web: Normalize usage of private instances over compile-time private keyword.

Flesh out codemod.

Dockerfile

@@ -76,7 +76,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.8.3 AS uv
+FROM ghcr.io/astral-sh/uv:0.8.4 AS uv
 # Stage 5: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.13.5-slim-bookworm-fips AS python-base
 
@@ -134,11 +134,16 @@ ARG VERSION
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 
-LABEL org.opencontainers.image.url=https://goauthentik.io
-LABEL org.opencontainers.image.description="goauthentik.io Main server image, see https://goauthentik.io for more info."
-LABEL org.opencontainers.image.source=https://github.com/goauthentik/authentik
-LABEL org.opencontainers.image.version=${VERSION}
-LABEL org.opencontainers.image.revision=${GIT_BUILD_HASH}
+LABEL org.opencontainers.image.authors="Authentik Security Inc." \
+    org.opencontainers.image.description="goauthentik.io Main server image, see https://goauthentik.io for more info." \
+    org.opencontainers.image.documentation="https://docs.goauthentik.io" \
+    org.opencontainers.image.licenses="https://github.com/goauthentik/authentik/blob/main/LICENSE" \
+    org.opencontainers.image.revision=${GIT_BUILD_HASH} \
+    org.opencontainers.image.source="https://github.com/goauthentik/authentik" \
+    org.opencontainers.image.title="authentik server image" \
+    org.opencontainers.image.url="https://goauthentik.io" \
+    org.opencontainers.image.vendor="Authentik Security Inc." \
+    org.opencontainers.image.version=${VERSION}
 
 WORKDIR /
 

authentik/core/api/groups.py

@@ -49,11 +49,28 @@ class GroupMemberSerializer(ModelSerializer):
         ]
 
 
+class GroupChildSerializer(ModelSerializer):
+    """Stripped down group serializer to show relevant children for groups"""
+
+    attributes = JSONDictField(required=False)
+
+    class Meta:
+        model = Group
+        fields = [
+            "pk",
+            "name",
+            "is_superuser",
+            "attributes",
+            "group_uuid",
+        ]
+
+
 class GroupSerializer(ModelSerializer):
     """Group Serializer"""
 
     attributes = JSONDictField(required=False)
     users_obj = SerializerMethodField(allow_null=True)
+    children_obj = SerializerMethodField(allow_null=True)
     roles_obj = ListSerializer(
         child=RoleSerializer(),
         read_only=True,
@@ -61,7 +78,6 @@ class GroupSerializer(ModelSerializer):
         required=False,
     )
     parent_name = CharField(source="parent.name", read_only=True, allow_null=True)
-
     num_pk = IntegerField(read_only=True)
 
     @property
@@ -71,12 +87,25 @@ class GroupSerializer(ModelSerializer):
             return True
         return str(request.query_params.get("include_users", "true")).lower() == "true"
 
+    @property
+    def _should_include_children(self) -> bool:
+        request: Request = self.context.get("request", None)
+        if not request:
+            return True
+        return str(request.query_params.get("include_children", "false")).lower() == "true"
+
     @extend_schema_field(GroupMemberSerializer(many=True))
     def get_users_obj(self, instance: Group) -> list[GroupMemberSerializer] | None:
         if not self._should_include_users:
             return None
         return GroupMemberSerializer(instance.users, many=True).data
 
+    @extend_schema_field(GroupChildSerializer(many=True))
+    def get_children_obj(self, instance: Group) -> list[GroupChildSerializer] | None:
+        if not self._should_include_children:
+            return None
+        return GroupChildSerializer(instance.children, many=True).data
+
     def validate_parent(self, parent: Group | None):
         """Validate group parent (if set), ensuring the parent isn't itself"""
         if not self.instance or not parent:
@@ -126,11 +155,17 @@ class GroupSerializer(ModelSerializer):
             "attributes",
             "roles",
             "roles_obj",
+            "children",
+            "children_obj",
         ]
         extra_kwargs = {
             "users": {
                 "default": list,
             },
+            "children": {
+                "required": False,
+                "default": list,
+            },
             # TODO: This field isn't unique on the database which is hard to backport
             # hence we just validate the uniqueness here
             "name": {"validators": [UniqueValidator(Group.objects.all())]},
@@ -203,11 +238,15 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
                 Prefetch("users", queryset=User.objects.all().only("id"))
             )
 
+        if self.serializer_class(context={"request": self.request})._should_include_children:
+            base_qs = base_qs.prefetch_related("children")
+
         return base_qs
 
     @extend_schema(
         parameters=[
             OpenApiParameter("include_users", bool, default=True),
+            OpenApiParameter("include_children", bool, default=False),
         ]
     )
     def list(self, request, *args, **kwargs):
@@ -216,6 +255,7 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
     @extend_schema(
         parameters=[
             OpenApiParameter("include_users", bool, default=True),
+            OpenApiParameter("include_children", bool, default=False),
         ]
     )
     def retrieve(self, request, *args, **kwargs):

authentik/core/api/users.py

@@ -5,7 +5,7 @@ from json import loads
 from typing import Any
 
 from django.contrib.auth import update_session_auth_hash
-from django.contrib.auth.models import Permission
+from django.contrib.auth.models import AnonymousUser, Permission
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from django.urls import reverse_lazy
@@ -16,6 +16,7 @@ from django.utils.translation import gettext as _
 from django_filters.filters import (
     BooleanFilter,
     CharFilter,
+    IsoDateTimeFilter,
     ModelMultipleChoiceFilter,
     MultipleChoiceFilter,
     UUIDFilter,
@@ -241,6 +242,7 @@ class UserSerializer(ModelSerializer):
             "type",
             "uuid",
             "password_change_date",
+            "last_updated",
         ]
         extra_kwargs = {
             "name": {"allow_blank": True},
@@ -331,6 +333,14 @@ class UsersFilter(FilterSet):
         method="filter_attributes",
     )
 
+    date_joined__lt = IsoDateTimeFilter(field_name="date_joined", lookup_expr="lt")
+    date_joined = IsoDateTimeFilter(field_name="date_joined")
+    date_joined__gt = IsoDateTimeFilter(field_name="date_joined", lookup_expr="gt")
+
+    last_updated__lt = IsoDateTimeFilter(field_name="last_updated", lookup_expr="lt")
+    last_updated = IsoDateTimeFilter(field_name="last_updated")
+    last_updated__gt = IsoDateTimeFilter(field_name="last_updated", lookup_expr="gt")
+
     is_superuser = BooleanFilter(field_name="ak_groups", method="filter_is_superuser")
     uuid = UUIDFilter(field_name="uuid")
 
@@ -376,6 +386,8 @@ class UsersFilter(FilterSet):
         fields = [
             "username",
             "email",
+            "date_joined",
+            "last_updated",
             "name",
             "is_active",
             "is_superuser",
@@ -390,10 +402,19 @@ class UserViewSet(UsedByMixin, ModelViewSet):
     """User Viewset"""
 
     queryset = User.objects.none()
-    ordering = ["username"]
+    ordering = ["username", "date_joined", "last_updated"]
     serializer_class = UserSerializer
     filterset_class = UsersFilter
-    search_fields = ["username", "name", "is_active", "email", "uuid", "attributes"]
+    search_fields = [
+        "username",
+        "name",
+        "is_active",
+        "email",
+        "uuid",
+        "attributes",
+        "date_joined",
+        "last_updated",
+    ]
 
     def get_ql_fields(self):
         from djangoql.schema import BoolField, StrField
@@ -435,6 +456,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         user: User = self.get_object()
         planner = FlowPlanner(flow)
         planner.allow_empty_flows = True
+        self.request._request.user = AnonymousUser()
         try:
             plan = planner.plan(
                 self.request._request,

authentik/core/migrations/0050_user_last_updated_and_more.py

@@ -0,0 +1,27 @@
+# Generated by Django 5.1.11 on 2025-07-15 15:21
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("auth", "0012_alter_user_first_name_max_length"),
+        ("authentik_core", "0049_alter_token_options"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="user",
+            name="last_updated",
+            field=models.DateTimeField(auto_now=True),
+        ),
+        migrations.AddIndex(
+            model_name="user",
+            index=models.Index(fields=["last_updated"], name="authentik_c_last_up_ed7486_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="user",
+            index=models.Index(fields=["date_joined"], name="authentik_c_date_jo_58c256_idx"),
+        ),
+    ]

authentik/core/models.py

@@ -274,6 +274,8 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
     ak_groups = models.ManyToManyField("Group", related_name="users")
     password_change_date = models.DateTimeField(auto_now_add=True)
 
+    last_updated = models.DateTimeField(auto_now=True)
+
     objects = UserManager()
 
     class Meta:
@@ -293,6 +295,8 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
             models.Index(fields=["uuid"]),
             models.Index(fields=["path"]),
             models.Index(fields=["type"]),
+            models.Index(fields=["date_joined"]),
+            models.Index(fields=["last_updated"]),
         ]
 
     def __str__(self):

authentik/core/tests/test_users_api.py

@@ -21,7 +21,7 @@ from authentik.core.tests.utils import (
     create_test_flow,
     create_test_user,
 )
-from authentik.flows.models import FlowDesignation
+from authentik.flows.models import FlowAuthenticationRequirement, FlowDesignation
 from authentik.lib.generators import generate_id, generate_key
 from authentik.stages.email.models import EmailStage
 
@@ -103,8 +103,11 @@ class TestUsersAPI(APITestCase):
         self.assertTrue(self.admin.check_password(new_pw))
 
     def test_recovery(self):
-        """Test user recovery link (no recovery flow set)"""
-        flow = create_test_flow(FlowDesignation.RECOVERY)
+        """Test user recovery link"""
+        flow = create_test_flow(
+            FlowDesignation.RECOVERY,
+            authentication=FlowAuthenticationRequirement.REQUIRE_UNAUTHENTICATED,
+        )
         brand: Brand = create_test_brand()
         brand.flow_recovery = flow
         brand.save()
@@ -387,3 +390,72 @@ class TestUsersAPI(APITestCase):
         self.assertFalse(
             AuthenticatedSession.objects.filter(session__session_key=session_id).exists()
         )
+
+    def test_sort_by_last_updated(self):
+        """Test API sorting by last_updated"""
+        User.objects.all().delete()
+        admin = create_test_admin_user()
+        self.client.force_login(admin)
+
+        user = create_test_user()
+        admin.first_name = "Sample change"
+        admin.last_name = "To trigger an update"
+        admin.save()
+
+        # Ascending
+        response = self.client.get(
+            reverse("authentik_api:user-list"),
+            data={
+                "ordering": "last_updated",
+            },
+        )
+        self.assertEqual(response.status_code, 200)
+
+        body = loads(response.content)
+        self.assertEqual(len(body["results"]), 2)
+        self.assertEqual(body["results"][0]["pk"], user.pk)
+
+        # Descending
+        response = self.client.get(
+            reverse("authentik_api:user-list"),
+            data={
+                "ordering": "-last_updated",
+            },
+        )
+        self.assertEqual(response.status_code, 200)
+
+        body = loads(response.content)
+        self.assertEqual(len(body["results"]), 2)
+        self.assertEqual(body["results"][0]["pk"], admin.pk)
+
+    def test_sort_by_date_joined(self):
+        """Test API sorting by date_joined"""
+        User.objects.all().delete()
+        admin = create_test_admin_user()
+        self.client.force_login(admin)
+
+        user = create_test_user()
+
+        response = self.client.get(
+            reverse("authentik_api:user-list"),
+            data={
+                "ordering": "date_joined",
+            },
+        )
+        self.assertEqual(response.status_code, 200)
+
+        body = loads(response.content)
+        self.assertEqual(len(body["results"]), 2)
+        self.assertEqual(body["results"][0]["pk"], admin.pk)
+
+        response = self.client.get(
+            reverse("authentik_api:user-list"),
+            data={
+                "ordering": "-date_joined",
+            },
+        )
+        self.assertEqual(response.status_code, 200)
+
+        body = loads(response.content)
+        self.assertEqual(len(body["results"]), 2)
+        self.assertEqual(body["results"][0]["pk"], user.pk)

authentik/enterprise/audit/tests.py

@@ -55,6 +55,7 @@ class TestEnterpriseAudit(APITestCase):
         self.assertIsNotNone(event)
         self.assertIsNotNone(event.context["diff"])
         diff = event.context["diff"]
+        diff.pop("last_updated")
         self.assertEqual(
             diff,
             {
@@ -116,6 +117,7 @@ class TestEnterpriseAudit(APITestCase):
         self.assertIsNotNone(event)
         self.assertIsNotNone(event.context["diff"])
         diff = event.context["diff"]
+        diff.pop("last_updated")
         self.assertEqual(
             diff,
             {

authentik/policies/tests/test_bindings_api.py

@@ -42,7 +42,7 @@ class TestBindingsAPI(APITestCase):
         )
 
     def test_invalid_too_little(self):
-        """Test invvalid binding (too little)"""
+        """Test invalid binding (too little)"""
         response = self.client.post(
             reverse("authentik_api:policybinding-list"),
             data={"target": self.pbm.pk, "order": 0},

authentik/providers/saml/api/providers.py

@@ -190,6 +190,7 @@ class SAMLProviderSerializer(ProviderSerializer):
             "sign_response",
             "sp_binding",
             "default_relay_state",
+            "default_name_id_policy",
             "url_download_metadata",
             "url_sso_post",
             "url_sso_redirect",

authentik/providers/saml/migrations/0019_samlprovider_default_name_id_policy.py

@@ -0,0 +1,31 @@
+# Generated by Django 5.1.11 on 2025-06-18 09:27
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_saml", "0018_alter_samlprovider_acs_url"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="samlprovider",
+            name="default_name_id_policy",
+            field=models.TextField(
+                choices=[
+                    ("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "Email"),
+                    ("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "Persistent"),
+                    ("urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName", "X509"),
+                    (
+                        "urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName",
+                        "Windows",
+                    ),
+                    ("urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "Transient"),
+                    ("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "Unspecified"),
+                ],
+                default="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+            ),
+        ),
+    ]

authentik/providers/saml/models.py

@@ -12,6 +12,7 @@ from authentik.core.models import PropertyMapping, Provider
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.models import DomainlessURLValidator
 from authentik.lib.utils.time import timedelta_string_validator
+from authentik.sources.saml.models import SAMLNameIDPolicy
 from authentik.sources.saml.processors.constants import (
     DSA_SHA1,
     ECDSA_SHA1,
@@ -179,6 +180,9 @@ class SAMLProvider(Provider):
     default_relay_state = models.TextField(
         default="", blank=True, help_text=_("Default relay_state value for IDP-initiated logins")
     )
+    default_name_id_policy = models.TextField(
+        choices=SAMLNameIDPolicy.choices, default=SAMLNameIDPolicy.UNSPECIFIED
+    )
 
     sign_assertion = models.BooleanField(default=True)
     sign_response = models.BooleanField(default=False)

authentik/providers/saml/processors/assertion.py

@@ -205,6 +205,13 @@ class AssertionProcessor:
     def get_name_id(self) -> Element:
         """Get NameID Element"""
         name_id = Element(f"{{{NS_SAML_ASSERTION}}}NameID")
+        # For requests that don't specify a NameIDPolicy, check if we
+        # can fall back to the provider default
+        if (
+            self.auth_n_request.name_id_policy == SAML_NAME_ID_FORMAT_UNSPECIFIED
+            and self.provider.default_name_id_policy != SAML_NAME_ID_FORMAT_UNSPECIFIED
+        ):
+            self.auth_n_request.name_id_policy = self.provider.default_name_id_policy
         name_id.attrib["Format"] = self.auth_n_request.name_id_policy
         # persistent is used as a fallback, so always generate it
         persistent = self.http_request.user.uid

authentik/providers/saml/processors/authn_request_parser.py

@@ -13,6 +13,7 @@ from authentik.lib.xml import lxml_from_string
 from authentik.providers.saml.exceptions import CannotHandleAssertion
 from authentik.providers.saml.models import SAMLProvider
 from authentik.providers.saml.utils.encoding import decode_base64_and_inflate
+from authentik.sources.saml.models import SAMLNameIDPolicy
 from authentik.sources.saml.processors.constants import (
     DSA_SHA1,
     NS_MAP,
@@ -175,7 +176,9 @@ class AuthNRequestParser:
 
     def idp_initiated(self) -> AuthNRequest:
         """Create IdP Initiated AuthNRequest"""
-        relay_state = None
+        request = AuthNRequest(relay_state=None)
         if self.provider.default_relay_state != "":
-            relay_state = self.provider.default_relay_state
-        return AuthNRequest(relay_state=relay_state)
+            request.relay_state = self.provider.default_relay_state
+        if self.provider.default_name_id_policy != SAMLNameIDPolicy.UNSPECIFIED:
+            request.name_id_policy = self.provider.default_name_id_policy
+        return request

authentik/providers/saml/processors/metadata_parser.py

@@ -13,6 +13,7 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow
 from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.utils.encoding import PEM_FOOTER, PEM_HEADER
+from authentik.sources.saml.models import SAMLNameIDPolicy
 from authentik.sources.saml.processors.constants import (
     NS_MAP,
     NS_SAML_METADATA,
@@ -46,6 +47,7 @@ class ServiceProviderMetadata:
 
     auth_n_request_signed: bool
     assertion_signed: bool
+    name_id_policy: SAMLNameIDPolicy
 
     signing_keypair: CertificateKeyPair | None = None
 
@@ -60,6 +62,7 @@ class ServiceProviderMetadata:
         provider.issuer = self.entity_id
         provider.sp_binding = self.acs_binding
         provider.acs_url = self.acs_location
+        provider.default_name_id_policy = self.name_id_policy
         if self.signing_keypair and self.auth_n_request_signed:
             self.signing_keypair.name = f"Provider {name} - SAML Signing Certificate"
             self.signing_keypair.save()
@@ -148,6 +151,11 @@ class ServiceProviderMetadataParser:
         if signing_keypair:
             self.check_signature(root, signing_keypair)
 
+        name_id_format = descriptor.findall(f"{{{NS_SAML_METADATA}}}NameIDFormat")
+        name_id_policy = SAMLNameIDPolicy.UNSPECIFIED
+        if len(name_id_format) > 0:
+            name_id_policy = SAMLNameIDPolicy(name_id_format[0].text)
+
         return ServiceProviderMetadata(
             entity_id=entity_id,
             acs_binding=acs_binding,
@@ -155,4 +163,5 @@ class ServiceProviderMetadataParser:
             auth_n_request_signed=auth_n_request_signed,
             assertion_signed=assertion_signed,
             signing_keypair=signing_keypair,
+            name_id_policy=name_id_policy,
         )

authentik/providers/saml/tests/fixtures/simple.xml

@@ -4,7 +4,7 @@
                      cacheDuration="PT604800S"
                      entityID="http://localhost:8080/saml/metadata">
     <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
+        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
         <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                      Location="http://localhost:8080/saml/acs"
                                      index="1" />

authentik/providers/saml/tests/test_metadata.py

@@ -14,6 +14,7 @@ from authentik.lib.xml import lxml_from_string
 from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.processors.metadata import MetadataProcessor
 from authentik.providers.saml.processors.metadata_parser import ServiceProviderMetadataParser
+from authentik.sources.saml.models import SAMLNameIDPolicy
 from authentik.sources.saml.processors.constants import ECDSA_SHA256, NS_MAP, NS_SAML_METADATA
 
 
@@ -86,6 +87,7 @@ class TestServiceProviderMetadataParser(TestCase):
         self.assertEqual(provider.acs_url, "http://localhost:8080/saml/acs")
         self.assertEqual(provider.issuer, "http://localhost:8080/saml/metadata")
         self.assertEqual(provider.sp_binding, SAMLBindings.POST)
+        self.assertEqual(provider.default_name_id_policy, SAMLNameIDPolicy.EMAIL)
         self.assertEqual(
             len(provider.property_mappings.all()),
             len(SAMLPropertyMapping.objects.exclude(managed__isnull=True)),

authentik/root/settings.py

@@ -75,7 +75,9 @@ TENANT_APPS = [
     "pgtrigger",
     "authentik.admin",
     "authentik.api",
+    "authentik.core",
     "authentik.crypto",
+    "authentik.enterprise",
     "authentik.events",
     "authentik.flows",
     "authentik.outposts",
@@ -171,6 +173,7 @@ SPECTACULAR_SETTINGS = {
         "PromptTypeEnum": "authentik.stages.prompt.models.FieldTypes",
         "ProxyMode": "authentik.providers.proxy.models.ProxyMode",
         "TaskAggregatedStatusEnum": "authentik.tasks.models.TaskStatus",
+        "SAMLNameIDPolicyEnum": "authentik.sources.saml.models.SAMLNameIDPolicy",
         "UserTypeEnum": "authentik.core.models.UserTypes",
         "UserVerificationEnum": "authentik.stages.authenticator_webauthn.models.UserVerification",
     },
@@ -245,10 +248,12 @@ SESSION_EXPIRE_AT_BROWSER_CLOSE = True
 
 MESSAGE_STORAGE = "authentik.root.messages.storage.ChannelsStorage"
 
+MIDDLEWARE_FIRST = [
+    "django_prometheus.middleware.PrometheusBeforeMiddleware",
+]
 MIDDLEWARE = [
     "django_tenants.middleware.default.DefaultTenantMiddleware",
     "authentik.root.middleware.LoggingMiddleware",
-    "django_prometheus.middleware.PrometheusBeforeMiddleware",
     "authentik.root.middleware.ClientIPMiddleware",
     "authentik.stages.user_login.middleware.BoundSessionMiddleware",
     "authentik.core.middleware.AuthenticationMiddleware",
@@ -261,6 +266,8 @@ MIDDLEWARE = [
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
     "authentik.core.middleware.ImpersonateMiddleware",
+]
+MIDDLEWARE_LAST = [
     "django_prometheus.middleware.PrometheusAfterMiddleware",
 ]
 
@@ -496,7 +503,9 @@ _DISALLOWED_ITEMS = [
     "SHARED_APPS",
     "TENANT_APPS",
     "INSTALLED_APPS",
+    "MIDDLEWARE_FIRST",
     "MIDDLEWARE",
+    "MIDDLEWARE_LAST",
     "AUTHENTICATION_BACKENDS",
     "SPECTACULAR_SETTINGS",
     "REST_FRAMEWORK",
@@ -514,16 +523,35 @@ SILENCED_SYSTEM_CHECKS = [
 ]
 
 
-def _update_settings(app_path: str):
+def subtract_list(a: list, b: list) -> list:
+    return [item for item in a if item not in b]
+
+
+def _filter_and_update(apps: list[str]) -> None:
+    for _app in set(apps):
+        if not _app.startswith("authentik"):
+            continue
+        _update_settings(f"{_app}.settings")
+
+
+def _update_settings(app_path: str) -> None:
     try:
         settings_module = importlib.import_module(app_path)
         CONFIG.log("debug", "Loaded app settings", path=app_path)
-        SHARED_APPS.extend(getattr(settings_module, "SHARED_APPS", []))
-        TENANT_APPS.extend(getattr(settings_module, "TENANT_APPS", []))
+
+        new_shared_apps = subtract_list(getattr(settings_module, "SHARED_APPS", []), SHARED_APPS)
+        new_tenant_apps = subtract_list(getattr(settings_module, "TENANT_APPS", []), TENANT_APPS)
+        SHARED_APPS.extend(new_shared_apps)
+        TENANT_APPS.extend(new_tenant_apps)
+        _filter_and_update(new_shared_apps + new_tenant_apps)
+
+        MIDDLEWARE_FIRST.extend(getattr(settings_module, "MIDDLEWARE_FIRST", []))
         MIDDLEWARE.extend(getattr(settings_module, "MIDDLEWARE", []))
+
         AUTHENTICATION_BACKENDS.extend(getattr(settings_module, "AUTHENTICATION_BACKENDS", []))
         SPECTACULAR_SETTINGS.update(getattr(settings_module, "SPECTACULAR_SETTINGS", {}))
         REST_FRAMEWORK.update(getattr(settings_module, "REST_FRAMEWORK", {}))
+
         for _attr in dir(settings_module):
             if not _attr.startswith("__") and _attr not in _DISALLOWED_ITEMS:
                 globals()[_attr] = getattr(settings_module, _attr)
@@ -538,26 +566,13 @@ if DEBUG:
     SHARED_APPS.insert(SHARED_APPS.index("django.contrib.staticfiles"), "daphne")
     enable_debug_trace(True)
 
-TENANT_APPS.append("authentik.core")
 
 CONFIG.log("info", "Booting authentik", version=__version__)
 
-# Attempt to load enterprise app, if available
-try:
-    importlib.import_module("authentik.enterprise.apps")
-    CONFIG.log("info", "Enabled authentik enterprise")
-    TENANT_APPS.append("authentik.enterprise")
-    _update_settings("authentik.enterprise.settings")
-except ImportError:
-    pass
-
-
 # Load subapps's settings
-for _app in set(SHARED_APPS + TENANT_APPS):
-    if not _app.startswith("authentik"):
-        continue
-    _update_settings(f"{_app}.settings")
+_filter_and_update(SHARED_APPS + TENANT_APPS)
 _update_settings("data.user_settings")
 
+MIDDLEWARE = list(OrderedDict.fromkeys(MIDDLEWARE_FIRST + MIDDLEWARE + MIDDLEWARE_LAST))
 SHARED_APPS = list(OrderedDict.fromkeys(SHARED_APPS + TENANT_APPS))
 INSTALLED_APPS = list(OrderedDict.fromkeys(SHARED_APPS + TENANT_APPS))

authentik/sources/saml/migrations/0020_alter_samlsource_name_id_policy.py

@@ -0,0 +1,32 @@
+# Generated by Django 5.1.11 on 2025-06-18 09:27
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_saml", "0019_migrate_usersamlsourceconnection_identifier"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="samlsource",
+            name="name_id_policy",
+            field=models.TextField(
+                choices=[
+                    ("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "Email"),
+                    ("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "Persistent"),
+                    ("urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName", "X509"),
+                    (
+                        "urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName",
+                        "Windows",
+                    ),
+                    ("urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "Transient"),
+                    ("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "Unspecified"),
+                ],
+                default="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
+                help_text="NameID Policy sent to the IdP. Can be unset, in which case no Policy is sent.",
+            ),
+        ),
+    ]

authentik/sources/saml/models.py

@@ -39,6 +39,7 @@ from authentik.sources.saml.processors.constants import (
     SAML_NAME_ID_FORMAT_EMAIL,
     SAML_NAME_ID_FORMAT_PERSISTENT,
     SAML_NAME_ID_FORMAT_TRANSIENT,
+    SAML_NAME_ID_FORMAT_UNSPECIFIED,
     SAML_NAME_ID_FORMAT_WINDOWS,
     SAML_NAME_ID_FORMAT_X509,
     SHA1,
@@ -73,6 +74,7 @@ class SAMLNameIDPolicy(models.TextChoices):
     X509 = SAML_NAME_ID_FORMAT_X509
     WINDOWS = SAML_NAME_ID_FORMAT_WINDOWS
     TRANSIENT = SAML_NAME_ID_FORMAT_TRANSIENT
+    UNSPECIFIED = SAML_NAME_ID_FORMAT_UNSPECIFIED
 
 
 class SAMLSource(Source):

blueprints/schema.json

@@ -4689,6 +4689,14 @@
                         "format": "uuid"
                     },
                     "title": "Roles"
+                },
+                "children": {
+                    "type": "array",
+                    "items": {
+                        "type": "string",
+                        "format": "uuid"
+                    },
+                    "title": "Children"
                 }
             },
             "required": []
@@ -9287,6 +9295,18 @@
                     "type": "string",
                     "title": "Default relay state",
                     "description": "Default relay_state value for IDP-initiated logins"
+                },
+                "default_name_id_policy": {
+                    "type": "string",
+                    "enum": [
+                        "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+                        "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
+                        "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
+                        "urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName",
+                        "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+                        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+                    ],
+                    "title": "Default name id policy"
                 }
             },
             "required": []
@@ -11714,7 +11734,8 @@
                         "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
                         "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
                         "urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName",
-                        "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+                        "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+                        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                     ],
                     "title": "Name id policy",
                     "description": "NameID Policy sent to the IdP. Can be unset, in which case no Policy is sent."

