🎉 Release 4.2.0

Merge branch 'origin/main' into 'next-release/main'
Merge pull request #2043 from fschade/issue-2009-run-single-service
2025-12-24 14:50:39 -05:00 · 2025-12-24 08:37:50 +00:00 · 2025-12-24 08:37:49 +00:00 · 2025-12-24 09:34:36 +01:00 · 2025-12-23 11:25:36 +00:00 · 2025-12-23 11:25:35 +00:00
1607 changed files with 99935 additions and 80751 deletions
--- a/.backportrc.json
+++ b/.backportrc.json
@@ -0,0 +1,6 @@
+{
+  "repoOwner": "opencloud-eu",
+  "repoName": "opencloud",
+  "targetBranchChoices": ["main", "stable-2.0", "stable-4.0"],
+  "fork": false
+}
--- a/.codacy.yml
+++ b/.codacy.yml
@@ -16,7 +16,7 @@ exclude_paths:
  - 'tests/acceptance/expected-failures-*.md'
  - 'tests/acceptance/bootstrap/**'
  - 'tests/acceptance/TestHelpers/**'
-  - 'tests/acceptance/run.sh'
+  - 'tests/acceptance/scripts/run.sh'
  - 'vendor/**/*'
  - 'tests/ocwrapper/vendor/**'
 ...
--- a/.gitignore
+++ b/.gitignore
@@ -38,6 +38,7 @@ vendor-php
 # API acceptance tests - auto-generated files
 .php-cs-fixer.cache
 suite-logs
+tests/acceptance/filesForUpload/filesWithVirus/

 # QA activity reports
 tests/qa-activity-report/reports/
--- a/.make/go.mk
+++ b/.make/go.mk
@@ -36,8 +36,18 @@ ifndef DATE
 	DATE := $(shell date -u '+%Y%m%d')
 endif

-LDFLAGS += -X google.golang.org/protobuf/reflect/protoregistry.conflictPolicy=warn -s -w -X "$(OC_REPO)/pkg/version.String=$(STRING)" -X "$(OC_REPO)/pkg/version.Tag=$(VERSION)" -X "$(OC_REPO)/pkg/version.Date=$(DATE)"
-DEBUG_LDFLAGS += -X google.golang.org/protobuf/reflect/protoregistry.conflictPolicy=warn -X "$(OC_REPO)/pkg/version.String=$(STRING)" -X "$(OC_REPO)/pkg/version.Tag=$(VERSION)" -X "$(OC_REPO)/pkg/version.Date=$(DATE)"
+LDFLAGS += -X google.golang.org/protobuf/reflect/protoregistry.conflictPolicy=warn -s -w \
+	-X "$(OC_REPO)/pkg/version.Edition=$(EDITION)" \
+	-X "$(OC_REPO)/pkg/version.String=$(STRING)" \
+	-X "$(OC_REPO)/pkg/version.Tag=$(VERSION)" \
+	-X "$(OC_REPO)/pkg/version.Date=$(DATE)"
+
+DEBUG_LDFLAGS += -X google.golang.org/protobuf/reflect/protoregistry.conflictPolicy=warn \
+	-X "$(OC_REPO)/pkg/version.Edition=$(EDITION)" \
+	-X "$(OC_REPO)/pkg/version.String=$(STRING)" \
+	-X "$(OC_REPO)/pkg/version.Tag=$(VERSION)" \
+	-X "$(OC_REPO)/pkg/version.Date=$(DATE)"
+
 DOCKER_LDFLAGS += -X "$(OC_REPO)/pkg/config/defaults.BaseDataPathType=path" -X "$(OC_REPO)/pkg/config/defaults.BaseDataPathValue=/var/lib/opencloud"
 DOCKER_LDFLAGS += -X "$(OC_REPO)/pkg/config/defaults.BaseConfigPathType=path" -X "$(OC_REPO)/pkg/config/defaults.BaseConfigPathValue=/etc/opencloud"

--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -53,7 +53,7 @@
        "OC_MACHINE_AUTH_API_KEY": "some-opencloud-machine-auth-api-key",
        "OC_TRANSFER_SECRET": "some-opencloud-transfer-secret",
        // collaboration
-        "COLLABORATION_WOPIAPP_SECRET": "some-wopi-secret",
+        "COLLABORATION_WOPI_SECRET": "some-wopi-secret",
        // idm ldap
        "IDM_SVC_PASSWORD": "some-ldap-idm-password",
        "GRAPH_LDAP_BIND_PASSWORD": "some-ldap-idm-password",
@@ -193,20 +193,21 @@
        "OC_LOG_COLOR": "true",
        "PROXY_ENABLE_BASIC_AUTH": "true",
        "IDM_CREATE_DEMO_USERS": "true",
-        "OC_ADMIN_USER_ID": "some-admin-user-id-0000-000000000000",
+        "OC_ADMIN_USER_ID": "fed-admin-user-id-0000-000000000000",
        "IDM_ADMIN_PASSWORD": "admin",
-        "OC_SYSTEM_USER_ID": "some-system-user-id-000-000000000000",
-        "OC_SYSTEM_USER_API_KEY": "some-system-user-machine-auth-api-key",
-        "OC_JWT_SECRET": "some-opencloud-jwt-secret",
-        "OC_MACHINE_AUTH_API_KEY": "some-opencloud-machine-auth-api-key",
-        "OC_TRANSFER_SECRET": "some-opencloud-transfer-secret",
-        "IDM_SVC_PASSWORD": "some-ldap-idm-password",
-        "GRAPH_LDAP_BIND_PASSWORD": "some-ldap-idm-password",
-        "IDM_REVASVC_PASSWORD": "some-ldap-reva-password",
-        "GROUPS_LDAP_BIND_PASSWORD": "some-ldap-reva-password",
-        "USERS_LDAP_BIND_PASSWORD": "some-ldap-reva-password",
-        "AUTH_BASIC_LDAP_BIND_PASSWORD": "some-ldap-reva-password",
-        "IDM_IDPSVC_PASSWORD": "some-ldap-idp-password",
+        "OC_SYSTEM_USER_ID": "fed-system-user-id-000-000000000000",
+        "OC_SYSTEM_USER_API_KEY": "fed-system-user-machine-auth-api-key",
+        "OC_JWT_SECRET": "fed-opencloud-jwt-secret",
+        "OC_MACHINE_AUTH_API_KEY": "fed-opencloud-machine-auth-api-key",
+        "OC_TRANSFER_SECRET": "fed-opencloud-transfer-secret",
+        "COLLABORATION_WOPI_SECRET": "fed-wopi-secret",
+        "IDM_SVC_PASSWORD": "fed-ldap-idm-password",
+        "GRAPH_LDAP_BIND_PASSWORD": "fed-ldap-idm-password",
+        "IDM_REVASVC_PASSWORD": "fed-ldap-reva-password",
+        "GROUPS_LDAP_BIND_PASSWORD": "fed-ldap-reva-password",
+        "USERS_LDAP_BIND_PASSWORD": "fed-ldap-reva-password",
+        "AUTH_BASIC_LDAP_BIND_PASSWORD": "fed-ldap-reva-password",
+        "IDM_IDPSVC_PASSWORD": "fed-ldap-idp-password",
        "IDP_LDAP_BIND_PASSWORD": "some-ldap-idp-password",
        "GRAPH_APPLICATION_ID": "application-1"
      }
--- a/.woodpecker.env
+++ b/.woodpecker.env
@@ -1,4 +1,4 @@
 # The test runner source for UI tests
-WEB_COMMITID=6abffcc9cff31c46a341105eb6030fec56338126
+WEB_COMMITID=3120ea384c7a9d1f1ea0c328965951fc06d66900
 WEB_BRANCH=main

--- a/.woodpecker.star
+++ b/.woodpecker.star
@@ -3,12 +3,12 @@

 # Repository

-repo_slug = "opencloud-eu/opencloud"
+repo_slug = "${CI_REPO}"
 docker_repo_slug = "opencloudeu/opencloud"

 # images
 ALPINE_GIT = "alpine/git:latest"
-APACHE_TIKA = "apache/tika:2.8.0.0"
+APACHE_TIKA = "apache/tika:3.2.3.0-full"
 CHKO_DOCKER_PUSHRM = "chko/docker-pushrm:1"
 COLLABORA_CODE = "collabora/code:24.04.5.1.1"
 OPEN_SEARCH = "opensearchproject/opensearch:2"
@@ -18,7 +18,7 @@ OC_CI_ALPINE = "owncloudci/alpine:latest"
 OC_CI_BAZEL_BUILDIFIER = "owncloudci/bazel-buildifier:latest"
 OC_CI_CLAMAVD = "owncloudci/clamavd"
 OC_CI_DRONE_ANSIBLE = "owncloudci/drone-ansible:latest"
-OC_CI_GOLANG = "docker.io/golang:1.24"
+OC_CI_GOLANG = "registry.heinlein.group/opencloud/golang-ci:1.25"
 OC_CI_NODEJS = "owncloudci/nodejs:%s"
 OC_CI_PHP = "owncloudci/php:%s"
 OC_CI_WAIT_FOR = "owncloudci/wait-for:latest"
@@ -27,6 +27,7 @@ OC_LITMUS = "owncloudci/litmus:latest"
 OC_UBUNTU = "owncloud/ubuntu:20.04"
 ONLYOFFICE_DOCUMENT_SERVER = "onlyoffice/documentserver:7.5.1"
 PLUGINS_DOCKER_BUILDX = "woodpeckerci/plugin-docker-buildx:latest"
+PLUGINS_NOTATION = "registry.heinlein.group/opencloud/notation-wp-plugin:latest"
 PLUGINS_GITHUB_RELEASE = "woodpeckerci/plugin-release"
 PLUGINS_GIT_ACTION = "quay.io/thegeeklab/wp-git-action"
 PLUGINS_S3 = "plugins/s3:1"
@@ -40,22 +41,21 @@ DEFAULT_PHP_VERSION = "8.2"
 DEFAULT_NODEJS_VERSION = "20"

 CACHE_S3_SERVER = "https://s3.ci.opencloud.eu"
-INSTALL_LIBVIPS_COMMAND = "apt-get update; apt-get install libvips42 -y"

 dirs = {
-    "base": "/woodpecker/src/github.com/opencloud-eu/opencloud",
-    "web": "/woodpecker/src/github.com/opencloud-eu/opencloud/webTestRunner",
-    "zip": "/woodpecker/src/github.com/opencloud-eu/opencloud/zip",
-    "webZip": "/woodpecker/src/github.com/opencloud-eu/opencloud/zip/web.tar.gz",
-    "webPnpmZip": "/woodpecker/src/github.com/opencloud-eu/opencloud/zip/web-pnpm.tar.gz",
-    "playwrightBrowsersArchive": "/woodpecker/src/github.com/opencloud-eu/opencloud/zip/playwright-browsers.tar.gz",
-    "baseGo": "/go/src/github.com/opencloud-eu/opencloud",
+    "base": "/woodpecker/src/github.com/%s" % repo_slug,
+    "web": "/woodpecker/src/github.com/%s/webTestRunner" % repo_slug,
+    "zip": "/woodpecker/src/github.com/%s/zip" % repo_slug,
+    "webZip": "/woodpecker/src/github.com/%s/zip/web.tar.gz" % repo_slug,
+    "webPnpmZip": "/woodpecker/src/github.com/%s/zip/web-pnpm.tar.gz" % repo_slug,
+    "playwrightBrowsersArchive": "/woodpecker/src/github.com/%s/zip/playwright-browsers.tar.gz" % repo_slug,
+    "baseGo": "/go/src/github.com/%s" % repo_slug,
    "gobinTar": "go-bin.tar.gz",
-    "gobinTarPath": "/go/src/github.com/opencloud-eu/opencloud/go-bin.tar.gz",
+    "gobinTarPath": "/go/src/github.com/%s/go-bin.tar.gz" % repo_slug,
    "opencloudConfig": "tests/config/woodpecker/opencloud-config.json",
-    "opencloudRevaDataRoot": "/woodpecker/src/github.com/opencloud-eu/opencloud/srv/app/tmp/ocis/owncloud/data",
-    "multiServiceOcBaseDataPath": "/woodpecker/src/github.com/opencloud-eu/opencloud/multiServiceData",
-    "ocWrapper": "/woodpecker/src/github.com/opencloud-eu/opencloud/tests/ocwrapper",
+    "opencloudRevaDataRoot": "/woodpecker/src/github.com/%s/srv/app/tmp/ocis/owncloud/data" % repo_slug,
+    "multiServiceOcBaseDataPath": "/woodpecker/src/github.com/%s/multiServiceData" % repo_slug,
+    "ocWrapper": "/woodpecker/src/github.com/%s/tests/ocwrapper" % repo_slug,
    "bannedPasswordList": "tests/config/woodpecker/banned-password-list.txt",
    "ocmProviders": "tests/config/woodpecker/providers.json",
    "opencloudBinPath": "opencloud/bin",
@@ -137,7 +137,8 @@ config = {
            "suites": [
                "apiGraph",
                "apiServiceAvailability",
-                "collaborativePosix",
+                # skip tests for collaborativePosix. see https://github.com/opencloud-eu/opencloud/issues/2036
+                #"collaborativePosix",
            ],
            "skip": False,
            "withRemotePhp": [True],
@@ -233,6 +234,7 @@ config = {
            ],
            "skip": False,
            "antivirusNeeded": True,
+            "generateVirusFiles": True,
            "extraServerEnvironment": {
                "ANTIVIRUS_SCANNER_TYPE": "clamav",
                "ANTIVIRUS_CLAMAV_SOCKET": "tcp://clamav:3310",
@@ -299,6 +301,7 @@ config = {
            "skip": False,
            "withRemotePhp": [True],
            "antivirusNeeded": True,
+            "generateVirusFiles": True,
            "extraServerEnvironment": {
                "ANTIVIRUS_SCANNER_TYPE": "clamav",
                "ANTIVIRUS_CLAMAV_SOCKET": "tcp://clamav:3310",
@@ -385,7 +388,9 @@ config = {
        "architectures": ["arm64", "amd64"],
        "production": {
            # NOTE: need to be updated if new production releases are determined
-            "tags": ["2.0"],
+            "tags": ["2.0", "4.0"],
+            # NOTE: need to be set to true if patch releases are made from stable-X-branches
+            "skip_rolling": "false",
            "repo": docker_repo_slug,
            "build_type": "production",
        },
@@ -409,7 +414,7 @@ GRAPH_AVAILABLE_ROLES = "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d
 workspace = \
    {
        "base": "/go",
-        "path": "src/github.com/opencloud-eu/opencloud/",
+        "path": "src/github.com/%s/" % repo_slug,
    }

 # minio mc environment variables
@@ -477,6 +482,10 @@ def main(ctx):
    if ctx.build.event == "cron" and ctx.build.sender == "translation-sync":
        return translation_sync(ctx)

+    is_release_pr = (ctx.build.event == "pull_request" and ctx.build.sender == "openclouders" and "🎉 release" in ctx.build.title.lower())
+    if is_release_pr:
+        return [licenseCheck(ctx)]
+
    build_release_helpers = \
        readyReleaseGo()

@@ -547,7 +556,6 @@ def main(ctx):
 def cachePipeline(ctx, name, steps):
    return {
        "name": "build-%s-cache" % name,
-        "skip_clone": True,
        "steps": steps,
        "when": [
            {
@@ -606,7 +614,7 @@ def testPipelines(ctx):
        pipelines += apiTests(ctx)

    enable_watch_fs = [False]
-    if ctx.build.event == "cron" or "full-ci" in ctx.build.title.lower():
+    if ctx.build.event == "cron":
        enable_watch_fs.append(True)

    for run_with_watch_fs_enabled in enable_watch_fs:
@@ -703,7 +711,7 @@ def restoreGoBinCache():
            "name": "extract-go-bin-cache",
            "image": OC_UBUNTU,
            "commands": [
-                "tar -xmf %s -C /" % dirs["gobinTarPath"],
+                "tar -xvmf %s -C /" % dirs["gobinTarPath"],
            ],
        },
    ]
@@ -992,7 +1000,7 @@ def localApiTestPipeline(ctx):

    with_remote_php = [True]
    enable_watch_fs = [False]
-    if ctx.build.event == "cron" or "full-ci" in ctx.build.title.lower():
+    if ctx.build.event == "cron":
        with_remote_php.append(False)
        enable_watch_fs.append(True)

@@ -1016,6 +1024,7 @@ def localApiTestPipeline(ctx):
        "withRemotePhp": with_remote_php,
        "enableWatchFs": enable_watch_fs,
        "ldapNeeded": False,
+        "generateVirusFiles": False,
    }

    if "localApiTests" in config:
@@ -1040,7 +1049,7 @@ def localApiTestPipeline(ctx):
                                         (opencloudServer(storage, params["accounts_hash_difficulty"], deploy_type = "federation", extra_server_environment = params["extraServerEnvironment"], watch_fs_enabled = run_with_watch_fs_enabled) if params["federationServer"] else []) +
                                         ((wopiCollaborationService("fakeoffice") + wopiCollaborationService("collabora") + wopiCollaborationService("onlyoffice")) if params["collaborationServiceNeeded"] else []) +
                                         (openCloudHealthCheck("wopi", ["wopi-collabora:9304", "wopi-onlyoffice:9304", "wopi-fakeoffice:9304"]) if params["collaborationServiceNeeded"] else []) +
-                                         localApiTests(name, params["suites"], storage, params["extraTestEnvironment"], run_with_remote_php) +
+                                         localApiTests(name, params["suites"], storage, params["extraTestEnvironment"], run_with_remote_php, params["generateVirusFiles"]) +
                                         logRequests(),
                                "services": (emailService() if params["emailNeeded"] else []) +
                                            (clamavService() if params["antivirusNeeded"] else []) +
@@ -1060,7 +1069,7 @@ def localApiTestPipeline(ctx):
                        pipelines.append(pipeline)
    return pipelines

-def localApiTests(name, suites, storage = "decomposed", extra_environment = {}, with_remote_php = False):
+def localApiTests(name, suites, storage = "decomposed", extra_environment = {}, with_remote_php = False, generate_virus_files = False):
    test_dir = "%s/tests/acceptance" % dirs["base"]
    expected_failures_file = "%s/expected-failures-localAPI-on-%s-storage.md" % (test_dir, storage)

@@ -1083,15 +1092,25 @@ def localApiTests(name, suites, storage = "decomposed", extra_environment = {},
    for item in extra_environment:
        environment[item] = extra_environment[item]

+    commands = []
+
+    # Generate EICAR virus test files if needed
+    if generate_virus_files:
+        commands.append("chmod +x %s/tests/acceptance/scripts/generate-virus-files.sh" % dirs["base"])
+        commands.append("bash %s/tests/acceptance/scripts/generate-virus-files.sh" % dirs["base"])
+
+    # Merge expected failures
+    if not with_remote_php:
+        commands.append("cat %s/expected-failures-without-remotephp.md >> %s" % (test_dir, expected_failures_file))
+
+    # Run tests
+    commands.append("make -C %s test-acceptance-api" % (dirs["base"]))
+
    return [{
        "name": "localApiTests-%s" % name,
        "image": OC_CI_PHP % DEFAULT_PHP_VERSION,
        "environment": environment,
-        "commands": [
-            # merge the expected failures
-            "" if with_remote_php else "cat %s/expected-failures-without-remotephp.md >> %s" % (test_dir, expected_failures_file),
-            "make -C %s test-acceptance-api" % (dirs["base"]),
-        ],
+        "commands": commands,
    }]

 def cs3ApiTests(ctx, storage, accounts_hash_difficulty = 4):
@@ -1212,7 +1231,7 @@ def wopiValidatorTests(ctx, storage, wopiServerType, accounts_hash_difficulty =
                         "commands": [
                             "curl -v -X PUT '%s/remote.php/webdav/test.wopitest' -k --fail --retry-connrefused --retry 7 --retry-all-errors -u admin:admin -D headers.txt" % OC_URL,
                             "cat headers.txt",
-                             "export FILE_ID=$(cat headers.txt | sed -n -e 's/^.*Oc-Fileid: //p')",
+                             "export FILE_ID=$(cat headers.txt | sed -n -e 's/^.*oc-fileid: //Ip')",
                             "export URL=\"%s/app/open?app_name=FakeOffice&file_id=$FILE_ID\"" % OC_URL,
                             "export URL=$(echo $URL | tr -d '[:cntrl:]')",
                             "curl -v -X POST \"$URL\" -k --fail --retry-connrefused --retry 7 --retry-all-errors -u admin:admin > open.json",
@@ -1297,7 +1316,7 @@ def apiTests(ctx):

    with_remote_php = [True]
    enable_watch_fs = [False]
-    if ctx.build.event == "cron" or "full-ci" in ctx.build.title.lower():
+    if ctx.build.event == "cron":
        with_remote_php.append(False)
        enable_watch_fs.append(True)

@@ -1595,31 +1614,40 @@ def uploadTracingResult(ctx):

 def dockerReleases(ctx):
    pipelines = []
-    docker_repos = []
+    docker_releases = []
    build_type = ""

+    # only make realeases on tag events
    if ctx.build.event == "tag":
        tag = ctx.build.ref.replace("refs/tags/v", "").lower()

+        # iterate over production tags to see if this is a production release
        is_production = False
+        skip_rolling = False
        for prod_tag in config["dockerReleases"]["production"]["tags"]:
            if tag.startswith(prod_tag):
                is_production = True
+                skip_rolling = config["dockerReleases"]["production"]["skip_rolling"]
                break

        if is_production:
-            docker_repos.append(config["dockerReleases"]["production"]["repo"])
-            build_type = config["dockerReleases"]["production"]["build_type"]
+            docker_releases.append("production")
+
+            # a new production realease is also a rolling release
+            # unless skip_rolling is set in the config, i.e. for patch-releases on stable-branch
+            if not skip_rolling:
+                docker_releases.append("rolling")

        else:
-            docker_repos.append(config["dockerReleases"]["rolling"]["repo"])
-            build_type = config["dockerReleases"]["rolling"]["build_type"]
+            docker_releases.append("rolling")

+        # on non tag events, do daily build
    else:
-        docker_repos.append(config["dockerReleases"]["daily"]["repo"])
-        build_type = config["dockerReleases"]["daily"]["build_type"]
+        docker_releases.append("daily")

-    for repo in docker_repos:
+    for releaseConfigName in docker_releases:
+        repo = config["dockerReleases"][releaseConfigName]["repo"]
+        build_type = config["dockerReleases"][releaseConfigName]["build_type"]
        repo_pipelines = []
        repo_pipelines.append(dockerRelease(ctx, repo, build_type))

@@ -1639,8 +1667,19 @@ def dockerRelease(ctx, repo, build_type):
    build_args = {
        "REVISION": "%s" % ctx.build.commit,
        "VERSION": "%s" % (ctx.build.ref.replace("refs/tags/", "") if ctx.build.event == "tag" else "daily"),
+        "EDITION": "stable" if build_type == "production" else "rolling",
    }

+    # if no additional tag is given, the build-plugin adds latest
+    hard_tag = "daily"
+    if ctx.build.event == "tag":
+        tag_version = ctx.build.ref.replace("refs/tags/v", "")
+        tag_parts = tag_version.split("-")
+
+        # if a tag has something appended with "-" i.e. alpha, beta, rc1...
+        # set the entire string as tag, else tag with latest (same as empty with current plugin)
+        hard_tag = tag_version if len(tag_parts) > 1 else "latest"
+
    depends_on = getPipelineNames(getGoBinForTesting(ctx))

    if ctx.build.event == "tag":
@@ -1654,11 +1693,12 @@ def dockerRelease(ctx, repo, build_type):
                "name": "dryrun",
                "image": PLUGINS_DOCKER_BUILDX,
                "settings": {
+                    "context": "..",
                    "dry_run": True,
                    "platforms": "linux/amd64",  # do dry run only on the native platform
-                    "repo": "%s,quay.io/%s" % (repo, repo),
+                    "repo": "%s,quay.io/%s,registry.heinlein.group/%s" % (repo, repo, repo),
                    "auto_tag": False if build_type == "daily" else True,
-                    "tag": "daily" if build_type == "daily" else "",
+                    "tag": hard_tag,
                    "default_tag": "daily",
                    "dockerfile": "opencloud/docker/Dockerfile.multiarch",
                    "build_args": build_args,
@@ -1676,10 +1716,11 @@ def dockerRelease(ctx, repo, build_type):
                "name": "build-and-push",
                "image": PLUGINS_DOCKER_BUILDX,
                "settings": {
-                    "repo": "%s,quay.io/%s" % (repo, repo),
+                    "context": "..",
+                    "repo": "%s,quay.io/%s,registry.heinlein.group/%s" % (repo, repo, repo),
                    "platforms": "linux/amd64,linux/arm64",  # we can add remote builders
                    "auto_tag": False if build_type == "daily" else True,
-                    "tag": "daily" if build_type == "daily" else "",
+                    "tag": hard_tag,
                    "default_tag": "daily",
                    "dockerfile": "opencloud/docker/Dockerfile.multiarch",
                    "build_args": build_args,
@@ -1709,6 +1750,45 @@ def dockerRelease(ctx, repo, build_type):
                                "from_secret": "quay_password",
                            },
                        },
+                        {
+                            "registry": "https://registry.heinlein.group",
+                            "username": {
+                                "from_secret": "harbor_opencloudeu_user",
+                            },
+                            "password": {
+                                "from_secret": "harbor_opencloudeu_password",
+                            },
+                        },
+                    ],
+                },
+                "when": [
+                    event["cron"],
+                    event["base"],
+                    event["tag"],
+                ],
+            },
+            {
+                "name": "notation-signing",
+                "image": PLUGINS_NOTATION,
+                "settings": {
+                    "key": {
+                        "from_secret": "notation_key",
+                    },
+                    "crt": {
+                        "from_secret": "notation_cert",
+                    },
+                    "target": "registry.heinlein.group/%s:%s" % (repo, hard_tag),
+                    "pull_image": True,
+                    "logins": [
+                        {
+                            "registry": "https://registry.heinlein.group",
+                            "username": {
+                                "from_secret": "harbor_opencloudeu_user",
+                            },
+                            "password": {
+                                "from_secret": "harbor_opencloudeu_password",
+                            },
+                        },
                    ],
                },
                "when": [
@@ -1751,6 +1831,7 @@ def binaryRelease(ctx, arch, depends_on = []):
                "image": OC_CI_GOLANG,
                "environment": {
                    "VERSION": (ctx.build.ref.replace("refs/tags/", "") if ctx.build.event == "tag" else "daily"),
+                    "EDITION": "rolling",
                    "HTTP_PROXY": {
                        "from_secret": "ci_http_proxy",
                    },
@@ -1996,7 +2077,9 @@ def notifyMatrix(ctx):
                    },
                    "QA_REPO": "https://github.com/opencloud-eu/qa.git",
                    "QA_REPO_BRANCH": "main",
-                    "CI_WOODPECKER_URL": "https://ci.opencloud.eu/",
+                    "CI_WOODPECKER_URL": {
+                        "from_secret": "oc_ci_url",
+                    },
                    "CI_REPO_ID": "3",
                    "CI_WOODPECKER_TOKEN": "no-auth-needed-on-this-repo",
                },
@@ -2158,9 +2241,6 @@ def opencloudServer(storage = "decomposed", accounts_hash_difficulty = 4, depend
            },
        },
        "commands": [
-            "apt-get update",
-            "apt-get install -y inotify-tools xattr",
-            INSTALL_LIBVIPS_COMMAND,
            "%s init --insecure true" % dirs["opencloudBin"],
            "cat $OC_CONFIG_DIR/opencloud.yaml",
            "cp tests/config/woodpecker/app-registry.yaml $OC_CONFIG_DIR/app-registry.yaml",
@@ -2204,7 +2284,6 @@ def startOpenCloudService(service = None, name = None, environment = {}):
            "detach": True,
            "environment": environment,
            "commands": [
-                INSTALL_LIBVIPS_COMMAND,
                "%s %s server" % (dirs["opencloudBin"], service),
            ],
        },
@@ -2230,7 +2309,6 @@ def build():
            "name": "build",
            "image": OC_CI_GOLANG,
            "commands": [
-                "apt-get update; apt-get install libvips-dev -y",
                "for i in $(seq 3); do make -C opencloud build ENABLE_VIPS=1 && break || sleep 1; done",
            ],
            "environment": CI_HTTP_PROXY_ENV,
@@ -2279,11 +2357,12 @@ def translation_sync(ctx):
                "image": OC_CI_GOLANG,
                "commands": [
                    "make l10n-read",
+                    "mkdir tx && cd tx",
                    "curl -o- https://raw.githubusercontent.com/transifex/cli/master/install.sh | bash",
-                    ". ~/.profile",
+                    "export PATH=$PATH:$(pwd) && cd ..",
                    "make l10n-push",
                    "make l10n-pull",
-                    "rm tx",
+                    "rm -rf tx",
                    "make l10n-clean",
                ],
                "environment": {
@@ -2420,7 +2499,7 @@ def genericBuildArtifactCache(ctx, name, action, path):
        return genericCache(name, action, [path], cache_path)

    if action == "purge":
-        return purgeCache("purge_opencloud_build_artifact_cache", "cache/opencloud-eu/opencloud", 1)
+        return purgeCache("purge_opencloud_build_artifact_cache", "cache/%s" % repo_slug, 1)
    return []

 def restoreBuildArtifactCache(ctx, name, path):
@@ -2626,15 +2705,13 @@ def setupForLitmus():
    }]

 def getWoodpeckerEnvAndCheckScript(ctx):
-    opencloud_git_base_url = "https://raw.githubusercontent.com/opencloud-eu/opencloud"
-    path_to_woodpecker_env = "%s/%s/.woodpecker.env" % (opencloud_git_base_url, ctx.build.commit)
-    path_to_check_script = "%s/%s/tests/config/woodpecker/check_web_cache.sh" % (opencloud_git_base_url, ctx.build.commit)
+    path_to_woodpecker_env = "%s/.woodpecker.env" % dirs["base"]
+    path_to_check_script = "%s/tests/config/woodpecker/check_web_cache.sh" % dirs["base"]
    return {
        "name": "get-woodpecker-env-and-check-script",
        "image": OC_UBUNTU,
        "commands": [
-            "curl -s -o .woodpecker.env %s" % path_to_woodpecker_env,
-            "curl -s -o check_web_cache.sh %s" % path_to_check_script,
+            "cp %s check_web_cache.sh" % path_to_check_script,
        ],
    }

@@ -2868,7 +2945,7 @@ def restoreBrowsersCache():
            "name": "unzip-browsers-cache",
            "image": OC_UBUNTU,
            "commands": [
-                "tar -xf /woodpecker/src/github.com/opencloud-eu/opencloud/webTestRunner/playwright-browsers.tar.gz -C .",
+                "tar -xf /woodpecker/src/github.com/%s/webTestRunner/playwright-browsers.tar.gz -C ." % repo_slug,
            ],
        },
    ]
@@ -3056,7 +3133,7 @@ def k6LoadTests(ctx):
    if "skip" in config["k6LoadTests"] and config["k6LoadTests"]["skip"]:
        return []

-    opencloud_git_base_url = "https://raw.githubusercontent.com/opencloud-eu/opencloud"
+    opencloud_git_base_url = "https://raw.githubusercontent.com/%s" % repo_slug
    script_link = "%s/%s/tests/config/woodpecker/run_k6_tests.sh" % (opencloud_git_base_url, ctx.build.commit)

    event_array = ["cron"]
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,146 @@
 # Changelog

