr "Nome interno dell'applicazione, utilizzato negli URL."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Apri l'URL di avvio in una nuova scheda o finestra del browser."

-#: authentik/core/models.py
-msgid "Hide this application from the user's My applications page."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Applicazione"
@@ -626,14 +597,6 @@ msgstr "Rimuovi gli utenti temporanei creati da SAML Sources."
 msgid "Go home"
 msgstr "Vai alla pagina iniziale"

-#: authentik/core/templates/login/base_full.html
-msgid "Site footer"
-msgstr ""
-
-#: authentik/core/templates/login/base_full.html
-msgid "Flow links"
-msgstr ""
-
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -740,10 +703,6 @@ msgstr ""
 msgid "Discover, import and update certificates from the filesystem."
 msgstr "Scopri, importa e aggiorna i certificati dal file system."

-#: authentik/endpoints/api/stages.py
-msgid "Selected connector is not compatible with this stage."
-msgstr ""
-
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr ""
@@ -798,14 +757,6 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""

-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclave"
-msgstr ""
-
-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclaves"
-msgstr ""
-
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -876,12 +827,6 @@ msgstr "Versione Enterprise richiesta per creare/aggiornare questo oggetto"
 msgid "Enterprise is required to use this endpoint."
 msgstr ""

-#: authentik/enterprise/audit/apps.py
-msgid ""
-"Include additional information in audit logs, may incur a performance "
-"penalty."
-msgstr ""
-
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -899,19 +844,6 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""

-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connector"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connectors"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Verifica del tuo browser..."
-
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -928,6 +860,10 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""

+#: authentik/enterprise/lifecycle/api/rules.py
+msgid "Only one type-wide rule for each object type is allowed."
+msgstr ""
+
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -955,8 +891,7 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
-msgid ""
-"Access review is due for {self.content_type.name.lower()} {object_label}"
+msgid "Access review is due for {self.content_type.name} {str(self.object)}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
@@ -970,7 +905,7 @@ msgid ""
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to apply lifecycle rules."
+msgid "Dispatch tasks to validate lifecycle rules."
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
@@ -1218,14 +1153,6 @@ msgstr "Per Enterprise è tenuta a utilizzare EAP-TLS."
 msgid "Enterprise is required to use the OAuth mode."
 msgstr "Per Enterprise è obbligatorio utilizzare la modalità OAuth."

-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Push"
-msgstr ""
-
-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Pull"
-msgstr ""
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1307,78 +1234,6 @@ msgstr ""
 msgid "Generate data export."
 msgstr ""

-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "User to lock. If omitted, locks the current user (self-service)."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Lockdown flow is not applicable."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Choose the target account, then return a flow link."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured or the flow is not applicable"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Permission denied (when targeting another user)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Deactivate the user account (set is_active to False)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Set an unusable password for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Delete all active sessions for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Revoke all tokens for the user (API, app password, recovery, verification, "
-"OAuth)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Flow to redirect users to after self-service lockdown. This flow should not "
-"require authentication since the user's session is deleted."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "No target user specified for account lockdown"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "You do not have permission to lock down this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Account lockdown failed for this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Self-service account lockdown requires a completion flow."
-msgstr ""
-
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr ""
@@ -1397,6 +1252,10 @@ msgstr "Dispositivo di Accesso"
 msgid "Endpoint Devices"
 msgstr "Dispositivi di Accesso"

+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "Verifica del tuo browser..."
+
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1480,12 +1339,6 @@ msgstr ""
 "Invia una notifica solo una volta, ad esempio quando invii un webhook in un "
 "canale di chat."

-#: authentik/events/models.py
-msgid ""
-"When set, the selected ceritifcate is used to validate the certificate of "
-"the webhook server."
-msgstr ""
-
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1656,15 +1509,6 @@ msgstr "Politiche pre-flusso"
 msgid "Flow"
 msgstr "Flusso"

-#: authentik/flows/apps.py
-msgid "Refresh other tabs after successful authentication."
-msgstr ""
-
-#: authentik/flows/apps.py
-msgid ""
-"Upon successful authentication, re-start authentication in other open tabs."
-msgstr ""
-
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "Il flusso non si applica all'utente corrente."
@@ -1779,8 +1623,8 @@ msgstr "Token del flusso"
 msgid "Flow Tokens"
 msgstr "Tokens del flusso"

-#: authentik/flows/planner.py
-msgid "This link is invalid or has expired. Please request a new one."
+#: authentik/flows/templates/if/flow.html
+msgid "Site footer"
 msgstr ""

 #: authentik/flows/views/executor.py
@@ -2169,6 +2013,22 @@ msgstr "Punteggio di reputazione"
 msgid "Reputation Scores"
 msgstr "Punteggi di reputazione"

+#: authentik/policies/templates/policies/buffer.html
+msgid "Waiting for authentication..."
+msgstr "In attesa di autenticazione..."
+
+#: authentik/policies/templates/policies/buffer.html
+msgid ""
+"You're already authenticating in another tab. This page will refresh once "
+"authentication is completed."
+msgstr ""
+"Ti stai già autenticando in un'altra scheda. Questa pagina si aggiornerà una"
+" volta completata l'autenticazione."
+
+#: authentik/policies/templates/policies/buffer.html
+msgid "Authenticate in this tab"
+msgstr "Autenticati in questa scheda"
+
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permesso negato"
@@ -2296,14 +2156,6 @@ msgstr "Confronto URL rigoroso"
 msgid "Regular Expression URL matching"
 msgstr "Corrispondenza URL espressione regolare"

-#: authentik/providers/oauth2/models.py
-msgid "Authorization"
-msgstr ""
-
-#: authentik/providers/oauth2/models.py
-msgid "Logout"
-msgstr ""
-
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr ""
@@ -2666,6 +2518,10 @@ msgstr "Provider Proxy"
 msgid "Proxy Providers"
 msgstr "Providers Proxy"

+#: authentik/providers/proxy/tasks.py
+msgid "Terminate session on Proxy outpost."
+msgstr ""
+
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2797,10 +2653,8 @@ msgstr ""
 "vuoto, non verrà aggiunta alcuna restrizione sul pubblico."

 #: authentik/providers/saml/models.py
-msgid ""
-"Also known as EntityID. Providing a value overrides the default issuer "
-"generated by authentik."
-msgstr ""
+msgid "Also known as EntityID"
+msgstr "Conosciuto anche come EntityID"

 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -3014,10 +2868,6 @@ msgstr ""
 msgid "SAML NameID format"
 msgstr ""

-#: authentik/providers/saml/models.py
-msgid "SAML Issuer used for this session"
-msgstr ""
-
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "Sessione SAML "
@@ -3046,14 +2896,6 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr ""

-#: authentik/providers/scim/models.py
-msgid "Webex"
-msgstr ""
-
-#: authentik/providers/scim/models.py
-msgid "vCenter"
-msgstr ""
-
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3335,7 +3177,7 @@ msgstr ""
 " e di aver configurato correttamente il browser. \n"
 "Contatta il tuo amministratore."

-#: authentik/sources/ldap/api/sources.py
+#: authentik/sources/ldap/api.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr ""
 "È consentita solo una singola sorgente LDAP con sincronizzazione della "
@@ -3869,12 +3711,6 @@ msgstr ""
 "rappresentare un rischio per la sicurezza, poiché non viene eseguita alcuna "
 "convalida dell'ID richiesta."

-#: authentik/sources/saml/models.py
-msgid ""
-"When enabled, the IdP will re-authenticate the user even if a session "
-"exists."
-msgstr ""
-
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4306,10 +4142,6 @@ msgstr "Fasi di convalida dell'autenticatore"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "Nessun autenticatore MFA (consentito) configurato."

-#: authentik/stages/authenticator_webauthn/models.py
-msgid "When enabled, a given device can only be registered once."
-msgstr ""
-
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "Fase di configurazione dell'autenticatore WebAuthn"
@@ -4448,10 +4280,6 @@ msgstr "Email OTP"
 msgid "Event Notification"
 msgstr "Notifica evento"

-#: authentik/stages/email/models.py authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Invito"
-
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4570,62 +4398,6 @@ msgstr ""
 "\n"
 "Questa email è stata inviata dal trasporto delle notifiche %(name)s.\n"

-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"      You're Invited!\n"
-"      "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          You have been invited to join %(host)s. Click the button below to get started.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          This invitation expires %(expires)s.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "Accept Invitation"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
-"    "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "You're Invited!"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid ""
-"You have been invited to join %(host)s. Use the link below to get started."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid "This invitation expires %(expires)s."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid ""
-"If you cannot click the link above, please copy and paste the following URL "
-"into your browser:"
-msgstr ""
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4805,6 +4577,10 @@ msgstr "Se abilitato, l'invito verrà eliminato dopo l'utilizzo."
 msgid "Optional fixed data to enforce on user enrollment."
 msgstr "Dati fissi facoltativi da applicare alla registrazione dell'utente."

+#: authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Invito"
+
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Inviti"
@@ -4930,18 +4706,6 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr "Statico: Valore statico, visualizzato così com'è."

-#: authentik/stages/prompt/models.py
-msgid "Alert (Info): Static alert box with info styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Warning): Static alert box with warning styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Danger): Static alert box with danger styling"
-msgstr ""
-
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr ""
--- a/locale/ja_JP/LC_MESSAGES/django.mo
+++ b/locale/ja_JP/LC_MESSAGES/django.mo
--- a/locale/ja_JP/LC_MESSAGES/django.po
+++ b/locale/ja_JP/LC_MESSAGES/django.po
@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-02-10 19:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: Japanese (Japan) (https://app.transifex.com/authentik/teams/119923/ja_JP/)\n"
@@ -105,14 +105,6 @@ msgstr "検証エラー"
 msgid "Blueprint file does not exist"
 msgstr "ブループリントファイルがありません"

-#: authentik/blueprints/api.py
-msgid "Context must be valid JSON"
-msgstr ""
-
-#: authentik/blueprints/api.py
-msgid "Context must be a JSON object"
-msgstr ""
-
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "ブループリントの検証に失敗しました"
@@ -121,11 +113,6 @@ msgstr "ブループリントの検証に失敗しました"
 msgid "Either path or content must be set."
 msgstr "パスかコンテンツの設定は必須です。"

-#: authentik/blueprints/api.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "ユーザーは {model} を作成するための権限がありません"
-
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Managed by authentik"
@@ -241,13 +228,10 @@ msgid ""
 msgstr ""
 "設定されていない場合、すべてのプロバイダーが返されます。trueに設定すると、バックチャネルプロバイダーのみが返されます。falseに設定すると、バックチャネルプロバイダーは除外されます"

-#: authentik/core/api/users.py
-msgid "Invalid password hash format. Must be a valid Django password hash."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "Cannot set both password and password_hash. Use only one."
-msgstr ""
+#: authentik/core/api/transactional_applications.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr "ユーザーは {model} を作成するための権限がありません"

 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
@@ -309,12 +293,6 @@ msgstr ""
 msgid "This field is required."
 msgstr "このフィールドは必須です。"

-#: authentik/core/apps.py
-msgid ""
-"Configure if applications without any policy/group/user bindings should be "
-"accessible to any user."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "name"
 msgstr "名前"
@@ -417,10 +395,6 @@ msgstr "URLで使用される内部アプリ名。"
 msgid "Open launch URL in a new browser tab or window."
 msgstr "ブラウザーの新しいタブまたはウィンドウで起動URLを開きます。"

-#: authentik/core/models.py
-msgid "Hide this application from the user's My applications page."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "Application"
 msgstr "アプリ"
@@ -592,14 +566,6 @@ msgstr "SAMLで作成された一時ユーザを削除。"
 msgid "Go home"
 msgstr "ホームに戻る"

-#: authentik/core/templates/login/base_full.html
-msgid "Site footer"
-msgstr ""
-
-#: authentik/core/templates/login/base_full.html
-msgid "Flow links"
-msgstr ""
-
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -704,10 +670,6 @@ msgstr ""
 msgid "Discover, import and update certificates from the filesystem."
 msgstr "証明書をファイルシステムから検出、インポート、更新する。"

-#: authentik/endpoints/api/stages.py
-msgid "Selected connector is not compatible with this stage."
-msgstr ""
-
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr ""
@@ -762,14 +724,6 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""

-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclave"
-msgstr ""
-
-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclaves"
-msgstr ""
-
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -840,12 +794,6 @@ msgstr "このオブジェクトの作成/更新にはエンタープライズ
 msgid "Enterprise is required to use this endpoint."
 msgstr ""

-#: authentik/enterprise/audit/apps.py
-msgid ""
-"Include additional information in audit logs, may incur a performance "
-"penalty."
-msgstr ""
-
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -861,19 +809,6 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""

-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connector"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connectors"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "ブラウザの確認中...。"
-
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -890,6 +825,10 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""

+#: authentik/enterprise/lifecycle/api/rules.py
+msgid "Only one type-wide rule for each object type is allowed."
+msgstr ""
+
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -917,8 +856,7 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
-msgid ""
-"Access review is due for {self.content_type.name.lower()} {object_label}"
+msgid "Access review is due for {self.content_type.name} {str(self.object)}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
@@ -932,7 +870,7 @@ msgid ""
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to apply lifecycle rules."
+msgid "Dispatch tasks to validate lifecycle rules."
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
@@ -1157,14 +1095,6 @@ msgstr "EAP-TLSを使用するにはエンタープライズが必要です。"
 msgid "Enterprise is required to use the OAuth mode."
 msgstr "OAuthモードを使用するにはエンタープライズが必要です。"

-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Push"
-msgstr ""
-
-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Pull"
-msgstr ""
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1246,78 +1176,6 @@ msgstr ""
 msgid "Generate data export."
 msgstr ""

-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "User to lock. If omitted, locks the current user (self-service)."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Lockdown flow is not applicable."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Choose the target account, then return a flow link."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured or the flow is not applicable"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Permission denied (when targeting another user)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Deactivate the user account (set is_active to False)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Set an unusable password for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Delete all active sessions for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Revoke all tokens for the user (API, app password, recovery, verification, "
-"OAuth)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Flow to redirect users to after self-service lockdown. This flow should not "
-"require authentication since the user's session is deleted."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "No target user specified for account lockdown"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "You do not have permission to lock down this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Account lockdown failed for this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Self-service account lockdown requires a completion flow."
-msgstr ""
-
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr "エンドポイント認証器Google Device Trust Connectorステージ"
@@ -1334,6 +1192,10 @@ msgstr "エンドポイントデバイス"
 msgid "Endpoint Devices"
 msgstr "エンドポイントデバイス"

+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "ブラウザの確認中...。"
+
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1411,12 +1273,6 @@ msgid ""
 "channel."
 msgstr "チャットチャンネルにWebhookを送るときのような場合に、一度だけ通知を送信します。"

-#: authentik/events/models.py
-msgid ""
-"When set, the selected ceritifcate is used to validate the certificate of "
-"the webhook server."
-msgstr ""
-
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1576,15 +1432,6 @@ msgstr "事前フローのポリシー"
 msgid "Flow"
 msgstr "フロー"

-#: authentik/flows/apps.py
-msgid "Refresh other tabs after successful authentication."
-msgstr ""
-
-#: authentik/flows/apps.py
-msgid ""
-"Upon successful authentication, re-start authentication in other open tabs."
-msgstr ""
-
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "フローは現在のユーザーに適用されません。"
@@ -1689,8 +1536,8 @@ msgstr "フロートークン"
 msgid "Flow Tokens"
 msgstr "フロートークン"

-#: authentik/flows/planner.py
-msgid "This link is invalid or has expired. Please request a new one."
+#: authentik/flows/templates/if/flow.html
+msgid "Site footer"
 msgstr ""

 #: authentik/flows/views/executor.py
@@ -2050,6 +1897,20 @@ msgstr "評判スコア"
 msgid "Reputation Scores"
 msgstr "評判スコア"

+#: authentik/policies/templates/policies/buffer.html
+msgid "Waiting for authentication..."
+msgstr "認証を待機中...。"
+
+#: authentik/policies/templates/policies/buffer.html
+msgid ""
+"You're already authenticating in another tab. This page will refresh once "
+"authentication is completed."
+msgstr "別のタブで既に認証中です。認証が完了するとこのページが更新されます。"
+
+#: authentik/policies/templates/policies/buffer.html
+msgid "Authenticate in this tab"
+msgstr "このタブで認証"
+
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "権限がありません"
@@ -2170,14 +2031,6 @@ msgstr "厳密な URL 比較"
 msgid "Regular Expression URL matching"
 msgstr "正規表現 URL マッチング"

-#: authentik/providers/oauth2/models.py
-msgid "Authorization"
-msgstr ""
-
-#: authentik/providers/oauth2/models.py
-msgid "Logout"
-msgstr ""
-
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr "バックチャネル"
@@ -2505,6 +2358,10 @@ msgstr "プロキシプロバイダー"
 msgid "Proxy Providers"
 msgstr "プロキシプロバイダー"

+#: authentik/providers/proxy/tasks.py
+msgid "Terminate session on Proxy outpost."
+msgstr "Proxy Outpost でセッションを終了。"
+
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2628,10 +2485,8 @@ msgid ""
 msgstr "アサーションのオーディエンス制限フィールドの値。空の場合、オーディエンス制限は追加されません。"

 #: authentik/providers/saml/models.py
-msgid ""
-"Also known as EntityID. Providing a value overrides the default issuer "
-"generated by authentik."
-msgstr ""
+msgid "Also known as EntityID"
+msgstr "EntityID とも呼ばれる"

 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -2831,10 +2686,6 @@ msgstr "このセッションの SAML NameID 値"
 msgid "SAML NameID format"
 msgstr "SAML NameID フォーマット"

-#: authentik/providers/saml/models.py
-msgid "SAML Issuer used for this session"
-msgstr ""
-
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "SAML セッション"
@@ -2863,14 +2714,6 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr "Salesforce"

-#: authentik/providers/scim/models.py
-msgid "Webex"
-msgstr ""
-
-#: authentik/providers/scim/models.py
-msgid "vCenter"
-msgstr ""
-
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3135,7 +2978,7 @@ msgstr ""
 "                    管理者に連絡してください。\n"
 "                "

-#: authentik/sources/ldap/api/sources.py
+#: authentik/sources/ldap/api.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr "パスワード同期を備えた単一の LDAP ソースのみが許可されます"

@@ -3648,12 +3491,6 @@ msgid ""
 "risk, as no validation of the request ID is done."
 msgstr "IdP によって開始される認証フローを許可します。リクエスト ID の検証が行われないため、セキュリティリスクになる可能性があります。"

-#: authentik/sources/saml/models.py
-msgid ""
-"When enabled, the IdP will re-authenticate the user even if a session "
-"exists."
-msgstr ""
-
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4057,10 +3894,6 @@ msgstr "認証器検証ステージ"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "（許可された）MFA 認証器が設定されていません。"

-#: authentik/stages/authenticator_webauthn/models.py
-msgid "When enabled, a given device can only be registered once."
-msgstr ""
-
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "WebAuthn 認証器セットアップステージ"
@@ -4193,10 +4026,6 @@ msgstr "メール OTP"
 msgid "Event Notification"
 msgstr "イベント通知"

-#: authentik/stages/email/models.py authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "招待"
-
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4309,62 +4138,6 @@ msgstr ""
 "\n"
 "このメールは通知トランスポート %(name)s から送信されました。\n"

-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"      You're Invited!\n"
-"      "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          You have been invited to join %(host)s. Click the button below to get started.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          This invitation expires %(expires)s.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "Accept Invitation"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
-"    "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "You're Invited!"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid ""
-"You have been invited to join %(host)s. Use the link below to get started."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid "This invitation expires %(expires)s."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid ""
-"If you cannot click the link above, please copy and paste the following URL "
-"into your browser:"
-msgstr ""
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4528,6 +4301,10 @@ msgstr "有効にすると、招待は使用後に削除されます。"
 msgid "Optional fixed data to enforce on user enrollment."
 msgstr "ユーザー登録に強制するオプショナル固定データ。"

+#: authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "招待"
+
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "招待"
@@ -4638,18 +4415,6 @@ msgstr "非表示: 非表示フィールド、フォームにデータを挿入
 msgid "Static: Static value, displayed as-is."
 msgstr "静的: 静的値、そのまま表示。"

-#: authentik/stages/prompt/models.py
-msgid "Alert (Info): Static alert box with info styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Warning): Static alert box with warning styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Danger): Static alert box with danger styling"
-msgstr ""
-
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik: authentik がサポートするロケールの選択"
--- a/locale/no_NO/LC_MESSAGES/django.po
+++ b/locale/no_NO/LC_MESSAGES/django.po
@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-04-23 00:25+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
 "Last-Translator: Raphael Cancelliere, 2026\n"
 "Language-Team: Norwegian (Norway) (https://app.transifex.com/authentik/teams/119923/no_NO/)\n"
@@ -109,14 +109,6 @@ msgstr "Valideringsfeil"
 msgid "Blueprint file does not exist"
 msgstr "Blueprint-filen eksisterer ikke"

-#: authentik/blueprints/api.py
-msgid "Context must be valid JSON"
-msgstr ""
-
-#: authentik/blueprints/api.py
-msgid "Context must be a JSON object"
-msgstr ""
-
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Klarte ikke å validere blueprint"
@@ -255,14 +247,6 @@ msgstr ""
 " kun backchannel-leverandører. Når satt til false, ekskluderes backchannel-"
 "leverandører."

-#: authentik/core/api/users.py
-msgid "Invalid password hash format. Must be a valid Django password hash."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "Cannot set both password and password_hash. Use only one."
-msgstr ""
-
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
 msgstr "Ingen skråstreker i starten eller slutten er tillatt."
@@ -437,10 +421,6 @@ msgstr "Internt applikasjonsnavn, brukt i URL-er."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Åpne start-URL i en ny nettleserfane eller -vindu."

-#: authentik/core/models.py
-msgid "Hide this application from the user's My applications page."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Applikasjon"
@@ -937,6 +917,10 @@ msgstr "Enten en vurderingsgruppe eller en vurderer må være angitt."
 msgid "Grace period must be shorter than the interval."
 msgstr "Respittiden må være kortere enn intervallet."

+#: authentik/enterprise/lifecycle/api/rules.py
+msgid "Only one type-wide rule for each object type is allowed."
+msgstr "Kun én type-omfattende regel for hver objekttype er tillatt."
+
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -966,9 +950,9 @@ msgid "Go to {self._get_model_name()}"
 msgstr "Gå til {self._get_model_name()}"

 #: authentik/enterprise/lifecycle/models.py
-msgid ""
-"Access review is due for {self.content_type.name.lower()} {object_label}"
+msgid "Access review is due for {self.content_type.name} {str(self.object)}"
 msgstr ""
+"Tilgangsvurdering forfaller for {self.content_type.name} {str(self.object)}"

 #: authentik/enterprise/lifecycle/models.py
 msgid ""
@@ -984,8 +968,8 @@ msgstr ""
 "Tilgangsvurdering fullført for {self.content_type.name} {str(self.object)}"

 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to apply lifecycle rules."
-msgstr ""
+msgid "Dispatch tasks to validate lifecycle rules."
+msgstr "Send ut oppgaver for å validere livssyklusregler."

 #: authentik/enterprise/lifecycle/tasks.py
 msgid "Apply lifecycle rule."
@@ -1321,78 +1305,6 @@ msgstr "Last ned"
 msgid "Generate data export."
 msgstr "Generer eksport av data."

-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "User to lock. If omitted, locks the current user (self-service)."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Lockdown flow is not applicable."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Choose the target account, then return a flow link."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured or the flow is not applicable"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Permission denied (when targeting another user)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Deactivate the user account (set is_active to False)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Set an unusable password for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Delete all active sessions for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Revoke all tokens for the user (API, app password, recovery, verification, "
-"OAuth)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Flow to redirect users to after self-service lockdown. This flow should not "
-"require authentication since the user's session is deleted."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "No target user specified for account lockdown"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "You do not have permission to lock down this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Account lockdown failed for this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Self-service account lockdown requires a completion flow."
-msgstr ""
-
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr "Trinn for endepunktautentisering via Google Device Trust-kobling"
@@ -2793,10 +2705,8 @@ msgstr ""
 " vil ingen målgrupperestriksjon bli lagt til."

 #: authentik/providers/saml/models.py
-msgid ""
-"Also known as EntityID. Providing a value overrides the default issuer "
-"generated by authentik."
-msgstr ""
+msgid "Also known as EntityID"
+msgstr "Også kjent som EntityID"

 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -3014,10 +2924,6 @@ msgstr "SAML NameID-verdi for denne økten"
 msgid "SAML NameID format"
 msgstr "SAML NameID-format"

-#: authentik/providers/saml/models.py
-msgid "SAML Issuer used for this session"
-msgstr ""
-
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "SAML-økt"
@@ -3050,10 +2956,6 @@ msgstr "Salesforce"
 msgid "Webex"
 msgstr "Webex"

-#: authentik/providers/scim/models.py
-msgid "vCenter"
-msgstr ""
-
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr "Gruppefiltre brukt for å definere synkroniseringsomfang for grupper."
@@ -4928,18 +4830,6 @@ msgstr "Skjult: Skjult felt, kan brukes til å sette inn data i skjemaet."
 msgid "Static: Static value, displayed as-is."
 msgstr "Statisk: Statisk verdi, vises som den er."

-#: authentik/stages/prompt/models.py
-msgid "Alert (Info): Static alert box with info styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Warning): Static alert box with warning styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Danger): Static alert box with danger styling"
-msgstr ""
-
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik: Utvalg av språk som authentik støtter"
--- a/locale/pl_PL/LC_MESSAGES/django.mo
+++ b/locale/pl_PL/LC_MESSAGES/django.mo
--- a/locale/pl_PL/LC_MESSAGES/django.po
+++ b/locale/pl_PL/LC_MESSAGES/django.po
@@ -6,16 +6,16 @@
 # Translators:
 # Marc Schmitt, 2025
 # Darek “NeroPcStation” NeroPcStation <dareknowacki2001@gmail.com>, 2025
-# Jens L. <jens@goauthentik.io>, 2026
+# Jens L. <jens@goauthentik.io>, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-02-10 19:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
-"Last-Translator: Jens L. <jens@goauthentik.io>, 2026\n"
+"Last-Translator: Jens L. <jens@goauthentik.io>, 2025\n"
 "Language-Team: Polish (Poland) (https://app.transifex.com/authentik/teams/119923/pl_PL/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -107,14 +107,6 @@ msgstr "Błąd walidacji"
 msgid "Blueprint file does not exist"
 msgstr "Plik szablonu nie istnieje"

-#: authentik/blueprints/api.py
-msgid "Context must be valid JSON"
-msgstr ""
-
-#: authentik/blueprints/api.py
-msgid "Context must be a JSON object"
-msgstr ""
-
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Nie udało się zweryfikować szablonu"
@@ -123,11 +115,6 @@ msgstr "Nie udało się zweryfikować szablonu"
 msgid "Either path or content must be set."
 msgstr "Ścieżka albo treść muszą być ustawione."

-#: authentik/blueprints/api.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr ""
-
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Zarządzane przez authentik"
@@ -254,12 +241,9 @@ msgstr ""
 "zwracani są tylko dostawcy kanału zwrotnego. Gdy ustawiono na fałsz, "
 "dostawcy kanału zwrotnego są wykluczeni."

-#: authentik/core/api/users.py
-msgid "Invalid password hash format. Must be a valid Django password hash."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "Cannot set both password and password_hash. Use only one."
+#: authentik/core/api/transactional_applications.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
 msgstr ""

 #: authentik/core/api/users.py
@@ -322,12 +306,6 @@ msgstr ""
 msgid "This field is required."
 msgstr ""

-#: authentik/core/apps.py
-msgid ""
-"Configure if applications without any policy/group/user bindings should be "
-"accessible to any user."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "name"
 msgstr "nazwa"
@@ -434,10 +412,6 @@ msgstr "Wewnętrzna nazwa aplikacji, używana w adresach URL."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Otwórz adres URL uruchamiania w nowej karcie lub oknie przeglądarki."

-#: authentik/core/models.py
-msgid "Hide this application from the user's My applications page."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Aplikacja"
@@ -622,14 +596,6 @@ msgstr ""
 msgid "Go home"
 msgstr "Przejdź do domu"

-#: authentik/core/templates/login/base_full.html
-msgid "Site footer"
-msgstr ""
-
-#: authentik/core/templates/login/base_full.html
-msgid "Flow links"
-msgstr ""
-
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -736,10 +702,6 @@ msgstr ""
 msgid "Discover, import and update certificates from the filesystem."
 msgstr ""

-#: authentik/endpoints/api/stages.py
-msgid "Selected connector is not compatible with this stage."
-msgstr ""
-
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr ""
@@ -794,14 +756,6 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""

-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclave"
-msgstr ""
-
-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclaves"
-msgstr ""
-
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -873,12 +827,6 @@ msgstr ""
 msgid "Enterprise is required to use this endpoint."
 msgstr ""

-#: authentik/enterprise/audit/apps.py
-msgid ""
-"Include additional information in audit logs, may incur a performance "
-"penalty."
-msgstr ""
-
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -894,19 +842,6 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""

-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connector"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connectors"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Weryfikowanie Twojej przeglądarki..."
-
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -923,6 +858,10 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""

+#: authentik/enterprise/lifecycle/api/rules.py
+msgid "Only one type-wide rule for each object type is allowed."
+msgstr ""
+
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -950,8 +889,7 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
-msgid ""
-"Access review is due for {self.content_type.name.lower()} {object_label}"
+msgid "Access review is due for {self.content_type.name} {str(self.object)}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
@@ -965,7 +903,7 @@ msgid ""
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to apply lifecycle rules."
+msgid "Dispatch tasks to validate lifecycle rules."
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
@@ -1192,14 +1130,6 @@ msgstr ""
 msgid "Enterprise is required to use the OAuth mode."
 msgstr ""

-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Push"
-msgstr ""
-
-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Pull"
-msgstr ""
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1281,78 +1211,6 @@ msgstr "Pobierz"
 msgid "Generate data export."
 msgstr ""

-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "User to lock. If omitted, locks the current user (self-service)."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Lockdown flow is not applicable."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Choose the target account, then return a flow link."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured or the flow is not applicable"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Permission denied (when targeting another user)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Deactivate the user account (set is_active to False)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Set an unusable password for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Delete all active sessions for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Revoke all tokens for the user (API, app password, recovery, verification, "
-"OAuth)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Flow to redirect users to after self-service lockdown. This flow should not "
-"require authentication since the user's session is deleted."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "No target user specified for account lockdown"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "You do not have permission to lock down this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Account lockdown failed for this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Self-service account lockdown requires a completion flow."
-msgstr ""
-
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr ""
@@ -1369,6 +1227,10 @@ msgstr ""
 msgid "Endpoint Devices"
 msgstr ""

+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "Weryfikowanie Twojej przeglądarki..."
+
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1449,12 +1311,6 @@ msgstr ""
 "Wyślij powiadomienie tylko raz, na przykład podczas wysyłania webhooka na "
 "kanał czatu."