go.mod

@@ -5,12 +5,12 @@ go 1.24.0
 require (
 	beryju.io/ldap v0.1.0
 	github.com/avast/retry-go/v4 v4.6.1
-	github.com/coreos/go-oidc/v3 v3.14.1
-	github.com/getsentry/sentry-go v0.34.1
+	github.com/coreos/go-oidc/v3 v3.15.0
+	github.com/getsentry/sentry-go v0.35.0
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
 	github.com/go-ldap/ldap/v3 v3.4.11
 	github.com/go-openapi/runtime v0.28.0
-	github.com/golang-jwt/jwt/v5 v5.2.3
+	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/handlers v1.5.2
 	github.com/gorilla/mux v1.8.1
@@ -22,14 +22,14 @@ require (
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.8.1
-	github.com/prometheus/client_golang v1.22.0
+	github.com/prometheus/client_golang v1.23.0
 	github.com/redis/go-redis/v9 v9.11.0
 	github.com/sethvargo/go-envconfig v1.3.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025064.2
+	goauthentik.io/api/v3 v3.2025064.3
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.30.0
 	golang.org/x/sync v0.16.0
@@ -69,18 +69,17 @@ require (
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.65.0 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/spf13/pflag v1.0.6 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.opentelemetry.io/otel v1.24.0 // indirect
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	golang.org/x/crypto v0.38.0 // indirect
-	golang.org/x/net v0.40.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/text v0.25.0 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -16,8 +16,8 @@ github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
 github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
-github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
+github.com/coreos/go-oidc/v3 v3.15.0 h1:R6Oz8Z4bqWR7VFQ+sPSvZPQv4x8M+sJkDO5ojgwlyAg=
+github.com/coreos/go-oidc/v3 v3.15.0/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -26,8 +26,8 @@ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/r
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/getsentry/sentry-go v0.34.1 h1:HSjc1C/OsnZttohEPrrqKH42Iud0HuLCXpv8cU1pWcw=
-github.com/getsentry/sentry-go v0.34.1/go.mod h1:C55omcY9ChRQIUcVcGcs+Zdy4ZpQGvNJ7JYHIoSWOtE=
+github.com/getsentry/sentry-go v0.35.0 h1:+FJNlnjJsZMG3g0/rmmP7GiKjQoUF5EXfEtBwtPtkzY=
+github.com/getsentry/sentry-go v0.35.0/go.mod h1:C55omcY9ChRQIUcVcGcs+Zdy4ZpQGvNJ7JYHIoSWOtE=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
@@ -67,8 +67,8 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58=
 github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
-github.com/golang-jwt/jwt/v5 v5.2.3 h1:kkGXqQOBSDDWRhWNXTFpqGSCMyh/PLnqUvMGJPDJDs0=
-github.com/golang-jwt/jwt/v5 v5.2.3/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
@@ -140,14 +140,14 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/prometheus/client_golang v1.23.0 h1:ust4zpdl9r4trLY/gSjlm07PuiBq2ynaXXlptpfy8Uc=
+github.com/prometheus/client_golang v1.23.0/go.mod h1:i/o0R9ByOnHX0McrTMTyhYvKE4haaf2mW08I+jGAjEE=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.65.0 h1:QDwzd+G1twt//Kwj/Ww6E9FQq1iVMmODnILtW1t2VzE=
+github.com/prometheus/common v0.65.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/redis/go-redis/v9 v9.11.0 h1:E3S08Gl/nJNn5vkxd2i78wZxWAPNZgUNTp8WIJUAiIs=
 github.com/redis/go-redis/v9 v9.11.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
@@ -185,8 +185,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025064.2 h1:WFXe12hfsRe29EkLCxWCvrdK6peAkCA6ftdEh04hKLg=
-goauthentik.io/api/v3 v3.2025064.2/go.mod h1:82lqAz4jxzl6Cg0YDbhNtvvTG2rm6605ZhdJFnbbsl8=
+goauthentik.io/api/v3 v3.2025064.3 h1:REfDBEjswP2id2WRRDUajRxX+6u+XZ7e/smYq7jw5Z0=
+goauthentik.io/api/v3 v3.2025064.3/go.mod h1:82lqAz4jxzl6Cg0YDbhNtvvTG2rm6605ZhdJFnbbsl8=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
@@ -211,8 +211,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
 golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

internal/outpost/ldap/group/group.go

@@ -17,6 +17,7 @@ type LDAPGroup struct {
 	Uid            string
 	GidNumber      string
 	Member         []string
+	MemberOf       []string
 	IsSuperuser    bool
 	IsVirtualGroup bool
 	Attributes     map[string]interface{}
@@ -38,6 +39,7 @@ func (lg *LDAPGroup) Entry() *ldap.Entry {
 		"ak-superuser":   {strconv.FormatBool(lg.IsSuperuser)},
 		"objectClass":    objectClass,
 		"member":         lg.Member,
+		"memberOf":       lg.MemberOf,
 		"cn":             {lg.CN},
 		"uid":            {lg.Uid},
 		"sAMAccountName": {lg.CN},
@@ -52,7 +54,8 @@ func FromAPIGroup(g api.Group, si server.LDAPServerInstance) *LDAPGroup {
 		CN:             g.Name,
 		Uid:            string(g.Pk),
 		GidNumber:      si.GetGroupGidNumber(g),
-		Member:         si.UsersForGroup(g),
+		Member:         si.MembersForGroup(g),
+		MemberOf:       si.MemberOfForGroup(g),
 		IsVirtualGroup: false,
 		IsSuperuser:    *g.IsSuperuser,
 		Attributes:     g.Attributes,

internal/outpost/ldap/search/direct/direct.go

@@ -155,7 +155,7 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 	if needGroups {
 		errs.Go(func() error {
 			gapisp := sentry.StartSpan(errCtx, "authentik.providers.ldap.search.api_group")
-			searchReq, skip := utils.ParseFilterForGroup(c.CoreApi.CoreGroupsList(gapisp.Context()).IncludeUsers(true), parsedFilter, false)
+			searchReq, skip := utils.ParseFilterForGroup(c.CoreApi.CoreGroupsList(gapisp.Context()).IncludeUsers(true).IncludeChildren(true), parsedFilter, false)
 			if skip {
 				req.Log().Trace("Skip backend request")
 				return nil

internal/outpost/ldap/search/memory/memory.go

@@ -165,7 +165,7 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 				for _, u := range g.UsersObj {
 					if flag.UserPk == u.Pk {
 						// TODO: Is there a better way to clone this object?
-						fg := api.NewGroup(g.Pk, g.NumPk, g.Name, g.ParentName, []api.GroupMember{u}, []api.Role{})
+						fg := api.NewGroup(g.Pk, g.NumPk, g.Name, g.ParentName, []api.GroupMember{u}, []api.Role{}, []api.GroupChild{})
 						fg.SetUsers([]int32{flag.UserPk})
 						if g.Parent.IsSet() {
 							if p := g.Parent.Get(); p != nil {

internal/outpost/ldap/server/base.go

@@ -32,7 +32,8 @@ type LDAPServerInstance interface {
 	GetUserGidNumber(api.User) string
 	GetGroupGidNumber(api.Group) string
 
-	UsersForGroup(api.Group) []string
+	MembersForGroup(api.Group) []string
+	MemberOfForGroup(api.Group) []string
 
 	GetFlags(dn string) *flags.UserFlags
 	SetFlags(dn string, flags *flags.UserFlags)

internal/outpost/ldap/utils.go

@@ -15,12 +15,27 @@ func (pi *ProviderInstance) GroupsForUser(user api.User) []string {
 	return groups
 }
 
-func (pi *ProviderInstance) UsersForGroup(group api.Group) []string {
+func (pi *ProviderInstance) MembersForGroup(group api.Group) []string {
 	users := make([]string, len(group.UsersObj))
 	for i, user := range group.UsersObj {
 		users[i] = pi.GetUserDN(user.Username)
 	}
-	return users
+	children := make([]string, len(group.ChildrenObj))
+	for i, child := range group.ChildrenObj {
+		children[i] = pi.GetGroupDN(child.Name)
+	}
+	return append(users, children...)
+}
+
+func (pi *ProviderInstance) MemberOfForGroup(group api.Group) []string {
+	if group.ParentName.IsSet() {
+		parent := group.ParentName.Get()
+		if parent != nil {
+			return []string{pi.GetGroupDN(*group.ParentName.Get())}
+		}
+	}
+
+	return []string{}
 }
 
 func (pi *ProviderInstance) GetUserDN(user string) string {

ldap.Dockerfile

@@ -37,11 +37,16 @@ ARG VERSION
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 
-LABEL org.opencontainers.image.url=https://goauthentik.io
-LABEL org.opencontainers.image.description="goauthentik.io LDAP outpost, see https://goauthentik.io for more info."
-LABEL org.opencontainers.image.source=https://github.com/goauthentik/authentik
-LABEL org.opencontainers.image.version=${VERSION}
-LABEL org.opencontainers.image.revision=${GIT_BUILD_HASH}
+LABEL org.opencontainers.image.authors="Authentik Security Inc." \
+    org.opencontainers.image.description="goauthentik.io LDAP outpost, see https://goauthentik.io for more info." \
+    org.opencontainers.image.documentation="https://docs.goauthentik.io" \
+    org.opencontainers.image.licenses="https://github.com/goauthentik/authentik/blob/main/LICENSE" \
+    org.opencontainers.image.revision=${GIT_BUILD_HASH} \
+    org.opencontainers.image.source="https://github.com/goauthentik/authentik" \
+    org.opencontainers.image.title="authentik LDAP outpost image" \
+    org.opencontainers.image.url="https://goauthentik.io" \
+    org.opencontainers.image.vendor="Authentik Security Inc." \
+    org.opencontainers.image.version=${VERSION}
 
 RUN apt-get update && \
     apt-get upgrade -y && \

lifecycle/aws/package-lock.json

@@ -9,7 +9,7 @@
             "version": "0.0.0",
             "license": "MIT",
             "devDependencies": {
-                "aws-cdk": "^2.1022.0",
+                "aws-cdk": "^2.1023.0",
                 "cross-env": "^10.0.0"
             },
             "engines": {
@@ -24,9 +24,9 @@
             "license": "MIT"
         },
         "node_modules/aws-cdk": {
-            "version": "2.1022.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1022.0.tgz",
-            "integrity": "sha512-GHCu+tDtYMqCiElCl7Fad2/Bt2GmtXEV3dynudoAsV9PlL5ETeLmEN7jflDQxhmr7KhKpQeZJo/PM0DoWCvoHw==",
+            "version": "2.1023.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1023.0.tgz",
+            "integrity": "sha512-DWMA+IrAsBUNF2RvH7ujpDp7wSJkqTkRL8yfK4AYpEjoGY1KMaKIfxz3M3+Nk3ogM7VhZiW3OGWEOgyDF47HOQ==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {

lifecycle/aws/package.json

@@ -10,7 +10,7 @@
         "node": ">=20"
     },
     "devDependencies": {
-        "aws-cdk": "^2.1022.0",
+        "aws-cdk": "^2.1023.0",
         "cross-env": "^10.0.0"
     }
 }

packages/django-dramatiq-postgres/django_dramatiq_postgres/middleware.py

@@ -186,19 +186,19 @@ class MetricsMiddleware(Middleware):
             "The total number of dead-lettered tasks.",
             self.labels,
         )
-        self.inprogress_messages = Gauge(
-            f"{self.prefix}_tasks_inprogress",
+        self.in_progress_messages = Gauge(
+            f"{self.prefix}_tasks_in_progress",
             "The number of tasks in progress.",
             self.labels,
             multiprocess_mode="livesum",
         )
-        self.inprogress_delayed_messages = Gauge(
-            f"{self.prefix}_tasks_delayed_inprogress",
+        self.in_progress_delayed_messages = Gauge(
+            f"{self.prefix}_tasks_delayed_in_progress",
             "The number of delayed tasks in memory.",
             self.labels,
         )
         self.messages_durations = Histogram(
-            f"{self.prefix}_tasks_duration_miliseconds",
+            f"{self.prefix}_tasks_duration_milliseconds",
             "The time spent processing tasks.",
             self.labels,
             buckets=(
@@ -244,15 +244,15 @@ class MetricsMiddleware(Middleware):
 
     def before_delay_message(self, broker: Broker, message: Message):
         self.delayed_messages.add(message.message_id)
-        self.inprogress_delayed_messages.labels(*self._make_labels(message)).inc()
+        self.in_progress_delayed_messages.labels(*self._make_labels(message)).inc()
 
     def before_process_message(self, broker: Broker, message: Message):
         labels = self._make_labels(message)
         if message.message_id in self.delayed_messages:
             self.delayed_messages.remove(message.message_id)
-            self.inprogress_delayed_messages.labels(*labels).dec()
+            self.in_progress_delayed_messages.labels(*labels).dec()
 
-        self.inprogress_messages.labels(*labels).inc()
+        self.in_progress_messages.labels(*labels).inc()
         self.message_start_times[message.message_id] = current_millis()
 
     def after_process_message(
@@ -269,7 +269,7 @@ class MetricsMiddleware(Middleware):
         message_duration = current_millis() - message_start_time
         self.messages_durations.labels(*labels).observe(message_duration)
 
-        self.inprogress_messages.labels(*labels).dec()
+        self.in_progress_messages.labels(*labels).dec()
         self.total_messages.labels(*labels).inc()
         if exception is not None:
             self.total_errored_messages.labels(*labels).inc()

packages/docusaurus-config/package-lock.json

@@ -17958,9 +17958,9 @@
             }
         },
         "node_modules/typescript": {
-            "version": "5.8.3",
-            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.8.3.tgz",
-            "integrity": "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ==",
+            "version": "5.9.2",
+            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.2.tgz",
+            "integrity": "sha512-CWBzXQrc/qOkhidw1OzBTQuYRbfyxDXJMVJ1XNwUHGROVmuaeiEm3OslpZ1RV96d7SKKjZKrSJu3+t/xlw3R9A==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {

packages/esbuild-plugin-live-reload/package-lock.json

@@ -2728,9 +2728,9 @@
             }
         },
         "node_modules/typedoc-plugin-markdown": {
-            "version": "4.7.1",
-            "resolved": "https://registry.npmjs.org/typedoc-plugin-markdown/-/typedoc-plugin-markdown-4.7.1.tgz",
-            "integrity": "sha512-HN/fHLm2S6MD4HX8txfB4eWvVBzX/mEYy5U5s1KTAdh3E5uX5/lilswqTzZlPTT6fNZInAboAdFGpbAuBKnE4A==",
+            "version": "4.8.0",
+            "resolved": "https://registry.npmjs.org/typedoc-plugin-markdown/-/typedoc-plugin-markdown-4.8.0.tgz",
+            "integrity": "sha512-BQqXnT9PETe6WEFf8bcsvvGEGQHbwTo/BFyY+RUIsSB05Y0Wn56iF+fK1PY2OKJJIhV4kp4dp7osaP9Bm5a0Zw==",
             "dev": true,
             "license": "MIT",
             "engines": {
@@ -2741,9 +2741,9 @@
             }
         },
         "node_modules/typescript": {
-            "version": "5.8.3",
-            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.8.3.tgz",
-            "integrity": "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ==",
+            "version": "5.9.2",
+            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.2.tgz",
+            "integrity": "sha512-CWBzXQrc/qOkhidw1OzBTQuYRbfyxDXJMVJ1XNwUHGROVmuaeiEm3OslpZ1RV96d7SKKjZKrSJu3+t/xlw3R9A==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {

packages/eslint-config/package-lock.json

@@ -500,93 +500,6 @@
             "integrity": "sha512-dRLjCWHYg4oaA77cxO64oO+7JwCwnIzkZPdrrC71jQmQtlhM556pwKo5bUzqvZndkVbeFLIIi+9TC40JNF5hNQ==",
             "license": "MIT"
         },
-        "node_modules/@typescript-eslint/eslint-plugin": {
-            "version": "8.38.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.38.0.tgz",
-            "integrity": "sha512-CPoznzpuAnIOl4nhj4tRr4gIPj5AfKgkiJmGQDaq+fQnRJTYlcBjbX3wbciGmpoPf8DREufuPRe1tNMZnGdanA==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "@eslint-community/regexpp": "^4.10.0",
-                "@typescript-eslint/scope-manager": "8.38.0",
-                "@typescript-eslint/type-utils": "8.38.0",
-                "@typescript-eslint/utils": "8.38.0",
-                "@typescript-eslint/visitor-keys": "8.38.0",
-                "graphemer": "^1.4.0",
-                "ignore": "^7.0.0",
-                "natural-compare": "^1.4.0",
-                "ts-api-utils": "^2.1.0"
-            },
-            "engines": {
-                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
-            },
-            "funding": {
-                "type": "opencollective",
-                "url": "https://opencollective.com/typescript-eslint"
-            },
-            "peerDependencies": {
-                "@typescript-eslint/parser": "^8.38.0",
-                "eslint": "^8.57.0 || ^9.0.0",
-                "typescript": ">=4.8.4 <5.9.0"
-            }
-        },
-        "node_modules/@typescript-eslint/eslint-plugin/node_modules/ignore": {
-            "version": "7.0.5",
-            "resolved": "https://registry.npmjs.org/ignore/-/ignore-7.0.5.tgz",
-            "integrity": "sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">= 4"
-            }
-        },
-        "node_modules/@typescript-eslint/parser": {
-            "version": "8.38.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.38.0.tgz",
-            "integrity": "sha512-Zhy8HCvBUEfBECzIl1PKqF4p11+d0aUJS1GeUiuqK9WmOug8YCmC4h4bjyBvMyAMI9sbRczmrYL5lKg/YMbrcQ==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "@typescript-eslint/scope-manager": "8.38.0",
-                "@typescript-eslint/types": "8.38.0",
-                "@typescript-eslint/typescript-estree": "8.38.0",
-                "@typescript-eslint/visitor-keys": "8.38.0",
-                "debug": "^4.3.4"
-            },
-            "engines": {
-                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
-            },
-            "funding": {
-                "type": "opencollective",
-                "url": "https://opencollective.com/typescript-eslint"
-            },
-            "peerDependencies": {
-                "eslint": "^8.57.0 || ^9.0.0",
-                "typescript": ">=4.8.4 <5.9.0"
-            }
-        },
-        "node_modules/@typescript-eslint/project-service": {
-            "version": "8.38.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.38.0.tgz",
-            "integrity": "sha512-dbK7Jvqcb8c9QfH01YB6pORpqX1mn5gDZc9n63Ak/+jD67oWXn3Gs0M6vddAN+eDXBCS5EmNWzbSxsn9SzFWWg==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "@typescript-eslint/tsconfig-utils": "^8.38.0",
-                "@typescript-eslint/types": "^8.38.0",
-                "debug": "^4.3.4"
-            },
-            "engines": {
-                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
-            },
-            "funding": {
-                "type": "opencollective",
-                "url": "https://opencollective.com/typescript-eslint"
-            },
-            "peerDependencies": {
-                "typescript": ">=4.8.4 <5.9.0"
-            }
-        },
         "node_modules/@typescript-eslint/scope-manager": {
             "version": "8.38.0",
             "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.38.0.tgz",
@@ -605,48 +518,6 @@
                 "url": "https://opencollective.com/typescript-eslint"
             }
         },
-        "node_modules/@typescript-eslint/tsconfig-utils": {
-            "version": "8.38.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.38.0.tgz",
-            "integrity": "sha512-Lum9RtSE3EroKk/bYns+sPOodqb2Fv50XOl/gMviMKNvanETUuUcC9ObRbzrJ4VSd2JalPqgSAavwrPiPvnAiQ==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
-            },
-            "funding": {
-                "type": "opencollective",
-                "url": "https://opencollective.com/typescript-eslint"
-            },
-            "peerDependencies": {
-                "typescript": ">=4.8.4 <5.9.0"
-            }
-        },
-        "node_modules/@typescript-eslint/type-utils": {
-            "version": "8.38.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.38.0.tgz",
-            "integrity": "sha512-c7jAvGEZVf0ao2z+nnz8BUaHZD09Agbh+DY7qvBQqLiz8uJzRgVPj5YvOh8I8uEiH8oIUGIfHzMwUcGVco/SJg==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "@typescript-eslint/types": "8.38.0",
-                "@typescript-eslint/typescript-estree": "8.38.0",
-                "@typescript-eslint/utils": "8.38.0",
-                "debug": "^4.3.4",
-                "ts-api-utils": "^2.1.0"
-            },
-            "engines": {
-                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
-            },
-            "funding": {
-                "type": "opencollective",
-                "url": "https://opencollective.com/typescript-eslint"
-            },
-            "peerDependencies": {
-                "eslint": "^8.57.0 || ^9.0.0",
-                "typescript": ">=4.8.4 <5.9.0"
-            }
-        },
         "node_modules/@typescript-eslint/types": {
             "version": "8.38.0",
             "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.38.0.tgz",
@@ -661,98 +532,6 @@
                 "url": "https://opencollective.com/typescript-eslint"
             }
         },
-        "node_modules/@typescript-eslint/typescript-estree": {
-            "version": "8.38.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.38.0.tgz",
-            "integrity": "sha512-fooELKcAKzxux6fA6pxOflpNS0jc+nOQEEOipXFNjSlBS6fqrJOVY/whSn70SScHrcJ2LDsxWrneFoWYSVfqhQ==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "@typescript-eslint/project-service": "8.38.0",
-                "@typescript-eslint/tsconfig-utils": "8.38.0",
-                "@typescript-eslint/types": "8.38.0",
-                "@typescript-eslint/visitor-keys": "8.38.0",
-                "debug": "^4.3.4",
-                "fast-glob": "^3.3.2",
-                "is-glob": "^4.0.3",
-                "minimatch": "^9.0.4",
-                "semver": "^7.6.0",
-                "ts-api-utils": "^2.1.0"
-            },
-            "engines": {
-                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
-            },
-            "funding": {
-                "type": "opencollective",
-                "url": "https://opencollective.com/typescript-eslint"
-            },
-            "peerDependencies": {
-                "typescript": ">=4.8.4 <5.9.0"
-            }
-        },
-        "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
-            "version": "2.0.2",
-            "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-            "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "balanced-match": "^1.0.0"
-            }
-        },
-        "node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch": {
-            "version": "9.0.5",
-            "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
-            "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
-            "dev": true,
-            "license": "ISC",
-            "dependencies": {
-                "brace-expansion": "^2.0.1"
-            },
-            "engines": {
-                "node": ">=16 || 14 >=14.17"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/isaacs"
-            }
-        },
-        "node_modules/@typescript-eslint/typescript-estree/node_modules/semver": {
-            "version": "7.7.2",
-            "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.2.tgz",
-            "integrity": "sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==",
-            "dev": true,
-            "license": "ISC",
-            "bin": {
-                "semver": "bin/semver.js"
-            },
-            "engines": {
-                "node": ">=10"
-            }
-        },
-        "node_modules/@typescript-eslint/utils": {
-            "version": "8.38.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.38.0.tgz",
-            "integrity": "sha512-hHcMA86Hgt+ijJlrD8fX0j1j8w4C92zue/8LOPAFioIno+W0+L7KqE8QZKCcPGc/92Vs9x36w/4MPTJhqXdyvg==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "@eslint-community/eslint-utils": "^4.7.0",
-                "@typescript-eslint/scope-manager": "8.38.0",
-                "@typescript-eslint/types": "8.38.0",
-                "@typescript-eslint/typescript-estree": "8.38.0"
-            },
-            "engines": {
-                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
-            },
-            "funding": {
-                "type": "opencollective",
-                "url": "https://opencollective.com/typescript-eslint"
-            },
-            "peerDependencies": {
-                "eslint": "^8.57.0 || ^9.0.0",
-                "typescript": ">=4.8.4 <5.9.0"
-            }
-        },
         "node_modules/@typescript-eslint/visitor-keys": {
             "version": "8.38.0",
             "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.38.0.tgz",
@@ -4694,9 +4473,9 @@
             }
         },
         "node_modules/typescript": {
-            "version": "5.8.3",
-            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.8.3.tgz",
-            "integrity": "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ==",
+            "version": "5.9.2",
+            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.2.tgz",
+            "integrity": "sha512-CWBzXQrc/qOkhidw1OzBTQuYRbfyxDXJMVJ1XNwUHGROVmuaeiEm3OslpZ1RV96d7SKKjZKrSJu3+t/xlw3R9A==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {
@@ -4731,6 +4510,227 @@
                 "typescript": ">=4.8.4 <5.9.0"
             }
         },
+        "node_modules/typescript-eslint/node_modules/@typescript-eslint/eslint-plugin": {
+            "version": "8.38.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.38.0.tgz",
+            "integrity": "sha512-CPoznzpuAnIOl4nhj4tRr4gIPj5AfKgkiJmGQDaq+fQnRJTYlcBjbX3wbciGmpoPf8DREufuPRe1tNMZnGdanA==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@eslint-community/regexpp": "^4.10.0",
+                "@typescript-eslint/scope-manager": "8.38.0",
+                "@typescript-eslint/type-utils": "8.38.0",
+                "@typescript-eslint/utils": "8.38.0",
+                "@typescript-eslint/visitor-keys": "8.38.0",
+                "graphemer": "^1.4.0",
+                "ignore": "^7.0.0",
+                "natural-compare": "^1.4.0",
+                "ts-api-utils": "^2.1.0"
+            },
+            "engines": {
+                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+            },
+            "funding": {
+                "type": "opencollective",
+                "url": "https://opencollective.com/typescript-eslint"
+            },
+            "peerDependencies": {
+                "@typescript-eslint/parser": "^8.38.0",
+                "eslint": "^8.57.0 || ^9.0.0",
+                "typescript": ">=4.8.4 <5.9.0"
+            }
+        },
+        "node_modules/typescript-eslint/node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/type-utils": {
+            "version": "8.38.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.38.0.tgz",
+            "integrity": "sha512-c7jAvGEZVf0ao2z+nnz8BUaHZD09Agbh+DY7qvBQqLiz8uJzRgVPj5YvOh8I8uEiH8oIUGIfHzMwUcGVco/SJg==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@typescript-eslint/types": "8.38.0",
+                "@typescript-eslint/typescript-estree": "8.38.0",
+                "@typescript-eslint/utils": "8.38.0",
+                "debug": "^4.3.4",
+                "ts-api-utils": "^2.1.0"
+            },
+            "engines": {
+                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+            },
+            "funding": {
+                "type": "opencollective",
+                "url": "https://opencollective.com/typescript-eslint"
+            },
+            "peerDependencies": {
+                "eslint": "^8.57.0 || ^9.0.0",
+                "typescript": ">=4.8.4 <5.9.0"
+            }
+        },
+        "node_modules/typescript-eslint/node_modules/@typescript-eslint/parser": {
+            "version": "8.38.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.38.0.tgz",
+            "integrity": "sha512-Zhy8HCvBUEfBECzIl1PKqF4p11+d0aUJS1GeUiuqK9WmOug8YCmC4h4bjyBvMyAMI9sbRczmrYL5lKg/YMbrcQ==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@typescript-eslint/scope-manager": "8.38.0",
+                "@typescript-eslint/types": "8.38.0",
+                "@typescript-eslint/typescript-estree": "8.38.0",
+                "@typescript-eslint/visitor-keys": "8.38.0",
+                "debug": "^4.3.4"
+            },
+            "engines": {
+                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+            },
+            "funding": {
+                "type": "opencollective",
+                "url": "https://opencollective.com/typescript-eslint"
+            },
+            "peerDependencies": {
+                "eslint": "^8.57.0 || ^9.0.0",
+                "typescript": ">=4.8.4 <5.9.0"
+            }
+        },
+        "node_modules/typescript-eslint/node_modules/@typescript-eslint/typescript-estree": {
+            "version": "8.38.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.38.0.tgz",
+            "integrity": "sha512-fooELKcAKzxux6fA6pxOflpNS0jc+nOQEEOipXFNjSlBS6fqrJOVY/whSn70SScHrcJ2LDsxWrneFoWYSVfqhQ==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@typescript-eslint/project-service": "8.38.0",
+                "@typescript-eslint/tsconfig-utils": "8.38.0",
+                "@typescript-eslint/types": "8.38.0",
+                "@typescript-eslint/visitor-keys": "8.38.0",
+                "debug": "^4.3.4",
+                "fast-glob": "^3.3.2",
+                "is-glob": "^4.0.3",
+                "minimatch": "^9.0.4",
+                "semver": "^7.6.0",
+                "ts-api-utils": "^2.1.0"
+            },
+            "engines": {
+                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+            },
+            "funding": {
+                "type": "opencollective",
+                "url": "https://opencollective.com/typescript-eslint"
+            },
+            "peerDependencies": {
+                "typescript": ">=4.8.4 <5.9.0"
+            }
+        },
+        "node_modules/typescript-eslint/node_modules/@typescript-eslint/typescript-estree/node_modules/@typescript-eslint/project-service": {
+            "version": "8.38.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.38.0.tgz",
+            "integrity": "sha512-dbK7Jvqcb8c9QfH01YB6pORpqX1mn5gDZc9n63Ak/+jD67oWXn3Gs0M6vddAN+eDXBCS5EmNWzbSxsn9SzFWWg==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@typescript-eslint/tsconfig-utils": "^8.38.0",
+                "@typescript-eslint/types": "^8.38.0",
+                "debug": "^4.3.4"
+            },
+            "engines": {
+                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+            },
+            "funding": {
+                "type": "opencollective",
+                "url": "https://opencollective.com/typescript-eslint"
+            },
+            "peerDependencies": {
+                "typescript": ">=4.8.4 <5.9.0"
+            }
+        },
+        "node_modules/typescript-eslint/node_modules/@typescript-eslint/typescript-estree/node_modules/@typescript-eslint/tsconfig-utils": {
+            "version": "8.38.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.38.0.tgz",
+            "integrity": "sha512-Lum9RtSE3EroKk/bYns+sPOodqb2Fv50XOl/gMviMKNvanETUuUcC9ObRbzrJ4VSd2JalPqgSAavwrPiPvnAiQ==",
+            "dev": true,
+            "license": "MIT",
+            "engines": {
+                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+            },
+            "funding": {
+                "type": "opencollective",
+                "url": "https://opencollective.com/typescript-eslint"
+            },
+            "peerDependencies": {
+                "typescript": ">=4.8.4 <5.9.0"
+            }
+        },
+        "node_modules/typescript-eslint/node_modules/@typescript-eslint/utils": {
+            "version": "8.38.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.38.0.tgz",
+            "integrity": "sha512-hHcMA86Hgt+ijJlrD8fX0j1j8w4C92zue/8LOPAFioIno+W0+L7KqE8QZKCcPGc/92Vs9x36w/4MPTJhqXdyvg==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@eslint-community/eslint-utils": "^4.7.0",
+                "@typescript-eslint/scope-manager": "8.38.0",
+                "@typescript-eslint/types": "8.38.0",
+                "@typescript-eslint/typescript-estree": "8.38.0"
+            },
+            "engines": {
+                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+            },
+            "funding": {
+                "type": "opencollective",
+                "url": "https://opencollective.com/typescript-eslint"
+            },
+            "peerDependencies": {
+                "eslint": "^8.57.0 || ^9.0.0",
+                "typescript": ">=4.8.4 <5.9.0"
+            }
+        },
+        "node_modules/typescript-eslint/node_modules/brace-expansion": {
+            "version": "2.0.2",
+            "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
+            "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "balanced-match": "^1.0.0"
+            }
+        },
+        "node_modules/typescript-eslint/node_modules/ignore": {
+            "version": "7.0.5",
+            "resolved": "https://registry.npmjs.org/ignore/-/ignore-7.0.5.tgz",
+            "integrity": "sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==",
+            "dev": true,
+            "license": "MIT",
+            "engines": {
+                "node": ">= 4"
+            }
+        },
+        "node_modules/typescript-eslint/node_modules/minimatch": {
+            "version": "9.0.5",
+            "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
+            "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
+            "dev": true,
+            "license": "ISC",
+            "dependencies": {
+                "brace-expansion": "^2.0.1"
+            },
+            "engines": {
+                "node": ">=16 || 14 >=14.17"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/isaacs"
+            }
+        },
+        "node_modules/typescript-eslint/node_modules/semver": {
+            "version": "7.7.2",
+            "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.2.tgz",
+            "integrity": "sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==",
+            "dev": true,
+            "license": "ISC",
+            "bin": {
+                "semver": "bin/semver.js"
+            },
+            "engines": {
+                "node": ">=10"
+            }
+        },
         "node_modules/unbox-primitive": {
             "version": "1.1.0",
             "resolved": "https://registry.npmjs.org/unbox-primitive/-/unbox-primitive-1.1.0.tgz",