+## [4.2.0](https://github.com/opencloud-eu/opencloud/releases/tag/v4.2.0) - 2025-12-24
+
+### ❤️ Thanks to all contributors! ❤️
+
+@ScharfViktor, @butonic, @dragonchaser, @fschade, @rhafer, @saw-jan
+
+### 🐛 Bug Fixes
+
+- Remove sub-service binary entrypoints and fix antivirus only server cmd [[#2043](https://github.com/opencloud-eu/opencloud/pull/2043)]
+- fix(thumbnailer): respect image boundaries and text wrappings [[#2062](https://github.com/opencloud-eu/opencloud/pull/2062)]
+- fix: cobra viper flags and env [[#2047](https://github.com/opencloud-eu/opencloud/pull/2047)]
+- fix service name in suture logs [[#2052](https://github.com/opencloud-eu/opencloud/pull/2052)]
+
+### ✅ Tests
+
+- [full-ci] use graph api in the enforcePasswordPublicLink.feature [[#2050](https://github.com/opencloud-eu/opencloud/pull/2050)]
+- [full-ci][tests-only] test: check last email content with retries as emails can be delayed [[#2038](https://github.com/opencloud-eu/opencloud/pull/2038)]
+- skip collaborativePosix tests in CI [[#2039](https://github.com/opencloud-eu/opencloud/pull/2039)]
+
+### 📈 Enhancement
+
+- allow http2 connections to proxy [[#2040](https://github.com/opencloud-eu/opencloud/pull/2040)]
+- migrate from urfave/cli to spf13/cobra [[#1954](https://github.com/opencloud-eu/opencloud/pull/1954)]
+
+### 📦️ Dependencies
+
+- build(deps): bump github.com/testcontainers/testcontainers-go/modules/opensearch from 0.39.0 to 0.40.0 [[#1967](https://github.com/opencloud-eu/opencloud/pull/1967)]
+- build(deps): bump golang.org/x/net from 0.47.0 to 0.48.0 [[#2061](https://github.com/opencloud-eu/opencloud/pull/2061)]
+- build(deps): bump github.com/open-policy-agent/opa from 1.10.1 to 1.11.0 [[#1930](https://github.com/opencloud-eu/opencloud/pull/1930)]
+
+## [4.1.0](https://github.com/opencloud-eu/opencloud/releases/tag/v4.1.0) - 2025-12-15
+
+### ❤️ Thanks to all contributors! ❤️
+
+@JammingBen, @ScharfViktor, @Svanvith, @butonic, @flimmy, @fschade, @individual-it, @kulmann, @micbar, @prashant-gurung899, @saw-jan
+
+### 📚 Documentation
+
+- fix typo [[#2024](https://github.com/opencloud-eu/opencloud/pull/2024)]
+- [docs] update policies link [[#1996](https://github.com/opencloud-eu/opencloud/pull/1996)]
+- fix the link in quickstart script for itself [[#1956](https://github.com/opencloud-eu/opencloud/pull/1956)]
+
+### ✅ Tests
+
+- [full-ci][tests-only] test: fix some test flakiness [[#2003](https://github.com/opencloud-eu/opencloud/pull/2003)]
+- [tests-only] Skip test related pipelines for ready-release-go PRs [[#2011](https://github.com/opencloud-eu/opencloud/pull/2011)]
+- [full-ci][tests-only] test: add test to check mismatch offset during TUS upload [[#1993](https://github.com/opencloud-eu/opencloud/pull/1993)]
+- [full-ci][tests-only] test: proper resource existence check [[#1990](https://github.com/opencloud-eu/opencloud/pull/1990)]
+- check propfing after renaming data in file system [[#1809](https://github.com/opencloud-eu/opencloud/pull/1809)]
+- fix-get-attribute-test [[#1974](https://github.com/opencloud-eu/opencloud/pull/1974)]
+
+### 📈 Enhancement
+
+- Show edition in opencloud version command [[#2019](https://github.com/opencloud-eu/opencloud/pull/2019)]
+
+### 🐛 Bug Fixes
+
+- fix: enforce trailing slash for server url [[#1995](https://github.com/opencloud-eu/opencloud/pull/1995)]
+- fix: enhance resource creation with detailed process information [[#1978](https://github.com/opencloud-eu/opencloud/pull/1978)]
+
+### 📦️ Dependencies
+
+- chore: bump web to v4.3.0 [[#2030](https://github.com/opencloud-eu/opencloud/pull/2030)]
+- reva-bump-2.41.0 [[#2032](https://github.com/opencloud-eu/opencloud/pull/2032)]
+- build(deps): bump github.com/testcontainers/testcontainers-go from 0.39.0 to 0.40.0 [[#1931](https://github.com/opencloud-eu/opencloud/pull/1931)]
+
+## [4.0.0](https://github.com/opencloud-eu/opencloud/releases/tag/v4.0.0) - 2025-12-01
+
+### ❤️ Thanks to all contributors! ❤️
+
+@AlexAndBear, @MahdiBaghbani, @ScharfViktor, @butonic, @dragonchaser, @flimmy, @fschade, @individual-it, @jnweiger, @kulmann, @micbar, @mikelolasagasti, @pbleser-oc, @rhafer, @schweigisito
+
+### 💥 Breaking changes
+
+- collaboration: Enable `InsertRemoteImage` option [[#1692](https://github.com/opencloud-eu/opencloud/pull/1692)]
+
+### 📚 Documentation
+
+- Fix typos in antivirus README documentation [[#1940](https://github.com/opencloud-eu/opencloud/pull/1940)]
+- fix: add missing service README.md files with basic description [[#1859](https://github.com/opencloud-eu/opencloud/pull/1859)]
+- Fix README.md files which contain broken or missing links [[#1854](https://github.com/opencloud-eu/opencloud/pull/1854)]
+
+### 🐛 Bug Fixes
+
+- introduce OC_EVENTS_TLS_INSECURE [[#1936](https://github.com/opencloud-eu/opencloud/pull/1936)]
+- kill unused env vars [[#1888](https://github.com/opencloud-eu/opencloud/pull/1888)]
+- rc-handling was only active for the dryrun, not the real build-and-push [[#1919](https://github.com/opencloud-eu/opencloud/pull/1919)]
+- handle objectguid endianess [[#1901](https://github.com/opencloud-eu/opencloud/pull/1901)]
+- fix: add update server to default csp rules [[#1875](https://github.com/opencloud-eu/opencloud/pull/1875)]
+- fix: add missing capability flag support-radicale [[#1891](https://github.com/opencloud-eu/opencloud/pull/1891)]
+- fix opensearch client certificate [[#1890](https://github.com/opencloud-eu/opencloud/pull/1890)]
+- Bump reva [[#1882](https://github.com/opencloud-eu/opencloud/pull/1882)]
+- load two yaml configs [[#1617](https://github.com/opencloud-eu/opencloud/pull/1617)]
+- make user cache tenant aware [[#1732](https://github.com/opencloud-eu/opencloud/pull/1732)]
+- fix: sanitise markdow code to make docusaurus happy [[#1851](https://github.com/opencloud-eu/opencloud/pull/1851)]
+- update launch.json [[#1843](https://github.com/opencloud-eu/opencloud/pull/1843)]
+- docs: Fix auth-app examples in README [[#1844](https://github.com/opencloud-eu/opencloud/pull/1844)]
+- fix: fix typo in treesize logging [[#1826](https://github.com/opencloud-eu/opencloud/pull/1826)]
+- fix: set global signing secret fallback correctly [[#1781](https://github.com/opencloud-eu/opencloud/pull/1781)]
+
+### 📈 Enhancement
+
+- feat(ocm): add WAYF configuration for reva OCM service [[#1714](https://github.com/opencloud-eu/opencloud/pull/1714)]
+- log missing name or id attributes [[#1914](https://github.com/opencloud-eu/opencloud/pull/1914)]
+- collabora: Set IsAdminUser and IsAnonymousUser in CheckFileInfo [[#1745](https://github.com/opencloud-eu/opencloud/pull/1745)]
+
+### ✅ Tests
+
+- [full-ci] disable running ci with watch fs when full-ci [[#1902](https://github.com/opencloud-eu/opencloud/pull/1902)]
+- api-tests: delete spaces before users [[#1877](https://github.com/opencloud-eu/opencloud/pull/1877)]
+- update tika version [[#1872](https://github.com/opencloud-eu/opencloud/pull/1872)]
+- add share sync to collaborativePosix suite [[#1806](https://github.com/opencloud-eu/opencloud/pull/1806)]
+- removed test virus files from repo [[#1812](https://github.com/opencloud-eu/opencloud/pull/1812)]
+- increase timeouts waiting for notification & search [[#1802](https://github.com/opencloud-eu/opencloud/pull/1802)]
+- Sync share before action [[#1795](https://github.com/opencloud-eu/opencloud/pull/1795)]
+- correct STORAGE_USERS_POSIX_WATCH_FS env typo in CI [[#1746](https://github.com/opencloud-eu/opencloud/pull/1746)]
+
+### 📦️ Dependencies
+
+- [full-ci] revaBump-v2.40.1 [[#1927](https://github.com/opencloud-eu/opencloud/pull/1927)]
+- [full-ci] chore: bump web to v4.2.1 [[#1938](https://github.com/opencloud-eu/opencloud/pull/1938)]
+- build(deps): bump google.golang.org/grpc from 1.76.0 to 1.77.0 [[#1923](https://github.com/opencloud-eu/opencloud/pull/1923)]
+- build(deps): bump github.com/nats-io/nats-server/v2 from 2.12.1 to 2.12.2 [[#1922](https://github.com/opencloud-eu/opencloud/pull/1922)]
+- build(deps): bump github.com/kovidgoyal/imaging from 1.7.2 to 1.8.17 [[#1912](https://github.com/opencloud-eu/opencloud/pull/1912)]
+- build(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 [[#1911](https://github.com/opencloud-eu/opencloud/pull/1911)]
+- [decomposed]Update version 4.0.0 rc.2 [[#1917](https://github.com/opencloud-eu/opencloud/pull/1917)]
+- chore: bump web to v4.2.1-rc.1 [[#1900](https://github.com/opencloud-eu/opencloud/pull/1900)]
+- revaBump-getting#428 [[#1887](https://github.com/opencloud-eu/opencloud/pull/1887)]
+- build(deps): bump github.com/blevesearch/bleve/v2 from 2.5.4 to 2.5.5 [[#1884](https://github.com/opencloud-eu/opencloud/pull/1884)]
+- build(deps): bump github.com/olekukonko/tablewriter from 1.1.0 to 1.1.1 [[#1869](https://github.com/opencloud-eu/opencloud/pull/1869)]
+- build(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 [[#1845](https://github.com/opencloud-eu/opencloud/pull/1845)]
+- reva-bump-2.39.2. update opencloud 4.0.0-rc.1 [[#1849](https://github.com/opencloud-eu/opencloud/pull/1849)]
+- build(deps): bump golang.org/x/sync from 0.17.0 to 0.18.0 [[#1836](https://github.com/opencloud-eu/opencloud/pull/1836)]
+- build(deps): bump golang.org/x/oauth2 from 0.32.0 to 0.33.0 [[#1828](https://github.com/opencloud-eu/opencloud/pull/1828)]
+- build(deps): bump github.com/KimMachineGun/automemlimit from 0.7.4 to 0.7.5 [[#1787](https://github.com/opencloud-eu/opencloud/pull/1787)]
+- build(deps): bump github.com/open-policy-agent/opa from 1.9.0 to 1.10.1 [[#1788](https://github.com/opencloud-eu/opencloud/pull/1788)]
+- Bump reva [[#1786](https://github.com/opencloud-eu/opencloud/pull/1786)]
+- build(deps): bump github.com/gabriel-vasile/mimetype from 1.4.10 to 1.4.11 [[#1775](https://github.com/opencloud-eu/opencloud/pull/1775)]
+- build(deps): bump github.com/nats-io/nats-server/v2 from 2.12.0 to 2.12.1 [[#1706](https://github.com/opencloud-eu/opencloud/pull/1706)]
+- build(deps): bump github.com/onsi/ginkgo/v2 from 2.27.1 to 2.27.2 [[#1754](https://github.com/opencloud-eu/opencloud/pull/1754)]
+
 ## [3.7.0](https://github.com/opencloud-eu/opencloud/releases/tag/v3.7.0) - 2025-11-03

 ### ❤️ Thanks to all contributors! ❤️
--- a/6
+++ b/6
@@ -124,7 +124,7 @@ BEHAT_BIN=vendor-bin/behat/vendor/bin/behat

 .PHONY: test-acceptance-api
 test-acceptance-api: vendor-bin/behat/vendor
-	BEHAT_BIN=$(BEHAT_BIN) tests/acceptance/run.sh
+	BEHAT_BIN=$(BEHAT_BIN) tests/acceptance/scripts/run.sh

 vendor/bamarni/composer-bin-plugin: composer.lock
 	composer install
@@ -198,6 +198,10 @@ go-mod-tidy:
 test:
 	@go test -v -tags '$(TAGS)' -coverprofile coverage.out ./...

+.PHONY: test-with-race
+test-with-race:
+	@go test -race -v -tags '$(TAGS)' -coverprofile coverage.out ./...
+
 .PHONY: go-coverage
 go-coverage:
 	@if [ ! -f coverage.out ]; then $(MAKE) test  &>/dev/null; fi;
--- a/changelog/unreleased/add-ocm-wayf-configuration.md
+++ b/changelog/unreleased/add-ocm-wayf-configuration.md
@@ -0,0 +1,7 @@
+Enhancement: Add WAYF configuration for reva OCM service
+
+Add WAYF configuration support for the Reva OCM service,
+enabling federation discovery functionality for Open Cloud Mesh.
+This includes configuration for federations file storage and invite accept dialog URL.
+
+https://github.com/opencloud-eu/opencloud/pull/1714
--- a/deployments/examples/bare-metal-simple/install.sh
+++ b/deployments/examples/bare-metal-simple/install.sh
@@ -11,7 +11,7 @@ set -euo pipefail
 #   OC_VERSION: Version to download, e.g. OC_VERSION="1.2.0"

 # Call this script directly from opencloud:
-# curl -L https://opencloud.eu/quickinstall.sh | /bin/bash
+# curl -L https://opencloud.eu/install | /bin/bash

 # This function is borrowed from openSUSEs /usr/bin/old, thanks.
 function backup_file () {
--- a/devtools/deployments/opencloud_full/docker-compose.yml
+++ b/devtools/deployments/opencloud_full/docker-compose.yml
@@ -19,6 +19,11 @@ services:
      - "--entryPoints.http.http.redirections.entryPoint.to=https"
      - "--entryPoints.http.http.redirections.entryPoint.scheme=https"
      - "--entryPoints.https.address=:443"
+      # http2 optimizations
+      - "--entryPoints.https.http2.maxConcurrentStreams=512"
+      - "--serversTransport.maxIdleConnsPerHost=100"
+      # allow self signed certificate from OpenCloud
+      - "--serversTransport.insecureSkipVerify=true"
      # change default timeouts for long-running requests
      # this is needed for webdav clients that do not support the TUS protocol
      - "--entryPoints.https.transport.respondingTimeouts.readTimeout=12h"
--- a/devtools/deployments/opencloud_full/opencloud.yml
+++ b/devtools/deployments/opencloud_full/opencloud.yml
@@ -25,7 +25,7 @@ services:
      OC_LOG_COLOR: "${LOG_PRETTY:-false}"
      OC_LOG_PRETTY: "${LOG_PRETTY:-false}"
      # do not use SSL between Traefik and OpenCloud
-      PROXY_TLS: "false"
+      PROXY_TLS: "true"
      # make the REVA gateway accessible to the app drivers
      GATEWAY_GRPC_ADDR: 0.0.0.0:9142
      # INSECURE: needed if OpenCloud / Traefik is using self generated certificates
@@ -72,6 +72,7 @@ services:
      - "traefik.http.routers.opencloud.tls.certresolver=http"
      - "traefik.http.routers.opencloud.service=opencloud"
      - "traefik.http.services.opencloud.loadbalancer.server.port=9200"
+      - "traefik.http.services.opencloud.loadbalancer.server.scheme=https"
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always
--- a/go.mod
+++ b/go.mod
@@ -5,20 +5,20 @@ go 1.24.6
 require (
 	dario.cat/mergo v1.0.2
 	github.com/CiscoM31/godata v1.0.11
-	github.com/KimMachineGun/automemlimit v0.7.4
+	github.com/KimMachineGun/automemlimit v0.7.5
 	github.com/Masterminds/semver v1.5.0
 	github.com/MicahParks/keyfunc/v2 v2.1.0
 	github.com/Nerzal/gocloak/v13 v13.9.0
 	github.com/bbalet/stopwords v1.0.0
 	github.com/beevik/etree v1.6.0
-	github.com/blevesearch/bleve/v2 v2.5.4
+	github.com/blevesearch/bleve/v2 v2.5.5
 	github.com/cenkalti/backoff v2.2.1+incompatible
-	github.com/coreos/go-oidc/v3 v3.16.0
+	github.com/coreos/go-oidc/v3 v3.17.0
 	github.com/cs3org/go-cs3apis v0.0.0-20250908152307-4ca807afe54e
 	github.com/davidbyttow/govips/v2 v2.16.0
 	github.com/dhowden/tag v0.0.0-20240417053706-3d75831295e8
 	github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e
-	github.com/gabriel-vasile/mimetype v1.4.10
+	github.com/gabriel-vasile/mimetype v1.4.11
 	github.com/ggwhite/go-masker v1.1.0
 	github.com/go-chi/chi/v5 v5.2.3
 	github.com/go-chi/render v1.0.3
@@ -34,7 +34,6 @@ require (
 	github.com/go-micro/plugins/v4/wrapper/monitoring/prometheus v1.2.0
 	github.com/go-micro/plugins/v4/wrapper/trace/opentelemetry v1.2.0
 	github.com/go-playground/validator/v10 v10.28.0
-	github.com/gofrs/uuid v4.4.0+incompatible
 	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/golang/protobuf v1.5.4
 	github.com/google/go-cmp v0.7.0
@@ -48,24 +47,24 @@ require (
 	github.com/jellydator/ttlcache/v3 v3.4.0
 	github.com/jinzhu/now v1.1.5
 	github.com/justinas/alice v1.2.0
-	github.com/kovidgoyal/imaging v1.7.2
+	github.com/kovidgoyal/imaging v1.8.17
 	github.com/leonelquinteros/gotext v1.7.2
 	github.com/libregraph/idm v0.5.0
 	github.com/libregraph/lico v0.66.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/mna/pigeon v1.3.0
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
-	github.com/nats-io/nats-server/v2 v2.12.0
+	github.com/nats-io/nats-server/v2 v2.12.2
 	github.com/nats-io/nats.go v1.47.0
 	github.com/oklog/run v1.2.0
-	github.com/olekukonko/tablewriter v1.1.0
+	github.com/olekukonko/tablewriter v1.1.1
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/ginkgo/v2 v2.27.2
 	github.com/onsi/gomega v1.38.2
-	github.com/open-policy-agent/opa v1.9.0
+	github.com/open-policy-agent/opa v1.11.1
 	github.com/opencloud-eu/icap-client v0.0.0-20250930132611-28a2afe62d89
 	github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76
-	github.com/opencloud-eu/reva/v2 v2.39.2-0.20251030154544-cac8a0257da6
+	github.com/opencloud-eu/reva/v2 v2.41.0
 	github.com/opensearch-project/opensearch-go/v4 v4.5.0
 	github.com/orcaman/concurrent-map v1.0.0
 	github.com/pkg/errors v0.9.1
@@ -79,17 +78,18 @@ require (
 	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af
 	github.com/spf13/afero v1.15.0
 	github.com/spf13/cobra v1.10.1
+	github.com/spf13/pflag v1.0.10
+	github.com/spf13/viper v1.21.0
 	github.com/stretchr/testify v1.11.1
 	github.com/test-go/testify v1.1.4
-	github.com/testcontainers/testcontainers-go v0.39.0
-	github.com/testcontainers/testcontainers-go/modules/opensearch v0.39.0
+	github.com/testcontainers/testcontainers-go v0.40.0
+	github.com/testcontainers/testcontainers-go/modules/opensearch v0.40.0
 	github.com/theckman/yacspin v0.13.12
 	github.com/thejerf/suture/v4 v4.0.6
 	github.com/tidwall/gjson v1.18.0
 	github.com/tidwall/sjson v1.2.5
 	github.com/tus/tusd/v2 v2.8.0
 	github.com/unrolled/secure v1.16.0
-	github.com/urfave/cli/v2 v2.27.7
 	github.com/vmihailenco/msgpack/v5 v5.4.1
 	github.com/xhit/go-simple-mail/v2 v2.16.0
 	go-micro.dev/v4 v4.11.0
@@ -98,22 +98,23 @@ require (
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0
 	go.opentelemetry.io/contrib/zpages v0.63.0
 	go.opentelemetry.io/otel v1.38.0
-	go.opentelemetry.io/otel/exporters/jaeger v1.17.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0
+	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0
 	go.opentelemetry.io/otel/sdk v1.38.0
 	go.opentelemetry.io/otel/trace v1.38.0
-	golang.org/x/crypto v0.43.0
+	golang.org/x/crypto v0.46.0
 	golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac
-	golang.org/x/image v0.32.0
-	golang.org/x/net v0.46.0
-	golang.org/x/oauth2 v0.32.0
-	golang.org/x/sync v0.17.0
-	golang.org/x/term v0.36.0
-	golang.org/x/text v0.30.0
-	google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4
-	google.golang.org/grpc v1.76.0
+	golang.org/x/image v0.33.0
+	golang.org/x/net v0.48.0
+	golang.org/x/oauth2 v0.33.0
+	golang.org/x/sync v0.19.0
+	golang.org/x/term v0.38.0
+	golang.org/x/text v0.32.0
+	google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8
+	google.golang.org/grpc v1.77.0
 	google.golang.org/protobuf v1.36.10
 	gopkg.in/yaml.v2 v2.4.0
+	gopkg.in/yaml.v3 v3.0.1
 	gotest.tools/v3 v3.5.2
 	stash.kopano.io/kgol/rndm v1.1.2
 )
@@ -140,13 +141,13 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bitly/go-simplejson v0.5.0 // indirect
 	github.com/bits-and-blooms/bitset v1.22.0 // indirect
-	github.com/blevesearch/bleve_index_api v1.2.10 // indirect
+	github.com/blevesearch/bleve_index_api v1.2.11 // indirect
 	github.com/blevesearch/geo v0.2.4 // indirect
-	github.com/blevesearch/go-faiss v1.0.25 // indirect
+	github.com/blevesearch/go-faiss v1.0.26 // indirect
 	github.com/blevesearch/go-porterstemmer v1.0.3 // indirect
 	github.com/blevesearch/gtreap v0.1.1 // indirect
 	github.com/blevesearch/mmap-go v1.0.4 // indirect
-	github.com/blevesearch/scorch_segment_api/v2 v2.3.12 // indirect
+	github.com/blevesearch/scorch_segment_api/v2 v2.3.13 // indirect
 	github.com/blevesearch/segment v0.9.1 // indirect
 	github.com/blevesearch/snowballstem v0.9.0 // indirect
 	github.com/blevesearch/upsidedown_store_api v1.0.2 // indirect
@@ -156,21 +157,24 @@ require (
 	github.com/blevesearch/zapx/v13 v13.4.2 // indirect
 	github.com/blevesearch/zapx/v14 v14.4.2 // indirect
 	github.com/blevesearch/zapx/v15 v15.4.2 // indirect
-	github.com/blevesearch/zapx/v16 v16.2.6 // indirect
+	github.com/blevesearch/zapx/v16 v16.2.7 // indirect
 	github.com/bluele/gcache v0.0.2 // indirect
 	github.com/bombsimon/logrusr/v3 v3.1.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
-	github.com/ceph/go-ceph v0.35.0 // indirect
+	github.com/ceph/go-ceph v0.36.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cevaris/ordered_map v0.0.0-20190319150403-3adeae072e73 // indirect
+	github.com/clipperhouse/displaywidth v0.3.1 // indirect
+	github.com/clipperhouse/stringish v0.1.1 // indirect
+	github.com/clipperhouse/uax29/v2 v2.2.0 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/containerd/platforms v1.0.0-rc.1 // indirect
+	github.com/containerd/platforms v1.0.0-rc.2 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
-	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
+	github.com/coreos/go-systemd/v22 v22.6.0 // indirect
 	github.com/cornelk/hashmap v1.0.8 // indirect
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
@@ -186,7 +190,7 @@ require (
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/dlclark/regexp2 v1.4.0 // indirect
-	github.com/docker/docker v28.3.3+incompatible // indirect
+	github.com/docker/docker v28.5.1+incompatible // indirect
 	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
@@ -230,15 +234,16 @@ require (
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/goccy/go-yaml v1.18.0 // indirect
 	github.com/gofrs/flock v0.13.0 // indirect
+	github.com/gofrs/uuid v4.4.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
-	github.com/gomodule/redigo v1.9.2 // indirect
+	github.com/gomodule/redigo v1.9.3 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/go-tpm v0.9.5 // indirect
+	github.com/google/go-tpm v0.9.6 // indirect
 	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
-	github.com/google/renameio/v2 v2.0.0 // indirect
+	github.com/google/renameio/v2 v2.0.1 // indirect
 	github.com/gookit/goutil v0.7.1 // indirect
 	github.com/gorilla/handlers v1.5.1 // indirect
 	github.com/gorilla/schema v1.4.1 // indirect
@@ -255,16 +260,18 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/juliangruber/go-intersect v1.1.0 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/compress v1.18.1 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.11 // indirect
-	github.com/kovidgoyal/go-parallel v1.0.1 // indirect
+	github.com/klauspost/crc32 v1.3.0 // indirect
+	github.com/kovidgoyal/go-parallel v1.1.1 // indirect
+	github.com/kovidgoyal/go-shm v1.0.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.4 // indirect
 	github.com/lestrrat-go/dsig v1.0.0 // indirect
 	github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
 	github.com/lestrrat-go/httprc/v3 v3.0.1 // indirect
-	github.com/lestrrat-go/jwx/v3 v3.0.11 // indirect
+	github.com/lestrrat-go/jwx/v3 v3.0.12 // indirect
 	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/lestrrat-go/option/v2 v2.0.0 // indirect
 	github.com/libregraph/oidc-go v1.1.0 // indirect
@@ -275,16 +282,16 @@ require (
 	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/mattn/go-runewidth v0.0.19 // indirect
 	github.com/mattn/go-sqlite3 v1.14.32 // indirect
 	github.com/maxymania/go-system v0.0.0-20170110133659-647cc364bf0b // indirect
 	github.com/mendsley/gojwk v0.0.0-20141217222730-4d5ec6e58103 // indirect
 	github.com/miekg/dns v1.1.57 // indirect
 	github.com/mileusna/useragent v1.3.5 // indirect
-	github.com/minio/crc64nvme v1.0.2 // indirect
-	github.com/minio/highwayhash v1.0.3 // indirect
+	github.com/minio/crc64nvme v1.1.0 // indirect
+	github.com/minio/highwayhash v1.0.4-0.20251030100505-070ab1a87a76 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
-	github.com/minio/minio-go/v7 v7.0.95 // indirect
+	github.com/minio/minio-go/v7 v7.0.97 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
@@ -295,7 +302,7 @@ require (
 	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/mschoch/smat v0.2.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
@@ -303,8 +310,9 @@ require (
 	github.com/nats-io/nkeys v0.4.11 // indirect
 	github.com/nats-io/nuid v1.0.1 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
+	github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect
 	github.com/olekukonko/errors v1.1.0 // indirect
-	github.com/olekukonko/ll v0.0.9 // indirect
+	github.com/olekukonko/ll v0.1.2 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
@@ -312,24 +320,28 @@ require (
 	github.com/pablodz/inotifywaitgo v0.0.9 // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/philhofer/fwd v1.2.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.15 // indirect
 	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/pquerna/cachecontrol v0.2.0 // indirect
-	github.com/prometheus/alertmanager v0.28.1 // indirect
+	github.com/prometheus/alertmanager v0.29.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/common v0.67.1 // indirect
 	github.com/prometheus/procfs v0.17.0 // indirect
 	github.com/prometheus/statsd_exporter v0.22.8 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 // indirect
-	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rs/xid v1.6.0 // indirect
 	github.com/russellhaering/goxmldsig v1.5.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/rwcarlsen/goexif v0.0.0-20190401172101-9e8deecbddbd // indirect
-	github.com/segmentio/asm v1.2.0 // indirect
+	github.com/sagikazarmark/locafero v0.11.0 // indirect
+	github.com/samber/lo v1.51.0 // indirect
+	github.com/samber/slog-common v0.19.0 // indirect
+	github.com/samber/slog-zerolog/v2 v2.9.0 // indirect
+	github.com/segmentio/asm v1.2.1 // indirect
 	github.com/segmentio/kafka-go v0.4.49 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
 	github.com/sercand/kuberesolver/v5 v5.1.1 // indirect
@@ -341,10 +353,12 @@ require (
 	github.com/shurcooL/httpfs v0.0.0-20230704072500-f1e31cf0ba5c // indirect
 	github.com/shurcooL/vfsgen v0.0.0-20230704071429-0000e147ea92 // indirect
 	github.com/skeema/knownhosts v1.3.0 // indirect
+	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
 	github.com/spacewander/go-suffix-tree v0.0.0-20191010040751-0865e368c784 // indirect
-	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/spf13/cast v1.10.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/studio-b12/gowebdav v0.9.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/tchap/go-patricia/v2 v2.3.3 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
@@ -353,8 +367,9 @@ require (
 	github.com/tklauser/numcpus v0.8.0 // indirect
 	github.com/toorop/go-dkim v0.0.0-20201103131630-e1cd1a0a5208 // indirect
 	github.com/trustelem/zxcvbn v1.0.1 // indirect
+	github.com/urfave/cli/v2 v2.27.7 // indirect
 	github.com/valyala/fastjson v1.6.4 // indirect
-	github.com/vektah/gqlparser/v2 v2.5.30 // indirect
+	github.com/vektah/gqlparser/v2 v2.5.31 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/wk8/go-ordered-map v1.0.0 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
@@ -363,28 +378,27 @@ require (
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
-	go.etcd.io/etcd/api/v3 v3.6.5 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.6.5 // indirect
-	go.etcd.io/etcd/client/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/api/v3 v3.6.6 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.6.6 // indirect
+	go.etcd.io/etcd/client/v3 v3.6.6 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 // indirect
 	go.opentelemetry.io/otel/metric v1.38.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.7.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/mod v0.28.0 // indirect
-	golang.org/x/sys v0.37.0 // indirect
-	golang.org/x/time v0.13.0 // indirect
-	golang.org/x/tools v0.37.0 // indirect
+	golang.org/x/mod v0.30.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/time v0.14.0 // indirect
+	golang.org/x/tools v0.39.0 // indirect
 	google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250929231259-57b25ae835d4 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
 	gopkg.in/cenkalti/backoff.v1 v1.1.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )

@@ -399,3 +413,6 @@ replace go-micro.dev/v4 => github.com/butonic/go-micro/v4 v4.11.1-0.202411151126
 exclude github.com/mattn/go-sqlite3 v2.0.3+incompatible