-#: authentik/events/models.py
-msgid ""
-"When set, the selected ceritifcate is used to validate the certificate of "
-"the webhook server."
-msgstr ""
-
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1619,15 +1475,6 @@ msgstr "Przed-przepływowe zasady"
 msgid "Flow"
 msgstr "Przepływ"

-#: authentik/flows/apps.py
-msgid "Refresh other tabs after successful authentication."
-msgstr ""
-
-#: authentik/flows/apps.py
-msgid ""
-"Upon successful authentication, re-start authentication in other open tabs."
-msgstr ""
-
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "Przepływ nie dotyczy bieżącego użytkownika."
@@ -1743,8 +1590,8 @@ msgstr "Token przepływu"
 msgid "Flow Tokens"
 msgstr "Tokeny przepływu"

-#: authentik/flows/planner.py
-msgid "This link is invalid or has expired. Please request a new one."
+#: authentik/flows/templates/if/flow.html
+msgid "Site footer"
 msgstr ""

 #: authentik/flows/views/executor.py
@@ -2128,6 +1975,20 @@ msgstr "Punkty reputacji"
 msgid "Reputation Scores"
 msgstr "Punkty reputacji"

+#: authentik/policies/templates/policies/buffer.html
+msgid "Waiting for authentication..."
+msgstr "Oczekiwanie na uwierzytelnienie..."
+
+#: authentik/policies/templates/policies/buffer.html
+msgid ""
+"You're already authenticating in another tab. This page will refresh once "
+"authentication is completed."
+msgstr ""
+
+#: authentik/policies/templates/policies/buffer.html
+msgid "Authenticate in this tab"
+msgstr ""
+
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Odmowa uprawnień"
@@ -2254,14 +2115,6 @@ msgstr ""
 msgid "Regular Expression URL matching"
 msgstr ""

-#: authentik/providers/oauth2/models.py
-msgid "Authorization"
-msgstr "Autoryzacja"
-
-#: authentik/providers/oauth2/models.py
-msgid "Logout"
-msgstr "Wyloguj"
-
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr ""
@@ -2612,6 +2465,10 @@ msgstr "Dostawca proxy"
 msgid "Proxy Providers"
 msgstr "Dostawcy proxy"

+#: authentik/providers/proxy/tasks.py
+msgid "Terminate session on Proxy outpost."
+msgstr ""
+
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2739,10 +2596,8 @@ msgstr ""
 " ograniczenie odbiorców nie zostanie dodane."

 #: authentik/providers/saml/models.py
-msgid ""
-"Also known as EntityID. Providing a value overrides the default issuer "
-"generated by authentik."
-msgstr ""
+msgid "Also known as EntityID"
+msgstr "Znany również jako EntityID"

 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -2946,10 +2801,6 @@ msgstr ""
 msgid "SAML NameID format"
 msgstr ""

-#: authentik/providers/saml/models.py
-msgid "SAML Issuer used for this session"
-msgstr ""
-
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr ""
@@ -2978,14 +2829,6 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr ""

-#: authentik/providers/scim/models.py
-msgid "Webex"
-msgstr ""
-
-#: authentik/providers/scim/models.py
-msgid "vCenter"
-msgstr ""
-
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3246,7 +3089,7 @@ msgid ""
 "                "
 msgstr ""

-#: authentik/sources/ldap/api/sources.py
+#: authentik/sources/ldap/api.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr ""

@@ -3773,12 +3616,6 @@ msgstr ""
 " Może to stanowić zagrożenie bezpieczeństwa, ponieważ nie przeprowadza się "
 "weryfikacji identyfikatora żądania."

-#: authentik/sources/saml/models.py
-msgid ""
-"When enabled, the IdP will re-authenticate the user even if a session "
-"exists."
-msgstr ""
-
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4192,10 +4029,6 @@ msgstr "Etapy weryfikacji uwierzytelniacza"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "Nie skonfigurowano (dozwolonego) uwierzytelniania MFA."

-#: authentik/stages/authenticator_webauthn/models.py
-msgid "When enabled, a given device can only be registered once."
-msgstr ""
-
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "Etap konfiguracji uwierzytelniacza WebAuthn"
@@ -4332,10 +4165,6 @@ msgstr ""
 msgid "Event Notification"
 msgstr ""

-#: authentik/stages/email/models.py authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Zaproszenie"
-
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4451,62 +4280,6 @@ msgstr ""
 "\n"
 "Ta wiadomość e-mail została wysłana z transportu powiadomień %(name)s.\n"

-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"      You're Invited!\n"
-"      "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          You have been invited to join %(host)s. Click the button below to get started.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          This invitation expires %(expires)s.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "Accept Invitation"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
-"    "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "You're Invited!"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid ""
-"You have been invited to join %(host)s. Use the link below to get started."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid "This invitation expires %(expires)s."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid ""
-"If you cannot click the link above, please copy and paste the following URL "
-"into your browser:"
-msgstr ""
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4683,6 +4456,10 @@ msgstr "Gdy ta opcja jest włączona, zaproszenie zostanie usunięte po użyciu.
 msgid "Optional fixed data to enforce on user enrollment."
 msgstr "Opcjonalne stałe dane do wymuszenia przy rejestracji użytkownika."

+#: authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Zaproszenie"
+
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Zaproszenia"
@@ -4806,18 +4583,6 @@ msgstr "Ukryte: Ukryte pole, może służyć do wstawiania danych do formularza.
 msgid "Static: Static value, displayed as-is."
 msgstr "Statyczny: wartość statyczna, wyświetlana w stanie, w jakim jest."

-#: authentik/stages/prompt/models.py
-msgid "Alert (Info): Static alert box with info styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Warning): Static alert box with warning styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Danger): Static alert box with danger styling"
-msgstr ""
-
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik: Wybór ustawień regionalnych obsługiwanych przez authentik"
--- a/locale/pt_BR/LC_MESSAGES/django.po
+++ b/locale/pt_BR/LC_MESSAGES/django.po
@@ -6,18 +6,17 @@
 # Translators:
 # Marc Schmitt, 2025
 # André Cristian Neidert, 2025
+# Rafael Mundel, 2025
 # Ariel Amaral, 2025
-# Rafael Mundel, 2026
-# Gil Poiares-Oliveira, 2026
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-02-10 19:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
-"Last-Translator: Gil Poiares-Oliveira, 2026\n"
+"Last-Translator: Ariel Amaral, 2025\n"
 "Language-Team: Portuguese (Brazil) (https://app.transifex.com/authentik/teams/119923/pt_BR/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -112,14 +111,6 @@ msgstr "Erro de Validação"
 msgid "Blueprint file does not exist"
 msgstr "Arquivo de Blueprint não existe"

-#: authentik/blueprints/api.py
-msgid "Context must be valid JSON"
-msgstr ""
-
-#: authentik/blueprints/api.py
-msgid "Context must be a JSON object"
-msgstr ""
-
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Falha ao validar o projeto"
@@ -128,11 +119,6 @@ msgstr "Falha ao validar o projeto"
 msgid "Either path or content must be set."
 msgstr "O caminho ou o conteúdo devem ser definidos."

-#: authentik/blueprints/api.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "O usuário não tem permissão para criar {model}"
-
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Gerenciado pelo authentik"
@@ -262,13 +248,10 @@ msgstr ""
 "true, somente os provedores de backchannel são retornados. Quando definido "
 "para false, provedores de backchannel são excluídos"

-#: authentik/core/api/users.py
-msgid "Invalid password hash format. Must be a valid Django password hash."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "Cannot set both password and password_hash. Use only one."
-msgstr ""
+#: authentik/core/api/transactional_applications.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr "O usuário não tem permissão para criar {model}"

 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
@@ -330,12 +313,6 @@ msgstr ""
 msgid "This field is required."
 msgstr "Este campo é obrigatório."

-#: authentik/core/apps.py
-msgid ""
-"Configure if applications without any policy/group/user bindings should be "
-"accessible to any user."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "name"
 msgstr "nome"
@@ -442,10 +419,6 @@ msgstr "Nome do aplicativo interno, usado em URLs."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Abra o URL de inicialização em uma nova guia ou janela do navegador."

-#: authentik/core/models.py
-msgid "Hide this application from the user's My applications page."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Aplicativo"
@@ -634,14 +607,6 @@ msgstr "Remover usuários temporários criados por Fontes SAML."
 msgid "Go home"
 msgstr "Ir para casa"

-#: authentik/core/templates/login/base_full.html
-msgid "Site footer"
-msgstr "Rodapé do site"
-
-#: authentik/core/templates/login/base_full.html
-msgid "Flow links"
-msgstr ""
-
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -750,10 +715,6 @@ msgstr "Visualizar chave privada do par de chaves"
 msgid "Discover, import and update certificates from the filesystem."
 msgstr "Descobrir, importar e atualizar certificados do sistema de arquivos."

-#: authentik/endpoints/api/stages.py
-msgid "Selected connector is not compatible with this stage."
-msgstr ""
-
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr "A plataforma selecionada não é compatível."
@@ -808,14 +769,6 @@ msgstr "Nonce Apple"
 msgid "Apple Nonces"
 msgstr "Nonces Apple"

-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclave"
-msgstr ""
-
-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclaves"
-msgstr ""
-
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -886,12 +839,6 @@ msgstr "Enterprise é necessário para criar/atualizar esse objeto."
 msgid "Enterprise is required to use this endpoint."
 msgstr "Enterprise é necessário para usar este endpoint."

-#: authentik/enterprise/audit/apps.py
-msgid ""
-"Include additional information in audit logs, may incur a performance "
-"penalty."
-msgstr ""
-
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -909,19 +856,6 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""

-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connector"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connectors"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Verificando seu navegador…"
-
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -938,6 +872,10 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""

+#: authentik/enterprise/lifecycle/api/rules.py
+msgid "Only one type-wide rule for each object type is allowed."
+msgstr ""
+
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -965,8 +903,7 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
-msgid ""
-"Access review is due for {self.content_type.name.lower()} {object_label}"
+msgid "Access review is due for {self.content_type.name} {str(self.object)}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
@@ -980,7 +917,7 @@ msgid ""
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to apply lifecycle rules."
+msgid "Dispatch tasks to validate lifecycle rules."
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
@@ -1224,14 +1161,6 @@ msgstr "Enterprise é necessário para usar EAP-TLS."
 msgid "Enterprise is required to use the OAuth mode."
 msgstr "Enterprise é necessário para usar o modo OAuth."

-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Push"
-msgstr ""
-
-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Pull"
-msgstr ""
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1313,78 +1242,6 @@ msgstr "Download"
 msgid "Generate data export."
 msgstr "Gerar exportação de dados."

-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "User to lock. If omitted, locks the current user (self-service)."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Lockdown flow is not applicable."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Choose the target account, then return a flow link."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured or the flow is not applicable"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Permission denied (when targeting another user)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Deactivate the user account (set is_active to False)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Set an unusable password for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Delete all active sessions for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Revoke all tokens for the user (API, app password, recovery, verification, "
-"OAuth)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Flow to redirect users to after self-service lockdown. This flow should not "
-"require authentication since the user's session is deleted."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "No target user specified for account lockdown"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "You do not have permission to lock down this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Account lockdown failed for this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Self-service account lockdown requires a completion flow."
-msgstr ""
-
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr "Etapa do Conector Google Device Trust do autenticador de endpoint."
@@ -1401,6 +1258,10 @@ msgstr "Dispositivo de endpoint."
 msgid "Endpoint Devices"
 msgstr "Dispositivos de endpoint."

+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "Verificando seu navegador…"
+
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1483,12 +1344,6 @@ msgstr ""
 "Envie uma notificação apenas uma vez, por exemplo, ao enviar um webhook para"
 " um canal de bate-papo."

-#: authentik/events/models.py
-msgid ""
-"When set, the selected ceritifcate is used to validate the certificate of "
-"the webhook server."
-msgstr ""
-
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1659,15 +1514,6 @@ msgstr "Políticas de pré-fluxo"
 msgid "Flow"
 msgstr "Fluxo"

-#: authentik/flows/apps.py
-msgid "Refresh other tabs after successful authentication."
-msgstr ""
-
-#: authentik/flows/apps.py
-msgid ""
-"Upon successful authentication, re-start authentication in other open tabs."
-msgstr ""
-
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "O fluxo não se aplica ao usuário atual."
@@ -1778,9 +1624,9 @@ msgstr "Token de Fluxo"
 msgid "Flow Tokens"
 msgstr "Tokens de Fluxo"

-#: authentik/flows/planner.py
-msgid "This link is invalid or has expired. Please request a new one."
-msgstr ""
+#: authentik/flows/templates/if/flow.html
+msgid "Site footer"
+msgstr "Rodapé do site"

 #: authentik/flows/views/executor.py
 msgid "Invalid next URL"
@@ -2164,6 +2010,22 @@ msgstr "Pontuação de reputação"
 msgid "Reputation Scores"
 msgstr "Pontuações de reputação"

+#: authentik/policies/templates/policies/buffer.html
+msgid "Waiting for authentication..."
+msgstr "Aguardando autenticação…"
+
+#: authentik/policies/templates/policies/buffer.html
+msgid ""
+"You're already authenticating in another tab. This page will refresh once "
+"authentication is completed."
+msgstr ""
+"Você já está autenticando em outra aba. Esta página será atualizada quando a"
+" autenticação for concluída."
+
+#: authentik/policies/templates/policies/buffer.html
+msgid "Authenticate in this tab"
+msgstr "Autenticar nesta aba"
+
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permissão negada"
@@ -2288,14 +2150,6 @@ msgstr "Comparação estrita de URL"
 msgid "Regular Expression URL matching"
 msgstr "Correspondência de URL por expressão regular"

-#: authentik/providers/oauth2/models.py
-msgid "Authorization"
-msgstr "Autorização"
-
-#: authentik/providers/oauth2/models.py
-msgid "Logout"
-msgstr "Sair"
-
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr "Back-channel"
@@ -2658,6 +2512,10 @@ msgstr "Provedor de proxy"
 msgid "Proxy Providers"
 msgstr "Provedores de proxy"

+#: authentik/providers/proxy/tasks.py
+msgid "Terminate session on Proxy outpost."
+msgstr "Encerrar sessão no outpost Proxy"
+
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2790,10 +2648,8 @@ msgstr ""
 "branco, nenhuma restrição de público será adicionada."

 #: authentik/providers/saml/models.py
-msgid ""
-"Also known as EntityID. Providing a value overrides the default issuer "
-"generated by authentik."
-msgstr ""
+msgid "Also known as EntityID"
+msgstr "Também conhecido como EntityID"

 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -3014,10 +2870,6 @@ msgstr "Valor do SAML NameID para essa sessão"
 msgid "SAML NameID format"
 msgstr "Formato do SAML NameID"

-#: authentik/providers/saml/models.py
-msgid "SAML Issuer used for this session"
-msgstr ""
-
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "Sessão SAML"
@@ -3046,14 +2898,6 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr "Salesforce"

-#: authentik/providers/scim/models.py
-msgid "Webex"
-msgstr ""
-
-#: authentik/providers/scim/models.py
-msgid "vCenter"
-msgstr ""
-
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3337,7 +3181,7 @@ msgstr ""
 "e que o navegador esteja configurado corretamente. \n"
 "Contate seu administrador."

-#: authentik/sources/ldap/api/sources.py
+#: authentik/sources/ldap/api.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr "Somente uma Origem LDAP com sincronização de senha é aceita"

@@ -3872,12 +3716,6 @@ msgstr ""
 "Permite fluxos de autenticação iniciados pelo IdP. Isso pode ser um risco de"
 " segurança, pois nenhuma validação do ID da solicitação é feita."

-#: authentik/sources/saml/models.py
-msgid ""
-"When enabled, the IdP will re-authenticate the user even if a session "
-"exists."
-msgstr ""
-
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4303,10 +4141,6 @@ msgstr "Etapas de validação do autenticador"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "Nenhum autenticador MFA (permitido) configurado."

-#: authentik/stages/authenticator_webauthn/models.py
-msgid "When enabled, a given device can only be registered once."
-msgstr ""
-
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "Estágio de configuração do autenticador WebAuthn"
@@ -4446,10 +4280,6 @@ msgstr "OTP por Email"
 msgid "Event Notification"
 msgstr "Notificação de Evento"

-#: authentik/stages/email/models.py authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Convite"
-
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4569,62 +4399,6 @@ msgstr ""
 "\n"
 "Este email foi enviado pelo transporte de notificações %(name)s.\n"

-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"      You're Invited!\n"
-"      "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          You have been invited to join %(host)s. Click the button below to get started.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          This invitation expires %(expires)s.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "Accept Invitation"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
-"    "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "You're Invited!"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid ""
-"You have been invited to join %(host)s. Use the link below to get started."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid "This invitation expires %(expires)s."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid ""
-"If you cannot click the link above, please copy and paste the following URL "
-"into your browser:"
-msgstr ""
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4803,6 +4577,10 @@ msgstr "Quando ativado, o convite será excluído após o uso."
 msgid "Optional fixed data to enforce on user enrollment."
 msgstr "Dados fixos opcionais para aplicar na inscrição do usuário."

+#: authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Convite"
+
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Convites"
@@ -4926,18 +4704,6 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr "Estático: valor estático, exibido como está."

-#: authentik/stages/prompt/models.py
-msgid "Alert (Info): Static alert box with info styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Warning): Static alert box with warning styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Danger): Static alert box with danger styling"
-msgstr ""
-
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik: Seleção de locais suportados pelo authentik"
--- a/locale/pt_PT/LC_MESSAGES/django.po
+++ b/locale/pt_PT/LC_MESSAGES/django.po
@@ -7,18 +7,17 @@
 # Hélder Silva <hsilva@keep.pt>, 2025
 # Sergio Reis, 2025
 # Marc Schmitt, 2025
+# Gil Poiares-Oliveira, 2025
 # Tiago Gaspar, 2025
-# G S, 2026
-# Gil Poiares-Oliveira, 2026
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-02-10 19:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
-"Last-Translator: Gil Poiares-Oliveira, 2026\n"
+"Last-Translator: Tiago Gaspar, 2025\n"
 "Language-Team: Portuguese (Portugal) (https://app.transifex.com/authentik/teams/119923/pt_PT/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -110,14 +109,6 @@ msgstr "Erro de validação"
 msgid "Blueprint file does not exist"
 msgstr "Ficheiro de modelos não existe"

-#: authentik/blueprints/api.py
-msgid "Context must be valid JSON"
-msgstr ""
-
-#: authentik/blueprints/api.py
-msgid "Context must be a JSON object"
-msgstr ""
-
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Falha na validação de modelo"
@@ -126,11 +117,6 @@ msgstr "Falha na validação de modelo"
 msgid "Either path or content must be set."
 msgstr "O caminho ou o conteúdo devem ser definidos."

-#: authentik/blueprints/api.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "O utilizador não tem permissão para criar {model}"
-
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Gerido por authentik"
@@ -258,13 +244,10 @@ msgstr ""
 "como verdadeiro, apenas os provedores de backchannel são retornados. Quando "
 "definido como falso, os provedores de backchannel são excluídos"

-#: authentik/core/api/users.py
-msgid "Invalid password hash format. Must be a valid Django password hash."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "Cannot set both password and password_hash. Use only one."
-msgstr ""
+#: authentik/core/api/transactional_applications.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr "O utilizador não tem permissão para criar {model}"

 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
@@ -326,12 +309,6 @@ msgstr ""
 msgid "This field is required."
 msgstr "Este campo é necessário."

-#: authentik/core/apps.py
-msgid ""
-"Configure if applications without any policy/group/user bindings should be "
-"accessible to any user."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "name"
 msgstr "nome"
@@ -438,10 +415,6 @@ msgstr "Nome interno da aplicação, usado em URLs."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Abrir o URL de inicialização num novo separador ou janela do browser."

-#: authentik/core/models.py
-msgid "Hide this application from the user's My applications page."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Aplicação"
@@ -629,14 +602,6 @@ msgstr ""
 msgid "Go home"
 msgstr "Ir para início"

-#: authentik/core/templates/login/base_full.html
-msgid "Site footer"
-msgstr ""
-
-#: authentik/core/templates/login/base_full.html
-msgid "Flow links"
-msgstr ""
-
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -743,10 +708,6 @@ msgstr ""
 msgid "Discover, import and update certificates from the filesystem."
 msgstr "Descobrir, importar e atualizar certificados do sistema de arquivos."

-#: authentik/endpoints/api/stages.py
-msgid "Selected connector is not compatible with this stage."
-msgstr ""
-
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr ""
@@ -801,14 +762,6 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""

-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclave"
-msgstr ""
-
-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclaves"
-msgstr ""
-
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -879,12 +832,6 @@ msgstr "Enterprise necessário para criar/atualizar este objeto."
 msgid "Enterprise is required to use this endpoint."
 msgstr ""

-#: authentik/enterprise/audit/apps.py
-msgid ""
-"Include additional information in audit logs, may incur a performance "
-"penalty."
-msgstr ""
-
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -902,19 +849,6 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""

-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connector"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connectors"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "A verificar o seu browser..."
-
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -931,6 +865,10 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""

+#: authentik/enterprise/lifecycle/api/rules.py
+msgid "Only one type-wide rule for each object type is allowed."
+msgstr ""
+
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -958,8 +896,7 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
-msgid ""
-"Access review is due for {self.content_type.name.lower()} {object_label}"
+msgid "Access review is due for {self.content_type.name} {str(self.object)}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
@@ -973,7 +910,7 @@ msgid ""
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to apply lifecycle rules."
+msgid "Dispatch tasks to validate lifecycle rules."
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
@@ -1203,14 +1140,6 @@ msgstr ""
 msgid "Enterprise is required to use the OAuth mode."
 msgstr ""

-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Push"
-msgstr ""
-
-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Pull"
-msgstr ""
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1292,78 +1221,6 @@ msgstr "Descarregar"
 msgid "Generate data export."
 msgstr ""

-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "User to lock. If omitted, locks the current user (self-service)."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Lockdown flow is not applicable."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Choose the target account, then return a flow link."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured or the flow is not applicable"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Permission denied (when targeting another user)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Deactivate the user account (set is_active to False)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Set an unusable password for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Delete all active sessions for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Revoke all tokens for the user (API, app password, recovery, verification, "
-"OAuth)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Flow to redirect users to after self-service lockdown. This flow should not "
-"require authentication since the user's session is deleted."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "No target user specified for account lockdown"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "You do not have permission to lock down this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Account lockdown failed for this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Self-service account lockdown requires a completion flow."
-msgstr ""
-
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr ""
@@ -1382,6 +1239,10 @@ msgstr "Dispositivo do ponto de ligação"
 msgid "Endpoint Devices"
 msgstr "Dispositivos do ponto de ligação"

+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "A verificar o seu browser..."
+
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1462,12 +1323,6 @@ msgstr ""
 "Enviar a notificação apenas uma vez, por exemplo, ao enviar um webhook para "
 "um canal de chat."

-#: authentik/events/models.py
-msgid ""
-"When set, the selected ceritifcate is used to validate the certificate of "
-"the webhook server."
-msgstr ""
-
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1634,15 +1489,6 @@ msgstr "Políticas de pré-fluxo"
 msgid "Flow"
 msgstr "Fluxo"

-#: authentik/flows/apps.py
-msgid "Refresh other tabs after successful authentication."
-msgstr ""
-
-#: authentik/flows/apps.py
-msgid ""
-"Upon successful authentication, re-start authentication in other open tabs."
-msgstr ""
-
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "O fluxo não se aplica ao utilizador atual."
@@ -1756,8 +1602,8 @@ msgstr "Token do fluxo"
 msgid "Flow Tokens"
 msgstr "Tokens do fluxo"

-#: authentik/flows/planner.py
-msgid "This link is invalid or has expired. Please request a new one."
+#: authentik/flows/templates/if/flow.html
+msgid "Site footer"
 msgstr ""

 #: authentik/flows/views/executor.py
@@ -2145,6 +1991,20 @@ msgstr "Pontuação da reputação"
 msgid "Reputation Scores"
 msgstr "Pontuações da reputação"

+#: authentik/policies/templates/policies/buffer.html
+msgid "Waiting for authentication..."
+msgstr "A aguardar autenticação"
+
+#: authentik/policies/templates/policies/buffer.html
+msgid ""
+"You're already authenticating in another tab. This page will refresh once "
+"authentication is completed."
+msgstr ""
+
+#: authentik/policies/templates/policies/buffer.html
+msgid "Authenticate in this tab"
+msgstr "Autenticar nesta aba"
+
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permissão negada"
@@ -2270,14 +2130,6 @@ msgstr "Comparação rigorosa de URL"
 msgid "Regular Expression URL matching"
 msgstr "Correspondência de URL com expressões regulares"

-#: authentik/providers/oauth2/models.py
-msgid "Authorization"
-msgstr "Autorização"
-
-#: authentik/providers/oauth2/models.py
-msgid "Logout"
-msgstr ""
-
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr "Back-channel"
@@ -2640,6 +2492,10 @@ msgstr "Provedor de Proxy"
 msgid "Proxy Providers"
 msgstr "Provedores de Proxy"

+#: authentik/providers/proxy/tasks.py
+msgid "Terminate session on Proxy outpost."
+msgstr "Terminar sessão no Proxy outpost "
+
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2773,10 +2629,8 @@ msgstr ""
 "branco, nenhuma restrição de audiência será adicionada."

 #: authentik/providers/saml/models.py
-msgid ""
-"Also known as EntityID. Providing a value overrides the default issuer "
-"generated by authentik."
-msgstr ""
+msgid "Also known as EntityID"
+msgstr "Também conhecido como EntityID."

 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -2995,10 +2849,6 @@ msgstr ""
 msgid "SAML NameID format"
 msgstr ""

-#: authentik/providers/saml/models.py
-msgid "SAML Issuer used for this session"
-msgstr ""
-
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "Instância SAML"
@@ -3027,14 +2877,6 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr "Salesforce"

-#: authentik/providers/scim/models.py
-msgid "Webex"
-msgstr ""
-
-#: authentik/providers/scim/models.py
-msgid "vCenter"
-msgstr ""
-
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3314,7 +3156,7 @@ msgstr ""
 "                    Contacte o seu administrador.\n"
 "                "

-#: authentik/sources/ldap/api/sources.py
+#: authentik/sources/ldap/api.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr ""
 "Apenas é permitida uma única fonte LDAP com sincronização de palavras-passe"
@@ -3846,12 +3688,6 @@ msgstr ""
 "Permite fluxos de autenticação iniciados pelo IdP. Isto pode ser um risco de"
 " segurança uma vez que não é feita nenhuma validação do ID do pedido."

-#: authentik/sources/saml/models.py
-msgid ""
-"When enabled, the IdP will re-authenticate the user even if a session "
-"exists."
-msgstr ""
-
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4276,10 +4112,6 @@ msgstr "Etapas de validação do autenticador"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "Nenhum autenticador MFA (permitido) configurado."

-#: authentik/stages/authenticator_webauthn/models.py
-msgid "When enabled, a given device can only be registered once."
-msgstr ""
-
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "Etapa de configuração do autenticador WebAuthn"
@@ -4417,10 +4249,6 @@ msgstr "OTP E-mail"
 msgid "Event Notification"
 msgstr "Notificação de Evento"

-#: authentik/stages/email/models.py authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Convite"
-
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4540,62 +4368,6 @@ msgstr ""
 "\n"
 "Este e-mail foi enviado a partir do transporte de notificações %(name)s.\n"

-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"      You're Invited!\n"
-"      "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          You have been invited to join %(host)s. Click the button below to get started.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          This invitation expires %(expires)s.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "Accept Invitation"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
-"    "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "You're Invited!"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid ""
-"You have been invited to join %(host)s. Use the link below to get started."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid "This invitation expires %(expires)s."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid ""
-"If you cannot click the link above, please copy and paste the following URL "
-"into your browser:"
-msgstr ""
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4781,6 +4553,10 @@ msgstr "Quando ativado, o convite será eliminado após utilização."
 msgid "Optional fixed data to enforce on user enrollment."
 msgstr "Dados fixos opcionais a aplicar no registo de utilizadores."

+#: authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Convite"
+
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Convites"
@@ -4906,18 +4682,6 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr "Estático: Valor estático, mostrado tal como é."

-#: authentik/stages/prompt/models.py
-msgid "Alert (Info): Static alert box with info styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Warning): Static alert box with warning styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Danger): Static alert box with danger styling"
-msgstr ""
-
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik: Seleção de localizações suportadas"
--- a/locale/ru_RU/LC_MESSAGES/django.mo
+++ b/locale/ru_RU/LC_MESSAGES/django.mo
--- a/locale/ru_RU/LC_MESSAGES/django.po
+++ b/locale/ru_RU/LC_MESSAGES/django.po
@@ -6,16 +6,16 @@
 # Translators:
 # Marc Schmitt, 2025
 # Vladimir, 2025
-# Andrey Boyko, 2026
+# Andrey Boyko, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-02-10 19:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
-"Last-Translator: Andrey Boyko, 2026\n"
+"Last-Translator: Andrey Boyko, 2025\n"
 "Language-Team: Russian (Russia) (https://app.transifex.com/authentik/teams/119923/ru_RU/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -107,14 +107,6 @@ msgstr "Ошибка валидации"
 msgid "Blueprint file does not exist"
 msgstr "Файл чертежа не существует"

-#: authentik/blueprints/api.py
-msgid "Context must be valid JSON"
-msgstr ""
-
-#: authentik/blueprints/api.py
-msgid "Context must be a JSON object"
-msgstr ""
-
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr ""
@@ -123,11 +115,6 @@ msgstr ""
 msgid "Either path or content must be set."
 msgstr "Путь или содержимое должно быть установлено."

-#: authentik/blueprints/api.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr ""
-
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Управляется authentik"
@@ -255,12 +242,9 @@ msgstr ""
 "значение true, возвращаются только провайдеры обратного канала. При значении"
 " false провайдеры обратного канала исключаются."

-#: authentik/core/api/users.py
-msgid "Invalid password hash format. Must be a valid Django password hash."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "Cannot set both password and password_hash. Use only one."
+#: authentik/core/api/transactional_applications.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
 msgstr ""

 #: authentik/core/api/users.py
@@ -323,12 +307,6 @@ msgstr ""
 msgid "This field is required."
 msgstr ""

-#: authentik/core/apps.py
-msgid ""
-"Configure if applications without any policy/group/user bindings should be "
-"accessible to any user."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "name"
 msgstr "имя"
@@ -435,10 +413,6 @@ msgstr "Внутреннее имя приложения, используемо
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Открыть URL-адрес запуска в новой вкладке или окне браузера."

