update node version

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>

.devcontainer/Dockerfile

@@ -0,0 +1,63 @@
+# syntax=docker/dockerfile:1
+
+# Start from the same FIPS Python base as production (python-base stage)
+FROM ghcr.io/goauthentik/fips-python:3.13.9-slim-trixie-fips@sha256:700fc8c1e290bd14e5eaca50b1d8e8c748c820010559cbfb4c4f8dfbe2c4c9ff
+
+USER root
+
+# Setup environment matching production python-base stage
+ENV VENV_PATH="/ak-root/.venv" \
+    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
+    UV_COMPILE_BYTECODE=1 \
+    UV_LINK_MODE=copy \
+    UV_NATIVE_TLS=1 \
+    UV_PYTHON_DOWNLOADS=0
+
+WORKDIR /ak-root
+
+# Copy uv package manager
+COPY --from=ghcr.io/astral-sh/uv:0.9.7@sha256:ba4857bf2a068e9bc0e64eed8563b065908a4cd6bfb66b531a9c424c8e25e142 /uv /uvx /bin/
+
+# Install build dependencies
+RUN rm -f /etc/apt/apt.conf.d/docker-clean && \
+    echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends \
+    # Build essentials
+    build-essential pkg-config libffi-dev git binutils \
+    # cryptography
+    curl \
+    # libxml
+    libxslt-dev zlib1g-dev \
+    # postgresql
+    libpq-dev \
+    # python-kadmin-rs and kerberos testing
+    clang libkrb5-dev sccache krb5-kdc krb5-admin-server \
+    # xmlsec
+    libltdl-dev \
+    # runit (for chpst command used by lifecycle/ak)
+    runit \
+    # sudo (required by devcontainer features)
+    sudo && \
+    rm -rf /var/lib/apt/lists/*
+
+# Environment for building native Python packages
+ENV UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec" \
+    RUSTUP_PERMIT_COPY_RENAME="true"
+
+# Create authentik user with proper home directory (required for devcontainer features)
+RUN adduser --disabled-password --gecos "" --uid 1000 --home /home/authentik authentik && \
+    mkdir -p /certs /media /ak-root && \
+    chown -R authentik:authentik /certs /media /ak-root /home/authentik && \
+    echo "authentik ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/authentik
+
+# FIPS configuration for Go development
+# Don't set GOFIPS/GOFIPS140 globally to avoid breaking Go tools like docker-compose
+# These will be set when building/running authentik Go code (see lifecycle/ak and Makefile)
+ENV CGO_ENABLED=1
+
+# Set TMPDIR for PID files and temp data
+# Use /tmp instead of /dev/shm for development because go run needs to execute binaries
+ENV TMPDIR=/tmp
+
+USER authentik

.devcontainer/devcontainer.json

@@ -0,0 +1,68 @@
+{
+    "name": "authentik",
+    "dockerComposeFile": "docker-compose.yml",
+    "service": "app",
+    "workspaceFolder": "/ak-root",
+    "containerUser": "authentik",
+    "remoteUser": "authentik",
+    "shutdownAction": "stopCompose",
+    "containerEnv": {
+        "LOCAL_PROJECT_DIR": "/ak-root"
+    },
+    "features": {
+        "ghcr.io/devcontainers/features/go:1": {
+            "version": "1.24"
+        },
+        "ghcr.io/devcontainers/features/node:1": {
+            "version": "24"
+        },
+        "ghcr.io/devcontainers/features/rust:1": {
+            "version": "latest"
+        },
+        "ghcr.io/devcontainers/features/docker-in-docker:2": {
+            "version": "latest",
+            "moby": false
+        }
+    },
+    "mounts": [],
+    "forwardPorts": [9000, 9443],
+    "portsAttributes": {
+        "8000": {
+            "onAutoForward": "ignore"
+        },
+        "3963": {
+            "onAutoForward": "ignore"
+        },
+        "35151": {
+            "onAutoForward": "ignore"
+        },
+        "9901": {
+            "onAutoForward": "ignore"
+        }
+    },
+    "postCreateCommand": "bash .devcontainer/setup.sh",
+    "customizations": {
+        "vscode": {
+            "extensions": [
+                "EditorConfig.EditorConfig",
+                "bashmish.es6-string-css",
+                "dbaeumer.vscode-eslint",
+                "esbenp.prettier-vscode",
+                "golang.go",
+                "Gruntfuggly.todo-tree",
+                "ms-python.black-formatter",
+                "ms-python.isort",
+                "ms-python.pylint",
+                "ms-python.python",
+                "ms-python.vscode-pylance",
+                "redhat.vscode-yaml",
+                "Tobermory.es6-string-html",
+                "charliermarsh.ruff"
+            ],
+            "settings": {
+                "python.defaultInterpreterPath": "/ak-root/.venv/bin/python",
+                "python.terminal.activateEnvironment": true
+            }
+        }
+    }
+}

.devcontainer/docker-compose.yml

@@ -0,0 +1,50 @@
+services:
+  app:
+    build:
+      context: ..
+      dockerfile: .devcontainer/Dockerfile
+    user: authentik
+    privileged: true
+    volumes:
+      - ../:/ak-root
+    entrypoint: []
+    command: sleep infinity
+    depends_on:
+      postgresql:
+        condition: service_healthy
+    env_file: .env
+    environment:
+      PATH: "/ak-root/.venv/bin:${PATH}"
+    ports:
+      - "9000:9000"
+      - "9443:9443"
+
+  postgresql:
+    image: docker.io/library/postgres:16
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d authentik -U postgres"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 20s
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+    env_file: .env
+    command: ["postgres", "-c", "log_statement=all", "-c", "log_destination=stderr"]
+
+  s3:
+    image: docker.io/zenko/cloudserver
+    env_file: .env
+    environment:
+      REMOTE_MANAGEMENT_DISABLE: "1"
+    ports:
+      - "8020:8000"
+    volumes:
+      - s3-data:/usr/src/app/localData
+      - s3-metadata:/usr/src/app/localMetadata
+
+volumes:
+  postgres-data:
+  s3-data:
+  s3-metadata:

.devcontainer/setup.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -e
+
+echo "======================================"
+echo "Running authentik devcontainer setup"
+echo "======================================"
+
+echo ""
+echo "Step 1/5: Installing dependencies"
+make install
+
+echo ""
+echo "Step 2/5: Generating development config"
+make gen-dev-config
+
+echo ""
+echo "Step 3/5: Running database migrations"
+make migrate
+
+echo ""
+echo "Step 4/5: Generating API clients"
+make gen
+
+echo ""
+echo "Step 5/5: Building web assets"
+make web
+
+echo ""
+echo "======================================"
+echo "Setup complete!"
+echo "======================================"
+echo ""
+echo "You can now run:"
+echo "  - 'make run-server' to start the backend server"
+echo "  - 'make run-worker' to start the worker (must be ran once after initial setup)"
+echo "  - 'make web-watch' for live web development"
+echo ""

Makefile

@@ -46,7 +46,7 @@ help:  ## Show this help
 	@echo ""
 
 go-test:
-	go test -timeout 0 -v -race -cover ./...
+	GOFIPS140=latest CGO_ENABLED=1 go test -timeout 0 -v -race -cover ./...
 
 test: ## Run the server tests and produce a coverage report (locally)
 	$(KRB_PATH) uv run coverage run manage.py test --keepdb $(or $(filter-out $@,$(MAKECMDGOALS)),authentik)

authentik/__init__.py

@@ -3,7 +3,7 @@
 from functools import lru_cache
 from os import environ
 
-VERSION = "2025.12.0-rc1"
+VERSION = "2026.2.0-rc1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2025.12.0-rc1 Blueprint schema",
+    "title": "authentik 2026.2.0-rc1 Blueprint schema",
     "required": [
         "version",
         "entries"
@@ -14510,7 +14510,8 @@
                     "description": "Show the user the 'Remember me on this device' toggle, allowing repeat users to skip straight to entering their password."
                 },
                 "webauthn_stage": {
-                    "type": "integer",
+                    "type": "string",
+                    "format": "uuid",
                     "title": "Webauthn stage",
                     "description": "When set, and conditional WebAuthn is available, allow the user to use their passkey as a first factor."
                 }

docker-compose.yml

@@ -31,7 +31,7 @@ services:
       AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
       AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
       AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.12.0-rc1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.2.0-rc1}
     ports:
     - ${COMPOSE_PORT_HTTP:-9000}:9000
     - ${COMPOSE_PORT_HTTPS:-9443}:9443
@@ -52,7 +52,7 @@ services:
       AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
       AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
       AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.12.0-rc1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.2.0-rc1}
     restart: unless-stopped
     user: root
     volumes:

internal/constants/VERSION

@@ -1 +1 @@
-2025.12.0-rc1
+2026.2.0-rc1

internal/outpost/proxyv2/refresh.go

@@ -28,7 +28,7 @@ func (ps *ProxyServer) Refresh() error {
 		return err
 	}
 	ps.log.WithField("count", len(providers)).Debug("Fetched providers")
-	if len(providers) == 0 {
+	if len(providers) == 0 && !ps.akAPI.IsEmbedded() {
 		ps.log.Warning("No providers assigned to this outpost, check outpost configuration in authentik")
 	}
 	for i, p := range providers {

lifecycle/ak

@@ -38,14 +38,14 @@ function check_if_root {
     chown -R authentik:authentik /media /certs "${PROMETHEUS_MULTIPROC_DIR}"
     chmod ug+rwx /media
     chmod ug+rx /certs
-    exec chpst -u authentik:$GROUP env HOME=/authentik $1
+    exec chpst -u authentik:$GROUP env HOME=/authentik PATH="$PATH" $1
 }
 
 function run_authentik {
     if [[ -x "$(command -v authentik)" ]]; then
         exec authentik $@
     else
-        exec go run -v ./cmd/server/ $@
+        exec env GOFIPS140=latest CGO_ENABLED=1 go run -v ./cmd/server/ $@
     fi
 }
 

lifecycle/aws/package-lock.json

@@ -9,7 +9,7 @@
             "version": "0.0.0",
             "license": "MIT",
             "devDependencies": {
-                "aws-cdk": "^2.1033.0",
+                "aws-cdk": "^2.1034.0",
                 "cross-env": "^10.1.0"
             },
             "engines": {
@@ -25,9 +25,9 @@
             "license": "MIT"
         },
         "node_modules/aws-cdk": {
-            "version": "2.1033.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1033.0.tgz",
-            "integrity": "sha512-Pit2k7cVAwxoYI7RMVsOyltuy7/HGENLupJ4KAm/d8mGzOfX+SLOo9YQsx5CKY9J6ErCZ1ViLerklTfjytvQww==",
+            "version": "2.1034.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1034.0.tgz",
+            "integrity": "sha512-YsIeXmMP/9eGml/eoPs64kHzNR0IVezzwuH0XrLOtUCjYNb80cmmjoCNsMn96u9rJOte1Yg3jitrHi1wTqXAqw==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {

lifecycle/aws/package.json

@@ -7,7 +7,7 @@
         "aws-cfn": "cross-env CI=false cdk synth --version-reporting=false > template.yaml"
     },
     "devDependencies": {
-        "aws-cdk": "^2.1033.0",
+        "aws-cdk": "^2.1034.0",
         "cross-env": "^10.1.0"
     },
     "engines": {

lifecycle/aws/template.yaml

@@ -18,7 +18,7 @@ Parameters:
     Description: authentik Docker image
   AuthentikVersion:
     Type: String
-    Default: 2025.12.0-rc1
+    Default: 2026.2.0-rc1
     Description: authentik Docker image tag
   AuthentikServerCPU:
     Type: Number

package-lock.json

@@ -1,12 +1,12 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2025.12.0-rc1",
+    "version": "2026.2.0-rc1",
     "lockfileVersion": 3,
     "requires": true,
     "packages": {
         "": {
             "name": "@goauthentik/authentik",
-            "version": "2025.12.0-rc1",
+            "version": "2026.2.0-rc1",
             "dependencies": {
                 "@eslint/js": "^9.39.1",
                 "@goauthentik/eslint-config": "./packages/eslint-config",

package.json

@@ -1,6 +1,6 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2025.12.0-rc1",
+    "version": "2026.2.0-rc1",
     "private": true,
     "type": "module",
     "dependencies": {