 replace github.com/go-micro/plugins/v4/store/nats-js-kv => github.com/opencloud-eu/go-micro-plugins/v4/store/nats-js-kv v0.0.0-20250512152754-23325793059a
+
+// to get the logger injection (https://github.com/pablodz/inotifywaitgo/pull/11)
+replace github.com/pablodz/inotifywaitgo v0.0.9 => github.com/opencloud-eu/inotifywaitgo v0.0.0-20251111171128-a390bae3c5e9
--- a/go.sum
+++ b/go.sum
@@ -72,8 +72,8 @@ github.com/CiscoM31/godata v1.0.11 h1:w7y8twuW02LdH6mak3/GJ5i0GrCv2IoZUJVqa/g5Ye
 github.com/CiscoM31/godata v1.0.11/go.mod h1:ZMiT6JuD3Rm83HEtiTx4JEChsd25YCrxchKGag/sdTc=
 github.com/DeepDiver1975/secure v0.0.0-20240611112133-abc838fb797c h1:ocsNvQ2tNHme4v/lTs17HROamc7mFzZfzWcg4m+UXN0=
 github.com/DeepDiver1975/secure v0.0.0-20240611112133-abc838fb797c/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
-github.com/KimMachineGun/automemlimit v0.7.4 h1:UY7QYOIfrr3wjjOAqahFmC3IaQCLWvur9nmfIn6LnWk=
-github.com/KimMachineGun/automemlimit v0.7.4/go.mod h1:QZxpHaGOQoYvFhv/r4u3U0JTC2ZcOwbSr11UZF46UBM=
+github.com/KimMachineGun/automemlimit v0.7.5 h1:RkbaC0MwhjL1ZuBKunGDjE/ggwAX43DwZrJqVwyveTk=
+github.com/KimMachineGun/automemlimit v0.7.5/go.mod h1:QZxpHaGOQoYvFhv/r4u3U0JTC2ZcOwbSr11UZF46UBM=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
@@ -151,22 +151,22 @@ github.com/bits-and-blooms/bitset v1.12.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6
 github.com/bits-and-blooms/bitset v1.22.0 h1:Tquv9S8+SGaS3EhyA+up3FXzmkhxPGjQQCkcs2uw7w4=
 github.com/bits-and-blooms/bitset v1.22.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
-github.com/blevesearch/bleve/v2 v2.5.4 h1:1iur8e+PHsxtncV2xIVuqlQme/V8guEDO2uV6Wll3lQ=
-github.com/blevesearch/bleve/v2 v2.5.4/go.mod h1:yB4PnV4N2q5rTEpB2ndG8N2ISexBQEFIYgwx4ztfvoo=
-github.com/blevesearch/bleve_index_api v1.2.10 h1:FMFmZCmTX6PdoLLvwUnKF2RsmILFFwO3h0WPevXY9fE=
-github.com/blevesearch/bleve_index_api v1.2.10/go.mod h1:rKQDl4u51uwafZxFrPD1R7xFOwKnzZW7s/LSeK4lgo0=
+github.com/blevesearch/bleve/v2 v2.5.5 h1:lzC89QUCco+y1qBnJxGqm4AbtsdsnlUvq0kXok8n3C8=
+github.com/blevesearch/bleve/v2 v2.5.5/go.mod h1:t5WoESS5TDteTdnjhhvpA1BpLYErOBX2IQViTMLK7wo=
+github.com/blevesearch/bleve_index_api v1.2.11 h1:bXQ54kVuwP8hdrXUSOnvTQfgK0KI1+f9A0ITJT8tX1s=
+github.com/blevesearch/bleve_index_api v1.2.11/go.mod h1:rKQDl4u51uwafZxFrPD1R7xFOwKnzZW7s/LSeK4lgo0=
 github.com/blevesearch/geo v0.2.4 h1:ECIGQhw+QALCZaDcogRTNSJYQXRtC8/m8IKiA706cqk=
 github.com/blevesearch/geo v0.2.4/go.mod h1:K56Q33AzXt2YExVHGObtmRSFYZKYGv0JEN5mdacJJR8=
-github.com/blevesearch/go-faiss v1.0.25 h1:lel1rkOUGbT1CJ0YgzKwC7k+XH0XVBHnCVWahdCXk4U=
-github.com/blevesearch/go-faiss v1.0.25/go.mod h1:OMGQwOaRRYxrmeNdMrXJPvVx8gBnvE5RYrr0BahNnkk=
+github.com/blevesearch/go-faiss v1.0.26 h1:4dRLolFgjPyjkaXwff4NfbZFdE/dfywbzDqporeQvXI=
+github.com/blevesearch/go-faiss v1.0.26/go.mod h1:OMGQwOaRRYxrmeNdMrXJPvVx8gBnvE5RYrr0BahNnkk=
 github.com/blevesearch/go-porterstemmer v1.0.3 h1:GtmsqID0aZdCSNiY8SkuPJ12pD4jI+DdXTAn4YRcHCo=
 github.com/blevesearch/go-porterstemmer v1.0.3/go.mod h1:angGc5Ht+k2xhJdZi511LtmxuEf0OVpvUUNrwmM1P7M=
 github.com/blevesearch/gtreap v0.1.1 h1:2JWigFrzDMR+42WGIN/V2p0cUvn4UP3C4Q5nmaZGW8Y=
 github.com/blevesearch/gtreap v0.1.1/go.mod h1:QaQyDRAT51sotthUWAH4Sj08awFSSWzgYICSZ3w0tYk=
 github.com/blevesearch/mmap-go v1.0.4 h1:OVhDhT5B/M1HNPpYPBKIEJaD0F3Si+CrEKULGCDPWmc=
 github.com/blevesearch/mmap-go v1.0.4/go.mod h1:EWmEAOmdAS9z/pi/+Toxu99DnsbhG1TIxUoRmJw/pSs=
-github.com/blevesearch/scorch_segment_api/v2 v2.3.12 h1:GGZc2qwbyRBwtckPPkHkLyXw64mmsLJxdturBI1cM+c=
-github.com/blevesearch/scorch_segment_api/v2 v2.3.12/go.mod h1:JBRGAneqgLSI2+jCNjtwMqp2B7EBF3/VUzgDPIU33MM=
+github.com/blevesearch/scorch_segment_api/v2 v2.3.13 h1:ZPjv/4VwWvHJZKeMSgScCapOy8+DdmsmRyLmSB88UoY=
+github.com/blevesearch/scorch_segment_api/v2 v2.3.13/go.mod h1:ENk2LClTehOuMS8XzN3UxBEErYmtwkE7MAArFTXs9Vc=
 github.com/blevesearch/segment v0.9.1 h1:+dThDy+Lvgj5JMxhmOVlgFfkUtZV2kw49xax4+jTfSU=
 github.com/blevesearch/segment v0.9.1/go.mod h1:zN21iLm7+GnBHWTao9I+Au/7MBiL8pPFtJBJTsk6kQw=
 github.com/blevesearch/snowballstem v0.9.0 h1:lMQ189YspGP6sXvZQ4WZ+MLawfV8wOmPoD/iWeNXm8s=
@@ -185,8 +185,8 @@ github.com/blevesearch/zapx/v14 v14.4.2 h1:2SGHakVKd+TrtEqpfeq8X+So5PShQ5nW6GNxT
 github.com/blevesearch/zapx/v14 v14.4.2/go.mod h1:rz0XNb/OZSMjNorufDGSpFpjoFKhXmppH9Hi7a877D8=
 github.com/blevesearch/zapx/v15 v15.4.2 h1:sWxpDE0QQOTjyxYbAVjt3+0ieu8NCE0fDRaFxEsp31k=
 github.com/blevesearch/zapx/v15 v15.4.2/go.mod h1:1pssev/59FsuWcgSnTa0OeEpOzmhtmr/0/11H0Z8+Nw=
-github.com/blevesearch/zapx/v16 v16.2.6 h1:OHuUl2GhM+FpBq9RwNsJ4k/QodqbMMHoQEgn/IHYpu8=
-github.com/blevesearch/zapx/v16 v16.2.6/go.mod h1:cuAPB+YoIyRngNhno1S1GPr9SfMk+x/SgAHBLXSIq3k=
+github.com/blevesearch/zapx/v16 v16.2.7 h1:xcgFRa7f/tQXOwApVq7JWgPYSlzyUMmkuYa54tMDuR0=
+github.com/blevesearch/zapx/v16 v16.2.7/go.mod h1:murSoCJPCk25MqURrcJaBQ1RekuqSCSfMjXH4rHyA14=
 github.com/bluele/gcache v0.0.2 h1:WcbfdXICg7G/DGBh1PFfcirkWOQV+v077yF1pSy3DGw=
 github.com/bluele/gcache v0.0.2/go.mod h1:m15KV+ECjptwSPxKhOhQoAFQVtUFjTVkc3H8o0t/fp0=
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 h1:DDGfHa7BWjL4YnC6+E63dPcxHo2sUxDIu8g3QgEJdRY=
@@ -198,8 +198,8 @@ github.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/
 github.com/bufbuild/protocompile v0.14.1/go.mod h1:ppVdAIhbr2H8asPk6k4pY7t9zB1OU5DoEw9xY/FUi1c=
 github.com/butonic/go-micro/v4 v4.11.1-0.20241115112658-b5d4de5ed9b3 h1:h8Z0hBv5tg/uZMKu8V47+DKWYVQg0lYP8lXDQq7uRpE=
 github.com/butonic/go-micro/v4 v4.11.1-0.20241115112658-b5d4de5ed9b3/go.mod h1:eE/tD53n3KbVrzrWxKLxdkGw45Fg1qaNLWjpJMvIUF4=
-github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA=
-github.com/bytecodealliance/wasmtime-go/v3 v3.0.2/go.mod h1:RnUjnIXxEJcL6BgCvNyzCCRzZcxCgsZCi+RNlvYor5Q=
+github.com/bytecodealliance/wasmtime-go/v39 v39.0.1 h1:RibaT47yiyCRxMOj/l2cvL8cWiWBSqDXHyqsa9sGcCE=
+github.com/bytecodealliance/wasmtime-go/v39 v39.0.1/go.mod h1:miR4NYIEBXeDNamZIzpskhJ0z/p8al+lwMWylQ/ZJb4=
 github.com/c-bata/go-prompt v0.2.5/go.mod h1:vFnjEGDIIA/Lib7giyE4E9c50Lvl8j0S+7FVlAwDAVw=
 github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
 github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
@@ -210,8 +210,8 @@ github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1x
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/ceph/go-ceph v0.35.0 h1:wcDUbsjeNJ7OfbWCE7I5prqUL794uXchopw3IvrGQkk=
-github.com/ceph/go-ceph v0.35.0/go.mod h1:ILF8WKhQQ2p2YuX1oWigkmsfT39U8T/HS2NrqxExq2s=
+github.com/ceph/go-ceph v0.36.0 h1:IDE4vEF+4fmjve+CPjD1WStgfQ+Lh6vD+9PMUI712KI=
+github.com/ceph/go-ceph v0.36.0/go.mod h1:fGCbndVDLuHW7q2954d6y+tgPFOBnRLqJRe2YXyngw4=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -223,6 +223,12 @@ github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWR
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/clipperhouse/displaywidth v0.3.1 h1:k07iN9gD32177o1y4O1jQMzbLdCrsGJh+blirVYybsk=
+github.com/clipperhouse/displaywidth v0.3.1/go.mod h1:tgLJKKyaDOCadywag3agw4snxS5kYEuYR6Y9+qWDDYM=
+github.com/clipperhouse/stringish v0.1.1 h1:+NSqMOr3GR6k1FdRhhnXrLfztGzuG+VuFDfatpWHKCs=
+github.com/clipperhouse/stringish v0.1.1/go.mod h1:v/WhFtE1q0ovMta2+m+UbpZ+2/HEXNWYXQgCt4hdOzA=
+github.com/clipperhouse/uax29/v2 v2.2.0 h1:ChwIKnQN3kcZteTXMgb1wztSgaU+ZemkgWdohwgs8tY=
+github.com/clipperhouse/uax29/v2 v2.2.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
 github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
 github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/cloudflare/cloudflare-go v0.14.0/go.mod h1:EnwdgGMaFOruiPZRFSgn+TsQ3hQ7C/YWzIGLeu5c304=
@@ -233,18 +239,19 @@ github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151X
 github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/containerd/platforms v1.0.0-rc.1 h1:83KIq4yy1erSRgOVHNk1HYdPvzdJ5CnsWaRoJX4C41E=
-github.com/containerd/platforms v1.0.0-rc.1/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4=
+github.com/containerd/platforms v1.0.0-rc.2 h1:0SPgaNZPVWGEi4grZdV8VRYQn78y+nm6acgLGv/QzE4=
+github.com/containerd/platforms v1.0.0-rc.2/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/go-oidc/v3 v3.16.0 h1:qRQUCFstKpXwmEjDQTIbyY/5jF00+asXzSkmkoa/mow=
-github.com/coreos/go-oidc/v3 v3.16.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
+github.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc=
+github.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/coreos/go-systemd/v22 v22.6.0 h1:aGVa/v8B7hpb0TKl0MWoAavPDmHvobFe5R5zn0bCJWo=
+github.com/coreos/go-systemd/v22 v22.6.0/go.mod h1:iG+pp635Fo7ZmV/j14KUcmEyWF+0X7Lua8rrTWzYgWU=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cornelk/hashmap v1.0.8 h1:nv0AWgw02n+iDcawr5It4CjQIAcdMMKRrs10HOJYlrc=
 github.com/cornelk/hashmap v1.0.8/go.mod h1:RfZb7JO3RviW/rT6emczVuC/oxpdz4UsSB2LJSclR1k=
@@ -303,8 +310,8 @@ github.com/dlclark/regexp2 v1.4.0 h1:F1rxgk7p4uKjwIQxBs9oAXe5CqrXlCduYEJvrF4u93E
 github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
 github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E=
 github.com/dnsimple/dnsimple-go v0.63.0/go.mod h1:O5TJ0/U6r7AfT8niYNlmohpLbCSG+c71tQlGr9SeGrg=
-github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI=
-github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v28.5.1+incompatible h1:Bm8DchhSD2J6PsFzxC35TZo4TLGR2PdW/E69rU45NhM=
+github.com/docker/docker v28.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
 github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@@ -345,12 +352,14 @@ github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8
 github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
 github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI=
 github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/gabriel-vasile/mimetype v1.4.10 h1:zyueNbySn/z8mJZHLt6IPw0KoZsiQNszIpU+bX4+ZK0=
-github.com/gabriel-vasile/mimetype v1.4.10/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gabriel-vasile/mimetype v1.4.11 h1:AQvxbp830wPhHTqc1u7nzoLT+ZFxGY7emj5DR5DYFik=
+github.com/gabriel-vasile/mimetype v1.4.11/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/gdexlab/go-render v1.0.1 h1:rxqB3vo5s4n1kF0ySmoNeSPRYkEsyHgln4jFIQY7v0U=
 github.com/gdexlab/go-render v1.0.1/go.mod h1:wRi5nW2qfjiGj4mPukH4UV0IknS1cHD4VgFTmJX5JzM=
 github.com/getkin/kin-openapi v0.13.0/go.mod h1:WGRs2ZMM1Q8LR1QBEwUxC6RJEfaBcD0s+pcEVXFuAjw=
@@ -502,8 +511,9 @@ github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4er
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
@@ -536,8 +546,8 @@ github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8l
 github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golangci/lint-1 v0.0.0-20181222135242-d2cdd8c08219/go.mod h1:/X8TswGSh1pIozq4ZwCfxS0WA5JGXguxk94ar/4c87Y=
-github.com/gomodule/redigo v1.9.2 h1:HrutZBLhSIU8abiSfW8pj8mPhOyMYjZT/wcA4/L9L9s=
-github.com/gomodule/redigo v1.9.2/go.mod h1:KsU3hiK/Ay8U42qpaJk+kuNa3C+spxapWpM+ywhcgtw=
+github.com/gomodule/redigo v1.9.3 h1:dNPSXeXv6HCq2jdyWfjgmhBdqnR6PRO3m/G05nvpPC8=
+github.com/gomodule/redigo v1.9.3/go.mod h1:KsU3hiK/Ay8U42qpaJk+kuNa3C+spxapWpM+ywhcgtw=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/flatbuffers v25.2.10+incompatible h1:F3vclr7C3HpB1k9mxCGRMXq6FdUalZ6H/pNX4FP1v0Q=
@@ -565,8 +575,8 @@ github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/go-tika v0.3.1 h1:l+jr10hDhZjcgxFRfcQChRLo1bPXQeLFluMyvDhXTTA=
 github.com/google/go-tika v0.3.1/go.mod h1:DJh5N8qxXIl85QkqmXknd+PeeRkUOTbvwyYf7ieDz6c=
-github.com/google/go-tpm v0.9.5 h1:ocUmnDebX54dnW+MQWGQRbdaAcJELsa6PqZhJ48KwVU=
-github.com/google/go-tpm v0.9.5/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
+github.com/google/go-tpm v0.9.6 h1:Ku42PT4LmjDu1H5C5ISWLlpI1mj+Zq7sPGKoRw2XROA=
+github.com/google/go-tpm v0.9.6/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@@ -580,8 +590,8 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
 github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
-github.com/google/renameio/v2 v2.0.0 h1:UifI23ZTGY8Tt29JbYFiuyIU3eX+RNFtUwefq9qAhxg=
-github.com/google/renameio/v2 v2.0.0/go.mod h1:BtmJXm5YlszgC+TD4HOEEUFgkJP3nLxehU6hfe7jRt4=
+github.com/google/renameio/v2 v2.0.1 h1:HyOM6qd9gF9sf15AvhbptGHUnaLTpEI9akAFFU3VyW0=
+github.com/google/renameio/v2 v2.0.1/go.mod h1:BtmJXm5YlszgC+TD4HOEEUFgkJP3nLxehU6hfe7jRt4=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -718,21 +728,25 @@ github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
-github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/klauspost/compress v1.18.1 h1:bcSGx7UbpBqMChDtsF28Lw6v/G94LPrrbMbdC3JH2co=
+github.com/klauspost/compress v1.18.1/go.mod h1:ZQFFVG+MdnR0P+l6wpXgIL4NTtwiKIdBnrBd8Nrxr+0=
 github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.2.11 h1:0OwqZRYI2rFrjS4kvkDnqJkKHdHaRnCm68/DY4OxRzU=
 github.com/klauspost/cpuid/v2 v2.2.11/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
+github.com/klauspost/crc32 v1.3.0 h1:sSmTt3gUt81RP655XGZPElI0PelVTZ6YwCRnPSupoFM=
+github.com/klauspost/crc32 v1.3.0/go.mod h1:D7kQaZhnkX/Y0tstFGf8VUzv2UofNGqCjnC3zdHB0Hw=
 github.com/kobergj/gowebdav v0.0.0-20250102091030-aa65266db202 h1:A1xJ2NKgiYFiaHiLl9B5yw/gUBACSs9crDykTS3GuQI=
 github.com/kobergj/gowebdav v0.0.0-20250102091030-aa65266db202/go.mod h1:bHA7t77X/QFExdeAnDzK6vKM34kEZAcE1OX4MfiwjkE=
 github.com/kolo/xmlrpc v0.0.0-20200310150728-e0350524596b/go.mod h1:o03bZfuBwAXHetKXuInt4S7omeXUu62/A845kiycsSQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/kovidgoyal/go-parallel v1.0.1 h1:nYUjN+EdpbmQjTg3N5eTUInuXTB3/1oD2vHdaMfuHoI=
-github.com/kovidgoyal/go-parallel v1.0.1/go.mod h1:BJNIbe6+hxyFWv7n6oEDPj3PA5qSw5OCtf0hcVxWJiw=
-github.com/kovidgoyal/imaging v1.7.2 h1:mmT6k6Az3mC6dbqdZ6Q9KQCdZFWTAQ+q97NyGZgJ/2c=
-github.com/kovidgoyal/imaging v1.7.2/go.mod h1:GdkCORjfZMMGFY0Pb7TDmRhj7PDhxF/QShKukSCj0VU=
+github.com/kovidgoyal/go-parallel v1.1.1 h1:1OzpNjtrUkBPq3UaqrnvOoB2F9RttSt811uiUXyI7ok=
+github.com/kovidgoyal/go-parallel v1.1.1/go.mod h1:BJNIbe6+hxyFWv7n6oEDPj3PA5qSw5OCtf0hcVxWJiw=
+github.com/kovidgoyal/go-shm v1.0.0 h1:HJEel9D1F9YhULvClEHJLawoRSj/1u/EDV7MJbBPgQo=
+github.com/kovidgoyal/go-shm v1.0.0/go.mod h1:Yzb80Xf9L3kaoB2RGok9hHwMIt7Oif61kT6t3+VnZds=
+github.com/kovidgoyal/imaging v1.8.17 h1:IDc7lbN2Qrn8s50y7Zt355HhOc+jUpvsScYAaGCW8vs=
+github.com/kovidgoyal/imaging v1.8.17/go.mod h1:uD4XKN42lLV9du0TsPkwi53yw23vz/qDmfpiDWCSUCE=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -763,8 +777,8 @@ github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZ
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
 github.com/lestrrat-go/httprc/v3 v3.0.1 h1:3n7Es68YYGZb2Jf+k//llA4FTZMl3yCwIjFIk4ubevI=
 github.com/lestrrat-go/httprc/v3 v3.0.1/go.mod h1:2uAvmbXE4Xq8kAUjVrZOq1tZVYYYs5iP62Cmtru00xk=
-github.com/lestrrat-go/jwx/v3 v3.0.11 h1:yEeUGNUuNjcez/Voxvr7XPTYNraSQTENJgtVTfwvG/w=
-github.com/lestrrat-go/jwx/v3 v3.0.11/go.mod h1:XSOAh2SiXm0QgRe3DulLZLyt+wUuEdFo81zuKTLcvgQ=
+github.com/lestrrat-go/jwx/v3 v3.0.12 h1:p25r68Y4KrbBdYjIsQweYxq794CtGCzcrc5dGzJIRjg=
+github.com/lestrrat-go/jwx/v3 v3.0.12/go.mod h1:HiUSaNmMLXgZ08OmGBaPVvoZQgJVOQphSrGr5zMamS8=
 github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
 github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lestrrat-go/option/v2 v2.0.0 h1:XxrcaJESE1fokHy3FpaQ/cXW8ZsIdWcdFzzLOcID3Ss=
@@ -818,8 +832,8 @@ github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D
 github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
-github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
-github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-runewidth v0.0.19 h1:v++JhqYnZuu5jSKrk9RbgF5v4CGUjqRfBm05byFGLdw=
+github.com/mattn/go-runewidth v0.0.19/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
 github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuErjs=
 github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mattn/go-tty v0.0.0-20180219170247-931426f7535a/go.mod h1:XPvLUNfbS4fJH25nqRHfWLMa1ONC8Amw+mIA639KxkE=
@@ -837,14 +851,14 @@ github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
 github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
 github.com/mileusna/useragent v1.3.5 h1:SJM5NzBmh/hO+4LGeATKpaEX9+b4vcGg2qXGLiNGDws=
 github.com/mileusna/useragent v1.3.5/go.mod h1:3d8TOmwL/5I8pJjyVDteHtgDGcefrFUX4ccGOMKNYYc=
-github.com/minio/crc64nvme v1.0.2 h1:6uO1UxGAD+kwqWWp7mBFsi5gAse66C4NXO8cmcVculg=
-github.com/minio/crc64nvme v1.0.2/go.mod h1:eVfm2fAzLlxMdUGc0EEBGSMmPwmXD5XiNRpnu9J3bvg=
-github.com/minio/highwayhash v1.0.3 h1:kbnuUMoHYyVl7szWjSxJnxw11k2U709jqFPPmIUyD6Q=
-github.com/minio/highwayhash v1.0.3/go.mod h1:GGYsuwP/fPD6Y9hMiXuapVvlIUEhFhMTh0rxU3ik1LQ=
+github.com/minio/crc64nvme v1.1.0 h1:e/tAguZ+4cw32D+IO/8GSf5UVr9y+3eJcxZI2WOO/7Q=
+github.com/minio/crc64nvme v1.1.0/go.mod h1:eVfm2fAzLlxMdUGc0EEBGSMmPwmXD5XiNRpnu9J3bvg=
+github.com/minio/highwayhash v1.0.4-0.20251030100505-070ab1a87a76 h1:KGuD/pM2JpL9FAYvBrnBBeENKZNh6eNtjqytV6TYjnk=
+github.com/minio/highwayhash v1.0.4-0.20251030100505-070ab1a87a76/go.mod h1:GGYsuwP/fPD6Y9hMiXuapVvlIUEhFhMTh0rxU3ik1LQ=
 github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
 github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
-github.com/minio/minio-go/v7 v7.0.95 h1:ywOUPg+PebTMTzn9VDsoFJy32ZuARN9zhB+K3IYEvYU=
-github.com/minio/minio-go/v7 v7.0.95/go.mod h1:wOOX3uxS334vImCNRVyIDdXX9OsXDm89ToynKgqUKlo=
+github.com/minio/minio-go/v7 v7.0.97 h1:lqhREPyfgHTB/ciX8k2r8k0D93WaFqxbJX36UZq5occ=
+github.com/minio/minio-go/v7 v7.0.97/go.mod h1:re5VXuo0pwEtoNLsNuSr0RrLfT/MBtohwdaSmPPSRSk=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
@@ -884,8 +898,9 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw=
 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
@@ -899,8 +914,8 @@ github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRW
 github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04/go.mod h1:5sN+Lt1CaY4wsPvgQH/jsuJi4XO2ssZbdsIizr4CVC8=
 github.com/nats-io/jwt/v2 v2.8.0 h1:K7uzyz50+yGZDO5o772eRE7atlcSEENpL7P+b74JV1g=
 github.com/nats-io/jwt/v2 v2.8.0/go.mod h1:me11pOkwObtcBNR8AiMrUbtVOUGkqYjMQZ6jnSdVUIA=
-github.com/nats-io/nats-server/v2 v2.12.0 h1:OIwe8jZUqJFrh+hhiyKu8snNib66qsx806OslqJuo74=
-github.com/nats-io/nats-server/v2 v2.12.0/go.mod h1:nr8dhzqkP5E/lDwmn+A2CvQPMd1yDKXQI7iGg3lAvww=
+github.com/nats-io/nats-server/v2 v2.12.2 h1:4TEQd0Y4zvcW0IsVxjlXnRso1hBkQl3TS0BI+SxgPhE=
+github.com/nats-io/nats-server/v2 v2.12.2/go.mod h1:j1AAttYeu7WnvD8HLJ+WWKNMSyxsqmZ160pNtCQRMyE=
 github.com/nats-io/nats.go v1.47.0 h1:YQdADw6J/UfGUd2Oy6tn4Hq6YHxCaJrVKayxxFqYrgM=
 github.com/nats-io/nats.go v1.47.0/go.mod h1:iRWIPokVIFbVijxuMQq4y9ttaBTMe0SFdlZfMDd+33g=
 github.com/nats-io/nkeys v0.4.11 h1:q44qGV008kYd9W1b1nEBkNzvnWxtRSQ7A8BoqRrcfa0=
@@ -921,13 +936,15 @@ github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+
 github.com/oklog/run v1.2.0 h1:O8x3yXwah4A73hJdlrwo/2X6J62gE5qTMusH0dvz60E=
 github.com/oklog/run v1.2.0/go.mod h1:mgDbKRSwPhJfesJ4PntqFUbKQRZ50NgmZTSPlFA0YFk=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
+github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 h1:zrbMGy9YXpIeTnGj4EljqMiZsIcE09mmF8XsD5AYOJc=
+github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6/go.mod h1:rEKTHC9roVVicUIfZK7DYrdIoM0EOr8mK1Hj5s3JjH0=
 github.com/olekukonko/errors v1.1.0 h1:RNuGIh15QdDenh+hNvKrJkmxxjV4hcS50Db478Ou5sM=
 github.com/olekukonko/errors v1.1.0/go.mod h1:ppzxA5jBKcO1vIpCXQ9ZqgDh8iwODz6OXIGKU8r5m4Y=
-github.com/olekukonko/ll v0.0.9 h1:Y+1YqDfVkqMWuEQMclsF9HUR5+a82+dxJuL1HHSRpxI=
-github.com/olekukonko/ll v0.0.9/go.mod h1:En+sEW0JNETl26+K8eZ6/W4UQ7CYSrrgg/EdIYT2H8g=
+github.com/olekukonko/ll v0.1.2 h1:lkg/k/9mlsy0SxO5aC+WEpbdT5K83ddnNhAepz7TQc0=
+github.com/olekukonko/ll v0.1.2/go.mod h1:b52bVQRRPObe+yyBl0TxNfhesL0nedD4Cht0/zx55Ew=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
-github.com/olekukonko/tablewriter v1.1.0 h1:N0LHrshF4T39KvI96fn6GT8HEjXRXYNDrDjKFDB7RIY=
-github.com/olekukonko/tablewriter v1.1.0/go.mod h1:5c+EBPeSqvXnLLgkm9isDdzR3wjfBkHR9Nhfp3NWrzo=
+github.com/olekukonko/tablewriter v1.1.1 h1:b3reP6GCfrHwmKkYwNRFh2rxidGHcT6cgxj/sHiDDx0=
+github.com/olekukonko/tablewriter v1.1.1/go.mod h1:De/bIcTF+gpBDB3Alv3fEsZA+9unTsSzAg/ZGADCtn4=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
@@ -940,16 +957,18 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
 github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
-github.com/open-policy-agent/opa v1.9.0 h1:QWFNwbcc29IRy0xwD3hRrMc/RtSersLY1Z6TaID3vgI=
-github.com/open-policy-agent/opa v1.9.0/go.mod h1:72+lKmTda0O48m1VKAxxYl7MjP/EWFZu9fxHQK2xihs=
+github.com/open-policy-agent/opa v1.11.1 h1:4bMlG6DjRZTRAswRyF+KUCgxHu1Gsk0h9EbZ4W9REvM=
+github.com/open-policy-agent/opa v1.11.1/go.mod h1:QimuJO4T3KYxWzrmAymqlFvsIanCjKrGjmmC8GgAdgE=
 github.com/opencloud-eu/go-micro-plugins/v4/store/nats-js-kv v0.0.0-20250512152754-23325793059a h1:Sakl76blJAaM6NxylVkgSzktjo2dS504iDotEFJsh3M=
 github.com/opencloud-eu/go-micro-plugins/v4/store/nats-js-kv v0.0.0-20250512152754-23325793059a/go.mod h1:pjcozWijkNPbEtX5SIQaxEW/h8VAVZYTLx+70bmB3LY=
 github.com/opencloud-eu/icap-client v0.0.0-20250930132611-28a2afe62d89 h1:W1ms+lP5lUUIzjRGDg93WrQfZJZCaV1ZP3KeyXi8bzY=
 github.com/opencloud-eu/icap-client v0.0.0-20250930132611-28a2afe62d89/go.mod h1:vigJkNss1N2QEceCuNw/ullDehncuJNFB6mEnzfq9UI=
+github.com/opencloud-eu/inotifywaitgo v0.0.0-20251111171128-a390bae3c5e9 h1:dIftlX03Bzfbujhp9B54FbgER0VBDWJi/w8RBxJlzxU=
+github.com/opencloud-eu/inotifywaitgo v0.0.0-20251111171128-a390bae3c5e9/go.mod h1:JWyDC6H+5oZRdUJUgKuaye+8Ph5hEs6HVzVoPKzWSGI=
 github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76 h1:vD/EdfDUrv4omSFjrinT8Mvf+8D7f9g4vgQ2oiDrVUI=
 github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76/go.mod h1:pzatilMEHZFT3qV7C/X3MqOa3NlRQuYhlRhZTL+hN6Q=
-github.com/opencloud-eu/reva/v2 v2.39.2-0.20251030154544-cac8a0257da6 h1:BUrCUrRqBg04MJuhnIK4H1KNK4aebK6H/AYcHjQ0DM4=
-github.com/opencloud-eu/reva/v2 v2.39.2-0.20251030154544-cac8a0257da6/go.mod h1:Qm0CibFYrFc096OhWWL14nsGiFoE6g/4oMFHV5CqU+Q=
+github.com/opencloud-eu/reva/v2 v2.41.0 h1:oie8+sxcA+drREXRTqm0LmfUdy/mmaa6pA6wkdF6tF4=
+github.com/opencloud-eu/reva/v2 v2.41.0/go.mod h1:DGH08n2mvtsQLkt8o15FV6m51FwSJJGhjR8Ty+iIJww=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
@@ -966,8 +985,6 @@ github.com/orcaman/concurrent-map v1.0.0/go.mod h1:Lu3tH6HLW3feq74c2GC+jIMS/K2CF
 github.com/ovh/go-ovh v1.1.0/go.mod h1:AxitLZ5HBRPyUd+Zl60Ajaag+rNTdVXWIkzfrVuTXWA=
 github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c h1:rp5dCmg/yLR3mgFuSOe4oEnDDmGLROTvMragMUXpTQw=
 github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c/go.mod h1:X07ZCGwUbLaax7L0S3Tw4hpejzu63ZrrQiUe6W0hcy0=
-github.com/pablodz/inotifywaitgo v0.0.9 h1:njquRbBU7fuwIe5rEvtaniVBjwWzcpdUVptSgzFqZsw=
-github.com/pablodz/inotifywaitgo v0.0.9/go.mod h1:hAfx2oN+WKg8miwUKPs52trySpPignlRBRxWcXVHku0=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
@@ -975,6 +992,8 @@ github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58 h1:onHthvaw9LFnH4t2D
 github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58/go.mod h1:DXv8WO4yhMYhSNPKjeNKa5WY9YCIEBRbNzFFPJbWO6Y=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc=
+github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
+github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI=
 github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE=
 github.com/philhofer/fwd v1.2.0 h1:e6DnBTl7vGY+Gz322/ASL4Gyp1FspeMvx1RNDoToZuM=
@@ -1001,8 +1020,8 @@ github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:Om
 github.com/pquerna/cachecontrol v0.2.0 h1:vBXSNuE5MYP9IJ5kjsdo8uq+w41jSPgvba2DEnkRx9k=
 github.com/pquerna/cachecontrol v0.2.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
 github.com/pquerna/otp v1.3.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
-github.com/prometheus/alertmanager v0.28.1 h1:BK5pCoAtaKg01BYRUJhEDV1tqJMEtYBGzPw8QdvnnvA=
-github.com/prometheus/alertmanager v0.28.1/go.mod h1:0StpPUDDHi1VXeM7p2yYfeZgLVi/PPlt39vo9LQUHxM=
+github.com/prometheus/alertmanager v0.29.0 h1:/ET4NmAGx2Dv9kStrXIBqBgHyiSgIk4OetY+hoZRfgc=
+github.com/prometheus/alertmanager v0.29.0/go.mod h1:SjI2vhrfdWg10UaRUxTz27rgdJVG3HXrhI5WFjCdBgs=
 github.com/prometheus/client_golang v0.8.0/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
@@ -1035,8 +1054,8 @@ github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9
 github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
 github.com/prometheus/common v0.35.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA=
 github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA=
-github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
-github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/common v0.67.1 h1:OTSON1P4DNxzTg4hmKCc37o4ZAZDv0cfXLkOt0oEowI=
+github.com/prometheus/common v0.67.1/go.mod h1:RpmT9v35q2Y+lsieQsdOh5sXZ6ajUGC8NjZAmr8vb0Q=
 github.com/prometheus/procfs v0.0.0-20170703101242-e645f4e5aaa8/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
@@ -1061,9 +1080,6 @@ github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 h1:bsUq1dX0N8A
 github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/riandyrn/otelchi v0.12.2 h1:6QhGv0LVw/dwjtPd12mnNrl0oEQF4ZAlmHcnlTYbeAg=
 github.com/riandyrn/otelchi v0.12.2/go.mod h1:weZZeUJURvtCcbWsdb7Y6F8KFZGedJlSrgUjq9VirV8=
-github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
-github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
-github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
@@ -1083,10 +1099,18 @@ github.com/rwcarlsen/goexif v0.0.0-20190401172101-9e8deecbddbd h1:CmH9+J6ZSsIjUK
 github.com/rwcarlsen/goexif v0.0.0-20190401172101-9e8deecbddbd/go.mod h1:hPqNNc0+uJM6H+SuU8sEs5K5IQeKccPqeSjfgcKGgPk=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/sacloud/libsacloud v1.36.2/go.mod h1:P7YAOVmnIn3DKHqCZcUKYUXmSwGBm3yS7IBEjKVSrjg=
+github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDcg+AAIFXc=
+github.com/sagikazarmark/locafero v0.11.0/go.mod h1:nVIGvgyzw595SUSUE6tvCp3YYTeHs15MvlmU87WwIik=
+github.com/samber/lo v1.51.0 h1:kysRYLbHy/MB7kQZf5DSN50JHmMsNEdeY24VzJFu7wI=
+github.com/samber/lo v1.51.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
+github.com/samber/slog-common v0.19.0 h1:fNcZb8B2uOLooeYwFpAlKjkQTUafdjfqKcwcC89G9YI=
+github.com/samber/slog-common v0.19.0/go.mod h1:dTz+YOU76aH007YUU0DffsXNsGFQRQllPQh9XyNoA3M=
+github.com/samber/slog-zerolog/v2 v2.9.0 h1:6LkOabJmZdNLaUWkTC3IVVA+dq7b/V0FM6lz6/7+THI=
+github.com/samber/slog-zerolog/v2 v2.9.0/go.mod h1:gnQW9VnCfM34v2pRMUIGMsZOVbYLqY/v0Wxu6atSVGc=
 github.com/scaleway/scaleway-sdk-go v1.0.0-beta.7.0.20210127161313-bd30bebeac4f/go.mod h1:CJJ5VAbozOl0yEw7nHB9+7BXTJbIn6h7W+f6Gau5IP8=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
-github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
-github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
+github.com/segmentio/asm v1.2.1 h1:DTNbBqs57ioxAD4PrArqftgypG4/qNpXoJx8TVXxPR0=
+github.com/segmentio/asm v1.2.1/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
 github.com/segmentio/kafka-go v0.4.49 h1:GJiNX1d/g+kG6ljyJEoi9++PUMdXGAxb7JGPiDCuNmk=
 github.com/segmentio/kafka-go v0.4.49/go.mod h1:Y1gn60kzLEEaW28YshXyk2+VCUKbJ3Qr6DrnT3i4+9E=
 github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c=
@@ -1126,6 +1150,8 @@ github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:s
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/smartystreets/gunit v1.0.4/go.mod h1:EH5qMBab2UclzXUcpR8b93eHsIlp9u+pDQIRp5DZNzQ=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
+github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw=
+github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U=
 github.com/spacewander/go-suffix-tree v0.0.0-20191010040751-0865e368c784 h1:0jjO3HdJfOn6gYHD/ZNZh0LLMxEAqkYX7xoDPQReEgs=
 github.com/spacewander/go-suffix-tree v0.0.0-20191010040751-0865e368c784/go.mod h1:ff/5myEGgtsAwf26goQCO905GrEm5ugEZSd6OWTsrhM=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
@@ -1135,6 +1161,8 @@ github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
 github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
+github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
 github.com/spf13/cobra v1.1.1/go.mod h1:WnodtKOvamDL/PwE2M4iKs8aMDBZ5Q5klgD3qfVJQMI=
 github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
 github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
@@ -1147,6 +1175,8 @@ github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
 github.com/spf13/viper v1.7.1/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
+github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
+github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.3.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
@@ -1168,14 +1198,16 @@ github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/stvp/go-udp-testing v0.0.0-20201019212854-469649b16807/go.mod h1:7jxmlfBCDBXRzr0eAQJ48XC1hBu1np4CS5+cHEYfwpc=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
+github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
+github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/tchap/go-patricia/v2 v2.3.3 h1:xfNEsODumaEcCcY3gI0hYPZ/PcpVv5ju6RMAhgwZDDc=
 github.com/tchap/go-patricia/v2 v2.3.3/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k=
 github.com/test-go/testify v1.1.4 h1:Tf9lntrKUMHiXQ07qBScBTSA0dhYQlu83hswqelv1iE=
 github.com/test-go/testify v1.1.4/go.mod h1:rH7cfJo/47vWGdi4GPj16x3/t1xGOj2YxzmNQzk2ghU=
-github.com/testcontainers/testcontainers-go v0.39.0 h1:uCUJ5tA+fcxbFAB0uP3pIK3EJ2IjjDUHFSZ1H1UxAts=
-github.com/testcontainers/testcontainers-go v0.39.0/go.mod h1:qmHpkG7H5uPf/EvOORKvS6EuDkBUPE3zpVGaH9NL7f8=
-github.com/testcontainers/testcontainers-go/modules/opensearch v0.39.0 h1:IkJUhR8AigQxv7qHZho/OtTU6JtiSdBGVh76o175JGo=
-github.com/testcontainers/testcontainers-go/modules/opensearch v0.39.0/go.mod h1:B7AhrDmQ4QbpzA0BeWvqzaJ8vbwcdEQDzybr35sBRfw=
+github.com/testcontainers/testcontainers-go v0.40.0 h1:pSdJYLOVgLE8YdUY2FHQ1Fxu+aMnb6JfVz1mxk7OeMU=
+github.com/testcontainers/testcontainers-go v0.40.0/go.mod h1:FSXV5KQtX2HAMlm7U3APNyLkkap35zNLxukw9oBi/MY=
+github.com/testcontainers/testcontainers-go/modules/opensearch v0.40.0 h1:3TIrGk0zXyO9CG2N6APo7auwWIwAvhkwE1reISif8LM=
+github.com/testcontainers/testcontainers-go/modules/opensearch v0.40.0/go.mod h1:VA0UCTPu+Gcs7MzdzBnSl0qDnxquuphv3ngSGdX97Xs=
 github.com/thanhpk/randstr v1.0.6 h1:psAOktJFD4vV9NEVb3qkhRSMvYh4ORRaj1+w/hn4B+o=
 github.com/thanhpk/randstr v1.0.6/go.mod h1:M/H2P1eNLZzlDwAzpkkkUvoyNNMbzRGhESZuEQk3r0U=
 github.com/theckman/yacspin v0.13.12 h1:CdZ57+n0U6JMuh2xqjnjRq5Haj6v1ner2djtLQRzJr4=
@@ -1216,8 +1248,8 @@ github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXV
 github.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
 github.com/valyala/fasttemplate v1.0.1/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8=
 github.com/valyala/fasttemplate v1.1.0/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8=
-github.com/vektah/gqlparser/v2 v2.5.30 h1:EqLwGAFLIzt1wpx1IPpY67DwUujF1OfzgEyDsLrN6kE=
-github.com/vektah/gqlparser/v2 v2.5.30/go.mod h1:D1/VCZtV3LPnQrcPBeR/q5jkSQIPti0uYCP/RI0gIeo=
+github.com/vektah/gqlparser/v2 v2.5.31 h1:YhWGA1mfTjID7qJhd1+Vxhpk5HTgydrGU9IgkWBTJ7k=
+github.com/vektah/gqlparser/v2 v2.5.31/go.mod h1:c1I28gSOVNzlfc4WuDlqU7voQnsqI6OG2amkBAFmgts=
 github.com/vinyldns/go-vinyldns v0.0.0-20200917153823-148a5f6b8f14/go.mod h1:RWc47jtnVuQv6+lY3c768WtXCas/Xi+U5UFc5xULmYg=
 github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IUPn0Bjt8=
 github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok=
@@ -1259,12 +1291,12 @@ github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQ
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo=
 go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=
-go.etcd.io/etcd/api/v3 v3.6.5 h1:pMMc42276sgR1j1raO/Qv3QI9Af/AuyQUW6CBAWuntA=
-go.etcd.io/etcd/api/v3 v3.6.5/go.mod h1:ob0/oWA/UQQlT1BmaEkWQzI0sJ1M0Et0mMpaABxguOQ=
-go.etcd.io/etcd/client/pkg/v3 v3.6.5 h1:Duz9fAzIZFhYWgRjp/FgNq2gO1jId9Yae/rLn3RrBP8=
-go.etcd.io/etcd/client/pkg/v3 v3.6.5/go.mod h1:8Wx3eGRPiy0qOFMZT/hfvdos+DjEaPxdIDiCDUv/FQk=
-go.etcd.io/etcd/client/v3 v3.6.5 h1:yRwZNFBx/35VKHTcLDeO7XVLbCBFbPi+XV4OC3QJf2U=
-go.etcd.io/etcd/client/v3 v3.6.5/go.mod h1:ZqwG/7TAFZ0BJ0jXRPoJjKQJtbFo/9NIY8uoFFKcCyo=
+go.etcd.io/etcd/api/v3 v3.6.6 h1:mcaMp3+7JawWv69p6QShYWS8cIWUOl32bFLb6qf8pOQ=
+go.etcd.io/etcd/api/v3 v3.6.6/go.mod h1:f/om26iXl2wSkcTA1zGQv8reJRSLVdoEBsi4JdfMrx4=
+go.etcd.io/etcd/client/pkg/v3 v3.6.6 h1:uoqgzSOv2H9KlIF5O1Lsd8sW+eMLuV6wzE3q5GJGQNs=
+go.etcd.io/etcd/client/pkg/v3 v3.6.6/go.mod h1:YngfUVmvsvOJ2rRgStIyHsKtOt9SZI2aBJrZiWJhCbI=
+go.etcd.io/etcd/client/v3 v3.6.6 h1:G5z1wMf5B9SNexoxOHUGBaULurOZPIgGPsW6CN492ec=
+go.etcd.io/etcd/client/v3 v3.6.6/go.mod h1:36Qv6baQ07znPR3+n7t+Rk5VHEzVYPvFfGmfF4wBHV8=
 go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
 go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
@@ -1275,8 +1307,8 @@ go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 h1:YH4g8lQroajqUwWbq/tr2QX1JFmEXaDLgG+ew9bLMWo=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0/go.mod h1:fvPi2qXDqFs8M4B4fmJhE92TyQs9Ydjlg3RvfUp+NbQ=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18=
@@ -1285,14 +1317,14 @@ go.opentelemetry.io/contrib/zpages v0.63.0 h1:TppOKuZGbqXMgsfjqq3i09N5Vbo1JLtLIm
 go.opentelemetry.io/contrib/zpages v0.63.0/go.mod h1:5F8uugz75ay/MMhRRhxAXY33FuaI8dl7jTxefrIy5qk=
 go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
 go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
-go.opentelemetry.io/otel/exporters/jaeger v1.17.0 h1:D7UpUy2Xc2wsi1Ras6V40q806WM07rqoCWzXu7Sqy+4=
-go.opentelemetry.io/otel/exporters/jaeger v1.17.0/go.mod h1:nPCqOnEH9rNLKqH/+rrUjiMzHJdV1BlpKcTwRTyKkKI=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 h1:lwI4Dc5leUqENgGuQImwLo4WnuXFPetmPpkLi2IrX54=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0/go.mod h1:Kz/oCE7z5wuyhPxsXDuaPteSWqjSBD5YaSdbxZYGbGk=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 h1:aTL7F04bJHUlztTsNGJ2l+6he8c+y/b//eR0jjjemT4=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0/go.mod h1:kldtb7jDTeol0l3ewcmd8SDvx3EmIE7lyvqbasU3QC4=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0 h1:kJxSDN4SgWWTjG/hPp3O7LCGLcHXFlvS2/FFOrwL+SE=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0/go.mod h1:mgIOzS7iZeKJdeB8/NYHrJ48fdGc71Llo5bJ1J4DWUE=
 go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
 go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
 go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
@@ -1318,8 +1350,8 @@ go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20180621125126-a49355c7e3f8/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -1343,8 +1375,8 @@ golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
-golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1360,8 +1392,8 @@ golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac/go.mod h1:hH+7mtFmImwwcMvScy
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/image v0.18.0/go.mod h1:4yyo5vMFQjVjUcVk4jEQcU9MGy/rulF5WvUILseCM2E=
-golang.org/x/image v0.32.0 h1:6lZQWq75h7L5IWNk0r+SCpUJ6tUVd3v4ZHnbRKLkUDQ=
-golang.org/x/image v0.32.0/go.mod h1:/R37rrQmKXtO6tYXAjtDLwQgFLHmhW+V6ayXlxzP2Pc=
+golang.org/x/image v0.33.0 h1:LXRZRnv1+zGd5XBUVRFmYEphyyKJjQjCRiOuAP3sZfQ=
+golang.org/x/image v0.33.0/go.mod h1:DD3OsTYT9chzuzTQt+zMcOlBHgfoKQb1gry8p76Y1sc=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1386,8 +1418,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U=
-golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI=
+golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
+golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1441,8 +1473,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
-golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1450,8 +1482,8 @@ golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4Iltr
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
-golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.33.0 h1:4Q+qn+E5z8gPRJfmRy7C2gGG3T4jIprK6aSYgTXGRpo=
+golang.org/x/oauth2 v0.33.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1469,8 +1501,8 @@ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180622082034-63fc586f45fe/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1554,8 +1586,8 @@ golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
-golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -1567,8 +1599,8 @@ golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
-golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q=
-golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss=
+golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
+golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1583,16 +1615,16 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
-golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
-golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20201208040808-7e3f01d25324/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.13.0 h1:eUlYslOIt32DgYD6utsuUeHs4d7AsEYLuIAdg7FlYgI=
-golang.org/x/time v0.13.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -1647,8 +1679,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE=
-golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w=
+golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
+golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
 golang.org/x/tools/godoc v0.1.0-deprecated h1:o+aZ1BOj6Hsx/GBdJO/s815sqftjSnrZZwyYTHODvtk=
 golang.org/x/tools/godoc v0.1.0-deprecated/go.mod h1:qM63CriJ961IHWmnWa9CjZnBndniPt4a3CK0PVB9bIg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1712,10 +1744,10 @@ google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb h1:ITgPrl429bc6+2ZraNSzMDk3I95nmQln2fuPstKwFDE=
 google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:sAo5UzpjUwgFBCzupwhcLcxHVDK7vG5IqI30YnwX2eE=
-google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4 h1:8XJ4pajGwOlasW+L13MnEGA8W4115jJySQtVfS2/IBU=
-google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4/go.mod h1:NnuHhy+bxcg30o7FnVAZbXsPHUDQ9qKWAQKCD7VxFtk=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250929231259-57b25ae835d4 h1:i8QOKZfYg6AbGVZzUAY3LrNWCKF8O6zFisU9Wl9RER4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250929231259-57b25ae835d4/go.mod h1:HSkG/KdJWusxU1F6CNrwNDjBMgisKxGnc5dAZfT0mjQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 h1:mepRgnBZa07I4TRuomDE4sTIYieg/osKmzIf4USdWS4=
+google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8/go.mod h1:fDMmzKV90WSg1NbozdqrE64fkuTv6mlq2zxo9ad+3yo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 h1:M1rk8KBnUsBDg1oPGHNCxG4vc1f49epmTO7xscSajMk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.19.1/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
@@ -1731,8 +1763,8 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
-google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
+google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM=
+google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig=
 google.golang.org/grpc/examples v0.0.0-20211102180624-670c133e568e h1:m7aQHHqd0q89mRwhwS9Bx2rjyl/hsFAeta+uGrHsQaU=
 google.golang.org/grpc/examples v0.0.0-20211102180624-670c133e568e/go.mod h1:gID3PKrg7pWKntu9Ss6zTLJ0ttC0X9IHgREOCZwbCVU=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
--- a/opencloud/Makefile
+++ b/opencloud/Makefile
@@ -17,7 +17,7 @@ include ../.make/docs.mk

 .PHONY: dev-docker
 dev-docker:
-	docker build -f docker/Dockerfile.multiarch -t opencloudeu/opencloud:dev ..
+	docker build -f docker/Dockerfile.multiarch -t opencloudeu/opencloud:dev ../..