-#: authentik/core/models.py
-msgid "Hide this application from the user's My applications page."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Приложение"
@@ -630,14 +604,6 @@ msgstr ""
 msgid "Go home"
 msgstr "Домой"

-#: authentik/core/templates/login/base_full.html
-msgid "Site footer"
-msgstr ""
-
-#: authentik/core/templates/login/base_full.html
-msgid "Flow links"
-msgstr ""
-
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -744,10 +710,6 @@ msgstr ""
 msgid "Discover, import and update certificates from the filesystem."
 msgstr ""

-#: authentik/endpoints/api/stages.py
-msgid "Selected connector is not compatible with this stage."
-msgstr ""
-
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr ""
@@ -802,14 +764,6 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""

-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclave"
-msgstr ""
-
-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclaves"
-msgstr ""
-
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -880,12 +834,6 @@ msgstr "Для создания/обновления этого объекта
 msgid "Enterprise is required to use this endpoint."
 msgstr ""

-#: authentik/enterprise/audit/apps.py
-msgid ""
-"Include additional information in audit logs, may incur a performance "
-"penalty."
-msgstr ""
-
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -901,19 +849,6 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""

-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connector"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connectors"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Проверка вашего браузера..."
-
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -930,6 +865,10 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""

+#: authentik/enterprise/lifecycle/api/rules.py
+msgid "Only one type-wide rule for each object type is allowed."
+msgstr ""
+
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -957,8 +896,7 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
-msgid ""
-"Access review is due for {self.content_type.name.lower()} {object_label}"
+msgid "Access review is due for {self.content_type.name} {str(self.object)}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
@@ -972,7 +910,7 @@ msgid ""
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to apply lifecycle rules."
+msgid "Dispatch tasks to validate lifecycle rules."
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
@@ -1198,14 +1136,6 @@ msgstr ""
 msgid "Enterprise is required to use the OAuth mode."
 msgstr ""

-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Push"
-msgstr ""
-
-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Pull"
-msgstr ""
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1287,78 +1217,6 @@ msgstr "Скачать"
 msgid "Generate data export."
 msgstr ""

-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "User to lock. If omitted, locks the current user (self-service)."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Lockdown flow is not applicable."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Choose the target account, then return a flow link."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured or the flow is not applicable"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Permission denied (when targeting another user)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Deactivate the user account (set is_active to False)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Set an unusable password for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Delete all active sessions for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Revoke all tokens for the user (API, app password, recovery, verification, "
-"OAuth)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Flow to redirect users to after self-service lockdown. This flow should not "
-"require authentication since the user's session is deleted."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "No target user specified for account lockdown"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "You do not have permission to lock down this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Account lockdown failed for this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Self-service account lockdown requires a completion flow."
-msgstr ""
-
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr ""
@@ -1378,6 +1236,10 @@ msgstr "Конечное устройство"
 msgid "Endpoint Devices"
 msgstr "Конечные устройства"

+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "Проверка вашего браузера..."
+
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1458,12 +1320,6 @@ msgstr ""
 "Отправлять уведомление только один раз, например, при отправке вебхука в "
 "чат-канал."

-#: authentik/events/models.py
-msgid ""
-"When set, the selected ceritifcate is used to validate the certificate of "
-"the webhook server."
-msgstr ""
-
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1627,15 +1483,6 @@ msgstr "Предварительные политики потока"
 msgid "Flow"
 msgstr "Поток"

-#: authentik/flows/apps.py
-msgid "Refresh other tabs after successful authentication."
-msgstr ""
-
-#: authentik/flows/apps.py
-msgid ""
-"Upon successful authentication, re-start authentication in other open tabs."
-msgstr ""
-
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "Поток не применяется к текущему пользователю."
@@ -1748,8 +1595,8 @@ msgstr "Токен потока"
 msgid "Flow Tokens"
 msgstr "Токены потока"

-#: authentik/flows/planner.py
-msgid "This link is invalid or has expired. Please request a new one."
+#: authentik/flows/templates/if/flow.html
+msgid "Site footer"
 msgstr ""

 #: authentik/flows/views/executor.py
@@ -2136,6 +1983,20 @@ msgstr "Оценка репутации"
 msgid "Reputation Scores"
 msgstr "Оценка репутации"

+#: authentik/policies/templates/policies/buffer.html
+msgid "Waiting for authentication..."
+msgstr ""
+
+#: authentik/policies/templates/policies/buffer.html
+msgid ""
+"You're already authenticating in another tab. This page will refresh once "
+"authentication is completed."
+msgstr ""
+
+#: authentik/policies/templates/policies/buffer.html
+msgid "Authenticate in this tab"
+msgstr ""
+
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Доступ запрещен"
@@ -2263,14 +2124,6 @@ msgstr ""
 msgid "Regular Expression URL matching"
 msgstr ""

-#: authentik/providers/oauth2/models.py
-msgid "Authorization"
-msgstr "Авторизация"
-
-#: authentik/providers/oauth2/models.py
-msgid "Logout"
-msgstr "Выход"
-
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr ""
@@ -2625,6 +2478,10 @@ msgstr "Прокси провайдер"
 msgid "Proxy Providers"
 msgstr "Прокси провайдеры"

+#: authentik/providers/proxy/tasks.py
+msgid "Terminate session on Proxy outpost."
+msgstr ""
+
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2754,10 +2611,8 @@ msgstr ""
 " ограничение аудитории не будет добавлено."

 #: authentik/providers/saml/models.py
-msgid ""
-"Also known as EntityID. Providing a value overrides the default issuer "
-"generated by authentik."
-msgstr ""
+msgid "Also known as EntityID"
+msgstr "Также известен как EntityID"

 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -2967,10 +2822,6 @@ msgstr ""
 msgid "SAML NameID format"
 msgstr ""

-#: authentik/providers/saml/models.py
-msgid "SAML Issuer used for this session"
-msgstr ""
-
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr ""
@@ -2999,14 +2850,6 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr ""

-#: authentik/providers/scim/models.py
-msgid "Webex"
-msgstr ""
-
-#: authentik/providers/scim/models.py
-msgid "vCenter"
-msgstr ""
-
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3276,7 +3119,7 @@ msgid ""
 "                "
 msgstr ""

-#: authentik/sources/ldap/api/sources.py
+#: authentik/sources/ldap/api.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr ""

@@ -3803,12 +3646,6 @@ msgstr ""
 "угрозу безопасности, так как проверка идентификатора запроса не "
 "производится."

-#: authentik/sources/saml/models.py
-msgid ""
-"When enabled, the IdP will re-authenticate the user even if a session "
-"exists."
-msgstr ""
-
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4222,10 +4059,6 @@ msgstr "Этапы проверки аутентификатора"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "Не сконфигурирован ни один (разрешенный) MFA аутентификатор"

-#: authentik/stages/authenticator_webauthn/models.py
-msgid "When enabled, a given device can only be registered once."
-msgstr ""
-
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "Этап настройки аутентификатора WebAuthn"
@@ -4362,10 +4195,6 @@ msgstr ""
 msgid "Event Notification"
 msgstr ""

-#: authentik/stages/email/models.py authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Приглашение"
-
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4480,62 +4309,6 @@ msgstr ""
 "\n"
 "Это письмо было отправлено с помощью поставщика уведомления %(name)s.\n"

-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"      You're Invited!\n"
-"      "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          You have been invited to join %(host)s. Click the button below to get started.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          This invitation expires %(expires)s.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "Accept Invitation"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
-"    "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "You're Invited!"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid ""
-"You have been invited to join %(host)s. Use the link below to get started."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid "This invitation expires %(expires)s."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid ""
-"If you cannot click the link above, please copy and paste the following URL "
-"into your browser:"
-msgstr ""
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4715,6 +4488,10 @@ msgstr ""
 "Необязательные фиксированные данные, которые будут применяться при "
 "регистрации пользователя."

+#: authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Приглашение"
+
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Приглашения"
@@ -4840,18 +4617,6 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr "Статический: Статичное значение, отображается как есть."

-#: authentik/stages/prompt/models.py
-msgid "Alert (Info): Static alert box with info styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Warning): Static alert box with warning styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Danger): Static alert box with danger styling"
-msgstr ""
-
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik: Выбор локализаций, которые поддерживает authentik"
--- a/locale/tr_TR/LC_MESSAGES/django.mo
+++ b/locale/tr_TR/LC_MESSAGES/django.mo
--- a/locale/tr_TR/LC_MESSAGES/django.po
+++ b/locale/tr_TR/LC_MESSAGES/django.po
@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-02-10 19:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: Turkish (Turkey) (https://app.transifex.com/authentik/teams/119923/tr_TR/)\n"
@@ -105,14 +105,6 @@ msgstr "Doğrulama Hatası"
 msgid "Blueprint file does not exist"
 msgstr "Plan dosyası mevcut değil"

-#: authentik/blueprints/api.py
-msgid "Context must be valid JSON"
-msgstr ""
-
-#: authentik/blueprints/api.py
-msgid "Context must be a JSON object"
-msgstr ""
-
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Plan doğrulanamadı"
@@ -121,11 +113,6 @@ msgstr "Plan doğrulanamadı"
 msgid "Either path or content must be set."
 msgstr "Ya yol ya da içerik ayarlanmalıdır."

-#: authentik/blueprints/api.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr ""
-
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Authentik tarafından yönetilmektedir"
@@ -252,12 +239,9 @@ msgstr ""
 "yalnızca arka kanal sağlayıcıları döndürülür. false olarak ayarlandığında, "
 "arka kanal sağlayıcıları hariç tutulur"

-#: authentik/core/api/users.py
-msgid "Invalid password hash format. Must be a valid Django password hash."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "Cannot set both password and password_hash. Use only one."
+#: authentik/core/api/transactional_applications.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
 msgstr ""

 #: authentik/core/api/users.py
@@ -320,12 +304,6 @@ msgstr ""
 msgid "This field is required."
 msgstr ""

-#: authentik/core/apps.py
-msgid ""
-"Configure if applications without any policy/group/user bindings should be "
-"accessible to any user."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "name"
 msgstr "isim"
@@ -433,10 +411,6 @@ msgid "Open launch URL in a new browser tab or window."
 msgstr ""
 "Başlatma URL'sini yeni bir tarayıcı sekmesinde veya penceresinde açın."

-#: authentik/core/models.py
-msgid "Hide this application from the user's My applications page."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Uygulama"
@@ -623,14 +597,6 @@ msgstr ""
 msgid "Go home"
 msgstr "Başa dön"

-#: authentik/core/templates/login/base_full.html
-msgid "Site footer"
-msgstr ""
-
-#: authentik/core/templates/login/base_full.html
-msgid "Flow links"
-msgstr ""
-
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -737,10 +703,6 @@ msgstr ""
 msgid "Discover, import and update certificates from the filesystem."
 msgstr ""

-#: authentik/endpoints/api/stages.py
-msgid "Selected connector is not compatible with this stage."
-msgstr ""
-
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr ""
@@ -795,14 +757,6 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""

-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclave"
-msgstr ""
-
-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclaves"
-msgstr ""
-
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -873,12 +827,6 @@ msgstr "Bu nesneyi oluşturmak/güncellemek için Kurumsal Paket gereklidir."
 msgid "Enterprise is required to use this endpoint."
 msgstr ""

-#: authentik/enterprise/audit/apps.py
-msgid ""
-"Include additional information in audit logs, may incur a performance "
-"penalty."
-msgstr ""
-
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -894,19 +842,6 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""

-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connector"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connectors"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Tarayıcınız doğrulanıyor..."
-
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -923,6 +858,10 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""

+#: authentik/enterprise/lifecycle/api/rules.py
+msgid "Only one type-wide rule for each object type is allowed."
+msgstr ""
+
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -950,8 +889,7 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
-msgid ""
-"Access review is due for {self.content_type.name.lower()} {object_label}"
+msgid "Access review is due for {self.content_type.name} {str(self.object)}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
@@ -965,7 +903,7 @@ msgid ""
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to apply lifecycle rules."
+msgid "Dispatch tasks to validate lifecycle rules."
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
@@ -1192,14 +1130,6 @@ msgstr ""
 msgid "Enterprise is required to use the OAuth mode."
 msgstr ""

-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Push"
-msgstr ""
-
-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Pull"
-msgstr ""
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1281,78 +1211,6 @@ msgstr ""
 msgid "Generate data export."
 msgstr ""

-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "User to lock. If omitted, locks the current user (self-service)."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Lockdown flow is not applicable."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Choose the target account, then return a flow link."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured or the flow is not applicable"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Permission denied (when targeting another user)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Deactivate the user account (set is_active to False)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Set an unusable password for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Delete all active sessions for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Revoke all tokens for the user (API, app password, recovery, verification, "
-"OAuth)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Flow to redirect users to after self-service lockdown. This flow should not "
-"require authentication since the user's session is deleted."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "No target user specified for account lockdown"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "You do not have permission to lock down this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Account lockdown failed for this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Self-service account lockdown requires a completion flow."
-msgstr ""
-
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr "Uç Nokta Kimlik Doğrulayıcı Google Cihaz Güven Bağlayıcısı Aşaması"
@@ -1369,6 +1227,10 @@ msgstr "Uç Nokta Cihazı"
 msgid "Endpoint Devices"
 msgstr "Uç Nokta Cihazları"

+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "Tarayıcınız doğrulanıyor..."
+
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1449,12 +1311,6 @@ msgstr ""
 "Örneğin bir sohbet kanalına web kancası gönderirken yalnızca bir kez "
 "bildirim gönderin."

-#: authentik/events/models.py
-msgid ""
-"When set, the selected ceritifcate is used to validate the certificate of "
-"the webhook server."
-msgstr ""
-
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1620,15 +1476,6 @@ msgstr "Akış öncesi ilkeleri"
 msgid "Flow"
 msgstr "Akış"

-#: authentik/flows/apps.py
-msgid "Refresh other tabs after successful authentication."
-msgstr ""
-
-#: authentik/flows/apps.py
-msgid ""
-"Upon successful authentication, re-start authentication in other open tabs."
-msgstr ""
-
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "Akış mevcut kullanıcı için geçerli değildir."
@@ -1742,8 +1589,8 @@ msgstr "Akış Jetonu"
 msgid "Flow Tokens"
 msgstr "Akış Jetonları"

-#: authentik/flows/planner.py
-msgid "This link is invalid or has expired. Please request a new one."
+#: authentik/flows/templates/if/flow.html
+msgid "Site footer"
 msgstr ""

 #: authentik/flows/views/executor.py
@@ -2125,6 +1972,20 @@ msgstr "İtibar Puanı"
 msgid "Reputation Scores"
 msgstr "İtibar Puanları"

+#: authentik/policies/templates/policies/buffer.html
+msgid "Waiting for authentication..."
+msgstr ""
+
+#: authentik/policies/templates/policies/buffer.html
+msgid ""
+"You're already authenticating in another tab. This page will refresh once "
+"authentication is completed."
+msgstr ""
+
+#: authentik/policies/templates/policies/buffer.html
+msgid "Authenticate in this tab"
+msgstr ""
+
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "İzin reddedildi"
@@ -2251,14 +2112,6 @@ msgstr ""
 msgid "Regular Expression URL matching"
 msgstr ""

-#: authentik/providers/oauth2/models.py
-msgid "Authorization"
-msgstr ""
-
-#: authentik/providers/oauth2/models.py
-msgid "Logout"
-msgstr ""
-
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr ""
@@ -2616,6 +2469,10 @@ msgstr "Vekil Sağlayıcı"
 msgid "Proxy Providers"
 msgstr "Vekil Sağlayıcılar"

+#: authentik/providers/proxy/tasks.py
+msgid "Terminate session on Proxy outpost."
+msgstr ""
+
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2748,10 +2605,8 @@ msgstr ""
 "herhangi bir hedef kitle kısıtlaması eklenmez."

 #: authentik/providers/saml/models.py
-msgid ""
-"Also known as EntityID. Providing a value overrides the default issuer "
-"generated by authentik."
-msgstr ""
+msgid "Also known as EntityID"
+msgstr "EntityID olarak da bilinir"

 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -2961,10 +2816,6 @@ msgstr ""
 msgid "SAML NameID format"
 msgstr ""

-#: authentik/providers/saml/models.py
-msgid "SAML Issuer used for this session"
-msgstr ""
-
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr ""
@@ -2993,14 +2844,6 @@ msgstr ""
 msgid "Salesforce"
 msgstr ""

-#: authentik/providers/scim/models.py
-msgid "Webex"
-msgstr ""
-
-#: authentik/providers/scim/models.py
-msgid "vCenter"
-msgstr ""
-
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3276,7 +3119,7 @@ msgstr ""
 "                    Lütfen yöneticinizle iletişime geçin.\n"
 "                "

-#: authentik/sources/ldap/api/sources.py
+#: authentik/sources/ldap/api.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr ""
 "Parola senkronizasyonuna sahip yalnızca tek bir LDAP Kaynağına izin verilir"
@@ -3803,12 +3646,6 @@ msgstr ""
 "IdP tarafından başlatılan kimlik doğrulama akışlarına izin verir. İstek "
 "kimliğinin doğrulanması yapılmadığından, bu bir güvenlik riski olabilir."

-#: authentik/sources/saml/models.py
-msgid ""
-"When enabled, the IdP will re-authenticate the user even if a session "
-"exists."
-msgstr ""
-
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4218,10 +4055,6 @@ msgstr "Kimlik Doğrulayıcı Doğrulama Aşamaları"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "Yapılandırılmış (izin verilen) MFA kimlik doğrulayıcısı yok."

-#: authentik/stages/authenticator_webauthn/models.py
-msgid "When enabled, a given device can only be registered once."
-msgstr ""
-
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "WebAuthn Authenticator Kurulum Aşaması"
@@ -4357,10 +4190,6 @@ msgstr ""
 msgid "Event Notification"
 msgstr ""

-#: authentik/stages/email/models.py authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Davetiye"
-
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4475,62 +4304,6 @@ msgstr ""
 "\n"
 "Bu e-posta bildirim aktarımından gönderilmiştir %(name)s.\n"

-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"      You're Invited!\n"
-"      "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          You have been invited to join %(host)s. Click the button below to get started.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          This invitation expires %(expires)s.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "Accept Invitation"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
-"    "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "You're Invited!"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid ""
-"You have been invited to join %(host)s. Use the link below to get started."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid "This invitation expires %(expires)s."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid ""
-"If you cannot click the link above, please copy and paste the following URL "
-"into your browser:"
-msgstr ""
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4697,6 +4470,10 @@ msgstr "Etkinleştirildiğinde, davetiye kullanımdan sonra silinir."
 msgid "Optional fixed data to enforce on user enrollment."
 msgstr "Kullanıcı kaydında zorlamak için isteğe bağlı sabit veriler."

+#: authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Davetiye"
+
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Davetiyeler"
@@ -4818,18 +4595,6 @@ msgstr "Gizli: Gizli alan, form içine veri eklemek için kullanılabilir."
 msgid "Static: Static value, displayed as-is."
 msgstr "Statik: Statik değer, olduğu gibi görüntülenir."

-#: authentik/stages/prompt/models.py
-msgid "Alert (Info): Static alert box with info styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Warning): Static alert box with warning styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Danger): Static alert box with danger styling"
-msgstr ""
-
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik: authentik'in desteklediği yerel dillerin seçimi"
--- a/locale/zh-Hans/LC_MESSAGES/django.mo
+++ b/locale/zh-Hans/LC_MESSAGES/django.mo
--- a/locale/zh-Hans/LC_MESSAGES/django.po
+++ b/locale/zh-Hans/LC_MESSAGES/django.po
@@ -8,19 +8,18 @@
 # 刘松, 2025
 # deluxghost, 2025
 # Marc Schmitt, 2025
+# Jens L. <jens@goauthentik.io>, 2025
 # Kuang Jr, 2025
 # RocketDev, 2026
-# Lei Kou, 2026
-# Jens L. <jens@goauthentik.io>, 2026
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-02-10 19:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
-"Last-Translator: Jens L. <jens@goauthentik.io>, 2026\n"
+"Last-Translator: RocketDev, 2026\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -114,14 +113,6 @@ msgstr "校验错误"
 msgid "Blueprint file does not exist"
 msgstr "蓝图文件不存在"

-#: authentik/blueprints/api.py
-msgid "Context must be valid JSON"
-msgstr ""
-
-#: authentik/blueprints/api.py
-msgid "Context must be a JSON object"
-msgstr ""
-
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "验证蓝图失败"
@@ -130,11 +121,6 @@ msgstr "验证蓝图失败"
 msgid "Either path or content must be set."
 msgstr "必须设置路径或内容。"

-#: authentik/blueprints/api.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "用户缺少创建 {model} 的权限"
-
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "由 authentik 管理"
@@ -248,13 +234,10 @@ msgid ""
 "excluded"
 msgstr "如果未设置，则返回所有提供程序。如果启用，仅返回反向通道提供程序。如果禁用，则返回非反向通道提供程序"

-#: authentik/core/api/users.py
-msgid "Invalid password hash format. Must be a valid Django password hash."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "Cannot set both password and password_hash. Use only one."
-msgstr ""
+#: authentik/core/api/transactional_applications.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr "用户缺少创建 {model} 的权限"

 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
@@ -316,12 +299,6 @@ msgstr "未找到电子邮件阶段。"
 msgid "This field is required."
 msgstr "此字段是必需的。"

-#: authentik/core/apps.py
-msgid ""
-"Configure if applications without any policy/group/user bindings should be "
-"accessible to any user."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "name"
 msgstr "名称"
@@ -424,10 +401,6 @@ msgstr "应用的内部名称，在 URL 中使用。"
 msgid "Open launch URL in a new browser tab or window."
 msgstr "在新浏览器标签页或窗口中打开启动 URL。"

-#: authentik/core/models.py
-msgid "Hide this application from the user's My applications page."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "Application"
 msgstr "应用程序"
@@ -598,14 +571,6 @@ msgstr "移除由 SAML 源创建的临时用户。"
 msgid "Go home"
 msgstr "前往首页"

-#: authentik/core/templates/login/base_full.html
-msgid "Site footer"
-msgstr "网站页脚"
-
-#: authentik/core/templates/login/base_full.html
-msgid "Flow links"
-msgstr ""
-
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -710,10 +675,6 @@ msgstr "查看证书-密钥对的私钥"
 msgid "Discover, import and update certificates from the filesystem."
 msgstr "从文件系统中发现、导入并更新证书。"

-#: authentik/endpoints/api/stages.py
-msgid "Selected connector is not compatible with this stage."
-msgstr ""
-
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr "所选平台不受支持"
@@ -768,14 +729,6 @@ msgstr "Apple 随机数"
 msgid "Apple Nonces"
 msgstr "Apple 随机数"

-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclave"
-msgstr ""
-
-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclaves"
-msgstr ""
-
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr "操作系统名称，例如“Server 2022”或“Ubuntu”"
@@ -846,12 +799,6 @@ msgstr "创建/更新此对象需要企业版。"
 msgid "Enterprise is required to use this endpoint."
 msgstr "企业要求使用这个端点。"

-#: authentik/enterprise/audit/apps.py
-msgid ""
-"Include additional information in audit logs, may incur a performance "
-"penalty."
-msgstr ""
-
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -867,26 +814,13 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""

-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connector"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connectors"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "正在验证您的浏览器…"
-
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
-msgstr "您不能为此对象提交评论。"
+msgstr ""

 #: authentik/enterprise/lifecycle/api/rules.py
 msgid "Object does not exist"
-msgstr "对象不存在"
+msgstr ""

 #: authentik/enterprise/lifecycle/api/rules.py
 msgid "Either a reviewer group or a reviewer must be set."
@@ -896,6 +830,10 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""

+#: authentik/enterprise/lifecycle/api/rules.py
+msgid "Only one type-wide rule for each object type is allowed."
+msgstr ""
+
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -904,27 +842,26 @@ msgstr ""

 #: authentik/enterprise/lifecycle/models.py
 msgid "Reviewed"
-msgstr "已审核"
+msgstr ""

 #: authentik/enterprise/lifecycle/models.py
 msgid "Pending"
-msgstr "待处理"
+msgstr ""

 #: authentik/enterprise/lifecycle/models.py
 msgid "Overdue"
-msgstr "逾期"
+msgstr ""

 #: authentik/enterprise/lifecycle/models.py
 msgid "Canceled"
-msgstr "已取消"
+msgstr ""

 #: authentik/enterprise/lifecycle/models.py
 msgid "Go to {self._get_model_name()}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
-msgid ""
-"Access review is due for {self.content_type.name.lower()} {object_label}"
+msgid "Access review is due for {self.content_type.name} {str(self.object)}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
@@ -938,7 +875,7 @@ msgid ""
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to apply lifecycle rules."
+msgid "Dispatch tasks to validate lifecycle rules."
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
@@ -1163,14 +1100,6 @@ msgstr "使用 EAP-TLS 需要企业版。"
 msgid "Enterprise is required to use the OAuth mode."
 msgstr "使用 OAuth 模式需要企业版。"

-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Push"
-msgstr ""
-
-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Pull"
-msgstr ""
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1252,78 +1181,6 @@ msgstr "下载"
 msgid "Generate data export."
 msgstr "生成数据导出文件。"

-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "User to lock. If omitted, locks the current user (self-service)."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Lockdown flow is not applicable."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Choose the target account, then return a flow link."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured or the flow is not applicable"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Permission denied (when targeting another user)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Deactivate the user account (set is_active to False)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Set an unusable password for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Delete all active sessions for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Revoke all tokens for the user (API, app password, recovery, verification, "
-"OAuth)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Flow to redirect users to after self-service lockdown. This flow should not "
-"require authentication since the user's session is deleted."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "No target user specified for account lockdown"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "You do not have permission to lock down this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Account lockdown failed for this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Self-service account lockdown requires a completion flow."
-msgstr ""
-
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr "端点身份验证器 Google 设备信任连接器阶段"
@@ -1340,6 +1197,10 @@ msgstr "端点设备"
 msgid "Endpoint Devices"
 msgstr "端点设备"

+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "正在验证您的浏览器…"
+
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1416,12 +1277,6 @@ msgid ""
 "channel."
 msgstr "仅发送一次通知，例如在向聊天频道发送 Webhook 时。"

-#: authentik/events/models.py
-msgid ""
-"When set, the selected ceritifcate is used to validate the certificate of "
-"the webhook server."
-msgstr ""
-
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1580,15 +1435,6 @@ msgstr "流程前置策略"
 msgid "Flow"
 msgstr "流程"

-#: authentik/flows/apps.py
-msgid "Refresh other tabs after successful authentication."
-msgstr ""
-
-#: authentik/flows/apps.py
-msgid ""
-"Upon successful authentication, re-start authentication in other open tabs."
-msgstr ""
-
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "流程不应用于当前用户。"
@@ -1690,9 +1536,9 @@ msgstr "流程令牌"
 msgid "Flow Tokens"
 msgstr "流程令牌"

-#: authentik/flows/planner.py
-msgid "This link is invalid or has expired. Please request a new one."
-msgstr ""
+#: authentik/flows/templates/if/flow.html
+msgid "Site footer"
+msgstr "网站页脚"

 #: authentik/flows/views/executor.py
 msgid "Invalid next URL"
@@ -1700,7 +1546,7 @@ msgstr "无效的 next URL"

 #: authentik/lib/sync/incoming/models.py
 msgid "When to trigger sync for outgoing providers"
-msgstr "何时触发对外提供商的同步"
+msgstr ""

 #: authentik/lib/sync/outgoing/models.py
 msgid "Controls the number of objects synced in a single task"
@@ -2048,6 +1894,20 @@ msgstr "信誉分数"
 msgid "Reputation Scores"
 msgstr "信誉分数"

+#: authentik/policies/templates/policies/buffer.html
+msgid "Waiting for authentication..."
+msgstr "正在等待身份验证…"
+
+#: authentik/policies/templates/policies/buffer.html
+msgid ""
+"You're already authenticating in another tab. This page will refresh once "
+"authentication is completed."
+msgstr "您正在另一个标签页中验证身份。身份验证完成后，此页面会刷新。"
+
+#: authentik/policies/templates/policies/buffer.html
+msgid "Authenticate in this tab"
+msgstr "在此标签页中验证身份"
+
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "权限被拒绝"
@@ -2166,14 +2026,6 @@ msgstr "严格 URL 比较"
 msgid "Regular Expression URL matching"
 msgstr "正则表达式 URL 匹配"

-#: authentik/providers/oauth2/models.py
-msgid "Authorization"
-msgstr "授权"
-
-#: authentik/providers/oauth2/models.py
-msgid "Logout"
-msgstr "登出"
-
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr "反向通道"
@@ -2500,6 +2352,10 @@ msgstr "代理提供程序"
 msgid "Proxy Providers"
 msgstr "代理提供程序"

+#: authentik/providers/proxy/tasks.py
+msgid "Terminate session on Proxy outpost."
+msgstr "终止代理前哨的会话。"
+
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2617,10 +2473,8 @@ msgid ""
 msgstr "断言的 Audience 受限字段的值。留空时，不会添加  Audience 限制。"

 #: authentik/providers/saml/models.py
-msgid ""
-"Also known as EntityID. Providing a value overrides the default issuer "
-"generated by authentik."
-msgstr ""
+msgid "Also known as EntityID"
+msgstr "也称为 EntityID"

 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -2814,10 +2668,6 @@ msgstr "当前会话的 SAML NameID 值"
 msgid "SAML NameID format"
 msgstr "SAML NameID 格式"

-#: authentik/providers/saml/models.py
-msgid "SAML Issuer used for this session"
-msgstr ""
-
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "SAML 会话"
@@ -2846,14 +2696,6 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr "Salesforce"

-#: authentik/providers/scim/models.py
-msgid "Webex"
-msgstr ""
-
-#: authentik/providers/scim/models.py
-msgid "vCenter"
-msgstr ""
-
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr "用于定义组同步范围的组过滤器。"
@@ -3118,7 +2960,7 @@ msgstr ""
 "                    请联系您的管理员。\n"
 "                "

-#: authentik/sources/ldap/api/sources.py
+#: authentik/sources/ldap/api.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr "仅允许使用密码同步的单个 LDAP 源"

@@ -3626,12 +3468,6 @@ msgid ""
 "risk, as no validation of the request ID is done."
 msgstr "允许由 IdP 启动的身份验证流程。这可能存在安全风险，因为未对请求 ID 进行验证。"

-#: authentik/sources/saml/models.py
-msgid ""
-"When enabled, the IdP will re-authenticate the user even if a session "
-"exists."
-msgstr ""
-
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4034,10 +3870,6 @@ msgstr "身份验证器验证阶段"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "未配置（允许的）MFA 身份验证器。"

-#: authentik/stages/authenticator_webauthn/models.py
-msgid "When enabled, a given device can only be registered once."
-msgstr ""
-
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "WebAuthn 身份验证器设置阶段"
@@ -4168,10 +4000,6 @@ msgstr "电子邮件 OTP"
 msgid "Event Notification"
 msgstr "事件通知"

-#: authentik/stages/email/models.py authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "邀请"
-
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4284,62 +4112,6 @@ msgstr ""
 "\n"
 "此邮件由通知递送 %(name)s 发送。\n"

