ApiTest: set user profile photo

Merge pull request #939 from opencloud-eu/dependabot/npm_and_yarn/services/idp/testing-library/user-event-14.6.1
build(deps): bump @testing-library/user-event from 14.5.2 to 14.6.1 in /services/idp
2025-12-24 14:50:39 -05:00 · 2025-05-28 16:18:10 +02:00 · 2025-05-27 11:07:35 +02:00 · 2025-05-26 17:31:56 +02:00 · 2025-05-26 15:09:23 +00:00 · 2025-05-26 14:50:14 +00:00
1455 changed files with 100191 additions and 20625 deletions
--- a/.bingo/Variables.mk
+++ b/.bingo/Variables.mk
@@ -65,12 +65,6 @@ $(GOVULNCHECK): $(BINGO_DIR)/govulncheck.mod
 	@echo "(re)installing $(GOBIN)/govulncheck-v1.1.4"
 	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=govulncheck.mod -o=$(GOBIN)/govulncheck-v1.1.4 "golang.org/x/vuln/cmd/govulncheck"

-HUGO := $(GOBIN)/hugo-v0.123.7
-$(HUGO): $(BINGO_DIR)/hugo.mod
-	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
-	@echo "(re)installing $(GOBIN)/hugo-v0.123.7"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=hugo.mod -o=$(GOBIN)/hugo-v0.123.7 "github.com/gohugoio/hugo"
-
 MOCKERY := $(GOBIN)/mockery-v2.53.2
 $(MOCKERY): $(BINGO_DIR)/mockery.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
--- a/.bingo/hugo.mod
+++ b/.bingo/hugo.mod
@@ -1,7 +0,0 @@
-module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT
-
-go 1.17
-
-replace github.com/markbates/inflect => github.com/markbates/inflect v0.0.0-20171215194931-a12c3aec81a6
-
-require github.com/gohugoio/hugo v0.123.7
--- a/.bingo/hugo.sum
+++ b/.bingo/hugo.sum
--- a/.bingo/variables.env
+++ b/.bingo/variables.env
@@ -24,8 +24,6 @@ GOLANGCI_LINT="${GOBIN}/golangci-lint-v1.64.6"

 GOVULNCHECK="${GOBIN}/govulncheck-v1.1.4"

-HUGO="${GOBIN}/hugo-v0.123.7"
-
 MOCKERY="${GOBIN}/mockery-v2.53.2"

 MUTAGEN="${GOBIN}/mutagen-v0.18.1"
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -0,0 +1,30 @@
+name: Require Pull Request Labels
+on:
+  pull_request:
+    types: [opened, labeled, unlabeled, synchronize]
+jobs:
+  label:
+    # Only run if PR is not from a fork
+    if: github.event.pull_request.head.repo.full_name == github.repository
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: mheap/github-action-required-labels@v5
+        with:
+          mode: minimum
+          count: 1
+          labels: |
+            Type:Bug
+            Type:Enhancement
+            Type:Feature
+            Type:Breaking-Change
+            Type:Test
+            Type:Documentation
+            Type:Maintenance
+            Type:Security
+            Type:Dependencies
+            Type:DevOps
+            dependencies
+          add_comment: true
--- a/.make/go.mk
+++ b/.make/go.mk
@@ -18,21 +18,20 @@ SOURCES ?= $(shell find . -name "*.go" -type f -not -path "./node_modules/*")
 TAGS ?=

 ifndef OUTPUT
-	ifneq ($(DRONE_TAG),)
-		OUTPUT ?= $(subst v,,$(DRONE_TAG))
+	ifneq ($(CI_COMMIT_TAG),)
+		OUTPUT ?= $(subst v,,$(CI_COMMIT_TAG))
 	else
 		OUTPUT ?= testing
 	endif
 endif