 .PHONY: dev-docker-multiarch
 dev-docker-multiarch:
@@ -28,7 +28,7 @@ dev-docker-multiarch:
 	docker buildx rm opencloudbuilder || true
 	docker buildx create --platform linux/arm64,linux/amd64 --name opencloudbuilder
 	docker buildx use opencloudbuilder
-	cd .. && docker buildx build --platform linux/arm64,linux/amd64 --output type=docker --file opencloud/docker/Dockerfile.multiarch --tag opencloudeu/opencloud:dev-multiarch .
+	docker buildx build --platform linux/arm64,linux/amd64 --output type=docker --file docker/Dockerfile.multiarch --tag opencloudeu/opencloud:dev-multiarch ../..
 	docker buildx rm opencloudbuilder

 .PHONY: debug-docker
--- a/opencloud/docker/Dockerfile.multiarch
+++ b/opencloud/docker/Dockerfile.multiarch
@@ -1,19 +1,20 @@
-FROM golang:alpine3.21 AS build
+FROM golang:alpine3.22 AS build
 ARG TARGETOS
 ARG TARGETARCH
 ARG VERSION
 ARG STRING
+ARG EDITION="dev"

 RUN apk add bash make git curl gcc musl-dev libc-dev binutils-gold inotify-tools vips-dev

-WORKDIR /opencloud
-RUN --mount=type=bind,target=/opencloud \
+WORKDIR /build
+RUN --mount=type=bind,target=/build,rw \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache \
    GOOS="${TARGETOS:-linux}" GOARCH="${TARGETARCH:-amd64}" ; \
-    make -C opencloud release-linux-docker-${TARGETARCH} ENABLE_VIPS=true DIST=/dist
+    make -C opencloud/opencloud release-linux-docker-${TARGETARCH} ENABLE_VIPS=true DIST=/dist

-FROM alpine:3.21
+FROM alpine:3.22
 ARG VERSION
 ARG REVISION
 ARG TARGETOS
--- a/opencloud/pkg/command/backup.go
+++ b/opencloud/pkg/command/backup.go
@@ -4,6 +4,8 @@ import (
 	"errors"
 	"fmt"

+	"github.com/spf13/cobra"
+
 	"github.com/opencloud-eu/opencloud/opencloud/pkg/backup"
 	"github.com/opencloud-eu/opencloud/opencloud/pkg/register"
 	"github.com/opencloud-eu/opencloud/pkg/config"
@@ -11,62 +13,34 @@ import (
 	"github.com/opencloud-eu/opencloud/pkg/config/parser"
 	decomposedbs "github.com/opencloud-eu/reva/v2/pkg/storage/fs/decomposed/blobstore"
 	decomposeds3bs "github.com/opencloud-eu/reva/v2/pkg/storage/fs/decomposeds3/blobstore"
-	"github.com/urfave/cli/v2"
 )

 // BackupCommand is the entrypoint for the backup command
-func BackupCommand(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:  "backup",
-		Usage: "OpenCloud backup functionality",
-		Subcommands: []*cli.Command{
-			ConsistencyCommand(cfg),
-		},
-		Before: func(c *cli.Context) error {
+func BackupCommand(cfg *config.Config) *cobra.Command {
+	bckCmd := &cobra.Command{
+		Use:   "backup",
+		Short: "OpenCloud backup functionality",
+		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
 			return configlog.ReturnError(parser.ParseConfig(cfg, true))
 		},
-		Action: func(_ *cli.Context) error {
-			fmt.Println("Read the docs")
-			return nil
-		},
 	}
+	bckCmd.AddCommand(ConsistencyCommand(cfg))
+	return bckCmd
 }

 // ConsistencyCommand is the entrypoint for the consistency Command
-func ConsistencyCommand(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:  "consistency",
-		Usage: "check backup consistency",
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:     "basepath",
-				Aliases:  []string{"p"},
-				Usage:    "the basepath of the decomposedfs (e.g. /var/tmp/opencloud/storage/users)",
-				Required: true,
-			},
-			&cli.StringFlag{
-				Name:    "blobstore",
-				Aliases: []string{"b"},
-				Usage:   "the blobstore type. Can be (none, decomposed, decomposeds3). Default decomposed",
-				Value:   "decomposed",
-			},
-			&cli.BoolFlag{
-				Name:  "fail",
-				Usage: "exit with non-zero status if consistency check fails",
-			},
-		},
-		Action: func(c *cli.Context) error {
-			basePath := c.String("basepath")
-			if basePath == "" {
-				fmt.Println("basepath is required")
-				return cli.ShowCommandHelp(c, "consistency")
-			}
-
+func ConsistencyCommand(cfg *config.Config) *cobra.Command {
+	consCmd := &cobra.Command{
+		Use:   "consistency",
+		Short: "check backup consistency",
+		RunE: func(cmd *cobra.Command, args []string) error {
 			var (
 				bs  backup.ListBlobstore
 				err error
 			)
-			switch c.String("blobstore") {
+			basePath, _ := cmd.Flags().GetString("basepath")
+			blobstoreFlag, _ := cmd.Flags().GetString("blobstore")
+			switch blobstoreFlag {
 			case "decomposeds3":
 				bs, err = decomposeds3bs.New(
 					cfg.StorageUsers.Drivers.DecomposedS3.Endpoint,
@@ -87,7 +61,8 @@ func ConsistencyCommand(cfg *config.Config) *cli.Command {
 				fmt.Println(err)
 				return err
 			}
-			if err := backup.CheckProviderConsistency(basePath, bs, c.Bool("fail")); err != nil {
+			fail, _ := cmd.Flags().GetBool("fail")
+			if err := backup.CheckProviderConsistency(basePath, bs, fail); err != nil {
 				fmt.Println(err)
 				return err
 			}
@@ -95,6 +70,11 @@ func ConsistencyCommand(cfg *config.Config) *cli.Command {
 			return nil
 		},
 	}
+	consCmd.Flags().StringP("basepath", "p", "", "the basepath of the decomposedfs (e.g. /var/tmp/opencloud/storage/users)")
+	_ = consCmd.MarkFlagRequired("basepath")
+	consCmd.Flags().StringP("blobstore", "b", "decomposed", "the blobstore type. Can be (none, decomposed, decomposeds3). Default decomposed")
+	consCmd.Flags().Bool("fail", false, "exit with non-zero status if consistency check fails")
+	return consCmd
 }

 func init() {
--- a/opencloud/pkg/command/benchmark.go
+++ b/opencloud/pkg/command/benchmark.go
@@ -21,105 +21,47 @@ import (
 	"github.com/opencloud-eu/opencloud/pkg/version"
 	"github.com/pkg/xattr"
 	"github.com/rogpeppe/go-internal/lockedfile"
-	"github.com/urfave/cli/v2"
+	"github.com/spf13/cobra"
 )

 // BenchmarkCommand is the entrypoint for the benchmark commands.
-func BenchmarkCommand(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:        "benchmark",
-		Usage:       "cli tools to test low and high level performance",
-		Category:    "benchmark",
-		Subcommands: []*cli.Command{BenchmarkClientCommand(cfg), BenchmarkSyscallsCommand(cfg)},
+func BenchmarkCommand(cfg *config.Config) *cobra.Command {
+	benchCmd := &cobra.Command{
+		Use:   "benchmark",
+		Short: "cli tools to test low and high level performance",
 	}
+	benchCmd.AddCommand(BenchmarkClientCommand(cfg), BenchmarkSyscallsCommand(cfg))
+	return benchCmd
 }

 // BenchmarkClientCommand is the entrypoint for the benchmark client command.
-func BenchmarkClientCommand(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name: "client",
-
-		Usage: "Start a client that continuously makes web requests and prints stats. The options mimic curl, but URL must be at the end.",
-		Flags: []cli.Flag{
-
-			// TODO with v3 'flag.Persistent: true' can be set to make the order of flags no longer relevant \o/
-			// flags mimicing curl
-			&cli.StringFlag{
-				Name:    "request",
-				Aliases: []string{"X"},
-				Value:   "PROPFIND",
-				Usage:   "Specifies a custom request method to use when communicating with the HTTP server.",
-			},
-			&cli.StringFlag{
-				Name:    "user",
-				Aliases: []string{"u"},
-				Value:   "admin:admin",
-				Usage:   "Specify the user name and password to use for server authentication.",
-			},
-			&cli.BoolFlag{
-				Name:    "insecure",
-				Aliases: []string{"k"},
-				Usage:   "Skip the TLS verification step and proceed without checking.",
-			},
-			&cli.StringFlag{
-				Name:    "data",
-				Aliases: []string{"d"},
-				Usage:   "Sends the specified data in a request to the HTTP server.",
-				// TODE support multiple data flags, support data-binary, data-raw
-			},
-			&cli.StringSliceFlag{
-				Name:    "header",
-				Aliases: []string{"H"},
-				Usage:   "Extra header to include in information sent.",
-			},
-			&cli.StringFlag{
-				Name: "rate",
-				Usage: `Specify the maximum transfer frequency you allow a client to use - in number of transfer starts per time unit (sometimes called request rate).
-	The request rate is provided as "N/U" where N is an integer number and U is a time unit. Supported units are 's' (second), 'm' (minute), 'h' (hour) and 'd' /(day, as in a 24 hour unit). The default time unit, if no "/U" is provided, is number of transfers per hour.`,
-			},
-			/*
-				&cli.StringFlag{
-					Name:    "oauth2-bearer",
-					Usage:   "Specify the Bearer Token for OAUTH 2.0 server authentication.",
-				},
-				&cli.StringFlag{
-					Name:    "user-agent",
-					Aliases: []string{"A"},
-					Value:   "admin:admin",
-					Usage:   "Specify the User-Agent string to send to the HTTP	server.",
-				},
-			*/
-			// other flags
-			&cli.StringFlag{
-				Name:  "bearer-token-command",
-				Usage: "Command to execute for a bearer token, e.g. 'oidc-token opencloud'. When set, disables basic auth.",
-			},
-			&cli.IntFlag{
-				Name:  "every",
-				Usage: "Aggregate stats every time this amount of seconds has passed.",
-			},
-			&cli.IntFlag{
-				Name:    "jobs",
-				Aliases: []string{"j"},
-				Value:   1,
-				Usage:   "Number of parallel clients to start.",
-			},
-		},
-		Category: "benchmark",
-		Action: func(c *cli.Context) error {
+func BenchmarkClientCommand(cfg *config.Config) *cobra.Command {
+	benchClientCmd := &cobra.Command{
+		Use:   "client",
+		Short: "Start a client that continuously makes web requests and prints stats. The options mimic curl, but URL must be at the end.",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			jobs, err := cmd.Flags().GetInt("jobs")
+			if err != nil {
+				return err
+			}
+			insecure, _ := cmd.Flags().GetBool("insecure")
 			opt := clientOptions{
-				request:  c.String("request"),
-				url:      c.Args().First(),
-				insecure: c.Bool("insecure"),
-				jobs:     c.Int("jobs"),
+				request:  cmd.Flag("request").Value.String(),
+				url:      args[0],
+				insecure: insecure,
+				jobs:     jobs,
 				headers:  make(map[string]string),
-				data:     []byte(c.String("data")),
+				data:     []byte(cmd.Flag("data").Value.String()),
 			}
 			if opt.url == "" {
 				log.Fatal(errors.New("no URL specified"))
 			}

-			for _, h := range c.StringSlice("headers") {
+			headersSlice, err := cmd.Flags().GetStringSlice("headers")
+			if err != nil {
+				return err
+			}
+			for _, h := range headersSlice {
 				parts := strings.SplitN(h, ":", 2)
 				if len(parts) != 2 {
 					log.Fatal(errors.New("invalid header '" + h + "'"))
@@ -127,7 +69,7 @@ func BenchmarkClientCommand(cfg *config.Config) *cli.Command {
 				opt.headers[parts[0]] = strings.TrimSpace(parts[1])
 			}

-			rate := c.String("rate")
+			rate, _ := cmd.Flags().GetString("rate")
 			if rate != "" {
 				parts := strings.SplitN(rate, "/", 2)
 				num, err := strconv.Atoi(parts[0])
@@ -150,12 +92,12 @@ func BenchmarkClientCommand(cfg *config.Config) *cli.Command {
 				opt.rateDelay = unit / time.Duration(num)
 			}

-			user := c.String("user")
+			user, _ := cmd.Flags().GetString("user")
 			opt.auth = func() string {
 				return "Basic " + base64.StdEncoding.EncodeToString([]byte(user))
 			}

-			btc := c.String("bearer-token-command")
+			btc, _ := cmd.Flags().GetString("bearer-token-command")
 			if btc != "" {
 				parts := strings.SplitN(btc, " ", 2)
 				var cmd *exec.Cmd
@@ -173,7 +115,10 @@ func BenchmarkClientCommand(cfg *config.Config) *cli.Command {
 				}
 			}

-			every := c.Int("every")
+			every, err := cmd.Flags().GetInt("every")
+			if err != nil {
+				return err
+			}
 			if every != 0 {
 				opt.ticker = time.NewTicker(time.Second * time.Duration(every))
 				defer opt.ticker.Stop()
@@ -183,6 +128,22 @@ func BenchmarkClientCommand(cfg *config.Config) *cli.Command {

 		},
 	}
+
+	// TODO with v3 'flag.Persistent: true' can be set to make the order of flags no longer relevant \o/
+	// flags mimicing curl
+	benchClientCmd.Flags().StringP("request", "X", "PROPFIND", "Specifies a custom request method to use when communicating with the HTTP server.")
+	benchClientCmd.Flags().StringP("user", "u", "admin:admin", "Specify the user name and password to use for server authentication.")
+	benchClientCmd.Flags().BoolP("insecure", "k", false, "Skip the TLS verification step and proceed without checking.")
+	benchClientCmd.Flags().StringP("data", "d", "", "Sends the specified data in a request to the HTTP server.")
+	benchClientCmd.Flags().StringSliceP("headers", "H", []string{}, "Extra header to include in information sent.")
+	benchClientCmd.Flags().String("rate", "", "Specify the maximum transfer frequency you allow a client to use - in number of transfer starts per time unit (sometimes called request rate). The request rate is provided as \"N/U\" where N is an integer number and U is a time unit. Supported units are 's' (second), 'm' (minute), 'h' (hour) and 'd' /(day, as in a 24 hour unit). The default time unit, if no \"/U\" is provided, is number of transfers per hour.")
+
+	// other flags
+	benchClientCmd.Flags().IntP("jobs", "j", 1, "Number of parallel clients to start. Defaults to 1.")
+	benchClientCmd.Flags().Int("every", 0, "Aggregate stats every time this amount of seconds has passed.")
+	benchClientCmd.Flags().String("bearer-token-command", "", "Command to execute for a bearer token, e.g. 'oidc-token opencloud'. When set, disables basic auth.")
+
+	return benchClientCmd
 }

 type clientOptions struct {
@@ -280,25 +241,13 @@ func client(o clientOptions) error {
 }

 // BenchmarkSyscallsCommand is the entrypoint for the benchmark syscalls command.
-func BenchmarkSyscallsCommand(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:  "syscalls",
-		Usage: "test the performance of syscalls",
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:  "path",
-				Usage: "Path to test",
-			},
-			&cli.StringFlag{
-				Name:  "iterations",
-				Value: "100",
-				Usage: "Number of iterations to execute",
-			},
-		},
-		Category: "benchmark",
-		Action: func(c *cli.Context) error {
+func BenchmarkSyscallsCommand(cfg *config.Config) *cobra.Command {
+	benchSysCallCmd := &cobra.Command{
+		Use:   "syscalls",
+		Short: "test the performance of syscalls",
+		RunE: func(cmd *cobra.Command, args []string) error {

-			path := c.String("path")
+			path, _ := cmd.Flags().GetString("path")
 			if path == "" {
 				f, err := os.CreateTemp("", "opencloud-bench-temp-")
 				if err != nil {
@@ -309,11 +258,16 @@ func BenchmarkSyscallsCommand(cfg *config.Config) *cli.Command {
 				defer os.Remove(path)
 			}

-			iterations := c.Int("iterations")
-
+			iterations, err := cmd.Flags().GetInt("iterations")
+			if err != nil {
+				return err
+			}
 			return benchmark(iterations, path)
 		},
 	}
+	benchSysCallCmd.Flags().String("path", "", "Path to test")
+	benchSysCallCmd.Flags().Int("iterations", 100, "Number of iterations to execute")
+	return benchSysCallCmd
 }

 func benchmark(iterations int, path string) error {
--- a/opencloud/pkg/command/command.go
+++ b/opencloud/pkg/command/command.go
@@ -0,0 +1,7 @@
+package command
+
+const (
+	CommandGroupServer   = "Server"
+	CommandGroupServices = "Service"
+	CommandGroupStorage  = "Storage"
+)
--- a/opencloud/pkg/command/decomposedfs.go
+++ b/opencloud/pkg/command/decomposedfs.go
@@ -9,8 +9,6 @@ import (
 	"sort"
 	"strings"

-	userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
-	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	"github.com/opencloud-eu/opencloud/opencloud/pkg/register"
 	"github.com/opencloud-eu/opencloud/pkg/config"
 	revactx "github.com/opencloud-eu/reva/v2/pkg/ctx"
@@ -25,69 +23,57 @@ import (
 	"github.com/opencloud-eu/reva/v2/pkg/storage/pkg/decomposedfs/tree"
 	"github.com/opencloud-eu/reva/v2/pkg/storagespace"
 	"github.com/opencloud-eu/reva/v2/pkg/store"
+
+	userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
+	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	"github.com/rs/zerolog"
-	"github.com/urfave/cli/v2"
+	"github.com/spf13/cobra"
 )

 // DecomposedfsCommand is the entrypoint for the groups command.
-func DecomposedfsCommand(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:     "decomposedfs",
-		Usage:    `cli tools to inspect and manipulate a decomposedfs storage.`,
-		Category: "maintenance",
-		Subcommands: []*cli.Command{
-			metadataCmd(cfg),
-			checkCmd(cfg),
-		},
+func DecomposedfsCommand(cfg *config.Config) *cobra.Command {
+	decomposedCmd := &cobra.Command{
+		Use:     "decomposedfs",
+		Short:   `cli tools to inspect and manipulate a decomposedfs storage.`,
+		GroupID: CommandGroupStorage,
 	}
+	decomposedCmd.AddCommand(metadataCmd(cfg), checkCmd(cfg))
+	return decomposedCmd
 }

 func init() {
 	register.AddCommand(DecomposedfsCommand)
 }

-func checkCmd(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:  "check-treesize",
-		Usage: `cli tool to check the treesize metadata of a Space`,
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:     "root",
-				Aliases:  []string{"r"},
-				Required: true,
-				Usage:    "Path to the root directory of the decomposedfs",
-			},
-			&cli.StringFlag{
-				Name:     "node",
-				Required: true,
-				Aliases:  []string{"n"},
-				Usage:    "Space ID of the Space to inspect",
-			},
-			&cli.BoolFlag{
-				Name:  "repair",
-				Usage: "Try to repair nodes with incorrect treesize metadata. IMPORTANT: Only use this while OpenCloud is not running.",
-			},
-			&cli.BoolFlag{
-				Name:  "force",
-				Usage: "Do not prompt for confirmation when running in repair mode.",
-			},
-		},
-		Action: check,
+func checkCmd(_ *config.Config) *cobra.Command {
+	cCmd := &cobra.Command{
+		Use:   "check-treesize",
+		Short: `cli tool to check the treesize metadata of a Space`,
+		RunE:  check,
 	}
+	cCmd.Flags().StringP("root", "r", "", "Path to the root directory of the decomposedfs")
+	_ = cCmd.MarkFlagRequired("root")
+	cCmd.Flags().StringP("node", "n", "", "Space ID of the Space to inspect")
+	_ = cCmd.MarkFlagRequired("node")
+	cCmd.Flags().Bool("repair", false, "Try to repair nodes with incorrect treesize metadata. IMPORTANT: Only use this while OpenCloud is not running.")
+	cCmd.Flags().Bool("force", false, "Do not prompt for confirmation when running in repair mode.")
+
+	return cCmd
 }

-func check(c *cli.Context) error {
-	rootFlag := c.String("root")
-	repairFlag := c.Bool("repair")
+func check(cmd *cobra.Command, args []string) error {
+	rootFlag, _ := cmd.Flags().GetString("root")
+	repairFlag, _ := cmd.Flags().GetBool("repair")
+	forceFlag, _ := cmd.Flags().GetBool("force")

-	if repairFlag && !c.Bool("force") {
+	if repairFlag && !forceFlag {
 		answer := strings.ToLower(stringPrompt("IMPORTANT: Only use '--repair' when OpenCloud is not running. Do you want to continue? [yes | no = default]"))
 		if answer != "yes" && answer != "y" {
 			return nil
 		}
 	}

-	lu, backend := getBackend(c)
+	lu, backend := getBackend(cmd)
 	o := &options.Options{
 		MetadataBackend: backend.Name(),
 		MaxConcurrency:  100,
@@ -100,7 +86,7 @@ func check(c *cli.Context) error {

 	tree := tree.New(lu, bs, o, permissions.Permissions{}, store.Create(), &zerolog.Logger{})

-	nId := c.String("node")
+	nId, _ := cmd.Flags().GetString("node")
 	n, err := lu.NodeFromSpaceID(context.Background(), nId)
 	if err != nil || !n.Exists {
 		fmt.Println("Can not find node '" + nId + "'")
@@ -116,7 +102,10 @@ func check(c *cli.Context) error {
 		})

 	treeSize, err := walkTree(ctx, tree, lu, n, repairFlag)
-	treesizeFromMetadata, err := n.GetTreeSize(c.Context)
+	if err != nil {
+		fmt.Printf("failed to walk tree of node %s: %s\n", n.ID, err)
+	}
+	treesizeFromMetadata, err := n.GetTreeSize(cmd.Context())
 	if err != nil {
 		fmt.Printf("failed to read treesize of node: %s: %s\n", n.ID, err)
 	}
@@ -126,7 +115,7 @@ func check(c *cli.Context) error {
 		if repairFlag {
 			fmt.Printf("Fixing tree size for node: %s. Calculated treesize: %d\n",
 				n.ID, treeSize)
-			n.SetTreeSize(c.Context, treeSize)
+			n.SetTreeSize(cmd.Context(), treeSize)
 		}
 	}
 	return nil
@@ -185,105 +174,79 @@ func walkTree(ctx context.Context, tree *tree.Tree, lu *lookup.Lookup, root *nod
 	return treesize, nil
 }

-func metadataCmd(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:  "metadata",
-		Usage: `cli tools to inspect and manipulate node metadata`,
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:     "root",
-				Aliases:  []string{"r"},
-				Required: true,
-				Usage:    "Path to the decomposedfs",
-			},
-			&cli.StringFlag{
-				Name:     "node",
-				Required: true,
-				Aliases:  []string{"n"},
-				Usage:    "Path to or ID of the node to inspect",
-			},
-		},
-		Subcommands: []*cli.Command{dumpCmd(cfg), getCmd(cfg), setCmd(cfg)},
+func metadataCmd(cfg *config.Config) *cobra.Command {
+	metaCmd := &cobra.Command{
+		Use:   "metadata",
+		Short: `cli tools to inspect and manipulate node metadata`,
 	}
+	metaCmd.AddCommand(dumpCmd(cfg), getCmd(cfg), setCmd(cfg))
+	metaCmd.Flags().StringP("root", "r", "", "Path to the root directory of the decomposedfs")
+	_ = metaCmd.MarkFlagRequired("root")
+	metaCmd.Flags().StringP("node", "n", "", "Path to or ID of the node to inspect")
+	_ = metaCmd.MarkFlagRequired("node")
+	return metaCmd
 }

-func dumpCmd(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:  "dump",
-		Usage: `print the metadata of the given node. String attributes will be enclosed in quotes. Binary attributes will be returned encoded as base64 with their value being prefixed with '0s'.`,
-		Action: func(c *cli.Context) error {
-			lu, backend := getBackend(c)
-			path, err := getNode(c, lu)
+func dumpCmd(_ *config.Config) *cobra.Command {
+	return &cobra.Command{
+		Use:   "dump",
+		Short: `print the metadata of the given node. String attributes will be enclosed in quotes. Binary attributes will be returned encoded as base64 with their value being prefixed with '0s'.`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			lu, backend := getBackend(cmd)
+			path, err := getNode(cmd, lu)
 			if err != nil {
 				return err
 			}

-			attribs, err := backend.All(c.Context, path)
+			attribs, err := backend.All(cmd.Context(), path)
 			if err != nil {
 				fmt.Println("Error reading attributes")
 				return err
 			}
-			printAttribs(attribs, c.String("attribute"))
+			attributeFlag, _ := cmd.Flags().GetString("attribute")
+			printAttribs(attribs, attributeFlag)
 			return nil
 		},
 	}
 }

-func getCmd(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:  "get",
-		Usage: `print a specific attribute of the given node. String attributes will be enclosed in quotes. Binary attributes will be returned encoded as base64 with their value being prefixed with '0s'.`,
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:    "attribute",
-				Aliases: []string{"a"},
-				Usage:   "attribute to inspect",
-			},
-		},
-		Action: func(c *cli.Context) error {
-			lu, backend := getBackend(c)
-			path, err := getNode(c, lu)
+func getCmd(_ *config.Config) *cobra.Command {
+	gCmd := &cobra.Command{
+		Use:   "get",
+		Short: `print a specific attribute of the given node. String attributes will be enclosed in quotes. Binary attributes will be returned encoded as base64 with their value being prefixed with '0s'.`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			lu, backend := getBackend(cmd)
+			path, err := getNode(cmd, lu)
 			if err != nil {
 				return err
 			}

-			attribs, err := backend.All(c.Context, path)
+			attribs, err := backend.All(cmd.Context(), path)
 			if err != nil {
 				fmt.Println("Error reading attributes")
 				return err
 			}
-			printAttribs(attribs, c.String("attribute"))
+			attributeFlag, _ := cmd.Flags().GetString("attribute")
+			printAttribs(attribs, attributeFlag)
 			return nil
 		},
 	}
+	gCmd.Flags().StringP("attribute", "a", "", "attribute to inspect, can be a glob pattern (e.g. 'user.*' will match all attributes starting with 'user.').")
+	return gCmd
 }

-func setCmd(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:  "set",
-		Usage: `manipulate metadata of the given node. Binary attributes can be given hex encoded (prefix by '0x') or base64 encoded (prefix by '0s').`,
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:     "attribute",
-				Required: true,
-				Aliases:  []string{"a"},
-				Usage:    "attribute to inspect",
-			},
-			&cli.StringFlag{
-				Name:     "value",
-				Required: true,
-				Aliases:  []string{"v"},
-				Usage:    "value to set",
-			},
-		},
-		Action: func(c *cli.Context) error {
-			lu, backend := getBackend(c)
-			n, err := getNode(c, lu)
+func setCmd(_ *config.Config) *cobra.Command {
+	sCmd := &cobra.Command{
+		Use:   "set",
+		Short: `manipulate metadata of the given node. Binary attributes can be given hex encoded (prefix by '0x') or base64 encoded (prefix by '0s').`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			lu, backend := getBackend(cmd)
+			n, err := getNode(cmd, lu)
 			if err != nil {
 				return err
 			}

-			v := c.String("value")
+			v, _ := cmd.Flags().GetString("value")
 			if strings.HasPrefix(v, "0s") {
 				b64, err := base64.StdEncoding.DecodeString(v[2:])
 				if err == nil {
@@ -300,7 +263,8 @@ func setCmd(cfg *config.Config) *cli.Command {
 				}
 			}

-			err = backend.Set(c.Context, n, c.String("attribute"), []byte(v))
+			attributeFlag, _ := cmd.Flags().GetString("attribute")
+			err = backend.Set(cmd.Context(), n, attributeFlag, []byte(v))
 			if err != nil {
 				fmt.Println("Error setting attribute")
 				return err
@@ -308,9 +272,16 @@ func setCmd(cfg *config.Config) *cli.Command {
 			return nil
 		},
 	}
+	sCmd.Flags().StringP("attribute", "a", "", "attribute to inspect, can be a glob pattern (e.g. 'user.*' will match all attributes starting with 'user.').")
+	_ = sCmd.MarkFlagRequired("attribute")
+
+	sCmd.Flags().StringP("value", "v", "", "value to set")
+	_ = sCmd.MarkFlagRequired("value")
+
+	return sCmd
 }

-func backend(root, backend string) metadata.Backend {
+func backend(backend string) metadata.Backend {
 	switch backend {
 	case "xattrs":
 		return metadata.NewXattrsBackend(cache.Config{})
@@ -320,11 +291,11 @@ func backend(root, backend string) metadata.Backend {
 	return metadata.NullBackend{}
 }

-func getBackend(c *cli.Context) (*lookup.Lookup, metadata.Backend) {
-	rootFlag := c.String("root")
+func getBackend(cmd *cobra.Command) (*lookup.Lookup, metadata.Backend) {
+	rootFlag, _ := cmd.Flags().GetString("root")

 	bod := lookup.DetectBackendOnDisk(rootFlag)
-	backend := backend(rootFlag, bod)
+	backend := backend(bod)
 	lu := lookup.New(backend, &options.Options{
 		Root:            rootFlag,
 		MetadataBackend: bod,
@@ -332,8 +303,8 @@ func getBackend(c *cli.Context) (*lookup.Lookup, metadata.Backend) {
 	return lu, backend
 }

-func getNode(c *cli.Context, lu *lookup.Lookup) (*node.Node, error) {
-	nodeFlag := c.String("node")
+func getNode(cmd *cobra.Command, lu *lookup.Lookup) (*node.Node, error) {
+	nodeFlag, _ := cmd.Flags().GetString("node")

 	id, err := storagespace.ParseID(nodeFlag)
 	if err != nil {
--- a/opencloud/pkg/command/helper/common.go
+++ b/opencloud/pkg/command/helper/common.go
@@ -1,9 +0,0 @@
-package helper
-
-import (
-	"fmt"
-)
-
-func SubcommandDescription(serviceName string) string {
-	return fmt.Sprintf("%s service commands", serviceName)
-}
--- a/opencloud/pkg/command/init.go
+++ b/opencloud/pkg/command/init.go
@@ -11,49 +11,19 @@ import (
 	"github.com/opencloud-eu/opencloud/opencloud/pkg/register"
 	"github.com/opencloud-eu/opencloud/pkg/config"
 	"github.com/opencloud-eu/opencloud/pkg/config/defaults"
-	cli "github.com/urfave/cli/v2"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
 )