-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"      You're Invited!\n"
-"      "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          You have been invited to join %(host)s. Click the button below to get started.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          This invitation expires %(expires)s.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "Accept Invitation"
-msgstr "接受邀请"
-
-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
-"    "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "You're Invited!"
-msgstr "你被邀请了！"
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid ""
-"You have been invited to join %(host)s. Use the link below to get started."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid "This invitation expires %(expires)s."
-msgstr "此邀请已失效 %(expires)s"
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid ""
-"If you cannot click the link above, please copy and paste the following URL "
-"into your browser:"
-msgstr "如果无法点击上方链接，请将以下网址复制并粘贴到浏览器中："
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4500,6 +4272,10 @@ msgstr "启用后，邀请将在使用后被删除。"
 msgid "Optional fixed data to enforce on user enrollment."
 msgstr "在用户注册时强制设置的可选固定数据。"

+#: authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "邀请"
+
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "邀请"
@@ -4610,18 +4386,6 @@ msgstr "隐藏：隐藏字段，可用于将数据插入表单。"
 msgid "Static: Static value, displayed as-is."
 msgstr "静态：静态值，按原样显示。"

-#: authentik/stages/prompt/models.py
-msgid "Alert (Info): Static alert box with info styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Warning): Static alert box with warning styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Danger): Static alert box with danger styling"
-msgstr ""
-
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik：选择 authentik 支持的语言环境。"
--- a/packages/client-ts/package.json
+++ b/packages/client-ts/package.json
@@ -8,8 +8,7 @@
        "url": "https://github.com/goauthentik/authentik.git"
    },
    "scripts": {
-        "clean": "tsc -b --clean tsconfig.json tsconfig.esm.json",
-        "build": "npm run clean && tsc -b tsconfig.json tsconfig.esm.json",
+        "build": "tsc && tsc -p tsconfig.esm.json",
        "prepare": "npm run build"
    },
    "main": "./dist/index.js",
--- a/packages/client-ts/src/models/AuthenticatorValidateStage.ts
+++ b/packages/client-ts/src/models/AuthenticatorValidateStage.ts
@@ -124,30 +124,6 @@ export interface AuthenticatorValidateStage {
     * @memberof AuthenticatorValidateStage
     */
    readonly webauthnAllowedDeviceTypesObj: Array<WebAuthnDeviceType>;
-    /**
-     *
-     * @type {number}
-     * @memberof AuthenticatorValidateStage
-     */
-    emailOtpThrottlingFactor?: number;
-    /**
-     *
-     * @type {number}
-     * @memberof AuthenticatorValidateStage
-     */
-    smsOtpThrottlingFactor?: number;
-    /**
-     *
-     * @type {number}
-     * @memberof AuthenticatorValidateStage
-     */
-    totpOtpThrottlingFactor?: number;
-    /**
-     *
-     * @type {number}
-     * @memberof AuthenticatorValidateStage
-     */
-    staticOtpThrottlingFactor?: number;
 }

 /**
@@ -217,22 +193,6 @@ export function AuthenticatorValidateStageFromJSONTyped(
        webauthnAllowedDeviceTypesObj: (
            json["webauthn_allowed_device_types_obj"] as Array<any>
        ).map(WebAuthnDeviceTypeFromJSON),
-        emailOtpThrottlingFactor:
-            json["email_otp_throttling_factor"] == null
-                ? undefined
-                : json["email_otp_throttling_factor"],
-        smsOtpThrottlingFactor:
-            json["sms_otp_throttling_factor"] == null
-                ? undefined
-                : json["sms_otp_throttling_factor"],
-        totpOtpThrottlingFactor:
-            json["totp_otp_throttling_factor"] == null
-                ? undefined
-                : json["totp_otp_throttling_factor"],
-        staticOtpThrottlingFactor:
-            json["static_otp_throttling_factor"] == null
-                ? undefined
-                : json["static_otp_throttling_factor"],
    };
 }

@@ -272,9 +232,5 @@ export function AuthenticatorValidateStageToJSONTyped(
                ? undefined
                : (value["webauthnHints"] as Array<any>).map(WebAuthnHintEnumToJSON),
        webauthn_allowed_device_types: value["webauthnAllowedDeviceTypes"],
-        email_otp_throttling_factor: value["emailOtpThrottlingFactor"],
-        sms_otp_throttling_factor: value["smsOtpThrottlingFactor"],
-        totp_otp_throttling_factor: value["totpOtpThrottlingFactor"],
-        static_otp_throttling_factor: value["staticOtpThrottlingFactor"],
    };
 }
--- a/packages/client-ts/src/models/AuthenticatorValidateStageRequest.ts
+++ b/packages/client-ts/src/models/AuthenticatorValidateStageRequest.ts
@@ -78,30 +78,6 @@ export interface AuthenticatorValidateStageRequest {
     * @memberof AuthenticatorValidateStageRequest
     */
    webauthnAllowedDeviceTypes?: Array<string>;
-    /**
-     *
-     * @type {number}
-     * @memberof AuthenticatorValidateStageRequest
-     */
-    emailOtpThrottlingFactor?: number;
-    /**
-     *
-     * @type {number}
-     * @memberof AuthenticatorValidateStageRequest
-     */
-    smsOtpThrottlingFactor?: number;
-    /**
-     *
-     * @type {number}
-     * @memberof AuthenticatorValidateStageRequest
-     */
-    totpOtpThrottlingFactor?: number;
-    /**
-     *
-     * @type {number}
-     * @memberof AuthenticatorValidateStageRequest
-     */
-    staticOtpThrottlingFactor?: number;
 }

 /**
@@ -153,22 +129,6 @@ export function AuthenticatorValidateStageRequestFromJSONTyped(
            json["webauthn_allowed_device_types"] == null
                ? undefined
                : json["webauthn_allowed_device_types"],
-        emailOtpThrottlingFactor:
-            json["email_otp_throttling_factor"] == null
-                ? undefined
-                : json["email_otp_throttling_factor"],
-        smsOtpThrottlingFactor:
-            json["sms_otp_throttling_factor"] == null
-                ? undefined
-                : json["sms_otp_throttling_factor"],
-        totpOtpThrottlingFactor:
-            json["totp_otp_throttling_factor"] == null
-                ? undefined
-                : json["totp_otp_throttling_factor"],
-        staticOtpThrottlingFactor:
-            json["static_otp_throttling_factor"] == null
-                ? undefined
-                : json["static_otp_throttling_factor"],
    };
 }

@@ -201,9 +161,5 @@ export function AuthenticatorValidateStageRequestToJSONTyped(
                ? undefined
                : (value["webauthnHints"] as Array<any>).map(WebAuthnHintEnumToJSON),
        webauthn_allowed_device_types: value["webauthnAllowedDeviceTypes"],
-        email_otp_throttling_factor: value["emailOtpThrottlingFactor"],
-        sms_otp_throttling_factor: value["smsOtpThrottlingFactor"],
-        totp_otp_throttling_factor: value["totpOtpThrottlingFactor"],
-        static_otp_throttling_factor: value["staticOtpThrottlingFactor"],
    };
 }
--- a/packages/client-ts/src/models/PatchedAuthenticatorValidateStageRequest.ts
+++ b/packages/client-ts/src/models/PatchedAuthenticatorValidateStageRequest.ts
@@ -78,30 +78,6 @@ export interface PatchedAuthenticatorValidateStageRequest {
     * @memberof PatchedAuthenticatorValidateStageRequest
     */
    webauthnAllowedDeviceTypes?: Array<string>;
-    /**
-     *
-     * @type {number}
-     * @memberof PatchedAuthenticatorValidateStageRequest
-     */
-    emailOtpThrottlingFactor?: number;
-    /**
-     *
-     * @type {number}
-     * @memberof PatchedAuthenticatorValidateStageRequest
-     */
-    smsOtpThrottlingFactor?: number;
-    /**
-     *
-     * @type {number}
-     * @memberof PatchedAuthenticatorValidateStageRequest
-     */
-    totpOtpThrottlingFactor?: number;
-    /**
-     *
-     * @type {number}
-     * @memberof PatchedAuthenticatorValidateStageRequest
-     */
-    staticOtpThrottlingFactor?: number;
 }

 /**
@@ -152,22 +128,6 @@ export function PatchedAuthenticatorValidateStageRequestFromJSONTyped(
            json["webauthn_allowed_device_types"] == null
                ? undefined
                : json["webauthn_allowed_device_types"],
-        emailOtpThrottlingFactor:
-            json["email_otp_throttling_factor"] == null
-                ? undefined
-                : json["email_otp_throttling_factor"],
-        smsOtpThrottlingFactor:
-            json["sms_otp_throttling_factor"] == null
-                ? undefined
-                : json["sms_otp_throttling_factor"],
-        totpOtpThrottlingFactor:
-            json["totp_otp_throttling_factor"] == null
-                ? undefined
-                : json["totp_otp_throttling_factor"],
-        staticOtpThrottlingFactor:
-            json["static_otp_throttling_factor"] == null
-                ? undefined
-                : json["static_otp_throttling_factor"],
    };
 }

@@ -200,9 +160,5 @@ export function PatchedAuthenticatorValidateStageRequestToJSONTyped(
                ? undefined
                : (value["webauthnHints"] as Array<any>).map(WebAuthnHintEnumToJSON),
        webauthn_allowed_device_types: value["webauthnAllowedDeviceTypes"],
-        email_otp_throttling_factor: value["emailOtpThrottlingFactor"],
-        sms_otp_throttling_factor: value["smsOtpThrottlingFactor"],
-        totp_otp_throttling_factor: value["totpOtpThrottlingFactor"],
-        static_otp_throttling_factor: value["staticOtpThrottlingFactor"],
    };
 }
--- a/packages/client-ts/templates/tsconfig.mustache
+++ b/packages/client-ts/templates/tsconfig.mustache
@@ -1,7 +1,9 @@
 {
    "$schema": "https://json.schemastore.org/tsconfig",
    "compilerOptions": {
+        "composite": true,
        "isolatedModules": true,
+        "incremental": true,
        "rootDir": "src",
        "strict": true,
        "newLine": "lf",
--- a/packages/client-ts/tsconfig.json
+++ b/packages/client-ts/tsconfig.json
@@ -1,7 +1,9 @@
 {
    "$schema": "https://json.schemastore.org/tsconfig",
    "compilerOptions": {
+        "composite": true,
        "isolatedModules": true,
+        "incremental": true,
        "rootDir": "src",
        "strict": true,
        "newLine": "lf",
--- a/packages/django-dramatiq-postgres/django_dramatiq_postgres/apps.py
+++ b/packages/django-dramatiq-postgres/django_dramatiq_postgres/apps.py
@@ -32,17 +32,16 @@ class DjangoDramatiqPostgres(AppConfig):
            middleware=[],
        )

-        for middleware_class_path, middleware_kwargs in Conf().middlewares:
-            middleware_class = import_string(middleware_class_path)
-            if issubclass(middleware_class, Results):
-                middleware_kwargs["backend"] = import_string(Conf().result_backend)(
+        for middleware_class, middleware_kwargs in Conf().middlewares:
+            middleware: dramatiq.middleware.middleware.Middleware = import_string(middleware_class)(
+                **middleware_kwargs,
+            )
+            if isinstance(middleware, Results):
+                middleware.backend = import_string(Conf().result_backend)(
                    *Conf().result_backend_args,
                    **Conf().result_backend_kwargs,
                )
-            middleware: dramatiq.middleware.middleware.Middleware = middleware_class(
-                **middleware_kwargs,
-            )
-            broker.add_middleware(middleware)
+            broker.add_middleware(middleware)  # type: ignore[no-untyped-call]

        dramatiq.set_broker(broker)

--- a/packages/django-dramatiq-postgres/django_dramatiq_postgres/broker.py
+++ b/packages/django-dramatiq-postgres/django_dramatiq_postgres/broker.py
@@ -23,9 +23,11 @@ from django.utils.functional import cached_property
 from django.utils.module_loading import import_string
 from dramatiq.broker import Broker, Consumer, MessageProxy
 from dramatiq.common import compute_backoff, current_millis, dq_name, q_name, xq_name
-from dramatiq.errors import BrokerConnectionError, DecodeError, QueueJoinTimeout
+from dramatiq.errors import ConnectionError, QueueJoinTimeout
 from dramatiq.message import Message
-from dramatiq.middleware import Middleware
+from dramatiq.middleware import (
+    Middleware,
+)
 from pglock.core import _cast_lock_id
 from psycopg import sql
 from psycopg.errors import AdminShutdown
@@ -44,6 +46,7 @@ DATABASE_ERRORS = (
    AdminShutdown,
    InterfaceError,
    DatabaseError,
+    ConnectionError,
    OperationalError,
 )

@@ -52,7 +55,7 @@ def channel_name(queue_name: str, identifier: ChannelIdentifier) -> str:
    return f"{CHANNEL_PREFIX}.{queue_name}.{identifier.value}"


-def raise_broker_connection_error(func: Callable[P, R]) -> Callable[P, R]:  # noqa: UP047
+def raise_connection_error(func: Callable[P, R]) -> Callable[P, R]:  # noqa: UP047
    @functools.wraps(func)
    def wrapper(*args: P.args, **kwargs: P.kwargs) -> R:
        try:
@@ -63,13 +66,13 @@ def raise_broker_connection_error(func: Callable[P, R]) -> Callable[P, R]:  # no
                connections.close_all()
            except DATABASE_ERRORS:
                pass
-            raise BrokerConnectionError(str(exc)) from exc  # type: ignore[no-untyped-call]
+            raise ConnectionError(str(exc)) from exc  # type: ignore[no-untyped-call]

    return wrapper


 class PostgresBroker(Broker):
-    queues: set[str]
+    queues: set[str]  # type: ignore[assignment]

    def __init__(
        self,
@@ -78,7 +81,7 @@ class PostgresBroker(Broker):
        db_alias: str = DEFAULT_DB_ALIAS,
        **kwargs: Any,
    ) -> None:
-        super().__init__(*args, middleware=[], **kwargs)  # type: ignore[misc]
+        super().__init__(*args, middleware=[], **kwargs)  # type: ignore[no-untyped-call,misc]
        self.logger = get_logger(__name__, type(self))

        self.queues = set()
@@ -119,10 +122,10 @@ class PostgresBroker(Broker):

    def declare_queue(self, queue_name: str) -> None:
        if queue_name not in self.queues:
-            self.emit_before("declare_queue", queue_name)
+            self.emit_before("declare_queue", queue_name)  # type: ignore[no-untyped-call]
            self.queues.add(queue_name)
            # Nothing more to do, all queues are in the same table
-            self.emit_after("declare_queue", queue_name)
+            self.emit_after("declare_queue", queue_name)  # type: ignore[no-untyped-call]

    def model_defaults(self, message: Message[Any]) -> dict[str, Any]:
        eta = None
@@ -138,7 +141,7 @@ class PostgresBroker(Broker):
        }

    @tenacity.retry(
-        retry=tenacity.retry_if_exception_type(BrokerConnectionError),
+        retry=tenacity.retry_if_exception_type(ConnectionError),
        reraise=True,
        wait=tenacity.wait_random_exponential(multiplier=1, max=5),
        stop=tenacity.stop_after_attempt(3),
@@ -146,11 +149,11 @@ class PostgresBroker(Broker):
            cast(logging.Logger, logger), logging.INFO, exc_info=True
        ),
    )
-    @raise_broker_connection_error
+    @raise_connection_error
    def enqueue(self, message: Message[Any], *, delay: int | None = None) -> Message[Any]:
-        queue_name = q_name(message.queue_name)
+        queue_name = q_name(message.queue_name)  # type: ignore[no-untyped-call]
        if delay:
-            message_eta = current_millis() + delay
+            message_eta = current_millis() + delay  # type: ignore[no-untyped-call]
            message.options["eta"] = message_eta

        self.declare_queue(queue_name)
@@ -160,7 +163,7 @@ class PostgresBroker(Broker):

        message.options["model_defaults"] = self.model_defaults(message)
        message.options["model_create_defaults"] = {}
-        self.emit_before("enqueue", message, delay)
+        self.emit_before("enqueue", message, delay)  # type: ignore[no-untyped-call]

        with transaction.atomic(using=self.db_alias):
            query = {
@@ -182,7 +185,7 @@ class PostgresBroker(Broker):
            message.options["task"] = task
            message.options["task_created"] = created

-            self.emit_after("enqueue", message, delay)
+            self.emit_after("enqueue", message, delay)  # type: ignore[no-untyped-call]
        return message

    def get_declared_queues(self) -> set[str]:
@@ -190,7 +193,7 @@ class PostgresBroker(Broker):

    def flush(self, queue_name: str) -> None:
        self.query_set.filter(
-            queue_name__in=(queue_name, dq_name(queue_name), xq_name(queue_name))
+            queue_name__in=(queue_name, dq_name(queue_name), xq_name(queue_name))  # type: ignore[no-untyped-call]
        ).delete()

    def flush_all(self) -> None:
@@ -367,23 +370,12 @@ class _PostgresConsumer(Consumer):
        )
        if task is None:
            return None
-        try:
-            message = Message.decode(cast(bytes, task.message))
-        except DecodeError:
-            self.logger.error(
-                "Failed to decode task, rejecting", queue=self.queue_name, message_id=message_id
-            )
-            self.query_set.filter(message_id=message_id, queue_name=self.queue_name).update(
-                state=TaskState.REJECTED,
-                mtime=timezone.now(),
-                eta=None,
-            )
-            return None
+        message = Message.decode(cast(bytes, task.message))
        message.options["task"] = task
        self.in_processing.add(str(message_id))
        return message

-    @raise_broker_connection_error
+    @raise_connection_error
    def __next__(self) -> MessageProxy | None:
        # This method is called every second

@@ -403,7 +395,7 @@ class _PostgresConsumer(Consumer):
        if processing >= self.prefetch:
            # If we have too many messages already processing, wait and don't consume a message
            # straight away, other workers will be faster.
-            self.misses, backoff_ms = compute_backoff(self.misses, max_backoff=1000)
+            self.misses, backoff_ms = compute_backoff(self.misses, max_backoff=1000)  # type: ignore[no-untyped-call]
            self.logger.debug(
                "Too many messages in processing, Sleeping",
                processing=processing,
@@ -428,7 +420,7 @@ class _PostgresConsumer(Consumer):
                break
            message = self._consume_one(str(message_id))
            if message is not None:
-                return MessageProxy(message)
+                return MessageProxy(message)  # type: ignore[no-untyped-call]
            else:
                self.logger.debug("Message already consumed. Skipping.", message_id=message_id)
                continue
@@ -452,7 +444,7 @@ class _PostgresConsumer(Consumer):
            self.to_unlock.add(str(message_id))
            return False

-    def _post_process_message(self, message: MessageProxy, state: TaskState) -> None:
+    def _post_process_message(self, message: Message[Any], state: TaskState) -> None:
        self.logger.debug("Post-processing message", message=message.message_id, state=state)
        try:
            self.in_processing.remove(str(message.message_id))
@@ -474,16 +466,16 @@ class _PostgresConsumer(Consumer):
        )
        message.options["task"] = task

-    @raise_broker_connection_error
-    def ack(self, message: MessageProxy) -> None:
+    @raise_connection_error
+    def ack(self, message: Message[Any]) -> None:
        self._post_process_message(message, TaskState.DONE)

-    @raise_broker_connection_error
-    def nack(self, message: MessageProxy) -> None:
+    @raise_connection_error
+    def nack(self, message: Message[Any]) -> None:
        self._post_process_message(message, TaskState.REJECTED)

-    @raise_broker_connection_error
-    def requeue(self, messages: Iterable[MessageProxy]) -> None:
+    @raise_connection_error
+    def requeue(self, messages: Iterable[Message[Any]]) -> None:
        self.query_set.filter(
            message_id__in=[message.message_id for message in messages],
        ).update(
@@ -522,7 +514,7 @@ class _PostgresConsumer(Consumer):
        self.logger.info("Purged messages in all queues", count=count)
        self.task_purge_last_run = timezone.now()

-    @raise_broker_connection_error
+    @raise_connection_error
    def close(self) -> None:
        try:
            self._purge_locks()
--- a/packages/django-dramatiq-postgres/django_dramatiq_postgres/forks.py
+++ b/packages/django-dramatiq-postgres/django_dramatiq_postgres/forks.py
@@ -5,7 +5,7 @@ from signal import pause
 from django_dramatiq_postgres.conf import Conf


-def worker_metrics() -> int:
+def worker_metrics() -> None:
    import_module(Conf().autodiscovery["setup_module"])

    from django_dramatiq_postgres.middleware import MetricsMiddleware
@@ -15,4 +15,3 @@ def worker_metrics() -> int:
        int(os.getenv("dramatiq_prom_port", "9191")),
    )
    pause()
-    return 0
--- a/packages/django-dramatiq-postgres/django_dramatiq_postgres/middleware.py
+++ b/packages/django-dramatiq-postgres/django_dramatiq_postgres/middleware.py
@@ -10,7 +10,7 @@ from typing import TYPE_CHECKING, Any, cast

 from django.db import DatabaseError, close_old_connections, connections
 from dramatiq.actor import Actor
-from dramatiq.broker import Broker, MessageProxy
+from dramatiq.broker import Broker
 from dramatiq.common import current_millis
 from dramatiq.message import Message
 from dramatiq.middleware.middleware import Middleware
@@ -79,7 +79,7 @@ class DbConnectionMiddleware(Middleware):


 class TaskStateBeforeMiddleware(Middleware):
-    def before_process_message(self, broker: PostgresBroker, message: Message[Any]) -> None:  # type: ignore[override]
+    def before_process_message(self, broker: PostgresBroker, message: Message[Any]) -> None:
        broker.query_set.filter(
            message_id=message.message_id,
            queue_name=message.queue_name,
@@ -90,7 +90,7 @@ class TaskStateBeforeMiddleware(Middleware):


 class TaskStateAfterMiddleware(Middleware):
-    def before_process_message(self, broker: PostgresBroker, message: MessageProxy) -> None:  # type: ignore[override]
+    def before_process_message(self, broker: PostgresBroker, message: Message[Any]) -> None:
        broker.query_set.filter(
            message_id=message.message_id,
            queue_name=message.queue_name,
@@ -99,7 +99,7 @@ class TaskStateAfterMiddleware(Middleware):
            state=TaskState.RUNNING,
        )

-    def after_skip_message(self, broker: PostgresBroker, message: MessageProxy) -> None:  # type: ignore[override]
+    def after_skip_message(self, broker: PostgresBroker, message: Message[Any]) -> None:
        broker.query_set.filter(
            message_id=message.message_id,
            queue_name=message.queue_name,
@@ -110,11 +110,11 @@ class TaskStateAfterMiddleware(Middleware):

    def after_process_message(
        self,
-        broker: PostgresBroker,  # type: ignore[override]
-        message: MessageProxy,
+        broker: PostgresBroker,
+        message: Message[Any],
        *,
        result: Any | None = None,
-        exception: BaseException | None = None,
+        exception: Exception | None = None,
    ) -> None:
        self.after_skip_message(broker, message)

@@ -147,7 +147,7 @@ class CurrentTask(Middleware):
            raise CurrentTaskNotFound()
        return task[-1]

-    def before_process_message(self, broker: Broker, message: MessageProxy) -> None:
+    def before_process_message(self, broker: Broker, message: Message[Any]) -> None:
        tasks = self._TASKS.get()
        if tasks is None:
            tasks = []
@@ -157,10 +157,10 @@ class CurrentTask(Middleware):
    def after_process_message(
        self,
        broker: Broker,
-        message: MessageProxy,
+        message: Message[Any],
        *,
        result: Any | None = None,
-        exception: BaseException | None = None,
+        exception: Exception | None = None,
    ) -> None:
        tasks: list[TaskBase] | None = self._TASKS.get()
        if tasks is None or len(tasks) == 0:
@@ -194,7 +194,7 @@ class CurrentTask(Middleware):
                pass
        self._TASKS.set(tasks[:-1])

-    def after_skip_message(self, broker: Broker, message: MessageProxy) -> None:
+    def after_skip_message(self, broker: Broker, message: Message[Any]) -> None:
        self.after_process_message(broker, message)


@@ -236,7 +236,7 @@ class MetricsMiddleware(Middleware):
        self.message_start_times: dict[str, int] = {}

    @property
-    def forks(self) -> list[Callable[[], int]]:
+    def forks(self) -> list[Callable[[], None]]:
        from django_dramatiq_postgres.forks import worker_metrics

        return [worker_metrics]
@@ -310,41 +310,41 @@ class MetricsMiddleware(Middleware):
        # TODO: worker_id
        multiprocess.mark_process_dead(os.getpid())  # type: ignore[no-untyped-call]

-    def _make_labels(self, message: MessageProxy | Message[Any]) -> list[str]:
+    def _make_labels(self, message: Message[Any]) -> list[str]:
        return [message.queue_name, message.actor_name]

-    def after_nack(self, broker: Broker, message: MessageProxy) -> None:
+    def after_nack(self, broker: Broker, message: Message[Any]) -> None:
        self.total_rejected_messages.labels(*self._make_labels(message)).inc()

    def after_enqueue(self, broker: Broker, message: Message[Any], delay: int) -> None:
        if "retries" in message.options:
            self.total_retried_messages.labels(*self._make_labels(message)).inc()

-    def before_delay_message(self, broker: Broker, message: MessageProxy) -> None:
+    def before_delay_message(self, broker: Broker, message: Message[Any]) -> None:
        self.delayed_messages.add(message.message_id)
        self.in_progress_delayed_messages.labels(*self._make_labels(message)).inc()

-    def before_process_message(self, broker: Broker, message: MessageProxy) -> None:
+    def before_process_message(self, broker: Broker, message: Message[Any]) -> None:
        labels = self._make_labels(message)
        if message.message_id in self.delayed_messages:
            self.delayed_messages.remove(message.message_id)
            self.in_progress_delayed_messages.labels(*labels).dec()

        self.in_progress_messages.labels(*labels).inc()
-        self.message_start_times[message.message_id] = current_millis()
+        self.message_start_times[message.message_id] = current_millis()  # type: ignore[no-untyped-call]

    def after_process_message(
        self,
        broker: Broker,
-        message: MessageProxy,
+        message: Message[Any],
        *,
        result: Any | None = None,
-        exception: BaseException | None = None,
+        exception: Exception | None = None,
    ) -> None:
        labels = self._make_labels(message)

-        message_start_time = self.message_start_times.pop(message.message_id, current_millis())
-        message_duration = current_millis() - message_start_time
+        message_start_time = self.message_start_times.pop(message.message_id, current_millis())  # type: ignore[no-untyped-call]
+        message_duration = current_millis() - message_start_time  # type: ignore[no-untyped-call]
        self.messages_durations.labels(*labels).observe(message_duration)

        self.in_progress_messages.labels(*labels).dec()
--- a/packages/django-dramatiq-postgres/django_dramatiq_postgres/models.py
+++ b/packages/django-dramatiq-postgres/django_dramatiq_postgres/models.py
@@ -159,7 +159,7 @@ class ScheduleBase(models.Model):

    def send(self, broker: Broker | None = None) -> Message[Any]:
        broker = broker or get_broker()
-        actor: Actor[Any, Any] = broker.get_actor(self.actor_name)
+        actor: Actor[Any, Any] = broker.get_actor(self.actor_name)  # type: ignore[no-untyped-call]
        return actor.send_with_options(
            args=pickle.loads(self.args),  # nosec
            kwargs=pickle.loads(self.kwargs),  # nosec
--- a/packages/django-dramatiq-postgres/pyproject.toml
+++ b/packages/django-dramatiq-postgres/pyproject.toml
@@ -36,7 +36,7 @@ dependencies = [
  "django >=4.2,<6.0",
  "django-pglock >=1.7,<2",
  "django-pgtrigger >=4,<5",
-  "dramatiq >=2,<3",
+  "dramatiq >=1.17,<1.18",
  "tenacity >=9,<10",
  "structlog >=25,<26",
 ]
--- a/schema.yml
+++ b/schema.yml
@@ -35613,18 +35613,6 @@ components:
          items:
            $ref: '#/components/schemas/WebAuthnDeviceType'
          readOnly: true
-        email_otp_throttling_factor:
-          type: number
-          format: double
-        sms_otp_throttling_factor:
-          type: number
-          format: double
-        totp_otp_throttling_factor:
-          type: number
-          format: double
-        static_otp_throttling_factor:
-          type: number
-          format: double
      required:
      - component
      - flow_set
@@ -35674,18 +35662,6 @@ components:
          items:
            type: string
            format: uuid
-        email_otp_throttling_factor:
-          type: number
-          format: double
-        sms_otp_throttling_factor:
-          type: number
-          format: double
-        totp_otp_throttling_factor:
-          type: number
-          format: double
-        static_otp_throttling_factor:
-          type: number
-          format: double
      required:
      - name
    AuthenticatorValidationChallenge:
@@ -48119,18 +48095,6 @@ components:
          items:
            type: string
            format: uuid
-        email_otp_throttling_factor:
-          type: number
-          format: double
-        sms_otp_throttling_factor:
-          type: number
-          format: double
-        totp_otp_throttling_factor:
-          type: number
-          format: double
-        static_otp_throttling_factor:
-          type: number
-          format: double
    PatchedAuthenticatorWebAuthnStageRequest:
      type: object
      description: AuthenticatorWebAuthnStage Serializer
--- a/tests/e2e/test_flows_enroll.py
+++ b/tests/e2e/test_flows_enroll.py
@@ -111,12 +111,8 @@ class TestFlowsEnroll(SeleniumTestCase):
        identification_stage = self.get_shadow_root("ak-stage-identification", flow_executor)
        wait = WebDriverWait(identification_stage, self.wait_timeout)

-        wait.until(
-            ec.presence_of_element_located((By.CSS_SELECTOR, "a[data-ouia-component-id='enroll']"))
-        )
-        identification_stage.find_element(
-            By.CSS_SELECTOR, "a[data-ouia-component-id='enroll']"
-        ).click()
+        wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "a[ouiaId='enroll']")))
+        identification_stage.find_element(By.CSS_SELECTOR, "a[ouiaId='enroll']").click()

        # First prompt stage
        flow_executor = self.get_shadow_root("ak-flow-executor")
--- a/tests/e2e/test_flows_recovery.py
+++ b/tests/e2e/test_flows_recovery.py
@@ -27,14 +27,8 @@ class TestFlowsRecovery(SeleniumTestCase):
        identification_stage = self.get_shadow_root("ak-stage-identification", flow_executor)
        wait = WebDriverWait(identification_stage, self.wait_timeout)

-        wait.until(
-            ec.presence_of_element_located(
-                (By.CSS_SELECTOR, "a[data-ouia-component-id='recovery']")
-            )
-        )
-        identification_stage.find_element(
-            By.CSS_SELECTOR, "a[data-ouia-component-id='recovery']"
-        ).click()
+        wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "a[ouiaId='recovery']")))
+        identification_stage.find_element(By.CSS_SELECTOR, "a[ouiaId='recovery']").click()