packages/prettier-config/package-lock.json

@@ -1711,9 +1711,9 @@
             }
         },
         "node_modules/typescript": {
-            "version": "5.8.3",
-            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.8.3.tgz",
-            "integrity": "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ==",
+            "version": "5.9.2",
+            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.2.tgz",
+            "integrity": "sha512-CWBzXQrc/qOkhidw1OzBTQuYRbfyxDXJMVJ1XNwUHGROVmuaeiEm3OslpZ1RV96d7SKKjZKrSJu3+t/xlw3R9A==",
             "license": "Apache-2.0",
             "bin": {
                 "tsc": "bin/tsc",

proxy.Dockerfile

@@ -53,11 +53,16 @@ ARG VERSION
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 
-LABEL org.opencontainers.image.url=https://goauthentik.io
-LABEL org.opencontainers.image.description="goauthentik.io Proxy outpost image, see https://goauthentik.io for more info."
-LABEL org.opencontainers.image.source=https://github.com/goauthentik/authentik
-LABEL org.opencontainers.image.version=${VERSION}
-LABEL org.opencontainers.image.revision=${GIT_BUILD_HASH}
+LABEL org.opencontainers.image.authors="Authentik Security Inc." \
+    org.opencontainers.image.description="goauthentik.io Proxy outpost image, see https://goauthentik.io for more info." \
+    org.opencontainers.image.documentation="https://docs.goauthentik.io" \
+    org.opencontainers.image.licenses="https://github.com/goauthentik/authentik/blob/main/LICENSE" \
+    org.opencontainers.image.revision=${GIT_BUILD_HASH} \
+    org.opencontainers.image.source="https://github.com/goauthentik/authentik" \
+    org.opencontainers.image.title="authentik proxy outpost image" \
+    org.opencontainers.image.url="https://goauthentik.io" \
+    org.opencontainers.image.vendor="Authentik Security Inc." \
+    org.opencontainers.image.version=${VERSION}
 
 RUN apt-get update && \
     apt-get upgrade -y && \

rac.Dockerfile

@@ -37,11 +37,16 @@ ARG VERSION
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 
-LABEL org.opencontainers.image.url=https://goauthentik.io
-LABEL org.opencontainers.image.description="goauthentik.io RAC outpost, see https://goauthentik.io for more info."
-LABEL org.opencontainers.image.source=https://github.com/goauthentik/authentik
-LABEL org.opencontainers.image.version=${VERSION}
-LABEL org.opencontainers.image.revision=${GIT_BUILD_HASH}
+LABEL org.opencontainers.image.authors="Authentik Security Inc." \
+    org.opencontainers.image.description="goauthentik.io RAC outpost, see https://goauthentik.io for more info." \
+    org.opencontainers.image.documentation="https://docs.goauthentik.io" \
+    org.opencontainers.image.licenses="https://github.com/goauthentik/authentik/blob/main/LICENSE" \
+    org.opencontainers.image.revision=${GIT_BUILD_HASH} \
+    org.opencontainers.image.source="https://github.com/goauthentik/authentik" \
+    org.opencontainers.image.title="authentik RAC outpost image" \
+    org.opencontainers.image.url="https://goauthentik.io" \
+    org.opencontainers.image.vendor="Authentik Security Inc." \
+    org.opencontainers.image.version=${VERSION}
 
 USER root
 RUN apt-get update && \

radius.Dockerfile

@@ -37,11 +37,16 @@ ARG VERSION
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 
-LABEL org.opencontainers.image.url=https://goauthentik.io
-LABEL org.opencontainers.image.description="goauthentik.io Radius outpost, see https://goauthentik.io for more info."
-LABEL org.opencontainers.image.source=https://github.com/goauthentik/authentik
-LABEL org.opencontainers.image.version=${VERSION}
-LABEL org.opencontainers.image.revision=${GIT_BUILD_HASH}
+LABEL org.opencontainers.image.authors="Authentik Security Inc." \
+    org.opencontainers.image.description="goauthentik.io Radius outpost, see https://goauthentik.io for more info." \
+    org.opencontainers.image.documentation="https://docs.goauthentik.io" \
+    org.opencontainers.image.licenses="https://github.com/goauthentik/authentik/blob/main/LICENSE" \
+    org.opencontainers.image.revision=${GIT_BUILD_HASH} \
+    org.opencontainers.image.source="https://github.com/goauthentik/authentik" \
+    org.opencontainers.image.title="authentik RADIUS outpost image" \
+    org.opencontainers.image.url="https://goauthentik.io" \
+    org.opencontainers.image.vendor="Authentik Security Inc." \
+    org.opencontainers.image.version=${VERSION}
 
 RUN apt-get update && \
     apt-get upgrade -y && \

schema.yml

@@ -4718,6 +4718,11 @@ paths:
         schema:
           type: string
         description: Attributes
+      - in: query
+        name: include_children
+        schema:
+          type: boolean
+          default: false
       - in: query
         name: include_users
         schema:
@@ -4840,6 +4845,11 @@ paths:
           format: uuid
         description: A UUID string identifying this Group.
         required: true
+      - in: query
+        name: include_children
+        schema:
+          type: boolean
+          default: false
       - in: query
         name: include_users
         schema:
@@ -5654,6 +5664,21 @@ paths:
         schema:
           type: string
         description: Attributes
+      - in: query
+        name: date_joined
+        schema:
+          type: string
+          format: date-time
+      - in: query
+        name: date_joined__gt
+        schema:
+          type: string
+          format: date-time
+      - in: query
+        name: date_joined__lt
+        schema:
+          type: string
+          format: date-time
       - in: query
         name: email
         schema:
@@ -5688,6 +5713,21 @@ paths:
         name: is_superuser
         schema:
           type: boolean
+      - in: query
+        name: last_updated
+        schema:
+          type: string
+          format: date-time
+      - in: query
+        name: last_updated__gt
+        schema:
+          type: string
+          format: date-time
+      - in: query
+        name: last_updated__lt
+        schema:
+          type: string
+          format: date-time
       - in: query
         name: name
         schema:
@@ -22282,6 +22322,17 @@ paths:
         schema:
           type: string
           format: uuid
+      - in: query
+        name: default_name_id_policy
+        schema:
+          type: string
+          enum:
+          - urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
+          - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+          - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+          - urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName
+          - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+          - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
       - in: query
         name: default_relay_state
         schema:
@@ -29498,6 +29549,7 @@ paths:
           enum:
           - urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
           - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+          - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
           - urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName
           - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
           - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
@@ -46466,13 +46518,50 @@ components:
           items:
             $ref: '#/components/schemas/Role'
           readOnly: true
+        children:
+          type: array
+          items:
+            type: string
+            format: uuid
+        children_obj:
+          type: array
+          items:
+            $ref: '#/components/schemas/GroupChild'
+          readOnly: true
+          nullable: true
       required:
+      - children_obj
       - name
       - num_pk
       - parent_name
       - pk
       - roles_obj
       - users_obj
+    GroupChild:
+      type: object
+      description: Stripped down group serializer to show relevant children for groups
+      properties:
+        pk:
+          type: string
+          format: uuid
+          readOnly: true
+          title: Group uuid
+        name:
+          type: string
+        is_superuser:
+          type: boolean
+          description: Users added to this group will be superusers.
+        attributes:
+          type: object
+          additionalProperties: {}
+        group_uuid:
+          type: string
+          format: uuid
+          readOnly: true
+      required:
+      - group_uuid
+      - name
+      - pk
     GroupKerberosSourceConnection:
       type: object
       description: Group Source Connection
@@ -46794,6 +46883,11 @@ components:
           items:
             type: string
             format: uuid
+        children:
+          type: array
+          items:
+            type: string
+            format: uuid
       required:
       - name
     GroupSAMLSourceConnection:
@@ -49063,14 +49157,6 @@ components:
       - mode
       - name
       - user_attribute
-    NameIdPolicyEnum:
-      enum:
-      - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
-      - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
-      - urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
-      - urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName
-      - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
-      type: string
     NetworkBindingEnum:
       enum:
       - no_binding
@@ -53685,6 +53771,11 @@ components:
           items:
             type: string
             format: uuid
+        children:
+          type: array
+          items:
+            type: string
+            format: uuid
     PatchedGroupSAMLSourceConnectionRequest:
       type: object
       description: Group Source Connection
@@ -55289,6 +55380,8 @@ components:
         default_relay_state:
           type: string
           description: Default relay_state value for IDP-initiated logins
+        default_name_id_policy:
+          $ref: '#/components/schemas/SAMLNameIDPolicyEnum'
     PatchedSAMLSourcePropertyMappingRequest:
       type: object
       description: SAMLSourcePropertyMapping Serializer
@@ -55382,7 +55475,7 @@ components:
             be a security risk, as no validation of the request ID is done.
         name_id_policy:
           allOf:
-          - $ref: '#/components/schemas/NameIdPolicyEnum'
+          - $ref: '#/components/schemas/SAMLNameIDPolicyEnum'
           description: NameID Policy sent to the IdP. Can be unset, in which case
             no Policy is sent.
         binding_type:
@@ -58130,6 +58223,15 @@ components:
       required:
       - download_url
       - metadata
+    SAMLNameIDPolicyEnum:
+      enum:
+      - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+      - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+      - urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
+      - urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName
+      - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+      - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+      type: string
     SAMLPropertyMapping:
       type: object
       description: SAMLPropertyMapping Serializer
@@ -58347,6 +58449,8 @@ components:
         default_relay_state:
           type: string
           description: Default relay_state value for IDP-initiated logins
+        default_name_id_policy:
+          $ref: '#/components/schemas/SAMLNameIDPolicyEnum'
         url_download_metadata:
           type: string
           description: Get metadata download URL
@@ -58519,6 +58623,8 @@ components:
         default_relay_state:
           type: string
           description: Default relay_state value for IDP-initiated logins
+        default_name_id_policy:
+          $ref: '#/components/schemas/SAMLNameIDPolicyEnum'
       required:
       - acs_url
       - authorization_flow
@@ -58627,7 +58733,7 @@ components:
             be a security risk, as no validation of the request ID is done.
         name_id_policy:
           allOf:
-          - $ref: '#/components/schemas/NameIdPolicyEnum'
+          - $ref: '#/components/schemas/SAMLNameIDPolicyEnum'
           description: NameID Policy sent to the IdP. Can be unset, in which case
             no Policy is sent.
         binding_type:
@@ -58817,7 +58923,7 @@ components:
             be a security risk, as no validation of the request ID is done.
         name_id_policy:
           allOf:
-          - $ref: '#/components/schemas/NameIdPolicyEnum'
+          - $ref: '#/components/schemas/SAMLNameIDPolicyEnum'
           description: NameID Policy sent to the IdP. Can be unset, in which case
             no Policy is sent.
         binding_type:
@@ -61075,11 +61181,16 @@ components:
           type: string
           format: date-time
           readOnly: true
+        last_updated:
+          type: string
+          format: date-time
+          readOnly: true
       required:
       - avatar
       - date_joined
       - groups_obj
       - is_superuser
+      - last_updated
       - name
       - password_change_date
       - pk

uv.lock

@@ -19,7 +19,7 @@ wheels = [
 
 [[package]]
 name = "aiohttp"
-version = "3.12.14"
+version = "3.12.15"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "aiohappyeyeballs" },
@@ -30,25 +30,25 @@ dependencies = [
     { name = "propcache" },
     { name = "yarl" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/e6/0b/e39ad954107ebf213a2325038a3e7a506be3d98e1435e1f82086eec4cde2/aiohttp-3.12.14.tar.gz", hash = "sha256:6e06e120e34d93100de448fd941522e11dafa78ef1a893c179901b7d66aa29f2", size = 7822921, upload-time = "2025-07-10T13:05:33.968Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/9b/e7/d92a237d8802ca88483906c388f7c201bbe96cd80a165ffd0ac2f6a8d59f/aiohttp-3.12.15.tar.gz", hash = "sha256:4fc61385e9c98d72fcdf47e6dd81833f47b2f77c114c29cd64a361be57a763a2", size = 7823716, upload-time = "2025-07-29T05:52:32.215Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/06/48/e0d2fa8ac778008071e7b79b93ab31ef14ab88804d7ba71b5c964a7c844e/aiohttp-3.12.14-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:3143a7893d94dc82bc409f7308bc10d60285a3cd831a68faf1aa0836c5c3c767", size = 695471, upload-time = "2025-07-10T13:04:20.124Z" },
-    { url = "https://files.pythonhosted.org/packages/8d/e7/f73206afa33100804f790b71092888f47df65fd9a4cd0e6800d7c6826441/aiohttp-3.12.14-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:3d62ac3d506cef54b355bd34c2a7c230eb693880001dfcda0bf88b38f5d7af7e", size = 473128, upload-time = "2025-07-10T13:04:21.928Z" },
-    { url = "https://files.pythonhosted.org/packages/df/e2/4dd00180be551a6e7ee979c20fc7c32727f4889ee3fd5b0586e0d47f30e1/aiohttp-3.12.14-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:48e43e075c6a438937c4de48ec30fa8ad8e6dfef122a038847456bfe7b947b63", size = 465426, upload-time = "2025-07-10T13:04:24.071Z" },
-    { url = "https://files.pythonhosted.org/packages/de/dd/525ed198a0bb674a323e93e4d928443a680860802c44fa7922d39436b48b/aiohttp-3.12.14-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:077b4488411a9724cecc436cbc8c133e0d61e694995b8de51aaf351c7578949d", size = 1704252, upload-time = "2025-07-10T13:04:26.049Z" },
-    { url = "https://files.pythonhosted.org/packages/d8/b1/01e542aed560a968f692ab4fc4323286e8bc4daae83348cd63588e4f33e3/aiohttp-3.12.14-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:d8c35632575653f297dcbc9546305b2c1133391089ab925a6a3706dfa775ccab", size = 1685514, upload-time = "2025-07-10T13:04:28.186Z" },
-    { url = "https://files.pythonhosted.org/packages/b3/06/93669694dc5fdabdc01338791e70452d60ce21ea0946a878715688d5a191/aiohttp-3.12.14-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:6b8ce87963f0035c6834b28f061df90cf525ff7c9b6283a8ac23acee6502afd4", size = 1737586, upload-time = "2025-07-10T13:04:30.195Z" },
-    { url = "https://files.pythonhosted.org/packages/a5/3a/18991048ffc1407ca51efb49ba8bcc1645961f97f563a6c480cdf0286310/aiohttp-3.12.14-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f0a2cf66e32a2563bb0766eb24eae7e9a269ac0dc48db0aae90b575dc9583026", size = 1786958, upload-time = "2025-07-10T13:04:32.482Z" },
-    { url = "https://files.pythonhosted.org/packages/30/a8/81e237f89a32029f9b4a805af6dffc378f8459c7b9942712c809ff9e76e5/aiohttp-3.12.14-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:cdea089caf6d5cde975084a884c72d901e36ef9c2fd972c9f51efbbc64e96fbd", size = 1709287, upload-time = "2025-07-10T13:04:34.493Z" },
-    { url = "https://files.pythonhosted.org/packages/8c/e3/bd67a11b0fe7fc12c6030473afd9e44223d456f500f7cf526dbaa259ae46/aiohttp-3.12.14-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:8a7865f27db67d49e81d463da64a59365ebd6b826e0e4847aa111056dcb9dc88", size = 1622990, upload-time = "2025-07-10T13:04:36.433Z" },
-    { url = "https://files.pythonhosted.org/packages/83/ba/e0cc8e0f0d9ce0904e3cf2d6fa41904e379e718a013c721b781d53dcbcca/aiohttp-3.12.14-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:0ab5b38a6a39781d77713ad930cb5e7feea6f253de656a5f9f281a8f5931b086", size = 1676015, upload-time = "2025-07-10T13:04:38.958Z" },
-    { url = "https://files.pythonhosted.org/packages/d8/b3/1e6c960520bda094c48b56de29a3d978254637ace7168dd97ddc273d0d6c/aiohttp-3.12.14-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:9b3b15acee5c17e8848d90a4ebc27853f37077ba6aec4d8cb4dbbea56d156933", size = 1707678, upload-time = "2025-07-10T13:04:41.275Z" },
-    { url = "https://files.pythonhosted.org/packages/0a/19/929a3eb8c35b7f9f076a462eaa9830b32c7f27d3395397665caa5e975614/aiohttp-3.12.14-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:e4c972b0bdaac167c1e53e16a16101b17c6d0ed7eac178e653a07b9f7fad7151", size = 1650274, upload-time = "2025-07-10T13:04:43.483Z" },
-    { url = "https://files.pythonhosted.org/packages/22/e5/81682a6f20dd1b18ce3d747de8eba11cbef9b270f567426ff7880b096b48/aiohttp-3.12.14-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:7442488b0039257a3bdbc55f7209587911f143fca11df9869578db6c26feeeb8", size = 1726408, upload-time = "2025-07-10T13:04:45.577Z" },
-    { url = "https://files.pythonhosted.org/packages/8c/17/884938dffaa4048302985483f77dfce5ac18339aad9b04ad4aaa5e32b028/aiohttp-3.12.14-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:f68d3067eecb64c5e9bab4a26aa11bd676f4c70eea9ef6536b0a4e490639add3", size = 1759879, upload-time = "2025-07-10T13:04:47.663Z" },
-    { url = "https://files.pythonhosted.org/packages/95/78/53b081980f50b5cf874359bde707a6eacd6c4be3f5f5c93937e48c9d0025/aiohttp-3.12.14-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:f88d3704c8b3d598a08ad17d06006cb1ca52a1182291f04979e305c8be6c9758", size = 1708770, upload-time = "2025-07-10T13:04:49.944Z" },
-    { url = "https://files.pythonhosted.org/packages/ed/91/228eeddb008ecbe3ffa6c77b440597fdf640307162f0c6488e72c5a2d112/aiohttp-3.12.14-cp313-cp313-win32.whl", hash = "sha256:a3c99ab19c7bf375c4ae3debd91ca5d394b98b6089a03231d4c580ef3c2ae4c5", size = 421688, upload-time = "2025-07-10T13:04:51.993Z" },
-    { url = "https://files.pythonhosted.org/packages/66/5f/8427618903343402fdafe2850738f735fd1d9409d2a8f9bcaae5e630d3ba/aiohttp-3.12.14-cp313-cp313-win_amd64.whl", hash = "sha256:3f8aad695e12edc9d571f878c62bedc91adf30c760c8632f09663e5f564f4baa", size = 448098, upload-time = "2025-07-10T13:04:53.999Z" },
+    { url = "https://files.pythonhosted.org/packages/f2/33/918091abcf102e39d15aba2476ad9e7bd35ddb190dcdd43a854000d3da0d/aiohttp-3.12.15-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:9f922ffd05034d439dde1c77a20461cf4a1b0831e6caa26151fe7aa8aaebc315", size = 696741, upload-time = "2025-07-29T05:51:19.021Z" },
+    { url = "https://files.pythonhosted.org/packages/b5/2a/7495a81e39a998e400f3ecdd44a62107254803d1681d9189be5c2e4530cd/aiohttp-3.12.15-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:2ee8a8ac39ce45f3e55663891d4b1d15598c157b4d494a4613e704c8b43112cd", size = 474407, upload-time = "2025-07-29T05:51:21.165Z" },
+    { url = "https://files.pythonhosted.org/packages/49/fc/a9576ab4be2dcbd0f73ee8675d16c707cfc12d5ee80ccf4015ba543480c9/aiohttp-3.12.15-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:3eae49032c29d356b94eee45a3f39fdf4b0814b397638c2f718e96cfadf4c4e4", size = 466703, upload-time = "2025-07-29T05:51:22.948Z" },
+    { url = "https://files.pythonhosted.org/packages/09/2f/d4bcc8448cf536b2b54eed48f19682031ad182faa3a3fee54ebe5b156387/aiohttp-3.12.15-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b97752ff12cc12f46a9b20327104448042fce5c33a624f88c18f66f9368091c7", size = 1705532, upload-time = "2025-07-29T05:51:25.211Z" },
+    { url = "https://files.pythonhosted.org/packages/f1/f3/59406396083f8b489261e3c011aa8aee9df360a96ac8fa5c2e7e1b8f0466/aiohttp-3.12.15-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:894261472691d6fe76ebb7fcf2e5870a2ac284c7406ddc95823c8598a1390f0d", size = 1686794, upload-time = "2025-07-29T05:51:27.145Z" },
+    { url = "https://files.pythonhosted.org/packages/dc/71/164d194993a8d114ee5656c3b7ae9c12ceee7040d076bf7b32fb98a8c5c6/aiohttp-3.12.15-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5fa5d9eb82ce98959fc1031c28198b431b4d9396894f385cb63f1e2f3f20ca6b", size = 1738865, upload-time = "2025-07-29T05:51:29.366Z" },
+    { url = "https://files.pythonhosted.org/packages/1c/00/d198461b699188a93ead39cb458554d9f0f69879b95078dce416d3209b54/aiohttp-3.12.15-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f0fa751efb11a541f57db59c1dd821bec09031e01452b2b6217319b3a1f34f3d", size = 1788238, upload-time = "2025-07-29T05:51:31.285Z" },
+    { url = "https://files.pythonhosted.org/packages/85/b8/9e7175e1fa0ac8e56baa83bf3c214823ce250d0028955dfb23f43d5e61fd/aiohttp-3.12.15-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5346b93e62ab51ee2a9d68e8f73c7cf96ffb73568a23e683f931e52450e4148d", size = 1710566, upload-time = "2025-07-29T05:51:33.219Z" },
+    { url = "https://files.pythonhosted.org/packages/59/e4/16a8eac9df39b48ae102ec030fa9f726d3570732e46ba0c592aeeb507b93/aiohttp-3.12.15-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:049ec0360f939cd164ecbfd2873eaa432613d5e77d6b04535e3d1fbae5a9e645", size = 1624270, upload-time = "2025-07-29T05:51:35.195Z" },
+    { url = "https://files.pythonhosted.org/packages/1f/f8/cd84dee7b6ace0740908fd0af170f9fab50c2a41ccbc3806aabcb1050141/aiohttp-3.12.15-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:b52dcf013b57464b6d1e51b627adfd69a8053e84b7103a7cd49c030f9ca44461", size = 1677294, upload-time = "2025-07-29T05:51:37.215Z" },
+    { url = "https://files.pythonhosted.org/packages/ce/42/d0f1f85e50d401eccd12bf85c46ba84f947a84839c8a1c2c5f6e8ab1eb50/aiohttp-3.12.15-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:9b2af240143dd2765e0fb661fd0361a1b469cab235039ea57663cda087250ea9", size = 1708958, upload-time = "2025-07-29T05:51:39.328Z" },
+    { url = "https://files.pythonhosted.org/packages/d5/6b/f6fa6c5790fb602538483aa5a1b86fcbad66244997e5230d88f9412ef24c/aiohttp-3.12.15-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:ac77f709a2cde2cc71257ab2d8c74dd157c67a0558a0d2799d5d571b4c63d44d", size = 1651553, upload-time = "2025-07-29T05:51:41.356Z" },
+    { url = "https://files.pythonhosted.org/packages/04/36/a6d36ad545fa12e61d11d1932eef273928b0495e6a576eb2af04297fdd3c/aiohttp-3.12.15-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:47f6b962246f0a774fbd3b6b7be25d59b06fdb2f164cf2513097998fc6a29693", size = 1727688, upload-time = "2025-07-29T05:51:43.452Z" },
+    { url = "https://files.pythonhosted.org/packages/aa/c8/f195e5e06608a97a4e52c5d41c7927301bf757a8e8bb5bbf8cef6c314961/aiohttp-3.12.15-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:760fb7db442f284996e39cf9915a94492e1896baac44f06ae551974907922b64", size = 1761157, upload-time = "2025-07-29T05:51:45.643Z" },
+    { url = "https://files.pythonhosted.org/packages/05/6a/ea199e61b67f25ba688d3ce93f63b49b0a4e3b3d380f03971b4646412fc6/aiohttp-3.12.15-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:ad702e57dc385cae679c39d318def49aef754455f237499d5b99bea4ef582e51", size = 1710050, upload-time = "2025-07-29T05:51:48.203Z" },
+    { url = "https://files.pythonhosted.org/packages/b4/2e/ffeb7f6256b33635c29dbed29a22a723ff2dd7401fff42ea60cf2060abfb/aiohttp-3.12.15-cp313-cp313-win32.whl", hash = "sha256:f813c3e9032331024de2eb2e32a88d86afb69291fbc37a3a3ae81cc9917fb3d0", size = 422647, upload-time = "2025-07-29T05:51:50.718Z" },
+    { url = "https://files.pythonhosted.org/packages/1b/8e/78ee35774201f38d5e1ba079c9958f7629b1fd079459aea9467441dbfbf5/aiohttp-3.12.15-cp313-cp313-win_amd64.whl", hash = "sha256:1a649001580bdb37c6fdb1bebbd7e3bc688e8ec2b5c6f52edbb664662b17dc84", size = 449067, upload-time = "2025-07-29T05:51:52.549Z" },
 ]
 