 // InitCommand is the entrypoint for the init command
-func InitCommand(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:  "init",
-		Usage: "initialise an OpenCloud config",
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:    "insecure",
-				EnvVars: []string{"OC_INSECURE"},
-				Value:   "ask",
-				Usage:   "Allow insecure OpenCloud config",
-			},
-			&cli.BoolFlag{
-				Name:    "diff",
-				Aliases: []string{"d"},
-				Usage:   "Show the difference between the current config and the new one",
-				Value:   false,
-			},
-			&cli.BoolFlag{
-				Name:    "force-overwrite",
-				Aliases: []string{"f"},
-				EnvVars: []string{"OC_FORCE_CONFIG_OVERWRITE"},
-				Value:   false,
-				Usage:   "Force overwrite existing config file",
-			},
-			&cli.StringFlag{
-				Name:    "config-path",
-				Value:   defaults.BaseConfigPath(),
-				Usage:   "Config path for the OpenCloud runtime",
-				EnvVars: []string{"OC_CONFIG_DIR", "OC_BASE_DATA_PATH"},
-			},
-			&cli.StringFlag{
-				Name:    "admin-password",
-				Aliases: []string{"ap"},
-				EnvVars: []string{"ADMIN_PASSWORD", "IDM_ADMIN_PASSWORD"},
-				Usage:   "Set admin password instead of using a random generated one",
-			},
-		},
-		Action: func(c *cli.Context) error {
-			insecureFlag := c.String("insecure")
+func InitCommand(_ *config.Config) *cobra.Command {
+	initCmd := &cobra.Command{
+		Use:     "init",
+		Short:   "initialise an OpenCloud config",
+		GroupID: CommandGroupServer,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			insecureFlag := viper.GetString("insecure")
 			insecure := false
 			if insecureFlag == "ask" {
 				answer := strings.ToLower(stringPrompt("Do you want to configure OpenCloud with certificate checking disabled?\n This is not recommended for public instances! [yes | no = default]"))
@@ -63,13 +33,37 @@ func InitCommand(cfg *config.Config) *cli.Command {
 			} else if insecureFlag == strings.ToLower("true") || insecureFlag == strings.ToLower("yes") || insecureFlag == strings.ToLower("y") {
 				insecure = true
 			}
-			err := ocinit.CreateConfig(insecure, c.Bool("force-overwrite"), c.Bool("diff"), c.String("config-path"), c.String("admin-password"))
+			forceOverwriteFlag := viper.GetBool("force-overwrite")
+			diffFlag, _ := cmd.Flags().GetBool("diff")
+			configPathFlag := viper.GetString("config-path")
+			adminPasswordFlag := viper.GetString("admin-password")
+			err := ocinit.CreateConfig(insecure, forceOverwriteFlag, diffFlag, configPathFlag, adminPasswordFlag)
 			if err != nil {
 				log.Fatalf("Could not create config: %s", err)
 			}
 			return nil
 		},
 	}
+	initCmd.Flags().String("insecure", "ask", "Allow insecure OpenCloud config")
+	_ = viper.BindEnv("insecure", "OC_INSECURE")
+	_ = viper.BindPFlag("insecure", initCmd.Flags().Lookup("insecure"))
+
+	initCmd.Flags().BoolP("diff", "d", false, "Show the difference between the current config and the new one")
+
+	initCmd.Flags().BoolP("force-overwrite", "f", false, "Force overwrite existing config file")
+	_ = viper.BindEnv("force-overwrite", "OC_FORCE_CONFIG_OVERWRITE")
+	_ = viper.BindPFlag("force-overwrite", initCmd.Flags().Lookup("force-overwrite"))
+
+	initCmd.Flags().String("config-path", defaults.BaseConfigPath(), "Config path for the OpenCloud runtime")
+	_ = viper.BindEnv("config-path", "OC_CONFIG_DIR")
+	_ = viper.BindEnv("config-path", "OC_BASE_DATA_PATH")
+	_ = viper.BindPFlag("config-path", initCmd.Flags().Lookup("config-path"))
+
+	initCmd.Flags().String("admin-password", "", "Set admin password instead of using a random generated one")
+	_ = viper.BindEnv("admin-password", "ADMIN_PASSWORD")
+	_ = viper.BindEnv("admin-password", "IDM_ADMIN_PASSWORD")
+	_ = viper.BindPFlag("admin-password", initCmd.Flags().Lookup("admin-password"))
+	return initCmd
 }

 func init() {
@@ -80,7 +74,7 @@ func stringPrompt(label string) string {
 	input := ""
 	reader := bufio.NewReader(os.Stdin)
 	for {
-		fmt.Fprint(os.Stderr, label+" ")
+		_, _ = fmt.Fprint(os.Stderr, label+" ")
 		input, _ = reader.ReadString('\n')
 		if input != "" {
 			break
--- a/opencloud/pkg/command/list.go
+++ b/opencloud/pkg/command/list.go
@@ -8,31 +8,26 @@ import (

 	"github.com/opencloud-eu/opencloud/opencloud/pkg/register"
 	"github.com/opencloud-eu/opencloud/pkg/config"
-	"github.com/urfave/cli/v2"
+	"github.com/opencloud-eu/opencloud/pkg/config/configlog"
+	"github.com/opencloud-eu/opencloud/pkg/config/parser"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
 )

 // ListCommand is the entrypoint for the list command.
-func ListCommand(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:     "list",
-		Usage:    "list OpenCloud services running in the runtime (supervised mode)",
-		Category: "runtime",
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:        "hostname",
-				Value:       "localhost",
-				EnvVars:     []string{"OC_RUNTIME_HOST"},
-				Destination: &cfg.Runtime.Host,
-			},
-			&cli.StringFlag{
-				Name:        "port",
-				Value:       "9250",
-				EnvVars:     []string{"OC_RUNTIME_PORT"},
-				Destination: &cfg.Runtime.Port,
-			},
+func ListCommand(cfg *config.Config) *cobra.Command {
+	listCmd := &cobra.Command{
+		Use:   "list",
+		Short: "list OpenCloud services running in the runtime (supervised mode)",
+		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+			return configlog.ReturnError(parser.ParseConfig(cfg, true))
 		},
-		Action: func(c *cli.Context) error {
-			client, err := rpc.DialHTTP("tcp", net.JoinHostPort(cfg.Runtime.Host, cfg.Runtime.Port))
+		RunE: func(cmd *cobra.Command, args []string) error {
+			host := viper.GetString("hostname")
+			port := viper.GetString("port")
+
+			client, err := rpc.DialHTTP("tcp", net.JoinHostPort(host, port))
 			if err != nil {
 				log.Fatalf("Failed to connect to the runtime. Has the runtime been started and did you configure the right runtime address (\"%s\")", cfg.Runtime.Host+":"+cfg.Runtime.Port)
 			}
@@ -48,6 +43,15 @@ func ListCommand(cfg *config.Config) *cli.Command {
 			return nil
 		},
 	}
+
+	listCmd.Flags().String("hostname", "localhost", "hostname of the runtime")
+	_ = viper.BindEnv("hostname", "OC_RUNTIME_HOST")
+	_ = viper.BindPFlag("hostname", listCmd.Flags().Lookup("hostname"))
+
+	listCmd.Flags().String("port", "9250", "port of the runtime")
+	_ = viper.BindEnv("port", "OC_RUNTIME_PORT")
+	_ = viper.BindPFlag("port", listCmd.Flags().Lookup("port"))
+	return listCmd
 }

 func init() {
--- a/opencloud/pkg/command/posixfs.go
+++ b/opencloud/pkg/command/posixfs.go
@@ -10,9 +10,10 @@ import (

 	"github.com/opencloud-eu/opencloud/opencloud/pkg/register"
 	"github.com/opencloud-eu/opencloud/pkg/config"
+
 	"github.com/pkg/xattr"
+	"github.com/spf13/cobra"
 	"github.com/theckman/yacspin"
-	"github.com/urfave/cli/v2"
 	"github.com/vmihailenco/msgpack/v5"
 )

@@ -37,15 +38,16 @@ type EntryInfo struct {
 }

 // PosixfsCommand is the entrypoint for the posixfs command.
-func PosixfsCommand(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:     "posixfs",
-		Usage:    `cli tools to inspect and manipulate a posixfs storage.`,
-		Category: "maintenance",
-		Subcommands: []*cli.Command{
-			consistencyCmd(cfg),
-		},
+func PosixfsCommand(cfg *config.Config) *cobra.Command {
+	posixCmd := &cobra.Command{
+		Use:     "posixfs",
+		Short:   `cli tools to inspect and manipulate a posixfs storage.`,
+		GroupID: CommandGroupStorage,
 	}
+
+	posixCmd.AddCommand(consistencyCmd(cfg))
+
+	return posixCmd
 }

 func init() {
@@ -53,27 +55,23 @@ func init() {
 }

 // consistencyCmd returns a command to check the consistency of the posixfs storage.
-func consistencyCmd(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:  "consistency",
-		Usage: "check the consistency of the posixfs storage",
-		Action: func(c *cli.Context) error {
-			return checkPosixfsConsistency(c, cfg)
-		},
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:     "root",
-				Aliases:  []string{"r"},
-				Required: true,
-				Usage:    "Path to the root directory of the posixfs storage",
-			},
+func consistencyCmd(cfg *config.Config) *cobra.Command {
+	consCmd := &cobra.Command{
+		Use:   "consistency",
+		Short: "check the consistency of the posixfs storage",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return checkPosixfsConsistency(cmd, cfg)
 		},
 	}
+	consCmd.Flags().StringP("root", "r", "", "Path to the root directory of the posixfs storage")
+	_ = consCmd.MarkFlagRequired("root")
+
+	return consCmd
 }

 // checkPosixfsConsistency checks the consistency of the posixfs storage.
-func checkPosixfsConsistency(c *cli.Context, cfg *config.Config) error {
-	rootPath := c.String("root")
+func checkPosixfsConsistency(cmd *cobra.Command, cfg *config.Config) error {
+	rootPath, _ := cmd.Flags().GetString("root")
 	indexesPath := filepath.Join(rootPath, "indexes")

 	_, err := os.Stat(indexesPath)
--- a/opencloud/pkg/command/revisions.go
+++ b/opencloud/pkg/command/revisions.go
@@ -6,6 +6,7 @@ import (
 	"path/filepath"

 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
+
 	"github.com/opencloud-eu/opencloud/opencloud/pkg/register"
 	"github.com/opencloud-eu/opencloud/opencloud/pkg/revisions"
 	"github.com/opencloud-eu/opencloud/pkg/config"
@@ -15,7 +16,8 @@ import (
 	decomposeds3bs "github.com/opencloud-eu/reva/v2/pkg/storage/fs/decomposeds3/blobstore"
 	"github.com/opencloud-eu/reva/v2/pkg/storage/fs/posix/lookup"
 	"github.com/opencloud-eu/reva/v2/pkg/storagespace"
-	"github.com/urfave/cli/v2"
+
+	"github.com/spf13/cobra"
 )

 var (
@@ -24,75 +26,33 @@ var (
 )

 // RevisionsCommand is the entrypoint for the revisions command.
-func RevisionsCommand(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:  "revisions",
-		Usage: "OpenCloud revisions functionality",
-		Subcommands: []*cli.Command{
-			PurgeRevisionsCommand(cfg),
-		},
-		Before: func(_ *cli.Context) error {
+func RevisionsCommand(cfg *config.Config) *cobra.Command {
+	revCmd := &cobra.Command{
+		Use:   "revisions",
+		Short: "OpenCloud revisions functionality",
+		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
 			return configlog.ReturnError(parser.ParseConfig(cfg, true))
 		},
-		Action: func(_ *cli.Context) error {
-			fmt.Println("Read the docs")
-			return nil
-		},
 	}
+	revCmd.AddCommand(PurgeRevisionsCommand(cfg))
+
+	return revCmd
 }

 // PurgeRevisionsCommand allows removing all revisions from a storage provider.
-func PurgeRevisionsCommand(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:  "purge",
-		Usage: "purge revisions",
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:     "basepath",
-				Aliases:  []string{"p"},
-				Usage:    "the basepath of the decomposedfs (e.g. /var/tmp/opencloud/storage/metadata)",
-				Required: true,
-			},
-			&cli.StringFlag{
-				Name:    "blobstore",
-				Aliases: []string{"b"},
-				Usage:   "the blobstore type. Can be (none, decomposed, decomposeds3). Default decomposed. Note: When using decomposeds3 this needs same configuration as the storage-users service",
-				Value:   "decomposed",
-			},
-			&cli.BoolFlag{
-				Name:  "dry-run",
-				Usage: "do not delete anything, just print what would be deleted",
-				Value: true,
-			},
-			&cli.BoolFlag{
-				Name:    "verbose",
-				Aliases: []string{"v"},
-				Usage:   "print verbose output",
-				Value:   false,
-			},
-			&cli.StringFlag{
-				Name:    "resource-id",
-				Aliases: []string{"r"},
-				Usage:   "purge all revisions of this file/space. If not set, all revisions will be purged",
-			},
-			&cli.StringFlag{
-				Name:  "glob-mechanism",
-				Usage: "the glob mechanism to find all nodes. Can be 'glob', 'list' or 'workers'. 'glob' uses globbing with a single worker. 'workers' spawns multiple go routines, accelatering the command drastically but causing high cpu and ram usage. 'list' looks for references by listing directories with multiple workers. Default is 'glob'",
-				Value: "glob",
-			},
-		},
-		Action: func(c *cli.Context) error {
-			basePath := c.String("basepath")
-			if basePath == "" {
-				fmt.Println("basepath is required")
-				return cli.ShowCommandHelp(c, "revisions")
-			}
+func PurgeRevisionsCommand(cfg *config.Config) *cobra.Command {
+	revCmd := &cobra.Command{
+		Use:   "purge",
+		Short: "purge revisions",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			basePath, _ := cmd.Flags().GetString("basepath")

 			var (
 				bs  revisions.DelBlobstore
 				err error
 			)
-			switch c.String("blobstore") {
+			blobstoreFlag, _ := cmd.Flags().GetString("blobstore")
+			switch blobstoreFlag {
 			case "decomposeds3":
 				bs, err = decomposeds3bs.New(
 					cfg.StorageUsers.Drivers.DecomposedS3.Endpoint,
@@ -115,12 +75,13 @@ func PurgeRevisionsCommand(cfg *config.Config) *cli.Command {
 			}

 			var rid *provider.ResourceId
-			resid, err := storagespace.ParseID(c.String("resource-id"))
+			resourceIDFlag, _ := cmd.Flags().GetString("resource-id")
+			resid, err := storagespace.ParseID(resourceIDFlag)
 			if err == nil {
 				rid = &resid
 			}

-			mechanism := c.String("glob-mechanism")
+			mechanism, _ := cmd.Flags().GetString("glob-mechanism")
 			if rid.GetOpaqueId() != "" {
 				mechanism = "glob"
 			}
@@ -146,11 +107,30 @@ func PurgeRevisionsCommand(cfg *config.Config) *cli.Command {
 				ch = revisions.List(p, 10)
 			}

-			files, blobs, revisions := revisions.PurgeRevisions(ch, bs, c.Bool("dry-run"), c.Bool("verbose"))
-			printResults(files, blobs, revisions, c.Bool("dry-run"))
+			flagDryRun, err := cmd.Flags().GetBool("dry-run")
+			if err != nil {
+				return err
+			}
+
+			flagVerbose, err := cmd.Flags().GetBool("verbose")
+			if err != nil {
+				return err
+			}
+
+			files, blobs, revisionResults := revisions.PurgeRevisions(ch, bs, flagDryRun, flagVerbose)
+			printResults(files, blobs, revisionResults, flagDryRun)
 			return nil
 		},
 	}
+	revCmd.Flags().StringP("basepath", "p", "", "the basepath of the decomposedfs (e.g. /var/tmp/opencloud/storage/metadata)")
+	_ = revCmd.MarkFlagRequired("basepath")
+	revCmd.Flags().StringP("blobstore", "b", "decomposed", "the blobstore type. Can be (none, decomposed, decomposeds3). Default decomposed")
+	revCmd.Flags().Bool("dry-run", true, "do not delete anything, just print what would be deleted")
+	revCmd.Flags().BoolP("verbose", "v", false, "print verbose output")
+	revCmd.Flags().StringP("resource-id", "r", "", "purge all revisions of this file/space. If not set, all revisions will be purged")
+	revCmd.Flags().String("glob-mechanism", "glob", "the glob mechanism to find all nodes. Can be 'glob', 'list' or 'workers'. 'glob' uses globbing with a single worker. 'workers' spawns multiple go routines, accelatering the command drastically but causing high cpu and ram usage. 'list' looks for references by listing directories with multiple workers. Default is 'glob'")
+
+	return revCmd
 }

 func printResults(countFiles, countBlobs, countRevisions int, dryRun bool) {
--- a/opencloud/pkg/command/root.go
+++ b/opencloud/pkg/command/root.go
@@ -9,25 +9,32 @@ import (
 	"github.com/opencloud-eu/opencloud/opencloud/pkg/register"
 	"github.com/opencloud-eu/opencloud/pkg/clihelper"
 	"github.com/opencloud-eu/opencloud/pkg/config"
-	"github.com/urfave/cli/v2"
+
+	"github.com/spf13/cobra"
 )

 // Execute is the entry point for the opencloud command.
 func Execute() error {
 	cfg := config.DefaultConfig()

-	app := clihelper.DefaultApp(&cli.App{
-		Name:  "opencloud",
-		Usage: "opencloud",
+	app := clihelper.DefaultApp(&cobra.Command{
+		Use:   "opencloud",
+		Short: "opencloud",
 	})

-	for _, fn := range register.Commands {
-		app.Commands = append(
-			app.Commands,
-			fn(cfg),
-		)
-	}
+	for _, commandFactory := range register.Commands {
+		command := commandFactory(cfg)

+		if command.GroupID != "" && !app.ContainsGroup(command.GroupID) {
+			app.AddGroup(&cobra.Group{
+				ID:    command.GroupID,
+				Title: command.GroupID,
+			})
+		}
+
+		app.AddCommand(command)
+	}
+	app.SetArgs(os.Args[1:])
 	ctx, _ := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
-	return app.RunContext(ctx, os.Args)
+	return app.ExecuteContext(ctx)
 }
--- a/opencloud/pkg/command/server.go
+++ b/opencloud/pkg/command/server.go
@@ -6,22 +6,23 @@ import (
 	"github.com/opencloud-eu/opencloud/pkg/config"
 	"github.com/opencloud-eu/opencloud/pkg/config/configlog"
 	"github.com/opencloud-eu/opencloud/pkg/config/parser"
-	"github.com/urfave/cli/v2"
+
+	"github.com/spf13/cobra"
 )

 // Server is the entrypoint for the server command.
-func Server(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:     "server",
-		Usage:    "start a fullstack server (runtime and all services in supervised mode)",
-		Category: "fullstack",
-		Before: func(c *cli.Context) error {
+func Server(cfg *config.Config) *cobra.Command {
+	return &cobra.Command{
+		Use:   "server",
+		Short: "start a fullstack server (runtime and all services in supervised mode)",
+		PreRunE: func(cmd *cobra.Command, args []string) error {
 			return configlog.ReturnError(parser.ParseConfig(cfg, false))
 		},
-		Action: func(c *cli.Context) error {
+		GroupID: CommandGroupServer,
+		RunE: func(cmd *cobra.Command, args []string) error {
 			// Prefer the in-memory registry as the default when running in single-binary mode
 			r := runtime.New(cfg)
-			return r.Start(c.Context)
+			return r.Start(cmd.Context())
 		},
 	}
 }
--- a/opencloud/pkg/command/services.go
+++ b/opencloud/pkg/command/services.go
@@ -1,9 +1,8 @@
 package command

 import (
-	"github.com/urfave/cli/v2"
+	"fmt"

-	"github.com/opencloud-eu/opencloud/opencloud/pkg/command/helper"
 	"github.com/opencloud-eu/opencloud/opencloud/pkg/register"
 	"github.com/opencloud-eu/opencloud/pkg/config"
 	"github.com/opencloud-eu/opencloud/pkg/config/configlog"
@@ -50,238 +49,243 @@ import (
 	web "github.com/opencloud-eu/opencloud/services/web/pkg/command"
 	webdav "github.com/opencloud-eu/opencloud/services/webdav/pkg/command"
 	webfinger "github.com/opencloud-eu/opencloud/services/webfinger/pkg/command"
+
+	"github.com/spf13/cobra"
 )

-var svccmds = []register.Command{
-	func(cfg *config.Config) *cli.Command {
+var serviceCommands = []register.Command{
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Activitylog.Service.Name, activitylog.GetCommands(cfg.Activitylog), func(c *config.Config) {
 			cfg.Activitylog.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Antivirus.Service.Name, antivirus.GetCommands(cfg.Antivirus), func(c *config.Config) {
-			// cfg.Antivirus.Commons = cfg.Commons // antivirus needs no commons atm
+			cfg.Antivirus.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.AppProvider.Service.Name, appprovider.GetCommands(cfg.AppProvider), func(c *config.Config) {
 			cfg.AppProvider.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.AppRegistry.Service.Name, appregistry.GetCommands(cfg.AppRegistry), func(c *config.Config) {
 			cfg.AppRegistry.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Audit.Service.Name, audit.GetCommands(cfg.Audit), func(c *config.Config) {
 			cfg.Audit.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.AuthApp.Service.Name, authapp.GetCommands(cfg.AuthApp), func(_ *config.Config) {
 			cfg.AuthApp.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.AuthBasic.Service.Name, authbasic.GetCommands(cfg.AuthBasic), func(c *config.Config) {
 			cfg.AuthBasic.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.AuthBearer.Service.Name, authbearer.GetCommands(cfg.AuthBearer), func(c *config.Config) {
 			cfg.AuthBearer.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.AuthMachine.Service.Name, authmachine.GetCommands(cfg.AuthMachine), func(c *config.Config) {
 			cfg.AuthMachine.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.AuthService.Service.Name, authservice.GetCommands(cfg.AuthService), func(c *config.Config) {
 			cfg.AuthService.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Clientlog.Service.Name, clientlog.GetCommands(cfg.Clientlog), func(c *config.Config) {
 			cfg.Clientlog.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Collaboration.Service.Name, collaboration.GetCommands(cfg.Collaboration), func(c *config.Config) {
 			cfg.Collaboration.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.EventHistory.Service.Name, eventhistory.GetCommands(cfg.EventHistory), func(c *config.Config) {
 			cfg.EventHistory.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Frontend.Service.Name, frontend.GetCommands(cfg.Frontend), func(c *config.Config) {
 			cfg.Frontend.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Gateway.Service.Name, gateway.GetCommands(cfg.Gateway), func(c *config.Config) {
 			cfg.Gateway.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Graph.Service.Name, graph.GetCommands(cfg.Graph), func(c *config.Config) {
 			cfg.Graph.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Groups.Service.Name, groups.GetCommands(cfg.Groups), func(c *config.Config) {
 			cfg.Groups.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.IDM.Service.Name, idm.GetCommands(cfg.IDM), func(c *config.Config) {
 			cfg.IDM.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.IDP.Service.Name, idp.GetCommands(cfg.IDP), func(c *config.Config) {
 			cfg.IDP.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Invitations.Service.Name, invitations.GetCommands(cfg.Invitations), func(c *config.Config) {
 			cfg.Invitations.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Nats.Service.Name, nats.GetCommands(cfg.Nats), func(c *config.Config) {
 			cfg.Nats.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Notifications.Service.Name, notifications.GetCommands(cfg.Notifications), func(c *config.Config) {
 			cfg.Notifications.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.OCDav.Service.Name, ocdav.GetCommands(cfg.OCDav), func(c *config.Config) {
 			cfg.OCDav.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.OCM.Service.Name, ocm.GetCommands(cfg.OCM), func(c *config.Config) {
 			cfg.OCM.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.OCS.Service.Name, ocs.GetCommands(cfg.OCS), func(c *config.Config) {
 			cfg.OCS.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Policies.Service.Name, policies.GetCommands(cfg.Policies), func(c *config.Config) {
 			cfg.Policies.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Postprocessing.Service.Name, postprocessing.GetCommands(cfg.Postprocessing), func(c *config.Config) {
 			cfg.Postprocessing.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Proxy.Service.Name, proxy.GetCommands(cfg.Proxy), func(c *config.Config) {
 			cfg.Proxy.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Search.Service.Name, search.GetCommands(cfg.Search), func(c *config.Config) {
 			cfg.Search.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Settings.Service.Name, settings.GetCommands(cfg.Settings), func(c *config.Config) {
 			cfg.Settings.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Sharing.Service.Name, sharing.GetCommands(cfg.Sharing), func(c *config.Config) {
 			cfg.Sharing.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.SSE.Service.Name, sse.GetCommands(cfg.SSE), func(c *config.Config) {
 			cfg.SSE.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.StoragePublicLink.Service.Name, storagepubliclink.GetCommands(cfg.StoragePublicLink), func(c *config.Config) {
 			cfg.StoragePublicLink.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.StorageShares.Service.Name, storageshares.GetCommands(cfg.StorageShares), func(c *config.Config) {
 			cfg.StorageShares.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.StorageSystem.Service.Name, storagesystem.GetCommands(cfg.StorageSystem), func(c *config.Config) {
 			cfg.StorageSystem.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.StorageUsers.Service.Name, storageusers.GetCommands(cfg.StorageUsers), func(c *config.Config) {
 			cfg.StorageUsers.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Thumbnails.Service.Name, thumbnails.GetCommands(cfg.Thumbnails), func(c *config.Config) {
 			cfg.Thumbnails.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Userlog.Service.Name, userlog.GetCommands(cfg.Userlog), func(c *config.Config) {
 			cfg.Userlog.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Users.Service.Name, users.GetCommands(cfg.Users), func(c *config.Config) {
 			cfg.Users.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Web.Service.Name, web.GetCommands(cfg.Web), func(c *config.Config) {
 			cfg.Web.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.WebDAV.Service.Name, webdav.GetCommands(cfg.WebDAV), func(c *config.Config) {
 			cfg.WebDAV.Commons = cfg.Commons
 		})
 	},
-	func(cfg *config.Config) *cli.Command {
+	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Webfinger.Service.Name, webfinger.GetCommands(cfg.Webfinger), func(c *config.Config) {
 			cfg.Webfinger.Commons = cfg.Commons
 		})
 	},
 }

-// ServiceCommand is the entry point for the all service commands.
-func ServiceCommand(cfg *config.Config, serviceName string, subcommands []*cli.Command, f func(*config.Config)) *cli.Command {
-	return &cli.Command{
-		Name:     serviceName,
-		Usage:    helper.SubcommandDescription(serviceName),
-		Category: "services",
-		Before: func(c *cli.Context) error {
+// ServiceCommand composes a cobra command from the given inputs.
+func ServiceCommand(cfg *config.Config, serviceName string, subCommands []*cobra.Command, f func(*config.Config)) *cobra.Command {
+	command := &cobra.Command{
+		Use:     serviceName,
+		Short:   fmt.Sprintf("%s service commands", serviceName),
+		GroupID: CommandGroupServices,
+		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
 			configlog.Error(parser.ParseConfig(cfg, true))
 			f(cfg)
 			return nil
 		},
-		Subcommands: subcommands,
 	}
+
+	command.AddCommand(subCommands...)
+
+	return command
 }

 func init() {
-	for _, c := range svccmds {
+	for _, c := range serviceCommands {
 		register.AddCommand(c)
 	}
 }
--- a/opencloud/pkg/command/shares.go
+++ b/opencloud/pkg/command/shares.go
@@ -3,13 +3,7 @@ package command
 import (
 	"errors"

-	"github.com/rs/zerolog"
-	"github.com/urfave/cli/v2"
-
-	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
-	"github.com/opencloud-eu/reva/v2/pkg/share/manager/jsoncs3"
-	"github.com/opencloud-eu/reva/v2/pkg/share/manager/registry"
-	"github.com/opencloud-eu/reva/v2/pkg/utils"
+	"github.com/spf13/viper"

 	"github.com/opencloud-eu/opencloud/opencloud/pkg/register"
 	"github.com/opencloud-eu/opencloud/pkg/config"
@@ -19,15 +13,21 @@ import (
 	mregistry "github.com/opencloud-eu/opencloud/pkg/registry"
 	sharing "github.com/opencloud-eu/opencloud/services/sharing/pkg/config"
 	sharingparser "github.com/opencloud-eu/opencloud/services/sharing/pkg/config/parser"
+	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
+	"github.com/opencloud-eu/reva/v2/pkg/share/manager/jsoncs3"
+	"github.com/opencloud-eu/reva/v2/pkg/share/manager/registry"
+	"github.com/opencloud-eu/reva/v2/pkg/utils"
+
+	"github.com/rs/zerolog"
+	"github.com/spf13/cobra"
 )

 // SharesCommand is the entrypoint for the groups command.
-func SharesCommand(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:     "shares",
-		Usage:    `cli tools to manage entries in the share manager.`,
-		Category: "maintenance",
-		Before: func(c *cli.Context) error {
+func SharesCommand(cfg *config.Config) *cobra.Command {
+	sharesCmd := &cobra.Command{
+		Use:   "shares",
+		Short: `cli tools to manage entries in the share manager.`,
+		PreRunE: func(cmd *cobra.Command, args []string) error {
 			// Parse base config
 			if err := parser.ParseConfig(cfg, true); err != nil {
 				return configlog.ReturnError(err)
@@ -37,37 +37,21 @@ func SharesCommand(cfg *config.Config) *cli.Command {
 			cfg.Sharing.Commons = cfg.Commons
 			return configlog.ReturnError(sharingparser.ParseConfig(cfg.Sharing))
 		},
-		Subcommands: []*cli.Command{
-			cleanupCmd(cfg),
-		},
 	}
+	sharesCmd.AddCommand(cleanupCmd(cfg))
+
+	return sharesCmd
 }

 func init() {
 	register.AddCommand(SharesCommand)
 }

-func cleanupCmd(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:  "cleanup",
-		Usage: `clean up stale entries in the share manager.`,
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:     "service-account-id",
-				Value:    "",
-				Usage:    "Name of the service account to use for the cleanup",
-				EnvVars:  []string{"OC_SERVICE_ACCOUNT_ID"},
-				Required: true,
-			},
-			&cli.StringFlag{
-				Name:     "service-account-secret",
-				Value:    "",
-				Usage:    "Secret for the service account",
-				EnvVars:  []string{"OC_SERVICE_ACCOUNT_SECRET"},
-				Required: true,
-			},
-		},
-		Before: func(c *cli.Context) error {
+func cleanupCmd(cfg *config.Config) *cobra.Command {
+	cleanCmd := &cobra.Command{
+		Use:   "cleanup",
+		Short: `clean up stale entries in the share manager.`,
+		PreRunE: func(cmd *cobra.Command, args []string) error {
 			// Parse base config
 			if err := parser.ParseConfig(cfg, true); err != nil {
 				return configlog.ReturnError(err)
@@ -77,13 +61,24 @@ func cleanupCmd(cfg *config.Config) *cli.Command {
 			cfg.Sharing.Commons = cfg.Commons
 			return configlog.ReturnError(sharingparser.ParseConfig(cfg.Sharing))
 		},
-		Action: func(c *cli.Context) error {
-			return cleanup(c, cfg)
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cleanup(cmd, cfg)
 		},
 	}
+	cleanCmd.Flags().String("service-account-id", "", "Name of the service account to use for the cleanup")
+	_ = cleanCmd.MarkFlagRequired("service-account-id")
+	_ = viper.BindEnv("service-account-id", "OC_SERVICE_ACCOUNT_ID")
+	_ = viper.BindPFlag("service-account-id", cleanCmd.Flags().Lookup("service-account-id"))
+
+	cleanCmd.Flags().String("service-account-secret", "", "Secret for the service account")
+	_ = cleanCmd.MarkFlagRequired("service-account-secret")
+	_ = viper.BindEnv("service-account-secret", "OC_SERVICE_ACCOUNT_SECRET")
+	_ = viper.BindPFlag("service-account-secret", cleanCmd.Flags().Lookup("service-account-secret"))
+
+	return cleanCmd
 }

-func cleanup(c *cli.Context, cfg *config.Config) error {
+func cleanup(_ *cobra.Command, cfg *config.Config) error {
 	driver := cfg.Sharing.UserSharingDriver
 	// cleanup is only implemented for the jsoncs3 share manager
 	if driver != "jsoncs3" {
@@ -114,7 +109,9 @@ func cleanup(c *cli.Context, cfg *config.Config) error {
 		return configlog.ReturnError(err)
 	}

-	serviceUserCtx, err := utils.GetServiceUserContext(c.String("service-account-id"), client, c.String("service-account-secret"))
+	serviceAccountIDFlag := viper.GetString("service-account-id")
+	serviceAccountSecretFlag := viper.GetString("service-account-secret")
+	serviceUserCtx, err := utils.GetServiceUserContext(serviceAccountIDFlag, client, serviceAccountSecretFlag)
 	if err != nil {
 		return configlog.ReturnError(err)
 	}
@@ -171,39 +168,6 @@ func revaShareConfig(cfg *sharing.Config) map[string]interface{} {
 	}
 }

-func revaPublicShareConfig(cfg *sharing.Config) map[string]interface{} {
-	return map[string]interface{}{
-		"json": map[string]interface{}{
-			"file":         cfg.PublicSharingDrivers.JSON.File,
-			"gateway_addr": cfg.Reva.Address,
-		},
-		"jsoncs3": map[string]interface{}{
-			"gateway_addr":        cfg.Reva.Address,
-			"provider_addr":       cfg.PublicSharingDrivers.JSONCS3.ProviderAddr,
-			"service_user_id":     cfg.PublicSharingDrivers.JSONCS3.SystemUserID,
-			"service_user_idp":    cfg.PublicSharingDrivers.JSONCS3.SystemUserIDP,
-			"machine_auth_apikey": cfg.PublicSharingDrivers.JSONCS3.SystemUserAPIKey,
-		},
-		"sql": map[string]interface{}{
-			"db_username":                   cfg.PublicSharingDrivers.SQL.DBUsername,
-			"db_password":                   cfg.PublicSharingDrivers.SQL.DBPassword,
-			"db_host":                       cfg.PublicSharingDrivers.SQL.DBHost,
-			"db_port":                       cfg.PublicSharingDrivers.SQL.DBPort,
-			"db_name":                       cfg.PublicSharingDrivers.SQL.DBName,
-			"password_hash_cost":            cfg.PublicSharingDrivers.SQL.PasswordHashCost,
-			"enable_expired_shares_cleanup": cfg.PublicSharingDrivers.SQL.EnableExpiredSharesCleanup,
-			"janitor_run_interval":          cfg.PublicSharingDrivers.SQL.JanitorRunInterval,
-		},
-		"cs3": map[string]interface{}{
-			"gateway_addr":        cfg.PublicSharingDrivers.CS3.ProviderAddr,
-			"provider_addr":       cfg.PublicSharingDrivers.CS3.ProviderAddr,
-			"service_user_id":     cfg.PublicSharingDrivers.CS3.SystemUserID,
-			"service_user_idp":    cfg.PublicSharingDrivers.CS3.SystemUserIDP,
-			"machine_auth_apikey": cfg.PublicSharingDrivers.CS3.SystemUserAPIKey,
-		},
-	}
-}
-
 func logger() *zerolog.Logger {
 	log := oclog.NewLogger(
 		oclog.Name("migrate"),
--- a/opencloud/pkg/command/trash.go
+++ b/opencloud/pkg/command/trash.go
@@ -3,57 +3,40 @@ package command
 import (
 	"fmt"

-	"github.com/opencloud-eu/opencloud/opencloud/pkg/trash"
-
 	"github.com/opencloud-eu/opencloud/opencloud/pkg/register"
+	"github.com/opencloud-eu/opencloud/opencloud/pkg/trash"
 	"github.com/opencloud-eu/opencloud/pkg/config"
 	"github.com/opencloud-eu/opencloud/pkg/config/configlog"
 	"github.com/opencloud-eu/opencloud/pkg/config/parser"
-	"github.com/urfave/cli/v2"
+
+	"github.com/spf13/cobra"
 )

-func TrashCommand(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:  "trash",
-		Usage: "OpenCloud trash functionality",
-		Subcommands: []*cli.Command{
-			TrashPurgeEmptyDirsCommand(cfg),
-		},
-		Before: func(c *cli.Context) error {
+func TrashCommand(cfg *config.Config) *cobra.Command {
+	trashCmd := &cobra.Command{
+		Use:   "trash",
+		Short: "OpenCloud trash functionality",
+		PreRunE: func(cmd *cobra.Command, args []string) error {
 			return configlog.ReturnError(parser.ParseConfig(cfg, true))
 		},
-		Action: func(_ *cli.Context) error {
+		RunE: func(cmd *cobra.Command, args []string) error {
 			fmt.Println("Read the docs")
 			return nil
 		},
 	}
+	trashCmd.AddCommand(TrashPurgeEmptyDirsCommand(cfg))
+
+	return trashCmd
 }