        # First prompt stage
        flow_executor = self.get_shadow_root("ak-flow-executor")
--- a/uv.lock
+++ b/uv.lock
@@ -1143,7 +1143,7 @@ requires-dist = [
    { name = "django", specifier = ">=4.2,<6.0" },
    { name = "django-pglock", specifier = ">=1.7,<2" },
    { name = "django-pgtrigger", specifier = ">=4,<5" },
-    { name = "dramatiq", specifier = ">=2,<3" },
+    { name = "dramatiq", specifier = ">=1.17,<1.18" },
    { name = "structlog", specifier = ">=25,<26" },
    { name = "tenacity", specifier = ">=9,<10" },
 ]
@@ -1381,11 +1381,14 @@ wheels = [

 [[package]]
 name = "dramatiq"
-version = "2.1.0"
+version = "1.17.1"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/22/69/02b54e3fc4fe75721b322bc578054b4f03cec258ba614fa98a1a5bbe1efe/dramatiq-2.1.0.tar.gz", hash = "sha256:cf81550729de6cf64234b05bd63970645654aaf38967faa7a2b6e401384bb090", size = 105444, upload-time = "2026-03-03T11:22:10.067Z" }
+dependencies = [
+    { name = "prometheus-client" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/c6/7a/6792ddc64a77d22bfd97261b751a7a76cf2f9d62edc59aafb679ac48b77d/dramatiq-1.17.1.tar.gz", hash = "sha256:2675d2f57e0d82db3a7d2a60f1f9c536365349db78c7f8d80a63e4c54697647a", size = 99071, upload-time = "2024-10-26T05:09:28.283Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/c2/91/422960c8c415fd31ca1519d71d6f7e4bcabb2cdcc5872f784467e9fe7237/dramatiq-2.1.0-py3-none-any.whl", hash = "sha256:3ef940c2815722d3679aed79ef96c805f02fd33d4361529b2de30f01511ca44d", size = 125543, upload-time = "2026-03-03T11:22:08.664Z" },
+    { url = "https://files.pythonhosted.org/packages/ee/36/925c7afd5db4f1a3f00676b9c3c58f31ff7ae29a347282d86c8d429280a5/dramatiq-1.17.1-py3-none-any.whl", hash = "sha256:951cdc334478dff8e5150bb02a6f7a947d215ee24b5aedaf738eff20e17913df", size = 120382, upload-time = "2024-10-26T05:09:26.436Z" },
 ]

 [[package]]
--- a/web/package-lock.json
+++ b/web/package-lock.json
@@ -43,7 +43,7 @@
                "@patternfly/elements": "^4.4.0",
                "@patternfly/patternfly": "^4.224.2",
                "@playwright/test": "^1.59.1",
-                "@sentry/browser": "^10.51.0",
+                "@sentry/browser": "^10.50.0",
                "@storybook/addon-docs": "^10.3.6",
                "@storybook/addon-links": "^10.3.6",
                "@storybook/web-components": "^10.3.6",
@@ -66,7 +66,7 @@
                "chartjs-adapter-date-fns": "^3.0.0",
                "codemirror": "^6.0.2",
                "core-js": "^3.49.0",
-                "country-flag-icons": "^1.6.17",
+                "country-flag-icons": "^1.6.16",
                "date-fns": "^4.1.0",
                "deepmerge-ts": "^7.1.5",
                "dompurify": "^3.4.2",
@@ -78,7 +78,7 @@
                "globals": "^17.5.0",
                "guacamole-common-js": "^1.5.0",
                "hastscript": "^9.0.1",
-                "knip": "^6.9.0",
+                "knip": "^6.7.0",
                "lex": "^2025.11.0",
                "lit": "^3.3.2",
                "lit-analyzer": "^2.0.3",
@@ -118,7 +118,7 @@
                "vitest": "^4.1.1",
                "webcomponent-qr-code": "^1.3.0",
                "wireit": "^0.14.12",
-                "yaml": "^2.8.4"
+                "yaml": "^2.8.3"
            },
            "engines": {
                "node": ">=24",
@@ -687,9 +687,9 @@
            }
        },
        "node_modules/@emnapi/core": {
-            "version": "1.10.0",
-            "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.10.0.tgz",
-            "integrity": "sha512-yq6OkJ4p82CAfPl0u9mQebQHKPJkY7WrIuk205cTYnYe+k2Z8YBh11FrbRG/H6ihirqcacOgl2BIO8oyMQLeXw==",
+            "version": "1.9.2",
+            "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.2.tgz",
+            "integrity": "sha512-UC+ZhH3XtczQYfOlu3lNEkdW/p4dsJ1r/bP7H8+rhao3TTTMO1ATq/4DdIi23XuGoFY+Cz0JmCbdVl0hz9jZcA==",
            "license": "MIT",
            "optional": true,
            "dependencies": {
@@ -698,9 +698,9 @@
            }
        },
        "node_modules/@emnapi/runtime": {
-            "version": "1.10.0",
-            "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.10.0.tgz",
-            "integrity": "sha512-ewvYlk86xUoGI0zQRNq/mC+16R1QeDlKQy21Ki3oSYXNgLb45GV1P6A0M+/s6nyCuNDqe5VpaY84BzXGwVbwFA==",
+            "version": "1.9.2",
+            "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.2.tgz",
+            "integrity": "sha512-3U4+MIWHImeyu1wnmVygh5WlgfYDtyf0k8AbLhMFxOipihf6nrWC4syIm/SwEeec0mNSafiiNnMJwbza/Is6Lw==",
            "license": "MIT",
            "optional": true,
            "dependencies": {
@@ -2224,9 +2224,9 @@
            }
        },
        "node_modules/@oxc-parser/binding-android-arm-eabi": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm-eabi/-/binding-android-arm-eabi-0.128.0.tgz",
-            "integrity": "sha512-aca6ZvzmCBUGOANQRiRQRZuRKYI3ENhcit6GisnknOOmcezfQc7xJ4dxlPU7MV7mOvrC7RNR1u3LAD7xyaiCxA==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm-eabi/-/binding-android-arm-eabi-0.127.0.tgz",
+            "integrity": "sha512-0LC7ye4hvqbIKxAzThzvswgHLFu2AURKzYLeSVvLdu2TBOYWQDmHnTqPLeA597BcUCxiLqLsS4CJ5uoI5WYWCQ==",
            "cpu": [
                "arm"
            ],
@@ -2240,9 +2240,9 @@
            }
        },
        "node_modules/@oxc-parser/binding-android-arm64": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm64/-/binding-android-arm64-0.128.0.tgz",
-            "integrity": "sha512-BbeDmuohoJ7Rz/it5wnkj69i/OsCPS3Z51nLEzwO/Y6YshtC4JU+15oNwhY8v4LRKRYclRc7ggOikwrsJ/eOEQ==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm64/-/binding-android-arm64-0.127.0.tgz",
+            "integrity": "sha512-b5jtVTH6AU5CJXHNdj7Jj9IEiR9yVjjnwHzPJhGyHGPdcsZSzBCkS9GBbV33niRMvKthDwQRFRJfI4a+k4PvYg==",
            "cpu": [
                "arm64"
            ],
@@ -2256,9 +2256,9 @@
            }
        },
        "node_modules/@oxc-parser/binding-darwin-arm64": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-arm64/-/binding-darwin-arm64-0.128.0.tgz",
-            "integrity": "sha512-tRUHPt80417QmvNpoSslJT1VY8NUbWdrWR+L14Zn+RbOTcaqB8E6PYE/ZGN8jjWBzqporiA/H4MfO50ew/NCNA==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-arm64/-/binding-darwin-arm64-0.127.0.tgz",
+            "integrity": "sha512-obCE8B7ISKkJidjlhv9xRGJPOSDG2Yu6PRga9Ruaz35uintHxbp1Ki/Yc71wx4rj3Edrm0a1kzG1TAwit0wFpg==",
            "cpu": [
                "arm64"
            ],
@@ -2272,9 +2272,9 @@
            }
        },
        "node_modules/@oxc-parser/binding-darwin-x64": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-x64/-/binding-darwin-x64-0.128.0.tgz",
-            "integrity": "sha512-rWI2Hb1Nt3U/vKsjyNvZzDC8i/l144U20DKjhzaTmwIhIiSRGeroPWWiImwypmKLqrw8GuIixbWJkpGWLbkzrQ==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-x64/-/binding-darwin-x64-0.127.0.tgz",
+            "integrity": "sha512-JL6Xb5IwPQT8rUzlpsX7E+AgfcdNklXNPFp8pjCQQ5MQOQo5rtEB2ui+3Hgg9Sn7Y9Egj6YOLLiHhLpdAe12Aw==",
            "cpu": [
                "x64"
            ],
@@ -2288,9 +2288,9 @@
            }
        },
        "node_modules/@oxc-parser/binding-freebsd-x64": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-freebsd-x64/-/binding-freebsd-x64-0.128.0.tgz",
-            "integrity": "sha512-hhpdVMaNCLgQxjgNPeeFzSeJMmZPc5lKfv0NGSI3egZq9EdnEGqeC8JsYsQjK7PoQgbvZ17xlj0SO5ziH5Obkg==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-freebsd-x64/-/binding-freebsd-x64-0.127.0.tgz",
+            "integrity": "sha512-SDQ/3MQFw58fqQz3Z1PhSKFF3JoCF4gmlNjziDm8X02tTahCw0qJbd7FGPDKw1i4VTBZene9JPyC3mHtSvi+wA==",
            "cpu": [
                "x64"
            ],
@@ -2304,9 +2304,9 @@
            }
        },
        "node_modules/@oxc-parser/binding-linux-arm-gnueabihf": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-0.128.0.tgz",
-            "integrity": "sha512-093zNw0zZ/e/obML+rhlSdmnzR0mVZluPcAkxunEc5E3F0yBVsFn24Y1ILfsEte11Ud041qn/gp2OJ1jxNqUng==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-0.127.0.tgz",
+            "integrity": "sha512-Av+D1MIqzV0YMGPT9we2SIZaMKD7Cxs4CvXSx/yxaWHewZjYEjScpOf5igc8IILASViw4WTnjlwUdI1KzVtDHQ==",
            "cpu": [
                "arm"
            ],
@@ -2320,9 +2320,9 @@
            }
        },
        "node_modules/@oxc-parser/binding-linux-arm-musleabihf": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-musleabihf/-/binding-linux-arm-musleabihf-0.128.0.tgz",
-            "integrity": "sha512-fq7DmKmfC+dvD97IXrgbph6Jzwe0EDu+PYMofmzZ6fv5X1k9vtaqLpDGMuICO9MmUnyKAQmVl+wIv2RNy4Dz8g==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-musleabihf/-/binding-linux-arm-musleabihf-0.127.0.tgz",
+            "integrity": "sha512-Cs2fdJ8cPpFdeebj6p4dag8A4+56hPvZ0AhQQzlaLswGz1tz7bXt1nETLeorrM9+AMcWFFkqxcXwDGfTVidY8g==",
            "cpu": [
                "arm"
            ],
@@ -2336,9 +2336,9 @@
            }
        },
        "node_modules/@oxc-parser/binding-linux-arm64-gnu": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-0.128.0.tgz",
-            "integrity": "sha512-Xvm48jJah8TlIrURIjNOP/gNiGe6aKvCB+r06VliflFo8Kq7VOLE8PxtgShJzZIqubrgdMdYfvuPPozn7F6MbQ==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-0.127.0.tgz",
+            "integrity": "sha512-qdOfTcT6SY8gsJrrV92uyEUyjqMGPpIB5JZUG6QN5dukYd+7/j0kX6MwK1DgQj39jtUYixxPiaRUiEN1+0CXgQ==",
            "cpu": [
                "arm64"
            ],
@@ -2352,9 +2352,9 @@
            }
        },
        "node_modules/@oxc-parser/binding-linux-arm64-musl": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-musl/-/binding-linux-arm64-musl-0.128.0.tgz",
-            "integrity": "sha512-M7iwBGmYJTx+pKOYFjI0buop4gJvlmcVzFGaXPt21DKpQkbQZG1f63Yg7LloIYT/t9yLxCw0Lhfx/RFlAlMSjA==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-musl/-/binding-linux-arm64-musl-0.127.0.tgz",
+            "integrity": "sha512-EoTCZneNFU/P2qrpEM+RHmQwt+CvDkyGESG6qhr7KaegXLZwePfbrkCDfAk8/rhxbDUVGsZILX+2tqPzFtoFWA==",
            "cpu": [
                "arm64"
            ],
@@ -2368,9 +2368,9 @@
            }
        },
        "node_modules/@oxc-parser/binding-linux-ppc64-gnu": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-0.128.0.tgz",
-            "integrity": "sha512-21LGNIZb1Pcfk5/EGsqabrxv4yqQOWis1407JJrClS7XpFCrbvr74YAB1V+m54cYbwvO6UWwQqS4WecxiyfCRg==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-0.127.0.tgz",
+            "integrity": "sha512-zALjmZYgxFLHjXeudcDF0xFGNydTAtkAeXAr2EuC17ywCyFxcmQra4w0BMde0Yi/re4Bi4iwEoEXtYN7l6eBLQ==",
            "cpu": [
                "ppc64"
            ],
@@ -2384,9 +2384,9 @@
            }
        },
        "node_modules/@oxc-parser/binding-linux-riscv64-gnu": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-gnu/-/binding-linux-riscv64-gnu-0.128.0.tgz",
-            "integrity": "sha512-gyHjOTFpg9bTTYjxPmQirvufb89+VdZwVfcMtAUyPr6F5H8ZswvCQshK4qOW+Q+2Xyb33hduRgY/eFHJQjU/vQ==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-gnu/-/binding-linux-riscv64-gnu-0.127.0.tgz",
+            "integrity": "sha512-fPP8M6zQLS7Jz7o9d5ArUSuAuSK3e+WCYVrCpdzeCOejidtZExJ9tjhDrAd3HEPqARBCPmdpqxESPFqy44vkBQ==",
            "cpu": [
                "riscv64"
            ],
@@ -2400,9 +2400,9 @@
            }
        },
        "node_modules/@oxc-parser/binding-linux-riscv64-musl": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-musl/-/binding-linux-riscv64-musl-0.128.0.tgz",
-            "integrity": "sha512-X6Q2oKUrP5GyDd2xniuEBLk6aFQCZ97W2+aVXGgJXdjx5t4/oFuA9ri0wLOUrBIX+qdSuK581snMBio4z910eA==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-musl/-/binding-linux-riscv64-musl-0.127.0.tgz",
+            "integrity": "sha512-7IcC4Ao02oGpfnjt+X/oF4U2mllo2qoSkw5xxiXNKL9MCTsTiAC6616beOuehdxGcnz1bRoPC1RQ2f1GQDdN+g==",
            "cpu": [
                "riscv64"
            ],
@@ -2416,9 +2416,9 @@
            }
        },
        "node_modules/@oxc-parser/binding-linux-s390x-gnu": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-0.128.0.tgz",
-            "integrity": "sha512-BdzTmqxfxoYkpgokoLaSnOX6T+R3/goL42klre2tnG+kHbG2TXS0VN+P5BPofH1axdKOHy5ei4ENZrjmCOt2lA==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-0.127.0.tgz",
+            "integrity": "sha512-pbXIhiNFHoqWeqDNLiJ9JkpHz1IM9k4DXa66x+1GTWMG7iLxtkXgE53iiuKSXwmk3zIYmaPVfBvgcAhS583K4Q==",
            "cpu": [
                "s390x"
            ],
@@ -2432,9 +2432,9 @@
            }
        },
        "node_modules/@oxc-parser/binding-linux-x64-gnu": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-gnu/-/binding-linux-x64-gnu-0.128.0.tgz",
-            "integrity": "sha512-OO1nW2Q7sSYYvJZpDHdvyFSdRaVcQqRijZSSmWVMqFxPYy8cEF45zJ9fcdIYuzIT3jYq6YRhEFm/VMWNWhE22Q==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-gnu/-/binding-linux-x64-gnu-0.127.0.tgz",
+            "integrity": "sha512-MYCguB9RvBvlSd6gbuNI7QwiLoCCAlGnlRJFPrzLI6U1/9wkC/WK6LtBAUln55H1Ctqw45PWmqrobKoMhsYQzQ==",
            "cpu": [
                "x64"
            ],
@@ -2448,9 +2448,9 @@
            }
        },
        "node_modules/@oxc-parser/binding-linux-x64-musl": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-musl/-/binding-linux-x64-musl-0.128.0.tgz",
-            "integrity": "sha512-4NehAe404MRdoZVS9DW8C5XbJwbXIc/KfVlYdpi5vE4081zc9Y0YzKVqyOYj/Puye7/Do+ohaONBFWlEHYl9hw==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-musl/-/binding-linux-x64-musl-0.127.0.tgz",
+            "integrity": "sha512-5eY0B/bxf1xIUxb4NOTvOI3KWtBQfPWYyKAzgcrCt0mDibSZygVpO1Pz8bkeiSZ5Jj9+M09dkggG3H8I5d0Uyg==",
            "cpu": [
                "x64"
            ],
@@ -2464,9 +2464,9 @@
            }
        },
        "node_modules/@oxc-parser/binding-openharmony-arm64": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-openharmony-arm64/-/binding-openharmony-arm64-0.128.0.tgz",
-            "integrity": "sha512-kVbqgW9xLL8bh8oc7aYOJilRKXE5G33+tE0jan+duo/9OriaFRpijcCwT2waWs2oqYROYq0GlE7/p3ywoshVeg==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-openharmony-arm64/-/binding-openharmony-arm64-0.127.0.tgz",
+            "integrity": "sha512-Gld0ajrFTUXNtdw20fVBuTQx66FA75nIVg+//pPfR3sXkuABB4mTBhl3r9JNzrJpgW//qiwxf0nWXUWGJSL3UQ==",
            "cpu": [
                "arm64"
            ],
@@ -2480,17 +2480,17 @@
            }
        },
        "node_modules/@oxc-parser/binding-wasm32-wasi": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-wasm32-wasi/-/binding-wasm32-wasi-0.128.0.tgz",
-            "integrity": "sha512-L38ojghJYHmgiz6fJd7jwLB/ESDBpB02NdFxh+smqVM6P2anCEvHn0jhaSrt5eVNR1Ak8+moOeftUlofeyvniA==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-wasm32-wasi/-/binding-wasm32-wasi-0.127.0.tgz",
+            "integrity": "sha512-T6KVD7rhLzFlwGRXMnxUFfkCZD8FHnb968wVXW1mXzgRFc5RNXOBY2mPPDZ77x5Ln76ltLMgtPg0cOkU1NSrEQ==",
            "cpu": [
                "wasm32"
            ],
            "license": "MIT",
            "optional": true,
            "dependencies": {
-                "@emnapi/core": "1.10.0",
-                "@emnapi/runtime": "1.10.0",
+                "@emnapi/core": "1.9.2",
+                "@emnapi/runtime": "1.9.2",
                "@napi-rs/wasm-runtime": "^1.1.4"
            },
            "engines": {
@@ -2498,9 +2498,9 @@
            }
        },
        "node_modules/@oxc-parser/binding-win32-arm64-msvc": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-0.128.0.tgz",
-            "integrity": "sha512-xgvO35GyHBtjlQ5AEpaYr7Rll1rvY7zqIhT6ty8E3ezBW2J1SFLjIDEvI/tcgDg6oaseDAqVcM+jU1HuCekgZw==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-0.127.0.tgz",
+            "integrity": "sha512-Ujvw4X+LD1CCGULcsQcvb4YNVoBGqt+JHgNNzGGaCImELiZLk477ifUH53gIbE7EKd933NdTi25JWEr9K2HwXw==",
            "cpu": [
                "arm64"
            ],
@@ -2514,9 +2514,9 @@
            }
        },
        "node_modules/@oxc-parser/binding-win32-ia32-msvc": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-0.128.0.tgz",
-            "integrity": "sha512-OY+3eM2SN72prHKRB22mPz8o5A/7dJ+f5DFLBVvggyZhEaNDAH9IB+ElMjmOkOIwf5MDCUAowCK7pAncNxzpBA==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-0.127.0.tgz",
+            "integrity": "sha512-0cwxKO7KHQQQfo4Uf4B2SQrhgm+cJaP9OvFFhx52Tkg4bezsacu83GB2/In5bC415Ueeym+kXdnge/57rbSfTw==",
            "cpu": [
                "ia32"
            ],
@@ -2530,9 +2530,9 @@
            }
        },
        "node_modules/@oxc-parser/binding-win32-x64-msvc": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-x64-msvc/-/binding-win32-x64-msvc-0.128.0.tgz",
-            "integrity": "sha512-NE9ny+cPUCCObXa0IKLfj0tCdPd7pe/dz9ZpkxpUOymB3miNeMPybdlYYTBSGJUalMWeBM85/4JcCErCNTqOXw==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-x64-msvc/-/binding-win32-x64-msvc-0.127.0.tgz",
+            "integrity": "sha512-rOrnSQSCbhI2kowr9XxE7m9a8oQXnBHjnS6j95LxxAnEZ0+Fz20WlRXG4ondQb+ejjt2KOsa65sE6++L6kUd+w==",
            "cpu": [
                "x64"
            ],
@@ -3104,6 +3104,27 @@
                "node": "^20.19.0 || >=22.12.0"
            }
        },
+        "node_modules/@rolldown/binding-wasm32-wasi/node_modules/@emnapi/core": {
+            "version": "1.10.0",
+            "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.10.0.tgz",
+            "integrity": "sha512-yq6OkJ4p82CAfPl0u9mQebQHKPJkY7WrIuk205cTYnYe+k2Z8YBh11FrbRG/H6ihirqcacOgl2BIO8oyMQLeXw==",
+            "license": "MIT",
+            "optional": true,
+            "dependencies": {
+                "@emnapi/wasi-threads": "1.2.1",
+                "tslib": "^2.4.0"
+            }
+        },
+        "node_modules/@rolldown/binding-wasm32-wasi/node_modules/@emnapi/runtime": {
+            "version": "1.10.0",
+            "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.10.0.tgz",
+            "integrity": "sha512-ewvYlk86xUoGI0zQRNq/mC+16R1QeDlKQy21Ki3oSYXNgLb45GV1P6A0M+/s6nyCuNDqe5VpaY84BzXGwVbwFA==",
+            "license": "MIT",
+            "optional": true,
+            "dependencies": {
+                "tslib": "^2.4.0"
+            }
+        },
        "node_modules/@rolldown/binding-win32-arm64-msvc": {
            "version": "1.0.0-rc.17",
            "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0-rc.17.tgz",
@@ -3593,75 +3614,75 @@
            "license": "MIT"
        },
        "node_modules/@sentry-internal/browser-utils": {
-            "version": "10.51.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/browser-utils/-/browser-utils-10.51.0.tgz",
-            "integrity": "sha512-lNKBS4P7RUvf1niojXQWe9bU3gnBUCbST4Dj0pSiyat1N96cXVyHkeE+uGxowD0RrVWhs+kGHiVX3FcmRWF6sA==",
+            "version": "10.50.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/browser-utils/-/browser-utils-10.50.0.tgz",
+            "integrity": "sha512-42bxyRTxnCmYlWnvz4CxikuQNanw8UNma2WJrtxJ0f1MAJV2GhQGSHDLnA+lvFlmiz6qct3pfen/NXGyOTegTA==",
            "license": "MIT",
            "dependencies": {
-                "@sentry/core": "10.51.0"
+                "@sentry/core": "10.50.0"
            },
            "engines": {
                "node": ">=18"
            }
        },
        "node_modules/@sentry-internal/feedback": {
-            "version": "10.51.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/feedback/-/feedback-10.51.0.tgz",
-            "integrity": "sha512-bCM95bcpphx28e6aU0bwRLxOgwosYsdNzezM1sM0pVOkb0TB3hDFRamramVDK+/Hp1o8qmRxS4c5w/A7YBZGkA==",
+            "version": "10.50.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/feedback/-/feedback-10.50.0.tgz",
+            "integrity": "sha512-0k9XZF0wn86f77mIO2U3gNNyDZooy139CnEanRzHinrN106vVzvBZ6TUEQoHtoO1fqQxr+nWWVrqV/PXUqk47w==",
            "license": "MIT",
            "dependencies": {
-                "@sentry/core": "10.51.0"
+                "@sentry/core": "10.50.0"
            },
            "engines": {
                "node": ">=18"
            }
        },
        "node_modules/@sentry-internal/replay": {
-            "version": "10.51.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/replay/-/replay-10.51.0.tgz",
-            "integrity": "sha512-jCpI5HXSwK6ZT2HX70+mDRciAocHzSiDk4DTgvzV69Wvd+Ei5WLgE+d39eaEPsm8lUC0Ydntb5sJIB6uG9D4bw==",
+            "version": "10.50.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/replay/-/replay-10.50.0.tgz",
+            "integrity": "sha512-51FYNfnvVLAWw1rrEWPFfwHuMRb9mkVCFGA4J9/un7SpeGBsQDziGB0Di4fsCxI7+EdSBpfLHPF0csKtCCw0oQ==",
            "license": "MIT",
            "dependencies": {
-                "@sentry-internal/browser-utils": "10.51.0",
-                "@sentry/core": "10.51.0"
+                "@sentry-internal/browser-utils": "10.50.0",
+                "@sentry/core": "10.50.0"
            },
            "engines": {
                "node": ">=18"
            }
        },
        "node_modules/@sentry-internal/replay-canvas": {
-            "version": "10.51.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/replay-canvas/-/replay-canvas-10.51.0.tgz",
-            "integrity": "sha512-8PW1Pp+Yl3lPwYqhBCr5SgkuhDanu9ZLzUqD2bPKL/ElqbM2eDVIWxq4z4ZzePrmZa6IcCjTv6sVQJ7Z4dLyLA==",
+            "version": "10.50.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/replay-canvas/-/replay-canvas-10.50.0.tgz",
+            "integrity": "sha512-jx6RKBmcJSWdI92qDGS/sBv1w+7Cww879Z/moX7bw7ipHa/Ts3iDcB3rgZwvhmi17U+mvYsbJeL2DXkPo3TjPw==",
            "license": "MIT",
            "dependencies": {
-                "@sentry-internal/replay": "10.51.0",
-                "@sentry/core": "10.51.0"
+                "@sentry-internal/replay": "10.50.0",
+                "@sentry/core": "10.50.0"
            },
            "engines": {
                "node": ">=18"
            }
        },
        "node_modules/@sentry/browser": {
-            "version": "10.51.0",
-            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-10.51.0.tgz",
-            "integrity": "sha512-Zdc0sKfenxUtW/OGhtJ7xHFN44bXR7YqxJ1zBDzlZfW0nTbeTTUZBq9z5NUw6qdS0Vs/i3V4qzAKTbRKWfqSEA==",
+            "version": "10.50.0",
+            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-10.50.0.tgz",
+            "integrity": "sha512-1f6rAvET6myiTaSeYqvaaBwvq1LfxqWjAPIoAW/NVC9bPMkeEcuvgDajHrnZMrBeWoJ81NMyoLkyX+iOc7MoFA==",
            "license": "MIT",
            "dependencies": {
-                "@sentry-internal/browser-utils": "10.51.0",
-                "@sentry-internal/feedback": "10.51.0",
-                "@sentry-internal/replay": "10.51.0",
-                "@sentry-internal/replay-canvas": "10.51.0",
-                "@sentry/core": "10.51.0"
+                "@sentry-internal/browser-utils": "10.50.0",
+                "@sentry-internal/feedback": "10.50.0",
+                "@sentry-internal/replay": "10.50.0",
+                "@sentry-internal/replay-canvas": "10.50.0",
+                "@sentry/core": "10.50.0"
            },
            "engines": {
                "node": ">=18"
            }
        },
        "node_modules/@sentry/core": {
-            "version": "10.51.0",
-            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-10.51.0.tgz",
-            "integrity": "sha512-Y45V/YXvVLEXmOdkbD1oG1gkRWFi9guCEGg3PlIlIpRjAbZUrvLGgjRJIc1E7XpSzmOnWbs5BbUxMv4PDaPj2w==",
+            "version": "10.50.0",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-10.50.0.tgz",
+            "integrity": "sha512-J4A+vzUO3adl0TkFCjaN1+4miamrjHiEIYuLHiuu1lmAjq5WIVw32ObvAh4yMwNtxyaEMosTrrh5M6f12XSJFg==",
            "license": "MIT",
            "engines": {
                "node": ">=18"
@@ -4556,9 +4577,9 @@
            }
        },
        "node_modules/@swc/core": {
-            "version": "1.15.33",
-            "resolved": "https://registry.npmjs.org/@swc/core/-/core-1.15.33.tgz",
-            "integrity": "sha512-jOlwnFV2xhuuZeAUILGFULeR6vDPfijEJ57evfocwznQldLU3w2cZ9bSDryY9ip+AsM3r1NJKzf47V2NXebkeQ==",
+            "version": "1.15.32",
+            "resolved": "https://registry.npmjs.org/@swc/core/-/core-1.15.32.tgz",
+            "integrity": "sha512-/eWL0n43D64QWEUHLtTE+jDqjkJhyidjkDhv6f0uJohOUAhywxQ9wXYp845DNNds0JpCdI4Uo0a9bl+vbXf+ew==",
            "hasInstallScript": true,
            "license": "Apache-2.0",
            "dependencies": {
@@ -4573,18 +4594,18 @@
                "url": "https://opencollective.com/swc"
            },
            "optionalDependencies": {
-                "@swc/core-darwin-arm64": "1.15.33",
-                "@swc/core-darwin-x64": "1.15.33",
-                "@swc/core-linux-arm-gnueabihf": "1.15.33",
-                "@swc/core-linux-arm64-gnu": "1.15.33",
-                "@swc/core-linux-arm64-musl": "1.15.33",
-                "@swc/core-linux-ppc64-gnu": "1.15.33",
-                "@swc/core-linux-s390x-gnu": "1.15.33",
-                "@swc/core-linux-x64-gnu": "1.15.33",
-                "@swc/core-linux-x64-musl": "1.15.33",
-                "@swc/core-win32-arm64-msvc": "1.15.33",
-                "@swc/core-win32-ia32-msvc": "1.15.33",
-                "@swc/core-win32-x64-msvc": "1.15.33"
+                "@swc/core-darwin-arm64": "1.15.32",
+                "@swc/core-darwin-x64": "1.15.32",
+                "@swc/core-linux-arm-gnueabihf": "1.15.32",
+                "@swc/core-linux-arm64-gnu": "1.15.32",
+                "@swc/core-linux-arm64-musl": "1.15.32",
+                "@swc/core-linux-ppc64-gnu": "1.15.32",
+                "@swc/core-linux-s390x-gnu": "1.15.32",
+                "@swc/core-linux-x64-gnu": "1.15.32",
+                "@swc/core-linux-x64-musl": "1.15.32",
+                "@swc/core-win32-arm64-msvc": "1.15.32",
+                "@swc/core-win32-ia32-msvc": "1.15.32",
+                "@swc/core-win32-x64-msvc": "1.15.32"
            },
            "peerDependencies": {
                "@swc/helpers": ">=0.5.17"
@@ -4596,9 +4617,9 @@
            }
        },
        "node_modules/@swc/core-darwin-arm64": {
-            "version": "1.15.33",
-            "resolved": "https://registry.npmjs.org/@swc/core-darwin-arm64/-/core-darwin-arm64-1.15.33.tgz",
-            "integrity": "sha512-N+L0uXhuO7FIfzqwgxmzv0zIpV0qEp8wPX3QQs2p4atjMoywup2JTeDlXPw+z9pWJGCae3JjM+tZ6myclI+2gA==",
+            "version": "1.15.32",
+            "resolved": "https://registry.npmjs.org/@swc/core-darwin-arm64/-/core-darwin-arm64-1.15.32.tgz",
+            "integrity": "sha512-/YWMvJDPu+AAwuUsM2G+DNQ/7zhodURGzdQyewEqcvgklAdDHs3LwQmLLnyn6SJl8DT8UOxkbzK+D1PmPeelRg==",
            "cpu": [
                "arm64"
            ],
@@ -4612,9 +4633,9 @@
            }
        },
        "node_modules/@swc/core-darwin-x64": {
-            "version": "1.15.33",
-            "resolved": "https://registry.npmjs.org/@swc/core-darwin-x64/-/core-darwin-x64-1.15.33.tgz",
-            "integrity": "sha512-/Il4QHSOhV4FekbsDtkrNmKbsX26oSysvgrRswa/RYOHXAkwXDbB4jaeKq6PsJLSPkzJ2KzQ061gtBnk0vNHfA==",
+            "version": "1.15.32",
+            "resolved": "https://registry.npmjs.org/@swc/core-darwin-x64/-/core-darwin-x64-1.15.32.tgz",
+            "integrity": "sha512-KOTXJXdAhWL+hZ77MYP3z+4pcMFaQhQ74yqyN1uz093q0YnbxpqMtYpPISbYvMHzVRNNx5kN+9RZAXEaadhWVA==",
            "cpu": [
                "x64"
            ],
@@ -4628,9 +4649,9 @@
            }
        },
        "node_modules/@swc/core-linux-arm-gnueabihf": {
-            "version": "1.15.33",
-            "resolved": "https://registry.npmjs.org/@swc/core-linux-arm-gnueabihf/-/core-linux-arm-gnueabihf-1.15.33.tgz",
-            "integrity": "sha512-C64hBnBxq4viOPQ8hlx+2lJ23bzZBGnjw7ryALmS+0Q3zHmwO8lw1/DArLENw4Q18/0w5wdEO1k3m1wWNtKGqQ==",
+            "version": "1.15.32",
+            "resolved": "https://registry.npmjs.org/@swc/core-linux-arm-gnueabihf/-/core-linux-arm-gnueabihf-1.15.32.tgz",
+            "integrity": "sha512-oOoxLweljlc0A4X8ybsgxV7cVaYTwBOg2iMDJcFR3Sr48C+lsv9VzSmqdK/IVIXF4W4GjLc3VqTAdSMXlfVLuQ==",
            "cpu": [
                "arm"
            ],
@@ -4644,9 +4665,9 @@
            }
        },
        "node_modules/@swc/core-linux-arm64-gnu": {
-            "version": "1.15.33",
-            "resolved": "https://registry.npmjs.org/@swc/core-linux-arm64-gnu/-/core-linux-arm64-gnu-1.15.33.tgz",
-            "integrity": "sha512-TRJfnJbX3jqpxRDRoieMzRiCBS5jOmXNb3iQXmcgjFEHKLnAgK1RZRU8Cq1MsPqO4jAJp/ld1G4O3fXuxv85uw==",
+            "version": "1.15.32",
+            "resolved": "https://registry.npmjs.org/@swc/core-linux-arm64-gnu/-/core-linux-arm64-gnu-1.15.32.tgz",
+            "integrity": "sha512-oDzEkdl6D6BAWdMtU5KGO7y3HR5fJcvByNLyEk9+ugj8nP5Ovb7P4kBcStBXc4MPExFGQryehiINMlmY8HlclA==",
            "cpu": [
                "arm64"
            ],
@@ -4660,9 +4681,9 @@
            }
        },
        "node_modules/@swc/core-linux-arm64-musl": {
-            "version": "1.15.33",
-            "resolved": "https://registry.npmjs.org/@swc/core-linux-arm64-musl/-/core-linux-arm64-musl-1.15.33.tgz",
-            "integrity": "sha512-il7tYM+CpUNzieQbwAjFT1P8zqAhmGWNAGhQZBnxurXZ0aNn+5nqYFTEUKNZl7QibtT0uQXzTZrNGHCIj6Y1Og==",
+            "version": "1.15.32",
+            "resolved": "https://registry.npmjs.org/@swc/core-linux-arm64-musl/-/core-linux-arm64-musl-1.15.32.tgz",
+            "integrity": "sha512-omcqjoZP/b8D8PuczVoRwJieC6ibj7qIxTftNYokz4/aSmKFHvsd7nIFfPk5ZvtzncbH4AY7+Dkr/Lp2gWxYeA==",
            "cpu": [
                "arm64"
            ],
@@ -4676,9 +4697,9 @@
            }
        },
        "node_modules/@swc/core-linux-ppc64-gnu": {
-            "version": "1.15.33",
-            "resolved": "https://registry.npmjs.org/@swc/core-linux-ppc64-gnu/-/core-linux-ppc64-gnu-1.15.33.tgz",
-            "integrity": "sha512-ZtNBwN0Z7CFj9Il0FcPaKdjgP7URyKu/3RfH46vq+0paOBqLj4NYldD6Qo//Duif/7IOtAraUfDOmp0PLAufog==",
+            "version": "1.15.32",
+            "resolved": "https://registry.npmjs.org/@swc/core-linux-ppc64-gnu/-/core-linux-ppc64-gnu-1.15.32.tgz",
+            "integrity": "sha512-KGkTMyz/Tbn3PBNu0AVZ4GTDFKnICrYcTiNPZq8DrvK42pnFsf3GNDrIG9E5AtQlTmC0YigkWKmu0eMcfTrmgA==",
            "cpu": [
                "ppc64"
            ],
@@ -4692,9 +4713,9 @@
            }
        },
        "node_modules/@swc/core-linux-s390x-gnu": {
-            "version": "1.15.33",
-            "resolved": "https://registry.npmjs.org/@swc/core-linux-s390x-gnu/-/core-linux-s390x-gnu-1.15.33.tgz",
-            "integrity": "sha512-De1IyajoOmhOYYjw/lx66bKlyDpHZTueqwpDrWgf5O7T6d1ODeJJO9/OqMBmrBQc5C+dNnlmIufHsp4QVCWufA==",
+            "version": "1.15.32",
+            "resolved": "https://registry.npmjs.org/@swc/core-linux-s390x-gnu/-/core-linux-s390x-gnu-1.15.32.tgz",
+            "integrity": "sha512-G3Aa4tVS/3OGZBkoNIwUF9F6RAy+Osb4GOlo62SinLmDiErz/ykmM7KH0wkz6l9kM8jJq1HyAM6atJTUEbBk7g==",
            "cpu": [
                "s390x"
            ],
@@ -4708,9 +4729,9 @@
            }
        },
        "node_modules/@swc/core-linux-x64-gnu": {
-            "version": "1.15.33",
-            "resolved": "https://registry.npmjs.org/@swc/core-linux-x64-gnu/-/core-linux-x64-gnu-1.15.33.tgz",
-            "integrity": "sha512-mGTH0YxmUN+x6vRN/I6NOk5X0ogNktkwPnJ94IMvR7QjhRDwL0O8RXEDhyUM0YtwWrryBOqaJQBX4zruxEPRGw==",
+            "version": "1.15.32",
+            "resolved": "https://registry.npmjs.org/@swc/core-linux-x64-gnu/-/core-linux-x64-gnu-1.15.32.tgz",
+            "integrity": "sha512-ERsjfGcj6CBmj3vJnGDO8m8rTvw6RqMcWo1dogOtNx3/+/0+NNpJiXDobJrr1GwInI/BHAEkvSFIH6d2LqPcUQ==",
            "cpu": [
                "x64"
            ],
@@ -4724,9 +4745,9 @@
            }
        },
        "node_modules/@swc/core-linux-x64-musl": {
-            "version": "1.15.33",
-            "resolved": "https://registry.npmjs.org/@swc/core-linux-x64-musl/-/core-linux-x64-musl-1.15.33.tgz",
-            "integrity": "sha512-hj628ZkSEJf6zMf5VMbYrG2O6QqyTIp2qwY6VlCjvIa9lAEZ5c2lfPblCLVGYubTeLJDxadLB/CxqQYOQABeEQ==",
+            "version": "1.15.32",
+            "resolved": "https://registry.npmjs.org/@swc/core-linux-x64-musl/-/core-linux-x64-musl-1.15.32.tgz",
+            "integrity": "sha512-N4Ggahe/8SUbTX50P6EdhbW9YWcgbZVb52R4cq6MK+zsoMjRq7rGvV5ztA05QnbaCYqMYx8rTY7KAIA3Crdo4Q==",
            "cpu": [
                "x64"
            ],
@@ -4740,9 +4761,9 @@
            }
        },
        "node_modules/@swc/core-win32-arm64-msvc": {
-            "version": "1.15.33",
-            "resolved": "https://registry.npmjs.org/@swc/core-win32-arm64-msvc/-/core-win32-arm64-msvc-1.15.33.tgz",
-            "integrity": "sha512-GV2oohtN2/5+KSccl86VULu3aT+LrISC8uzgSq0FRnikpD+Zwc+sBlXmoKQ+Db6jI57ITUOIB8jRkdGMABC29g==",
+            "version": "1.15.32",
+            "resolved": "https://registry.npmjs.org/@swc/core-win32-arm64-msvc/-/core-win32-arm64-msvc-1.15.32.tgz",
+            "integrity": "sha512-01yN0o9jvo8xBTP12aPK2wW8b41jmOlGbDDlAnoynotc4pO6xA0zby9f1z6j++qXDpGBttLySq1omgVrlQKYcw==",
            "cpu": [
                "arm64"
            ],
@@ -4756,9 +4777,9 @@
            }
        },
        "node_modules/@swc/core-win32-ia32-msvc": {
-            "version": "1.15.33",
-            "resolved": "https://registry.npmjs.org/@swc/core-win32-ia32-msvc/-/core-win32-ia32-msvc-1.15.33.tgz",
-            "integrity": "sha512-gtyvzSNR8DHKfFEA2uqb8Ld1myqi6uEg2jyeUq3ikn5ytYs7H8RpZYC8mdy4NXr8hfcdJfCLXPlYaqqfBXpoEQ==",
+            "version": "1.15.32",
+            "resolved": "https://registry.npmjs.org/@swc/core-win32-ia32-msvc/-/core-win32-ia32-msvc-1.15.32.tgz",
+            "integrity": "sha512-fLagI9XZYNpTcmlqAcp3KBtmj7E19WCmYD80Jxj1Kn5tGNa7yxNLd3NNdWxuZGUPl5iC0/KqZru7g08gF6Fsrw==",
            "cpu": [
                "ia32"
            ],
@@ -4772,9 +4793,9 @@
            }
        },
        "node_modules/@swc/core-win32-x64-msvc": {
-            "version": "1.15.33",
-            "resolved": "https://registry.npmjs.org/@swc/core-win32-x64-msvc/-/core-win32-x64-msvc-1.15.33.tgz",
-            "integrity": "sha512-d6fRqQSkJI+kmMEBWaDQ7TMl8+YjLYbwRUPZQ9DY0ORBJeTzOrG0twvfvlZ2xgw6jA0ScQKgfBm4vHLSLl5Hqg==",
+            "version": "1.15.32",
+            "resolved": "https://registry.npmjs.org/@swc/core-win32-x64-msvc/-/core-win32-x64-msvc-1.15.32.tgz",
+            "integrity": "sha512-gbc2bQ/T2CiR+w0OvcVKwLOFAcPZBvmWmolbwpg1E8UrpeC03DGtyMUApOHNXNYWA3SHFrYXCQtosrcMza1YFg==",
            "cpu": [
                "x64"
            ],
@@ -6623,9 +6644,9 @@
            }
        },
        "node_modules/basic-ftp": {
-            "version": "5.3.1",
-            "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.3.1.tgz",
-            "integrity": "sha512-bopVNp6ugyA150DDuZfPFdt1KZ5a94ZDiwX4hMgZDzF+GttD80lEy8kj98kbyhLXnPvhtIo93mdnLIjpCAeeOw==",
+            "version": "5.3.0",
+            "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.3.0.tgz",
+            "integrity": "sha512-5K9eNNn7ywHPsYnFwjKgYH8Hf8B5emh7JKcPaVjjrMJFQQwGpwowEnZNEtHs7DfR7hCZsmaK3VA4HUK0YarT+w==",
            "license": "MIT",
            "optional": true,
            "engines": {
@@ -7454,9 +7475,9 @@
            }
        },
        "node_modules/country-flag-icons": {
-            "version": "1.6.17",
-            "resolved": "https://registry.npmjs.org/country-flag-icons/-/country-flag-icons-1.6.17.tgz",
-            "integrity": "sha512-Nmik0289ZVZSI3c7mJR/amg6DyY7Z59b0sTFSKayeX72mHfPzCPJygwJs2pYgQULzuAyWeCUgwAJ+Dq8OR+JFw==",
+            "version": "1.6.16",
+            "resolved": "https://registry.npmjs.org/country-flag-icons/-/country-flag-icons-1.6.16.tgz",
+            "integrity": "sha512-HxJVoE/aaZGcUMx1vK/u9430uKGB3ODZDDZJJOqVJQzoHk5v42c0fSp1rk4tDfyr1dVOJjwxRiaBPliBMo2Liw==",
            "license": "MIT"
        },
        "node_modules/crelt": {
@@ -10727,9 +10748,9 @@
            }
        },
        "node_modules/ip-address": {
-            "version": "10.2.0",
-            "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz",
-            "integrity": "sha512-/+S6j4E9AHvW9SWMSEY9Xfy66O5PWvVEJ08O0y5JGyEKQpojb0K0GKpz/v5HJ/G0vi3D2sjGK78119oXZeE0qA==",
+            "version": "10.1.0",
+            "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.1.0.tgz",
+            "integrity": "sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q==",
            "license": "MIT",
            "optional": true,
            "engines": {
@@ -11569,9 +11590,9 @@
            }
        },
        "node_modules/knip": {
-            "version": "6.9.0",
-            "resolved": "https://registry.npmjs.org/knip/-/knip-6.9.0.tgz",
-            "integrity": "sha512-2GLjxteBwmsSA3Z5sJZpPDaNPBIMnlm4/9Nx4CZadEK7YccJZ2/4kwKgPWhVYEqxhwhD0WO4txWXNGTO/Odkkg==",
+            "version": "6.7.0",
+            "resolved": "https://registry.npmjs.org/knip/-/knip-6.7.0.tgz",
+            "integrity": "sha512-ckL51NDH1YJxnv1kNB0iUdDngB4f/e9Igz8uIqYfmNDoyOFmmk1V0WFv3LQ7/hzC63b2Z9X41gGUE9eOWrZpaA==",
            "funding": [
                {
                    "type": "github",
@@ -11589,7 +11610,7 @@
                "get-tsconfig": "4.14.0",
                "jiti": "^2.6.0",
                "minimist": "^1.2.8",
-                "oxc-parser": "^0.128.0",
+                "oxc-parser": "^0.127.0",
                "oxc-resolver": "^11.19.1",
                "picomatch": "^4.0.4",
                "smol-toml": "^1.6.1",
@@ -14283,12 +14304,12 @@
            }
        },
        "node_modules/oxc-parser": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/oxc-parser/-/oxc-parser-0.128.0.tgz",
-            "integrity": "sha512-XkOw3eiIxAgQ19WRew/Bq9wc5Ga/guaWIzDBzq80z1PyuDNGvWBpPby9k6YGwV8A8uMw+Nlq3xqlzuDYmUFYUw==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/oxc-parser/-/oxc-parser-0.127.0.tgz",
+            "integrity": "sha512-bkgD4qHlN7WxLdX8bLXdaU54TtQtAIg/ZBAfm0aje/mo3MRDo3P0hZSgr4U7O3xfX+fQmR5AP04JS/TGcZLcFA==",
            "license": "MIT",
            "dependencies": {
-                "@oxc-project/types": "^0.128.0"
+                "@oxc-project/types": "^0.127.0"
            },
            "engines": {
                "node": "^20.19.0 || >=22.12.0"
@@ -14297,35 +14318,26 @@
                "url": "https://github.com/sponsors/Boshen"
            },
            "optionalDependencies": {
-                "@oxc-parser/binding-android-arm-eabi": "0.128.0",
-                "@oxc-parser/binding-android-arm64": "0.128.0",
-                "@oxc-parser/binding-darwin-arm64": "0.128.0",
-                "@oxc-parser/binding-darwin-x64": "0.128.0",
-                "@oxc-parser/binding-freebsd-x64": "0.128.0",
-                "@oxc-parser/binding-linux-arm-gnueabihf": "0.128.0",
-                "@oxc-parser/binding-linux-arm-musleabihf": "0.128.0",
-                "@oxc-parser/binding-linux-arm64-gnu": "0.128.0",
-                "@oxc-parser/binding-linux-arm64-musl": "0.128.0",
-                "@oxc-parser/binding-linux-ppc64-gnu": "0.128.0",
-                "@oxc-parser/binding-linux-riscv64-gnu": "0.128.0",
-                "@oxc-parser/binding-linux-riscv64-musl": "0.128.0",
-                "@oxc-parser/binding-linux-s390x-gnu": "0.128.0",
-                "@oxc-parser/binding-linux-x64-gnu": "0.128.0",
-                "@oxc-parser/binding-linux-x64-musl": "0.128.0",
-                "@oxc-parser/binding-openharmony-arm64": "0.128.0",
-                "@oxc-parser/binding-wasm32-wasi": "0.128.0",
-                "@oxc-parser/binding-win32-arm64-msvc": "0.128.0",
-                "@oxc-parser/binding-win32-ia32-msvc": "0.128.0",
-                "@oxc-parser/binding-win32-x64-msvc": "0.128.0"
-            }
-        },
-        "node_modules/oxc-parser/node_modules/@oxc-project/types": {
-            "version": "0.128.0",
-            "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.128.0.tgz",
-            "integrity": "sha512-huv1Y/LzBJkBVHt3OlC7u0zHBW9qXf1FdD7sGmc1rXc2P1mTwHssYv7jyGx5KAACSCH+9B3Bhn6Z9luHRvf7pQ==",
-            "license": "MIT",
-            "funding": {
-                "url": "https://github.com/sponsors/Boshen"
+                "@oxc-parser/binding-android-arm-eabi": "0.127.0",
+                "@oxc-parser/binding-android-arm64": "0.127.0",
+                "@oxc-parser/binding-darwin-arm64": "0.127.0",
+                "@oxc-parser/binding-darwin-x64": "0.127.0",
+                "@oxc-parser/binding-freebsd-x64": "0.127.0",
+                "@oxc-parser/binding-linux-arm-gnueabihf": "0.127.0",
+                "@oxc-parser/binding-linux-arm-musleabihf": "0.127.0",
+                "@oxc-parser/binding-linux-arm64-gnu": "0.127.0",
+                "@oxc-parser/binding-linux-arm64-musl": "0.127.0",
+                "@oxc-parser/binding-linux-ppc64-gnu": "0.127.0",
+                "@oxc-parser/binding-linux-riscv64-gnu": "0.127.0",
+                "@oxc-parser/binding-linux-riscv64-musl": "0.127.0",
+                "@oxc-parser/binding-linux-s390x-gnu": "0.127.0",
+                "@oxc-parser/binding-linux-x64-gnu": "0.127.0",
+                "@oxc-parser/binding-linux-x64-musl": "0.127.0",
+                "@oxc-parser/binding-openharmony-arm64": "0.127.0",
+                "@oxc-parser/binding-wasm32-wasi": "0.127.0",
+                "@oxc-parser/binding-win32-arm64-msvc": "0.127.0",
+                "@oxc-parser/binding-win32-ia32-msvc": "0.127.0",
+                "@oxc-parser/binding-win32-x64-msvc": "0.127.0"
            }
        },
        "node_modules/oxc-resolver": {
@@ -19081,9 +19093,9 @@
            "license": "ISC"
        },
        "node_modules/yaml": {
-            "version": "2.8.4",
-            "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.4.tgz",
-            "integrity": "sha512-ml/JPOj9fOQK8RNnWojA67GbZ0ApXAUlN2UQclwv2eVgTgn7O9gg9o7paZWKMp4g0H3nTLtS9LVzhkpOFIKzog==",
+            "version": "2.8.3",
+            "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.3.tgz",
+            "integrity": "sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==",
            "license": "ISC",
            "bin": {
                "yaml": "bin.mjs"
@@ -19268,7 +19280,7 @@
                "@rollup/plugin-node-resolve": "^16.0.3",
                "@rollup/plugin-swc": "^0.4.0",
                "@swc/cli": "^0.8.1",
-                "@swc/core": "^1.15.33",
+                "@swc/core": "^1.15.32",
                "@webcomponents/template": "^1.5.1",
                "base64-js": "^1.5.1",
                "core-js": "^3.49.0",
--- a/web/package.json
+++ b/web/package.json
@@ -119,7 +119,7 @@
        "@patternfly/elements": "^4.4.0",
        "@patternfly/patternfly": "^4.224.2",
        "@playwright/test": "^1.59.1",
-        "@sentry/browser": "^10.51.0",
+        "@sentry/browser": "^10.50.0",
        "@storybook/addon-docs": "^10.3.6",
        "@storybook/addon-links": "^10.3.6",
        "@storybook/web-components": "^10.3.6",
@@ -142,7 +142,7 @@
        "chartjs-adapter-date-fns": "^3.0.0",
        "codemirror": "^6.0.2",
        "core-js": "^3.49.0",
-        "country-flag-icons": "^1.6.17",
+        "country-flag-icons": "^1.6.16",
        "date-fns": "^4.1.0",
        "deepmerge-ts": "^7.1.5",
        "dompurify": "^3.4.2",
@@ -154,7 +154,7 @@
        "globals": "^17.5.0",
        "guacamole-common-js": "^1.5.0",
        "hastscript": "^9.0.1",
-        "knip": "^6.9.0",
+        "knip": "^6.7.0",
        "lex": "^2025.11.0",
        "lit": "^3.3.2",
        "lit-analyzer": "^2.0.3",
@@ -194,7 +194,7 @@
        "vitest": "^4.1.1",
        "webcomponent-qr-code": "^1.3.0",
        "wireit": "^0.14.12",
-        "yaml": "^2.8.4"
+        "yaml": "^2.8.3"
    },
    "optionalDependencies": {
        "@esbuild/darwin-arm64": "^0.28.0",
--- a/web/packages/lex/index.js
+++ b/web/packages/lex/index.js
@@ -7,186 +7,152 @@
 */