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "authentik"
-version = "2025.12.0-rc1"
+version = "2026.2.0-rc1"
 description = ""
 authors = [{ name = "authentik Team", email = "hello@goauthentik.io" }]
 requires-python = "==3.13.*"

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2025.12.0-rc1
+  version: 2026.2.0-rc1
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io

scripts/api/docker-compose.yml

@@ -5,11 +5,11 @@ services:
     restart: never
     network_mode: none
     volumes:
-      - ../../:/local
+      - ${LOCAL_PROJECT_DIR:-../../}:/local
 
   gen:
     image: docker.io/openapitools/openapi-generator-cli:v7.16.0
     restart: never
     network_mode: none
     volumes:
-      - ../../:/local
+      - ${LOCAL_PROJECT_DIR:-../../}:/local

tests/e2e/utils.py

@@ -23,8 +23,10 @@ from docker.models.containers import Container
 from docker.models.networks import Network
 from selenium import webdriver
 from selenium.common.exceptions import (
+    DetachedShadowRootException,
     NoSuchElementException,
     NoSuchShadowRootException,
+    StaleElementReferenceException,
     TimeoutException,
     WebDriverException,
 )
@@ -326,18 +328,23 @@ class SeleniumTestCase(DockerTestCase, StaticLiveServerTestCase):
 
         while attempts < SHADOW_ROOT_RETRIES:
             try:
+                host = container.find_element(By.CSS_SELECTOR, selector)
                 return host.shadow_root
-            except NoSuchShadowRootException:
+            except (
+                NoSuchElementException,
+                NoSuchShadowRootException,
+                DetachedShadowRootException,
+                StaleElementReferenceException,
+            ):
                 attempts += 1
                 sleep(0.2)
-                # re-find host in case it was re-attached
-                try:
-                    host = container.find_element(By.CSS_SELECTOR, selector)
-                except NoSuchElementException:
-                    # loop and retry finding host
-                    pass
 
-        inner_html = host.get_attribute("innerHTML") or "<no host>"
+        inner_html = "<no host>"
+        if host is not None:
+            try:
+                inner_html = host.get_attribute("innerHTML") or "<no host>"
+            except (DetachedShadowRootException, StaleElementReferenceException):
+                inner_html = "<stale host>"
 
         raise RuntimeError(
             f"Failed to obtain shadow root for {selector} after {attempts} attempts. "

uv.lock

@@ -185,7 +185,7 @@ wheels = [
 
 [[package]]
 name = "authentik"
-version = "2025.12.0rc1"
+version = "2026.2.0rc1"
 source = { editable = "." }
 dependencies = [
     { name = "ak-guardian" },