-func TrashPurgeEmptyDirsCommand(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:  "purge-empty-dirs",
-		Usage: "purge empty directories",
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:     "basepath",
-				Aliases:  []string{"p"},
-				Usage:    "the basepath of the decomposedfs (e.g. /var/tmp/opencloud/storage/users)",
-				Required: true,
-			},
-			&cli.BoolFlag{
-				Name:  "dry-run",
-				Usage: "do not delete anything, just print what would be deleted",
-				Value: true,
-			},
-		},
-		Action: func(c *cli.Context) error {
-			basePath := c.String("basepath")
-			if basePath == "" {
-				fmt.Println("basepath is required")
-				return cli.ShowCommandHelp(c, "trash")
-			}
-
-			if err := trash.PurgeTrashEmptyPaths(basePath, c.Bool("dry-run")); err != nil {
+func TrashPurgeEmptyDirsCommand(cfg *config.Config) *cobra.Command {
+	trashPurgeCmd := &cobra.Command{
+		Use:   "purge-empty-dirs",
+		Short: "purge empty directories",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			basePath, _ := cmd.Flags().GetString("basepath")
+			dryRun, _ := cmd.Flags().GetBool("dry-run")
+			if err := trash.PurgeTrashEmptyPaths(basePath, dryRun); err != nil {
 				fmt.Println(err)
 				return err
 			}
@@ -61,6 +44,12 @@ func TrashPurgeEmptyDirsCommand(cfg *config.Config) *cli.Command {
 			return nil
 		},
 	}
+	trashPurgeCmd.Flags().StringP("basepath", "p", "", "the basepath of the decomposedfs (e.g. /var/tmp/opencloud/storage/users)")
+	_ = trashPurgeCmd.MarkFlagRequired("basepath")
+
+	trashPurgeCmd.Flags().Bool("dry-run", true, "do not delete anything, just print what would be deleted")
+
+	return trashPurgeCmd
 }

 func init() {
--- a/opencloud/pkg/command/version.go
+++ b/opencloud/pkg/command/version.go
@@ -4,15 +4,16 @@ import (
 	"fmt"
 	"os"

-	"github.com/olekukonko/tablewriter"
-	"github.com/olekukonko/tablewriter/tw"
-	"github.com/urfave/cli/v2"
-	mreg "go-micro.dev/v4/registry"
+	"github.com/spf13/cobra"

 	"github.com/opencloud-eu/opencloud/opencloud/pkg/register"
 	"github.com/opencloud-eu/opencloud/pkg/config"
 	"github.com/opencloud-eu/opencloud/pkg/registry"
 	"github.com/opencloud-eu/opencloud/pkg/version"
+
+	"github.com/olekukonko/tablewriter"
+	"github.com/olekukonko/tablewriter/tw"
+	mreg "go-micro.dev/v4/registry"
 )

 const (
@@ -20,22 +21,18 @@ const (
 )

 // VersionCommand is the entrypoint for the version command.
-func VersionCommand(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:  "version",
-		Usage: "print the version of this binary and all running service instances",
-		Flags: []cli.Flag{
-			&cli.BoolFlag{
-				Name:  _skipServiceListingFlagName,
-				Usage: "skip service listing",
-			},
-		},
-		Category: "info",
-		Action: func(c *cli.Context) error {
+func VersionCommand(cfg *config.Config) *cobra.Command {
+	versionCmd := &cobra.Command{
+		Use:     "version",
+		Short:   "print the version of this binary and all running service instances",
+		GroupID: CommandGroupServer,
+		RunE: func(cmd *cobra.Command, args []string) error {
 			fmt.Println("Version: " + version.GetString())
+			fmt.Printf("Edition: %s\n", version.Edition)
 			fmt.Printf("Compiled: %s\n", version.Compiled())

-			if c.Bool(_skipServiceListingFlagName) {
+			skipServiceListing, _ := cmd.Flags().GetBool(_skipServiceListingFlagName)
+			if skipServiceListing {
 				return nil
 			}

@@ -74,6 +71,8 @@ func VersionCommand(cfg *config.Config) *cli.Command {
 			return nil
 		},
 	}
+	versionCmd.Flags().Bool(_skipServiceListingFlagName, false, "skip service listing")
+	return versionCmd
 }

 func init() {
--- a/opencloud/pkg/init/init.go
+++ b/opencloud/pkg/init/init.go
@@ -5,7 +5,7 @@ import (
 	"os"
 	"path"

-	"github.com/gofrs/uuid"
+	"github.com/google/uuid"
 	"gopkg.in/yaml.v2"

 	"github.com/opencloud-eu/opencloud/pkg/generators"
@@ -68,7 +68,7 @@ func CreateConfig(insecure, forceOverwrite, diff bool, configPath, adminPassword
 		systemUserID, adminUserID, graphApplicationID, storageUsersMountID, serviceAccountID string
 		idmServicePassword, idpServicePassword, ocAdminServicePassword, revaServicePassword  string
 		tokenManagerJwtSecret, collaborationWOPISecret, machineAuthAPIKey, systemUserAPIKey  string
-		revaTransferSecret, thumbnailsTransferSecret, serviceAccountSecret                   string
+		revaTransferSecret, thumbnailsTransferSecret, serviceAccountSecret, urlSigningSecret string
 	)

 	if diff {
@@ -95,12 +95,19 @@ func CreateConfig(insecure, forceOverwrite, diff bool, configPath, adminPassword
 		revaTransferSecret = oldCfg.TransferSecret
 		thumbnailsTransferSecret = oldCfg.Thumbnails.Thumbnail.TransferSecret
 		serviceAccountSecret = oldCfg.Graph.ServiceAccount.ServiceAccountSecret
+		urlSigningSecret = oldCfg.URLSigningSecret
+		if urlSigningSecret == "" {
+			urlSigningSecret, err = generators.GenerateRandomPassword(passwordLength)
+			if err != nil {
+				return fmt.Errorf("could not generate random secret for urlSigningSecret: %s", err)
+			}
+		}
 	} else {
-		systemUserID = uuid.Must(uuid.NewV4()).String()
-		adminUserID = uuid.Must(uuid.NewV4()).String()
-		graphApplicationID = uuid.Must(uuid.NewV4()).String()
-		storageUsersMountID = uuid.Must(uuid.NewV4()).String()
-		serviceAccountID = uuid.Must(uuid.NewV4()).String()
+		systemUserID = uuid.NewString()
+		adminUserID = uuid.NewString()
+		graphApplicationID = uuid.NewString()
+		storageUsersMountID = uuid.NewString()
+		serviceAccountID = uuid.NewString()

 		idmServicePassword, err = generators.GenerateRandomPassword(passwordLength)
 		if err != nil {
@@ -142,13 +149,17 @@ func CreateConfig(insecure, forceOverwrite, diff bool, configPath, adminPassword
 		if err != nil {
 			return fmt.Errorf("could not generate random password for revaTransferSecret: %s", err)
 		}
+		urlSigningSecret, err = generators.GenerateRandomPassword(passwordLength)
+		if err != nil {
+			return fmt.Errorf("could not generate random secret for urlSigningSecret: %s", err)
+		}
 		thumbnailsTransferSecret, err = generators.GenerateRandomPassword(passwordLength)
 		if err != nil {
 			return fmt.Errorf("could not generate random password for thumbnailsTransferSecret: %s", err)
 		}
 		serviceAccountSecret, err = generators.GenerateRandomPassword(passwordLength)
 		if err != nil {
-			return fmt.Errorf("could not generate random password for thumbnailsTransferSecret: %s", err)
+			return fmt.Errorf("could not generate random secret for serviceAccountSecret: %s", err)
 		}
 	}

@@ -164,6 +175,7 @@ func CreateConfig(insecure, forceOverwrite, diff bool, configPath, adminPassword
 		MachineAuthAPIKey: machineAuthAPIKey,
 		SystemUserAPIKey:  systemUserAPIKey,
 		TransferSecret:    revaTransferSecret,
+		URLSigningSecret:  urlSigningSecret,
 		SystemUserID:      systemUserID,
 		AdminUserID:       adminUserID,
 		Idm: IdmService{
--- a/opencloud/pkg/init/structs.go
+++ b/opencloud/pkg/init/structs.go
@@ -19,6 +19,7 @@ type OpenCloudConfig struct {
 	MachineAuthAPIKey string                `yaml:"machine_auth_api_key"`
 	SystemUserAPIKey  string                `yaml:"system_user_api_key"`
 	TransferSecret    string                `yaml:"transfer_secret"`
+	URLSigningSecret  string                `yaml:"url_signing_secret"`
 	SystemUserID      string                `yaml:"system_user_id"`
 	AdminUserID       string                `yaml:"admin_user_id"`
 	Graph             GraphService          `yaml:"graph"`
--- a/opencloud/pkg/register/command.go
+++ b/opencloud/pkg/register/command.go
@@ -1,17 +1,18 @@
 package register

 import (
+	"github.com/spf13/cobra"
+
 	"github.com/opencloud-eu/opencloud/pkg/config"
-	"github.com/urfave/cli/v2"
 )

 var (
-	// Commands defines the slice of commands.
-	Commands = []Command{}
+	// Commands define the slice of commands.
+	Commands []Command
 )

 // Command defines the register command.
-type Command func(*config.Config) *cli.Command
+type Command func(*config.Config) *cobra.Command

 // AddCommand appends a command to Commands.
 func AddCommand(cmd Command) {
--- a/opencloud/pkg/runtime/options.go
+++ b/opencloud/pkg/runtime/options.go
@@ -2,14 +2,12 @@ package runtime

 import (
 	"github.com/opencloud-eu/opencloud/pkg/log"
-	"github.com/urfave/cli/v2"
 )

 // Options is a runtime option
 type Options struct {
 	Services []string
 	Logger   log.Logger
-	Context  *cli.Context
 }

 // Option undocumented
@@ -21,10 +19,3 @@ func Services(s []string) Option {
 		o.Services = append(o.Services, s...)
 	}
 }
-
-// Context option
-func Context(c *cli.Context) Option {
-	return func(o *Options) {
-		o.Context = c
-	}
-}
--- a/opencloud/pkg/runtime/service/service.go
+++ b/opencloud/pkg/runtime/service/service.go
@@ -3,7 +3,6 @@ package service
 import (
 	"context"
 	"errors"
-	"fmt"
 	"net"
 	"net/http"
 	"net/rpc"
@@ -125,7 +124,7 @@ func NewService(ctx context.Context, options ...Option) (*Service, error) {
 		if s.Services[priority] == nil {
 			s.Services[priority] = make(serviceFuncMap)
 		}
-		s.Services[priority][name] = NewSutureServiceBuilder(exec)
+		s.Services[priority][name] = NewSutureServiceBuilder(name, exec)
 	}

 	// nats is in priority group 0. It needs to start before all other services
@@ -317,11 +316,11 @@ func NewService(ctx context.Context, options ...Option) (*Service, error) {

 	// populate optional services
 	areg := func(name string, exec func(context.Context, *occfg.Config) error) {
-		s.Additional[name] = NewSutureServiceBuilder(exec)
+		s.Additional[name] = NewSutureServiceBuilder(name, exec)
 	}
 	areg(opts.Config.Antivirus.Service.Name, func(ctx context.Context, cfg *occfg.Config) error {
 		cfg.Antivirus.Context = ctx
-		// cfg.Antivirus.Commons = cfg.Commons // antivirus holds no Commons atm
+		cfg.Antivirus.Commons = cfg.Commons
 		return antivirus.Execute(cfg.Antivirus)
 	})
 	areg(opts.Config.Audit.Service.Name, func(ctx context.Context, cfg *occfg.Config) error {
@@ -382,7 +381,32 @@ func Start(ctx context.Context, o ...Option) error {
 					cancel()
 				}
 			}
-			s.Log.Info().Str("event", e.String()).Msg(fmt.Sprintf("supervisor: %v", e.Map()["supervisor_name"]))
+			switch ev := e.(type) {
+			case suture.EventServicePanic:
+				l := s.Log.Fatal()
+				if ev.Restarting {
+					l = s.Log.Error()
+				}
+				l.Str("event", e.String()).Str("service", ev.ServiceName).Str("supervisor", ev.SupervisorName).
+					Bool("restarting", ev.Restarting).Float64("failures", ev.CurrentFailures).Float64("threshold", ev.FailureThreshold).
+					Str("message", ev.PanicMsg).Msg("service panic")
+			case suture.EventServiceTerminate:
+				l := s.Log.Fatal()
+				if ev.Restarting {
+					l = s.Log.Error()
+				}
+				l.Str("event", e.String()).Str("service", ev.ServiceName).Str("supervisor", ev.SupervisorName).
+					Bool("restarting", ev.Restarting).Float64("failures", ev.CurrentFailures).Float64("threshold", ev.FailureThreshold).
+					Interface("error", ev.Err).Msg("service terminated")
+			case suture.EventBackoff:
+				s.Log.Warn().Str("event", e.String()).Str("supervisor", ev.SupervisorName).Msg("service backoff")
+			case suture.EventResume:
+				s.Log.Info().Str("event", e.String()).Str("supervisor", ev.SupervisorName).Msg("service resume")
+			case suture.EventStopTimeout:
+				s.Log.Warn().Str("event", e.String()).Str("service", ev.ServiceName).Str("supervisor", ev.SupervisorName).Msg("service resume")
+			default:
+				s.Log.Warn().Str("event", e.String()).Msgf("supervisor: %v", e.Map()["supervisor_name"])
+			}
 		},
 		FailureThreshold: 5,
 		FailureBackoff:   3 * time.Second,
--- a/opencloud/pkg/runtime/service/sutureservice.go
+++ b/opencloud/pkg/runtime/service/sutureservice.go
@@ -10,15 +10,17 @@ import (
 // SutureService allows for the settings command to be embedded and supervised by a suture supervisor tree.
 type SutureService struct {
 	exec func(ctx context.Context) error
+	name string
 }

 // NewSutureServiceBuilder creates a new suture service
-func NewSutureServiceBuilder(f func(context.Context, *occfg.Config) error) func(*occfg.Config) suture.Service {
+func NewSutureServiceBuilder(name string, f func(context.Context, *occfg.Config) error) func(*occfg.Config) suture.Service {
 	return func(cfg *occfg.Config) suture.Service {
 		return SutureService{
 			exec: func(ctx context.Context) error {
 				return f(ctx, cfg)
 			},
+			name: name,
 		}
 	}
 }
@@ -27,3 +29,8 @@ func NewSutureServiceBuilder(f func(context.Context, *occfg.Config) error) func(
 func (s SutureService) Serve(ctx context.Context) error {
 	return s.exec(ctx)
 }
+
+// String to fullfil fmt.Stringer interface, used to log the service name
+func (s SutureService) String() string {
+	return s.name
+}
--- a/pkg/clihelper/app.go
+++ b/pkg/clihelper/app.go
@@ -1,26 +1,18 @@
 package clihelper

 import (
+	"fmt"
+
 	"github.com/opencloud-eu/opencloud/pkg/version"
-	"github.com/urfave/cli/v2"
+
+	"github.com/spf13/cobra"
 )

-func DefaultApp(app *cli.App) *cli.App {
+// DefaultApp is a wrapper for DefaultApp that adds Cobra specific settings
+func DefaultApp(app *cobra.Command) *cobra.Command {
+	// TODO: when migration is done this has to become DefaultApp
 	// version info
-	app.Version = version.String
-	app.Compiled = version.Compiled()
-
-	// author info
-	app.Authors = []*cli.Author{
-		{
-			Name:  "OpenCloud GmbH",
-			Email: "support@opencloud.eu",
-		},
-	}
-
-	// disable global version flag
-	// instead we provide the version command
-	app.HideVersion = true
+	app.Version = fmt.Sprintf("%s (%s <%s>) (%s)", version.String, "OpenCloud GmbH", "support@opencloud.eu", version.Compiled())

 	return app
 }
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -55,14 +55,13 @@ type Runtime struct {
 	Services      []string `yaml:"services" env:"OC_RUN_EXTENSIONS;OC_RUN_SERVICES" desc:"A comma-separated list of service names. Will start only the listed services." introductionVersion:"1.0.0"`
 	Disabled      []string `yaml:"disabled_services" env:"OC_EXCLUDE_RUN_SERVICES" desc:"A comma-separated list of service names. Will start all default services except of the ones listed. Has no effect when OC_RUN_SERVICES is set." introductionVersion:"1.0.0"`
 	Additional    []string `yaml:"add_services" env:"OC_ADD_RUN_SERVICES" desc:"A comma-separated list of service names. Will add the listed services to the default configuration. Has no effect when OC_RUN_SERVICES is set. Note that one can add services not started by the default list and exclude services from the default list by using both envvars at the same time." introductionVersion:"1.0.0"`
-	ShutdownOrder []string `yaml:"shutdown_order" env:"OC_SHUTDOWN_ORDER" desc:"A comma-separated list of service names defining the order in which services are shut down. Services not listed will be stopped after the listed ones in random order." introductionVersion:"%%NEXT%%"`
+	ShutdownOrder []string `yaml:"shutdown_order" env:"OC_SHUTDOWN_ORDER" desc:"A comma-separated list of service names defining the order in which services are shut down. Services not listed will be stopped after the listed ones in random order." introductionVersion:"4.0.0"`
 }

 // Config combines all available configuration parts.
 type Config struct {
 	*shared.Commons `yaml:"shared"`

-	Tracing        *shared.Tracing        `yaml:"tracing"`
 	Log            *shared.Log            `yaml:"log"`
 	Cache          *shared.Cache          `yaml:"cache"`
 	GRPCClientTLS  *shared.GRPCClientTLS  `yaml:"grpc_client_tls"`
@@ -78,6 +77,7 @@ type Config struct {
 	TokenManager      *shared.TokenManager `yaml:"token_manager"`
 	MachineAuthAPIKey string               `yaml:"machine_auth_api_key" env:"OC_MACHINE_AUTH_API_KEY" desc:"Machine auth API key used to validate internal requests necessary for the access to resources from other services." introductionVersion:"1.0.0"`
 	TransferSecret    string               `yaml:"transfer_secret" env:"OC_TRANSFER_SECRET" desc:"Transfer secret for signing file up- and download requests." introductionVersion:"1.0.0"`
+	URLSigningSecret  string               `yaml:"url_signing_secret" env:"OC_URL_SIGNING_SECRET" desc:"The shared secret used to sign URLs e.g. for image downloads by the web office suite." introductionVersion:"4.0.0"`
 	SystemUserID      string               `yaml:"system_user_id" env:"OC_SYSTEM_USER_ID" desc:"ID of the OpenCloud storage-system system user. Admins need to set the ID for the storage-system system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format." introductionVersion:"1.0.0"`
 	SystemUserAPIKey  string               `yaml:"system_user_api_key" env:"OC_SYSTEM_USER_API_KEY" desc:"API key for the storage-system system user." introductionVersion:"1.0.0"`
 	AdminUserID       string               `yaml:"admin_user_id" env:"OC_ADMIN_USER_ID" desc:"ID of a user, that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand." introductionVersion:"1.0.0"`
--- a/pkg/config/parser/parse.go
+++ b/pkg/config/parser/parse.go
@@ -40,9 +40,6 @@ func ParseConfig(cfg *config.Config, skipValidate bool) error {
 // EnsureDefaults ensures that all pointers in the
 // OpenCloud config (not the services configs) are initialized
 func EnsureDefaults(cfg *config.Config) {
-	if cfg.Tracing == nil {
-		cfg.Tracing = &shared.Tracing{}
-	}
 	if cfg.Log == nil {
 		cfg.Log = &shared.Log{}
 	}
@@ -71,7 +68,6 @@ func EnsureCommons(cfg *config.Config) {
 	}

 	cfg.Commons.Log = structs.CopyOrZeroValue(cfg.Log)
-	cfg.Commons.Tracing = structs.CopyOrZeroValue(cfg.Tracing)
 	cfg.Commons.Cache = structs.CopyOrZeroValue(cfg.Cache)

 	if cfg.GRPCClientTLS != nil {
@@ -100,6 +96,14 @@ func EnsureCommons(cfg *config.Config) {
 		cfg.Commons.TransferSecret = cfg.TransferSecret
 	}

+	// make sure url signing secret is set and copy it to the commons part
+	// fall back to transfer secret for url signing secret to avoid
+	// issues when upgrading from an older release
+	if cfg.URLSigningSecret == "" {
+		cfg.URLSigningSecret = cfg.TransferSecret
+	}
+	cfg.Commons.URLSigningSecret = cfg.URLSigningSecret
+
 	// copy metadata user id to the commons part if set
 	if cfg.SystemUserID != "" {
 		cfg.Commons.SystemUserID = cfg.SystemUserID
@@ -128,6 +132,10 @@ func Validate(cfg *config.Config) error {
 		return shared.MissingRevaTransferSecretError("opencloud")
 	}

+	if cfg.URLSigningSecret == "" {
+		return shared.MissingURLSigningSecret("opencloud")
+	}
+
 	if cfg.MachineAuthAPIKey == "" {
 		return shared.MissingMachineAuthApiKeyError("opencloud")
 	}
--- a/pkg/service/http/option.go
+++ b/pkg/service/http/option.go
@@ -6,7 +6,8 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/log"
 	"github.com/opencloud-eu/opencloud/pkg/shared"
-	"github.com/urfave/cli/v2"
+
+	"github.com/spf13/pflag"
 	"go.opentelemetry.io/otel/trace"
 )

@@ -23,7 +24,7 @@ type Options struct {
 	Address       string
 	Handler       http.Handler
 	Context       context.Context
-	Flags         []cli.Flag
+	Flags         []pflag.Flag
 	TraceProvider trace.TracerProvider
 }

@@ -83,7 +84,7 @@ func Context(ctx context.Context) Option {
 }

 // Flags provides a function to set the flags option.
-func Flags(flags ...cli.Flag) Option {
+func Flags(flags ...pflag.Flag) Option {
 	return func(o *Options) {
 		o.Flags = append(o.Flags, flags...)
 	}
--- a/pkg/service/http/service.go
+++ b/pkg/service/http/service.go
@@ -49,6 +49,8 @@ func NewService(opts ...Option) (Service, error) {
 		}
 		tlsConfig := &tls.Config{
 			Certificates: []tls.Certificate{cert},
+			MinVersion:   tls.VersionTLS12,
+			NextProtos:   []string{"h2", "http/1.1"},
 		}
 		mServer = mhttps.NewServer(server.TLSConfig(tlsConfig))
 	} else {
@@ -62,7 +64,8 @@ func NewService(opts ...Option) (Service, error) {
 		micro.Name(strings.Join([]string{sopts.Namespace, sopts.Name}, ".")),
 		micro.Version(sopts.Version),
 		micro.Context(sopts.Context),
-		micro.Flags(sopts.Flags...),
+		// TODO: clarify if this is actually used on the go-micro side
+		//micro.Flags(sopts.Flags...),
 		micro.Registry(registry.GetRegistry()),
 		micro.RegisterTTL(registry.GetRegisterTTL()),
 		micro.RegisterInterval(registry.GetRegisterInterval()),
--- a/pkg/shared/errors.go
+++ b/pkg/shared/errors.go
@@ -93,3 +93,11 @@ func MissingWOPISecretError(service string) error {
 		"the config/corresponding environment variable).",
 		service, defaults.BaseConfigPath())
 }
+
+func MissingURLSigningSecret(service string) error {
+	return fmt.Errorf("The URL signing secret has not been set properly in your config for %s. "+
+		"Make sure your %s config contains the proper values "+
+		"(e.g. by using 'opencloud init --diff' and applying the patch or setting a value manually in "+
+		"the config/corresponding environment variable).",
+		service, defaults.BaseConfigPath())
+}
--- a/pkg/shared/shared_types.go
+++ b/pkg/shared/shared_types.go
@@ -18,14 +18,6 @@ type Log struct {
 	File   string `yaml:"file" env:"OC_LOG_FILE" desc:"The path to the log file. Activates logging to this file if set." introductionVersion:"1.0.0"`
 }

-// Tracing defines the available tracing configuration.
-type Tracing struct {
-	Enabled   bool   `yaml:"enabled" env:"OC_TRACING_ENABLED" desc:"Activates tracing." introductionVersion:"1.0.0"`
-	Type      string `yaml:"type" env:"OC_TRACING_TYPE" desc:"The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now." introductionVersion:"1.0.0"`
-	Endpoint  string `yaml:"endpoint" env:"OC_TRACING_ENDPOINT" desc:"The endpoint of the tracing agent." introductionVersion:"1.0.0"`
-	Collector string `yaml:"collector" env:"OC_TRACING_COLLECTOR" desc:"The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset." introductionVersion:"1.0.0"`
-}
-
 // TokenManager is the config for using the reva token manager
 type TokenManager struct {
 	JWTSecret string `mask:"password" yaml:"jwt_secret" env:"OC_JWT_SECRET" desc:"The secret to mint and validate jwt tokens." introductionVersion:"1.0.0"`
@@ -69,8 +61,8 @@ type Cache struct {
 // Commons holds configuration that are common to all extensions. Each extension can then decide whether
 // to overwrite its values.
 type Commons struct {
+	TracesExporter     string          `yaml:"traces_exporter" env:"OTEL_TRACES_EXPORTER" desc:"The exporter used for traces. Supports 'otlp', 'console' and 'none' (default)." introductionVersion:"%%NEXT%%"`
 	Log                *Log            `yaml:"log"`
-	Tracing            *Tracing        `yaml:"tracing"`
 	Cache              *Cache          `yaml:"cache"`
 	GRPCClientTLS      *GRPCClientTLS  `yaml:"grpc_client_tls"`
 	GRPCServiceTLS     *GRPCServiceTLS `yaml:"grpc_service_tls"`
@@ -80,10 +72,11 @@ type Commons struct {
 	Reva               *Reva           `yaml:"reva"`
 	MachineAuthAPIKey  string          `mask:"password" yaml:"machine_auth_api_key" env:"OC_MACHINE_AUTH_API_KEY" desc:"Machine auth API key used to validate internal requests necessary for the access to resources from other services." introductionVersion:"1.0.0"`
 	TransferSecret     string          `mask:"password" yaml:"transfer_secret,omitempty" env:"REVA_TRANSFER_SECRET" desc:"The secret used for signing the requests towards the data gateway for up- and downloads." introductionVersion:"1.0.0"`
+	URLSigningSecret   string          `yaml:"url_signing_secret" env:"OC_URL_SIGNING_SECRET" desc:"The shared secret used to sign URLs e.g. for image downloads by the web office suite." introductionVersion:"4.0.0"`
 	SystemUserID       string          `yaml:"system_user_id" env:"OC_SYSTEM_USER_ID" desc:"ID of the OpenCloud storage-system system user. Admins need to set the ID for the storage-system system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format." introductionVersion:"1.0.0"`
 	SystemUserAPIKey   string          `mask:"password" yaml:"system_user_api_key" env:"SYSTEM_USER_API_KEY" desc:"API key for all system users." introductionVersion:"1.0.0"`
 	AdminUserID        string          `yaml:"admin_user_id" env:"OC_ADMIN_USER_ID" desc:"ID of a user, that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand." introductionVersion:"1.0.0"`
-	MultiTenantEnabled bool            `yaml:"multi_tenant_enabled" env:"OC_MULTI_TENANT_ENABLED" desc:"Set this to true to enable multi-tenant support." introductionVersion:"%%NEXT%%"`
+	MultiTenantEnabled bool            `yaml:"multi_tenant_enabled" env:"OC_MULTI_TENANT_ENABLED" desc:"Set this to true to enable multi-tenant support." introductionVersion:"4.0.0"`

 	// NOTE: you will not fing GRPCMaxReceivedMessageSize size being used in the code. The envvar is actually extracted in revas `pool` package: https://github.com/cs3org/reva/blob/edge/pkg/rgrpc/todo/pool/connection.go
 	// It is mentioned here again so it is documented
--- a/pkg/tracing/config.go
+++ b/pkg/tracing/config.go
@@ -1,14 +0,0 @@
-package tracing
-
-// ConfigConverter is the interface for external configuration.
-type ConfigConverter interface {
-	Convert() Config
-}
-
-// Tracing defines the available tracing configuration.
-type Config struct {
-	Enabled   bool   `yaml:"enabled" env:"OC_TRACING_ENABLED" desc:"Activates tracing." introductionVersion:"1.0.0"`
-	Type      string `yaml:"type" env:"OC_TRACING_TYPE" desc:"The type of tracing. Defaults to \"\", which is the same as \"jaeger\". Allowed tracing types are \"jaeger\" and \"\" as of now." introductionVersion:"1.0.0"`
-	Endpoint  string `yaml:"endpoint" env:"OC_TRACING_ENDPOINT" desc:"The endpoint of the tracing agent." introductionVersion:"1.0.0"`
-	Collector string `yaml:"collector" env:"OC_TRACING_COLLECTOR" desc:"The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset." introductionVersion:"1.0.0"`
-}
--- a/pkg/tracing/tracing.go
+++ b/pkg/tracing/tracing.go
@@ -3,22 +3,16 @@ package tracing
 import (
 	"context"
 	"fmt"
-	"net/url"
-	"reflect"
-	"strings"
-	"time"

 	rtrace "github.com/opencloud-eu/reva/v2/pkg/trace"
 	"go.opentelemetry.io/otel/attribute"
-	"go.opentelemetry.io/otel/exporters/jaeger"
 	"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc"
+	"go.opentelemetry.io/otel/exporters/stdout/stdouttrace"
 	"go.opentelemetry.io/otel/propagation"
 	"go.opentelemetry.io/otel/sdk/resource"
 	sdktrace "go.opentelemetry.io/otel/sdk/trace"
-	semconv "go.opentelemetry.io/otel/semconv/v1.4.0"
+	semconv "go.opentelemetry.io/otel/semconv/v1.37.0"
 	"go.opentelemetry.io/otel/trace"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/credentials/insecure"
 )

 // Propagator ensures the importer module uses the same trace propagation strategy.
@@ -27,25 +21,9 @@ var Propagator = propagation.NewCompositeTextMapPropagator(
 	propagation.TraceContext{},
 )

-// GetServiceTraceProvider returns a configured open-telemetry trace provider.
-func GetServiceTraceProvider(c ConfigConverter, serviceName string) (trace.TracerProvider, error) {
-	var cfg Config
-	if c == nil || reflect.ValueOf(c).IsNil() {
-		cfg = Config{Enabled: false}
-	} else {
-		cfg = c.Convert()
-	}
-
-	if cfg.Enabled {
-		return GetTraceProvider(cfg.Endpoint, cfg.Collector, serviceName, cfg.Type)
-	}
-
-	tp := sdktrace.NewTracerProvider(
-		sdktrace.WithSampler(sdktrace.NeverSample()),
-	)
-	rtrace.SetDefaultTracerProvider(tp)
-
-	return tp, nil
+// Deprecated: GetServiceTraceProvider returns a configured open-telemetry trace provider. Use GetTraceProvider.
+func GetServiceTraceProvider(exporter, serviceName string) (trace.TracerProvider, error) {
+	return GetTraceProvider(context.Background(), exporter, serviceName)
 }

 // GetPropagator gets a configured propagator.
@@ -57,116 +35,93 @@ func GetPropagator() propagation.TextMapPropagator {
 }

 // GetTraceProvider returns a configured open-telemetry trace provider.
-func GetTraceProvider(endpoint, collector, serviceName, traceType string) (*sdktrace.TracerProvider, error) {
-	switch t := traceType; t {
-	case "", "jaeger":
-		var (
-			exp *jaeger.Exporter
-			err error
-		)
+func GetTraceProvider(ctx context.Context, exporter, serviceName string) (*sdktrace.TracerProvider, error) {

-		if endpoint != "" {
-			var agentHost string
-			var agentPort string
+	// Create resource - shared across all exporters
+	resources, err := createResource(ctx, serviceName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create resource: %w", err)
+	}

-			agentHost, agentPort, err = parseAgentConfig(endpoint)
-			if err != nil {
-				return nil, err
-			}
+	var tp *sdktrace.TracerProvider

-			exp, err = jaeger.New(
-				jaeger.WithAgentEndpoint(
-					jaeger.WithAgentHost(agentHost),
-					jaeger.WithAgentPort(agentPort),
-				),
-			)
-		} else if collector != "" {
-			exp, err = jaeger.New(
-				jaeger.WithCollectorEndpoint(
-					jaeger.WithEndpoint(collector),
-				),
-			)
-		} else {
-			return sdktrace.NewTracerProvider(sdktrace.WithSampler(sdktrace.NeverSample())), nil
-		}
-		if err != nil {
-			return nil, err
-		}
-
-		tp := sdktrace.NewTracerProvider(
-			sdktrace.WithBatcher(exp),
-			sdktrace.WithResource(resource.NewWithAttributes(
-				semconv.SchemaURL,
-				semconv.ServiceNameKey.String(serviceName)),
-			),
-		)
-		rtrace.SetDefaultTracerProvider(tp)
-		return tp, nil
-	case "otlp":
-		ctx, cancel := context.WithTimeout(context.Background(), time.Second)
-		defer cancel()
-		conn, err := grpc.DialContext(ctx, endpoint,
-			// Note the use of insecure transport here. TLS is recommended in production.
-			grpc.WithTransportCredentials(insecure.NewCredentials()),
-			grpc.WithBlock(),
-		)
-		if err != nil {
-			return nil, fmt.Errorf("failed to create gRPC connection to collector: %w", err)
-		}
-		exporter, err := otlptracegrpc.New(
-			context.Background(),
-			otlptracegrpc.WithGRPCConn(conn),
-		)
-		if err != nil {
-			return nil, err
-		}
-		resources, err := resource.New(
-			context.Background(),
-			resource.WithAttributes(
-				attribute.String("service.name", serviceName),
-				attribute.String("library.language", "go"),
-			),
-		)
-		if err != nil {
-			return nil, err
-		}
-
-		tp := sdktrace.NewTracerProvider(
-			sdktrace.WithSampler(sdktrace.AlwaysSample()),
-			sdktrace.WithBatcher(exporter),
+	switch exporter {
+	case "", "none":
+		// No-op exporter - never sample
+		tp = sdktrace.NewTracerProvider(
+			sdktrace.WithSampler(sdktrace.NeverSample()),
 			sdktrace.WithResource(resources),
 		)
-		rtrace.SetDefaultTracerProvider(tp)
-		return tp, nil
-	case "agent":
-		fallthrough
-	case "zipkin":
-		fallthrough
+
+	case "console":
+		// Console exporter - prints to stdout (useful for debugging)
+		consoleExporter, err := stdouttrace.New(
+			stdouttrace.WithPrettyPrint(),
+		)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create console exporter: %w", err)
+		}
+
+		// Use SimpleSpanProcessor for console to get immediate output
+		tp = sdktrace.NewTracerProvider(
+			sdktrace.WithSpanProcessor(sdktrace.NewSimpleSpanProcessor(consoleExporter)),
+			sdktrace.WithResource(resources),
+		)
+
+	case "otlp":
+		// OTLP exporter - connects to collector
+		// This automatically reads:
+		// - OTEL_EXPORTER_OTLP_ENDPOINT
+		// - OTEL_EXPORTER_OTLP_TRACES_ENDPOINT (takes precedence)
+		// - OTEL_EXPORTER_OTLP_HEADERS
+		// - OTEL_EXPORTER_OTLP_INSECURE
+		// - OTEL_EXPORTER_OTLP_CERTIFICATE (for custom CA)
+		otlpExporter, err := otlptracegrpc.New(ctx)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create OTLP exporter: %w", err)
+		}
+
+		// Create tracer provider
+		// This automatically reads:
+		// - OTEL_TRACES_SAMPLER
+		// - OTEL_TRACES_SAMPLER_ARG
+		tp = sdktrace.NewTracerProvider(
+			sdktrace.WithBatcher(otlpExporter),
+			sdktrace.WithResource(resources),
+		)
+
 	default:
-		return nil, fmt.Errorf("unknown trace type %s", traceType)
+		return nil, fmt.Errorf("unsupported trace exporter: %q (supported: none, console, otlp)", exporter)
 	}
+
+	// Set as global default
+	rtrace.SetDefaultTracerProvider(tp)
+
+	return tp, nil
 }