 /**
- * A token produced by a {@link LexerAction}. The lexer is agnostic to the
- * concrete token shape; consumers pick whatever representation suits them.
- *
- * @typedef {unknown} Token
+ * @typedef {(this: Lexer, chr: string) => any} DefunctFunction
 */

 /**
- * A rule action. Invoked with the regex match (full match followed by capture
- * groups) bound to the owning {@link Lexer} so it can read or set `state`,
- * `index`, and `reject`.
- *
- * Return values:
- * - `null` (or `undefined` from an implicit return) — discard the match and continue scanning.
- * - a single token — yield it from {@link Lexer.lex}.
- * - an array of tokens — yield the first; queue the rest for subsequent calls.
- *
- * @callback LexerAction
- * @this {Lexer}
- * @param {...string} match
- * @returns {Token | Token[] | null | void}
+ * @typedef {(this: Lexer, ...args: RegExpExecArray) => string | string[] | undefined} RuleAction
 */

 /**
- * @typedef {object} LexerRule
- * @property {RegExp} pattern Sticky-compiled pattern used to probe the input.
- * @property {boolean} global Whether the user-supplied pattern was global.
- * @property {LexerAction} action
- * @property {number[]} start States in which the rule is active. `[0]` is the default state; an empty array means "any state".
+ * @typedef {Object} Rule
+ * @property {RegExp} pattern
+ * @property {boolean} global
+ * @property {RuleAction} action
+ * @property {number[]} start
 */

 /**
- * @typedef {object} LexerMatch
+ * @typedef {Object} Match
 * @property {RegExpExecArray} result
- * @property {LexerAction} action
+ * @property {RuleAction} action
 * @property {number} length
- * @property {boolean} global Whether the producing rule was declared with the `g` flag.
 */

-/**
- * Handler invoked when no rule matches at the current position.
- *
- * @callback DefunctHandler
- * @this {Lexer}
- * @param {string} chr The unexpected character.
- * @returns {Token | Token[] | null | void}
- */
-
-/**
- * @type {DefunctHandler}
- */
-function defaultDefunct(chr) {
-    throw new Error(`Unexpected character at index ${this.index - 1}: ${chr}`);
-}
-
 /**
 * Lexer class for tokenizing input strings.
 */
 export class Lexer {
    /**
-     * Current lexer state. Rules whose `start` array contains this value (or
-     * is empty) are eligible to match. Odd-numbered states are also matched
-     * by rules declared with `start: [0]`, mirroring flex's inclusive states.
-     *
+     * @type {string[]}
+     */
+    tokens = [];
+    /**
+     * @type {Rule[]}
+     */
+    rules = [];
+    /**
+     * @type {number}
+     */
+    remove = 0;
+    /**
     * @type {number}
     */
    state = 0;
-
-    /** @type {number} */
+    /**
+     * @type {number}
+     */
    index = 0;
-
-    /** @type {string} */
+    /**
+     * @type {string}
+     */
    input = "";

    /**
-     * When set to `true` from inside an action, the current match is rolled
-     * back and the next-best match is tried instead.
-     *
-     * @type {boolean}
-     */
-    reject = false;
-
-    /** @type {LexerRule[]} */
-    #rules = [];
-
-    /** @type {Token[]} */
-    #tokens = [];
-
-    /** @type {number} */
-    #remove = 0;
-
-    /** @type {DefunctHandler} */
-    #defunct;
-
-    /**
-     * @param {DefunctHandler} [defunct] Optional handler for unexpected characters.
+     * @param {DefunctFunction} [defunct]
     */
    constructor(defunct) {
-        this.#defunct = typeof defunct === "function" ? defunct : defaultDefunct;
+        defunct ||= function (chr) {
+            throw new Error("Unexpected character at index " + (this.index - 1) + ": " + chr);
+        };
+
+        this.defunct = defunct;
    }

    /**
-     * Register a tokenization rule.
+     * Add a lexing rule.
     *
     * @param {RegExp} pattern
-     * @param {LexerAction} action
-     * @param {number[]} [start] States in which the rule is active. Defaults to `[0]`.
-     * @returns {this}
+     * @param {RuleAction} action
+     * @param {number[]} [start]
+     * @returns {Lexer}
     */
-    addRule(pattern, action, start) {
+    addRule = (pattern, action, start) => {
        const global = pattern.global;

        if (!global || !pattern.sticky) {
            let flags = "gy";
+
            if (pattern.multiline) flags += "m";
            if (pattern.ignoreCase) flags += "i";
            if (pattern.unicode) flags += "u";
            pattern = new RegExp(pattern.source, flags);
        }

-        this.#rules.push({
-            pattern,
-            global,
-            action,
-            start: Array.isArray(start) ? start : [0],
+        if (!Array.isArray(start)) start = [0];
+
+        this.rules.push({
+            pattern: pattern,
+            global: global,
+            action: action,
+            start: start,
        });

        return this;
-    }
+    };

    /**
-     * Reset the lexer and load a new input string.
+     * Set the input string for lexing.
     *
     * @param {string} input
-     * @returns {this}
+     * @returns {Lexer}
     */
-    setInput(input) {
-        this.#remove = 0;
+    setInput = (input) => {
+        this.remove = 0;
        this.state = 0;
        this.index = 0;
-        this.#tokens.length = 0;
+        this.tokens.length = 0;
        this.input = input;
        return this;
-    }
+    };

    /**
-     * Produce the next token from the input, or `null` once exhausted.
+     * Lex the next token from the input.
     *
-     * @returns {Token | null}
+     * @returns {string | string[] | undefined}
     */
-    lex() {
-        if (this.#tokens.length) return /** @type {Token} */ (this.#tokens.shift());
+    lex = () => {
+        if (this.tokens.length) return this.tokens.shift();

        this.reject = true;

        while (this.index <= this.input.length) {
-            const matches = this.#scan().splice(this.#remove);
+            const matches = this.scan().splice(this.remove);
            const index = this.index;

            while (matches.length) {
-                if (!this.reject) break;
+                if (!this.reject) {
+                    break;
+                }
+                const match = matches.shift();

-                const match = /** @type {LexerMatch} */ (matches.shift());
-                const { result, length } = match;
+                if (!match) break;
+
+                const result = match.result;
+                const length = match.length;
                this.index += length;
                this.reject = false;
-                this.#remove++;
+                this.remove++;

-                let token = match.action.apply(
-                    this,
-                    /** @type {string[]} */ (/** @type {unknown} */ (result)),
-                );
+                let token = match.action.apply(this, result);

                if (this.reject) {
                    this.index = result.index;
-                } else if (token !== null && token !== undefined) {
-                    if (Array.isArray(token)) {
-                        this.#tokens = token.slice(1);
-                        token = token[0];
-                    }
-                    if (length) this.#remove = 0;
+                } else if (Array.isArray(token)) {
+                    this.tokens = token.slice(1);
+                    token = token[0];
+                } else {
+                    if (length) this.remove = 0;
                    return token;
                }
            }
@@ -195,82 +161,79 @@ export class Lexer {

            if (index < input.length) {
                if (this.reject) {
-                    this.#remove = 0;
-                    const token = this.#defunct(input.charAt(this.index++));
-                    if (token !== null && token !== undefined) {
+                    this.remove = 0;
+                    const token = this.defunct(input.charAt(this.index++));
+                    if (typeof token !== "undefined") {
                        if (Array.isArray(token)) {
-                            this.#tokens = token.slice(1);
+                            this.tokens = token.slice(1);
                            return token[0];
                        }
+
                        return token;
                    }
                } else {
-                    if (this.index !== index) this.#remove = 0;
+                    if (this.index !== index) this.remove = 0;
                    this.reject = true;
                }
-            } else if (matches.length) {
-                this.reject = true;
-            } else {
-                break;
-            }
+            } else if (matches.length) this.reject = true;
+            else break;
        }
-
-        return null;
-    }
+    };

    /**
-     * Probe every state-eligible rule at the current position, returning the
-     * matches sorted by length (longest first), with global rules pinned
-     * after non-global ones to preserve flex's "longest non-global wins"
-     * tie-breaking.
+     * Scan the input for matches.
     *
-     * @returns {LexerMatch[]}
+     * @returns {Match[]}
     */
-    #scan() {
-        /** @type {LexerMatch[]} */
+    scan = () => {
+        /**
+         * @type {Match[]}
+         */
        const matches = [];
+        let index = 0;

        const state = this.state;
        const lastIndex = this.index;
        const input = this.input;