web/package-lock.json

@@ -1,12 +1,12 @@
 {
     "name": "@goauthentik/web",
-    "version": "2025.12.0-rc1",
+    "version": "2026.2.0-rc1",
     "lockfileVersion": 3,
     "requires": true,
     "packages": {
         "": {
             "name": "@goauthentik/web",
-            "version": "2025.12.0-rc1",
+            "version": "2026.2.0-rc1",
             "license": "MIT",
             "workspaces": [
                 "./packages/*"
@@ -44,10 +44,10 @@
                 "@patternfly/patternfly": "^4.224.2",
                 "@playwright/test": "^1.57.0",
                 "@sentry/browser": "^10.29.0",
-                "@storybook/addon-docs": "^10.1.6",
-                "@storybook/addon-links": "^10.1.6",
-                "@storybook/web-components": "^10.1.6",
-                "@storybook/web-components-vite": "^10.1.6",
+                "@storybook/addon-docs": "^10.1.7",
+                "@storybook/addon-links": "^10.1.7",
+                "@storybook/web-components": "^10.1.7",
+                "@storybook/web-components-vite": "^10.1.7",
                 "@types/codemirror": "^5.60.17",
                 "@types/grecaptcha": "^3.0.9",
                 "@types/guacamole-common-js": "^1.5.5",
@@ -63,6 +63,7 @@
                 "change-case": "^5.4.4",
                 "chart.js": "^4.5.1",
                 "chartjs-adapter-date-fns": "^3.0.0",
+                "chromedriver": "143.0.1",
                 "codemirror": "^6.0.2",
                 "core-js": "^3.47.0",
                 "country-flag-icons": "^1.6.4",
@@ -91,8 +92,8 @@
                 "prettier": "^3.6.2",
                 "pseudolocale": "^2.2.0",
                 "rapidoc": "^9.3.8",
-                "react": "^19.2.0",
-                "react-dom": "^19.2.0",
+                "react": "^19.2.3",
+                "react-dom": "^19.2.3",
                 "rehype-highlight": "^7.0.2",
                 "rehype-mermaid": "^3.0.0",
                 "rehype-parse": "^9.0.1",
@@ -127,7 +128,7 @@
                 "@rollup/rollup-darwin-arm64": "^4.53.3",
                 "@rollup/rollup-linux-arm64-gnu": "^4.53.3",
                 "@rollup/rollup-linux-x64-gnu": "^4.53.3",
-                "chromedriver": "^143.0.0"
+                "chromedriver": "^143.0.1"
             }
         },
         "node_modules/@adobe/css-tools": {
@@ -3170,15 +3171,15 @@
             "license": "MIT"
         },
         "node_modules/@storybook/addon-docs": {
-            "version": "10.1.6",
-            "resolved": "https://registry.npmjs.org/@storybook/addon-docs/-/addon-docs-10.1.6.tgz",
-            "integrity": "sha512-+/hTCxh+qTgAmUKkGGwD3oQ+VKj9Li8TTU0jQl8tcUxX1490fo0q2Eov8dOnfV66cxHxd3RgKaB4KHOaHoj0jQ==",
+            "version": "10.1.7",
+            "resolved": "https://registry.npmjs.org/@storybook/addon-docs/-/addon-docs-10.1.7.tgz",
+            "integrity": "sha512-RNwz5jDjBhjST70BoxUCYVfT2sexTKsDSN2FcnBBJ2/sAtjKbTpX3p4PfFaeFqwhDc+6TCBUTxfO4BsAQXf5jw==",
             "license": "MIT",
             "dependencies": {
                 "@mdx-js/react": "^3.0.0",
-                "@storybook/csf-plugin": "10.1.6",
+                "@storybook/csf-plugin": "10.1.7",
                 "@storybook/icons": "^2.0.0",
-                "@storybook/react-dom-shim": "10.1.6",
+                "@storybook/react-dom-shim": "10.1.7",
                 "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0",
                 "react-dom": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0",
                 "ts-dedent": "^2.0.0"
@@ -3188,13 +3189,13 @@
                 "url": "https://opencollective.com/storybook"
             },
             "peerDependencies": {
-                "storybook": "^10.1.6"
+                "storybook": "^10.1.7"
             }
         },
         "node_modules/@storybook/addon-links": {
-            "version": "10.1.6",
-            "resolved": "https://registry.npmjs.org/@storybook/addon-links/-/addon-links-10.1.6.tgz",
-            "integrity": "sha512-koOvo7ny1TCVkZ9WCJ3PoOwWOv+mK5UOcWzAuiYf2LBAvMyOObX89dNdjvu+R77J4mRxY45XHJF0tgAzGKeHNQ==",
+            "version": "10.1.7",
+            "resolved": "https://registry.npmjs.org/@storybook/addon-links/-/addon-links-10.1.7.tgz",
+            "integrity": "sha512-Tgfa4FN3id8AoxBk0JbdqtWqEF8ky1FQeC3bkl7TACib9pUQfyvyvtFZKBw4lfOS1LvmrhrGy5cVp7GHmQ1Kfg==",
             "license": "MIT",
             "dependencies": {
                 "@storybook/global": "^5.0.0"
@@ -3205,7 +3206,7 @@
             },
             "peerDependencies": {
                 "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0",
-                "storybook": "^10.1.6"
+                "storybook": "^10.1.7"
             },
             "peerDependenciesMeta": {
                 "react": {
@@ -3214,12 +3215,12 @@
             }
         },
         "node_modules/@storybook/builder-vite": {
-            "version": "10.1.6",
-            "resolved": "https://registry.npmjs.org/@storybook/builder-vite/-/builder-vite-10.1.6.tgz",
-            "integrity": "sha512-dXfpSFmg8thg3uVCbZMPR36W36Ktd1MBW6Rl3rQOzDWaV2v0Qbp3s0QOgI8VIJ22L+JGN1TlSgsU2FMzH5xDKw==",
+            "version": "10.1.7",
+            "resolved": "https://registry.npmjs.org/@storybook/builder-vite/-/builder-vite-10.1.7.tgz",
+            "integrity": "sha512-UKmym/o20SJFYjbt/X1j39vORXwC1lkGHKD9JlR8UAwkRuGOoEktUIYYfB7cmrOKjdgf3Es8/SIu+lgbWWleew==",
             "license": "MIT",
             "dependencies": {
-                "@storybook/csf-plugin": "10.1.6",
+                "@storybook/csf-plugin": "10.1.7",
                 "@vitest/mocker": "3.2.4",
                 "ts-dedent": "^2.0.0"
             },
@@ -3228,14 +3229,14 @@
                 "url": "https://opencollective.com/storybook"
             },
             "peerDependencies": {
-                "storybook": "^10.1.6",
+                "storybook": "^10.1.7",
                 "vite": "^5.0.0 || ^6.0.0 || ^7.0.0"
             }
         },
         "node_modules/@storybook/csf-plugin": {
-            "version": "10.1.6",
-            "resolved": "https://registry.npmjs.org/@storybook/csf-plugin/-/csf-plugin-10.1.6.tgz",
-            "integrity": "sha512-PAxzfiPCJiEZx/u2AfJ85u+2XpNVs8Aw+MgECpZdFMcX7jUP21MtfAu5L+9sehv1HomFsytbuO+D3C3IkdJRrw==",
+            "version": "10.1.7",
+            "resolved": "https://registry.npmjs.org/@storybook/csf-plugin/-/csf-plugin-10.1.7.tgz",
+            "integrity": "sha512-mUWM3kFSQpm4At6+OJmmqiezjEdq+y9HD2abuiCVvnTDf7ftoMcv4EbKqf6DM5CXcOpqRDlRxwzEum+hbfh5ig==",
             "license": "MIT",
             "dependencies": {
                 "unplugin": "^2.3.5"
@@ -3247,7 +3248,7 @@
             "peerDependencies": {
                 "esbuild": "*",
                 "rollup": "*",
-                "storybook": "^10.1.6",
+                "storybook": "^10.1.7",
                 "vite": "*",
                 "webpack": "*"
             },
@@ -3283,9 +3284,9 @@
             }
         },
         "node_modules/@storybook/react-dom-shim": {
-            "version": "10.1.6",
-            "resolved": "https://registry.npmjs.org/@storybook/react-dom-shim/-/react-dom-shim-10.1.6.tgz",
-            "integrity": "sha512-hJI+mIDKioKMWL8YH32alkULmUW6A1iOljghF6fSLYI2TtGdfMLnoXogEnb0o11J8zhMUBXORrOGO0UL2+T69g==",
+            "version": "10.1.7",
+            "resolved": "https://registry.npmjs.org/@storybook/react-dom-shim/-/react-dom-shim-10.1.7.tgz",
+            "integrity": "sha512-cjIoNbWnGiet3vRjswnnh3ioN+X2ZEqDBIV6b+WN8RpGSUs3vg6V2s7G8IzgSfxFDahIqQ6D7yot3aOOlN+qBw==",
             "license": "MIT",
             "funding": {
                 "type": "opencollective",
@@ -3294,13 +3295,13 @@
             "peerDependencies": {
                 "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0",
                 "react-dom": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0",
-                "storybook": "^10.1.6"
+                "storybook": "^10.1.7"
             }
         },
         "node_modules/@storybook/web-components": {
-            "version": "10.1.6",
-            "resolved": "https://registry.npmjs.org/@storybook/web-components/-/web-components-10.1.6.tgz",
-            "integrity": "sha512-3ACRNRqld88Ev5tVnzUZ1QrHmbtnFe+Hoqe/YJ0LbXHYQU0b6vFGUGgf42Wf2R7A2tfNbDGiqjaHuIkrJdhklA==",
+            "version": "10.1.7",
+            "resolved": "https://registry.npmjs.org/@storybook/web-components/-/web-components-10.1.7.tgz",
+            "integrity": "sha512-qHvIQvVEj4rFBUFA12Y0UAWdlrzHRaEfs2KFXIEciUt1Gjz3VBkl8YSTWUZtrpl4vTYh4GCqne0oZst4lT8DZA==",
             "license": "MIT",
             "dependencies": {
                 "@storybook/global": "^5.0.0",
@@ -3313,24 +3314,24 @@
             },
             "peerDependencies": {
                 "lit": "^2.0.0 || ^3.0.0",
-                "storybook": "^10.1.6"
+                "storybook": "^10.1.7"
             }
         },
         "node_modules/@storybook/web-components-vite": {
-            "version": "10.1.6",
-            "resolved": "https://registry.npmjs.org/@storybook/web-components-vite/-/web-components-vite-10.1.6.tgz",
-            "integrity": "sha512-f/EDYXgzdE5v+qWcuIj9a6d+noG7rpad91St7hCQfleLvo9GBDAIZz6H87VReMjP/u4Bl3EOdcLOoAeU+dG0ZQ==",
+            "version": "10.1.7",
+            "resolved": "https://registry.npmjs.org/@storybook/web-components-vite/-/web-components-vite-10.1.7.tgz",
+            "integrity": "sha512-TEDD0GSelmPGw0me1cWZI/uzzwGbfJT0uDFwNzrOp72FKvcJ9BWeO9H4fDjtcPSORjsWkXHZ+UAelv1JHUzFHg==",
             "license": "MIT",
             "dependencies": {
-                "@storybook/builder-vite": "10.1.6",
-                "@storybook/web-components": "10.1.6"
+                "@storybook/builder-vite": "10.1.7",
+                "@storybook/web-components": "10.1.7"
             },
             "funding": {
                 "type": "opencollective",
                 "url": "https://opencollective.com/storybook"
             },
             "peerDependencies": {
-                "storybook": "^10.1.6"
+                "storybook": "^10.1.7"
             }
         },
         "node_modules/@swagger-api/apidom-ast": {
@@ -6139,6 +6140,21 @@
                 "url": "https://github.com/sponsors/sindresorhus"
             }
         },
+        "node_modules/bundle-name": {
+            "version": "4.1.0",
+            "resolved": "https://registry.npmjs.org/bundle-name/-/bundle-name-4.1.0.tgz",
+            "integrity": "sha512-tjwM5exMg6BGRI+kNmTntNsvdZS1X8BFYS6tnJ2hdH0kVxM6/eVZ2xy+FqStSWvYmtfFMDLIxurorHwDKfDz5Q==",
+            "license": "MIT",
+            "dependencies": {
+                "run-applescript": "^7.0.0"
+            },
+            "engines": {
+                "node": ">=18"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/sindresorhus"
+            }
+        },
         "node_modules/cacheable-lookup": {
             "version": "7.0.0",
             "resolved": "https://registry.npmjs.org/cacheable-lookup/-/cacheable-lookup-7.0.0.tgz",
@@ -6439,9 +6455,9 @@
             }
         },
         "node_modules/chromedriver": {
-            "version": "143.0.0",
-            "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-143.0.0.tgz",
-            "integrity": "sha512-zsDjk9nLeQsMcnFXP4huqCOqneIdox3ECIR4laBOH7sog1+K2rTgrK60ogSeYaHUnx9OTAMFkwJL29ekVgVQgw==",
+            "version": "143.0.1",
+            "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-143.0.1.tgz",
+            "integrity": "sha512-qR0DKGV7C3r5Fo6WJD2bqQ1ny9THrJTL4X8JeArBQ6m5Cq6sHXAhIrVgsTZuKi9tL/YUcFoELMI3UTg6dMiKWA==",
             "hasInstallScript": true,
             "license": "Apache-2.0",
             "optional": true,
@@ -7375,6 +7391,34 @@
                 "node": ">=16.0.0"
             }
         },
+        "node_modules/default-browser": {
+            "version": "5.4.0",
+            "resolved": "https://registry.npmjs.org/default-browser/-/default-browser-5.4.0.tgz",
+            "integrity": "sha512-XDuvSq38Hr1MdN47EDvYtx3U0MTqpCEn+F6ft8z2vYDzMrvQhVp0ui9oQdqW3MvK3vqUETglt1tVGgjLuJ5izg==",
+            "license": "MIT",
+            "dependencies": {
+                "bundle-name": "^4.1.0",
+                "default-browser-id": "^5.0.0"
+            },
+            "engines": {
+                "node": ">=18"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/sindresorhus"
+            }
+        },
+        "node_modules/default-browser-id": {
+            "version": "5.0.1",
+            "resolved": "https://registry.npmjs.org/default-browser-id/-/default-browser-id-5.0.1.tgz",
+            "integrity": "sha512-x1VCxdX4t+8wVfd1so/9w+vQ4vx7lKd2Qp5tDRutErwmR85OgmfX7RlLRMWafRMY7hbEiXIbudNrjOAPa/hL8Q==",
+            "license": "MIT",
+            "engines": {
+                "node": ">=18"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/sindresorhus"
+            }
+        },
         "node_modules/defaults": {
             "version": "2.0.2",
             "resolved": "https://registry.npmjs.org/defaults/-/defaults-2.0.2.tgz",
@@ -7413,6 +7457,18 @@
                 "url": "https://github.com/sponsors/ljharb"
             }
         },
+        "node_modules/define-lazy-prop": {
+            "version": "3.0.0",
+            "resolved": "https://registry.npmjs.org/define-lazy-prop/-/define-lazy-prop-3.0.0.tgz",
+            "integrity": "sha512-N+MeXYoqr3pOgn8xfyRPREN7gHakLYjhsHhWGT3fWAiL4IkAt0iDw14QiiEm2bE30c5XX5q0FtAA3CK5f9/BUg==",
+            "license": "MIT",
+            "engines": {
+                "node": ">=12"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/sindresorhus"
+            }
+        },
         "node_modules/define-properties": {
             "version": "1.2.1",
             "resolved": "https://registry.npmjs.org/define-properties/-/define-properties-1.2.1.tgz",
@@ -10104,6 +10160,21 @@
                 "url": "https://github.com/sponsors/wooorm"
             }
         },
+        "node_modules/is-docker": {
+            "version": "3.0.0",
+            "resolved": "https://registry.npmjs.org/is-docker/-/is-docker-3.0.0.tgz",
+            "integrity": "sha512-eljcgEDlEns/7AXFosB5K/2nCM4P7FQPkGc/DWLy5rmFEWvZayGrik1d9/QIY5nJ4f9YsVvBkA6kJpHn9rISdQ==",
+            "license": "MIT",
+            "bin": {
+                "is-docker": "cli.js"
+            },
+            "engines": {
+                "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/sindresorhus"
+            }
+        },
         "node_modules/is-extglob": {
             "version": "2.1.1",
             "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
@@ -10178,6 +10249,24 @@
                 "url": "https://github.com/sponsors/wooorm"
             }
         },
+        "node_modules/is-inside-container": {
+            "version": "1.0.0",
+            "resolved": "https://registry.npmjs.org/is-inside-container/-/is-inside-container-1.0.0.tgz",
+            "integrity": "sha512-KIYLCCJghfHZxqjYBE7rEy0OBuTd5xCHS7tHVgvCLkx7StIoaxwNW3hCALgEUjFfeRk+MG/Qxmp/vtETEF3tRA==",
+            "license": "MIT",
+            "dependencies": {
+                "is-docker": "^3.0.0"
+            },
+            "bin": {
+                "is-inside-container": "cli.js"
+            },
+            "engines": {
+                "node": ">=14.16"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/sindresorhus"
+            }
+        },
         "node_modules/is-map": {
             "version": "2.0.3",
             "resolved": "https://registry.npmjs.org/is-map/-/is-map-2.0.3.tgz",
@@ -10436,6 +10525,21 @@
                 "url": "https://github.com/sponsors/ljharb"
             }
         },
+        "node_modules/is-wsl": {
+            "version": "3.1.0",
+            "resolved": "https://registry.npmjs.org/is-wsl/-/is-wsl-3.1.0.tgz",
+            "integrity": "sha512-UcVfVfaK4Sc4m7X3dUSoHoozQGBEFeDC+zVo06t98xe8CzHSZZBekNXH+tu0NalHolcJ/QAGqS46Hef7QXBIMw==",
+            "license": "MIT",
+            "dependencies": {
+                "is-inside-container": "^1.0.0"
+            },
+            "engines": {
+                "node": ">=16"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/sindresorhus"
+            }
+        },
         "node_modules/is2": {
             "version": "2.0.9",
             "resolved": "https://registry.npmjs.org/is2/-/is2-2.0.9.tgz",
@@ -12990,6 +13094,24 @@
                 "url": "https://github.com/sponsors/sindresorhus"
             }
         },
+        "node_modules/open": {
+            "version": "10.2.0",
+            "resolved": "https://registry.npmjs.org/open/-/open-10.2.0.tgz",
+            "integrity": "sha512-YgBpdJHPyQ2UE5x+hlSXcnejzAvD0b22U2OuAP+8OnlJT+PjWPxtgmGqKKc+RgTM63U9gN0YzrYc71R2WT/hTA==",
+            "license": "MIT",
+            "dependencies": {
+                "default-browser": "^5.2.1",
+                "define-lazy-prop": "^3.0.0",
+                "is-inside-container": "^1.0.0",
+                "wsl-utils": "^0.1.0"
+            },
+            "engines": {
+                "node": ">=18"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/sindresorhus"
+            }
+        },
         "node_modules/openapi-path-templating": {
             "version": "2.2.1",
             "resolved": "https://registry.npmjs.org/openapi-path-templating/-/openapi-path-templating-2.2.1.tgz",
@@ -13927,9 +14049,9 @@
             }
         },
         "node_modules/react": {
-            "version": "19.2.1",
-            "resolved": "https://registry.npmjs.org/react/-/react-19.2.1.tgz",
-            "integrity": "sha512-DGrYcCWK7tvYMnWh79yrPHt+vdx9tY+1gPZa7nJQtO/p8bLTDaHp4dzwEhQB7pZ4Xe3ok4XKuEPrVuc+wlpkmw==",
+            "version": "19.2.3",
+            "resolved": "https://registry.npmjs.org/react/-/react-19.2.3.tgz",
+            "integrity": "sha512-Ku/hhYbVjOQnXDZFv2+RibmLFGwFdeeKHFcOTlrt7xplBnya5OGn/hIRDsqDiSUcfORsDC7MPxwork8jBwsIWA==",
             "license": "MIT",
             "peer": true,
             "engines": {
@@ -13937,16 +14059,16 @@
             }
         },
         "node_modules/react-dom": {
-            "version": "19.2.1",
-            "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.1.tgz",
-            "integrity": "sha512-ibrK8llX2a4eOskq1mXKu/TGZj9qzomO+sNfO98M6d9zIPOEhlBkMkBUBLd1vgS0gQsLDBzA+8jJBVXDnfHmJg==",
+            "version": "19.2.3",
+            "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.3.tgz",
+            "integrity": "sha512-yELu4WmLPw5Mr/lmeEpox5rw3RETacE++JgHqQzd2dg+YbJuat3jH4ingc+WPZhxaoFzdv9y33G+F7Nl5O0GBg==",
             "license": "MIT",
             "peer": true,
             "dependencies": {
                 "scheduler": "^0.27.0"
             },
             "peerDependencies": {
-                "react": "^19.2.1"
+                "react": "^19.2.3"
             }
         },
         "node_modules/react-is": {
@@ -14551,6 +14673,18 @@
                 "points-on-path": "^0.2.1"
             }
         },
+        "node_modules/run-applescript": {
+            "version": "7.1.0",
+            "resolved": "https://registry.npmjs.org/run-applescript/-/run-applescript-7.1.0.tgz",
+            "integrity": "sha512-DPe5pVFaAsinSaV6QjQ6gdiedWDcRCbUuiQfQa2wmWV7+xC9bGulGI8+TdRmoFkAPaBXk8CrAbnlY2ISniJ47Q==",
+            "license": "MIT",
+            "engines": {
+                "node": ">=18"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/sindresorhus"
+            }
+        },
         "node_modules/run-parallel": {
             "version": "1.2.0",
             "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz",
@@ -15225,9 +15359,9 @@
             }
         },
         "node_modules/storybook": {
-            "version": "10.1.6",
-            "resolved": "https://registry.npmjs.org/storybook/-/storybook-10.1.6.tgz",
-            "integrity": "sha512-IK3iJvOi5rKJzudNN3KDnKu3YPY4WtVZOXU/POBaA/S+J4n3QcDT2XEysm27dLZZQVC8sMSCOqIM83HImIeh0g==",
+            "version": "10.1.7",
+            "resolved": "https://registry.npmjs.org/storybook/-/storybook-10.1.7.tgz",
+            "integrity": "sha512-dK1p2LKzAdea60APGo/vMbF+X/D7eVZsv8ijnLVvfMBjScdDBgxfIn025mRtOwqECb/UN9cIpPs5XEWAeLpYMg==",
             "license": "MIT",
             "peer": true,
             "dependencies": {
@@ -15238,6 +15372,7 @@
                 "@vitest/expect": "3.2.4",
                 "@vitest/spy": "3.2.4",
                 "esbuild": "^0.18.0 || ^0.19.0 || ^0.20.0 || ^0.21.0 || ^0.22.0 || ^0.23.0 || ^0.24.0 || ^0.25.0 || ^0.26.0 || ^0.27.0",
+                "open": "^10.2.0",
                 "recast": "^0.23.5",
                 "semver": "^7.6.2",
                 "use-sync-external-store": "^1.5.0",
@@ -17596,6 +17731,21 @@
                 }
             }
         },
+        "node_modules/wsl-utils": {
+            "version": "0.1.0",
+            "resolved": "https://registry.npmjs.org/wsl-utils/-/wsl-utils-0.1.0.tgz",
+            "integrity": "sha512-h3Fbisa2nKGPxCpm89Hk33lBLsnaGBvctQopaBSOW/uIs6FTe1ATyAnKFJrzVs9vpGdsTe73WF3V4lIsk4Gacw==",
+            "license": "MIT",
+            "dependencies": {
+                "is-wsl": "^3.1.0"
+            },
+            "engines": {
+                "node": ">=18"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/sindresorhus"
+            }
+        },
         "node_modules/xml-but-prettier": {
             "version": "1.0.1",
             "resolved": "https://registry.npmjs.org/xml-but-prettier/-/xml-but-prettier-1.0.1.tgz",