 [[package]]
@@ -111,23 +111,23 @@ wheels = [
 
 [[package]]
 name = "argon2-cffi-bindings"
-version = "21.2.0"
+version = "25.1.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "cffi" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/b9/e9/184b8ccce6683b0aa2fbb7ba5683ea4b9c5763f1356347f1312c32e3c66e/argon2-cffi-bindings-21.2.0.tar.gz", hash = "sha256:bb89ceffa6c791807d1305ceb77dbfacc5aa499891d2c55661c6459651fc39e3", size = 1779911, upload-time = "2021-12-01T08:52:55.68Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/5c/2d/db8af0df73c1cf454f71b2bbe5e356b8c1f8041c979f505b3d3186e520a9/argon2_cffi_bindings-25.1.0.tar.gz", hash = "sha256:b957f3e6ea4d55d820e40ff76f450952807013d361a65d7f28acc0acbf29229d", size = 1783441, upload-time = "2025-07-30T10:02:05.147Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/d4/13/838ce2620025e9666aa8f686431f67a29052241692a3dd1ae9d3692a89d3/argon2_cffi_bindings-21.2.0-cp36-abi3-macosx_10_9_x86_64.whl", hash = "sha256:ccb949252cb2ab3a08c02024acb77cfb179492d5701c7cbdbfd776124d4d2367", size = 29658, upload-time = "2021-12-01T09:09:17.016Z" },
-    { url = "https://files.pythonhosted.org/packages/b3/02/f7f7bb6b6af6031edb11037639c697b912e1dea2db94d436e681aea2f495/argon2_cffi_bindings-21.2.0-cp36-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9524464572e12979364b7d600abf96181d3541da11e23ddf565a32e70bd4dc0d", size = 80583, upload-time = "2021-12-01T09:09:19.546Z" },
-    { url = "https://files.pythonhosted.org/packages/ec/f7/378254e6dd7ae6f31fe40c8649eea7d4832a42243acaf0f1fff9083b2bed/argon2_cffi_bindings-21.2.0-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b746dba803a79238e925d9046a63aa26bf86ab2a2fe74ce6b009a1c3f5c8f2ae", size = 86168, upload-time = "2021-12-01T09:09:21.445Z" },
-    { url = "https://files.pythonhosted.org/packages/74/f6/4a34a37a98311ed73bb80efe422fed95f2ac25a4cacc5ae1d7ae6a144505/argon2_cffi_bindings-21.2.0-cp36-abi3-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:58ed19212051f49a523abb1dbe954337dc82d947fb6e5a0da60f7c8471a8476c", size = 82709, upload-time = "2021-12-01T09:09:18.182Z" },
-    { url = "https://files.pythonhosted.org/packages/74/2b/73d767bfdaab25484f7e7901379d5f8793cccbb86c6e0cbc4c1b96f63896/argon2_cffi_bindings-21.2.0-cp36-abi3-musllinux_1_1_aarch64.whl", hash = "sha256:bd46088725ef7f58b5a1ef7ca06647ebaf0eb4baff7d1d0d177c6cc8744abd86", size = 83613, upload-time = "2021-12-01T09:09:22.741Z" },
-    { url = "https://files.pythonhosted.org/packages/4f/fd/37f86deef67ff57c76f137a67181949c2d408077e2e3dd70c6c42912c9bf/argon2_cffi_bindings-21.2.0-cp36-abi3-musllinux_1_1_i686.whl", hash = "sha256:8cd69c07dd875537a824deec19f978e0f2078fdda07fd5c42ac29668dda5f40f", size = 84583, upload-time = "2021-12-01T09:09:24.177Z" },
-    { url = "https://files.pythonhosted.org/packages/6f/52/5a60085a3dae8fded8327a4f564223029f5f54b0cb0455a31131b5363a01/argon2_cffi_bindings-21.2.0-cp36-abi3-musllinux_1_1_x86_64.whl", hash = "sha256:f1152ac548bd5b8bcecfb0b0371f082037e47128653df2e8ba6e914d384f3c3e", size = 88475, upload-time = "2021-12-01T09:09:26.673Z" },
-    { url = "https://files.pythonhosted.org/packages/8b/95/143cd64feb24a15fa4b189a3e1e7efbaeeb00f39a51e99b26fc62fbacabd/argon2_cffi_bindings-21.2.0-cp36-abi3-win32.whl", hash = "sha256:603ca0aba86b1349b147cab91ae970c63118a0f30444d4bc80355937c950c082", size = 27698, upload-time = "2021-12-01T09:09:27.87Z" },
-    { url = "https://files.pythonhosted.org/packages/37/2c/e34e47c7dee97ba6f01a6203e0383e15b60fb85d78ac9a15cd066f6fe28b/argon2_cffi_bindings-21.2.0-cp36-abi3-win_amd64.whl", hash = "sha256:b2ef1c30440dbbcba7a5dc3e319408b59676e2e039e2ae11a8775ecf482b192f", size = 30817, upload-time = "2021-12-01T09:09:30.267Z" },
-    { url = "https://files.pythonhosted.org/packages/5a/e4/bf8034d25edaa495da3c8a3405627d2e35758e44ff6eaa7948092646fdcc/argon2_cffi_bindings-21.2.0-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:e415e3f62c8d124ee16018e491a009937f8cf7ebf5eb430ffc5de21b900dad93", size = 53104, upload-time = "2021-12-01T09:09:31.335Z" },
+    { url = "https://files.pythonhosted.org/packages/1d/57/96b8b9f93166147826da5f90376e784a10582dd39a393c99bb62cfcf52f0/argon2_cffi_bindings-25.1.0-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:aecba1723ae35330a008418a91ea6cfcedf6d31e5fbaa056a166462ff066d500", size = 54121, upload-time = "2025-07-30T10:01:50.815Z" },
+    { url = "https://files.pythonhosted.org/packages/0a/08/a9bebdb2e0e602dde230bdde8021b29f71f7841bd54801bcfd514acb5dcf/argon2_cffi_bindings-25.1.0-cp39-abi3-macosx_10_9_x86_64.whl", hash = "sha256:2630b6240b495dfab90aebe159ff784d08ea999aa4b0d17efa734055a07d2f44", size = 29177, upload-time = "2025-07-30T10:01:51.681Z" },
+    { url = "https://files.pythonhosted.org/packages/b6/02/d297943bcacf05e4f2a94ab6f462831dc20158614e5d067c35d4e63b9acb/argon2_cffi_bindings-25.1.0-cp39-abi3-macosx_11_0_arm64.whl", hash = "sha256:7aef0c91e2c0fbca6fc68e7555aa60ef7008a739cbe045541e438373bc54d2b0", size = 31090, upload-time = "2025-07-30T10:01:53.184Z" },
+    { url = "https://files.pythonhosted.org/packages/c1/93/44365f3d75053e53893ec6d733e4a5e3147502663554b4d864587c7828a7/argon2_cffi_bindings-25.1.0-cp39-abi3-manylinux_2_26_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:1e021e87faa76ae0d413b619fe2b65ab9a037f24c60a1e6cc43457ae20de6dc6", size = 81246, upload-time = "2025-07-30T10:01:54.145Z" },
+    { url = "https://files.pythonhosted.org/packages/09/52/94108adfdd6e2ddf58be64f959a0b9c7d4ef2fa71086c38356d22dc501ea/argon2_cffi_bindings-25.1.0-cp39-abi3-manylinux_2_26_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:d3e924cfc503018a714f94a49a149fdc0b644eaead5d1f089330399134fa028a", size = 87126, upload-time = "2025-07-30T10:01:55.074Z" },
+    { url = "https://files.pythonhosted.org/packages/72/70/7a2993a12b0ffa2a9271259b79cc616e2389ed1a4d93842fac5a1f923ffd/argon2_cffi_bindings-25.1.0-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:c87b72589133f0346a1cb8d5ecca4b933e3c9b64656c9d175270a000e73b288d", size = 80343, upload-time = "2025-07-30T10:01:56.007Z" },
+    { url = "https://files.pythonhosted.org/packages/78/9a/4e5157d893ffc712b74dbd868c7f62365618266982b64accab26bab01edc/argon2_cffi_bindings-25.1.0-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:1db89609c06afa1a214a69a462ea741cf735b29a57530478c06eb81dd403de99", size = 86777, upload-time = "2025-07-30T10:01:56.943Z" },
+    { url = "https://files.pythonhosted.org/packages/74/cd/15777dfde1c29d96de7f18edf4cc94c385646852e7c7b0320aa91ccca583/argon2_cffi_bindings-25.1.0-cp39-abi3-win32.whl", hash = "sha256:473bcb5f82924b1becbb637b63303ec8d10e84c8d241119419897a26116515d2", size = 27180, upload-time = "2025-07-30T10:01:57.759Z" },
+    { url = "https://files.pythonhosted.org/packages/e2/c6/a759ece8f1829d1f162261226fbfd2c6832b3ff7657384045286d2afa384/argon2_cffi_bindings-25.1.0-cp39-abi3-win_amd64.whl", hash = "sha256:a98cd7d17e9f7ce244c0803cad3c23a7d379c301ba618a5fa76a67d116618b98", size = 31715, upload-time = "2025-07-30T10:01:58.56Z" },
+    { url = "https://files.pythonhosted.org/packages/42/b9/f8d6fa329ab25128b7e98fd83a3cb34d9db5b059a9847eddb840a0af45dd/argon2_cffi_bindings-25.1.0-cp39-abi3-win_arm64.whl", hash = "sha256:b0fdbcf513833809c882823f98dc2f931cf659d9a1429616ac3adebb49f5db94", size = 27149, upload-time = "2025-07-30T10:01:59.329Z" },
 ]
 
 [[package]]
@@ -557,30 +557,30 @@ wheels = [
 
 [[package]]
 name = "boto3"
-version = "1.39.15"
+version = "1.40.1"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "botocore" },
     { name = "jmespath" },
     { name = "s3transfer" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/63/65/ddd4f52d138e52c1345c2d2421281a98449a6e4365290477befe06fa649a/boto3-1.39.15.tar.gz", hash = "sha256:b4483625f0d8c35045254dee46cd3c851bbc0450814f20b9b25bee1b5c0d8409", size = 111856, upload-time = "2025-07-28T19:56:49.504Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/48/4d/70d209fdebf0377db233f80dfdf26ca2bc25d2b2e89d4882e0edccd2227f/boto3-1.40.1.tar.gz", hash = "sha256:985ed4bf64729807f870eadbc46ad98baf93096917f7194ec39d743ff75b3f1d", size = 111817, upload-time = "2025-08-01T19:24:18.017Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/15/c5/27f50a31317041dc3ad79d62f37d5fcfb3f349c2fba8ea3e81de169db870/boto3-1.39.15-py3-none-any.whl", hash = "sha256:38fc54576b925af0075636752de9974e172c8a2cf7133400e3e09b150d20fb6a", size = 139901, upload-time = "2025-07-28T19:56:47.381Z" },
+    { url = "https://files.pythonhosted.org/packages/97/0e/f0cb4f71c40ba07e6ed5b47699a737a080d3c4f4b7b26657d5671de48621/boto3-1.40.1-py3-none-any.whl", hash = "sha256:7c007d5c8ee549e9fcad0927536502da199b27891006ef515330f429aca9671f", size = 139880, upload-time = "2025-08-01T19:24:16.581Z" },
 ]
 
 [[package]]
 name = "botocore"
-version = "1.39.15"
+version = "1.40.1"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "jmespath" },
     { name = "python-dateutil" },
     { name = "urllib3" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/2f/e2/8cd9560e7e44cf977dc0cc2e48da7634e78b7104ae6e47f4e1dfc1093965/botocore-1.39.15.tar.gz", hash = "sha256:2aa29a717f14f8c7ca058c2e297aaed0aa10ecea24b91514eee802814d1b7600", size = 14237556, upload-time = "2025-07-28T19:56:39.397Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/c6/d2/d914999f4a128f0f840f2a9cc8327cd98aa661d6b33b331a81a8111ab970/botocore-1.40.1.tar.gz", hash = "sha256:bdf30e2c0e8cdb939d81fc243182a6d1dd39c416694b406c5f2ea079b1c2f3f5", size = 14280398, upload-time = "2025-08-01T19:24:08.599Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/7b/6e/f25b8633e7ab2008de4c27466c9bc39e32dc73816619ffebbea12936135a/botocore-1.39.15-py3-none-any.whl", hash = "sha256:eb9cfe918ebfbfb8654e1b153b29f0c129d586d2c0d7fb4032731d49baf04cff", size = 13894884, upload-time = "2025-07-28T19:56:33.715Z" },
+    { url = "https://files.pythonhosted.org/packages/d4/c1/aa7922c9bf74b6d6594d2430af6f854d234faff23187e269aaba89c326c8/botocore-1.40.1-py3-none-any.whl", hash = "sha256:e039774b55fbd6fe59f0f4fea51d156a2433bd4d8faa64fc1b87aee9a03f415d", size = 13940950, upload-time = "2025-08-01T19:24:03.889Z" },
 ]
 
 [[package]]
@@ -1691,7 +1691,7 @@ wheels = [
 
 [[package]]
 name = "jsii"
-version = "1.112.0"
+version = "1.113.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "attrs" },
@@ -1702,9 +1702,9 @@ dependencies = [
     { name = "typeguard" },
     { name = "typing-extensions" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/ad/3e/270b5236035fc7bb2cdd7f55ea25f85489d35d971870cbec32c3d9e99d7f/jsii-1.112.0.tar.gz", hash = "sha256:6b7d19f361c2565b76828ecbe8cbed8b8d6028a82aa98a46b206a4ee5083157e", size = 624533, upload-time = "2025-05-07T14:45:52.574Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/37/9b/ff11800e2edc2860c9eddd7ea7c7a8849f69cbb16b1aae803dae7dafa86e/jsii-1.113.0.tar.gz", hash = "sha256:2dedea9d6006af53467a7a67f1d35a56ab3f75a3d6ed4b4536fffc3e1d1fe476", size = 623541, upload-time = "2025-07-31T12:55:42.888Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/44/af/8554b632e2b82f37a7422782aba5db2a1fbff4887faa7ec850818def8407/jsii-1.112.0-py3-none-any.whl", hash = "sha256:6510c223074d9b206fd0570849a791e4d9ecfff7ffe68428de73870cea9f55a1", size = 600681, upload-time = "2025-05-07T14:45:51.136Z" },
+    { url = "https://files.pythonhosted.org/packages/4f/59/bbbdcc7e0adc32e2362dbb2398949ac013f79dc3468cdf2b5ac411b0f5e8/jsii-1.113.0-py3-none-any.whl", hash = "sha256:62377c651554234ea945693f7c03cb96a969ba425a686950c88d43b0d4d76b07", size = 599669, upload-time = "2025-07-31T12:55:40.874Z" },
 ]
 
 [[package]]
@@ -2154,42 +2154,42 @@ source = { git = "https://github.com/vsoch/oci-python?rev=ceb4fcc090851717a3069d
 
 [[package]]
 name = "opentelemetry-api"
-version = "1.35.0"
+version = "1.36.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "importlib-metadata" },
     { name = "typing-extensions" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/99/c9/4509bfca6bb43220ce7f863c9f791e0d5001c2ec2b5867d48586008b3d96/opentelemetry_api-1.35.0.tar.gz", hash = "sha256:a111b959bcfa5b4d7dffc2fbd6a241aa72dd78dd8e79b5b1662bda896c5d2ffe", size = 64778, upload-time = "2025-07-11T12:23:28.804Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/27/d2/c782c88b8afbf961d6972428821c302bd1e9e7bc361352172f0ca31296e2/opentelemetry_api-1.36.0.tar.gz", hash = "sha256:9a72572b9c416d004d492cbc6e61962c0501eaf945ece9b5a0f56597d8348aa0", size = 64780, upload-time = "2025-07-29T15:12:06.02Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/1d/5a/3f8d078dbf55d18442f6a2ecedf6786d81d7245844b2b20ce2b8ad6f0307/opentelemetry_api-1.35.0-py3-none-any.whl", hash = "sha256:c4ea7e258a244858daf18474625e9cc0149b8ee354f37843415771a40c25ee06", size = 65566, upload-time = "2025-07-11T12:23:07.944Z" },
+    { url = "https://files.pythonhosted.org/packages/bb/ee/6b08dde0a022c463b88f55ae81149584b125a42183407dc1045c486cc870/opentelemetry_api-1.36.0-py3-none-any.whl", hash = "sha256:02f20bcacf666e1333b6b1f04e647dc1d5111f86b8e510238fcc56d7762cda8c", size = 65564, upload-time = "2025-07-29T15:11:47.998Z" },
 ]
 
 [[package]]
 name = "opentelemetry-sdk"
-version = "1.35.0"
+version = "1.36.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "opentelemetry-api" },
     { name = "opentelemetry-semantic-conventions" },
     { name = "typing-extensions" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/9a/cf/1eb2ed2ce55e0a9aa95b3007f26f55c7943aeef0a783bb006bdd92b3299e/opentelemetry_sdk-1.35.0.tar.gz", hash = "sha256:2a400b415ab68aaa6f04e8a6a9f6552908fb3090ae2ff78d6ae0c597ac581954", size = 160871, upload-time = "2025-07-11T12:23:39.566Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/4c/85/8567a966b85a2d3f971c4d42f781c305b2b91c043724fa08fd37d158e9dc/opentelemetry_sdk-1.36.0.tar.gz", hash = "sha256:19c8c81599f51b71670661ff7495c905d8fdf6976e41622d5245b791b06fa581", size = 162557, upload-time = "2025-07-29T15:12:16.76Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/01/4f/8e32b757ef3b660511b638ab52d1ed9259b666bdeeceba51a082ce3aea95/opentelemetry_sdk-1.35.0-py3-none-any.whl", hash = "sha256:223d9e5f5678518f4842311bb73966e0b6db5d1e0b74e35074c052cd2487f800", size = 119379, upload-time = "2025-07-11T12:23:24.521Z" },
+    { url = "https://files.pythonhosted.org/packages/0b/59/7bed362ad1137ba5886dac8439e84cd2df6d087be7c09574ece47ae9b22c/opentelemetry_sdk-1.36.0-py3-none-any.whl", hash = "sha256:19fe048b42e98c5c1ffe85b569b7073576ad4ce0bcb6e9b4c6a39e890a6c45fb", size = 119995, upload-time = "2025-07-29T15:12:03.181Z" },
 ]
 
 [[package]]
 name = "opentelemetry-semantic-conventions"
-version = "0.56b0"
+version = "0.57b0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "opentelemetry-api" },
     { name = "typing-extensions" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/32/8e/214fa817f63b9f068519463d8ab46afd5d03b98930c39394a37ae3e741d0/opentelemetry_semantic_conventions-0.56b0.tar.gz", hash = "sha256:c114c2eacc8ff6d3908cb328c811eaf64e6d68623840be9224dc829c4fd6c2ea", size = 124221, upload-time = "2025-07-11T12:23:40.71Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/7e/31/67dfa252ee88476a29200b0255bda8dfc2cf07b56ad66dc9a6221f7dc787/opentelemetry_semantic_conventions-0.57b0.tar.gz", hash = "sha256:609a4a79c7891b4620d64c7aac6898f872d790d75f22019913a660756f27ff32", size = 124225, upload-time = "2025-07-29T15:12:17.873Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/c7/3f/e80c1b017066a9d999efffe88d1cce66116dcf5cb7f80c41040a83b6e03b/opentelemetry_semantic_conventions-0.56b0-py3-none-any.whl", hash = "sha256:df44492868fd6b482511cc43a942e7194be64e94945f572db24df2e279a001a2", size = 201625, upload-time = "2025-07-11T12:23:25.63Z" },
+    { url = "https://files.pythonhosted.org/packages/05/75/7d591371c6c39c73de5ce5da5a2cc7b72d1d1cd3f8f4638f553c01c37b11/opentelemetry_semantic_conventions-0.57b0-py3-none-any.whl", hash = "sha256:757f7e76293294f124c827e514c2a3144f191ef175b069ce8d1211e1e38e9e78", size = 201627, upload-time = "2025-07-29T15:12:04.174Z" },
 ]
 
 [[package]]