-func parseAgentConfig(ae string) (string, string, error) {
-	u, err := url.Parse(ae)
-	// as per url.go:
-	// [...] Trying to parse a hostname and path
-	// without a scheme is invalid but may not necessarily return an
-	// error, due to parsing ambiguities.
-	if err == nil && u.Hostname() != "" && u.Port() != "" {
-		return u.Hostname(), u.Port(), nil
-	}
-
-	p := strings.Split(ae, ":")
-	if len(p) != 2 {
-		return "", "", fmt.Errorf("invalid agent endpoint `%s`. expected format: `hostname:port`", ae)
-	}
-
-	switch {
-	case p[0] == "" && p[1] == "": // case ae = ":"
-		return "", "", fmt.Errorf("invalid agent endpoint `%s`. expected format: `hostname:port`", ae)
-	case p[0] == "":
-		return "", "", fmt.Errorf("invalid agent endpoint `%s`. expected format: `hostname:port`", ae)
-	}
-	return p[0], p[1], nil
+// createResource creates a resource with service information
+func createResource(ctx context.Context, serviceName string) (*resource.Resource, error) {
+	return resource.New(ctx,
+		// Reads OTEL_RESOURCE_ATTRIBUTES and OTEL_SERVICE_NAME
+		resource.WithFromEnv(),
+		// Host Information
+		resource.WithHost(),
+		// Process Information
+		// Resource WithProcessOwner is deliberately omitted because
+		// inside containers where process might run as an arbitrary
+		// uid without a username associated this would fail.
+		resource.WithProcessPID(),
+		resource.WithProcessCommandArgs(),
+		resource.WithProcessExecutableName(),
+		resource.WithProcessExecutablePath(),
+		resource.WithProcessRuntimeDescription(),
+		resource.WithProcessRuntimeName(),
+		resource.WithProcessRuntimeVersion(),
+		// Service attributes
+		resource.WithAttributes(
+			semconv.ServiceName(serviceName),
+			attribute.String("library.language", "go"),
+		),
+	)
 }
--- a/pkg/tracing/tracing_test.go
+++ b/pkg/tracing/tracing_test.go
@@ -1,77 +0,0 @@
-package tracing
-
-import "testing"
-
-func Test_parseAgentConfig(t *testing.T) {
-	type args struct {
-		ae string
-	}
-	tests := []struct {
-		name    string
-		args    args
-		want    string
-		want1   string
-		wantErr bool
-	}{
-		{
-			name: "docker-style config",
-			args: args{
-				ae: "docker-jaeger:6666",
-			},
-			want:    "docker-jaeger",
-			want1:   "6666",
-			wantErr: false,
-		},
-		{
-			name: "agent in an url config",
-			args: args{
-				ae: "https://example-agent.com:6666",
-			},
-			want:    "example-agent.com",
-			want1:   "6666",
-			wantErr: false,
-		},
-		{
-			name: "agent as ipv4",
-			args: args{
-				ae: "127.0.0.1:6666",
-			},
-			want:    "127.0.0.1",
-			want1:   "6666",
-			wantErr: false,
-		},
-		{
-			name: "no hostname config should error",
-			args: args{
-				ae: ":6666",
-			},
-			want:    "",
-			want1:   "",
-			wantErr: true,
-		},
-		{
-			name: "no hostname nor port but separator should error",
-			args: args{
-				ae: ":",
-			},
-			want:    "",
-			want1:   "",
-			wantErr: true,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got, got1, err := parseAgentConfig(tt.args.ae)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("parseAgentConfig() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			if got != tt.want {
-				t.Errorf("parseAgentConfig() got = %v, want %v", got, tt.want)
-			}
-			if got1 != tt.want1 {
-				t.Errorf("parseAgentConfig() got1 = %v, want %v", got1, tt.want1)
-			}
-		})
-	}
-}
--- a/pkg/version/export_test.go
+++ b/pkg/version/export_test.go
@@ -0,0 +1,4 @@
+package version
+
+// InitEdition exports the private edition initialization func for testing
+var InitEdition = initEdition
--- a/pkg/version/version.go
+++ b/pkg/version/version.go
@@ -1,9 +1,27 @@
 package version

 import (
+	"fmt"
+	"slices"
+	"strings"
 	"time"

 	"github.com/Masterminds/semver"
+	"github.com/opencloud-eu/reva/v2/pkg/logger"
+)
+
+const (
+
+	// Dev is used as a placeholder.
+	Dev = "dev"
+	// EditionDev indicates the development build channel was used to build the binary.
+	EditionDev = Dev
+	// EditionRolling indicates the rolling release build channel was used to build the binary.
+	EditionRolling = "rolling"
+	// EditionStable indicates the stable release build channel was used to build the binary.
+	EditionStable = "stable"
+	// EditionLTS indicates the lts release build channel was used to build the binary.
+	EditionLTS = "lts"
 )

 var (
@@ -16,22 +34,64 @@ var (
 	// LatestTag is the latest released version plus the dev meta version.
 	// Will be overwritten by the release pipeline
 	// Needs a manual change for every tagged release
-	LatestTag = "3.7.0+dev"
+	LatestTag = "4.0.0-rc.3+dev"

 	// Date indicates the build date.
 	// This has been removed, it looks like you can only replace static strings with recent go versions
 	//Date = time.Now().Format("20060102")
-	Date = "dev"
+	Date = Dev

 	// Legacy defines the old long 4 number OpenCloud version needed for some clients
 	Legacy = "0.1.0.0"
 	// LegacyString defines the old OpenCloud version needed for some clients
 	LegacyString = "0.1.0"
+
+	// Edition describes the build channel (stable, rolling, nightly, daily, dev)
+	Edition = Dev // default for self-compiled builds
 )

+func init() { //nolint:gochecknoinits
+	if err := initEdition(); err != nil {
+		logger.New().Error().Err(err).Msg("falling back to dev")
+	}
+}
+
+func initEdition() error {
+	regularEditions := []string{EditionDev, EditionRolling, EditionStable}
+	versionedEditions := []string{EditionLTS}
+	if !slices.ContainsFunc(slices.Concat(regularEditions, versionedEditions), func(s string) bool {
+		isRegularEdition := slices.Contains(regularEditions, Edition)
+		if isRegularEdition && s == Edition {
+			return true
+		}
+
+		// handle editions with a version
+		editionParts := strings.Split(Edition, "-")
+		if len(editionParts) != 2 { // a versioned edition channel must consist of exactly 2 parts.
+			return false
+		}
+
+		isVersionedEdition := slices.Contains(versionedEditions, editionParts[0])
+		if !isVersionedEdition { // not all channels can contain version information
+			return false
+		}
+
+		_, err := semver.NewVersion(editionParts[1])
+		return err == nil
+	}) {
+		defer func() {
+			Edition = Dev
+		}()
+
+		return fmt.Errorf(`unknown edition channel '%s'`, Edition)
+	}
+
+	return nil
+}
+
 // Compiled returns the compile time of this service.
 func Compiled() time.Time {
-	if Date == "dev" {
+	if Date == Dev {
 		return time.Now()
 	}
 	t, _ := time.Parse("20060102", Date)
--- a/pkg/version/version_test.go
+++ b/pkg/version/version_test.go
@@ -0,0 +1,68 @@
+package version_test
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/opencloud-eu/opencloud/pkg/version"
+)
+
+func TestChannel(t *testing.T) {
+	tests := map[string]struct {
+		got   string
+		valid bool
+	}{
+		"no channel, defaults to dev": {
+			got:   "",
+			valid: false,
+		},
+		"dev channel": {
+			got:   version.EditionDev,
+			valid: true,
+		},
+		"rolling channel": {
+			got:   version.EditionRolling,
+			valid: true,
+		},
+		"stable channel": {
+			got:   version.EditionStable,
+			valid: true,
+		},
+		"lts channel without version": {
+			got:   version.EditionLTS,
+			valid: false,
+		},
+		"lts-1.0.0 channel": {
+			got:   fmt.Sprintf("%s-1", version.EditionLTS),
+			valid: true,
+		},
+		"lts-one invalid version": {
+			got:   fmt.Sprintf("%s-one", version.EditionLTS),
+			valid: false,
+		},
+		"known channel with version": {
+			got:   fmt.Sprintf("%s-1", version.EditionStable),
+			valid: false,
+		},
+		"unknown channel": {
+			got:   "foo",
+			valid: false,
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			version.Edition = test.got
+
+			switch err := version.InitEdition(); {
+			case err != nil && !test.valid && version.Edition != version.Dev: // if a given edition is unknown, the value is always dev
+				fallthrough
+			case test.valid != (err == nil):
+				t.Fatalf("invalid edition: %s", version.Edition)
+			case !test.valid && !strings.Contains(err.Error(), "'"+test.got+"'"):
+				t.Fatalf("no mention of invalid edition '%s' in error: %s", test.got, err.Error())
+			}
+		})
+	}
+}
--- a/services/activitylog/cmd/activitylog/main.go
+++ b/services/activitylog/cmd/activitylog/main.go
@@ -1,19 +0,0 @@
-package main
-
-import (
-	"context"
-	"os"
-	"os/signal"
-	"syscall"
-
-	"github.com/opencloud-eu/opencloud/services/activitylog/pkg/command"
-	"github.com/opencloud-eu/opencloud/services/activitylog/pkg/config/defaults"
-)
-
-func main() {
-	cfg := defaults.DefaultConfig()
-	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
-	if err := command.Execute(cfg); err != nil {
-		os.Exit(1)
-	}
-}
--- a/services/activitylog/pkg/command/health.go
+++ b/services/activitylog/pkg/command/health.go
@@ -2,16 +2,16 @@ package command

 import (
 	"github.com/opencloud-eu/opencloud/services/activitylog/pkg/config"
-	"github.com/urfave/cli/v2"
+	"github.com/spf13/cobra"
 )

 // Health is the entrypoint for the health command.
-func Health(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:  "health",
-		Usage: "Check health status",
-		Action: func(c *cli.Context) error {
-			// Not implemented
+func Health(cfg *config.Config) *cobra.Command {
+	return &cobra.Command{
+		Use:   "health",
+		Short: "Check health status",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			// not implemented
 			return nil
 		},
 	}
--- a/services/activitylog/pkg/command/root.go
+++ b/services/activitylog/pkg/command/root.go
@@ -5,12 +5,12 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/clihelper"
 	"github.com/opencloud-eu/opencloud/services/activitylog/pkg/config"
-	"github.com/urfave/cli/v2"
+	"github.com/spf13/cobra"
 )

 // GetCommands provides all commands for this service
-func GetCommands(cfg *config.Config) cli.Commands {
-	return []*cli.Command{
+func GetCommands(cfg *config.Config) []*cobra.Command {
+	return []*cobra.Command{
 		// start this service
 		Server(cfg),

@@ -24,11 +24,11 @@ func GetCommands(cfg *config.Config) cli.Commands {

 // Execute is the entry point for the activitylog command.
 func Execute(cfg *config.Config) error {
-	app := clihelper.DefaultApp(&cli.App{
-		Name:     "activitylog",
-		Usage:    "starts activitylog service",
-		Commands: GetCommands(cfg),
+	app := clihelper.DefaultApp(&cobra.Command{
+		Use:   "activitylog",
+		Short: "starts activitylog service",
 	})
-
-	return app.RunContext(cfg.Context, os.Args)
+	app.AddCommand(GetCommands(cfg)...)
+	app.SetArgs(os.Args[1:])
+	return app.ExecuteContext(cfg.Context)
 }
--- a/services/activitylog/pkg/command/server.go
+++ b/services/activitylog/pkg/command/server.go
@@ -9,7 +9,7 @@ import (
 	"github.com/opencloud-eu/reva/v2/pkg/events/stream"
 	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
 	"github.com/opencloud-eu/reva/v2/pkg/store"
-	"github.com/urfave/cli/v2"
+	"github.com/spf13/cobra"
 	microstore "go-micro.dev/v4/store"

 	"github.com/opencloud-eu/opencloud/pkg/config/configlog"
@@ -47,24 +47,23 @@ var _registeredEvents = []events.Unmarshaller{
 }

 // Server is the entrypoint for the server command.
-func Server(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:     "server",
-		Usage:    fmt.Sprintf("start the %s service without runtime (unsupervised mode)", cfg.Service.Name),
-		Category: "server",
-		Before: func(c *cli.Context) error {
+func Server(cfg *config.Config) *cobra.Command {
+	return &cobra.Command{
+		Use:   "server",
+		Short: fmt.Sprintf("start the %s service without runtime (unsupervised mode)", cfg.Service.Name),
+		PreRunE: func(cmd *cobra.Command, args []string) error {
 			return configlog.ReturnFatal(parser.ParseConfig(cfg))
 		},
-		Action: func(c *cli.Context) error {
+		RunE: func(cmd *cobra.Command, args []string) error {
 			logger := logging.Configure(cfg.Service.Name, cfg.Log)
-			tracerProvider, err := tracing.GetServiceTraceProvider(cfg.Tracing, cfg.Service.Name)
+			tracerProvider, err := tracing.GetTraceProvider(cmd.Context(), cfg.Commons.TracesExporter, cfg.Service.Name)
 			if err != nil {
 				logger.Error().Err(err).Msg("Failed to initialize tracer")
 				return err
 			}

 			gr := run.Group{}
-			ctx, cancel := context.WithCancel(c.Context)
+			ctx, cancel := context.WithCancel(cmd.Context())

 			mtrcs := metrics.New()
 			mtrcs.BuildInfo.WithLabelValues(version.GetString()).Set(1)
--- a/services/activitylog/pkg/command/version.go
+++ b/services/activitylog/pkg/command/version.go
@@ -2,16 +2,15 @@ package command

 import (
 	"github.com/opencloud-eu/opencloud/services/activitylog/pkg/config"
-	"github.com/urfave/cli/v2"
+	"github.com/spf13/cobra"
 )

 // Version prints the service versions of all running instances.
-func Version(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:     "version",
-		Usage:    "print the version of this binary and the running service instances",
-		Category: "info",
-		Action: func(c *cli.Context) error {
+func Version(cfg *config.Config) *cobra.Command {
+	return &cobra.Command{
+		Use:   "version",
+		Short: "Print the version of this binary and the running service instances",
+		RunE: func(cmd *cobra.Command, args []string) error {
 			// not implemented
 			return nil
 		},
--- a/services/activitylog/pkg/config/config.go
+++ b/services/activitylog/pkg/config/config.go
@@ -13,9 +13,8 @@ type Config struct {

 	Service Service `yaml:"-"`

-	Tracing *Tracing `yaml:"tracing"`
-	Log     *Log     `yaml:"log"`
-	Debug   Debug    `yaml:"debug"`
+	Log   *Log  `yaml:"log"`
+	Debug Debug `yaml:"debug"`

 	Events Events `yaml:"events"`
 	Store  Store  `yaml:"store"`
@@ -33,15 +32,15 @@ type Config struct {

 	Context context.Context `yaml:"-"`

-	WriteBufferDuration time.Duration `yaml:"write_buffer_duration" env:"ACTIVITYLOG_WRITE_BUFFER_DURATION" desc:"The duration to wait before flushing the write buffer. This is used to reduce the number of writes to the store." introductionVersion:"%%NEXT%%"`
-	MaxActivities       int           `yaml:"max_activities" env:"ACTIVITYLOG_MAX_ACTIVITIES" desc:"The maximum number of activities to keep in the store per resource. If the number of activities exceeds this value, the oldest activities will be removed." introductionVersion:"%%NEXT%%"`
+	WriteBufferDuration time.Duration `yaml:"write_buffer_duration" env:"ACTIVITYLOG_WRITE_BUFFER_DURATION" desc:"The duration to wait before flushing the write buffer. This is used to reduce the number of writes to the store." introductionVersion:"4.0.0"`
+	MaxActivities       int           `yaml:"max_activities" env:"ACTIVITYLOG_MAX_ACTIVITIES" desc:"The maximum number of activities to keep in the store per resource. If the number of activities exceeds this value, the oldest activities will be removed." introductionVersion:"4.0.0"`
 }

 // Events combines the configuration options for the event bus.
 type Events struct {
 	Endpoint             string `yaml:"endpoint" env:"OC_EVENTS_ENDPOINT" desc:"The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture." introductionVersion:"1.0.0"`
 	Cluster              string `yaml:"cluster" env:"OC_EVENTS_CLUSTER" desc:"The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system." introductionVersion:"1.0.0"`
-	TLSInsecure          bool   `yaml:"tls_insecure" env:"OC_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"1.0.0"`
+	TLSInsecure          bool   `yaml:"tls_insecure" env:"OC_INSECURE;OC_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"1.0.0"`
 	TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false." introductionVersion:"1.0.0"`
 	EnableTLS            bool   `yaml:"enable_tls" env:"OC_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services." introductionVersion:"1.0.0"`
 	AuthUsername         string `yaml:"username" env:"OC_EVENTS_AUTH_USERNAME" desc:"The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services." introductionVersion:"1.0.0"`
--- a/services/activitylog/pkg/config/defaults/defaultconfig.go
+++ b/services/activitylog/pkg/config/defaults/defaultconfig.go
@@ -86,19 +86,6 @@ func EnsureDefaults(cfg *config.Config) {
 	if cfg.Commons != nil {
 		cfg.HTTP.TLS = cfg.Commons.HTTPServiceTLS
 	}
-
-	// provide with defaults for shared tracing, since we need a valid destination address for "envdecode".
-	if cfg.Tracing == nil && cfg.Commons != nil && cfg.Commons.Tracing != nil {
-		cfg.Tracing = &config.Tracing{
-			Enabled:   cfg.Commons.Tracing.Enabled,
-			Type:      cfg.Commons.Tracing.Type,
-			Endpoint:  cfg.Commons.Tracing.Endpoint,
-			Collector: cfg.Commons.Tracing.Collector,
-		}
-	} else if cfg.Tracing == nil {
-		cfg.Tracing = &config.Tracing{}
-	}
-
 }

 // Sanitize sanitizes the config
--- a/services/activitylog/pkg/config/tracing.go
+++ b/services/activitylog/pkg/config/tracing.go
@@ -1,21 +0,0 @@
-package config
-
-import "github.com/opencloud-eu/opencloud/pkg/tracing"
-
-// Tracing defines the available tracing configuration.
-type Tracing struct {
-	Enabled   bool   `yaml:"enabled" env:"OC_TRACING_ENABLED;ACTIVITYLOG_TRACING_ENABLED" desc:"Activates tracing." introductionVersion:"1.0.0"`
-	Type      string `yaml:"type" env:"OC_TRACING_TYPE;ACTIVITYLOG_TRACING_TYPE" desc:"The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now." introductionVersion:"1.0.0"`
-	Endpoint  string `yaml:"endpoint" env:"OC_TRACING_ENDPOINT;ACTIVITYLOG_TRACING_ENDPOINT" desc:"The endpoint of the tracing agent." introductionVersion:"1.0.0"`
-	Collector string `yaml:"collector" env:"OC_TRACING_COLLECTOR;ACTIVITYLOG_TRACING_COLLECTOR" desc:"The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset." introductionVersion:"1.0.0"`
-}
-
-// Convert Tracing to the tracing package's Config struct.
-func (t Tracing) Convert() tracing.Config {
-	return tracing.Config{
-		Enabled:   t.Enabled,
-		Type:      t.Type,
-		Endpoint:  t.Endpoint,
-		Collector: t.Collector,
-	}
-}
--- a/services/activitylog/pkg/server/http/option.go
+++ b/services/activitylog/pkg/server/http/option.go
@@ -11,7 +11,8 @@ import (
 	"github.com/opencloud-eu/opencloud/services/activitylog/pkg/metrics"
 	"github.com/opencloud-eu/reva/v2/pkg/events"
 	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
-	"github.com/urfave/cli/v2"
+
+	"github.com/spf13/pflag"
 	"go-micro.dev/v4/store"
 	"go.opentelemetry.io/otel/trace"
 )
@@ -25,7 +26,7 @@ type Options struct {
 	Context          context.Context
 	Config           *config.Config
 	Metrics          *metrics.Metrics
-	Flags            []cli.Flag
+	Flags            []pflag.Flag
 	Namespace        string
 	Store            store.Store
 	Stream           events.Stream
@@ -76,9 +77,9 @@ func Metrics(val *metrics.Metrics) Option {
 }

 // Flags provides a function to set the flags option.
-func Flags(val []cli.Flag) Option {
+func Flags(flags ...pflag.Flag) Option {
 	return func(o *Options) {
-		o.Flags = append(o.Flags, val...)
+		o.Flags = append(o.Flags, flags...)
 	}
 }

--- a/services/activitylog/pkg/service/l10n/locale/ca/LC_MESSAGES/activitylog.po
+++ b/services/activitylog/pkg/service/l10n/locale/ca/LC_MESSAGES/activitylog.po
@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-10-20 00:01+0000\n"
+"POT-Creation-Date: 2025-12-20 00:05+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Ivan Fustero, 2025\n"
 "Language-Team: Catalan (https://app.transifex.com/opencloud-eu/teams/204053/ca/)\n"
--- a/services/activitylog/pkg/service/l10n/locale/de/LC_MESSAGES/activitylog.po
+++ b/services/activitylog/pkg/service/l10n/locale/de/LC_MESSAGES/activitylog.po
@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-10-20 00:01+0000\n"
+"POT-Creation-Date: 2025-12-20 00:05+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Jörn Friedrich Dreyer <jfd@butonic.de>, 2025\n"
 "Language-Team: German (https://app.transifex.com/opencloud-eu/teams/204053/de/)\n"
--- a/services/activitylog/pkg/service/l10n/locale/es/LC_MESSAGES/activitylog.po
+++ b/services/activitylog/pkg/service/l10n/locale/es/LC_MESSAGES/activitylog.po
@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-10-20 00:01+0000\n"
+"POT-Creation-Date: 2025-12-20 00:05+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Elías Martín, 2025\n"
 "Language-Team: Spanish (https://app.transifex.com/opencloud-eu/teams/204053/es/)\n"
--- a/services/activitylog/pkg/service/l10n/locale/fi/LC_MESSAGES/activitylog.po
+++ b/services/activitylog/pkg/service/l10n/locale/fi/LC_MESSAGES/activitylog.po
@@ -0,0 +1,103 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+# 
+# Translators:
+# Jiri Grönroos <jiri.gronroos@iki.fi>, 2025
+# 
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: \n"
+"Report-Msgid-Bugs-To: EMAIL\n"
+"POT-Creation-Date: 2025-12-16 00:02+0000\n"
+"PO-Revision-Date: 2025-01-27 10:17+0000\n"
+"Last-Translator: Jiri Grönroos <jiri.gronroos@iki.fi>, 2025\n"
+"Language-Team: Finnish (https://app.transifex.com/opencloud-eu/teams/204053/fi/)\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Language: fi\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#: pkg/service/response.go:44
+msgid "description"
+msgstr "kuvaus"
+
+#: pkg/service/response.go:43
+msgid "display name"
+msgstr "näyttönimi"
+
+#: pkg/service/response.go:42
+msgid "expiration date"
+msgstr "vanhenemispäivä"
+
+#: pkg/service/response.go:41
+msgid "password"
+msgstr "salasana"
+
+#: pkg/service/response.go:40
+msgid "permission"
+msgstr "käyttöoikeus"
+
+#: pkg/service/response.go:39
+msgid "some field"
+msgstr "jokin kieltä"
+
+#: pkg/service/response.go:26
+msgid "{resource} was downloaded via public link {token}"
+msgstr "{resource} ladattiin julkisen linkin {token} kautta"
+
+#: pkg/service/response.go:24
+msgid "{user} added {resource} to {folder}"
+msgstr "{user} lisäsi {resource} kansioon {folder}"
+
+#: pkg/service/response.go:36
+msgid "{user} added {sharee} as member of {space}"
+msgstr "{user} lisäsi {sharee} jäseneksi avaruuteen {space}"
+
+#: pkg/service/response.go:27
+msgid "{user} deleted {resource} from {folder}"
+msgstr "{user} poisti {resource} kansiosta {folder}"
+
+#: pkg/service/response.go:28
+msgid "{user} moved {resource} to {folder}"
+msgstr "{user} siirsi {resource} kansioon {folder}"
+
+#: pkg/service/response.go:35
+msgid "{user} removed link to {resource}"
+msgstr "{user} poisti linkin resurssiin {resource}"
+
+#: pkg/service/response.go:32
+msgid "{user} removed {sharee} from {resource}"
+msgstr "{user} poisti {sharee} resurssista {resource}"
+
+#: pkg/service/response.go:37
+msgid "{user} removed {sharee} from {space}"
+msgstr "{user} poisti {sharee} avaruudesta {space}"
+
+#: pkg/service/response.go:29
+msgid "{user} renamed {oldResource} to {resource}"
+msgstr "{user} muutti kohteen {oldResource} uudeksi nimeksi {resource}"
+
+#: pkg/service/response.go:33
+msgid "{user} shared {resource} via link"
+msgstr "{user} jakoi {resource} linkin kautta"
+
+#: pkg/service/response.go:30
+msgid "{user} shared {resource} with {sharee}"
+msgstr "{user} jakoi {resource} käyttäjän {sharee} kanssa"
+
+#: pkg/service/response.go:34
+msgid "{user} updated {field} for a link {token} on {resource}"
+msgstr ""
+"{user} päivitti kentän {field} linkkiin {token} resurssissa {resource}"
+
+#: pkg/service/response.go:31
+msgid "{user} updated {field} for the {resource}"
+msgstr "{user} päivitti kentän {field} resurssille {resource}"
+
+#: pkg/service/response.go:25
+msgid "{user} updated {resource} in {folder}"
+msgstr "{user} päivitti {resource} kansiossa {folder}"
--- a/services/activitylog/pkg/service/l10n/locale/fr/LC_MESSAGES/activitylog.po
+++ b/services/activitylog/pkg/service/l10n/locale/fr/LC_MESSAGES/activitylog.po
@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-10-20 00:01+0000\n"
+"POT-Creation-Date: 2025-12-20 00:05+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: eric_G <junk.eg@free.fr>, 2025\n"
 "Language-Team: French (https://app.transifex.com/opencloud-eu/teams/204053/fr/)\n"
--- a/services/activitylog/pkg/service/l10n/locale/it/LC_MESSAGES/activitylog.po
+++ b/services/activitylog/pkg/service/l10n/locale/it/LC_MESSAGES/activitylog.po
@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-10-20 00:01+0000\n"
+"POT-Creation-Date: 2025-12-20 00:05+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Simone Broglia, 2025\n"
 "Language-Team: Italian (https://app.transifex.com/opencloud-eu/teams/204053/it/)\n"
--- a/services/activitylog/pkg/service/l10n/locale/ja/LC_MESSAGES/activitylog.po
+++ b/services/activitylog/pkg/service/l10n/locale/ja/LC_MESSAGES/activitylog.po
@@ -0,0 +1,102 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+# 
+# Translators:
+# ii kaka, 2025
+# 
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: \n"
+"Report-Msgid-Bugs-To: EMAIL\n"
+"POT-Creation-Date: 2025-12-18 00:04+0000\n"
+"PO-Revision-Date: 2025-01-27 10:17+0000\n"
+"Last-Translator: ii kaka, 2025\n"
+"Language-Team: Japanese (https://app.transifex.com/opencloud-eu/teams/204053/ja/)\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Language: ja\n"
+"Plural-Forms: nplurals=1; plural=0;\n"
+
+#: pkg/service/response.go:44
+msgid "description"
+msgstr "詳細"
+
+#: pkg/service/response.go:43
+msgid "display name"
+msgstr "表示名"
+
+#: pkg/service/response.go:42
+msgid "expiration date"
+msgstr "有効期限"
+
+#: pkg/service/response.go:41
+msgid "password"
+msgstr "パスワード"
+
+#: pkg/service/response.go:40
+msgid "permission"
+msgstr "権限"
+
+#: pkg/service/response.go:39
+msgid "some field"
+msgstr "特定の項目"
+
+#: pkg/service/response.go:26
+msgid "{resource} was downloaded via public link {token}"
+msgstr "{resource} が公開リンク {token}  経由でダウンロードされました"
+
+#: pkg/service/response.go:24
+msgid "{user} added {resource} to {folder}"
+msgstr "{user} が %{resource} を {folder} に追加しました"
+
+#: pkg/service/response.go:36
+msgid "{user} added {sharee} as member of {space}"
+msgstr "{user} が  {sharee} を {space} のメンバーに追加しました"
+
+#: pkg/service/response.go:27
+msgid "{user} deleted {resource} from {folder}"
+msgstr "{user} が {folder} から {resource} を削除しました"
+
+#: pkg/service/response.go:28
+msgid "{user} moved {resource} to {folder}"
+msgstr "{user} が {resource} を {folder} に移動しました"
+
+#: pkg/service/response.go:35
+msgid "{user} removed link to {resource}"
+msgstr "{user} が {resource} へのリンクを解除しました"
+
+#: pkg/service/response.go:32
+msgid "{user} removed {sharee} from {resource}"
+msgstr "{user} が {resource} の共有から {sharee} を削除しました"
+
+#: pkg/service/response.go:37
+msgid "{user} removed {sharee} from {space}"
+msgstr "{user} が {space} の共有から {sharee} を削除しました"
+
+#: pkg/service/response.go:29
+msgid "{user} renamed {oldResource} to {resource}"
+msgstr "{user} が {oldResource} の名前を {resource} に変更しました"
+
+#: pkg/service/response.go:33
+msgid "{user} shared {resource} via link"
+msgstr "{user} がリンク経由で {resource} を共有しました"
+
+#: pkg/service/response.go:30
+msgid "{user} shared {resource} with {sharee}"
+msgstr "{user} が {resource} を {sharee} と共有しました"
+
+#: pkg/service/response.go:34
+msgid "{user} updated {field} for a link {token} on {resource}"
+msgstr "{user} が {resource} のリンク {token}の {field} を更新しました"
+
+#: pkg/service/response.go:31
+msgid "{user} updated {field} for the {resource}"
+msgstr "{user} が {resource} の {field} を更新しました"
+
+#: pkg/service/response.go:25
+msgid "{user} updated {resource} in {folder}"
+msgstr "{user} が {folder} 内の {resource} を更新しました"
--- a/services/activitylog/pkg/service/l10n/locale/ko/LC_MESSAGES/activitylog.po
+++ b/services/activitylog/pkg/service/l10n/locale/ko/LC_MESSAGES/activitylog.po
@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-10-20 00:01+0000\n"
+"POT-Creation-Date: 2025-12-20 00:05+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Junghyuk Kwon <kwon@junghy.uk>, 2025\n"
 "Language-Team: Korean (https://app.transifex.com/opencloud-eu/teams/204053/ko/)\n"
--- a/services/activitylog/pkg/service/l10n/locale/nl/LC_MESSAGES/activitylog.po
+++ b/services/activitylog/pkg/service/l10n/locale/nl/LC_MESSAGES/activitylog.po
@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-10-23 00:01+0000\n"
+"POT-Creation-Date: 2025-12-23 00:05+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Stephan Paternotte <stephan@paternottes.net>, 2025\n"
 "Language-Team: Dutch (https://app.transifex.com/opencloud-eu/teams/204053/nl/)\n"
--- a/services/activitylog/pkg/service/l10n/locale/pt/LC_MESSAGES/activitylog.po
+++ b/services/activitylog/pkg/service/l10n/locale/pt/LC_MESSAGES/activitylog.po
@@ -0,0 +1,102 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+# 
+# Translators:
+# Mário Machado, 2025
+# 
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: \n"
+"Report-Msgid-Bugs-To: EMAIL\n"
+"POT-Creation-Date: 2025-12-13 00:02+0000\n"
+"PO-Revision-Date: 2025-01-27 10:17+0000\n"
+"Last-Translator: Mário Machado, 2025\n"
+"Language-Team: Portuguese (https://app.transifex.com/opencloud-eu/teams/204053/pt/)\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Language: pt\n"
+"Plural-Forms: nplurals=3; plural=(n == 0 || n == 1) ? 0 : n != 0 && n % 1000000 == 0 ? 1 : 2;\n"
+
+#: pkg/service/response.go:44
+msgid "description"
+msgstr "descrição"
+
+#: pkg/service/response.go:43
+msgid "display name"
+msgstr "nome de exibição"
+
+#: pkg/service/response.go:42
+msgid "expiration date"
+msgstr "data de expiração"
+
+#: pkg/service/response.go:41
+msgid "password"
+msgstr "palavra-passe"
+
+#: pkg/service/response.go:40
+msgid "permission"
+msgstr "permissão"
+
+#: pkg/service/response.go:39
+msgid "some field"
+msgstr "algum campo"
+
+#: pkg/service/response.go:26
+msgid "{resource} was downloaded via public link {token}"
+msgstr "{resource} foi descarregado através da ligação pública {token}"
+
+#: pkg/service/response.go:24
+msgid "{user} added {resource} to {folder}"
+msgstr "{user} adicionou {resource} a {folder}"
+
+#: pkg/service/response.go:36
+msgid "{user} added {sharee} as member of {space}"
+msgstr "{user} adicionou {sharee} como membro de {space}"
+
+#: pkg/service/response.go:27
+msgid "{user} deleted {resource} from {folder}"
+msgstr "{user} eliminou {resource} de {folder}"
+
+#: pkg/service/response.go:28
+msgid "{user} moved {resource} to {folder}"
+msgstr "{user} moveu {resource} para {folder}"
+
+#: pkg/service/response.go:35
+msgid "{user} removed link to {resource}"
+msgstr "{user} removeu a ligação para {resource}"
+
+#: pkg/service/response.go:32
+msgid "{user} removed {sharee} from {resource}"
+msgstr "{user} removeu {sharee} de {resource}"
+
+#: pkg/service/response.go:37
+msgid "{user} removed {sharee} from {space}"
+msgstr "{user} removeu {sharee} de {space}"
+
+#: pkg/service/response.go:29
+msgid "{user} renamed {oldResource} to {resource}"
+msgstr "{user} renomeou {oldResource} para {resource}"
+
+#: pkg/service/response.go:33
+msgid "{user} shared {resource} via link"
+msgstr "{user} partilhou {resource} via ligação"
+
+#: pkg/service/response.go:30
+msgid "{user} shared {resource} with {sharee}"
+msgstr "{user} partilhou {resource} com {sharee}"
+
+#: pkg/service/response.go:34
+msgid "{user} updated {field} for a link {token} on {resource}"
+msgstr "{user} atualizou {field} para a ligação {token} em {resource}"
+
+#: pkg/service/response.go:31
+msgid "{user} updated {field} for the {resource}"
+msgstr "{user} atualizou {field} para o {resource}"
+
+#: pkg/service/response.go:25
+msgid "{user} updated {resource} in {folder}"
+msgstr "{user} atualizou {resource} em {folder}"
--- a/services/activitylog/pkg/service/l10n/locale/ru/LC_MESSAGES/activitylog.po
+++ b/services/activitylog/pkg/service/l10n/locale/ru/LC_MESSAGES/activitylog.po
@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-10-23 00:01+0000\n"
+"POT-Creation-Date: 2025-12-23 00:05+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Lulufox, 2025\n"
 "Language-Team: Russian (https://app.transifex.com/opencloud-eu/teams/204053/ru/)\n"
--- a/services/activitylog/pkg/service/l10n/locale/sv/LC_MESSAGES/activitylog.po
+++ b/services/activitylog/pkg/service/l10n/locale/sv/LC_MESSAGES/activitylog.po
@@ -0,0 +1,102 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+# 
+# Translators:
+# Daniel Nylander <po@danielnylander.se>, 2025
+# 
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: \n"
+"Report-Msgid-Bugs-To: EMAIL\n"
+"POT-Creation-Date: 2025-12-19 00:05+0000\n"
+"PO-Revision-Date: 2025-01-27 10:17+0000\n"
+"Last-Translator: Daniel Nylander <po@danielnylander.se>, 2025\n"
+"Language-Team: Swedish (https://app.transifex.com/opencloud-eu/teams/204053/sv/)\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Language: sv\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#: pkg/service/response.go:44
+msgid "description"
+msgstr "beskrivning"
+
+#: pkg/service/response.go:43
+msgid "display name"
+msgstr "visningsnamn"
+
+#: pkg/service/response.go:42
+msgid "expiration date"
+msgstr "utgångsdatum"
+
+#: pkg/service/response.go:41
+msgid "password"
+msgstr "lösenord"
+
+#: pkg/service/response.go:40
+msgid "permission"
+msgstr "behörighet"
+
+#: pkg/service/response.go:39
+msgid "some field"
+msgstr "något fält"
+
+#: pkg/service/response.go:26
+msgid "{resource} was downloaded via public link {token}"
+msgstr "{resource} hämtades via en offentlig länk {token}"
+
+#: pkg/service/response.go:24
+msgid "{user} added {resource} to {folder}"
+msgstr "{user} lade till {resource} till {folder}"
+
+#: pkg/service/response.go:36
+msgid "{user} added {sharee} as member of {space}"
+msgstr "{user} lade till {sharee} som medlem av {space}"
+
+#: pkg/service/response.go:27
+msgid "{user} deleted {resource} from {folder}"
+msgstr "{user} raderade {resource} från {folder}"
+
+#: pkg/service/response.go:28
+msgid "{user} moved {resource} to {folder}"
+msgstr "{user} flyttade {resource} till {folder}"
+
+#: pkg/service/response.go:35
+msgid "{user} removed link to {resource}"
+msgstr "{user} tog bort länk till {resource}"
+
+#: pkg/service/response.go:32
+msgid "{user} removed {sharee} from {resource}"
+msgstr "{user} tog bort {sharee} från {resource}"
+
+#: pkg/service/response.go:37
+msgid "{user} removed {sharee} from {space}"
+msgstr "{user} tog bort {sharee} från {space}"
+
+#: pkg/service/response.go:29
+msgid "{user} renamed {oldResource} to {resource}"
+msgstr "{user} döpte om {oldResource} till {resource}"
+
+#: pkg/service/response.go:33
+msgid "{user} shared {resource} via link"
+msgstr "{user} delade {resource} via länk"
+
+#: pkg/service/response.go:30
+msgid "{user} shared {resource} with {sharee}"
+msgstr "{user} delade {resource} med {sharee}"
+
+#: pkg/service/response.go:34
+msgid "{user} updated {field} for a link {token} on {resource}"
+msgstr "{user} uppdaterade {field} för en länk {token} på {resource}"
+
+#: pkg/service/response.go:31
+msgid "{user} updated {field} for the {resource}"
+msgstr "{user} uppdaterade {field} för {resource}"
+
+#: pkg/service/response.go:25
+msgid "{user} updated {resource} in {folder}"
+msgstr "{user} uppdaterade {resource} i {folder}"
--- a/services/activitylog/pkg/service/l10n/locale/vi/LC_MESSAGES/activitylog.po
+++ b/services/activitylog/pkg/service/l10n/locale/vi/LC_MESSAGES/activitylog.po
@@ -0,0 +1,102 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+# 
+# Translators:
+# Quan Tran, 2025
+# 
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: \n"
+"Report-Msgid-Bugs-To: EMAIL\n"
+"POT-Creation-Date: 2025-12-17 00:03+0000\n"
+"PO-Revision-Date: 2025-01-27 10:17+0000\n"
+"Last-Translator: Quan Tran, 2025\n"
+"Language-Team: Vietnamese (https://app.transifex.com/opencloud-eu/teams/204053/vi/)\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Language: vi\n"
+"Plural-Forms: nplurals=1; plural=0;\n"
+
+#: pkg/service/response.go:44
+msgid "description"
+msgstr "mô tả"
+
+#: pkg/service/response.go:43
+msgid "display name"
+msgstr "tên hiển thị"
+
+#: pkg/service/response.go:42
+msgid "expiration date"
+msgstr "ngày hết hạn"
+
+#: pkg/service/response.go:41
+msgid "password"
+msgstr "mật khẩu"
+
+#: pkg/service/response.go:40
+msgid "permission"
+msgstr "quyền"
+
+#: pkg/service/response.go:39
+msgid "some field"
+msgstr "một số trường"
+
+#: pkg/service/response.go:26
+msgid "{resource} was downloaded via public link {token}"
+msgstr "{resource} được tải xuống qua đường dẫn công khai {token}"
+
+#: pkg/service/response.go:24
+msgid "{user} added {resource} to {folder}"
+msgstr "{user} thêm {resource} vào {folder}"
+
+#: pkg/service/response.go:36
+msgid "{user} added {sharee} as member of {space}"
+msgstr "{user} thêm {sharee} vào {space}"
+
+#: pkg/service/response.go:27
+msgid "{user} deleted {resource} from {folder}"
+msgstr "{user} xóa {resource} khỏi {folder}"
+
+#: pkg/service/response.go:28
+msgid "{user} moved {resource} to {folder}"
+msgstr "{user} chuyển{resource} đến {folder}"
+
+#: pkg/service/response.go:35
+msgid "{user} removed link to {resource}"
+msgstr "{user} xóa đường liên kết tới {resource}"
+
+#: pkg/service/response.go:32
+msgid "{user} removed {sharee} from {resource}"
+msgstr "{user} xóa {sharee} khỏi {resource}"
+
+#: pkg/service/response.go:37
+msgid "{user} removed {sharee} from {space}"
+msgstr "{user} xóa {sharee} khỏi {space}"
+
+#: pkg/service/response.go:29
+msgid "{user} renamed {oldResource} to {resource}"
+msgstr "{user} đổi tên {oldResource} thành {resource}"
+
+#: pkg/service/response.go:33
+msgid "{user} shared {resource} via link"
+msgstr "{user} chia sẻ {resource} qua đường liên kết"
+
+#: pkg/service/response.go:30
+msgid "{user} shared {resource} with {sharee}"
+msgstr "{user} chia sẻ {resource} với {sharee}"
+
+#: pkg/service/response.go:34
+msgid "{user} updated {field} for a link {token} on {resource}"
+msgstr "{user} cập nhật {field}  của đường liên kết {token} đến {resource}"
+
+#: pkg/service/response.go:31
+msgid "{user} updated {field} for the {resource}"
+msgstr "{user} cập nhật {field} của {resource}"
+
+#: pkg/service/response.go:25
+msgid "{user} updated {resource} in {folder}"
+msgstr "{user} cập nhật {resource} trong {folder}"
--- a/services/activitylog/pkg/service/l10n/locale/zh/LC_MESSAGES/activitylog.po
+++ b/services/activitylog/pkg/service/l10n/locale/zh/LC_MESSAGES/activitylog.po
@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-10-20 00:01+0000\n"
+"POT-Creation-Date: 2025-12-20 00:05+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: YQS Yang, 2025\n"
 "Language-Team: Chinese (https://app.transifex.com/opencloud-eu/teams/204053/zh/)\n"
--- a/services/antivirus/README.md
+++ b/services/antivirus/README.md
@@ -36,13 +36,13 @@ Several factors can make it necessary to limit the maximum filesize the antiviru
 Use the `ANTIVIRUS_MAX_SCAN_SIZE` environment variable to scan only a given number of bytes,
 or to skip the whole resource.