web/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@goauthentik/web",
-    "version": "2025.12.0-rc1",
+    "version": "2026.2.0-rc1",
     "license": "MIT",
     "private": true,
     "scripts": {
@@ -118,10 +118,10 @@
         "@patternfly/patternfly": "^4.224.2",
         "@playwright/test": "^1.57.0",
         "@sentry/browser": "^10.29.0",
-        "@storybook/addon-docs": "^10.1.6",
-        "@storybook/addon-links": "^10.1.6",
-        "@storybook/web-components": "^10.1.6",
-        "@storybook/web-components-vite": "^10.1.6",
+        "@storybook/addon-docs": "^10.1.7",
+        "@storybook/addon-links": "^10.1.7",
+        "@storybook/web-components": "^10.1.7",
+        "@storybook/web-components-vite": "^10.1.7",
         "@types/codemirror": "^5.60.17",
         "@types/grecaptcha": "^3.0.9",
         "@types/guacamole-common-js": "^1.5.5",
@@ -165,8 +165,8 @@
         "prettier": "^3.6.2",
         "pseudolocale": "^2.2.0",
         "rapidoc": "^9.3.8",
-        "react": "^19.2.0",
-        "react-dom": "^19.2.0",
+        "react": "^19.2.3",
+        "react-dom": "^19.2.3",
         "rehype-highlight": "^7.0.2",
         "rehype-mermaid": "^3.0.0",
         "rehype-parse": "^9.0.1",
@@ -197,7 +197,7 @@
         "@rollup/rollup-darwin-arm64": "^4.53.3",
         "@rollup/rollup-linux-arm64-gnu": "^4.53.3",
         "@rollup/rollup-linux-x64-gnu": "^4.53.3",
-        "chromedriver": "^143.0.0"
+        "chromedriver": "^143.0.1"
     },
     "wireit": {
         "build": {

web/src/admin/applications/ApplicationForm.ts

@@ -99,6 +99,9 @@ export class ApplicationForm extends WithCapabilitiesConfig(ModelForm<Applicatio
         const alertMsg = msg(
             "Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.",
         );
+        const providerFromInstance = this.instance?.provider;
+        const providerValue = providerFromInstance ?? this.provider;
+        const providerPrefilled = !this.instance && this.provider !== undefined;
 
         return html`
             ${this.instance ? nothing : html`<ak-alert level="pf-m-info">${alertMsg}</ak-alert>`}
@@ -134,9 +137,10 @@ export class ApplicationForm extends WithCapabilitiesConfig(ModelForm<Applicatio
             <ak-provider-search-input
                 name="provider"
                 label=${msg("Provider")}
-                value=${ifPresent(this.instance?.provider)}
+                .value=${providerValue}
+                .readOnly=${providerPrefilled}
+                ?blankable=${!providerPrefilled}
                 help=${msg("Select a provider that this application should use.")}
-                blankable
             ></ak-provider-search-input>
             <ak-backchannel-providers-input
                 name="backchannelProviders"

web/src/admin/applications/components/ak-provider-search-input.ts

@@ -13,6 +13,7 @@ import { Provider, ProvidersAllListRequest, ProvidersApi } from "@goauthentik/ap
 
 import { html, nothing } from "lit";
 import { customElement, property } from "lit/decorators.js";
+import { ifDefined } from "lit/directives/if-defined.js";
 
 const renderElement = (item: Provider) => item.name;
 const renderValue = (item: Provider | undefined) => item?.pk;
@@ -53,6 +54,9 @@ export class AkProviderInput extends AKElement {
     @property({ type: Number })
     value?: number;
 
+    @property({ type: Boolean, attribute: "readonly" })
+    readOnly = false;
+
     @property({ type: Boolean })
     required = false;
 
@@ -76,6 +80,8 @@ export class AkProviderInput extends AKElement {
     };
 
     render() {
+        const readOnlyValue = this.readOnly && typeof this.value === "number";
+
         return html` <ak-form-element-horizontal name=${this.name}>
             ${AKLabel(
                 {
@@ -86,7 +92,9 @@ export class AkProviderInput extends AKElement {
                 },
                 this.label,
             )}
-
+            ${readOnlyValue
+                ? html`<input type="hidden" name=${this.name} value=${this.value ?? ""} />`
+                : nothing}
             <ak-search-select
                 .fieldID=${this.fieldID}
                 .selected=${this.#selected}
@@ -94,7 +102,9 @@ export class AkProviderInput extends AKElement {
                 .renderElement=${renderElement}
                 .value=${renderValue}
                 .groupBy=${doGroupBy}
-                ?blankable=${!!this.blankable}
+                ?blankable=${readOnlyValue ? false : !!this.blankable}
+                ?readonly=${this.readOnly}
+                name=${ifDefined(readOnlyValue ? undefined : this.name)}
             >
             </ak-search-select>
             ${this.help ? html`<p class="pf-c-form__helper-text">${this.help}</p>` : nothing}

web/src/elements/forms/SearchSelect/SearchSelect.ts

@@ -23,6 +23,7 @@ type Group<T> = [string, T[]];
 
 export interface ISearchSelectBase<T> {
     blankable?: boolean;
+    readOnly?: boolean;
     query?: string;
     objects?: T[];
     selectedObject: T | null;
@@ -93,6 +94,14 @@ export abstract class SearchSelectBase<T>
     @property({ type: Boolean })
     public creatable?: boolean;
 
+    /**
+     * Prevent user interaction while still rendering the current value.
+     * @property
+     * @attr
+     */
+    @property({ type: Boolean, attribute: "readonly" })
+    public readOnly = false;
+
     /**
      * An initial string to filter the search contents,
      * and the value of the input which further serves to restrict the search.
@@ -254,6 +263,8 @@ export abstract class SearchSelectBase<T>
     }
 
     #searchListener = (event: InputEvent) => {
+        if (this.readOnly) return;
+
         const value = (event.target as SearchSelectView).rawValue;
 
         if (!value) {
@@ -277,6 +288,8 @@ export abstract class SearchSelectBase<T>
     };
 
     private onSelect(event: InputEvent) {
+        if (this.readOnly) return;
+
         const value = (event.target as SearchSelectView).value;
 
         if (!value) {
@@ -381,6 +394,7 @@ export abstract class SearchSelectBase<T>
             .options=${options}
             value=${ifPresent(value)}
             ?blankable=${this.blankable}
+            ?readonly=${this.readOnly}
             label=${ifPresent(this.label)}
             name=${ifPresent(this.name)}
             placeholder=${ifPresent(this.placeholder)}

web/src/elements/forms/SearchSelect/ak-search-select-view.ts

@@ -24,6 +24,7 @@ export interface ISearchSelectView {
     value?: string;
     open: boolean;
     blankable: boolean;
+    readOnly: boolean;
     caseSensitive: boolean;
     name?: string;
     placeholder: string;
@@ -126,6 +127,14 @@ export class SearchSelectView extends AKElement implements ISearchSelectView {
     @property({ type: Boolean })
     public blankable = false;
 