web/.gitignore

@@ -25,8 +25,6 @@ lib-cov
 
 # Coverage directory used by tools like istanbul
 coverage
-playwright-report
-test-results
 *.lcov
 
 # nyc test coverage

web/codemods/explicit-member-accessibility.mjs

@@ -0,0 +1,338 @@
+/* eslint-disable max-depth */
+/**
+ * @file TypeScript codemod to add explicit member accessibility modifiers to class methods and properties.
+ *
+ * Given a class like this:
+ *
+ * ```ts
+ * class Foo {
+ *     static styles = [
+ *       css`
+ *         :host {
+ *           display: block;
+ *         }
+ *       `,
+ *     ];
+ *
+ *     @property()
+ *     name?: string;
+ *
+ *     @state()
+ *     isLoading = false;
+ *
+ *     renderHeader() {
+ *         return html`<h1>Hello world</h1>`;
+ *     }
+ *
+ *     render() {
+ *         return html`
+ *           ${this.renderHeader()}
+ *           <div>Content</div>
+ *         `;
+ *     }
+ * }
+ * ```
+ *
+ * This codemod will transform it to this:
+ *
+ * ```ts
+ * class Foo {
+ *     public static styles = [
+ *       css`
+ *         :host {
+ *           display: block;
+ *         }
+ *       `,
+ *     ];
+ *
+ *     @property()
+ *     public name?: string;
+ *
+ *     @state()
+ *     protected isLoading = false;
+ *
+ *     protected renderHeader() {
+ *         return html`<h1>Hello world</h1>`;
+ *     }
+ *
+ *     public render() {
+ *         return html`
+ *           ${this.renderHeader()}
+ *           <div>Content</div>
+ *         `;
+ *     }
+ * }
+ * ```
+ *
+ * Rules:
+ * - Any method which is `render` is given an explicit `public` accessibility modifier.
+ * - Any method which begins with `render` is given an explicit `protected` accessibility modifier.
+ * - Any property which is static is given an explicit `public` accessibility modifier.
+ * - Any property with `@property` decorator is given an explicit `public` accessibility modifier.
+ * - Any property with `@state` decorator is given an explicit `protected` accessibility modifier.
+ * - Methods and properties which already have an accessibility modifier are left alone.
+ * - Private fields (starting with #) are skipped.
+ */
+
+import { readdirSync, readFileSync, writeFileSync } from "node:fs";
+import path from "node:path";
+
+import ts from "typescript";
+
+/**
+ * @param {ts.NodeArray<ts.ModifierLike>} modifiers
+ */
+function hasAccessibilityModifier(modifiers) {
+    if (!modifiers) return false;
+
+    return modifiers.some(
+        (modifier) =>
+            modifier.kind === ts.SyntaxKind.PublicKeyword ||
+            modifier.kind === ts.SyntaxKind.PrivateKeyword ||
+            modifier.kind === ts.SyntaxKind.ProtectedKeyword,
+    );
+}
+
+/**
+ *
+ * @param {ts.NodeArray<ts.ModifierLike>} [modifiers]
+ * @returns
+ */
+function hasStaticModifier(modifiers) {
+    if (!modifiers) return false;
+    return modifiers.some((modifier) => modifier.kind === ts.SyntaxKind.StaticKeyword);
+}
+
+/**
+ * Check if a property has a decorator.
+ * @param {ts.PropertyDeclaration} member
+ * @returns {boolean}
+ */
+function isDecorated(member) {
+    if (!member.modifiers) return false;
+
+    return member.modifiers.some((modifier) => {
+        if (!ts.isDecorator(modifier)) return false;
+
+        // Handle simple decorator like @property
+        if (ts.isIdentifier(modifier.expression)) {
+            return true;
+        }
+
+        // Handle decorator with call like @property() or @property({...})
+        return (
+            ts.isCallExpression(modifier.expression) &&
+            ts.isIdentifier(modifier.expression.expression)
+        );
+    });
+}
+
+/**
+ * Check if a property has a specific decorator
+ * @param {ts.PropertyDeclaration} member
+ * @param {string} decoratorName
+ * @returns {boolean}
+ */
+function hasDecorator(member, decoratorName) {
+    if (!member.modifiers) return false;
+
+    return member.modifiers.some((modifier) => {
+        if (!ts.isDecorator(modifier)) return false;
+
+        // Handle simple decorator like @property
+        if (ts.isIdentifier(modifier.expression)) {
+            return modifier.expression.text === decoratorName;
+        }
+
+        // Handle decorator with call like @property() or @property({...})
+        if (
+            ts.isCallExpression(modifier.expression) &&
+            ts.isIdentifier(modifier.expression.expression)
+        ) {
+            return modifier.expression.expression.text === decoratorName;
+        }
+
+        return false;
+    });
+}
+
+const PublicMethodNames = new Set([
+    "render",
+    "connectedCallback",
+    "disconnectedCallback",
+    "firstUpdated",
+    "updated",
+    "requestUpdate",
+    "willUpdate",
+    "performUpdate",
+    "adoptedCallback",
+    "attributeChangedCallback",
+]);
+
+/**
+ *
+ * @param {string} filePath
+ * @returns {boolean}
+ */
+function processFile(filePath) {
+    const source = readFileSync(filePath, "utf-8");
+    const sourceFile = ts.createSourceFile(filePath, source, ts.ScriptTarget.Latest, true);
+
+    /**
+     * @type {{ pos: number; text: string; }[]}
+     */
+    const changes = [];
+
+    /**
+     * @param {ts.Node} node
+     */
+    function collectChanges(node) {
+        if (ts.isClassDeclaration(node)) {
+            for (const member of node.members) {
+                if (ts.isMethodDeclaration(member) || ts.isPropertyDeclaration(member)) {
+                    if (member.modifiers && hasAccessibilityModifier(member.modifiers)) {
+                        continue; // Already has accessibility modifier
+                    }
+
+                    let accessibilityKeyword = null;
+
+                    if (
+                        ts.isMethodDeclaration(member) &&
+                        member.name &&
+                        ts.isIdentifier(member.name)
+                    ) {
+                        const methodName = member.name.text;
+
+                        if (PublicMethodNames.has(methodName)) {
+                            accessibilityKeyword = "public ";
+                        } else if (
+                            methodName.startsWith("render") ||
+                            methodName.startsWith("on") ||
+                            methodName.startsWith("handle") ||
+                            methodName.includes("Handler")
+                        ) {
+                            accessibilityKeyword = "protected ";
+                        }
+                    } else if (ts.isPropertyDeclaration(member)) {
+                        // Skip private fields (starting with #)
+                        if (member.name.getText().includes("#")) {
+                            continue;
+                        }
+
+                        // Static properties get public modifier
+                        if (hasStaticModifier(member.modifiers)) {
+                            accessibilityKeyword = "public ";
+                        }
+                        // Properties with @property decorator get public modifier
+                        else if (hasDecorator(member, "property")) {
+                            accessibilityKeyword = "public ";
+                        }
+                        // Properties with @state decorator get protected modifier
+                        else if (hasDecorator(member, "state")) {
+                            accessibilityKeyword = "protected ";
+                        } else if (isDecorated(member)) {
+                            accessibilityKeyword = "protected ";
+                        }
+                    }
+
+                    if (accessibilityKeyword) {
+                        // Find the position where we should insert the accessibility modifier
+                        // For properties with decorators, we need to insert after the decorators
+                        let insertPos = member.getStart(sourceFile);
+
+                        // If the member has decorators, find the position after the last decorator
+                        if (
+                            member.modifiers &&
+                            member.modifiers.some((modifier) => ts.isDecorator(modifier))
+                        ) {
+                            const decorators = member.modifiers.filter((modifier) =>
+                                ts.isDecorator(modifier),
+                            );
+                            const lastDecorator = decorators[decorators.length - 1];
+                            insertPos = lastDecorator.getEnd();
+
+                            // Find the next non-whitespace character position
+                            const sourceText = sourceFile.getFullText();
+                            while (
+                                insertPos < sourceText.length &&
+                                /\s/.test(sourceText[insertPos])
+                            ) {
+                                insertPos++;
+                            }
+                        }
+
+                        changes.push({
+                            pos: insertPos,
+                            text: accessibilityKeyword,
+                        });
+                    }
+                }
+            }
+        }
+
+        ts.forEachChild(node, collectChanges);
+    }
+
+    collectChanges(sourceFile);
+
+    if (changes.length === 0) {
+        return false;
+    }
+
+    // Sort changes by position in reverse order so we can apply them without affecting positions
+    changes.sort((a, b) => b.pos - a.pos);
+
+    let result = source;
+    for (const change of changes) {
+        result = result.slice(0, change.pos) + change.text + result.slice(change.pos);
+    }
+
+    writeFileSync(filePath, result, "utf-8");
+    // eslint-disable-next-line no-console
+    console.log(`Updated: ${filePath}`);
+    return true;
+}
+
+/**
+ *
+ * @param {string} dir
+ * @param {string[]} files
+ * @returns {string[]}
+ */
+function findTypeScriptFiles(dir = "src", files = []) {
+    const entries = readdirSync(dir, { withFileTypes: true });
+
+    for (const entry of entries) {
+        const fullPath = path.join(dir, entry.name);
+
+        if (entry.isDirectory()) {
+            findTypeScriptFiles(fullPath, files);
+        } else if (
+            entry.name.endsWith(".ts") &&
+            !entry.name.endsWith(".d.ts") &&
+            !entry.name.endsWith(".test.ts") &&
+            !entry.name.endsWith(".spec.ts") &&
+            !entry.name.endsWith(".stories.ts")
+        ) {
+            files.push(fullPath);
+        }
+    }
+
+    return files;
+}
+
+function main() {
+    const files = findTypeScriptFiles();
+    let changedFiles = 0;
+
+    for (const file of files) {
+        if (processFile(file)) {
+            changedFiles++;
+        }
+    }
+
+    // eslint-disable-next-line no-console
+    console.log(`Processed ${files.length} files, updated ${changedFiles} files`);
+}
+
+main();

web/commands.mjs

@@ -15,6 +15,7 @@ export function addCommands(browser) {
         /**
          * @this {HTMLElement}
          */
+        // @ts-ignore
         function () {
             this.focus();
 
@@ -28,6 +29,7 @@ export function addCommands(browser) {
         /**
          * @this {HTMLElement}
          */
+        // @ts-ignore
         function () {
             this.blur();
 

web/e2e/elements/proxy.ts

@@ -1,90 +0,0 @@
-/* eslint-disable @typescript-eslint/no-explicit-any */
-import type { LocatorContext } from "#e2e/selectors/types";
-import { ConsoleLogger } from "#logger/node";
-
-import { expect, Locator } from "@playwright/test";
-import { kebabCase } from "change-case";
-
-export type LocatorMatchers = ReturnType<typeof expect<Locator>>;
-
-export interface LocatorProxy extends Pick<Locator, keyof Locator> {
-    $: Locator;
-    expect: LocatorMatchers;
-}
-
-// Type helpers to extract the shape of the proxy
-export type DeepLocatorProxy<T> =
-    Disposable & T extends Record<string, any>
-        ? T extends HTMLElement
-            ? LocatorProxy
-            : {
-                  [K in keyof T]: DeepLocatorProxy<T[K]>;
-              }
-        : LocatorProxy;
-
-export function createLocatorProxy<T extends Record<string, any>>(
-    ctx: LocatorContext,
-    initialPathPrefix: string[] = [],
-    dataAttribute: string = "test-id",
-): DeepLocatorProxy<T> {
-    dataAttribute = kebabCase(dataAttribute);
-
-    function createProxy(path: string[] = initialPathPrefix): any {
-        const proxyCache = new Map<string, LocatorProxy>();
-
-        return new Proxy({} as any, {
-            get(_, property: string) {
-                // Build the current path
-                const currentPath = [...path, property];
-
-                // Convert the path to kebab-case and join with hyphens
-                const selectorValue = currentPath.map((segment) => kebabCase(segment)).join("-");
-                const selector = `[data-${dataAttribute}="${selectorValue}"]`;
-
-                // Create a locator for the current selector
-                const locator = ctx.locator(selector);
-
-                if (proxyCache.has(selector)) {
-                    ConsoleLogger.debug(`Using cached locator for ${selector}`);
-                    return proxyCache.get(selector)!;
-                }
-
-                // Return a new proxy that also behaves like a Locator
-                // This allows us to either continue chaining or use Locator methods
-                const nextProxy = new Proxy(locator, {
-                    get(target, prop) {
-                        if (typeof prop === "string") {
-                            // The user is likely trying to access a property on the page.
-                            if (prop === "$") {
-                                return target as any;
-                            }
-
-                            if (prop === "expect") {
-                                return expect(target);
-                            }
-                        }
-
-                        // If the property exists on the Locator, use it
-                        if (prop in target) {
-                            const value = (target as any)[prop];
-                            // Bind methods to the locator instance
-                            if (typeof value === "function") {
-                                return value.bind(target);
-                            }
-                            return value;
-                        }
-                        // Otherwise, continue building the path
-
-                        return createProxy(currentPath)[prop];
-                    },
-                });
-
-                proxyCache.set(selector, nextProxy as LocatorProxy);
-
-                return nextProxy;
-            },
-        });
-    }
-
-    return createProxy() as DeepLocatorProxy<T>;
-}

web/e2e/fixtures/FormFixture.ts

@@ -1,175 +0,0 @@
-import { PageFixture } from "#e2e/fixtures/PageFixture";
-import type { LocatorContext } from "#e2e/selectors/types";
-
-import { expect, Page } from "@playwright/test";
-
-export class FormFixture extends PageFixture {
-    static fixtureName = "Form";
-
-    //#region Selector Methods
-
-    //#endregion
-
-    //#region Field Methods
-
-    /**
-     * Set the value of a text input.
-     *
-     * @param fieldName The name of the form element.
-     * @param value the value to set.
-     */
-    public fill = async (
-        fieldName: string,
-        value: string,
-        parent: LocatorContext = this.page,
-    ): Promise<void> => {
-        const control = parent
-            .getByRole("textbox", {
-                name: fieldName,
-            })
-            .or(
-                parent.getByRole("spinbutton", {
-                    name: fieldName,
-                }),
-            )
-            .first();
-
-        await expect(control, `Field (${fieldName}) should be visible`).toBeVisible();
-
-        await control.fill(value);
-    };
-
-    /**
-     * Set the value of a radio or checkbox input.
-     *
-     * @param fieldName The name of the form element.
-     * @param value the value to set.
-     */
-    public setInputCheck = async (
-        fieldName: string,
-        value: boolean = true,
-        parent: LocatorContext = this.page,
-    ): Promise<void> => {
-        const control = parent.locator("ak-switch-input", {
-            hasText: fieldName,
-        });
-
-        await control.scrollIntoViewIfNeeded();
-
-        await expect(control, `Field (${fieldName}) should be visible`).toBeVisible();
-
-        const currentChecked = await control
-            .getAttribute("checked")
-            .then((value) => value !== null);
-
-        if (currentChecked === value) {
-            return;
-        }
-
-        await control.click();
-    };
-
-    /**
-     * Set the value of a radio or checkbox input.
-     *
-     * @param fieldName The name of the form element.
-     * @param pattern the value to set.
-     */
-    public setRadio = async (
-        groupName: string,
-        fieldName: string,
-        parent: LocatorContext = this.page,
-    ): Promise<void> => {
-        const group = parent.getByRole("group", { name: groupName });
-
-        await expect(group, `Field "${groupName}" should be visible`).toBeVisible();
-        const control = parent.getByRole("radio", { name: fieldName });
-
-        await control.setChecked(true, {
-            force: true,
-        });
-    };
-
-    /**
-     * Set the value of a search select input.
-     *
-     * @param fieldLabel The name of the search select element.
-     * @param pattern The text to match against the search select entry.
-     */
-    public selectSearchValue = async (
-        fieldLabel: string,
-        pattern: string | RegExp,
-        parent: LocatorContext = this.page,
-    ): Promise<void> => {
-        const control = parent.getByRole("textbox", { name: fieldLabel });
-
-        await expect(
-            control,
-            `Search select control (${fieldLabel}) should be visible`,
-        ).toBeVisible();
-
-        const fieldName = await control.getAttribute("name");
-
-        if (!fieldName) {
-            throw new Error(`Unable to find name attribute on search select (${fieldLabel})`);
-        }
-
-        // Find the search select input control and activate it.
-        await control.click();
-
-        const button = this.page
-            // ---
-            .locator(`div[data-managed-for*="${fieldName}"] button`, {
-                hasText: pattern,
-            });
-
-        if (!button) {
-            throw new Error(
-                `Unable to find an ak-search-select entry matching ${fieldLabel}:${pattern.toString()}`,
-            );
-        }
-
-        await button.click();
-        await this.page.keyboard.press("Tab");
-        await control.blur();
-    };
-
-    public setFormGroup = async (
-        pattern: string | RegExp,
-        value: boolean = true,
-        parent: LocatorContext = this.page,
-    ) => {
-        const control = parent
-            .locator("ak-form-group", {
-                hasText: pattern,
-            })
-            .first();
-
-        const currentOpen = await control.getAttribute("open").then((value) => value !== null);
-
-        if (currentOpen === value) {
-            this.logger.debug(`Form group ${pattern} is already ${value ? "open" : "closed"}`);
-            return;
-        }
-
-        this.logger.debug(`Toggling form group ${pattern} to ${value ? "open" : "closed"}`);
-
-        await control.click();
-
-        if (value) {
-            await expect(control).toHaveAttribute("open");
-        } else {
-            await expect(control).not.toHaveAttribute("open");
-        }
-    };
-
-    //#endregion
-
-    //#region Lifecycle
-
-    constructor(page: Page, testName: string) {
-        super({ page, testName });
-    }
-
-    //#endregion
-}

web/e2e/fixtures/PageFixture.ts

@@ -1,30 +0,0 @@
-import { ConsoleLogger, FixtureLogger } from "#logger/node";
-
-import { Page } from "@playwright/test";
-
-export interface PageFixtureOptions {
-    page: Page;
-    testName: string;
-}
-
-export abstract class PageFixture {
-    /**
-     * The name of the fixture.
-     *
-     * Used for logging.
-     */
-    static fixtureName: string;
-
-    protected readonly logger: FixtureLogger;
-    protected readonly page: Page;
-    protected readonly testName: string;
-
-    constructor({ page, testName }: PageFixtureOptions) {
-        this.page = page;
-        this.testName = testName;
-
-        const Constructor = this.constructor as typeof PageFixture;
-
-        this.logger = ConsoleLogger.fixture(Constructor.fixtureName, this.testName);
-    }
-}

web/e2e/fixtures/PointerFixture.ts

@@ -1,42 +0,0 @@
-import { PageFixture } from "#e2e/fixtures/PageFixture";
-import type { LocatorContext } from "#e2e/selectors/types";
-
-import { Page } from "@playwright/test";
-
-export type GetByRoleParameters = Parameters<Page["getByRole"]>;
-export type ARIARole = GetByRoleParameters[0];
-export type ARIAOptions = GetByRoleParameters[1];
-
-export type ClickByName = (name: string) => Promise<void>;
-export type ClickByRole = (
-    role: ARIARole,
-    options?: ARIAOptions,
-    context?: LocatorContext,
-) => Promise<void>;
-
-export class PointerFixture extends PageFixture {
-    public static fixtureName = "Pointer";
-
-    public click = (
-        name: string,
-        optionsOrRole?: ARIAOptions | ARIARole,
-        context: LocatorContext = this.page,
-    ): Promise<void> => {
-        if (typeof optionsOrRole === "string") {
-            return context.getByRole(optionsOrRole, { name }).click();
-        }
-
-        const options = {
-            ...optionsOrRole,
-            name,
-        };
-
-        return (
-            context
-                // ---
-                .getByRole("button", options)
-                .or(context.getByRole("link", options))
-                .click()
-        );
-    };
-}

web/e2e/fixtures/SessionFixture.ts

@@ -1,119 +0,0 @@
-import { PageFixture } from "#e2e/fixtures/PageFixture";
-
-import { expect, Page } from "@playwright/test";
-
-export const GOOD_USERNAME = "test-admin@goauthentik.io";
-export const GOOD_PASSWORD = "test-runner";
-
-export const BAD_USERNAME = "bad-username@bad-login.io";
-export const BAD_PASSWORD = "-this-is-a-bad-password-";
-
-export interface LoginInit {
-    username?: string;
-    password?: string;
-    to?: URL | string;
-}
-
-export class SessionFixture extends PageFixture {
-    static fixtureName = "Session";
-
-    public static readonly pathname = "/if/flow/default-authentication-flow/";
-
-    //#region Selectors
-
-    public $identificationStage = this.page.locator("ak-stage-identification");
-
-    /**
-     * The username field on the login page.
-     */
-    public $usernameField = this.$identificationStage.locator('input[name="uidField"]');
-
-    /**
-     * The button to continue with the login process,
-     * typically to the password flow stage.
-     */
-    public $submitUsernameStageButton = this.$identificationStage.locator('button[type="submit"]');
-
-    public $passwordStage = this.page.locator("ak-stage-password");
-    public $passwordField = this.$passwordStage.locator('input[name="password"]');
-    /**
-     * The button to submit the the login flow,
-     * typically redirecting to the authenticated interface.
-     */
-    public $submitPasswordStageButton = this.$passwordStage.locator('button[type="submit"]');
-
-    /**
-     * A possible authentication failure message.
-     */
-    public $authFailureMessage = this.page.locator(".pf-m-error");
-
-    //#endregion
-
-    constructor(page: Page, testName: string) {
-        super({ page, testName });
-    }
-
-    //#region Specific interactions
-
-    public async submitUsernameStage(username: string) {
-        this.logger.info("Submitting username stage", username);
-
-        await this.$usernameField.fill(username);
-
-        await expect(this.$submitUsernameStageButton).toBeEnabled();
-
-        await this.$submitUsernameStageButton.click();
-    }
-
-    public async submitPasswordStage(password: string) {
-        this.logger.info("Submitting password stage");
-
-        await this.$passwordField.fill(password);
-
-        await expect(this.$submitPasswordStageButton).toBeEnabled();
-
-        await this.$submitPasswordStageButton.click();
-    }
-
-    public checkAuthenticated = async (): Promise<boolean> => {
-        // TODO: Check if the user is authenticated via API
-        return true;
-    };
-
-    /**
-     * Log into the application.
-     */
-    public async login({
-        username = GOOD_USERNAME,
-        password = GOOD_PASSWORD,
-        to = SessionFixture.pathname,
-    }: LoginInit = {}) {
-        this.logger.info("Logging in...");
-
-        const initialURL = new URL(this.page.url());
-
-        if (initialURL.pathname === SessionFixture.pathname) {
-            this.logger.info("Skipping navigation because we're already in a authentication flow");
-        } else {
-            await this.page.goto(to.toString());
-        }
-
-        await this.submitUsernameStage(username);
-
-        await this.$passwordField.waitFor({ state: "visible" });
-
-        await this.submitPasswordStage(password);
-
-        const expectedPathname = typeof to === "string" ? to : to.pathname;
-
-        await this.page.waitForURL(`**${expectedPathname}`);
-    }
-
-    //#endregion
-
-    //#region Navigation
-
-    public async toLoginPage() {
-        await this.page.goto(SessionFixture.pathname);
-    }
-}

web/e2e/index.ts

@@ -1,56 +0,0 @@
-/* eslint-disable react-hooks/rules-of-hooks */
-import { createLocatorProxy, DeepLocatorProxy } from "#e2e/elements/proxy";
-import { FormFixture } from "#e2e/fixtures/FormFixture";
-import { PointerFixture } from "#e2e/fixtures/PointerFixture";
-import { SessionFixture } from "#e2e/fixtures/SessionFixture";
-import { createOUIDNameEngine } from "#e2e/selectors/ouid";
-
-import { test as base } from "@playwright/test";
-
-export { expect } from "@playwright/test";
-
-type TestIDLocatorProxy = DeepLocatorProxy<TestIDSelectorMap>;
-
-interface E2EFixturesTestScope {
-    /**
-     * A proxy to retrieve elements by test ID.
-     *
-     * ```ts
-     * const $button = $.button;
-     * ```
-     */
-    $: TestIDLocatorProxy;
-    session: SessionFixture;
-    pointer: PointerFixture;
-    form: FormFixture;
-}
-
-interface E2EWorkerScope {
-    selectorRegistration: void;
-}
-
-export const test = base.extend<E2EFixturesTestScope, E2EWorkerScope>({
-    selectorRegistration: [
-        async ({ playwright }, use) => {
-            await playwright.selectors.register("ouid", createOUIDNameEngine);
-            await use();
-        },
-        { auto: true, scope: "worker" },
-    ],
-
-    $: async ({ page }, use) => {
-        await use(createLocatorProxy<TestIDSelectorMap>(page));
-    },
-
-    session: async ({ page }, use, { title }) => {
-        await use(new SessionFixture(page, title));
-    },
-
-    form: async ({ page }, use, { title }) => {
-        await use(new FormFixture(page, title));
-    },
-
-    pointer: async ({ page }, use, { title }) => {
-        await use(new PointerFixture({ page, testName: title }));
-    },
-});

web/e2e/selectors/ouid.ts

@@ -1,44 +0,0 @@
-/* eslint-disable no-console */
-
-type SelectorRoot = Document | ShadowRoot;
-
-export function createOUIDNameEngine() {
-    const attributeName = "data-ouid-component-name";
-
-    console.log("Creating OUID selector engine!!");
-    return {
-        // Returns all elements matching given selector in the root's subtree.
-        queryAll(scope: SelectorRoot, componentName: string) {
-            const result: Element[] = [];
-
-            const match = (element: Element) => {
-                const name = element.getAttribute(attributeName);
-
-                if (name === componentName) {
-                    result.push(element);
-                }
-            };
-
-            const query = (root: Element | ShadowRoot | Document) => {
-                const shadows: ShadowRoot[] = [];
-
-                if ((root as Element).shadowRoot) {
-                    shadows.push((root as Element).shadowRoot!);
-                }
-
-                for (const element of root.querySelectorAll("*")) {
-                    match(element);
-
-                    if (element.shadowRoot) {
-                        shadows.push(element.shadowRoot);
-                    }
-                }
-
-                shadows.forEach(query);
-            };
-
-            query(scope);
-            return result;
-        },
-    };
-}

web/e2e/selectors/types.ts

@@ -1,13 +0,0 @@
-import type { Locator } from "@playwright/test";
-
-export type LocatorContext = Pick<
-    Locator,
-    | "locator"
-    | "getByRole"
-    | "getByTestId"
-    | "getByText"
-    | "getByLabel"
-    | "getByAltText"
-    | "getByTitle"
-    | "getByPlaceholder"
->;

web/e2e/utils/generators.ts

@@ -1,60 +0,0 @@
-import { IDGenerator } from "@goauthentik/core/id";
-
-import {
-    adjectives,
-    colors,
-    Config as NameConfig,
-    uniqueNamesGenerator,
-} from "unique-names-generator";
-
-/**
- * Given a dictionary of words, slice the dictionary to only include words that start with the given letter.
- */
-export function alliterate(dictionary: string[], letter: string): string[] {
-    let firstIndex = 0;
-
-    for (let i = 0; i < dictionary.length; i++) {
-        if (dictionary[i][0] === letter) {
-            firstIndex = i;
-            break;
-        }
-    }
-
-    let lastIndex = firstIndex;
-
-    for (let i = firstIndex; i < dictionary.length; i++) {
-        if (dictionary[i][0] !== letter) {
-            lastIndex = i;
-            break;
-        }
-    }
-
-    return dictionary.slice(firstIndex, lastIndex);
-}
-
-export function createRandomName({
-    seed = IDGenerator.randomID(),
-    ...config
-}: Partial<NameConfig> = {}) {
-    const randomLetterIndex =
-        typeof seed === "number"
-            ? seed
-            : Array.from(seed).reduce((acc, char) => acc + char.charCodeAt(0), 0);
-
-    const letter = adjectives[randomLetterIndex % adjectives.length][0];
-
-    const availableAdjectives = alliterate(adjectives, letter);
-
-    const availableColors = alliterate(colors, letter);
-
-    const name = uniqueNamesGenerator({
-        dictionaries: [availableAdjectives, availableAdjectives, availableColors],
-        style: "capital",
-        separator: " ",
-        length: 3,
-        seed,
-        ...config,
-    });
-
-    return name;
-}

web/eslint.config.mjs

@@ -29,6 +29,12 @@ export default tseslint.config(
         },
         files: ["packages/**/*"],
     },
+    {
+        rules: {
+            "@typescript-eslint/explicit-member-accessibility": "warn",
+        },
+        files: ["src/**/*.{ts,tsx,mts,cts}"],
+    },
     {
         rules: {
             "no-void": "off",

web/logger/node.js

@@ -1,102 +0,0 @@
-/**
- * Application logger.
- *
- * @import { LoggerOptions, Logger, Level, ChildLoggerOptions } from "pino"
- * @import { PrettyOptions } from "pino-pretty"
- */
-
-import { pino } from "pino";
-
-//#region Constants
-
-/**
- * Default options for creating a Pino logger.
- *
- * @category Logger
- * @satisfies {LoggerOptions<never, false>}
- */
-export const DEFAULT_PINO_LOGGER_OPTIONS = {
-    enabled: true,
-    level: "info",
-    transport: {
-        target: "./transport.js",
-        options: /** @satisfies {PrettyOptions} */ ({
-            colorize: true,
-        }),
-    },
-};
-
-//#endregion
-
-//#region Functions
-
-/**
- * Read the log level from the environment.
- * @return {Level}
- */
-export function readLogLevel() {
-    return process.env.AK_LOG_LEVEL || DEFAULT_PINO_LOGGER_OPTIONS.level;
-}
-
-/**
- * @typedef {Logger} FixtureLogger
- */
-
-/**
- * @this {Logger}
- * @param {string} fixtureName
- * @param {string} [testName]
- * @param {ChildLoggerOptions} [options]
- * @returns {FixtureLogger}
- */
-function createFixtureLogger(fixtureName, testName, options) {
-    return this.child(
-        { name: fixtureName },
-        {
-            msgPrefix: `[${testName}] `,
-            ...options,
-        },
-    );
-}
-
-/**
- * @typedef {object} CustomLoggerMethods
- * @property {typeof createFixtureLogger} fixture
- */
-
-/**
- * @typedef {Logger & CustomLoggerMethods} ConsoleLogger
- */
-
-/**
- * A singleton logger instance for Node.js.
- *
- * ```js
- * import { ConsoleLogger } from "#logger/node";
- *
- * ConsoleLogger.info("Hello, world!");
- * ```
- *
- * @runtime node
- * @type {ConsoleLogger}
- */
-export const ConsoleLogger = Object.assign(
-    pino({
-        ...DEFAULT_PINO_LOGGER_OPTIONS,
-        level: readLogLevel(),
-    }),
-    { fixture: createFixtureLogger },
-);
-
-/**
- * @typedef {ReturnType<ConsoleLogger['child']>} ChildConsoleLogger
- */
-
-//#region Aliases
-
-export const info = ConsoleLogger.info.bind(ConsoleLogger);
-export const debug = ConsoleLogger.debug.bind(ConsoleLogger);
-export const warn = ConsoleLogger.warn.bind(ConsoleLogger);
-export const error = ConsoleLogger.error.bind(ConsoleLogger);
-
-//#endregion

web/logger/transport.js

@@ -1,22 +0,0 @@
-/**
- * @file Pretty transport for Pino
- *
- * @import { PrettyOptions } from "pino-pretty"
- */
-
-import PinoPretty from "pino-pretty";
-
-/**
- * @param {PrettyOptions} options
- */
-function prettyTransporter(options) {
-    const pretty = PinoPretty({
-        ...options,
-        ignore: "pid,hostname",
-        translateTime: "SYS:HH:MM:ss",
-    });
-
-    return pretty;
-}
-
-export default prettyTransporter;