-        for (const rule of this.#rules) {
+        for (let i = 0, length = this.rules.length; i < length; i++) {
+            const rule = this.rules[i];
            const start = rule.start;
            const states = start.length;
-            const eligible =
-                !states || start.indexOf(state) >= 0 || (state % 2 && states === 1 && !start[0]);

-            if (!eligible) continue;
+            if (!states || start.indexOf(state) >= 0 || (state % 2 && states === 1 && !start[0])) {
+                const pattern = rule.pattern;
+                pattern.lastIndex = lastIndex;
+                const result = pattern.exec(input);

-            const pattern = rule.pattern;
-            pattern.lastIndex = lastIndex;
-            const result = pattern.exec(input);
+                if (!result || result.index !== lastIndex) {
+                    continue;
+                }

-            if (!result || result.index !== lastIndex) continue;
+                let j = matches.push({
+                    result: result,
+                    action: rule.action,
+                    length: result[0].length,
+                });

-            let j = matches.push({
-                result,
-                action: rule.action,
-                length: result[0].length,
-                global: rule.global,
-            });
+                if (rule.global) {
+                    index = j;
+                }

-            while (--j > 0) {
-                const k = j - 1;
-                const cur = matches[j];
-                const prev = matches[k];
-                const longer = cur.length > prev.length;
-                const tieFavorsCur = cur.length === prev.length && prev.global && !cur.global;
+                while (--j > index) {
+                    const k = j - 1;

-                if (!longer && !tieFavorsCur) break;
-
-                matches[j] = prev;
-                matches[k] = cur;
+                    if (matches[j].length > matches[k].length) {
+                        const temple = matches[j];
+                        matches[j] = matches[k];
+                        matches[k] = temple;
+                    }
+                }
            }
        }

        return matches;
-    }
+    };
 }

 export default Lexer;
--- a/web/packages/sfe/package.json
+++ b/web/packages/sfe/package.json
@@ -20,7 +20,7 @@
        "@rollup/plugin-node-resolve": "^16.0.3",
        "@rollup/plugin-swc": "^0.4.0",
        "@swc/cli": "^0.8.1",
-        "@swc/core": "^1.15.33",
+        "@swc/core": "^1.15.32",
        "@webcomponents/template": "^1.5.1",
        "base64-js": "^1.5.1",
        "core-js": "^3.49.0",
--- a/web/src/admin/brands/BrandForm.ts
+++ b/web/src/admin/brands/BrandForm.ts
@@ -23,7 +23,6 @@ import { certificateProvider, certificateSelector } from "#admin/brands/Certific

 import {
    Application,
-    AuthenticationEnum,
    Brand,
    CoreApi,
    CoreApplicationsListRequest,
@@ -32,6 +31,7 @@ import {
    FlowsApi,
    UsageEnum,
 } from "@goauthentik/api";
+import { AuthenticationEnum } from "@goauthentik/api/dist/models/AuthenticationEnum.js";

 import YAML from "yaml";

--- a/web/src/admin/flows/FlowForm.ts
+++ b/web/src/admin/flows/FlowForm.ts
@@ -17,7 +17,6 @@ import { DesignationToLabel, LayoutToLabel } from "#admin/flows/utils";
 import { policyEngineModes } from "#admin/policies/PolicyEngineModes";

 import {
-    AuthenticationEnum,
    DeniedActionEnum,
    Flow,
    FlowDesignationEnum,
@@ -25,6 +24,7 @@ import {
    FlowsApi,
    UsageEnum,
 } from "@goauthentik/api";
+import { AuthenticationEnum } from "@goauthentik/api/dist/models/AuthenticationEnum.js";

 import { msg } from "@lit/localize";
 import { html, TemplateResult } from "lit";
--- a/web/src/admin/stages/BaseStageForm.ts
+++ b/web/src/admin/stages/BaseStageForm.ts
@@ -1,6 +1,6 @@
 import { ModelForm } from "#elements/forms/ModelForm";

-import type { Stage } from "@goauthentik/api";
+import type { Stage } from "@goauthentik/api/dist/models/Stage";

 import { msg } from "@lit/localize";

--- a/web/src/admin/stages/authenticator_validate/AuthenticatorValidateStageForm.ts
+++ b/web/src/admin/stages/authenticator_validate/AuthenticatorValidateStageForm.ts
@@ -232,70 +232,6 @@ export class AuthenticatorValidateStageForm extends BaseStageForm<AuthenticatorV
                        : nothing}
                </div>
            </ak-form-group>
-            <ak-form-group label="${msg("Throttling settings")}">
-                <ak-form-element-horizontal
-                    label=${msg("Email OTP throttling factor")}
-                    required
-                    name="emailOtpThrottlingFactor"
-                >
-                    <input
-                        type="number"
-                        step="0.1"
-                        value=${this.instance?.emailOtpThrottlingFactor || 1}
-                        class="pf-c-form-control pf-m-monospace"
-                        autocomplete="off"
-                        spellcheck="false"
-                        required
-                    />
-                </ak-form-element-horizontal>
-
-                <ak-form-element-horizontal
-                    label=${msg("SMS OTP throttling factor")}
-                    required
-                    name="smsOtpThrottlingFactor"
-                >
-                    <input
-                        type="number"
-                        step="0.1"
-                        value=${this.instance?.smsOtpThrottlingFactor || 1}
-                        class="pf-c-form-control pf-m-monospace"
-                        autocomplete="off"
-                        spellcheck="false"
-                        required
-                    />
-                </ak-form-element-horizontal>
-                <ak-form-element-horizontal
-                    label=${msg("TOTP throttling factor")}
-                    required
-                    name="totpOtpThrottlingFactor"
-                >
-                    <input
-                        type="number"
-                        step="0.1"
-                        value=${this.instance?.totpOtpThrottlingFactor || 1}
-                        class="pf-c-form-control pf-m-monospace"
-                        autocomplete="off"
-                        spellcheck="false"
-                        required
-                    />
-                </ak-form-element-horizontal>
-
-                <ak-form-element-horizontal
-                    label=${msg("Static OTP throttling factor")}
-                    required
-                    name="staticOtpThrottlingFactor"
-                >
-                    <input
-                        type="number"
-                        step="0.1"
-                        value=${this.instance?.staticOtpThrottlingFactor || 1}
-                        class="pf-c-form-control pf-m-monospace"
-                        autocomplete="off"
-                        spellcheck="false"
-                        required
-                    />
-                </ak-form-element-horizontal>
-            </ak-form-group>
            <ak-form-group open label="${msg("WebAuthn-specific settings")}">
                <div class="pf-c-form">
                    <ak-form-element-horizontal
--- a/web/src/admin/stages/user_write/UserWriteStageForm.ts
+++ b/web/src/admin/stages/user_write/UserWriteStageForm.ts
@@ -19,10 +19,10 @@ import {
    CoreGroupsListRequest,
    Group,
    StagesApi,
-    UserCreationModeEnum,
    UserTypeEnum,
    UserWriteStage,
 } from "@goauthentik/api";
+import { UserCreationModeEnum } from "@goauthentik/api/dist/models/UserCreationModeEnum.js";

 import { msg } from "@lit/localize";
 import { html, TemplateResult } from "lit";
--- a/web/src/admin/users/UserListPage.ts
+++ b/web/src/admin/users/UserListPage.ts
@@ -73,10 +73,6 @@ export class UserListPage extends WithLicenseSummary(
                max-width: var(--pf-c-avatar--Width);
                vertical-align: middle;
            }
-            .pf-c-card.tree .pf-c-card__body {
-                padding-left: 0;
-                padding-right: 0;
-            }
        `,
    ];

@@ -96,7 +92,7 @@ export class UserListPage extends WithLicenseSummary(
    public pageIcon = "pf-icon pf-icon-user";

    @property({ type: String })
-    public order = "-last_login";
+    public order = "last_login";

    @property({ type: String })
    public activePath: string;
@@ -372,7 +368,7 @@ export class UserListPage extends WithLicenseSummary(

    protected renderSidebarBefore(): TemplateResult {
        return html`<aside aria-labelledby="sidebar-left-panel-header" class="pf-c-sidebar__panel">
-            <div class="pf-c-card tree">
+            <div class="pf-c-card">
                <div
                    role="heading"
                    aria-level="2"
--- a/web/src/flow/stages/identification/IdentificationStage.ts
+++ b/web/src/flow/stages/identification/IdentificationStage.ts
@@ -386,7 +386,7 @@ export class IdentificationStage extends BaseStage<
        return html`<a
            href=${url}
            class="pf-c-button pf-m-secondary pf-m-block"
-            data-ouia-component-id="passwordless"
+            ouiaId="passwordless"
        >
            ${msg("Use a security key")}
        </a> `;
@@ -475,12 +475,12 @@ export class IdentificationStage extends BaseStage<
            ${enrollUrl
                ? html`<div class="pf-c-login__main-footer-band-item">
                      ${msg("Need an account?")}
-                      <a href="${enrollUrl}" data-ouia-component-id="enroll">${msg("Sign up.")}</a>
+                      <a href="${enrollUrl}" ouiaId="enroll">${msg("Sign up.")}</a>
                  </div>`
                : nothing}
            ${recoveryUrl
                ? html`<div class="pf-c-login__main-footer-band-item">
-                      <a href="${recoveryUrl}" data-ouia-component-id="recovery"
+                      <a href="${recoveryUrl}" ouiaId="recovery"
                          >${msg("Forgot username or password?")}</a
                      >
                  </div>`
--- a/web/src/rac/index.entrypoint.ts
+++ b/web/src/rac/index.entrypoint.ts
@@ -2,8 +2,6 @@ import "#elements/LoadingOverlay";

 import Styles from "./index.entrypoint.css";

-import { writeToClipboard } from "#common/clipboard";
-
 import { Interface } from "#elements/Interface";
 import { WithBrandConfig } from "#elements/mixins/branding";

@@ -157,35 +155,22 @@ export class RacInterface extends WithBrandConfig(Interface) {
            if (/^text\//.exec(mimetype)) {
                const reader = new Guacamole.StringReader(stream);
                let data = "";
-
                reader.ontext = (text) => {
                    data += text;
                };
-
                reader.onend = () => {
-                    const trimmed = data.trim();
-                    // Some remote sessions (notably SSH) push empty clipboard
-                    // payloads that would otherwise clobber the user's local
-                    // clipboard, breaking subsequent paste attempts. Ignore
-                    // them so the local clipboard remains intact.
-                    if (!trimmed) {
-                        console.debug("authentik/rac: ignored empty remote clipboard payload");
-                        return;
-                    }
-                    this._previousClipboardValue = trimmed;
-                    writeToClipboard(trimmed);
+                    this._previousClipboardValue = data;
+                    navigator.clipboard.writeText(data);
                };
            } else {
                const reader = new Guacamole.BlobReader(stream, mimetype);
-
                reader.onend = () => {
                    const blob = reader.getBlob();
-
-                    const item = new ClipboardItem({
-                        [blob.type]: blob,
-                    });
-
-                    writeToClipboard(item);
+                    navigator.clipboard.write([
+                        new ClipboardItem({
+                            [blob.type]: blob,
+                        }),
+                    ]);
                };
            }
            console.debug("authentik/rac: updated clipboard from remote");
--- a/web/test/unit/lexer.test.ts
+++ b/web/test/unit/lexer.test.ts
@@ -1,317 +0,0 @@
-/* eslint-disable func-names */
-import { Lexer } from "lex";
-import { describe, expect, it, vi } from "vitest";
-
-const drain = (lexer: Lexer): unknown[] => {
-    const out: unknown[] = [];
-    let token: unknown;
-
-    while ((token = lexer.lex()) !== null) {
-        out.push(token);
-    }
-    return out;
-};
-
-describe("Lexer", () => {
-    describe("addRule", () => {
-        it("returns the lexer for chaining", () => {
-            const lexer = new Lexer();
-            expect(lexer.addRule(/a/, () => "a")).toBe(lexer);
-        });
-
-        it("preserves multiline, ignoreCase, and unicode flags when re-compiling", () => {
-            const lexer = new Lexer(() => null);
-            const seen: string[] = [];
-
-            lexer.addRule(/^a/im, (m) => {
-                seen.push(m);
-            });
-            lexer.setInput("A\nA");
-
-            drain(lexer);
-            expect(seen).toEqual(["A", "A"]);
-        });
-
-        it("matches unicode patterns", () => {
-            const lexer = new Lexer();
-            lexer.addRule(/\p{Letter}+/u, (m) => m);
-            lexer.setInput("café");
-
-            expect(lexer.lex()).toBe("café");
-        });
-    });
-
-    describe("setInput", () => {
-        it("resets state, index, and pending tokens", () => {
-            const lexer = new Lexer();
-            lexer.addRule(/./, (c) => c);
-
-            lexer.setInput("ab");
-            expect(lexer.lex()).toBe("a");
-            lexer.state = 7;
-
-            lexer.setInput("xy");
-            expect(lexer.state).toBe(0);
-            expect(lexer.index).toBe(0);
-            expect(lexer.lex()).toBe("x");
-            expect(lexer.lex()).toBe("y");
-        });
-
-        it("returns the lexer for chaining", () => {
-            const lexer = new Lexer();
-            expect(lexer.setInput("")).toBe(lexer);
-        });
-    });
-
-    describe("tokenization", () => {
-        it("tokenizes a simple expression", () => {
-            const lexer = new Lexer();
-            lexer
-                .addRule(/\s+/, () => null)
-                .addRule(/[a-zA-Z]+/, (m) => ({ type: "ident", value: m }))
-                .addRule(/\d+/, (m) => ({ type: "num", value: Number(m) }))
-                .addRule(/[+\-*/]/, (m) => ({ type: "op", value: m }));
-
-            lexer.setInput("foo + 12 * bar");
-            expect(drain(lexer)).toEqual([
-                { type: "ident", value: "foo" },
-                { type: "op", value: "+" },
-                { type: "num", value: 12 },
-                { type: "op", value: "*" },
-                { type: "ident", value: "bar" },
-            ]);
-        });
-
-        it("skips matches whose action returns null", () => {
-            const lexer = new Lexer();
-            lexer.addRule(/\s+/, () => null).addRule(/\S+/, (m) => m);
-
-            lexer.setInput("   foo   bar   ");
-            expect(drain(lexer)).toEqual(["foo", "bar"]);
-        });
-
-        it("returns null once the input is exhausted", () => {
-            const lexer = new Lexer();
-            lexer.addRule(/./, (c) => c);
-            lexer.setInput("a");
-
-            expect(lexer.lex()).toBe("a");
-            expect(lexer.lex()).toBeNull();
-            expect(lexer.lex()).toBeNull();
-        });
-
-        it("passes capture groups to the action", () => {
-            const lexer = new Lexer();
-            const calls: string[][] = [];
-
-            lexer.addRule(/(\w+)=(\w+)/, (...args) => {
-                calls.push(args);
-                return args[0];
-            });
-
-            lexer.setInput("foo=bar");
-            lexer.lex();
-            expect(calls).toEqual([["foo=bar", "foo", "bar"]]);
-        });
-
-        it("binds `this` to the lexer inside the action", () => {
-            const lexer = new Lexer();
-            let captured: Lexer | undefined;
-
-            lexer.addRule(/a/, function () {
-                // eslint-disable-next-line consistent-this, @typescript-eslint/no-this-alias
-                captured = this;
-                return "a";
-            });
-
-            lexer.setInput("a");
-            lexer.lex();
-            expect(captured).toBe(lexer);
-        });
-    });
-
-    describe("longest-match tie-breaking", () => {
-        it("prefers the longer non-global match", () => {
-            const lexer = new Lexer();
-            lexer.addRule(/if/, () => "KW_IF").addRule(/iffy/, () => "IDENT_IFFY");
-
-            lexer.setInput("iffy");
-            expect(lexer.lex()).toBe("IDENT_IFFY");
-        });
-
-        it("treats global rules as fallbacks behind non-global rules of the same length", () => {
-            const lexer = new Lexer();
-            lexer.addRule(/[a-z]+/g, (m) => `g:${m}`).addRule(/foo/, (m) => `s:${m}`);
-
-            lexer.setInput("foo");
-            expect(lexer.lex()).toBe("s:foo");
-        });
-    });
-
-    describe("multi-token return", () => {
-        it("yields the first token immediately and queues the rest", () => {
-            const lexer = new Lexer();
-            lexer.addRule(/a/, () => ["A1", "A2", "A3"]);
-
-            lexer.setInput("a");
-            expect(lexer.lex()).toBe("A1");
-            expect(lexer.lex()).toBe("A2");
-            expect(lexer.lex()).toBe("A3");
-            expect(lexer.lex()).toBeNull();
-        });
-
-        it("drains the queue before scanning further input", () => {
-            const lexer = new Lexer();
-            lexer.addRule(/a/, () => ["A1", "A2"]).addRule(/b/, () => "B");
-
-            lexer.setInput("ab");
-            expect(drain(lexer)).toEqual(["A1", "A2", "B"]);
-        });
-    });
-
-    describe("reject", () => {
-        it("falls through to the next-best match when an action sets reject", () => {
-            const lexer = new Lexer();
-            const order: string[] = [];
-
-            lexer
-                .addRule(/foo/, function () {
-                    order.push("first");
-                    this.reject = true;
-                })
-                .addRule(/foo/, () => {
-                    order.push("second");
-                    return "FOO";
-                });
-
-            lexer.setInput("foo");
-            expect(lexer.lex()).toBe("FOO");
-            expect(order).toEqual(["first", "second"]);
-        });
-
-        it("rolls back the lexer index when an action rejects", () => {
-            const lexer = new Lexer();
-
-            lexer
-                .addRule(/abc/, function () {
-                    this.reject = true;
-                })
-                .addRule(/a/, (m) => m);
-
-            lexer.setInput("abc");
-            expect(lexer.lex()).toBe("a");
-            expect(lexer.index).toBe(1);
-        });
-    });
-
-    describe("defunct handling", () => {
-        it("throws by default on unexpected characters", () => {
-            const lexer = new Lexer();
-            lexer.addRule(/a/, (m) => m);
-
-            lexer.setInput("a@");
-            expect(lexer.lex()).toBe("a");
-            expect(() => lexer.lex()).toThrow(/Unexpected character at index 1: @/);
-        });
-
-        it("invokes a custom defunct handler with the offending character", () => {
-            const defunct = vi.fn((chr: string) => `?${chr}`);
-            const lexer = new Lexer(defunct);
-            lexer.addRule(/a/, (m) => m);
-
-            lexer.setInput("a@b");
-            expect(drain(lexer)).toEqual(["a", "?@", "?b"]);
-            expect(defunct).toHaveBeenCalledTimes(2);
-            expect(defunct.mock.calls[0]?.[0]).toBe("@");
-        });
-
-        it("ignores defunct return values that are null", () => {
-            const lexer = new Lexer((_chr) => null);
-            lexer.addRule(/a/, (m) => m);
-
-            lexer.setInput("@@a");
-            expect(lexer.lex()).toBe("a");
-            expect(lexer.lex()).toBeNull();
-        });
-
-        it("supports array returns from the defunct handler", () => {
-            const lexer = new Lexer((chr) => [`bad:${chr}`, "extra"]);
-            lexer.addRule(/a/, (m) => m);
-
-            lexer.setInput("@");
-            expect(lexer.lex()).toBe("bad:@");
-            expect(lexer.lex()).toBe("extra");
-        });
-
-        it("falls back to the default handler when given a non-function", () => {
-            // @ts-expect-error — exercising the runtime guard
-            const lexer = new Lexer("not a function");
-            lexer.setInput("@");
-            expect(() => lexer.lex()).toThrow(/Unexpected character/);
-        });
-    });
-
-    describe("states", () => {
-        it("only fires rules whose start array includes the current state", () => {
-            const lexer = new Lexer();
-
-            lexer
-                .addRule(/"/, function () {
-                    this.state = 2;
-                })
-                .addRule(
-                    /"/,
-                    function () {
-                        this.state = 0;
-                    },
-                    [2],
-                )
-                .addRule(/[^"]+/, (m) => `STR:${m}`, [2])
-                .addRule(/[a-z]+/, (m) => `ID:${m}`);
-
-            lexer.setInput('foo"hello"bar');
-            expect(drain(lexer)).toEqual(["ID:foo", "STR:hello", "ID:bar"]);
-        });
-
-        it("treats an empty start array as 'active in any state'", () => {
-            const lexer = new Lexer();
-
-            lexer
-                .addRule(/!/, function () {
-                    this.state = 5;
-                    return "BANG";
-                })
-                .addRule(/./, (m) => m, []);
-
-            lexer.setInput("a!b");
-            expect(drain(lexer)).toEqual(["a", "BANG", "b"]);
-        });
-
-        it("matches inclusive `[0]` rules from odd-numbered states", () => {
-            const lexer = new Lexer();
-
-            lexer
-                .addRule(/#/, function () {
-                    this.state = 1;
-                })
-                .addRule(/[a-z]+/, (m) => m);
-
-            lexer.setInput("ab#cd");
-            expect(drain(lexer)).toEqual(["ab", "cd"]);
-        });
-
-        it("does not match `[0]` rules from even non-zero states", () => {
-            const lexer = new Lexer();
-
-            lexer
-                .addRule(/#/, function () {
-                    this.state = 2;
-                })
-                .addRule(/[a-z]+/, (m) => m);
-
-            lexer.setInput("ab#cd");
-            expect(lexer.lex()).toBe("ab");
-            expect(() => lexer.lex()).toThrow(/Unexpected character/);
-        });
-    });
-});
--- a/web/test/unit/tsconfig.json
+++ b/web/test/unit/tsconfig.json
@@ -1,35 +0,0 @@
-// @file TSConfig used by the web package during development.
-{
-    "extends": "@goauthentik/tsconfig",
-    "compilerOptions": {
-        "types": ["node"],
-        "checkJs": true,
-        "allowJs": true,
-        "composite": true,
-        "resolveJsonModule": true,
-        "allowSyntheticDefaultImports": true,
-        "emitDeclarationOnly": true,
-        "target": "esnext",
-        "module": "preserve",
-        "moduleResolution": "bundler",
-        "lib": ["DOM", "DOM.Iterable", "ESNext"],
-
-        "noUncheckedIndexedAccess": true
-    },
-    "include": ["./**/*", "../**/*"],
-    "exclude": [
-        // ---
-        "**/out/**/*",
-        "**/dist/**/*",
-        "storybook-static",
-        // TODO: @lit/localize-tools v0.8.0 has a nullish coalescing typing error.
-        // Remove when we upgrade past that.
-        "scripts/pseudolocalize.mjs",
-        "scripts/build-locales.mjs"
-    ],
-    "references": [
-        {
-            "path": "../.."
-        }
-    ]
-}
--- a/web/test/unit/authenticator-validate-challenge-selection.test.ts
+++ b/web/test/unit/authenticator-validate-challenge-selection.test.ts
--- a/web/vite.config.js
+++ b/web/vite.config.js
@@ -41,12 +41,9 @@ export default defineConfig({
        projects: [
            {
                test: {
-                    include: ["./test/unit/**/*.{test,spec}.ts", "**/*.unit.{test,spec}.ts"],
-                    name: "Unit Tests",
+                    include: ["./unit/**/*.{test,spec}.ts", "**/*.unit.{test,spec}.ts"],
+                    name: "unit",
                    environment: "node",
-                    typecheck: {
-                        tsconfig: "./tsconfig.unit.json",
-                    },
                },
            },
            {
@@ -54,7 +51,7 @@ export default defineConfig({
                    setupFiles: ["./test/lit/setup.js"],