+    /**
+     * Prevents user interaction while showing the current value.
+     *
+     * @attr
+     */
+    @property({ type: Boolean, attribute: "readonly" })
+    public readOnly = false;
+
     /**
      * If not managed, make the matcher case-sensitive during interaction.  If managed,
      * the manager must handle this.
@@ -248,6 +257,8 @@ export class SearchSelectView extends AKElement implements ISearchSelectView {
     //#region Event Listeners
 
     #clickListener = (_ev: Event) => {
+        if (this.readOnly) return;
+
         this.open = !this.open;
         this.#inputRef.value?.focus();
     };
@@ -263,6 +274,8 @@ export class SearchSelectView extends AKElement implements ISearchSelectView {
     }
 
     #searchKeyupListener = (event: KeyboardEvent) => {
+        if (this.readOnly) return;
+
         if (event.key === "Escape") {
             event.stopPropagation();
             event.preventDefault();
@@ -277,6 +290,8 @@ export class SearchSelectView extends AKElement implements ISearchSelectView {
     };
 
     #searchKeydownListener = (event: KeyboardEvent) => {
+        if (this.readOnly) return;
+
         if (!this.open) return;
 
         switch (event.key) {
@@ -339,6 +354,8 @@ export class SearchSelectView extends AKElement implements ISearchSelectView {
     }
 
     #inputListener = (_ev: InputEvent) => {
+        if (this.readOnly) return;
+
         if (!this.managed) {
             this.findValueForInput();
             this.requestUpdate();
@@ -356,6 +373,8 @@ export class SearchSelectView extends AKElement implements ISearchSelectView {
     };
 
     #listKeydownListener = (event: KeyboardEvent) => {
+        if (this.readOnly) return;
+
         if (event.key === "Tab" && event.shiftKey) {
             event.preventDefault();
 
@@ -364,6 +383,8 @@ export class SearchSelectView extends AKElement implements ISearchSelectView {
     };
 
     #changeListener = (event: InputEvent) => {
+        if (this.readOnly) return;
+
         if (!event.target) {
             return;
         }
@@ -441,6 +462,7 @@ export class SearchSelectView extends AKElement implements ISearchSelectView {
                             @keyup=${this.#searchKeyupListener}
                             @keydown=${this.#searchKeydownListener}
                             value=${this.displayValue}
+                            ?readonly=${this.readOnly}
                         />
                     </div>
                 </div>

web/xliff/cs-CZ.xlf

@@ -7893,10 +7893,6 @@ neprojde, když jedna nebo obě z vybraných možností jsou rovny nebo nad prah
   <source>Send notification to event user</source>
   <target>Zasílat oznámení původci události</target>
 </trans-unit>
-<trans-unit id="sd30f00ff2135589c">
-  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.</source>
-  <target>Pokud je povoleno, oznámení se kromě uživatelů ve skupině výše odešle také původci události. Uživatel, který událost vyvolal, je vždy prvním příjemcem; pokud má být oznámení doručeno pouze jednou, je třeba v transportu notifikací zapnout volbu ‘Poslat jednou’.</target>
-</trans-unit>
 <trans-unit id="sffa171e11d4ae513">
   <source>Transports</source>
   <target>Transporty</target>
@@ -8086,10 +8082,6 @@ Vazby na skupiny/uživatele jsou kontrolovány vůči uživateli události.</tar
   <source>Local</source>
   <target>Místní</target>
 </trans-unit>
-<trans-unit id="sc1231049879b8d33">
-  <source>If enabled, use the local connection. Required Docker socket/Kubernetes Integration.</source>
-  <target>Pokud je povoleno, použije se místní připojení. Vyžaduje Docker socket/Kubernetes integraci.</target>
-</trans-unit>
 <trans-unit id="s13de04774ff0f210">
   <source>Docker URL</source>
   <target>Docker URL</target>
@@ -9801,9 +9793,6 @@ Vazby na skupiny/uživatele jsou kontrolovány vůči uživateli události.</tar
 <trans-unit id="s7dcfe418b8d601f6">
   <source>Flags allow you to enable new functionality and behaviour in authentik early.</source>
 </trans-unit>
-<trans-unit id="sbaeb8266aac13639">
-  <source>Buffer PolicyAccessVew requests</source>
-</trans-unit>
 <trans-unit id="se20d0be2cece3841">
   <source>When enabled, parallel requests for application authorization will be buffered instead of conflicting with other flows.</source>
 </trans-unit>
@@ -9900,6 +9889,18 @@ Vazby na skupiny/uživatele jsou kontrolovány vůči uživateli události.</tar
 <trans-unit id="s567c5a6e42cc5036">
   <source>Maximum page size for API requests.</source>
 </trans-unit>
+<trans-unit id="sed1058bca1c065f7">
+  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport. If no group is selected and 'Send notification to event user' is disabled the rule is disabled. </source>
+</trans-unit>
+<trans-unit id="s9864bd5cd7bb4bd0">
+  <source>Local connection</source>
+</trans-unit>
+<trans-unit id="s4a3f19ff6e510c37">
+  <source>Requires Docker socket/Kubernetes Integration.</source>
+</trans-unit>
+<trans-unit id="s46a03121a2c260ea">
+  <source>Buffer PolicyAccessView requests</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/de-DE.xlf

@@ -7927,10 +7927,6 @@ Beim Erstellen eines festen Auswahlfelds aktiviere „Als Ausdruck interpretiere
   <source>Send notification to event user</source>
   <target>Benachrichtigung an Ereignisbenutzer senden</target>
 </trans-unit>
-<trans-unit id="sd30f00ff2135589c">
-  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.</source>
-  <target>Wenn aktiviert, wird zusätzlich zu den Benutzern der oben ausgewählten Gruppe auch der Benutzer benachrichtigt, der das Ereignis ausgelöst hat. Der Ereignisbenutzer wird immer als erster benachrichtigt. Um eine Benachrichtigung nur an den Ereignisbenutzer zu senden, aktiviere „Einmal senden“ im Benachrichtigungstransport.</target>
-</trans-unit>
 <trans-unit id="sffa171e11d4ae513">
   <source>Transports</source>
   <target>Zustellungsarten</target>
@@ -8120,10 +8116,6 @@ Bindings zu Gruppen/Benutzern werden mit dem Benutzer des Ereignisses abgegliche
   <source>Local</source>
   <target>Lokal</target>
 </trans-unit>
-<trans-unit id="sc1231049879b8d33">
-  <source>If enabled, use the local connection. Required Docker socket/Kubernetes Integration.</source>
-  <target>Nutze, wenn aktiviert, die lokale Verbindung. Benötigt Docker socket/Kubernetes Integration.</target>
-</trans-unit>
 <trans-unit id="s13de04774ff0f210">
   <source>Docker URL</source>
   <target>Docker URL</target>
@@ -9841,9 +9833,6 @@ Bindings zu Gruppen/Benutzern werden mit dem Benutzer des Ereignisses abgegliche
 <trans-unit id="s7dcfe418b8d601f6">
   <source>Flags allow you to enable new functionality and behaviour in authentik early.</source>
 </trans-unit>
-<trans-unit id="sbaeb8266aac13639">
-  <source>Buffer PolicyAccessVew requests</source>
-</trans-unit>
 <trans-unit id="se20d0be2cece3841">
   <source>When enabled, parallel requests for application authorization will be buffered instead of conflicting with other flows.</source>
 </trans-unit>
@@ -9940,6 +9929,18 @@ Bindings zu Gruppen/Benutzern werden mit dem Benutzer des Ereignisses abgegliche
 <trans-unit id="s567c5a6e42cc5036">
   <source>Maximum page size for API requests.</source>
 </trans-unit>
+<trans-unit id="sed1058bca1c065f7">
+  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport. If no group is selected and 'Send notification to event user' is disabled the rule is disabled. </source>
+</trans-unit>
+<trans-unit id="s9864bd5cd7bb4bd0">
+  <source>Local connection</source>
+</trans-unit>
+<trans-unit id="s4a3f19ff6e510c37">
+  <source>Requires Docker socket/Kubernetes Integration.</source>
+</trans-unit>
+<trans-unit id="s46a03121a2c260ea">
+  <source>Buffer PolicyAccessView requests</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/en.xlf

@@ -6085,9 +6085,6 @@ doesn't pass when either or both of the selected options are equal or above the
 <trans-unit id="s47966b2a708694e2">
   <source>Send notification to event user</source>
 </trans-unit>
-<trans-unit id="sd30f00ff2135589c">
-  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.</source>
-</trans-unit>
 <trans-unit id="sffa171e11d4ae513">
   <source>Transports</source>
 </trans-unit>
@@ -6227,9 +6224,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="se9b1fec72ffd8f48">
   <source>Local</source>
 </trans-unit>
-<trans-unit id="sc1231049879b8d33">
-  <source>If enabled, use the local connection. Required Docker socket/Kubernetes Integration.</source>
-</trans-unit>
 <trans-unit id="s13de04774ff0f210">
   <source>Docker URL</source>
 </trans-unit>
@@ -7632,9 +7626,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s7dcfe418b8d601f6">
   <source>Flags allow you to enable new functionality and behaviour in authentik early.</source>
 </trans-unit>
-<trans-unit id="sbaeb8266aac13639">
-  <source>Buffer PolicyAccessVew requests</source>
-</trans-unit>
 <trans-unit id="se20d0be2cece3841">
   <source>When enabled, parallel requests for application authorization will be buffered instead of conflicting with other flows.</source>
 </trans-unit>
@@ -7731,6 +7722,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s567c5a6e42cc5036">
   <source>Maximum page size for API requests.</source>
 </trans-unit>
+<trans-unit id="sed1058bca1c065f7">
+  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport. If no group is selected and 'Send notification to event user' is disabled the rule is disabled. </source>
+</trans-unit>
+<trans-unit id="s9864bd5cd7bb4bd0">
+  <source>Local connection</source>
+</trans-unit>
+<trans-unit id="s4a3f19ff6e510c37">
+  <source>Requires Docker socket/Kubernetes Integration.</source>
+</trans-unit>
+<trans-unit id="s46a03121a2c260ea">
+  <source>Buffer PolicyAccessView requests</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/es-ES.xlf