web/package.json

@@ -24,8 +24,8 @@
         "pseudolocalize": "node ./scripts/pseudolocalize.mjs",
         "storybook": "storybook dev -p 6006",
         "storybook:build": "wireit",
-        "test": "vitest",
-        "test:e2e": "playwright test",
+        "test": "wireit",
+        "test:e2e": "wireit",
         "test:e2e:watch": "wireit",
         "test:watch": "wireit",
         "tsc": "wireit",
@@ -69,9 +69,6 @@
         "#flow/*": "./src/flow/*.js",
         "#locales/*": "./src/locales/*.js",
         "#stories/*": "./src/stories/*.js",
-        "#tests/*": "./tests/*.js",
-        "#e2e": "./e2e/index.ts",
-        "#e2e/*": "./e2e/*.ts",
         "#*/browser": {
             "types": "./out/*/browser.d.ts",
             "import": "./*/browser.js"
@@ -94,10 +91,10 @@
         "@codemirror/legacy-modes": "^6.5.1",
         "@codemirror/theme-one-dark": "^6.1.3",
         "@eslint/js": "^9.31.0",
-        "@floating-ui/dom": "^1.7.2",
+        "@floating-ui/dom": "^1.7.3",
         "@formatjs/intl-listformat": "^7.7.11",
         "@fortawesome/fontawesome-free": "^7.0.0",
-        "@goauthentik/api": "^2025.6.4-1753714826",
+        "@goauthentik/api": "^2025.6.4-1754241870",
         "@goauthentik/core": "^1.0.0",
         "@goauthentik/esbuild-plugin-live-reload": "^1.1.0",
         "@goauthentik/eslint-config": "^1.0.5",
@@ -116,13 +113,12 @@
         "@openlayers-elements/maps": "^0.4.0",
         "@patternfly/elements": "^4.1.0",
         "@patternfly/patternfly": "^4.224.2",
-        "@playwright/test": "^1.54.1",
-        "@sentry/browser": "^9.42.1",
+        "@sentry/browser": "^10.0.0",
         "@spotlightjs/spotlight": "^3.0.1",
-        "@storybook/addon-docs": "^9.0.18",
-        "@storybook/addon-links": "^9.0.18",
-        "@storybook/web-components": "^9.0.18",
-        "@storybook/web-components-vite": "^9.0.18",
+        "@storybook/addon-docs": "^9.1.0",
+        "@storybook/addon-links": "^9.1.0",
+        "@storybook/web-components": "^9.1.0",
+        "@storybook/web-components-vite": "^9.1.0",
         "@types/codemirror": "^5.60.16",
         "@types/grecaptcha": "^3.0.9",
         "@types/guacamole-common-js": "^1.5.3",
@@ -132,17 +128,11 @@
         "@types/react-dom": "^19.1.6",
         "@typescript-eslint/eslint-plugin": "^8.38.0",
         "@typescript-eslint/parser": "^8.38.0",
-        "@vitest/browser": "^3.2.4",
-        "@wdio/browser-runner": "^9.18.4",
-        "@wdio/cli": "9.15",
-        "@wdio/spec-reporter": "^9.15.0",
-        "@web/test-runner": "^0.20.2",
         "@webcomponents/webcomponentsjs": "^2.8.0",
         "base64-js": "^1.5.1",
         "change-case": "^5.4.4",
         "chart.js": "^4.5.0",
         "chartjs-adapter-date-fns": "^3.0.0",
-        "chromedriver": "^138.0.4",
         "codemirror": "^6.0.2",
         "construct-style-sheets-polyfill": "^3.1.0",
         "core-js": "^3.44.0",
@@ -168,9 +158,6 @@
         "md-front-matter": "^1.0.4",
         "mermaid": "^11.9.0",
         "npm-run-all": "^4.1.5",
-        "pino": "^9.7.0",
-        "pino-pretty": "^13.0.0",
-        "playwright": "^1.54.1",
         "prettier": "^3.6.2",
         "pseudolocale": "^2.1.0",
         "rapidoc": "^9.3.8",
@@ -191,10 +178,7 @@
         "turnstile-types": "^1.2.3",
         "typescript": "^5.8.3",
         "typescript-eslint": "^8.38.0",
-        "unique-names-generator": "^4.7.1",
         "unist-util-visit": "^5.0.0",
-        "vite": "^7.0.6",
-        "vitest": "^3.2.4",
         "webcomponent-qr-code": "^1.3.0",
         "wireit": "^0.14.12",
         "yaml": "^2.8.0"
@@ -203,9 +187,13 @@
         "@esbuild/darwin-arm64": "^0.25.4",
         "@esbuild/linux-arm64": "^0.25.4",
         "@esbuild/linux-x64": "^0.25.4",
-        "@rollup/rollup-darwin-arm64": "^4.46.1",
-        "@rollup/rollup-linux-arm64-gnu": "^4.46.1",
-        "@rollup/rollup-linux-x64-gnu": "^4.46.1"
+        "@rollup/rollup-darwin-arm64": "^4.46.2",
+        "@rollup/rollup-linux-arm64-gnu": "^4.46.2",
+        "@rollup/rollup-linux-x64-gnu": "^4.46.2",
+        "@wdio/browser-runner": "^9.18.4",
+        "@wdio/cli": "^9.18.4",
+        "@wdio/spec-reporter": "^9.18.0",
+        "@web/test-runner": "^0.20.2"
     },
     "wireit": {
         "build": {
@@ -278,7 +266,7 @@
             "command": "lit-analyzer src"
         },
         "lint:types:tests": {
-            "command": "tsc --noEmit -p tsconfig.test.json"
+            "command": "tsc --noEmit -p ./tests"
         },
         "lint:types": {
             "command": "tsc -p .",
@@ -327,7 +315,7 @@
             ],
             "env": {
                 "CI": "true",
-                "TS_NODE_PROJECT": "tsconfig.test.json"
+                "TS_NODE_PROJECT": "./tests/tsconfig.test.json"
             }
         },
         "test:e2e:watch": {
@@ -336,7 +324,7 @@
                 "build"
             ],
             "env": {
-                "TS_NODE_PROJECT": "tsconfig.test.json"
+                "TS_NODE_PROJECT": "./tests/tsconfig.test.json"
             }
         },
         "test:watch": {

web/packages/sfe/package.json

@@ -23,7 +23,7 @@
         "formdata-polyfill": "^4.0.10",
         "jquery": "^3.7.1",
         "prettier": "^3.5.3",
-        "rollup": "^4.46.1",
+        "rollup": "^4.46.2",
         "rollup-plugin-copy": "^3.5.0",
         "weakmap-polyfill": "^2.0.4"
     },

web/packages/sfe/src/index.ts

@@ -170,7 +170,7 @@ class Stage<T extends FlowInfoChallenge> {
 const IS_INVALID = "is-invalid";
 
 class IdentificationStage extends Stage<IdentificationChallenge> {
-    render() {
+    override render() {
         this.html(`
             <form id="ident-form">
                 <img class="mb-4 brand-icon" src="${ak().brand.branding_logo}" alt="">
@@ -206,7 +206,7 @@ class IdentificationStage extends Stage<IdentificationChallenge> {
 }
 
 class PasswordStage extends Stage<PasswordChallenge> {
-    render() {
+    override render() {
         this.html(`
             <form id="password-form">
                 <img class="mb-4 brand-icon" src="${ak().brand.branding_logo}" alt="">
@@ -230,13 +230,13 @@ class PasswordStage extends Stage<PasswordChallenge> {
 }
 
 class RedirectStage extends Stage<RedirectChallenge> {
-    render() {
+    override render() {
         window.location.assign(this.challenge.to);
     }
 }
 
 class AutosubmitStage extends Stage<AutosubmitChallenge> {
-    render() {
+    override render() {
         this.html(`
             <form id="autosubmit-form" action="${this.challenge.url}" method="POST">
                 <img class="mb-4 brand-icon" src="${ak().brand.branding_logo}" alt="">
@@ -403,7 +403,7 @@ class AuthenticatorValidateStage extends Stage<AuthenticatorValidationChallenge>
         };
     }
 
-    render() {
+    override render() {
         if (this.challenge.deviceChallenges.length === 1) {
             this.deviceChallenge = this.challenge.deviceChallenges[0];
         }

web/playwright.config.js

@@ -1,94 +0,0 @@
-/**
- * @file Playwright configuration.
- *
- * @see https://playwright.dev/docs/test-configuration
- *
- * @import { LogFn, Logger } from "pino"
- */
-
-import { ConsoleLogger } from "#logger/node";
-
-import { defineConfig, devices } from "@playwright/test";
-
-const CI = !!process.env.CI;
-
-/**
- * @type {Map<string, Logger>}
- */
-const LoggerCache = new Map();
-
-const baseURL = process.env.AK_TEST_RUNNER_PAGE_URL ?? "http://localhost:9000";
-
-export default defineConfig({
-    testDir: "./test/browser",
-    fullyParallel: true,
-    forbidOnly: CI,
-    retries: CI ? 2 : 0,
-    workers: CI ? 1 : undefined,
-    reporter: CI
-        ? "github"
-        : [
-              // ---
-              ["list", { printSteps: true }],
-              ["html", { open: "never" }],
-          ],
-    use: {
-        testIdAttribute: "data-test-id",
-        baseURL,
-        trace: "on-first-retry",
-        launchOptions: {
-            logger: {
-                isEnabled() {
-                    return true;
-                },
-                log: (name, severity, message, args) => {
-                    let logger = LoggerCache.get(name);
-
-                    if (!logger) {
-                        logger = ConsoleLogger.child({
-                            name: `Playwright ${name.toUpperCase()}`,
-                        });
-                        LoggerCache.set(name, logger);
-                    }
-
-                    /**
-                     * @type {LogFn}
-                     */
-                    let log;
-
-                    switch (severity) {
-                        case "verbose":
-                            log = logger.debug;
-                            break;
-                        case "warning":
-                            log = logger.warn;
-                            break;
-                        case "error":
-                            log = logger.error;
-                            break;
-                        default:
-                            log = logger.info;
-                            break;
-                    }
-
-                    if (name === "api") {
-                        log = logger.debug;
-                    }
-
-                    log.call(logger, message.toString(), args);
-                },
-            },
-        },
-    },
-
-    /* Configure projects for major browsers */
-    projects: [
-        {
-            name: "chromium",
-
-            use: {
-                ...devices["Desktop Chrome"],
-            },
-        },
-    ],
-});

web/src/admin/AdminInterface/AboutModal.ts

@@ -19,7 +19,7 @@ import PFAbout from "@patternfly/patternfly/components/AboutModalBox/about-modal
 
 @customElement("ak-about-modal")
 export class AboutModal extends WithLicenseSummary(WithBrandConfig(ModalButton)) {
-    static styles = [
+    public static styles = [
         ...ModalButton.styles,
         PFAbout,
         css`
@@ -29,7 +29,7 @@ export class AboutModal extends WithLicenseSummary(WithBrandConfig(ModalButton))
         `,
     ];
 
-    async getAboutEntries(): Promise<[string, string | TemplateResult][]> {
+    protected async getAboutEntries(): Promise<[string, string | TemplateResult][]> {
         const status = await new AdminApi(DEFAULT_CONFIG).adminSystemRetrieve();
         const version = await new AdminApi(DEFAULT_CONFIG).adminVersionRetrieve();
         let build: string | TemplateResult = msg("Release");

web/src/admin/AdminInterface/index.entrypoint.ts

@@ -79,7 +79,7 @@ export class AdminInterface extends WithCapabilitiesConfig(AuthenticatedInterfac
 
     //#region Styles
 
-    static styles: CSSResult[] = [
+    public static styles: CSSResult[] = [
         PFBase,
         PFPage,
         PFButton,
@@ -126,7 +126,7 @@ export class AdminInterface extends WithCapabilitiesConfig(AuthenticatedInterfac
 
     //#region Lifecycle
 
-    constructor() {
+    public constructor() {
         configureSentry(true);
 
         super();
@@ -137,7 +137,7 @@ export class AdminInterface extends WithCapabilitiesConfig(AuthenticatedInterfac
         this.sidebarOpen = this.#sidebarMatcher.matches;
     }
 
-    public connectedCallback() {
+    public override connectedCallback() {
         super.connectedCallback();
 
         window.addEventListener(EVENT_NOTIFICATION_DRAWER_TOGGLE, () => {
@@ -159,14 +159,14 @@ export class AdminInterface extends WithCapabilitiesConfig(AuthenticatedInterfac
         });
     }
 
-    public disconnectedCallback(): void {
+    public override disconnectedCallback(): void {
         super.disconnectedCallback();
         this.#sidebarMatcher.removeEventListener("change", this.#sidebarMediaQueryListener);
 
         WebsocketClient.close();
     }
 
-    async firstUpdated(): Promise<void> {
+    public override async firstUpdated(): Promise<void> {
         me().then((session) => {
             this.user = session;
 
@@ -181,7 +181,7 @@ export class AdminInterface extends WithCapabilitiesConfig(AuthenticatedInterfac
         });
     }
 
-    render(): TemplateResult {
+    public override render(): TemplateResult {
         const sidebarClasses = {
             "pf-c-page__sidebar": true,
             "pf-m-light": this.activeTheme === UiThemeEnum.Light,

web/src/admin/DebugPage.ts

@@ -22,9 +22,9 @@ import PFBase from "@patternfly/patternfly/patternfly-base.css";
 
 @customElement("ak-admin-debug-page")
 export class DebugPage extends AKElement {
-    static styles: CSSResult[] = [PFBase, PFCard, PFPage, PFGrid, PFButton];
+    public static override styles: CSSResult[] = [PFBase, PFCard, PFPage, PFGrid, PFButton];
 
-    render(): TemplateResult {
+    public override render(): TemplateResult {
         return html`
             <ak-page-header icon="pf-icon pf-icon-user" header="Debug"> </ak-page-header>
             <section class="pf-c-page__main-section">

web/src/admin/admin-overview/AdminOverviewPage.ts

@@ -37,7 +37,7 @@ const AdminOverviewBase = WithLicenseSummary(AKElement);
 
 @customElement("ak-admin-overview")
 export class AdminOverviewPage extends AdminOverviewBase {
-    static styles: CSSResult[] = [
+    public static styles: CSSResult[] = [
         PFBase,
         PFGrid,
         PFPage,
@@ -63,7 +63,7 @@ export class AdminOverviewPage extends AdminOverviewBase {
         `,
     ];
 
-    quickActions: QuickAction[] = [
+    protected quickActions: QuickAction[] = [
         [msg("Create a new application"), paramURL("/core/applications", { createWizard: true })],
         [msg("Check the logs"), paramURL("/events/log")],
         [msg("Explore integrations"), "https://goauthentik.io/integrations/", true],
@@ -76,13 +76,13 @@ export class AdminOverviewPage extends AdminOverviewBase {
     ];
 
     @state()
-    user?: SessionUser;
+    protected user?: SessionUser;
 
-    async firstUpdated(): Promise<void> {
+    public override async firstUpdated(): Promise<void> {
         this.user = await me();
     }
 
-    render(): TemplateResult {
+    public override render(): TemplateResult {
         const username = this.user?.user.name || this.user?.user.username;
 
         return html`<ak-page-header
@@ -154,7 +154,7 @@ export class AdminOverviewPage extends AdminOverviewBase {
             </section>`;
     }
 
-    renderCards() {
+    protected renderCards() {
         const isEnterprise = this.hasEnterpriseLicense;
         const classes = {
             "card-container": true,

web/src/admin/admin-overview/DashboardUserPage.ts

@@ -18,7 +18,7 @@ import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";
 
 @customElement("ak-admin-dashboard-users")
 export class DashboardUserPage extends AKElement {
-    static styles: CSSResult[] = [
+    public static override styles: CSSResult[] = [
         PFGrid,
         PFPage,
         PFContent,
@@ -34,7 +34,7 @@ export class DashboardUserPage extends AKElement {
         `,
     ];
 
-    render(): TemplateResult {
+    public override render(): TemplateResult {
         return html`<ak-page-header icon="pf-icon pf-icon-user" header=${msg("User Statistics")}>
             </ak-page-header>
             <section class="pf-c-page__main-section">

web/src/admin/admin-overview/SystemTasksPage.ts

@@ -25,21 +25,19 @@ import PFBase from "@patternfly/patternfly/patternfly-base.css";
 
 @customElement("ak-system-tasks")
 export class SystemTasksPage extends AKElement {
-    static get styles(): CSSResult[] {
-        return [
-            PFBase,
-            PFList,
-            PFBanner,
-            PFPage,
-            PFContent,
-            PFButton,
-            PFDescriptionList,
-            PFGrid,
-            PFCard,
-        ];
-    }
+    public static override styles: CSSResult[] = [
+        PFBase,
+        PFList,
+        PFBanner,
+        PFPage,
+        PFContent,
+        PFButton,
+        PFDescriptionList,
+        PFGrid,
+        PFCard,
+    ];
 
-    render(): TemplateResult {
+    public override render(): TemplateResult {
         return html`<ak-page-header
                 icon="pf-icon pf-icon-automation"
                 header=${msg("System Tasks")}

web/src/admin/admin-overview/TopApplicationsTable.ts

@@ -15,11 +15,11 @@ import PFTable from "@patternfly/patternfly/components/Table/table.css";
 @customElement("ak-top-applications-table")
 export class TopApplicationsTable extends AKElement {
     @property({ attribute: false })
-    topN?: EventTopPerUser[];
+    public topN?: EventTopPerUser[];
 
-    static styles: CSSResult[] = [PFTable];
+    public static override styles: CSSResult[] = [PFTable];
 
-    firstUpdated(): void {
+    public override firstUpdated(): void {
         new EventsApi(DEFAULT_CONFIG)
             .eventsEventsTopPerUserList({
                 action: "authorize_application",
@@ -30,7 +30,7 @@ export class TopApplicationsTable extends AKElement {
             });
     }
 
-    renderRow(event: EventTopPerUser): TemplateResult {
+    protected renderRow(event: EventTopPerUser): TemplateResult {
         return html`<tr role="row">
             <td role="cell">${event.application.name}</td>
             <td role="cell">${event.countedEvents}</td>
@@ -43,7 +43,7 @@ export class TopApplicationsTable extends AKElement {
         </tr>`;
     }
 
-    render(): TemplateResult {
+    public override render(): TemplateResult {
         return html`<table class="pf-c-table pf-m-compact" role="grid">
             <thead>
                 <tr role="row">

web/src/admin/admin-overview/cards/AdminStatusCard.ts

@@ -22,7 +22,7 @@ export interface AdminStatus {
 export abstract class AdminStatusCard<T> extends AggregateCard {
     // Current data value state
     @state()
-    value?: T;
+    public value?: T;
 
     // Current status state derived from value
     @state()
@@ -33,28 +33,27 @@ export abstract class AdminStatusCard<T> extends AggregateCard {
     protected error?: APIError;
 
     // Abstract methods to be implemented by subclasses
-    abstract getPrimaryValue(): Promise<T>;
-    abstract getStatus(value: T): Promise<AdminStatus>;
+    protected abstract getPrimaryValue(): Promise<T>;
 
-    constructor() {
+    protected abstract getStatus(value: T): Promise<AdminStatus>;
+
+    public constructor() {
         super();
-        // Proper binding for event handler
-        this.fetchData = this.fetchData.bind(this);
         // Register refresh event listener
-        this.addEventListener(EVENT_REFRESH, this.fetchData);
+        this.addEventListener(EVENT_REFRESH, this.#fetchData);
     }
 
     // Lifecycle method: Called when component is added to DOM
-    connectedCallback(): void {
+    public override connectedCallback(): void {
         super.connectedCallback();
         // Initial data fetch
-        this.fetchData();
+        this.#fetchData();
     }
 
     /**
      * Fetch primary data and handle errors
      */
-    private fetchData() {
+    #fetchData = () => {
         this.getPrimaryValue()
             .then((value: T) => {
                 this.value = value; // Triggers shouldUpdate
@@ -64,7 +63,7 @@ export abstract class AdminStatusCard<T> extends AggregateCard {
                 this.status = undefined;
                 this.error = await parseAPIResponseError(error);
             });
-    }
+    };
 
     /**
      * Lit lifecycle method: Determine if component should update
@@ -72,7 +71,7 @@ export abstract class AdminStatusCard<T> extends AggregateCard {
      * @param changed - Map of changed properties
      * @returns boolean indicating if update should proceed
      */
-    shouldUpdate(changed: PropertyValues<this>) {
+    public override shouldUpdate(changed: PropertyValues<this>) {
         if (changed.has("value") && this.value !== undefined) {
             // When value changes, fetch new status
             this.getStatus(this.value)
@@ -106,7 +105,7 @@ export abstract class AdminStatusCard<T> extends AggregateCard {
      * @param status - AdminStatus object containing icon and message
      * @returns TemplateResult for status display
      */
-    private renderStatus(status: AdminStatus): SlottedTemplateResult {
+    protected renderStatus(status: AdminStatus): SlottedTemplateResult {
         return html`
             <p><i class="${status.icon}"></i>&nbsp;${this.renderValue()}</p>
             ${status.message ? html`<p class="subtext">${status.message}</p>` : nothing}
@@ -119,7 +118,7 @@ export abstract class AdminStatusCard<T> extends AggregateCard {
      * @param error - Error message to display
      * @returns TemplateResult for error display
      */
-    private renderError(error: string): SlottedTemplateResult {
+    protected renderError(error: string): SlottedTemplateResult {
         return html`
             <p><i aria-hidden="true" class="fa fa-times"></i>&nbsp;${msg("Failed to fetch")}</p>
             <p class="subtext">${error}</p>
@@ -131,7 +130,7 @@ export abstract class AdminStatusCard<T> extends AggregateCard {
      *
      * @returns TemplateResult for loading spinner
      */
-    private renderLoading(): SlottedTemplateResult {
+    protected renderLoading(): SlottedTemplateResult {
         return html`<ak-spinner size="${PFSize.Large}"></ak-spinner>`;
     }
 
@@ -140,7 +139,7 @@ export abstract class AdminStatusCard<T> extends AggregateCard {
      *
      * @returns TemplateResult for current component state
      */
-    renderInner(): SlottedTemplateResult {
+    protected override renderInner(): SlottedTemplateResult {
         return html`
             <p class="center-value">
                 ${

web/src/admin/admin-overview/cards/FipsStatusCard.ts

@@ -12,21 +12,21 @@ type StatusContent = { icon: string; message: TemplateResult };
 
 @customElement("ak-admin-fips-status-system")
 export class FipsStatusCard extends AdminStatusCard<SystemInfo> {
-    icon = "pf-icon pf-icon-server";
+    public override icon = "pf-icon pf-icon-server";
 
     @state()
-    statusSummary?: string;
+    protected statusSummary?: string;
 
-    async getPrimaryValue(): Promise<SystemInfo> {
+    protected async getPrimaryValue(): Promise<SystemInfo> {
         return await new AdminApi(DEFAULT_CONFIG).adminSystemRetrieve();
     }
 
-    setStatus(summary: string, content: StatusContent): Promise<AdminStatus> {
+    protected setStatus(summary: string, content: StatusContent): Promise<AdminStatus> {
         this.statusSummary = summary;
         return Promise.resolve<AdminStatus>(content);
     }
 
-    getStatus(value: SystemInfo): Promise<AdminStatus> {
+    protected getStatus(value: SystemInfo): Promise<AdminStatus> {
         return value.runtime.opensslFipsEnabled
             ? this.setStatus(msg("OK"), {
                   icon: "fa fa-check-circle pf-m-success",
@@ -38,11 +38,11 @@ export class FipsStatusCard extends AdminStatusCard<SystemInfo> {
               });
     }
 
-    renderHeader(): TemplateResult {
+    protected override renderHeader(): TemplateResult {
         return html`${msg("FIPS Status")}`;
     }
 
-    renderValue(): TemplateResult {
+    protected override renderValue(): TemplateResult {
         return html`${this.statusSummary}`;
     }
 }

web/src/admin/admin-overview/cards/RecentEventsCard.ts

@@ -25,19 +25,19 @@ import PFCard from "@patternfly/patternfly/components/Card/card.css";
 @customElement("ak-recent-events")
 export class RecentEventsCard extends Table<Event> {
     @property()
-    order = "-created";
+    public override order = "-created";
 
     @property({ type: Number })
-    pageSize = 10;
+    public pageSize = 10;
 
-    async apiEndpoint(): Promise<PaginatedResponse<Event>> {
+    protected async apiEndpoint(): Promise<PaginatedResponse<Event>> {
         return new EventsApi(DEFAULT_CONFIG).eventsEventsList({
             ...(await this.defaultEndpointConfig()),
             pageSize: this.pageSize,
         });
     }
 
-    static styles: CSSResult[] = [
+    public static override styles: CSSResult[] = [
         ...super.styles,
         PFCard,
         css`
@@ -52,7 +52,7 @@ export class RecentEventsCard extends Table<Event> {
         `,
     ];
 
-    columns(): TableColumn[] {
+    protected columns(): TableColumn[] {
         return [
             new TableColumn(msg("Action"), "action"),
             new TableColumn(msg("User"), "user"),
@@ -62,13 +62,13 @@ export class RecentEventsCard extends Table<Event> {
         ];
     }
 
-    renderToolbar(): TemplateResult {
+    protected override renderToolbar(): TemplateResult {
         return html`<div class="pf-c-card__title">
             <i class="pf-icon pf-icon-catalog"></i>&nbsp;${msg("Recent events")}
         </div>`;
     }
 
-    row(item: EventWithContext): SlottedTemplateResult[] {
+    protected row(item: EventWithContext): SlottedTemplateResult[] {
         return [
             html`<div><a href="${`#/events/log/${item.pk}`}">${actionToLabel(item.action)}</a></div>
                 <small>${item.app}</small>`,
@@ -81,7 +81,7 @@ export class RecentEventsCard extends Table<Event> {
         ];
     }
 
-    renderEmpty(inner?: SlottedTemplateResult): TemplateResult {
+    protected override renderEmpty(inner?: SlottedTemplateResult): TemplateResult {
         if (this.error) {
             return super.renderEmpty(inner);
         }

web/src/admin/admin-overview/cards/SystemStatusCard.ts

@@ -12,14 +12,14 @@ import { customElement, state } from "lit/decorators.js";
 
 @customElement("ak-admin-status-system")
 export class SystemStatusCard extends AdminStatusCard<SystemInfo> {
-    now?: Date;
+    protected now?: Date;
 
-    icon = "pf-icon pf-icon-server";
+    public override icon = "pf-icon pf-icon-server";
 
     @state()
-    statusSummary?: string;
+    protected statusSummary?: string;
 
-    async getPrimaryValue(): Promise<SystemInfo> {
+    protected async getPrimaryValue(): Promise<SystemInfo> {
         this.now = new Date();
         let status = await new AdminApi(DEFAULT_CONFIG).adminSystemRetrieve();
         if (
@@ -38,7 +38,7 @@ export class SystemStatusCard extends AdminStatusCard<SystemInfo> {
 
     // Called on fresh installations and whenever the embedded outpost is deleted
     // automatically send the login URL when the user first visits the admin dashboard.
-    async setOutpostHost(): Promise<void> {
+    protected async setOutpostHost(): Promise<void> {
         const outposts = await new OutpostsApi(DEFAULT_CONFIG).outpostsInstancesList({
             managedIexact: "goauthentik.io/outposts/embedded",
         });
@@ -53,7 +53,7 @@ export class SystemStatusCard extends AdminStatusCard<SystemInfo> {
         });
     }
 
-    getStatus(value: SystemInfo): Promise<AdminStatus> {
+    protected getStatus(value: SystemInfo): Promise<AdminStatus> {
         if (!value.embeddedOutpostDisabled && value.embeddedOutpostHost === "") {
             this.statusSummary = msg("Warning");
             return Promise.resolve<AdminStatus>({
@@ -84,11 +84,11 @@ export class SystemStatusCard extends AdminStatusCard<SystemInfo> {
         });
     }
 
-    renderHeader(): SlottedTemplateResult {
+    protected override renderHeader(): SlottedTemplateResult {
         return msg("System status");
     }
 
-    renderValue(): SlottedTemplateResult {
+    protected override renderValue(): SlottedTemplateResult {
         return this.statusSummary ? html`${this.statusSummary}` : nothing;
     }
 }

web/src/admin/admin-overview/cards/VersionStatusCard.ts

@@ -10,13 +10,13 @@ import { customElement } from "lit/decorators.js";
 