                    include: ["./browser/**/*.{test,spec}.ts", "**/*.browser.{test,spec}.ts"],
-                    name: "Browser Tests",
+                    name: "browser",
                    browser: {
                        enabled: true,
                        provider: playwright(),
--- a/web/xliff/bg_BG.xlf
+++ b/web/xliff/bg_BG.xlf
--- a/web/xliff/cs-CZ.xlf
+++ b/web/xliff/cs-CZ.xlf
@@ -6255,6 +6255,18 @@ neprojde, když jedna nebo obě z vybraných možností jsou rovny nebo nad prah
  <source>Authenticator Attachment</source>
  <target>Příloha autentikátoru</target>
 </trans-unit>
+<trans-unit id="s502d2473587032e1">
+  <source>No preference is sent</source>
+  <target>Není odesílána žádná preference</target>
+</trans-unit>
+<trans-unit id="s60cc554fde2676cb">
+  <source>A non-removable authenticator, like TouchID or Windows Hello</source>
+  <target>Neodstranitelný autentikátor, jako TouchID nebo Windows Hello</target>
+</trans-unit>
+<trans-unit id="sdf1d8edef27236f0">
+  <source>A "roaming" authenticator, like a YubiKey</source>
+  <target>„Roamingový" autentikátor, jako YubiKey</target>
+</trans-unit>
 <trans-unit id="sbd65aeeb8a3b9bbc">
  <source>Maximum registration attempts</source>
  <target>Maximální počet pokusů o registraci</target>
@@ -6590,6 +6602,10 @@ neprojde, když jedna nebo obě z vybraných možností jsou rovny nebo nad prah
  <source>Selected policies are executed when the stage is submitted to validate the data.</source>
  <target>Vybrané zásady jsou provedeny při odeslání kroku k ověření dat.</target>
 </trans-unit>
+<trans-unit id="sc487e11d5987dbb4">
+  <source>Redirect the user to another flow, potentially with all gathered context</source>
+  <target>Přesměrovat uživatele na jiný tok, potenciálně se všemi shromážděnými kontextovými informacemi</target>
+</trans-unit>
 <trans-unit id="sad9d5481474d4f5b">
  <source>Static</source>
  <target>Statický</target>
@@ -11048,6 +11064,15 @@ Vazby na skupiny/uživatele jsou kontrolovány vůči uživateli události.</tar
 <trans-unit id="sdcd1a9744efdbd7e">
  <source>Choose Policy Type</source>
 </trans-unit>
+<trans-unit id="sf4eb7c0c8e92e6b2">
+  <source>Whether the launch URL will open in a new browser tab or window from the user's application library.</source>
+</trans-unit>
+<trans-unit id="s8ab0176c9cf77b1a">
+  <source>Hide from User Dashboard</source>
+</trans-unit>
+<trans-unit id="s0b5847edb7150911">
+  <source>Whether this application will be shown on the User Dashboard.</source>
+</trans-unit>
 <trans-unit id="saa5ed8446baaba70">
  <source>Negate Result</source>
 </trans-unit>
@@ -11060,140 +11085,11 @@ Vazby na skupiny/uživatele jsou kontrolovány vůči uživateli události.</tar
 <trans-unit id="s41938ae69656ef53">
  <source>User Fields</source>
 </trans-unit>
-<trans-unit id="s02b73793e5b4e1ba">
-  <source>This flag is deprecated.</source>
+<trans-unit id="s977b2dff8b9def14">
+  <source>User Dashboard - Applications</source>
 </trans-unit>
-<trans-unit id="s8655c52824caac63">
-  <source>If checked, the launch URL will open in a new browser tab or window from the user's application library.</source>
-</trans-unit>
-<trans-unit id="s9eda7101f63a8652">
-  <source>Hide from My applications</source>
-</trans-unit>
-<trans-unit id="s30f30e9c42594a33">
-  <source>If checked, this application will not be shown on the user's My applications page.</source>
-</trans-unit>
-<trans-unit id="sc98037ccab57d329">
-  <source>No preference: the browser may offer any available authenticator</source>
-</trans-unit>
-<trans-unit id="s4611c85865abcba9">
-  <source>Platform: a non-removable authenticator built into the device, such as Touch ID, Face ID, or Windows Hello</source>
-</trans-unit>
-<trans-unit id="s0003d0e3fcdacabc">
-  <source>Cross-platform: a roaming authenticator, such as a YubiKey or Google Titan</source>
-</trans-unit>
-<trans-unit id="sc157c7dcb3d1b096">
-  <source>Controls the authenticatorAttachment parameter sent to the browser during WebAuthn registration. If Hints are configured and this is left as 'No preference', a value is inferred from the selected hints for backward compatibility with older browsers.</source>
-</trans-unit>
-<trans-unit id="s1baea1b8ac34d554">
-  <source>New Invitation</source>
-</trans-unit>
-<trans-unit id="s03eef6107e28d042">
-  <source>New Invitation options</source>
-</trans-unit>
-<trans-unit id="s0832ff81b9665e6f">
-  <source>Opens the new invitation wizard and binds the invitation to an existing enrollment flow.</source>
-</trans-unit>
-<trans-unit id="sc0819dc3d82d9320">
-  <source>with Existing Enrollment Flow...</source>
-</trans-unit>
-<trans-unit id="s79108cb25e7bf07b">
-  <source>Opens the new invitation wizard, which will create a new enrollment flow and invitation stage.</source>
-</trans-unit>
-<trans-unit id="sb7809157a3ccf613">
-  <source>with New Enrollment Flow and Invitation Stage...</source>
-</trans-unit>
-<trans-unit id="seb418067e7d6c6e2">
-  <source>Create a new invitation with an enrollment flow.</source>
-</trans-unit>
-<trans-unit id="sfd74a380e957d0d3">
-  <source>Enrollment Flow</source>
-</trans-unit>
-<trans-unit id="scc869d556216d748">
-  <source>Invitation Details</source>
-</trans-unit>
-<trans-unit id="se1fba44a9b284052">
-  <source>Invitation Link</source>
-</trans-unit>
-<trans-unit id="s967a2db7049dc90e">
-  <source><x id="0" equiv-text="${step}"/> failed</source>
-</trans-unit>
-<trans-unit id="s971d4cc0ecd106b7">
-  <source>Importing enrollment flow blueprint</source>
-</trans-unit>
-<trans-unit id="sf3b89a70e20af6c8">
-  <source>Blueprint validation failed</source>
-</trans-unit>
-<trans-unit id="sa04b7204708f4f74">
-  <source>Flow with slug "<x id="0" equiv-text="${slugToLookup}"/>" not found after import</source>
-</trans-unit>
-<trans-unit id="s3354be88ad29d171">
-  <source>Creating invitation</source>
-</trans-unit>
-<trans-unit id="s07f41353777196ea">
-  <source>The flow selected in the previous step. The invitation will be bound to this flow.</source>
-</trans-unit>
-<trans-unit id="s7209a11f97da9aff">
-  <source>No invitation available to send</source>
-</trans-unit>
-<trans-unit id="s2772d8285b905006">
-  <source>Failed to queue invitation emails</source>
-</trans-unit>
-<trans-unit id="s3b7910ab9c47a2e3">
-  <source>No enrollment flows with invitation stages found</source>
-</trans-unit>
-<trans-unit id="sa3ca03297e00591c">
-  <source>You can create a new enrollment flow and invitation stage right here, or cancel and bind an invitation stage to an existing flow manually.</source>
-</trans-unit>
-<trans-unit id="s06db43e56ca76be8">
-  <source>Create a new enrollment flow</source>
-</trans-unit>
-<trans-unit id="s8acc687c55e8ccbf">
-  <source>Only enrollment flows that have an invitation stage bound to them are listed here.</source>
-</trans-unit>
-<trans-unit id="s5b3bafd8ffe553ec">
-  <source>Flow name</source>
-</trans-unit>
-<trans-unit id="s699cd34b0dcb4c56">
-  <source>Name for the new enrollment flow.</source>
-</trans-unit>
-<trans-unit id="s8fb6d1bb698d32a0">
-  <source>Flow slug</source>
-</trans-unit>
-<trans-unit id="s0211c07612cf8c97">
-  <source>Invitation stage name</source>
-</trans-unit>
-<trans-unit id="s42b97ef63fb1a795">
-  <source>Name for the new invitation stage.</source>
-</trans-unit>
-<trans-unit id="saaa9fd0d3ebc35aa">
-  <source>Enrolled users are created as external (e.g. customers, guests). New users will be placed under users/external.</source>
-</trans-unit>
-<trans-unit id="s726dff63487da085">
-  <source>Enrolled users are created as internal (e.g. employees). New users will be placed under users/internal.</source>
-</trans-unit>
-<trans-unit id="sc1358130ac327120">
-  <source>If enabled, the stage will jump to the next stage when no invitation is given. If disabled, the flow will be cancelled without a valid invitation.</source>
-</trans-unit>
-<trans-unit id="s09fdd952c6eaf7da">
-  <source>No invitation was created.</source>
-</trans-unit>
-<trans-unit id="s00febd85a4889bb1">
-  <source>Redirect the user to a static URL or another flow, optionally with all gathered context.</source>
-</trans-unit>
-<trans-unit id="sdbc1d47f0f0ed54d">
-  <source>The element could not be loaded. This may be due to a missing import or a version mismatch.</source>
-</trans-unit>
-<trans-unit id="scf8a3d48f9969535">
-  <source>An element could not be loaded. Please try refreshing the page or clearing your cache.</source>
-</trans-unit>
-<trans-unit id="se2f00b2619675217">
-  <source>Failed to load element</source>
-</trans-unit>
-<trans-unit id="s1cf2298d92c327a6">
-  <source>My Applications</source>
-</trans-unit>
-<trans-unit id="s2656433a3b1f7e86">
-  <source>My applications</source>
+<trans-unit id="s190cbdd5b62e4746">
+  <source>User Dashboard</source>
 </trans-unit>
 </body>
 </file>
--- a/web/xliff/cs_CZ.xlf
+++ b/web/xliff/cs_CZ.xlf
--- a/web/xliff/de-DE.xlf
+++ b/web/xliff/de-DE.xlf
@@ -6281,6 +6281,18 @@ Beim Erstellen eines festen Auswahlfelds aktiviere „Als Ausdruck interpretiere
  <source>Authenticator Attachment</source>
  <target>Authenticator-Anhang</target>
 </trans-unit>
+<trans-unit id="s502d2473587032e1">
+  <source>No preference is sent</source>
+  <target>Keine Präferenz wird gesendet</target>
+</trans-unit>
+<trans-unit id="s60cc554fde2676cb">
+  <source>A non-removable authenticator, like TouchID or Windows Hello</source>
+  <target>Ein nicht abnehmbarer Authentifikator, wie TouchID oder Windows Hello</target>
+</trans-unit>
+<trans-unit id="sdf1d8edef27236f0">
+  <source>A "roaming" authenticator, like a YubiKey</source>
+  <target>Ein "Roaming"-Authentifikator, wie ein YubiKey</target>
+</trans-unit>
 <trans-unit id="sbd65aeeb8a3b9bbc">
  <source>Maximum registration attempts</source>
  <target>Maximale Registrierungsversuche</target>
@@ -6616,6 +6628,10 @@ Beim Erstellen eines festen Auswahlfelds aktiviere „Als Ausdruck interpretiere
  <source>Selected policies are executed when the stage is submitted to validate the data.</source>
  <target>Ausgewählte Richtlinien werden ausgeführt, wenn die Stage abgeschickt wird, um die Daten zu validieren.</target>
 </trans-unit>
+<trans-unit id="sc487e11d5987dbb4">
+  <source>Redirect the user to another flow, potentially with all gathered context</source>
+  <target>Leitet den Benutzer zu einem anderen Flow weiter, ggf. mit dem gesamten gesammelten Kontext.</target>
+</trans-unit>
 <trans-unit id="sad9d5481474d4f5b">
  <source>Static</source>
  <target>Statisch</target>
@@ -11080,6 +11096,15 @@ Bindings zu Gruppen/Benutzern werden mit dem Benutzer des Ereignisses abgegliche
 <trans-unit id="sdcd1a9744efdbd7e">
  <source>Choose Policy Type</source>
 </trans-unit>
+<trans-unit id="sf4eb7c0c8e92e6b2">
+  <source>Whether the launch URL will open in a new browser tab or window from the user's application library.</source>
+</trans-unit>
+<trans-unit id="s8ab0176c9cf77b1a">
+  <source>Hide from User Dashboard</source>
+</trans-unit>
+<trans-unit id="s0b5847edb7150911">
+  <source>Whether this application will be shown on the User Dashboard.</source>
+</trans-unit>
 <trans-unit id="saa5ed8446baaba70">
  <source>Negate Result</source>
 </trans-unit>
@@ -11092,140 +11117,11 @@ Bindings zu Gruppen/Benutzern werden mit dem Benutzer des Ereignisses abgegliche
 <trans-unit id="s41938ae69656ef53">
  <source>User Fields</source>
 </trans-unit>
-<trans-unit id="s02b73793e5b4e1ba">
-  <source>This flag is deprecated.</source>
+<trans-unit id="s977b2dff8b9def14">
+  <source>User Dashboard - Applications</source>
 </trans-unit>
-<trans-unit id="s8655c52824caac63">
-  <source>If checked, the launch URL will open in a new browser tab or window from the user's application library.</source>
-</trans-unit>
-<trans-unit id="s9eda7101f63a8652">
-  <source>Hide from My applications</source>
-</trans-unit>
-<trans-unit id="s30f30e9c42594a33">
-  <source>If checked, this application will not be shown on the user's My applications page.</source>
-</trans-unit>
-<trans-unit id="sc98037ccab57d329">
-  <source>No preference: the browser may offer any available authenticator</source>
-</trans-unit>
-<trans-unit id="s4611c85865abcba9">
-  <source>Platform: a non-removable authenticator built into the device, such as Touch ID, Face ID, or Windows Hello</source>
-</trans-unit>
-<trans-unit id="s0003d0e3fcdacabc">
-  <source>Cross-platform: a roaming authenticator, such as a YubiKey or Google Titan</source>
-</trans-unit>
-<trans-unit id="sc157c7dcb3d1b096">
-  <source>Controls the authenticatorAttachment parameter sent to the browser during WebAuthn registration. If Hints are configured and this is left as 'No preference', a value is inferred from the selected hints for backward compatibility with older browsers.</source>
-</trans-unit>
-<trans-unit id="s1baea1b8ac34d554">
-  <source>New Invitation</source>
-</trans-unit>
-<trans-unit id="s03eef6107e28d042">
-  <source>New Invitation options</source>
-</trans-unit>
-<trans-unit id="s0832ff81b9665e6f">
-  <source>Opens the new invitation wizard and binds the invitation to an existing enrollment flow.</source>
-</trans-unit>
-<trans-unit id="sc0819dc3d82d9320">
-  <source>with Existing Enrollment Flow...</source>
-</trans-unit>
-<trans-unit id="s79108cb25e7bf07b">
-  <source>Opens the new invitation wizard, which will create a new enrollment flow and invitation stage.</source>
-</trans-unit>
-<trans-unit id="sb7809157a3ccf613">
-  <source>with New Enrollment Flow and Invitation Stage...</source>
-</trans-unit>
-<trans-unit id="seb418067e7d6c6e2">
-  <source>Create a new invitation with an enrollment flow.</source>
-</trans-unit>
-<trans-unit id="sfd74a380e957d0d3">
-  <source>Enrollment Flow</source>
-</trans-unit>
-<trans-unit id="scc869d556216d748">
-  <source>Invitation Details</source>
-</trans-unit>
-<trans-unit id="se1fba44a9b284052">
-  <source>Invitation Link</source>
-</trans-unit>
-<trans-unit id="s967a2db7049dc90e">
-  <source><x id="0" equiv-text="${step}"/> failed</source>
-</trans-unit>
-<trans-unit id="s971d4cc0ecd106b7">
-  <source>Importing enrollment flow blueprint</source>
-</trans-unit>
-<trans-unit id="sf3b89a70e20af6c8">
-  <source>Blueprint validation failed</source>
-</trans-unit>
-<trans-unit id="sa04b7204708f4f74">
-  <source>Flow with slug "<x id="0" equiv-text="${slugToLookup}"/>" not found after import</source>
-</trans-unit>
-<trans-unit id="s3354be88ad29d171">
-  <source>Creating invitation</source>
-</trans-unit>
-<trans-unit id="s07f41353777196ea">
-  <source>The flow selected in the previous step. The invitation will be bound to this flow.</source>
-</trans-unit>
-<trans-unit id="s7209a11f97da9aff">
-  <source>No invitation available to send</source>
-</trans-unit>
-<trans-unit id="s2772d8285b905006">
-  <source>Failed to queue invitation emails</source>
-</trans-unit>
-<trans-unit id="s3b7910ab9c47a2e3">
-  <source>No enrollment flows with invitation stages found</source>
-</trans-unit>
-<trans-unit id="sa3ca03297e00591c">
-  <source>You can create a new enrollment flow and invitation stage right here, or cancel and bind an invitation stage to an existing flow manually.</source>
-</trans-unit>
-<trans-unit id="s06db43e56ca76be8">
-  <source>Create a new enrollment flow</source>
-</trans-unit>
-<trans-unit id="s8acc687c55e8ccbf">
-  <source>Only enrollment flows that have an invitation stage bound to them are listed here.</source>
-</trans-unit>
-<trans-unit id="s5b3bafd8ffe553ec">
-  <source>Flow name</source>
-</trans-unit>
-<trans-unit id="s699cd34b0dcb4c56">
-  <source>Name for the new enrollment flow.</source>
-</trans-unit>
-<trans-unit id="s8fb6d1bb698d32a0">
-  <source>Flow slug</source>
-</trans-unit>
-<trans-unit id="s0211c07612cf8c97">
-  <source>Invitation stage name</source>
-</trans-unit>
-<trans-unit id="s42b97ef63fb1a795">
-  <source>Name for the new invitation stage.</source>
-</trans-unit>
-<trans-unit id="saaa9fd0d3ebc35aa">
-  <source>Enrolled users are created as external (e.g. customers, guests). New users will be placed under users/external.</source>
-</trans-unit>
-<trans-unit id="s726dff63487da085">
-  <source>Enrolled users are created as internal (e.g. employees). New users will be placed under users/internal.</source>
-</trans-unit>
-<trans-unit id="sc1358130ac327120">
-  <source>If enabled, the stage will jump to the next stage when no invitation is given. If disabled, the flow will be cancelled without a valid invitation.</source>
-</trans-unit>
-<trans-unit id="s09fdd952c6eaf7da">
-  <source>No invitation was created.</source>
-</trans-unit>
-<trans-unit id="s00febd85a4889bb1">
-  <source>Redirect the user to a static URL or another flow, optionally with all gathered context.</source>
-</trans-unit>
-<trans-unit id="sdbc1d47f0f0ed54d">
-  <source>The element could not be loaded. This may be due to a missing import or a version mismatch.</source>
-</trans-unit>
-<trans-unit id="scf8a3d48f9969535">
-  <source>An element could not be loaded. Please try refreshing the page or clearing your cache.</source>
-</trans-unit>
-<trans-unit id="se2f00b2619675217">
-  <source>Failed to load element</source>
-</trans-unit>
-<trans-unit id="s1cf2298d92c327a6">
-  <source>My Applications</source>
-</trans-unit>
-<trans-unit id="s2656433a3b1f7e86">
-  <source>My applications</source>
+<trans-unit id="s190cbdd5b62e4746">
+  <source>User Dashboard</source>
 </trans-unit>
 </body>
 </file>
--- a/web/xliff/de_DE.xlf
+++ b/web/xliff/de_DE.xlf
--- a/web/xliff/en.xlf
+++ b/web/xliff/en.xlf
@@ -4832,6 +4832,15 @@ doesn't pass when either or both of the selected options are equal or above the
 <trans-unit id="s5fbaeb14f42815e5">
  <source>Authenticator Attachment</source>
 </trans-unit>
+<trans-unit id="s502d2473587032e1">
+  <source>No preference is sent</source>
+</trans-unit>
+<trans-unit id="s60cc554fde2676cb">
+  <source>A non-removable authenticator, like TouchID or Windows Hello</source>
+</trans-unit>
+<trans-unit id="sdf1d8edef27236f0">
+  <source>A "roaming" authenticator, like a YubiKey</source>
+</trans-unit>
 <trans-unit id="sbd65aeeb8a3b9bbc">
  <source>Maximum registration attempts</source>
 </trans-unit>
@@ -5084,6 +5093,9 @@ doesn't pass when either or both of the selected options are equal or above the
 <trans-unit id="s59691290a232c687">
  <source>Selected policies are executed when the stage is submitted to validate the data.</source>
 </trans-unit>
+<trans-unit id="sc487e11d5987dbb4">
+  <source>Redirect the user to another flow, potentially with all gathered context</source>
+</trans-unit>
 <trans-unit id="sad9d5481474d4f5b">
  <source>Static</source>
 </trans-unit>
@@ -9065,6 +9077,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sdcd1a9744efdbd7e">
  <source>Choose Policy Type</source>
 </trans-unit>
+<trans-unit id="sf4eb7c0c8e92e6b2">
+  <source>Whether the launch URL will open in a new browser tab or window from the user's application library.</source>
+</trans-unit>
+<trans-unit id="s8ab0176c9cf77b1a">
+  <source>Hide from User Dashboard</source>
+</trans-unit>
+<trans-unit id="s0b5847edb7150911">
+  <source>Whether this application will be shown on the User Dashboard.</source>
+</trans-unit>
 <trans-unit id="saa5ed8446baaba70">
  <source>Negate Result</source>
 </trans-unit>
@@ -9077,140 +9098,11 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s41938ae69656ef53">
  <source>User Fields</source>
 </trans-unit>
-<trans-unit id="s02b73793e5b4e1ba">
-  <source>This flag is deprecated.</source>
+<trans-unit id="s977b2dff8b9def14">
+  <source>User Dashboard - Applications</source>
 </trans-unit>
-<trans-unit id="s8655c52824caac63">
-  <source>If checked, the launch URL will open in a new browser tab or window from the user's application library.</source>
-</trans-unit>
-<trans-unit id="s9eda7101f63a8652">
-  <source>Hide from My applications</source>
-</trans-unit>
-<trans-unit id="s30f30e9c42594a33">
-  <source>If checked, this application will not be shown on the user's My applications page.</source>
-</trans-unit>
-<trans-unit id="sc98037ccab57d329">
-  <source>No preference: the browser may offer any available authenticator</source>
-</trans-unit>
-<trans-unit id="s4611c85865abcba9">
-  <source>Platform: a non-removable authenticator built into the device, such as Touch ID, Face ID, or Windows Hello</source>
-</trans-unit>
-<trans-unit id="s0003d0e3fcdacabc">
-  <source>Cross-platform: a roaming authenticator, such as a YubiKey or Google Titan</source>
-</trans-unit>
-<trans-unit id="sc157c7dcb3d1b096">
-  <source>Controls the authenticatorAttachment parameter sent to the browser during WebAuthn registration. If Hints are configured and this is left as 'No preference', a value is inferred from the selected hints for backward compatibility with older browsers.</source>
-</trans-unit>
-<trans-unit id="s1baea1b8ac34d554">
-  <source>New Invitation</source>
-</trans-unit>
-<trans-unit id="s03eef6107e28d042">
-  <source>New Invitation options</source>
-</trans-unit>
-<trans-unit id="s0832ff81b9665e6f">
-  <source>Opens the new invitation wizard and binds the invitation to an existing enrollment flow.</source>
-</trans-unit>
-<trans-unit id="sc0819dc3d82d9320">
-  <source>with Existing Enrollment Flow...</source>
-</trans-unit>
-<trans-unit id="s79108cb25e7bf07b">
-  <source>Opens the new invitation wizard, which will create a new enrollment flow and invitation stage.</source>
-</trans-unit>
-<trans-unit id="sb7809157a3ccf613">
-  <source>with New Enrollment Flow and Invitation Stage...</source>
-</trans-unit>
-<trans-unit id="seb418067e7d6c6e2">
-  <source>Create a new invitation with an enrollment flow.</source>
-</trans-unit>
-<trans-unit id="sfd74a380e957d0d3">
-  <source>Enrollment Flow</source>
-</trans-unit>
-<trans-unit id="scc869d556216d748">
-  <source>Invitation Details</source>
-</trans-unit>
-<trans-unit id="se1fba44a9b284052">
-  <source>Invitation Link</source>
-</trans-unit>
-<trans-unit id="s967a2db7049dc90e">
-  <source><x id="0" equiv-text="${step}"/> failed</source>
-</trans-unit>
-<trans-unit id="s971d4cc0ecd106b7">
-  <source>Importing enrollment flow blueprint</source>
-</trans-unit>
-<trans-unit id="sf3b89a70e20af6c8">
-  <source>Blueprint validation failed</source>
-</trans-unit>
-<trans-unit id="sa04b7204708f4f74">
-  <source>Flow with slug "<x id="0" equiv-text="${slugToLookup}"/>" not found after import</source>
-</trans-unit>
-<trans-unit id="s3354be88ad29d171">
-  <source>Creating invitation</source>
-</trans-unit>
-<trans-unit id="s07f41353777196ea">
-  <source>The flow selected in the previous step. The invitation will be bound to this flow.</source>
-</trans-unit>
-<trans-unit id="s7209a11f97da9aff">
-  <source>No invitation available to send</source>
-</trans-unit>
-<trans-unit id="s2772d8285b905006">
-  <source>Failed to queue invitation emails</source>
-</trans-unit>
-<trans-unit id="s3b7910ab9c47a2e3">
-  <source>No enrollment flows with invitation stages found</source>
-</trans-unit>
-<trans-unit id="sa3ca03297e00591c">
-  <source>You can create a new enrollment flow and invitation stage right here, or cancel and bind an invitation stage to an existing flow manually.</source>
-</trans-unit>
-<trans-unit id="s06db43e56ca76be8">
-  <source>Create a new enrollment flow</source>
-</trans-unit>
-<trans-unit id="s8acc687c55e8ccbf">
-  <source>Only enrollment flows that have an invitation stage bound to them are listed here.</source>
-</trans-unit>
-<trans-unit id="s5b3bafd8ffe553ec">
-  <source>Flow name</source>
-</trans-unit>
-<trans-unit id="s699cd34b0dcb4c56">
-  <source>Name for the new enrollment flow.</source>
-</trans-unit>
-<trans-unit id="s8fb6d1bb698d32a0">
-  <source>Flow slug</source>
-</trans-unit>
-<trans-unit id="s0211c07612cf8c97">
-  <source>Invitation stage name</source>
-</trans-unit>
-<trans-unit id="s42b97ef63fb1a795">
-  <source>Name for the new invitation stage.</source>
-</trans-unit>
-<trans-unit id="saaa9fd0d3ebc35aa">
-  <source>Enrolled users are created as external (e.g. customers, guests). New users will be placed under users/external.</source>
-</trans-unit>
-<trans-unit id="s726dff63487da085">
-  <source>Enrolled users are created as internal (e.g. employees). New users will be placed under users/internal.</source>
-</trans-unit>
-<trans-unit id="sc1358130ac327120">
-  <source>If enabled, the stage will jump to the next stage when no invitation is given. If disabled, the flow will be cancelled without a valid invitation.</source>
-</trans-unit>
-<trans-unit id="s09fdd952c6eaf7da">
-  <source>No invitation was created.</source>
-</trans-unit>
-<trans-unit id="s00febd85a4889bb1">
-  <source>Redirect the user to a static URL or another flow, optionally with all gathered context.</source>
-</trans-unit>
-<trans-unit id="sdbc1d47f0f0ed54d">
-  <source>The element could not be loaded. This may be due to a missing import or a version mismatch.</source>
-</trans-unit>
-<trans-unit id="scf8a3d48f9969535">
-  <source>An element could not be loaded. Please try refreshing the page or clearing your cache.</source>
-</trans-unit>
-<trans-unit id="se2f00b2619675217">
-  <source>Failed to load element</source>
-</trans-unit>
-<trans-unit id="s1cf2298d92c327a6">
-  <source>My Applications</source>
-</trans-unit>
-<trans-unit id="s2656433a3b1f7e86">
-  <source>My applications</source>
+<trans-unit id="s190cbdd5b62e4746">
+  <source>User Dashboard</source>
 </trans-unit>
 </body>
 </file>
--- a/web/xliff/es-ES.xlf
+++ b/web/xliff/es-ES.xlf
@@ -6219,6 +6219,18 @@ El valor de este campo se compara con el atributo de pertenencia del usuario.</t
  <source>Authenticator Attachment</source>
  <target>Adjunto de Autenticador</target>
 </trans-unit>
+<trans-unit id="s502d2473587032e1">
+  <source>No preference is sent</source>
+  <target>No se envía ninguna preferencia</target>
+</trans-unit>
+<trans-unit id="s60cc554fde2676cb">
+  <source>A non-removable authenticator, like TouchID or Windows Hello</source>
+  <target>Un autenticador no extraíble, como TouchID o Windows Hello</target>
+</trans-unit>
+<trans-unit id="sdf1d8edef27236f0">
+  <source>A "roaming" authenticator, like a YubiKey</source>
+  <target>Un autenticador "roaming", como una YubiKey</target>
+</trans-unit>
 <trans-unit id="sbd65aeeb8a3b9bbc">
  <source>Maximum registration attempts</source>
  <target>Intentos máximos de registro</target>
@@ -6552,6 +6564,10 @@ El valor de este campo se compara con el atributo de pertenencia del usuario.</t
  <source>Selected policies are executed when the stage is submitted to validate the data.</source>
  <target>Las políticas seleccionadas se ejecutan cuando se envía la etapa para validar los datos.</target>
 </trans-unit>
+<trans-unit id="sc487e11d5987dbb4">
+  <source>Redirect the user to another flow, potentially with all gathered context</source>
+  <target>Redirigir al usuario a otro flujo, potencialmente con todo el contexto recopilado</target>
+</trans-unit>
 <trans-unit id="sad9d5481474d4f5b">
  <source>Static</source>
  <target>Estático</target>
@@ -11005,6 +11021,15 @@ Las vinculaciones a grupos/usuarios se verifican en función del usuario del eve
 <trans-unit id="sdcd1a9744efdbd7e">
  <source>Choose Policy Type</source>
 </trans-unit>
+<trans-unit id="sf4eb7c0c8e92e6b2">
+  <source>Whether the launch URL will open in a new browser tab or window from the user's application library.</source>
+</trans-unit>
+<trans-unit id="s8ab0176c9cf77b1a">
+  <source>Hide from User Dashboard</source>
+</trans-unit>
+<trans-unit id="s0b5847edb7150911">
+  <source>Whether this application will be shown on the User Dashboard.</source>
+</trans-unit>
 <trans-unit id="saa5ed8446baaba70">
  <source>Negate Result</source>
 </trans-unit>
@@ -11017,140 +11042,11 @@ Las vinculaciones a grupos/usuarios se verifican en función del usuario del eve
 <trans-unit id="s41938ae69656ef53">
  <source>User Fields</source>
 </trans-unit>
-<trans-unit id="s02b73793e5b4e1ba">
-  <source>This flag is deprecated.</source>
+<trans-unit id="s977b2dff8b9def14">
+  <source>User Dashboard - Applications</source>
 </trans-unit>
-<trans-unit id="s8655c52824caac63">
-  <source>If checked, the launch URL will open in a new browser tab or window from the user's application library.</source>
-</trans-unit>
-<trans-unit id="s9eda7101f63a8652">
-  <source>Hide from My applications</source>
-</trans-unit>
-<trans-unit id="s30f30e9c42594a33">
-  <source>If checked, this application will not be shown on the user's My applications page.</source>
-</trans-unit>
-<trans-unit id="sc98037ccab57d329">
-  <source>No preference: the browser may offer any available authenticator</source>
-</trans-unit>
-<trans-unit id="s4611c85865abcba9">
-  <source>Platform: a non-removable authenticator built into the device, such as Touch ID, Face ID, or Windows Hello</source>
-</trans-unit>
-<trans-unit id="s0003d0e3fcdacabc">
-  <source>Cross-platform: a roaming authenticator, such as a YubiKey or Google Titan</source>
-</trans-unit>
-<trans-unit id="sc157c7dcb3d1b096">
-  <source>Controls the authenticatorAttachment parameter sent to the browser during WebAuthn registration. If Hints are configured and this is left as 'No preference', a value is inferred from the selected hints for backward compatibility with older browsers.</source>
-</trans-unit>
-<trans-unit id="s1baea1b8ac34d554">
-  <source>New Invitation</source>
-</trans-unit>
-<trans-unit id="s03eef6107e28d042">
-  <source>New Invitation options</source>
-</trans-unit>
-<trans-unit id="s0832ff81b9665e6f">
-  <source>Opens the new invitation wizard and binds the invitation to an existing enrollment flow.</source>
-</trans-unit>
-<trans-unit id="sc0819dc3d82d9320">
-  <source>with Existing Enrollment Flow...</source>
-</trans-unit>
-<trans-unit id="s79108cb25e7bf07b">
-  <source>Opens the new invitation wizard, which will create a new enrollment flow and invitation stage.</source>
-</trans-unit>
-<trans-unit id="sb7809157a3ccf613">
-  <source>with New Enrollment Flow and Invitation Stage...</source>
-</trans-unit>
-<trans-unit id="seb418067e7d6c6e2">
-  <source>Create a new invitation with an enrollment flow.</source>
-</trans-unit>
-<trans-unit id="sfd74a380e957d0d3">
-  <source>Enrollment Flow</source>
-</trans-unit>
-<trans-unit id="scc869d556216d748">
-  <source>Invitation Details</source>
-</trans-unit>
-<trans-unit id="se1fba44a9b284052">
-  <source>Invitation Link</source>
-</trans-unit>
-<trans-unit id="s967a2db7049dc90e">
-  <source><x id="0" equiv-text="${step}"/> failed</source>
-</trans-unit>
-<trans-unit id="s971d4cc0ecd106b7">
-  <source>Importing enrollment flow blueprint</source>
-</trans-unit>
-<trans-unit id="sf3b89a70e20af6c8">
-  <source>Blueprint validation failed</source>
-</trans-unit>
-<trans-unit id="sa04b7204708f4f74">
-  <source>Flow with slug "<x id="0" equiv-text="${slugToLookup}"/>" not found after import</source>
-</trans-unit>
-<trans-unit id="s3354be88ad29d171">
-  <source>Creating invitation</source>
-</trans-unit>
-<trans-unit id="s07f41353777196ea">
-  <source>The flow selected in the previous step. The invitation will be bound to this flow.</source>
-</trans-unit>
-<trans-unit id="s7209a11f97da9aff">
-  <source>No invitation available to send</source>
-</trans-unit>
-<trans-unit id="s2772d8285b905006">
-  <source>Failed to queue invitation emails</source>
-</trans-unit>
-<trans-unit id="s3b7910ab9c47a2e3">
-  <source>No enrollment flows with invitation stages found</source>
-</trans-unit>
-<trans-unit id="sa3ca03297e00591c">
-  <source>You can create a new enrollment flow and invitation stage right here, or cancel and bind an invitation stage to an existing flow manually.</source>
-</trans-unit>
-<trans-unit id="s06db43e56ca76be8">
-  <source>Create a new enrollment flow</source>
-</trans-unit>
-<trans-unit id="s8acc687c55e8ccbf">
-  <source>Only enrollment flows that have an invitation stage bound to them are listed here.</source>
-</trans-unit>
-<trans-unit id="s5b3bafd8ffe553ec">
-  <source>Flow name</source>
-</trans-unit>
-<trans-unit id="s699cd34b0dcb4c56">
-  <source>Name for the new enrollment flow.</source>
-</trans-unit>
-<trans-unit id="s8fb6d1bb698d32a0">
-  <source>Flow slug</source>
-</trans-unit>
-<trans-unit id="s0211c07612cf8c97">
-  <source>Invitation stage name</source>
-</trans-unit>
-<trans-unit id="s42b97ef63fb1a795">
-  <source>Name for the new invitation stage.</source>
-</trans-unit>
-<trans-unit id="saaa9fd0d3ebc35aa">
-  <source>Enrolled users are created as external (e.g. customers, guests). New users will be placed under users/external.</source>
-</trans-unit>
-<trans-unit id="s726dff63487da085">
-  <source>Enrolled users are created as internal (e.g. employees). New users will be placed under users/internal.</source>
-</trans-unit>
-<trans-unit id="sc1358130ac327120">
-  <source>If enabled, the stage will jump to the next stage when no invitation is given. If disabled, the flow will be cancelled without a valid invitation.</source>
-</trans-unit>
-<trans-unit id="s09fdd952c6eaf7da">
-  <source>No invitation was created.</source>
-</trans-unit>
-<trans-unit id="s00febd85a4889bb1">
-  <source>Redirect the user to a static URL or another flow, optionally with all gathered context.</source>
-</trans-unit>
-<trans-unit id="sdbc1d47f0f0ed54d">
-  <source>The element could not be loaded. This may be due to a missing import or a version mismatch.</source>
-</trans-unit>
-<trans-unit id="scf8a3d48f9969535">
-  <source>An element could not be loaded. Please try refreshing the page or clearing your cache.</source>
-</trans-unit>
-<trans-unit id="se2f00b2619675217">
-  <source>Failed to load element</source>
-</trans-unit>
-<trans-unit id="s1cf2298d92c327a6">
-  <source>My Applications</source>
-</trans-unit>
-<trans-unit id="s2656433a3b1f7e86">
-  <source>My applications</source>
+<trans-unit id="s190cbdd5b62e4746">
+  <source>User Dashboard</source>
 </trans-unit>
 </body>
 </file>
--- a/web/xliff/es_ES.xlf
+++ b/web/xliff/es_ES.xlf
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Dominic R	a109569da0	Apply suggestion from @dominic-r Signed-off-by: Dominic R <dominic@goauthentik.io>	2026-05-07 13:48:16 -04:00
Dominic R	5e1f7eaa7a	Apply suggestion from @dominic-r Signed-off-by: Dominic R <dominic@goauthentik.io>	2026-05-07 13:47:49 -04:00
Dominic R	b779673080	root: tighten AGENTS.md guidance on sensitive content	2026-05-05 19:28:47 -04:00
Dominic R	0b6841867f	root: add AGENTS.md	2026-05-05 19:26:05 -04:00