-Even if it's recommended to scan the whole file, several factors like scanner type and version,
+Even if it is recommended to scan the whole file, several factors like scanner type and version,
 bandwidth, performance issues, etc. might make a limit necessary.

-In such cases, the antivirus the max scan size mode can be handy, the following modes are available:
+In such cases, the antivirus max scan size mode can be handy, the following modes are available:

-  -   `partial`: The file is scanned up to the given size. The rest of the file is not scanned. This is the default mode `ANTIVIRUS_MAX_SCAN_SIZE=partial`
-  -   `skip`: The file is skipped and not scanned. `ANTIVIRUS_MAX_SCAN_SIZE=skip`
+  -   `partial`: The file is scanned up to the given size. The rest of the file is not scanned. This is the default mode `ANTIVIRUS_MAX_SCAN_SIZE_MODE=partial`
+  -   `skip`: The file is skipped and not scanned. `ANTIVIRUS_MAX_SCAN_SIZE_MODE=skip`

 **IMPORTANT**
 > Streaming of files to the virus scan service still [needs to be implemented](https://github.com/owncloud/ocis/issues/6803).
--- a/services/antivirus/cmd/antivirus/main.go
+++ b/services/antivirus/cmd/antivirus/main.go
@@ -1,19 +0,0 @@
-package main
-
-import (
-	"context"
-	"os"
-	"os/signal"
-	"syscall"
-
-	"github.com/opencloud-eu/opencloud/services/antivirus/pkg/command"
-	"github.com/opencloud-eu/opencloud/services/antivirus/pkg/config/defaults"
-)
-
-func main() {
-	cfg := defaults.DefaultConfig()
-	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
-	if err := command.Execute(cfg); err != nil {
-		os.Exit(1)
-	}
-}
--- a/services/antivirus/pkg/command/health.go
+++ b/services/antivirus/pkg/command/health.go
@@ -5,23 +5,22 @@ import (
 	"net/http"

 	"github.com/opencloud-eu/opencloud/pkg/log"
+	"github.com/spf13/cobra"

 	"github.com/opencloud-eu/opencloud/pkg/config/configlog"
 	"github.com/opencloud-eu/opencloud/services/antivirus/pkg/config"
 	"github.com/opencloud-eu/opencloud/services/antivirus/pkg/config/parser"
-	"github.com/urfave/cli/v2"
 )

 // Health is the entrypoint for the health command.
-func Health(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:     "health",
-		Usage:    "check health status",
-		Category: "info",
-		Before: func(c *cli.Context) error {
+func Health(cfg *config.Config) *cobra.Command {
+	return &cobra.Command{
+		Use:   "health",
+		Short: "check health status",
+		PreRunE: func(cmd *cobra.Command, args []string) error {
 			return configlog.ReturnError(parser.ParseConfig(cfg))
 		},
-		Action: func(c *cli.Context) error {
+		RunE: func(cmd *cobra.Command, args []string) error {
 			logger := log.NewLogger(
 				log.Name(cfg.Service.Name),
 				log.Level(cfg.Log.Level),
--- a/services/antivirus/pkg/command/root.go
+++ b/services/antivirus/pkg/command/root.go
@@ -5,12 +5,12 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/clihelper"
 	"github.com/opencloud-eu/opencloud/services/antivirus/pkg/config"
-	"github.com/urfave/cli/v2"
+	"github.com/spf13/cobra"
 )

 // GetCommands provides all commands for this service
-func GetCommands(cfg *config.Config) cli.Commands {
-	return []*cli.Command{
+func GetCommands(cfg *config.Config) []*cobra.Command {
+	return []*cobra.Command{
 		Server(cfg),
 		Health(cfg),
 		Version(cfg),
@@ -19,11 +19,11 @@ func GetCommands(cfg *config.Config) cli.Commands {

 // Execute is the entry point for the antivirus command.
 func Execute(cfg *config.Config) error {
-	app := clihelper.DefaultApp(&cli.App{
-		Name:     "antivirus",
-		Usage:    "Antivirus service for OpenCloud",
-		Commands: GetCommands(cfg),
+	app := clihelper.DefaultApp(&cobra.Command{
+		Use:   "antivirus",
+		Short: "Antivirus service for OpenCloud",
 	})
-
-	return app.RunContext(cfg.Context, os.Args)
+	app.AddCommand(GetCommands(cfg)...)
+	app.SetArgs(os.Args[1:])
+	return app.ExecuteContext(cfg.Context)
 }
--- a/services/antivirus/pkg/command/server.go
+++ b/services/antivirus/pkg/command/server.go
@@ -3,10 +3,9 @@ package command
 import (
 	"context"
 	"fmt"
+	"os"
 	"os/signal"

-	"github.com/urfave/cli/v2"
-
 	"github.com/opencloud-eu/opencloud/pkg/config/configlog"
 	"github.com/opencloud-eu/opencloud/pkg/log"
 	"github.com/opencloud-eu/opencloud/pkg/runner"
@@ -15,18 +14,18 @@ import (
 	"github.com/opencloud-eu/opencloud/services/antivirus/pkg/config/parser"
 	"github.com/opencloud-eu/opencloud/services/antivirus/pkg/server/debug"
 	"github.com/opencloud-eu/opencloud/services/antivirus/pkg/service"
+	"github.com/spf13/cobra"
 )

 // Server is the entrypoint for the server command.
-func Server(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:     "server",
-		Usage:    fmt.Sprintf("start the %s service without runtime (unsupervised mode)", cfg.Service.Name),
-		Category: "server",
-		Before: func(c *cli.Context) error {
+func Server(cfg *config.Config) *cobra.Command {
+	return &cobra.Command{
+		Use:   "server",
+		Short: fmt.Sprintf("start the %s service without runtime (unsupervised mode)", cfg.Service.Name),
+		PreRunE: func(cmd *cobra.Command, args []string) error {
 			return configlog.ReturnFatal(parser.ParseConfig(cfg))
 		},
-		Action: func(c *cli.Context) error {
+		RunE: func(cmd *cobra.Command, args []string) error {
 			var cancel context.CancelFunc
 			if cfg.Context == nil {
 				cfg.Context, cancel = signal.NotifyContext(context.Background(), runner.StopSignals...)
@@ -42,7 +41,7 @@ func Server(cfg *config.Config) *cli.Command {
 				log.File(cfg.Log.File),
 			)

-			traceProvider, err := tracing.GetServiceTraceProvider(cfg.Tracing, cfg.Service.Name)
+			traceProvider, err := tracing.GetTraceProvider(cmd.Context(), cfg.Commons.TracesExporter, cfg.Service.Name)
 			if err != nil {
 				return err
 			}
@@ -51,7 +50,8 @@ func Server(cfg *config.Config) *cli.Command {
 			{
 				svc, err := service.NewAntivirus(cfg, logger, traceProvider)
 				if err != nil {
-					return cli.Exit(err.Error(), 1)
+					fmt.Errorf("failed to initialize antivirus service: %v", err)
+					os.Exit(1)
 				}

 				gr.Add(runner.New(cfg.Service.Name+".svc", func() error {
--- a/services/antivirus/pkg/command/version.go
+++ b/services/antivirus/pkg/command/version.go
@@ -4,18 +4,17 @@ import (
 	"fmt"

 	"github.com/opencloud-eu/opencloud/pkg/version"
+	"github.com/spf13/cobra"

 	"github.com/opencloud-eu/opencloud/services/antivirus/pkg/config"
-	"github.com/urfave/cli/v2"
 )

 // Version prints the service versions of all running instances.
-func Version(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:     "version",
-		Usage:    "print the version of this binary and the running service instances",
-		Category: "info",
-		Action: func(c *cli.Context) error {
+func Version(cfg *config.Config) *cobra.Command {
+	return &cobra.Command{
+		Use:   "version",
+		Short: "print the version of this binary and the running service instances",
+		RunE: func(cmd *cobra.Command, args []string) error {
 			fmt.Println("Version: " + version.GetString())
 			fmt.Printf("Compiled: %s\n", version.Compiled())
 			fmt.Println("")
--- a/services/antivirus/pkg/config/config.go
+++ b/services/antivirus/pkg/config/config.go
@@ -3,6 +3,8 @@ package config
 import (
 	"context"
 	"time"
+
+	"github.com/opencloud-eu/opencloud/pkg/shared"
 )

 // ScannerType gives info which scanner is used
@@ -27,15 +29,14 @@ const (

 // Config combines all available configuration parts.
 type Config struct {
-	File string
-	Log  *Log
+	Commons *shared.Commons `yaml:"-"` // don't use this directly as configuration for a service
+	File    string
+	Log     *Log

 	Debug Debug `yaml:"debug" mask:"struct"`

 	Service Service `yaml:"-"`

-	Tracing *Tracing `yaml:"tracing"`
-
 	InfectedFileHandling string `yaml:"infected-file-handling" env:"ANTIVIRUS_INFECTED_FILE_HANDLING" desc:"Defines the behaviour when a virus has been found. Supported options are: 'delete', 'continue' and 'abort '. Delete will delete the file. Continue will mark the file as infected but continues further processing. Abort will keep the file in the uploads folder for further admin inspection and will not move it to its final destination." introductionVersion:"1.0.0"`
 	Events               Events
 	Workers              int `yaml:"workers" env:"ANTIVIRUS_WORKERS" desc:"The number of concurrent go routines that fetch events from the event queue." introductionVersion:"1.0.0"`
@@ -74,7 +75,7 @@ type Debug struct {
 type Events struct {
 	Endpoint             string `yaml:"endpoint" env:"OC_EVENTS_ENDPOINT;ANTIVIRUS_EVENTS_ENDPOINT" desc:"The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture." introductionVersion:"1.0.0"`
 	Cluster              string `yaml:"cluster" env:"OC_EVENTS_CLUSTER;ANTIVIRUS_EVENTS_CLUSTER" desc:"The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system." introductionVersion:"1.0.0"`
-	TLSInsecure          bool   `yaml:"tls_insecure" env:"OC_INSECURE;ANTIVIRUS_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"1.0.0"`
+	TLSInsecure          bool   `yaml:"tls_insecure" env:"OC_INSECURE;OC_EVENTS_TLS_INSECURE;ANTIVIRUS_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"1.0.0"`
 	TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;ANTIVIRUS_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided ANTIVIRUS_EVENTS_TLS_INSECURE will be seen as false." introductionVersion:"1.0.0"`
 	EnableTLS            bool   `yaml:"enable_tls" env:"OC_EVENTS_ENABLE_TLS;ANTIVIRUS_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services." introductionVersion:"1.0.0"`
 	AuthUsername         string `yaml:"username" env:"OC_EVENTS_AUTH_USERNAME;ANTIVIRUS_EVENTS_AUTH_USERNAME" desc:"The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services." introductionVersion:"1.0.0"`
--- a/services/antivirus/pkg/config/defaults/defaultconfig.go
+++ b/services/antivirus/pkg/config/defaults/defaultconfig.go
@@ -54,10 +54,6 @@ func EnsureDefaults(cfg *config.Config) {
 	if cfg.Log == nil {
 		cfg.Log = &config.Log{}
 	}
-
-	if cfg.Tracing == nil {
-		cfg.Tracing = &config.Tracing{}
-	}
 }

 // Sanitize sanitizes the configuration
--- a/services/antivirus/pkg/config/tracing.go
+++ b/services/antivirus/pkg/config/tracing.go
@@ -1,21 +0,0 @@
-package config
-
-import "github.com/opencloud-eu/opencloud/pkg/tracing"
-
-// Tracing defines the available tracing configuration.
-type Tracing struct {
-	Enabled   bool   `yaml:"enabled" env:"OC_TRACING_ENABLED;ANTIVIRUS_TRACING_ENABLED" desc:"Activates tracing." introductionVersion:"1.0.0"`
-	Type      string `yaml:"type" env:"OC_TRACING_TYPE;ANTIVIRUS_TRACING_TYPE" desc:"The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now." introductionVersion:"1.0.0"`
-	Endpoint  string `yaml:"endpoint" env:"OC_TRACING_ENDPOINT;ANTIVIRUS_TRACING_ENDPOINT" desc:"The endpoint of the tracing agent." introductionVersion:"1.0.0"`
-	Collector string `yaml:"collector" env:"OC_TRACING_COLLECTOR;ANTIVIRUS_TRACING_COLLECTOR" desc:"The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset." introductionVersion:"1.0.0"`
-}
-
-// Convert Tracing to the tracing package's Config struct.
-func (t Tracing) Convert() tracing.Config {
-	return tracing.Config{
-		Enabled:   t.Enabled,
-		Type:      t.Type,
-		Endpoint:  t.Endpoint,
-		Collector: t.Collector,
-	}
-}
--- a/services/app-provider/README.md
+++ b/services/app-provider/README.md
@@ -0,0 +1,20 @@
+# App Provider
+
+The `app-provider` service provides the CS3 App Provider API for OpenCloud. It is responsible for managing and serving applications that can open files based on their MIME types.
+
+The service works in conjunction with the `app-registry` service, which maintains the registry of available applications and their supported MIME types. When a client requests to open a file with a specific application, the `app-provider` service handles the request and coordinates with the application to provide the appropriate interface.
+
+## Integration
+
+The `app-provider` service integrates with:
+- `app-registry` - For discovering which applications are available for specific MIME types
+- `frontend` - The frontend service forwards app provider requests (default endpoint `/app`) to this service
+
+## Configuration
+
+The service can be configured via environment variables. Key configuration options include:
+- `APP_PROVIDER_EXTERNAL_ADDR` - External address where the gateway service can reach the app provider
+
+## Scalability
+
+The app-provider service can be scaled horizontally as it primarily acts as a coordinator between applications and the OpenCloud backend services.
--- a/services/app-provider/cmd/app-provider/main.go
+++ b/services/app-provider/cmd/app-provider/main.go
@@ -1,19 +0,0 @@
-package main
-
-import (
-	"context"
-	"os"
-	"os/signal"
-	"syscall"
-
-	"github.com/opencloud-eu/opencloud/services/app-provider/pkg/command"
-	"github.com/opencloud-eu/opencloud/services/app-provider/pkg/config/defaults"
-)
-
-func main() {
-	cfg := defaults.DefaultConfig()
-	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
-	if err := command.Execute(cfg); err != nil {
-		os.Exit(1)
-	}
-}
--- a/services/app-provider/pkg/command/health.go
+++ b/services/app-provider/pkg/command/health.go
@@ -8,19 +8,18 @@ import (
 	"github.com/opencloud-eu/opencloud/services/app-provider/pkg/config"
 	"github.com/opencloud-eu/opencloud/services/app-provider/pkg/config/parser"
 	"github.com/opencloud-eu/opencloud/services/app-provider/pkg/logging"
-	"github.com/urfave/cli/v2"
+	"github.com/spf13/cobra"
 )

 // Health is the entrypoint for the health command.
-func Health(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:     "health",
-		Usage:    "check health status",
-		Category: "info",
-		Before: func(c *cli.Context) error {
+func Health(cfg *config.Config) *cobra.Command {
+	return &cobra.Command{
+		Use:   "health",
+		Short: "check health status",
+		PreRunE: func(cmd *cobra.Command, args []string) error {
 			return configlog.ReturnError(parser.ParseConfig(cfg))
 		},
-		Action: func(c *cli.Context) error {
+		RunE: func(cmd *cobra.Command, args []string) error {
 			logger := logging.Configure(cfg.Service.Name, cfg.Log)

 			resp, err := http.Get(
--- a/services/app-provider/pkg/command/root.go
+++ b/services/app-provider/pkg/command/root.go
@@ -5,12 +5,12 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/clihelper"
 	"github.com/opencloud-eu/opencloud/services/app-provider/pkg/config"
-	"github.com/urfave/cli/v2"
+	"github.com/spf13/cobra"
 )

 // GetCommands provides all commands for this service
-func GetCommands(cfg *config.Config) cli.Commands {
-	return []*cli.Command{
+func GetCommands(cfg *config.Config) []*cobra.Command {
+	return []*cobra.Command{
 		// start this service
 		Server(cfg),

@@ -24,11 +24,12 @@ func GetCommands(cfg *config.Config) cli.Commands {

 // Execute is the entry point for the opencloud app-provider command.
 func Execute(cfg *config.Config) error {
-	app := clihelper.DefaultApp(&cli.App{
-		Name:     "app-provider",
-		Usage:    "Provide apps for OpenCloud",
-		Commands: GetCommands(cfg),
+	app := clihelper.DefaultApp(&cobra.Command{
+		Use:   "app-provider",
+		Short: "Provide apps for OpenCloud",
 	})
+	app.AddCommand(GetCommands(cfg)...)
+	app.SetArgs(os.Args[1:])

-	return app.RunContext(cfg.Context, os.Args)
+	return app.ExecuteContext(cfg.Context)
 }
--- a/services/app-provider/pkg/command/server.go
+++ b/services/app-provider/pkg/command/server.go
@@ -6,7 +6,7 @@ import (
 	"os/signal"

 	"github.com/opencloud-eu/reva/v2/cmd/revad/runtime"
-	"github.com/urfave/cli/v2"
+	"github.com/spf13/cobra"

 	"github.com/opencloud-eu/opencloud/pkg/config/configlog"
 	"github.com/opencloud-eu/opencloud/pkg/registry"
@@ -21,17 +21,16 @@ import (
 )

 // Server is the entry point for the server command.
-func Server(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:     "server",
-		Usage:    fmt.Sprintf("start the %s service without runtime (unsupervised mode)", cfg.Service.Name),
-		Category: "server",
-		Before: func(c *cli.Context) error {
+func Server(cfg *config.Config) *cobra.Command {
+	return &cobra.Command{
+		Use:   "server",
+		Short: fmt.Sprintf("start the %s service without runtime (unsupervised mode)", cfg.Service.Name),
+		PreRunE: func(cmd *cobra.Command, args []string) error {
 			return configlog.ReturnFatal(parser.ParseConfig(cfg))
 		},
-		Action: func(c *cli.Context) error {
+		RunE: func(cmd *cobra.Command, args []string) error {
 			logger := logging.Configure(cfg.Service.Name, cfg.Log)
-			traceProvider, err := tracing.GetServiceTraceProvider(cfg.Tracing, cfg.Service.Name)
+			traceProvider, err := tracing.GetTraceProvider(cmd.Context(), cfg.Commons.TracesExporter, cfg.Service.Name)
 			if err != nil {
 				return err
 			}
--- a/services/app-provider/pkg/command/version.go
+++ b/services/app-provider/pkg/command/version.go
@@ -6,20 +6,19 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/registry"
 	"github.com/opencloud-eu/opencloud/pkg/version"
+	"github.com/opencloud-eu/opencloud/services/app-provider/pkg/config"

 	"github.com/olekukonko/tablewriter"
 	"github.com/olekukonko/tablewriter/tw"
-	"github.com/opencloud-eu/opencloud/services/app-provider/pkg/config"
-	"github.com/urfave/cli/v2"
+	"github.com/spf13/cobra"
 )

 // Version prints the service versions of all running instances.
-func Version(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:     "version",
-		Usage:    "print the version of this binary and the running service instances",
-		Category: "info",
-		Action: func(c *cli.Context) error {
+func Version(cfg *config.Config) *cobra.Command {
+	return &cobra.Command{
+		Use:   "version",
+		Short: "print the version of this binary and the running service instances",
+		RunE: func(cmd *cobra.Command, args []string) error {
 			fmt.Println("Version: " + version.GetString())
 			fmt.Printf("Compiled: %s\n", version.Compiled())
 			fmt.Println("")
--- a/services/app-provider/pkg/config/config.go
+++ b/services/app-provider/pkg/config/config.go
@@ -9,7 +9,6 @@ import (
 type Config struct {
 	Commons *shared.Commons `yaml:"-"` // don't use this directly as configuration for a service
 	Service Service         `yaml:"-"`
-	Tracing *Tracing        `yaml:"tracing"`
 	Log     *Log            `yaml:"log"`
 	Debug   Debug           `yaml:"debug"`

--- a/services/app-provider/pkg/config/defaults/defaultconfig.go
+++ b/services/app-provider/pkg/config/defaults/defaultconfig.go
@@ -56,17 +56,6 @@ func EnsureDefaults(cfg *config.Config) {
 	} else if cfg.Log == nil {
 		cfg.Log = &config.Log{}
 	}
-	// provide with defaults for shared tracing, since we need a valid destination address for "envdecode".
-	if cfg.Tracing == nil && cfg.Commons != nil && cfg.Commons.Tracing != nil {
-		cfg.Tracing = &config.Tracing{
-			Enabled:   cfg.Commons.Tracing.Enabled,
-			Type:      cfg.Commons.Tracing.Type,
-			Endpoint:  cfg.Commons.Tracing.Endpoint,
-			Collector: cfg.Commons.Tracing.Collector,
-		}
-	} else if cfg.Tracing == nil {
-		cfg.Tracing = &config.Tracing{}
-	}

 	if cfg.Reva == nil && cfg.Commons != nil {
 		cfg.Reva = structs.CopyOrZeroValue(cfg.Commons.Reva)
--- a/services/app-provider/pkg/config/tracing.go
+++ b/services/app-provider/pkg/config/tracing.go
@@ -1,21 +0,0 @@
-package config
-
-import "github.com/opencloud-eu/opencloud/pkg/tracing"
-
-// Tracing defines the configuration options for tracing.
-type Tracing struct {
-	Enabled   bool   `yaml:"enabled" env:"OC_TRACING_ENABLED;APP_PROVIDER_TRACING_ENABLED" desc:"Activates tracing." introductionVersion:"1.0.0"`
-	Type      string `yaml:"type" env:"OC_TRACING_TYPE;APP_PROVIDER_TRACING_TYPE" desc:"The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now." introductionVersion:"1.0.0"`
-	Endpoint  string `yaml:"endpoint" env:"OC_TRACING_ENDPOINT;APP_PROVIDER_TRACING_ENDPOINT" desc:"The endpoint of the tracing agent." introductionVersion:"1.0.0"`
-	Collector string `yaml:"collector" env:"OC_TRACING_COLLECTOR;APP_PROVIDER_TRACING_COLLECTOR" desc:"The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset." introductionVersion:"1.0.0"`
-}
-
-// Convert Tracing to the tracing package's Config struct.
-func (t Tracing) Convert() tracing.Config {
-	return tracing.Config{
-		Enabled:   t.Enabled,
-		Type:      t.Type,
-		Endpoint:  t.Endpoint,
-		Collector: t.Collector,
-	}
-}
--- a/services/app-registry/cmd/app-registry/main.go
+++ b/services/app-registry/cmd/app-registry/main.go
@@ -1,19 +0,0 @@
-package main
-
-import (
-	"context"
-	"os"
-	"os/signal"
-	"syscall"
-
-	"github.com/opencloud-eu/opencloud/services/app-registry/pkg/command"
-	"github.com/opencloud-eu/opencloud/services/app-registry/pkg/config/defaults"
-)
-
-func main() {
-	cfg := defaults.DefaultConfig()
-	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
-	if err := command.Execute(cfg); err != nil {
-		os.Exit(1)
-	}
-}
--- a/services/app-registry/pkg/command/health.go
+++ b/services/app-registry/pkg/command/health.go
@@ -8,19 +8,18 @@ import (
 	"github.com/opencloud-eu/opencloud/services/app-registry/pkg/config"
 	"github.com/opencloud-eu/opencloud/services/app-registry/pkg/config/parser"
 	"github.com/opencloud-eu/opencloud/services/app-registry/pkg/logging"
-	"github.com/urfave/cli/v2"
+	"github.com/spf13/cobra"
 )

 // Health is the entrypoint for the health command.
-func Health(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:     "health",
-		Usage:    "check health status",
-		Category: "info",
-		Before: func(c *cli.Context) error {
+func Health(cfg *config.Config) *cobra.Command {
+	return &cobra.Command{
+		Use:   "health",
+		Short: "check health status",
+		PreRunE: func(cmd *cobra.Command, args []string) error {
 			return configlog.ReturnError(parser.ParseConfig(cfg))
 		},
-		Action: func(c *cli.Context) error {
+		RunE: func(cmd *cobra.Command, args []string) error {
 			logger := logging.Configure(cfg.Service.Name, cfg.Log)

 			resp, err := http.Get(
--- a/services/app-registry/pkg/command/root.go
+++ b/services/app-registry/pkg/command/root.go
@@ -5,12 +5,12 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/clihelper"
 	"github.com/opencloud-eu/opencloud/services/app-registry/pkg/config"
-	"github.com/urfave/cli/v2"
+	"github.com/spf13/cobra"
 )

 // GetCommands provides all commands for this service
-func GetCommands(cfg *config.Config) cli.Commands {
-	return []*cli.Command{
+func GetCommands(cfg *config.Config) []*cobra.Command {
+	return []*cobra.Command{
 		// start this service
 		Server(cfg),

@@ -24,11 +24,12 @@ func GetCommands(cfg *config.Config) cli.Commands {

 // Execute is the entry point for the opencloud app-registry command.
 func Execute(cfg *config.Config) error {
-	app := clihelper.DefaultApp(&cli.App{
-		Name:     "app-registry",
-		Usage:    "Provide an app registry for OpenCloud",
-		Commands: GetCommands(cfg),
+	app := clihelper.DefaultApp(&cobra.Command{
+		Use:   "app-registry",
+		Short: "Provide an app registry for OpenCloud",
 	})
+	app.AddCommand(GetCommands(cfg)...)
+	app.SetArgs(os.Args[1:])

-	return app.RunContext(cfg.Context, os.Args)
+	return app.ExecuteContext(cfg.Context)
 }
--- a/services/app-registry/pkg/command/server.go
+++ b/services/app-registry/pkg/command/server.go
@@ -16,21 +16,20 @@ import (
 	"github.com/opencloud-eu/opencloud/services/app-registry/pkg/revaconfig"
 	"github.com/opencloud-eu/opencloud/services/app-registry/pkg/server/debug"
 	"github.com/opencloud-eu/reva/v2/cmd/revad/runtime"
-	"github.com/urfave/cli/v2"
+	"github.com/spf13/cobra"
 )

 // Server is the entry point for the server command.
-func Server(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:     "server",
-		Usage:    fmt.Sprintf("start the %s service without runtime (unsupervised mode)", cfg.Service.Name),
-		Category: "server",
-		Before: func(c *cli.Context) error {
+func Server(cfg *config.Config) *cobra.Command {
+	return &cobra.Command{
+		Use:   "server",
+		Short: fmt.Sprintf("start the %s service without runtime (unsupervised mode)", cfg.Service.Name),
+		PreRunE: func(cmd *cobra.Command, args []string) error {
 			return configlog.ReturnFatal(parser.ParseConfig(cfg))
 		},
-		Action: func(c *cli.Context) error {
+		RunE: func(cmd *cobra.Command, args []string) error {
 			logger := logging.Configure(cfg.Service.Name, cfg.Log)
-			traceProvider, err := tracing.GetServiceTraceProvider(cfg.Tracing, cfg.Service.Name)
+			traceProvider, err := tracing.GetTraceProvider(cmd.Context(), cfg.Commons.TracesExporter, cfg.Service.Name)
 			if err != nil {
 				return err
 			}
--- a/services/app-registry/pkg/command/version.go
+++ b/services/app-registry/pkg/command/version.go
@@ -6,20 +6,19 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/registry"
 	"github.com/opencloud-eu/opencloud/pkg/version"
+	"github.com/opencloud-eu/opencloud/services/app-registry/pkg/config"

 	"github.com/olekukonko/tablewriter"
 	"github.com/olekukonko/tablewriter/tw"
-	"github.com/opencloud-eu/opencloud/services/app-registry/pkg/config"
-	"github.com/urfave/cli/v2"
+	"github.com/spf13/cobra"
 )

 // Version prints the service versions of all running instances.
-func Version(cfg *config.Config) *cli.Command {
-	return &cli.Command{
-		Name:     "version",
-		Usage:    "print the version of this binary and the running service instances",
-		Category: "info",
-		Action: func(c *cli.Context) error {
+func Version(cfg *config.Config) *cobra.Command {
+	return &cobra.Command{
+		Use:   "version",
+		Short: "print the version of this binary and the running service instances",
+		RunE: func(cmd *cobra.Command, args []string) error {
 			fmt.Println("Version: " + version.GetString())
 			fmt.Printf("Compiled: %s\n", version.Compiled())
 			fmt.Println("")
--- a/services/app-registry/pkg/config/config.go
+++ b/services/app-registry/pkg/config/config.go
@@ -9,10 +9,9 @@ import (
 type Config struct {
 	Commons *shared.Commons `yaml:"-"` // don't use this directly as configuration for a service

-	Service Service  `yaml:"-"`
-	Tracing *Tracing `yaml:"tracing"`
-	Log     *Log     `yaml:"log"`
-	Debug   Debug    `yaml:"debug"`
+	Service Service `yaml:"-"`
+	Log     *Log    `yaml:"log"`
+	Debug   Debug   `yaml:"debug"`

 	GRPC GRPCConfig `yaml:"grpc"`

--- a/services/app-registry/pkg/config/defaults/defaultconfig.go
+++ b/services/app-registry/pkg/config/defaults/defaultconfig.go
@@ -133,17 +133,6 @@ func EnsureDefaults(cfg *config.Config) {
 	} else if cfg.Log == nil {
 		cfg.Log = &config.Log{}
 	}
-	// provide with defaults for shared tracing, since we need a valid destination address for "envdecode".
-	if cfg.Tracing == nil && cfg.Commons != nil && cfg.Commons.Tracing != nil {
-		cfg.Tracing = &config.Tracing{
-			Enabled:   cfg.Commons.Tracing.Enabled,
-			Type:      cfg.Commons.Tracing.Type,
-			Endpoint:  cfg.Commons.Tracing.Endpoint,
-			Collector: cfg.Commons.Tracing.Collector,
-		}
-	} else if cfg.Tracing == nil {
-		cfg.Tracing = &config.Tracing{}
-	}

 	if cfg.Reva == nil && cfg.Commons != nil {
 		cfg.Reva = structs.CopyOrZeroValue(cfg.Commons.Reva)
--- a/services/app-registry/pkg/config/tracing.go
+++ b/services/app-registry/pkg/config/tracing.go
@@ -1,21 +0,0 @@
-package config
-
-import "github.com/opencloud-eu/opencloud/pkg/tracing"
-
-// Tracing contains the tracing config parameters.
-type Tracing struct {
-	Enabled   bool   `yaml:"enabled" env:"OC_TRACING_ENABLED;APP_REGISTRY_TRACING_ENABLED" desc:"Activates tracing." introductionVersion:"1.0.0"`
-	Type      string `yaml:"type" env:"OC_TRACING_TYPE;APP_REGISTRY_TRACING_TYPE" desc:"The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now." introductionVersion:"1.0.0"`
-	Endpoint  string `yaml:"endpoint" env:"OC_TRACING_ENDPOINT;APP_REGISTRY_TRACING_ENDPOINT"  desc:"The endpoint of the tracing agent." introductionVersion:"1.0.0"`
-	Collector string `yaml:"collector" env:"OC_TRACING_COLLECTOR;APP_REGISTRY_TRACING_COLLECTOR" desc:"The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset." introductionVersion:"1.0.0"`
-}
-
-// Convert Tracing to the tracing package's Config struct.
-func (t Tracing) Convert() tracing.Config {
-	return tracing.Config{
-		Enabled:   t.Enabled,
-		Type:      t.Type,
-		Endpoint:  t.Endpoint,
-		Collector: t.Collector,
-	}
-}
--- a/Show More
+++ b/Show More