 @customElement("ak-admin-status-version")
 export class VersionStatusCard extends AdminStatusCard<Version> {
-    icon = "pf-icon pf-icon-bundle";
+    public override icon = "pf-icon pf-icon-bundle";
 
-    getPrimaryValue(): Promise<Version> {
+    protected getPrimaryValue(): Promise<Version> {
         return new AdminApi(DEFAULT_CONFIG).adminVersionRetrieve();
     }
 
-    getStatus(value: Version): Promise<AdminStatus> {
+    protected getStatus(value: Version): Promise<AdminStatus> {
         if (value.buildHash) {
             return Promise.resolve<AdminStatus>({
                 icon: "fa fa-check-circle pf-m-success",
@@ -48,11 +48,11 @@ export class VersionStatusCard extends AdminStatusCard<Version> {
         });
     }
 
-    renderHeader(): TemplateResult {
+    protected override renderHeader(): TemplateResult {
         return html`${msg("Version")}`;
     }
 
-    renderValue(): TemplateResult {
+    protected override renderValue(): TemplateResult {
         let text = this.value?.versionCurrent;
         const versionFamily = this.value?.versionCurrent.split(".");
         versionFamily?.pop();

web/src/admin/admin-overview/cards/WorkerStatusCard.ts

@@ -10,17 +10,17 @@ import { customElement } from "lit/decorators.js";
 
 @customElement("ak-admin-status-card-workers")
 export class WorkersStatusCard extends AdminStatusCard<Worker[]> {
-    icon = "pf-icon pf-icon-server";
+    public override icon = "pf-icon pf-icon-server";
 
-    getPrimaryValue(): Promise<Worker[]> {
+    protected getPrimaryValue(): Promise<Worker[]> {
         return new TasksApi(DEFAULT_CONFIG).tasksWorkersList();
     }
 
-    renderHeader(): TemplateResult {
+    protected override renderHeader(): TemplateResult {
         return html`${msg("Workers")}`;
     }
 
-    getStatus(value: Worker[]): Promise<AdminStatus> {
+    protected getStatus(value: Worker[]): Promise<AdminStatus> {
         if (value.length < 1) {
             return Promise.resolve<AdminStatus>({
                 icon: "fa fa-times-circle pf-m-danger",
@@ -37,7 +37,7 @@ export class WorkersStatusCard extends AdminStatusCard<Worker[]> {
         });
     }
 
-    renderValue() {
+    protected override renderValue() {
         return html`${this.value?.length}`;
     }
 }

web/src/admin/admin-overview/charts/AdminLoginAuthorizeChart.ts

@@ -11,7 +11,7 @@ import { customElement } from "lit/decorators.js";
 
 @customElement("ak-charts-admin-login-authorization")
 export class AdminLoginAuthorizeChart extends EventChart {
-    async apiRequest(): Promise<EventVolume[]> {
+    protected async apiRequest(): Promise<EventVolume[]> {
         return new EventsApi(DEFAULT_CONFIG).eventsEventsVolumeList({
             actions: [
                 EventActions.AuthorizeApplication,
@@ -21,7 +21,7 @@ export class AdminLoginAuthorizeChart extends EventChart {
         });
     }
 
-    getChartData(data: EventVolume[]): ChartData {
+    protected getChartData(data: EventVolume[]): ChartData {
         const optsMap = new Map<EventActions, Partial<ChartDataset>>();
         optsMap.set(EventActions.AuthorizeApplication, {
             label: msg("Authorizations"),

web/src/admin/admin-overview/charts/AdminModelPerDay.ts

@@ -17,15 +17,15 @@ import { customElement, property } from "lit/decorators.js";
 @customElement("ak-charts-admin-model-per-day")
 export class AdminModelPerDay extends EventChart {
     @property()
-    action: EventActions = EventActions.ModelCreated;
+    public action: EventActions = EventActions.ModelCreated;
 
     @property()
-    label?: string;
+    public label?: string;
 
     @property({ attribute: false })
-    query?: EventsEventsVolumeListRequest;
+    public query?: EventsEventsVolumeListRequest;
 
-    async apiRequest(): Promise<EventVolume[]> {
+    protected async apiRequest(): Promise<EventVolume[]> {
         return new EventsApi(DEFAULT_CONFIG).eventsEventsVolumeList({
             action: this.action,
             historyDays: 30,
@@ -33,7 +33,7 @@ export class AdminModelPerDay extends EventChart {
         });
     }
 
-    getChartData(data: EventVolume[]): ChartData {
+    protected getChartData(data: EventVolume[]): ChartData {
         return this.eventVolume(data, {
             optsMap: new Map([
                 [

web/src/admin/admin-overview/charts/OutpostStatusChart.ts

@@ -16,11 +16,11 @@ import { customElement } from "lit/decorators.js";
 
 @customElement("ak-admin-status-chart-outpost")
 export class OutpostStatusChart extends AKChart<SummarizedSyncStatus[]> {
-    getChartType(): string {
+    public override getChartType(): string {
         return "doughnut";
     }
 
-    getOptions(): ChartOptions {
+    public override getOptions(): ChartOptions {
         return {
             plugins: {
                 legend: {
@@ -31,7 +31,7 @@ export class OutpostStatusChart extends AKChart<SummarizedSyncStatus[]> {
         };
     }
 
-    async apiRequest(): Promise<SummarizedSyncStatus[]> {
+    protected async apiRequest(): Promise<SummarizedSyncStatus[]> {
         const api = new OutpostsApi(DEFAULT_CONFIG);
         const outposts = await api.outpostsInstancesList({});
         const outpostStats: SummarizedSyncStatus[] = [];
@@ -65,7 +65,7 @@ export class OutpostStatusChart extends AKChart<SummarizedSyncStatus[]> {
         return outpostStats;
     }
 
-    getChartData(data: SummarizedSyncStatus[]): ChartData {
+    protected getChartData(data: SummarizedSyncStatus[]): ChartData {
         return {
             labels: [msg("Healthy outposts"), msg("Outdated outposts"), msg("Unhealthy outposts")],
             datasets: data.map((d) => {

web/src/admin/admin-overview/charts/SyncStatusChart.ts

@@ -29,11 +29,11 @@ export interface SummarizedSyncStatus {
 
 @customElement("ak-admin-status-chart-sync")
 export class SyncStatusChart extends AKChart<SummarizedSyncStatus[]> {
-    getChartType(): string {
+    public override getChartType(): string {
         return "doughnut";
     }
 
-    getOptions(): ChartOptions {
+    public override getOptions(): ChartOptions {
         return {
             plugins: {
                 legend: {
@@ -44,7 +44,7 @@ export class SyncStatusChart extends AKChart<SummarizedSyncStatus[]> {
         };
     }
 
-    async fetchStatus<T>(
+    protected async fetchStatus<T>(
         listObjects: () => Promise<PaginatedResponse<T>>,
         fetchSyncStatus: (element: T) => Promise<SyncStatus>,
         label: string,
@@ -92,7 +92,7 @@ export class SyncStatusChart extends AKChart<SummarizedSyncStatus[]> {
         };
     }
 
-    async apiRequest(): Promise<SummarizedSyncStatus[]> {
+    protected async apiRequest(): Promise<SummarizedSyncStatus[]> {
         const statuses = [
             await this.fetchStatus(
                 () => {
@@ -158,7 +158,7 @@ export class SyncStatusChart extends AKChart<SummarizedSyncStatus[]> {
         return statuses;
     }
 
-    getChartData(data: SummarizedSyncStatus[]): ChartData {
+    protected getChartData(data: SummarizedSyncStatus[]): ChartData {
         return {
             labels: [msg("Healthy"), msg("Failed"), msg("Unsynced / N/A")],
             datasets: data.map((d) => {

web/src/admin/admin-settings/AdminSettingsFooterLinks.ts

@@ -24,7 +24,7 @@ const hasLegalScheme = (url: string) =>
 
 @customElement("ak-admin-settings-footer-link")
 export class FooterLinkInput extends AkControlElement<FooterLink> {
-    static styles = [
+    public static override styles = [
         PFBase,
         PFInputGroup,
         PFFormControl,
@@ -37,26 +37,26 @@ export class FooterLinkInput extends AkControlElement<FooterLink> {
     ];
 
     @property({ type: Object, attribute: false })
-    footerLink: FooterLink = {
+    public footerLink: FooterLink = {
         name: "",
         href: "",
     };
 
     @queryAll(".ak-form-control")
-    controls?: HTMLInputElement[];
+    protected controls?: HTMLInputElement[];
 
-    json() {
+    public override json() {
         return Object.fromEntries(
             Array.from(this.controls ?? []).map((control) => [control.name, control.value]),
         ) as unknown as FooterLink;
     }
 
-    get isValid() {
+    public override get isValid() {
         const href = this.json()?.href ?? "";
         return hasLegalScheme(href) && URL.canParse(href);
     }
 
-    render() {
+    public override render() {
         const onChange = () => {
             this.dispatchEvent(new Event("change", { composed: true, bubbles: true }));
         };

web/src/admin/admin-settings/AdminSettingsForm.ts

@@ -33,19 +33,19 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
     // Custom property accessors in Lit 2 require a manual call to requestUpdate(). See:
     // https://lit.dev/docs/v2/components/properties/#accessors-custom
     //
-    set settings(value: Settings | undefined) {
-        this._settings = value;
+    public set settings(value: Settings | undefined) {
+        this.#settings = value;
         this.requestUpdate();
     }
 
     @property({ type: Object })
-    get settings() {
-        return this._settings;
+    public get settings() {
+        return this.#settings;
     }
 
-    private _settings?: Settings;
+    #settings?: Settings;
 
-    static styles: CSSResult[] = [
+    public static override styles: CSSResult[] = [
         ...super.styles,
         PFList,
         css`
@@ -55,11 +55,11 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
         `,
     ];
 
-    getSuccessMessage(): string {
+    public override getSuccessMessage(): string {
         return msg("Successfully updated settings.");
     }
 
-    async send(data: SettingsRequest): Promise<Settings> {
+    protected async send(data: SettingsRequest): Promise<Settings> {
         const result = await new AdminApi(DEFAULT_CONFIG).adminSettingsUpdate({
             settingsRequest: data,
         });
@@ -67,12 +67,12 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
         return result;
     }
 
-    renderForm(): TemplateResult {
+    protected override renderForm(): TemplateResult {
         return html`
             <ak-text-input
                 name="avatars"
                 label=${msg("Avatars")}
-                value="${ifDefined(this._settings?.avatars)}"
+                value="${ifDefined(this.#settings?.avatars)}"
                 input-hint="code"
                 .bighelp=${html`
                     <p class="pf-c-form__helper-text">
@@ -139,21 +139,21 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
             <ak-switch-input
                 name="defaultUserChangeName"
                 label=${msg("Allow users to change name")}
-                ?checked="${this._settings?.defaultUserChangeName}"
+                ?checked="${this.#settings?.defaultUserChangeName}"
                 help=${msg("Enable the ability for users to change their name.")}
             >
             </ak-switch-input>
             <ak-switch-input
                 name="defaultUserChangeEmail"
                 label=${msg("Allow users to change email")}
-                ?checked="${this._settings?.defaultUserChangeEmail}"
+                ?checked="${this.#settings?.defaultUserChangeEmail}"
                 help=${msg("Enable the ability for users to change their email.")}
             >
             </ak-switch-input>
             <ak-switch-input
                 name="defaultUserChangeUsername"
                 label=${msg("Allow users to change username")}
-                ?checked="${this._settings?.defaultUserChangeUsername}"
+                ?checked="${this.#settings?.defaultUserChangeUsername}"
                 help=${msg("Enable the ability for users to change their username.")}
             >
             </ak-switch-input>
@@ -162,14 +162,14 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
                 label=${msg("Event retention")}
                 input-hint="code"
                 required
-                value="${ifDefined(this._settings?.eventRetention)}"
+                value="${ifDefined(this.#settings?.eventRetention)}"
                 .bighelp=${html`<p class="pf-c-form__helper-text">
                         ${msg("Duration after which events will be deleted from the database.")}
                     </p>
                     <p class="pf-c-form__helper-text">
                         ${msg(
                             html`When using an external logging solution for archiving, this can be
-                                set to <code>minutes=5</code>.`,
+                                public set to <code>minutes=5</code>.`,
                         )}
                     </p>
                     <p class="pf-c-form__helper-text">
@@ -184,19 +184,19 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
                 label=${msg("Reputation: lower limit")}
                 required
                 name="reputationLowerLimit"
-                value="${this._settings?.reputationLowerLimit ?? DEFAULT_REPUTATION_LOWER_LIMIT}"
+                value="${this.#settings?.reputationLowerLimit ?? DEFAULT_REPUTATION_LOWER_LIMIT}"
                 help=${msg("Reputation cannot decrease lower than this value. Zero or negative.")}
             ></ak-number-input>
             <ak-number-input
                 label=${msg("Reputation: upper limit")}
                 required
                 name="reputationUpperLimit"
-                value="${this._settings?.reputationUpperLimit ?? DEFAULT_REPUTATION_UPPER_LIMIT}"
+                value="${this.#settings?.reputationUpperLimit ?? DEFAULT_REPUTATION_UPPER_LIMIT}"
                 help=${msg("Reputation cannot increase higher than this value. Zero or positive.")}
             ></ak-number-input>
             <ak-form-element-horizontal label=${msg("Footer links")} name="footerLinks">
                 <ak-array-input
-                    .items=${this._settings?.footerLinks ?? []}
+                    .items=${this.#settings?.footerLinks ?? []}
                     .newItem=${() => ({ name: "", href: "" })}
                     .row=${(f?: FooterLink) =>
                         akFooterLinkInput({
@@ -215,7 +215,7 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
             <ak-switch-input
                 name="gdprCompliance"
                 label=${msg("GDPR compliance")}
-                ?checked="${this._settings?.gdprCompliance}"
+                ?checked="${this.#settings?.gdprCompliance}"
                 help=${msg(
                     "When enabled, all the events caused by a user will be deleted upon the user's deletion.",
                 )}
@@ -224,14 +224,14 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
             <ak-switch-input
                 name="impersonation"
                 label=${msg("Impersonation")}
-                ?checked="${this._settings?.impersonation}"
+                ?checked="${this.#settings?.impersonation}"
                 help=${msg("Globally enable/disable impersonation.")}
             >
             </ak-switch-input>
             <ak-switch-input
                 name="impersonationRequireReason"
                 label=${msg("Require reason for impersonation")}
-                ?checked="${this._settings?.impersonationRequireReason}"
+                ?checked="${this.#settings?.impersonationRequireReason}"
                 help=${msg("Require administrators to provide a reason for impersonating a user.")}
             >
             </ak-switch-input>
@@ -240,7 +240,7 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
                 label=${msg("Default token duration")}
                 input-hint="code"
                 required
-                value="${ifDefined(this._settings?.defaultTokenDuration)}"
+                value="${ifDefined(this.#settings?.defaultTokenDuration)}"
                 .bighelp=${html`<p class="pf-c-form__helper-text">
                         ${msg("Default duration for generated tokens")}
                     </p>
@@ -251,7 +251,7 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
                 label=${msg("Default token length")}
                 required
                 name="defaultTokenLength"
-                value="${this._settings?.defaultTokenLength ?? 60}"
+                value="${this.#settings?.defaultTokenLength ?? 60}"
                 help=${msg("Default length of generated tokens")}
             ></ak-number-input>
         `;

web/src/admin/admin-settings/AdminSettingsPage.ts

@@ -33,7 +33,7 @@ import PFBase from "@patternfly/patternfly/patternfly-base.css";
 
 @customElement("ak-admin-settings")
 export class AdminSettingsPage extends AKElement {
-    static styles = [
+    public static override styles = [
         PFBase,
         PFButton,
         PFPage,
@@ -52,7 +52,7 @@ export class AdminSettingsPage extends AKElement {
     @state()
     protected settings?: Settings;
 
-    constructor() {
+    public constructor() {
         super();
 
         this.#refresh();
@@ -74,7 +74,7 @@ export class AdminSettingsPage extends AKElement {
         return this.form?.reset();
     };
 
-    render() {
+    public override render() {
         if (!this.settings) return nothing;
 
         return html`

web/src/admin/applications/ApplicationAuthorizeChart.ts

@@ -12,16 +12,16 @@ import { customElement, property } from "lit/decorators.js";
 @customElement("ak-charts-application-authorize")
 export class ApplicationAuthorizeChart extends EventChart {
     @property({ attribute: "application-id" })
-    applicationId!: string;
+    public applicationId!: string;
 
-    async apiRequest(): Promise<EventVolume[]> {
+    protected async apiRequest(): Promise<EventVolume[]> {
         return new EventsApi(DEFAULT_CONFIG).eventsEventsVolumeList({
             action: EventActions.AuthorizeApplication,
             contextAuthorizedApp: this.applicationId.replaceAll("-", ""),
         });
     }
 
-    getChartData(data: EventVolume[]): ChartData {
+    protected getChartData(data: EventVolume[]): ChartData {
         return this.eventVolume(data, {
             optsMap: new Map([
                 [

web/src/admin/applications/ApplicationCheckAccessForm.ts

@@ -24,19 +24,19 @@ import PFDescriptionList from "@patternfly/patternfly/components/DescriptionList
 @customElement("ak-application-check-access-form")
 export class ApplicationCheckAccessForm extends Form<{ forUser: number }> {
     @property({ attribute: false })
-    application!: Application;
+    public application!: Application;
 
     @property({ attribute: false })
-    result: PolicyTestResult | null = null;
+    public result: PolicyTestResult | null = null;
 
     @property({ attribute: false })
-    request?: number;
+    public request?: number;
 
-    getSuccessMessage(): string {
+    public override getSuccessMessage(): string {
         return msg("Successfully sent test-request.");
     }
 
-    async send(data: { forUser: number }): Promise<PolicyTestResult> {
+    protected async send(data: { forUser: number }): Promise<PolicyTestResult> {
         this.request = data.forUser;
         const result = await new CoreApi(DEFAULT_CONFIG).coreApplicationsCheckAccessRetrieve({
             slug: this.application?.slug,
@@ -45,14 +45,14 @@ export class ApplicationCheckAccessForm extends Form<{ forUser: number }> {
         return (this.result = result);
     }
 
-    reset(): void {
+    public override reset(): void {
         super.reset();
         this.result = null;
     }
 
-    static styles: CSSResult[] = [...super.styles, PFDescriptionList];
+    public static override styles: CSSResult[] = [...super.styles, PFDescriptionList];
 
-    renderResult(): TemplateResult {
+    protected renderResult(): TemplateResult {
         return html`
             <ak-form-element-horizontal label=${msg("Passing")}>
                 <div class="pf-c-form__group-label">
@@ -92,7 +92,7 @@ export class ApplicationCheckAccessForm extends Form<{ forUser: number }> {
         `;
     }
 
-    renderForm(): TemplateResult {
+    protected override renderForm(): TemplateResult {
         return html`<ak-form-element-horizontal label=${msg("User")} required name="forUser">
                 <ak-search-select
                     .fetchObjects=${async (query?: string): Promise<User[]> => {

web/src/admin/applications/ApplicationForm.ts

@@ -33,14 +33,7 @@ import { ifDefined } from "lit/directives/if-defined.js";
 
 @customElement("ak-application-form")
 export class ApplicationForm extends WithCapabilitiesConfig(ModelForm<Application, string>) {
-    constructor() {
-        super();
-        this.handleConfirmBackchannelProviders = this.handleConfirmBackchannelProviders.bind(this);
-        this.makeRemoveBackchannelProviderHandler =
-            this.makeRemoveBackchannelProviderHandler.bind(this);
-    }
-
-    async loadInstance(pk: string): Promise<Application> {
+    protected async loadInstance(pk: string): Promise<Application> {
         const app = await new CoreApi(DEFAULT_CONFIG).coreApplicationsRetrieve({
             slug: pk,
         });
@@ -50,21 +43,21 @@ export class ApplicationForm extends WithCapabilitiesConfig(ModelForm<Applicatio
     }
 
     @property({ attribute: false })
-    provider?: number;
+    public provider?: number;
 
     @state()
-    backchannelProviders: Provider[] = [];
+    protected backchannelProviders: Provider[] = [];
 
     @property({ type: Boolean })
-    clearIcon = false;
+    public clearIcon = false;
 
-    getSuccessMessage(): string {
+    public override getSuccessMessage(): string {
         return this.instance
             ? msg("Successfully updated application.")
             : msg("Successfully created application.");
     }
 
-    async send(data: Application): Promise<Application | void> {
+    protected async send(data: Application): Promise<Application | void> {
         let app: Application;
         data.backchannelProviders = this.backchannelProviders.map((p) => p.pk);
         if (this.instance) {
@@ -97,21 +90,21 @@ export class ApplicationForm extends WithCapabilitiesConfig(ModelForm<Applicatio
         return app;
     }
 
-    handleConfirmBackchannelProviders(items: Provider[]) {
+    #confirmBackchannelProviders = (items: Provider[]) => {
         this.backchannelProviders = items;
         this.requestUpdate();
         return Promise.resolve();
-    }
+    };
 
-    makeRemoveBackchannelProviderHandler(provider: Provider) {
+    #removeBackchannelProvider = (provider: Provider) => {
         return () => {
             const idx = this.backchannelProviders.indexOf(provider);
             this.backchannelProviders.splice(idx, 1);
             this.requestUpdate();
         };
-    }
+    };
 
-    handleClearIcon(ev: Event) {
+    protected handleClearIcon(ev: Event) {
         ev.stopPropagation();
         if (!(ev instanceof InputEvent) || !ev.target) {
             return;
@@ -119,7 +112,7 @@ export class ApplicationForm extends WithCapabilitiesConfig(ModelForm<Applicatio
         this.clearIcon = !!(ev.target as HTMLInputElement).checked;
     }
 
-    renderForm(): TemplateResult {
+    protected override renderForm(): TemplateResult {
         const alertMsg = msg(
             "Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.",
         );
@@ -164,8 +157,8 @@ export class ApplicationForm extends WithCapabilitiesConfig(ModelForm<Applicatio
                     "Select backchannel providers which augment the functionality of the main provider.",
                 )}
                 .providers=${this.backchannelProviders}
-                .confirm=${this.handleConfirmBackchannelProviders}
-                .remover=${this.makeRemoveBackchannelProviderHandler}
+                .confirm=${this.#confirmBackchannelProviders}
+                .remover=${this.#removeBackchannelProvider}
                 .tooltip=${html`<pf-tooltip
                     position="top"
                     content=${msg("Add provider")}

web/src/admin/applications/ApplicationListPage.ts

@@ -43,37 +43,40 @@ export const applicationListStyle = css`
 
 @customElement("ak-application-list")
 export class ApplicationListPage extends WithBrandConfig(TablePage<Application>) {
-    searchEnabled(): boolean {
+    protected override searchEnabled(): boolean {
         return true;
     }
-    pageTitle(): string {
+
+    protected pageTitle(): string {
         return msg("Applications");
     }
-    pageDescription(): string {
+
+    protected pageDescription(): string {
         return msg(
             str`External applications that use ${this.brandingTitle} as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.`,
         );
     }
-    pageIcon(): string {
+
+    protected pageIcon(): string {
         return "pf-icon pf-icon-applications";
     }
 
-    checkbox = true;
-    clearOnRefresh = true;
+    public override checkbox = true;
+    public override clearOnRefresh = true;
 
     @property()
-    order = "name";
+    public override order = "name";
 
-    async apiEndpoint(): Promise<PaginatedResponse<Application>> {
+    protected async apiEndpoint(): Promise<PaginatedResponse<Application>> {
         return new CoreApi(DEFAULT_CONFIG).coreApplicationsList({
             ...(await this.defaultEndpointConfig()),
             superuserFullList: true,
         });
     }
 
-    static styles: CSSResult[] = [...TablePage.styles, PFCard, applicationListStyle];
+    public static styles: CSSResult[] = [...TablePage.styles, PFCard, applicationListStyle];
 
-    columns(): TableColumn[] {
+    protected columns(): TableColumn[] {
         return [
             new TableColumn(""),
             new TableColumn(msg("Name"), "name"),
@@ -84,7 +87,7 @@ export class ApplicationListPage extends WithBrandConfig(TablePage<Application>)
         ];
     }
 
-    protected renderSidebarAfter(): TemplateResult {
+    protected override renderSidebarAfter(): TemplateResult {
         return html`<div class="pf-c-sidebar__panel pf-m-width-25">
             <div class="pf-c-card">
                 <div class="pf-c-card__body">
@@ -94,7 +97,7 @@ export class ApplicationListPage extends WithBrandConfig(TablePage<Application>)
         </div>`;
     }
 
-    renderToolbarSelected(): TemplateResult {
+    protected override renderToolbarSelected(): TemplateResult {
         const disabled = this.selectedElements.length < 1;
         return html`<ak-forms-delete-bulk
             objectLabel=${msg("Application(s)")}
@@ -116,7 +119,7 @@ export class ApplicationListPage extends WithBrandConfig(TablePage<Application>)
         </ak-forms-delete-bulk>`;
     }
 
-    row(item: Application): TemplateResult[] {
+    protected row(item: Application): TemplateResult[] {
         return [
             html`<ak-app-icon
                 name=${item.name}
@@ -154,7 +157,7 @@ export class ApplicationListPage extends WithBrandConfig(TablePage<Application>)
         ];
     }
 
-    renderObjectCreate(): TemplateResult {
+    protected override renderObjectCreate(): TemplateResult {
         return html` <ak-application-wizard .open=${getURLParam("createWizard", false)}>
                 <button
                     slot="trigger"
@@ -172,7 +175,7 @@ export class ApplicationListPage extends WithBrandConfig(TablePage<Application>)
             </ak-forms-modal>`;
     }
 
-    renderToolbar(): TemplateResult {
+    protected override renderToolbar(): TemplateResult {
         return html` ${super.renderToolbar()}
             <ak-forms-confirm
                 successMessage=${msg("Successfully cleared application cache")}

web/src/admin/applications/ApplicationViewPage.ts

@@ -41,15 +41,15 @@ import PFBase from "@patternfly/patternfly/patternfly-base.css";
 @customElement("ak-application-view")
 export class ApplicationViewPage extends AKElement {
     @property({ type: String })
-    applicationSlug?: string;
+    public applicationSlug?: string;
 
     @state()
-    application?: Application;
+    protected application?: Application;
 
     @state()
-    missingOutpost = false;
+    protected missingOutpost = false;
 
-    static styles: CSSResult[] = [
+    public static override styles: CSSResult[] = [
         PFBase,
         PFList,
         PFBanner,
@@ -61,7 +61,7 @@ export class ApplicationViewPage extends AKElement {
         PFCard,
     ];
 
-    fetchIsMissingOutpost(providersByPk: Array<number>) {
+    protected fetchIsMissingOutpost(providersByPk: Array<number>) {
         new OutpostsApi(DEFAULT_CONFIG)
             .outpostsInstancesList({
                 providersByPk,
@@ -74,7 +74,7 @@ export class ApplicationViewPage extends AKElement {
             });
     }
 
-    fetchApplication(slug: string) {
+    protected fetchApplication(slug: string) {
         new CoreApi(DEFAULT_CONFIG).coreApplicationsRetrieve({ slug }).then((app) => {
             this.application = app;
             if (
@@ -89,13 +89,13 @@ export class ApplicationViewPage extends AKElement {
         });
     }
 
-    willUpdate(changedProperties: PropertyValues<this>) {
+    public override willUpdate(changedProperties: PropertyValues<this>) {
         if (changedProperties.has("applicationSlug") && this.applicationSlug) {
             this.fetchApplication(this.applicationSlug);
         }
     }
 