@@ -7855,10 +7855,6 @@ El valor de este campo se compara con el atributo de pertenencia del usuario.</t
   <source>Send notification to event user</source>
   <target>Enviar notificación al usuario del evento</target>
 </trans-unit>
-<trans-unit id="sd30f00ff2135589c">
-  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.</source>
-  <target>Cuando está habilitado, se enviará una notificación al usuario que desencadenó el evento, además de a cualquier usuario en el grupo mencionado anteriormente. El usuario del evento siempre será el primer usuario; para enviar una notificación solo a este usuario, active 'Enviar una vez' en el transporte de notificaciones.</target>
-</trans-unit>
 <trans-unit id="sffa171e11d4ae513">
   <source>Transports</source>
   <target>Medios</target>
@@ -8048,10 +8044,6 @@ Las vinculaciones a grupos/usuarios se verifican en función del usuario del eve
   <source>Local</source>
   <target>Local</target>
 </trans-unit>
-<trans-unit id="sc1231049879b8d33">
-  <source>If enabled, use the local connection. Required Docker socket/Kubernetes Integration.</source>
-  <target>Si está habilitada, use la conexión local. Se requiere la integración de Docker Socket/Kubernetes.</target>
-</trans-unit>
 <trans-unit id="s13de04774ff0f210">
   <source>Docker URL</source>
   <target>URL de Docker</target>
@@ -9761,9 +9753,6 @@ Las vinculaciones a grupos/usuarios se verifican en función del usuario del eve
 <trans-unit id="s7dcfe418b8d601f6">
   <source>Flags allow you to enable new functionality and behaviour in authentik early.</source>
 </trans-unit>
-<trans-unit id="sbaeb8266aac13639">
-  <source>Buffer PolicyAccessVew requests</source>
-</trans-unit>
 <trans-unit id="se20d0be2cece3841">
   <source>When enabled, parallel requests for application authorization will be buffered instead of conflicting with other flows.</source>
 </trans-unit>
@@ -9860,6 +9849,18 @@ Las vinculaciones a grupos/usuarios se verifican en función del usuario del eve
 <trans-unit id="s567c5a6e42cc5036">
   <source>Maximum page size for API requests.</source>
 </trans-unit>
+<trans-unit id="sed1058bca1c065f7">
+  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport. If no group is selected and 'Send notification to event user' is disabled the rule is disabled. </source>
+</trans-unit>
+<trans-unit id="s9864bd5cd7bb4bd0">
+  <source>Local connection</source>
+</trans-unit>
+<trans-unit id="s4a3f19ff6e510c37">
+  <source>Requires Docker socket/Kubernetes Integration.</source>
+</trans-unit>
+<trans-unit id="s46a03121a2c260ea">
+  <source>Buffer PolicyAccessView requests</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/fi-FI.xlf

@@ -8058,10 +8058,6 @@ läpäisy estyy kun jompi kumpi tai molemmat vaihtoehdot ylittävät raja-arvon.
   <source>Send notification to event user</source>
   <target>Lähetä notifikaatiot tapahtuman käyttäjälle</target>
 </trans-unit>
-<trans-unit id="sd30f00ff2135589c">
-  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.</source>
-  <target>Kun tämä on käytössä, notifikaatio lähetetään sille käyttäjälle, joka laukaisi tapahtuman, niiden käyttäjien lisäksi, jotka ovat yllä olevan ryhmän jäseniä. Tapahtuman käyttäjä on aina ensimmäinen käyttäjä. Lähettääksesi notifikaation vain tapahtuman käyttäjälle, valitse 'Lähetä kerran' notifikaation väylän asetuksissa.</target>
-</trans-unit>
 <trans-unit id="sffa171e11d4ae513">
   <source>Transports</source>
   <target>Väylät</target>
@@ -8251,10 +8247,6 @@ Liitokset käyttäjiin/ryhmiin tarkistetaan tapahtuman käyttäjästä.</target>
   <source>Local</source>
   <target>Paikallinen</target>
 </trans-unit>
-<trans-unit id="sc1231049879b8d33">
-  <source>If enabled, use the local connection. Required Docker socket/Kubernetes Integration.</source>
-  <target>Jos käytössä, käytä paikallista yhteyttä. Pakollinen Docker socket/Kubernetes-integraatio.</target>
-</trans-unit>
 <trans-unit id="s13de04774ff0f210">
   <source>Docker URL</source>
   <target>Docker URL</target>
@@ -10024,9 +10016,6 @@ Liitokset käyttäjiin/ryhmiin tarkistetaan tapahtuman käyttäjästä.</target>
 <trans-unit id="s7dcfe418b8d601f6">
   <source>Flags allow you to enable new functionality and behaviour in authentik early.</source>
 </trans-unit>
-<trans-unit id="sbaeb8266aac13639">
-  <source>Buffer PolicyAccessVew requests</source>
-</trans-unit>
 <trans-unit id="se20d0be2cece3841">
   <source>When enabled, parallel requests for application authorization will be buffered instead of conflicting with other flows.</source>
 </trans-unit>
@@ -10123,6 +10112,18 @@ Liitokset käyttäjiin/ryhmiin tarkistetaan tapahtuman käyttäjästä.</target>
 <trans-unit id="s567c5a6e42cc5036">
   <source>Maximum page size for API requests.</source>
 </trans-unit>
+<trans-unit id="sed1058bca1c065f7">
+  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport. If no group is selected and 'Send notification to event user' is disabled the rule is disabled. </source>
+</trans-unit>
+<trans-unit id="s9864bd5cd7bb4bd0">
+  <source>Local connection</source>
+</trans-unit>
+<trans-unit id="s4a3f19ff6e510c37">
+  <source>Requires Docker socket/Kubernetes Integration.</source>
+</trans-unit>
+<trans-unit id="s46a03121a2c260ea">
+  <source>Buffer PolicyAccessView requests</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/fr-FR.xlf

@@ -8048,10 +8048,6 @@ doesn't pass when either or both of the selected options are equal or above the
   <source>Send notification to event user</source>
   <target>Envoyer la notification à l'utilisateur associé à l'événement</target>
 </trans-unit>
-<trans-unit id="sd30f00ff2135589c">
-  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.</source>
-  <target>Lorsque cette option est activée, une notification sera envoyée à l'utilisateur qui a déclenché l'événement en plus des utilisateurs du groupe ci-dessus. L'utilisateur associé à l'événement sera toujours le premier utilisateur. Pour envoyer une notification uniquement à l'utilisateur de l'événement, activez l'option "Envoyer une seule fois" dans le transport de notification.</target>
-</trans-unit>
 <trans-unit id="sffa171e11d4ae513">
   <source>Transports</source>
   <target>Transports</target>
@@ -8241,10 +8237,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
   <source>Local</source>
   <target>Local</target>
 </trans-unit>
-<trans-unit id="sc1231049879b8d33">
-  <source>If enabled, use the local connection. Required Docker socket/Kubernetes Integration.</source>
-  <target>Si activé, utiliser la connexion locale. Intégration Docker socket/Kubernetes requise.</target>
-</trans-unit>
 <trans-unit id="s13de04774ff0f210">
   <source>Docker URL</source>
   <target>URL Docker</target>
@@ -10009,9 +10001,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 <trans-unit id="s7dcfe418b8d601f6">
   <source>Flags allow you to enable new functionality and behaviour in authentik early.</source>
 </trans-unit>
-<trans-unit id="sbaeb8266aac13639">
-  <source>Buffer PolicyAccessVew requests</source>
-</trans-unit>
 <trans-unit id="se20d0be2cece3841">
   <source>When enabled, parallel requests for application authorization will be buffered instead of conflicting with other flows.</source>
 </trans-unit>
@@ -10108,6 +10097,18 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 <trans-unit id="s567c5a6e42cc5036">
   <source>Maximum page size for API requests.</source>
 </trans-unit>
+<trans-unit id="sed1058bca1c065f7">
+  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport. If no group is selected and 'Send notification to event user' is disabled the rule is disabled. </source>
+</trans-unit>
+<trans-unit id="s9864bd5cd7bb4bd0">
+  <source>Local connection</source>
+</trans-unit>
+<trans-unit id="s4a3f19ff6e510c37">
+  <source>Requires Docker socket/Kubernetes Integration.</source>
+</trans-unit>
+<trans-unit id="s46a03121a2c260ea">
+  <source>Buffer PolicyAccessView requests</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/it-IT.xlf

@@ -7810,10 +7810,6 @@ doesn't pass when either or both of the selected options are equal or above the
   <source>Send notification to event user</source>
   <target>Invia notifica all'utente dell'evento</target>
 </trans-unit>
-<trans-unit id="sd30f00ff2135589c">
-  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.</source>
-  <target>Se abilitata, la notifica verrà inviata all'utente che ha attivato l'evento, oltre a tutti gli utenti del gruppo sopra indicato. L'utente dell'evento sarà sempre il primo a inviare una notifica solo all'utente dell'evento che ha abilitato "Invia una volta" nel trasporto delle notifiche.</target>
-</trans-unit>
 <trans-unit id="sffa171e11d4ae513">
   <source>Transports</source>
   <target>Trasporti</target>
@@ -8003,10 +7999,6 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>Local</source>
   <target>Locale</target>
 </trans-unit>
-<trans-unit id="sc1231049879b8d33">
-  <source>If enabled, use the local connection. Required Docker socket/Kubernetes Integration.</source>
-  <target>Se abilitato, utilizzare la connessione locale. Integrazione Docker Cocket Docker/Kubernetes.</target>
-</trans-unit>
 <trans-unit id="s13de04774ff0f210">
   <source>Docker URL</source>
   <target>Docker URL</target>
@@ -9709,9 +9701,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s7dcfe418b8d601f6">
   <source>Flags allow you to enable new functionality and behaviour in authentik early.</source>
 </trans-unit>
-<trans-unit id="sbaeb8266aac13639">
-  <source>Buffer PolicyAccessVew requests</source>
-</trans-unit>
 <trans-unit id="se20d0be2cece3841">
   <source>When enabled, parallel requests for application authorization will be buffered instead of conflicting with other flows.</source>
 </trans-unit>
@@ -9808,6 +9797,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s567c5a6e42cc5036">
   <source>Maximum page size for API requests.</source>
 </trans-unit>
+<trans-unit id="sed1058bca1c065f7">
+  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport. If no group is selected and 'Send notification to event user' is disabled the rule is disabled. </source>
+</trans-unit>
+<trans-unit id="s9864bd5cd7bb4bd0">
+  <source>Local connection</source>
+</trans-unit>
+<trans-unit id="s4a3f19ff6e510c37">
+  <source>Requires Docker socket/Kubernetes Integration.</source>
+</trans-unit>
+<trans-unit id="s46a03121a2c260ea">
+  <source>Buffer PolicyAccessView requests</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/ja-JP.xlf

@@ -8046,11 +8046,6 @@ doesn't pass when either or both of the selected options are equal or above the
   <source>Send notification to event user</source>
   <target>イベントユーザーに通知を送信</target>
 </trans-unit>
-<trans-unit id="sd30f00ff2135589c">
-  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.</source>
-  <target>有効になると、イベントをトリガーしたユーザーと上記のグループ内のユーザーに通知が送信されます。イベントユーザーは常に最初のユーザーになります。イベントユーザーにのみ通知を送信するには、通知トランスポートで「1
-          回だけ送信」を有効にします。</target>
-</trans-unit>
 <trans-unit id="sffa171e11d4ae513">
   <source>Transports</source>
   <target>トランスポート</target>
@@ -8236,10 +8231,6 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>Local</source>
   <target>ローカル</target>
 </trans-unit>
-<trans-unit id="sc1231049879b8d33">
-  <source>If enabled, use the local connection. Required Docker socket/Kubernetes Integration.</source>
-  <target>有効にすると、ローカル接続を使用します。Docker ソケット/Kubernetes 統合が必要です。</target>
-</trans-unit>
 <trans-unit id="s13de04774ff0f210">
   <source>Docker URL</source>
   <target>Docker URL</target>
@@ -10004,9 +9995,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s7dcfe418b8d601f6">
   <source>Flags allow you to enable new functionality and behaviour in authentik early.</source>
 </trans-unit>
-<trans-unit id="sbaeb8266aac13639">
-  <source>Buffer PolicyAccessVew requests</source>
-</trans-unit>
 <trans-unit id="se20d0be2cece3841">
   <source>When enabled, parallel requests for application authorization will be buffered instead of conflicting with other flows.</source>
 </trans-unit>
@@ -10103,6 +10091,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s567c5a6e42cc5036">
   <source>Maximum page size for API requests.</source>
 </trans-unit>
+<trans-unit id="sed1058bca1c065f7">
+  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport. If no group is selected and 'Send notification to event user' is disabled the rule is disabled. </source>
+</trans-unit>
+<trans-unit id="s9864bd5cd7bb4bd0">
+  <source>Local connection</source>
+</trans-unit>
+<trans-unit id="s4a3f19ff6e510c37">
+  <source>Requires Docker socket/Kubernetes Integration.</source>
+</trans-unit>
+<trans-unit id="s46a03121a2c260ea">
+  <source>Buffer PolicyAccessView requests</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/ko-KR.xlf