-    render(): TemplateResult {
+    public override render(): TemplateResult {
         return html`<ak-page-header
                 header=${this.application?.name || msg("Loading")}
                 description=${ifDefined(this.application?.metaPublisher)}
@@ -110,7 +110,7 @@ export class ApplicationViewPage extends AKElement {
             ${this.renderApp()}`;
     }
 
-    renderApp(): TemplateResult {
+    protected renderApp(): TemplateResult {
         if (!this.application) {
             return html`<ak-empty-state default-label></ak-empty-state>`;
         }

web/src/admin/applications/ApplicationWizardHint.ts

@@ -35,7 +35,7 @@ const closeButtonIcon = html`<svg
 
 @customElement("ak-application-wizard-hint")
 export class AkApplicationWizardHint extends AKElement implements ShowHintControllerHost {
-    static styles = [
+    public static override styles = [
         PFBase,
         PFButton,
         PFPage,
@@ -51,14 +51,14 @@ export class AkApplicationWizardHint extends AKElement implements ShowHintContro
     ];
 
     @property({ type: Boolean, attribute: "show-hint" })
-    forceHint: boolean = false;
+    public forceHint: boolean = false;
 
     @state()
-    showHint: boolean = true;
+    public showHint: boolean = true;
 
-    showHintController: ShowHintController;
+    public showHintController: ShowHintController;
 
-    constructor() {
+    public constructor() {
         super();
         this.showHintController = new ShowHintController(
             this,
@@ -66,7 +66,7 @@ export class AkApplicationWizardHint extends AKElement implements ShowHintContro
         );
     }
 
-    renderReminder() {
+    protected renderReminder() {
         const sectionStyles = {
             paddingBottom: "0",
             marginBottom: "-0.5rem",
@@ -98,7 +98,7 @@ export class AkApplicationWizardHint extends AKElement implements ShowHintContro
         </section>`;
     }
 
-    renderHint() {
+    protected renderHint() {
         return html` <section class="pf-c-page__main-section pf-m-no-padding-mobile">
             <ak-hint>
                 <ak-hint-body>
@@ -122,7 +122,7 @@ export class AkApplicationWizardHint extends AKElement implements ShowHintContro
         </section>`;
     }
 
-    render() {
+    public override render() {
         return this.showHint || this.forceHint ? this.renderHint() : this.renderReminder();
     }
 }

web/src/admin/applications/ProviderSelectModal.ts

@@ -13,33 +13,33 @@ import { customElement, property } from "lit/decorators.js";
 
 @customElement("ak-provider-select-table")
 export class ProviderSelectModal extends TableModal<Provider> {
-    checkbox = true;
-    checkboxChip = true;
+    public override checkbox = true;
+    public override checkboxChip = true;
 
-    searchEnabled(): boolean {
+    protected override searchEnabled(): boolean {
         return true;
     }
 
     @property({ type: Boolean })
-    backchannel = false;
+    public backchannel = false;
 
     @property()
-    confirm!: (selectedItems: Provider[]) => Promise<unknown>;
+    public confirm!: (selectedItems: Provider[]) => Promise<unknown>;
 
-    order = "name";
+    public override order = "name";
 
-    async apiEndpoint(): Promise<PaginatedResponse<Provider>> {
+    protected async apiEndpoint(): Promise<PaginatedResponse<Provider>> {
         return new ProvidersApi(DEFAULT_CONFIG).providersAllList({
             ...(await this.defaultEndpointConfig()),
             backchannel: this.backchannel,
         });
     }
 
-    columns(): TableColumn[] {
+    protected columns(): TableColumn[] {
         return [new TableColumn(msg("Name"), "username"), new TableColumn(msg("Type"))];
     }
 
-    row(item: Provider): TemplateResult[] {
+    protected row(item: Provider): TemplateResult[] {
         return [
             html`<div>
                 <div>${item.name}</div>
@@ -48,11 +48,11 @@ export class ProviderSelectModal extends TableModal<Provider> {
         ];
     }
 
-    renderSelectedChip(item: Provider): TemplateResult {
+    protected override renderSelectedChip(item: Provider): TemplateResult {
         return html`${item.name}`;
     }
 
-    renderModalInner(): TemplateResult {
+    protected override renderModalInner(): TemplateResult {
         return html`<section class="pf-c-modal-box__header pf-c-page__main-section pf-m-light">
                 <div class="pf-c-content">
                     <h1 class="pf-c-title pf-m-2xl">

web/src/admin/applications/components/ak-backchannel-input.ts

@@ -24,38 +24,38 @@ export class AkBackchannelProvidersInput extends AKElement {
     // visual clutter and legibility issues of ak-form-elemental-horizontal and patternfly in
     // general.
 
-    protected createRenderRoot() {
+    protected override createRenderRoot() {
         return this as HTMLElement;
     }
 
     @property({ type: String })
-    name!: string;
+    public name!: string;
 
     @property({ type: String })
-    label = "";
+    public label = "";
 
     @property({ type: Array })
-    providers: Provider[] = [];
+    public providers: Provider[] = [];
 
     @property({ type: Object })
-    tooltip?: TemplateResult;
+    public tooltip?: TemplateResult;
 
     @property({ attribute: false, type: Object })
-    confirm!: ({ items }: { items: Provider[] }) => Promise<void>;
+    public confirm!: ({ items }: { items: Provider[] }) => Promise<void>;
 
     @property({ attribute: false, type: Object })
-    remover!: (provider: Provider) => () => void;
+    public remover!: (provider: Provider) => () => void;
 
     @property({ type: String })
-    value = "";
+    public value = "";
 
     @property({ type: Boolean })
-    required = false;
+    public required = false;
 
     @property({ type: String })
-    help = "";
+    public help = "";
 
-    render() {
+    public override render() {
         const renderOneChip = (provider: Provider) =>
             html`<ak-chip
                 removable

web/src/admin/applications/components/ak-provider-search-input.ts

@@ -34,38 +34,38 @@ export class AkProviderInput extends AKElement {
     // TODO: This abstraction is wrong; it's putting *more* layers in as a way of managing the
     // visual clutter and legibility issues of ak-form-elemental-horizontal and patternfly in
     // general.
-    protected createRenderRoot() {
+    protected override createRenderRoot() {
         return this;
     }
 
     @property({ type: String })
-    name!: string;
+    public name!: string;
 
     @property({ type: String })
-    label = "";
+    public label = "";
 
     @property({ type: Number })
-    value?: number;
+    public value?: number;
 
     @property({ type: Boolean })
-    required = false;
+    public required = false;
 
     @property({ type: Boolean })
-    blankable = false;
+    public blankable = false;
 
     @property({ type: String })
-    help = "";
+    public help = "";
 
-    constructor() {
+    public constructor() {
         super();
         this.selected = this.selected.bind(this);
     }
 
-    selected(item: Provider) {
+    protected selected(item: Provider) {
         return this.value !== undefined && this.value === item.pk;
     }
 
-    render() {
+    public override render() {
         return html` <ak-form-element-horizontal label=${this.label} name=${this.name}>
             <ak-search-select
                 .selected=${this.selected}

web/src/admin/applications/entitlements/ApplicationEntitlementForm.ts

@@ -20,25 +20,25 @@ import PFContent from "@patternfly/patternfly/components/Content/content.css";
 
 @customElement("ak-application-entitlement-form")
 export class ApplicationEntitlementForm extends ModelForm<ApplicationEntitlement, string> {
-    async loadInstance(pk: string): Promise<ApplicationEntitlement> {
+    protected async loadInstance(pk: string): Promise<ApplicationEntitlement> {
         return new CoreApi(DEFAULT_CONFIG).coreApplicationEntitlementsRetrieve({
             pbmUuid: pk,
         });
     }
 
     @property()
-    targetPk?: string;
+    public targetPk?: string;
 
-    getSuccessMessage(): string {
+    public override getSuccessMessage(): string {
         if (this.instance?.pbmUuid) {
             return msg("Successfully updated entitlement.");
         }
         return msg("Successfully created entitlement.");
     }
 
-    static styles: CSSResult[] = [...super.styles, PFContent];
+    public static override styles: CSSResult[] = [...super.styles, PFContent];
 
-    send(data: ApplicationEntitlement): Promise<unknown> {
+    protected send(data: ApplicationEntitlement): Promise<unknown> {
         if (this.targetPk) {
             data.app = this.targetPk;
         }
@@ -53,7 +53,7 @@ export class ApplicationEntitlementForm extends ModelForm<ApplicationEntitlement
         });
     }
 
-    renderForm(): TemplateResult {
+    protected override renderForm(): TemplateResult {
         return html` <ak-form-element-horizontal label=${msg("Name")} required name="name">
                 <input
                     type="text"

web/src/admin/applications/entitlements/ApplicationEntitlementPage.ts

@@ -28,26 +28,26 @@ import { ifDefined } from "lit/directives/if-defined.js";
 @customElement("ak-application-entitlements-list")
 export class ApplicationEntitlementsPage extends Table<ApplicationEntitlement> {
     @property()
-    app?: string;
+    public app?: string;
 
-    checkbox = true;
-    clearOnRefresh = true;
-    expandable = true;
+    public override checkbox = true;
+    public override clearOnRefresh = true;
+    public override expandable = true;
 
-    order = "order";
+    public override order = "order";
 
-    async apiEndpoint(): Promise<PaginatedResponse<ApplicationEntitlement>> {
+    protected async apiEndpoint(): Promise<PaginatedResponse<ApplicationEntitlement>> {
         return new CoreApi(DEFAULT_CONFIG).coreApplicationEntitlementsList({
             ...(await this.defaultEndpointConfig()),
             app: this.app || "",
         });
     }
 
-    columns(): TableColumn[] {
+    protected columns(): TableColumn[] {
         return [new TableColumn(msg("Name"), "name"), new TableColumn(msg("Actions"))];
     }
 
-    renderToolbarSelected(): TemplateResult {
+    protected override renderToolbarSelected(): TemplateResult {
         const disabled = this.selectedElements.length < 1;
         return html`<ak-forms-delete-bulk
             objectLabel=${msg("Application entitlement(s)")}
@@ -69,7 +69,7 @@ export class ApplicationEntitlementsPage extends Table<ApplicationEntitlement> {
         </ak-forms-delete-bulk>`;
     }
 
-    row(item: ApplicationEntitlement): TemplateResult[] {
+    protected row(item: ApplicationEntitlement): TemplateResult[] {
         return [
             html`${item.name}`,
             html`<ak-forms-modal size=${PFSize.Medium}>
@@ -95,7 +95,7 @@ export class ApplicationEntitlementsPage extends Table<ApplicationEntitlement> {
         ];
     }
 
-    renderExpanded(item: ApplicationEntitlement): TemplateResult {
+    protected override renderExpanded(item: ApplicationEntitlement): TemplateResult {
         return html`<td></td>
             <td role="cell" colspan="4">
                 <div class="pf-c-table__expandable-row-content">
@@ -118,7 +118,7 @@ export class ApplicationEntitlementsPage extends Table<ApplicationEntitlement> {
             </td>`;
     }
 
-    renderEmpty(): TemplateResult {
+    protected override renderEmpty(): TemplateResult {
         return super.renderEmpty(
             html`<ak-empty-state icon="pf-icon-module"
                 ><span>${msg("No app entitlements created.")}</span>
@@ -133,7 +133,7 @@ export class ApplicationEntitlementsPage extends Table<ApplicationEntitlement> {
         );
     }
 
-    renderToolbar(): TemplateResult {
+    protected override renderToolbar(): TemplateResult {
         return html`<ak-forms-modal size=${PFSize.Medium}>
             <span slot="submit"> ${msg("Create")} </span>
             <span slot="header"> ${msg("Create Entitlement")} </span>

web/src/admin/applications/wizard/ApplicationWizardStep.ts

@@ -21,22 +21,24 @@ import { msg } from "@lit/localize";
 import { property, query } from "lit/decorators.js";
 
 export class ApplicationWizardStep<T = Record<string, unknown>> extends WizardStep {
-    static styles = [...WizardStep.styles, ...styles];
+    public static override styles = [...WizardStep.styles, ...styles];
 
     @property({ type: Object, attribute: false })
-    wizard!: ApplicationWizardState;
+    public wizard!: ApplicationWizardState;
 
     // As recommended in [WizardStep](../../../components/ak-wizard/WizardStep.ts), we override
     // these fields and provide them to all the child classes.
-    wizardTitle = msg("New application");
-    wizardDescription = msg("Create a new application and configure a provider for it.");
-    canCancel = true;
+    public override wizardTitle = msg("New application");
+    public override wizardDescription = msg(
+        "Create a new application and configure a provider for it.",
+    );
+    public override canCancel = true;
 
     // This should be overridden in the children for more precise targeting.
     @query("form")
-    form!: HTMLFormElement;
+    protected form!: HTMLFormElement;
 
-    get formValues(): T {
+    public get formValues(): T {
         return serializeForm<T>([
             ...this.form.querySelectorAll("ak-form-element-horizontal"),
             ...this.form.querySelectorAll("[data-ak-control]"),

web/src/admin/applications/wizard/ak-application-wizard-main.ts

@@ -35,19 +35,19 @@ const freshWizardState = (): ApplicationWizardState => ({
 @customElement("ak-application-wizard-main")
 export class AkApplicationWizardMain extends AKElement {
     @state()
-    wizard: ApplicationWizardState = freshWizardState();
+    protected wizard: ApplicationWizardState = freshWizardState();
 
-    wizardProviderProvider = new ContextProvider(this, {
+    protected wizardProviderProvider = new ContextProvider(this, {
         context: applicationWizardProvidersContext,
         initialValue: [],
     });
 
-    constructor() {
+    public constructor() {
         super();
         this.addEventListener(WizardUpdateEvent.eventName, this.handleUpdate);
     }
 
-    connectedCallback() {
+    public override connectedCallback() {
         super.connectedCallback();
         new ProvidersApi(DEFAULT_CONFIG).providersAllTypesList().then((providerTypes) => {
             const wizardReadyProviders = Object.keys(providerTypeRenderers);
@@ -70,7 +70,7 @@ export class AkApplicationWizardMain extends AKElement {
 
     // This is the actual top of the Wizard; so this is where we accept the update information and
     // incorporate it into the wizard.
-    handleUpdate(ev: WizardUpdateEvent<ApplicationWizardStateUpdate>) {
+    protected handleUpdate(ev: WizardUpdateEvent<ApplicationWizardStateUpdate>) {
         ev.stopPropagation();
         const update = ev.content;
         if (update !== undefined) {
@@ -81,7 +81,7 @@ export class AkApplicationWizardMain extends AKElement {
         }
     }
 
-    render() {
+    public override render() {
         return html`<ak-wizard-steps>
             <ak-application-wizard-application-step
                 slot="application"

web/src/admin/applications/wizard/ak-application-wizard.ts

@@ -1,7 +1,6 @@
 import "./ak-application-wizard-main.js";
 
 import { ModalButton } from "#elements/buttons/ModalButton";
-import { bound } from "#elements/decorators/bound";
 
 import { WizardCloseEvent } from "#components/ak-wizard/events";
 
@@ -10,18 +9,17 @@ import { customElement } from "lit/decorators.js";
 
 @customElement("ak-application-wizard")
 export class AkApplicationWizard extends ModalButton {
-    constructor() {
+    public constructor() {
         super();
-        this.addEventListener(WizardCloseEvent.eventName, this.onCloseEvent);
+        this.addEventListener(WizardCloseEvent.eventName, this.#closeListener);
     }
 
-    @bound
-    onCloseEvent(ev: WizardCloseEvent) {
-        ev.stopPropagation();
+    #closeListener = (event: WizardCloseEvent) => {
+        event.stopPropagation();
         this.open = false;
-    }
+    };
 
-    renderModalInner() {
+    protected override renderModalInner() {
         return html` <ak-application-wizard-main> </ak-application-wizard-main>`;
     }
 }

web/src/admin/applications/wizard/ak-wizard-title.ts

@@ -8,7 +8,7 @@ import PFTitle from "@patternfly/patternfly/components/Title/title.css";
 
 @customElement("ak-wizard-title")
 export class AkWizardTitle extends AKElement {
-    static styles = [
+    public static override styles = [
         PFContent,
         PFTitle,
         css`
@@ -18,7 +18,7 @@ export class AkWizardTitle extends AKElement {
         `,
     ];
 
-    render() {
+    public override render() {
         return html`<div class="ak-bottom-spacing pf-c-content">
             <h3><slot></slot></h3>
         </div>`;

web/src/admin/applications/wizard/steps/ak-application-wizard-application-step.ts

@@ -34,21 +34,21 @@ const isStr = (v: any): v is string => typeof v === "string";
 
 @customElement("ak-application-wizard-application-step")
 export class ApplicationWizardApplicationStep extends ApplicationWizardStep {
-    label = msg("Application");
+    public override label = msg("Application");
 
     @state()
-    errors = new Map<string, string>();
+    protected errors = new Map<string, string>();
 
     @query("form#applicationform")
-    form!: HTMLFormElement;
+    protected override form!: HTMLFormElement;
 
-    constructor() {
+    public constructor() {
         super();
         // This is the first step. Ensure it is always enabled.
         this.enabled = true;
     }
 
-    errorMessages(name: string) {
+    protected errorMessages(name: string) {
         return this.errors.has(name)
             ? [this.errors.get(name)]
             : (this.wizard.errors?.app?.[name] ??
@@ -56,11 +56,11 @@ export class ApplicationWizardApplicationStep extends ApplicationWizardStep {
                   []);
     }
 
-    get buttons(): WizardButton[] {
+    public override get buttons(): WizardButton[] {
         return [{ kind: "next", destination: "provider-choice" }, { kind: "cancel" }];
     }
 
-    get valid() {
+    public get valid() {
         this.errors = new Map();
         const values = trimMany(this.formValues ?? {}, ["metaLaunchUrl", "name", "slug"]);
 
@@ -81,7 +81,7 @@ export class ApplicationWizardApplicationStep extends ApplicationWizardStep {
         return this.errors.size === 0;
     }
 
-    override handleButton(button: NavigableButton) {
+    protected override handleButton(button: NavigableButton) {
         if (button.kind === "next") {
             if (!this.valid) {
                 this.handleEnabling({
@@ -109,7 +109,7 @@ export class ApplicationWizardApplicationStep extends ApplicationWizardStep {
         super.handleButton(button);
     }
 
-    renderForm(app: Partial<ApplicationRequest>, errors: ValidationRecord) {
+    protected renderForm(app: Partial<ApplicationRequest>, errors: ValidationRecord) {
         return html` <ak-wizard-title>${msg("Configure The Application")}</ak-wizard-title>
             <form id="applicationform" class="pf-c-form pf-m-horizontal" slot="form">
                 <ak-text-input
@@ -177,7 +177,7 @@ export class ApplicationWizardApplicationStep extends ApplicationWizardStep {
             </form>`;
     }
 
-    renderMain() {
+    protected override renderMain() {
         if (!(this.wizard.app && this.wizard.errors)) {
             throw new Error("Application Step received uninitialized wizard context.");
         }

web/src/admin/applications/wizard/steps/ak-application-wizard-bindings-step.ts

@@ -35,9 +35,9 @@ const COLUMNS = [
 
 @customElement("ak-application-wizard-bindings-step")
 export class ApplicationWizardBindingsStep extends ApplicationWizardStep {
-    label = msg("Configure Bindings");
+    public override label = msg("Configure Bindings");
 
-    get buttons(): WizardButton[] {
+    public override get buttons(): WizardButton[] {
         return [
             { kind: "next", destination: "submit" },
             { kind: "back", destination: "provider" },
@@ -46,9 +46,9 @@ export class ApplicationWizardBindingsStep extends ApplicationWizardStep {
     }
 
     @query("ak-select-table")
-    selectTable!: SelectTable;
+    protected selectTable!: SelectTable;
 
-    static styles = [
+    public static override styles = [
         ...super.styles,
         PFCard,
         css`
@@ -58,7 +58,7 @@ export class ApplicationWizardBindingsStep extends ApplicationWizardStep {
         `,
     ];
 
-    get bindingsAsColumns() {
+    public get bindingsAsColumns() {
         return this.wizard.bindings.map((binding, index) => {
             const { order, enabled, timeout } = binding;
             const isSet = P.union(P.string.minLength(1), P.number);
@@ -85,13 +85,13 @@ export class ApplicationWizardBindingsStep extends ApplicationWizardStep {
 
     // TODO Fix those dispatches so that we handle them here, in this component, and *choose* how to
     // forward them.
-    onBindingEvent(binding?: number) {
+    protected onBindingEvent(binding?: number) {
         this.handleUpdate({ currentBinding: binding ?? -1 }, "edit-binding", {
             enable: "edit-binding",
         });
     }
 
-    onDeleteBindings() {
+    protected onDeleteBindings() {
         const toDelete = this.selectTable
             .json()
             .map((i) => (typeof i === "string" ? parseInt(i, 10) : i));
@@ -99,7 +99,7 @@ export class ApplicationWizardBindingsStep extends ApplicationWizardStep {
         this.handleUpdate({ bindings }, "bindings");
     }
 
-    renderEmptyCollection() {
+    protected renderEmptyCollection() {
         return html`<ak-wizard-title
                 >${msg("Configure Policy/User/Group Bindings")}</ak-wizard-title
             >
@@ -133,7 +133,7 @@ export class ApplicationWizardBindingsStep extends ApplicationWizardStep {
             </div>`;
     }
 
-    renderCollection() {
+    protected renderCollection() {
         return html` <ak-wizard-title>${msg("Configure Policy Bindings")}</ak-wizard-title>
             <h6 class="pf-c-title pf-m-md">
                 ${msg("These policies control which users can access this application.")}
@@ -152,7 +152,7 @@ export class ApplicationWizardBindingsStep extends ApplicationWizardStep {
             ></ak-select-table>`;
     }
 
-    renderMain() {
+    protected override renderMain() {
         if ((this.wizard.bindings ?? []).length === 0) {
             return this.renderEmptyCollection();
         }

web/src/admin/applications/wizard/steps/ak-application-wizard-edit-binding-step.ts

@@ -44,24 +44,27 @@ const PASS_FAIL = [
 
 @customElement("ak-application-wizard-edit-binding-step")
 export class ApplicationWizardEditBindingStep extends ApplicationWizardStep {
-    label = msg("Edit Binding");
+    public override label = msg("Edit Binding");
 
-    hide = true;
+    public override hide = true;
 
     @query("form#bindingform")
-    form!: HTMLFormElement;
+    protected override form!: HTMLFormElement;
 
     @query(".policy-search-select")
-    searchSelect!: SearchSelectBase<Policy> | SearchSelectBase<Group> | SearchSelectBase<User>;
+    protected searchSelect!:
+        | SearchSelectBase<Policy>
+        | SearchSelectBase<Group>
+        | SearchSelectBase<User>;
 
     @state()
-    policyGroupUser: target = target.policy;
+    protected policyGroupUser: target = target.policy;
 
-    instanceId = -1;
+    protected instanceId = -1;
 
-    instance?: PolicyBinding;
+    protected instance?: PolicyBinding;
 
-    get buttons(): WizardButton[] {
+    public override get buttons(): WizardButton[] {
         return [
             { kind: "next", label: msg("Save Binding"), destination: "bindings" },
             { kind: "back", destination: "bindings" },
@@ -69,7 +72,7 @@ export class ApplicationWizardEditBindingStep extends ApplicationWizardStep {
         ];
     }
 
-    override handleButton(button: NavigableButton) {
+    protected override handleButton(button: NavigableButton) {
         if (button.kind === "next") {
             if (!this.form.checkValidity()) {
                 return;
@@ -98,7 +101,7 @@ export class ApplicationWizardEditBindingStep extends ApplicationWizardStep {
 
     // The search select configurations for the three different types of fetches that we care about,
     // policy, user, and group, all using the SearchSelectEZ protocol.
-    searchSelectConfigs(kind: target) {
+    protected searchSelectConfigs(kind: target) {
         switch (kind) {
             case target.policy:
                 return {
@@ -151,7 +154,7 @@ export class ApplicationWizardEditBindingStep extends ApplicationWizardStep {
         }
     }
 
-    renderSearch(title: string, policyKind: target) {
+    protected renderSearch(title: string, policyKind: target) {
         if (policyKind !== this.policyGroupUser) {
             return nothing;
         }
@@ -165,7 +168,7 @@ export class ApplicationWizardEditBindingStep extends ApplicationWizardStep {
         </ak-form-element-horizontal>`;
     }
 
-    renderForm(instance?: PolicyBinding) {
+    protected renderForm(instance?: PolicyBinding) {
         return html`<ak-wizard-title>${msg("Create a Policy/User/Group Binding")}</ak-wizard-title>
             <form id="bindingform" class="pf-c-form pf-m-horizontal" slot="form">
                 <div class="pf-c-card pf-m-selectable pf-m-selected">
@@ -218,7 +221,7 @@ export class ApplicationWizardEditBindingStep extends ApplicationWizardStep {
             </form>`;
     }
 
-    renderMain() {
+    protected override renderMain() {
         if (!(this.wizard.bindings && this.wizard.errors)) {
             throw new Error("Application Step received uninitialized wizard context.");
         }

web/src/admin/applications/wizard/steps/ak-application-wizard-provider-choice-step.ts

@@ -7,7 +7,6 @@ import "#elements/wizard/TypeCreateWizardPage";
 import { applicationWizardProvidersContext } from "../ContextIdentity.js";
 import { type LocalTypeCreate } from "./ProviderChoices.js";
 
-import { bound } from "#elements/decorators/bound";
 import { WithLicenseSummary } from "#elements/mixins/license";
 import { TypeCreateWizardPageLayouts } from "#elements/wizard/TypeCreateWizardPage";
 
@@ -15,8 +14,6 @@ import type { NavigableButton, WizardButton } from "#components/ak-wizard/types"
 
 import { ApplicationWizardStep } from "#admin/applications/wizard/ApplicationWizardStep";
 
-import { TypeCreate } from "@goauthentik/api";
-
 import { consume } from "@lit/context";
 import { msg } from "@lit/localize";
 import { html } from "lit";
@@ -24,15 +21,15 @@ import { customElement, state } from "lit/decorators.js";
 
 @customElement("ak-application-wizard-provider-choice-step")
 export class ApplicationWizardProviderChoiceStep extends WithLicenseSummary(ApplicationWizardStep) {
-    label = msg("Choose a Provider");
+    public override label = msg("Choose a Provider");
 
     @state()
-    failureMessage = "";
+    protected failureMessage = "";
 
     @consume({ context: applicationWizardProvidersContext, subscribe: true })
     public providerModelsList!: LocalTypeCreate[];
 
-    get buttons(): WizardButton[] {
+    public override get buttons(): WizardButton[] {
         return [
             { kind: "next", destination: "provider" },
             { kind: "back", destination: "application" },
@@ -40,7 +37,7 @@ export class ApplicationWizardProviderChoiceStep extends WithLicenseSummary(Appl
         ];
     }
 
-    override handleButton(button: NavigableButton) {
+    protected override handleButton(button: NavigableButton) {
         this.failureMessage = "";
         if (button.kind === "next") {
             if (!this.wizard.providerModel) {
@@ -54,14 +51,7 @@ export class ApplicationWizardProviderChoiceStep extends WithLicenseSummary(Appl
         super.handleButton(button);
     }
 
-    @bound
-    onSelect(ev: CustomEvent<LocalTypeCreate>) {
-        ev.stopPropagation();
-        const detail: TypeCreate = ev.detail;
-        this.handleUpdate({ providerModel: detail.modelName });
-    }
-
-    renderMain() {
+    protected override renderMain() {
         const selectedTypes = this.providerModelsList.filter(
             (t) => t.modelName === this.wizard.providerModel,
         );