@@ -7508,9 +7508,6 @@ doesn't pass when either or both of the selected options are equal or above the
 <trans-unit id="s47966b2a708694e2">
   <source>Send notification to event user</source>
 </trans-unit>
-<trans-unit id="sd30f00ff2135589c">
-  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.</source>
-</trans-unit>
 <trans-unit id="sffa171e11d4ae513">
   <source>Transports</source>
   <target>전송</target>
@@ -7692,10 +7689,6 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>Local</source>
   <target>로컬</target>
 </trans-unit>
-<trans-unit id="sc1231049879b8d33">
-  <source>If enabled, use the local connection. Required Docker socket/Kubernetes Integration.</source>
-  <target>활성화된 경우, 로컬 연결을 사용합니다. 도커/쿠버네티스 통합에 필수적입니다.</target>
-</trans-unit>
 <trans-unit id="s13de04774ff0f210">
   <source>Docker URL</source>
   <target>도커 URL</target>
@@ -9333,9 +9326,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s7dcfe418b8d601f6">
   <source>Flags allow you to enable new functionality and behaviour in authentik early.</source>
 </trans-unit>
-<trans-unit id="sbaeb8266aac13639">
-  <source>Buffer PolicyAccessVew requests</source>
-</trans-unit>
 <trans-unit id="se20d0be2cece3841">
   <source>When enabled, parallel requests for application authorization will be buffered instead of conflicting with other flows.</source>
 </trans-unit>
@@ -9432,6 +9422,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s567c5a6e42cc5036">
   <source>Maximum page size for API requests.</source>
 </trans-unit>
+<trans-unit id="sed1058bca1c065f7">
+  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport. If no group is selected and 'Send notification to event user' is disabled the rule is disabled. </source>
+</trans-unit>
+<trans-unit id="s9864bd5cd7bb4bd0">
+  <source>Local connection</source>
+</trans-unit>
+<trans-unit id="s4a3f19ff6e510c37">
+  <source>Requires Docker socket/Kubernetes Integration.</source>
+</trans-unit>
+<trans-unit id="s46a03121a2c260ea">
+  <source>Buffer PolicyAccessView requests</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/nl-NL.xlf

@@ -7226,9 +7226,6 @@ slaagt niet wanneer een of beide geselecteerde opties gelijk zijn aan of boven d
 <trans-unit id="s47966b2a708694e2">
   <source>Send notification to event user</source>
 </trans-unit>
-<trans-unit id="sd30f00ff2135589c">
-  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.</source>
-</trans-unit>
 <trans-unit id="sffa171e11d4ae513">
   <source>Transports</source>
   <target>Transporten</target>
@@ -7405,10 +7402,6 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
   <source>Local</source>
   <target>Lokaal</target>
 </trans-unit>
-<trans-unit id="sc1231049879b8d33">
-  <source>If enabled, use the local connection. Required Docker socket/Kubernetes Integration.</source>
-  <target>Indien ingeschakeld, gebruik de lokale verbinding. Vereist Docker-socket/Kubernetes-integratie.</target>
-</trans-unit>
 <trans-unit id="s13de04774ff0f210">
   <source>Docker URL</source>
   <target>Docker-URL</target>
@@ -8981,9 +8974,6 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 <trans-unit id="s7dcfe418b8d601f6">
   <source>Flags allow you to enable new functionality and behaviour in authentik early.</source>
 </trans-unit>
-<trans-unit id="sbaeb8266aac13639">
-  <source>Buffer PolicyAccessVew requests</source>
-</trans-unit>
 <trans-unit id="se20d0be2cece3841">
   <source>When enabled, parallel requests for application authorization will be buffered instead of conflicting with other flows.</source>
 </trans-unit>
@@ -9080,6 +9070,18 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 <trans-unit id="s567c5a6e42cc5036">
   <source>Maximum page size for API requests.</source>
 </trans-unit>
+<trans-unit id="sed1058bca1c065f7">
+  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport. If no group is selected and 'Send notification to event user' is disabled the rule is disabled. </source>
+</trans-unit>
+<trans-unit id="s9864bd5cd7bb4bd0">
+  <source>Local connection</source>
+</trans-unit>
+<trans-unit id="s4a3f19ff6e510c37">
+  <source>Requires Docker socket/Kubernetes Integration.</source>
+</trans-unit>
+<trans-unit id="s46a03121a2c260ea">
+  <source>Buffer PolicyAccessView requests</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/pl-PL.xlf

@@ -7530,9 +7530,6 @@ w toku, tworzony jest nowy użytkownik i zapisywane są do niego dane.</target>
 <trans-unit id="s47966b2a708694e2">
   <source>Send notification to event user</source>
 </trans-unit>
-<trans-unit id="sd30f00ff2135589c">
-  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.</source>
-</trans-unit>
 <trans-unit id="sffa171e11d4ae513">
   <source>Transports</source>
   <target>Transporty</target>
@@ -7719,10 +7716,6 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
   <source>Local</source>
   <target>Lokalny</target>
 </trans-unit>
-<trans-unit id="sc1231049879b8d33">
-  <source>If enabled, use the local connection. Required Docker socket/Kubernetes Integration.</source>
-  <target>Jeśli jest włączone, użyj połączenia lokalnego. Wymagane socket Docker/Integracja Kubernetes.</target>
-</trans-unit>
 <trans-unit id="s13de04774ff0f210">
   <source>Docker URL</source>
   <target>URL Dockera</target>
@@ -9363,9 +9356,6 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 <trans-unit id="s7dcfe418b8d601f6">
   <source>Flags allow you to enable new functionality and behaviour in authentik early.</source>
 </trans-unit>
-<trans-unit id="sbaeb8266aac13639">
-  <source>Buffer PolicyAccessVew requests</source>
-</trans-unit>
 <trans-unit id="se20d0be2cece3841">
   <source>When enabled, parallel requests for application authorization will be buffered instead of conflicting with other flows.</source>
 </trans-unit>
@@ -9462,6 +9452,18 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 <trans-unit id="s567c5a6e42cc5036">
   <source>Maximum page size for API requests.</source>
 </trans-unit>
+<trans-unit id="sed1058bca1c065f7">
+  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport. If no group is selected and 'Send notification to event user' is disabled the rule is disabled. </source>
+</trans-unit>
+<trans-unit id="s9864bd5cd7bb4bd0">
+  <source>Local connection</source>
+</trans-unit>
+<trans-unit id="s4a3f19ff6e510c37">
+  <source>Requires Docker socket/Kubernetes Integration.</source>
+</trans-unit>
+<trans-unit id="s46a03121a2c260ea">
+  <source>Buffer PolicyAccessView requests</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/pt-BR.xlf

@@ -8043,10 +8043,6 @@ retorne uma lista para fornecer várias opções padrão.</target>
   <source>Send notification to event user</source>
   <target>Enviar notificação para o usuário do evento</target>
 </trans-unit>
-<trans-unit id="sd30f00ff2135589c">
-  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.</source>
-  <target>Quando ativado, a notificação será enviada ao usuário que acionou o evento, além de quaisquer usuários no grupo acima. O usuário do evento será sempre o primeiro usuário; para enviar uma notificação apenas ao usuário do evento, ative 'Enviar uma vez' no transporte de notificação.</target>
-</trans-unit>
 <trans-unit id="sffa171e11d4ae513">
   <source>Transports</source>
   <target>Transportes</target>
@@ -8233,10 +8229,6 @@ As vinculações a grupos/usuários são verificadas em relação ao usuário do
   <source>Local</source>
   <target>Local</target>
 </trans-unit>
-<trans-unit id="sc1231049879b8d33">
-  <source>If enabled, use the local connection. Required Docker socket/Kubernetes Integration.</source>
-  <target>Se ativado, use a conexão local. Requer integração com Docker socket/Kubernetes.</target>
-</trans-unit>
 <trans-unit id="s13de04774ff0f210">
   <source>Docker URL</source>
   <target>URL do Docker</target>
@@ -9992,9 +9984,6 @@ por exemplo: <x id="0" equiv-text="&lt;code&gt;"/>oci://registry.domain.tld/path
 <trans-unit id="s7dcfe418b8d601f6">
   <source>Flags allow you to enable new functionality and behaviour in authentik early.</source>
 </trans-unit>
-<trans-unit id="sbaeb8266aac13639">
-  <source>Buffer PolicyAccessVew requests</source>
-</trans-unit>
 <trans-unit id="se20d0be2cece3841">
   <source>When enabled, parallel requests for application authorization will be buffered instead of conflicting with other flows.</source>
 </trans-unit>
@@ -10091,6 +10080,18 @@ por exemplo: <x id="0" equiv-text="&lt;code&gt;"/>oci://registry.domain.tld/path
 <trans-unit id="s567c5a6e42cc5036">
   <source>Maximum page size for API requests.</source>
 </trans-unit>
+<trans-unit id="sed1058bca1c065f7">
+  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport. If no group is selected and 'Send notification to event user' is disabled the rule is disabled. </source>
+</trans-unit>
+<trans-unit id="s9864bd5cd7bb4bd0">
+  <source>Local connection</source>
+</trans-unit>
+<trans-unit id="s4a3f19ff6e510c37">
+  <source>Requires Docker socket/Kubernetes Integration.</source>
+</trans-unit>
+<trans-unit id="s46a03121a2c260ea">
+  <source>Buffer PolicyAccessView requests</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/ru-RU.xlf

@@ -7588,9 +7588,6 @@ doesn't pass when either or both of the selected options are equal or above the
 <trans-unit id="s47966b2a708694e2">
   <source>Send notification to event user</source>
 </trans-unit>
-<trans-unit id="sd30f00ff2135589c">
-  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.</source>
-</trans-unit>
 <trans-unit id="sffa171e11d4ae513">
   <source>Transports</source>
   <target>Поставщики</target>
@@ -7777,10 +7774,6 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>Local</source>
   <target>Местный</target>
 </trans-unit>
-<trans-unit id="sc1231049879b8d33">
-  <source>If enabled, use the local connection. Required Docker socket/Kubernetes Integration.</source>
-  <target>Если включено, используется локальное соединение. Требует Docker сокет/Kubernetes интеграции.</target>
-</trans-unit>
 <trans-unit id="s13de04774ff0f210">
   <source>Docker URL</source>
   <target>URL-адрес Docker</target>
@@ -9451,9 +9444,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s7dcfe418b8d601f6">
   <source>Flags allow you to enable new functionality and behaviour in authentik early.</source>
 </trans-unit>
-<trans-unit id="sbaeb8266aac13639">
-  <source>Buffer PolicyAccessVew requests</source>
-</trans-unit>
 <trans-unit id="se20d0be2cece3841">
   <source>When enabled, parallel requests for application authorization will be buffered instead of conflicting with other flows.</source>
 </trans-unit>
@@ -9550,6 +9540,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s567c5a6e42cc5036">
   <source>Maximum page size for API requests.</source>
 </trans-unit>
+<trans-unit id="sed1058bca1c065f7">
+  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport. If no group is selected and 'Send notification to event user' is disabled the rule is disabled. </source>
+</trans-unit>
+<trans-unit id="s9864bd5cd7bb4bd0">
+  <source>Local connection</source>
+</trans-unit>
+<trans-unit id="s4a3f19ff6e510c37">
+  <source>Requires Docker socket/Kubernetes Integration.</source>
+</trans-unit>
+<trans-unit id="s46a03121a2c260ea">
+  <source>Buffer PolicyAccessView requests</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/tr-TR.xlf

@@ -7578,9 +7578,6 @@ Belirlenen seçeneklerden biri veya her ikisi de eşiğe eşit veya eşiğin üz
 <trans-unit id="s47966b2a708694e2">
   <source>Send notification to event user</source>
 </trans-unit>
-<trans-unit id="sd30f00ff2135589c">
-  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.</source>
-</trans-unit>
 <trans-unit id="sffa171e11d4ae513">
   <source>Transports</source>
   <target>Aktarıcılar</target>
@@ -7766,10 +7763,6 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
   <source>Local</source>
   <target>Yerel</target>
 </trans-unit>
-<trans-unit id="sc1231049879b8d33">
-  <source>If enabled, use the local connection. Required Docker socket/Kubernetes Integration.</source>
-  <target>Etkinleştirilirse, yerel bağlantıyı kullanın. Gerekli Docker soketi/Kubernetes Entegrasyonu.</target>
-</trans-unit>
 <trans-unit id="s13de04774ff0f210">
   <source>Docker URL</source>
   <target>Docker URL'si</target>
@@ -9429,9 +9422,6 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
 <trans-unit id="s7dcfe418b8d601f6">
   <source>Flags allow you to enable new functionality and behaviour in authentik early.</source>
 </trans-unit>
-<trans-unit id="sbaeb8266aac13639">
-  <source>Buffer PolicyAccessVew requests</source>
-</trans-unit>
 <trans-unit id="se20d0be2cece3841">
   <source>When enabled, parallel requests for application authorization will be buffered instead of conflicting with other flows.</source>
 </trans-unit>
@@ -9528,6 +9518,18 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
 <trans-unit id="s567c5a6e42cc5036">
   <source>Maximum page size for API requests.</source>
 </trans-unit>
+<trans-unit id="sed1058bca1c065f7">
+  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport. If no group is selected and 'Send notification to event user' is disabled the rule is disabled. </source>
+</trans-unit>
+<trans-unit id="s9864bd5cd7bb4bd0">
+  <source>Local connection</source>
+</trans-unit>
+<trans-unit id="s4a3f19ff6e510c37">
+  <source>Requires Docker socket/Kubernetes Integration.</source>
+</trans-unit>
+<trans-unit id="s46a03121a2c260ea">
+  <source>Buffer PolicyAccessView requests</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/zh-Hans.xlf

@@ -8010,10 +8010,6 @@ doesn't pass when either or both of the selected options are equal or above the
   <source>Send notification to event user</source>
   <target>发送通知给事件用户</target>
 </trans-unit>
-<trans-unit id="sd30f00ff2135589c">
-  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.</source>
-  <target>启用时，通知不仅会发送给触发事件的用户，还会发送到组中的任何用户。事件用户将总是第一个用户，要只向事件用户发送通知，则需要在通知传输中启用“发送一次”。</target>
-</trans-unit>
 <trans-unit id="sffa171e11d4ae513">
   <source>Transports</source>
   <target>传输</target>
@@ -8203,10 +8199,6 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>Local</source>
   <target>本地</target>
 </trans-unit>
-<trans-unit id="sc1231049879b8d33">
-  <source>If enabled, use the local connection. Required Docker socket/Kubernetes Integration.</source>
-  <target>如果启用，请使用本地连接。需要 Docker Socket/Kubernetes 集成。</target>
-</trans-unit>
 <trans-unit id="s13de04774ff0f210">
   <source>Docker URL</source>
   <target>Docker URL</target>
@@ -9964,9 +9956,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s7dcfe418b8d601f6">
   <source>Flags allow you to enable new functionality and behaviour in authentik early.</source>
 </trans-unit>
-<trans-unit id="sbaeb8266aac13639">
-  <source>Buffer PolicyAccessVew requests</source>
-</trans-unit>
 <trans-unit id="se20d0be2cece3841">
   <source>When enabled, parallel requests for application authorization will be buffered instead of conflicting with other flows.</source>
 </trans-unit>
@@ -10063,6 +10052,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s567c5a6e42cc5036">
   <source>Maximum page size for API requests.</source>
 </trans-unit>
+<trans-unit id="sed1058bca1c065f7">
+  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport. If no group is selected and 'Send notification to event user' is disabled the rule is disabled. </source>
+</trans-unit>
+<trans-unit id="s9864bd5cd7bb4bd0">
+  <source>Local connection</source>
+</trans-unit>
+<trans-unit id="s4a3f19ff6e510c37">
+  <source>Requires Docker socket/Kubernetes Integration.</source>
+</trans-unit>
+<trans-unit id="s46a03121a2c260ea">
+  <source>Buffer PolicyAccessView requests</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/zh-Hant.xlf

@@ -7292,9 +7292,6 @@ doesn't pass when either or both of the selected options are equal or above the
 <trans-unit id="s47966b2a708694e2">
   <source>Send notification to event user</source>
 </trans-unit>
-<trans-unit id="sd30f00ff2135589c">
-  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.</source>
-</trans-unit>
 <trans-unit id="sffa171e11d4ae513">
   <source>Transports</source>
   <target>通道</target>
@@ -7470,10 +7467,6 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>Local</source>
   <target>本機端連線</target>
 </trans-unit>
-<trans-unit id="sc1231049879b8d33">
-  <source>If enabled, use the local connection. Required Docker socket/Kubernetes Integration.</source>
-  <target>啟用時，請使用本機連線。需要整合 docker / Kubernetes 的 socket。</target>
-</trans-unit>
 <trans-unit id="s13de04774ff0f210">
   <source>Docker URL</source>
   <target>Docker 網址</target>
@@ -9044,9 +9037,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s7dcfe418b8d601f6">
   <source>Flags allow you to enable new functionality and behaviour in authentik early.</source>
 </trans-unit>
-<trans-unit id="sbaeb8266aac13639">
-  <source>Buffer PolicyAccessVew requests</source>
-</trans-unit>
 <trans-unit id="se20d0be2cece3841">
   <source>When enabled, parallel requests for application authorization will be buffered instead of conflicting with other flows.</source>
 </trans-unit>
@@ -9143,6 +9133,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s567c5a6e42cc5036">
   <source>Maximum page size for API requests.</source>
 </trans-unit>
+<trans-unit id="sed1058bca1c065f7">
+  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport. If no group is selected and 'Send notification to event user' is disabled the rule is disabled. </source>
+</trans-unit>
+<trans-unit id="s9864bd5cd7bb4bd0">
+  <source>Local connection</source>
+</trans-unit>
+<trans-unit id="s4a3f19ff6e510c37">
+  <source>Requires Docker socket/Kubernetes Integration.</source>
+</trans-unit>
+<trans-unit id="s46a03121a2c260ea">
+  <source>Buffer PolicyAccessView requests</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

website/docs/developer-docs/setup/devcontainer.md

@@ -0,0 +1,148 @@
+---
+title: Devcontainer development environment
+sidebar_label: Devcontainer development
+tags:
+    - development
+    - contributor
+    - devcontainer
+    - docker
+---
+
+If you prefer a containerized development environment with all dependencies pre-configured, you can use the devcontainer setup. This provides a fully isolated development environment that runs inside Docker. The devcontainer mounts your local workspace into the container, so changes to files are reflected immediately.
+
+### Prerequisites
+
+- [Docker](https://www.docker.com/) (Latest Community Edition or Docker Desktop)
+- [Visual Studio Code](https://code.visualstudio.com/) with the [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers)
+
+Alternatively, you can use any IDE or editor that supports the [devcontainer specification](https://containers.dev/).
+
+### Instructions
+
+1. Clone the Git repo to your development machine and navigate to the authentik directory.
+
+    ```shell
+    git clone https://github.com/goauthentik/authentik
+    cd authentik
+    ```
+
+2. Open the repository in Visual Studio Code.
+
+    ```shell
+    code .
+    ```
+
+3. When prompted, click "Reopen in Container" or run the command "Dev Containers: Reopen in Container" from the command palette (Ctrl+Shift+P / Cmd+Shift+P).
+
+4. VS Code will build the devcontainer image and start the container. This may take several minutes on the first run.
+
+5. Once the container is running, all development tools and dependencies will be available inside the container environment.
+
+### What's included
+
+The devcontainer provides:
+
+- Pre-configured development environment with all required dependencies
+- Python, Go, and Node.js development tools
+- PostgreSQL database
+- All necessary system packages
+
+### Running authentik
+
+After the devcontainer starts, you can run authentik using the standard development commands:
+
+Start the server:
+
+```shell
+make run-server
+```
+
+In a separate terminal, start the worker:
+
+```shell
+make run-worker
+```
+
+For frontend development:
+
+```shell
+make web-watch
+```
+
+authentik will be accessible at http://localhost:9000.
+
+### Initial setup
+
+To set a password for the default admin user (**akadmin**):
+
+1. Navigate to http://localhost:9000/if/flow/initial-setup/ in your browser.
+2. Follow the prompts to set up your admin account.
+
+### Hot-reloading
+
+When `AUTHENTIK_DEBUG` is set to `true` (the default for the development environment), the authentik server automatically reloads whenever changes are made to the code. However, due to instabilities in the reloading process of the worker, that behavior is turned off for the worker. You can enable code reloading in the worker by manually running `uv run ak worker --watch`.
+
+## End-to-End (E2E) Setup
+
+Start the E2E test services with the following command:
+
+```shell
+docker compose -f tests/e2e/docker-compose.yml up -d
+```
+
+You can then view the Selenium Chrome browser via http://localhost:7900/ using the password: `secret`.
+
+Alternatively, you can connect directly via VNC on port `5900` using the password: `secret`.
+
+:::info
+When using Docker Desktop, host networking needs to be enabled via **Docker Settings** > **Resources** > **Network** > **Enable host networking**.
+:::
+
+## 6. Contributing code
+
+### Before submitting a pull request
+
+Ensure your code meets our quality standards by running:
+
+1. **Code linting**:
+
+    ```shell
+    make lint-fix
+    make lint
+    ```
+
+2. **Generate updated API documentation**:
+
+    ```shell
+    make gen
+    ```
+
+3. **Format frontend code**:
+
+    ```shell
+    make web
+    ```
+
+4. **Run tests**:
+
+    ```shell
+    make test
+    ```
+
+You can run all these checks at once with:
+
+```shell
+make all
+```
+
+### Submitting your changes
+
+After your code passes all checks, submit a pull request on [GitHub](https://github.com/goauthentik/authentik/pulls). Be sure to:
+
+- Provide a clear description of your changes
+- Reference any related issues
+- Follow our code style guidelines
+- Update any related documentation
+- Include tests for your changes where appropriate
+
+Thank you for contributing to authentik!

website/docs/sidebar.mjs

@@ -707,6 +707,7 @@ const items = [
                     id: "developer-docs/setup/index",
                 },
                 items: [
+                    "developer-docs/setup/devcontainer",
                     "developer-docs/setup/full-dev-environment",
                     "developer-docs/setup/frontend-dev-environment",
                     "developer-docs/setup/debugging",