-ifndef VERSION
-	ifneq ($(DRONE_TAG),)
-		VERSION ?= $(subst v,,$(DRONE_TAG))
-	else
-		STRING ?= $(shell git rev-parse --short HEAD)
-	endif
+ifeq ($(VERSION), daily)
+	STRING ?= $(shell git rev-parse --short HEAD)
+else ifeq ($(VERSION),)
+	STRING ?= $(shell git rev-parse --short HEAD)
 endif

+
 ifndef DATE
 	DATE := $(shell date -u '+%Y%m%d')
 endif
--- a/.make/protobuf.mk
+++ b/.make/protobuf.mk
@@ -14,12 +14,12 @@ protoc-deps: $(BINGO)
 	@cd ../.. && GOPATH="" GOBIN=".bingo" $(BINGO) get -l github.com/favadi/protoc-go-inject-tag

 .PHONY: buf-generate
-buf-generate: $(BUF) protoc-deps $(SHA1_LOCK_FILE)
+buf-generate: $(SHA1_LOCK_FILE)
 	@find $(abspath $(CURDIR)/../../protogen/proto/) -type f -print0 | sort -z | xargs -0 sha1sum > buf.sha1.lock.tmp
 	@cmp $(SHA1_LOCK_FILE) buf.sha1.lock.tmp --quiet || $(MAKE) -B $(SHA1_LOCK_FILE)
 	@rm -f buf.sha1.lock.tmp

-$(SHA1_LOCK_FILE):
+$(SHA1_LOCK_FILE): $(BUF) protoc-deps
 	@echo "generating protobuf content"
 	cd ../../protogen/proto && $(BUF) generate
 	find $(abspath $(CURDIR)/../../protogen/proto/) -type f -print0 | sort -z | xargs -0 sha1sum > $(SHA1_LOCK_FILE)
--- a/.make/recursion.mk
+++ b/.make/recursion.mk
@@ -1,8 +0,0 @@
-
-ifeq ($(MAKE_DEPTH),)
-MAKE_DEPTH := 0
-else
-$(eval MAKE_DEPTH := $(shell echo "$$(( $(MAKE_DEPTH) + 1 ))" ) )
-endif
-
-export
--- a/.woodpecker.env
+++ b/.woodpecker.env
@@ -1,3 +1,3 @@
 # The test runner source for UI tests
-WEB_COMMITID=4f68c1e1dbcc88839e42c17c57f31dec243d7bd0
+WEB_COMMITID=8c10b33af6ec3a949f95a57f197ee915d666f343
 WEB_BRANCH=main
--- a/.woodpecker.star
+++ b/.woodpecker.star
@@ -1,12 +1,6 @@
 """OpenCloud CI definition
 """

-# Production release tags
-# NOTE: need to be updated if new production releases are determined
-# - follow semver
-# - omit 'v' prefix
-PRODUCTION_RELEASE_TAGS = ["2.0", "3.0"]
-
 # Repository

 repo_slug = "opencloud-eu/opencloud"
@@ -23,7 +17,6 @@ OC_CI_ALPINE = "owncloudci/alpine:latest"
 OC_CI_BAZEL_BUILDIFIER = "owncloudci/bazel-buildifier:latest"
 OC_CI_CLAMAVD = "owncloudci/clamavd"
 OC_CI_DRONE_ANSIBLE = "owncloudci/drone-ansible:latest"
-OC_CI_DRONE_SKIP_PIPELINE = "owncloudci/drone-skip-pipeline"
 OC_CI_GOLANG = "docker.io/golang:1.24"
 OC_CI_NODEJS = "owncloudci/nodejs:%s"
 OC_CI_PHP = "owncloudci/php:%s"
@@ -32,18 +25,12 @@ OC_CS3_API_VALIDATOR = "opencloudeu/cs3api-validator:latest"
 OC_LITMUS = "owncloudci/litmus:latest"
 OC_UBUNTU = "owncloud/ubuntu:20.04"
 ONLYOFFICE_DOCUMENT_SERVER = "onlyoffice/documentserver:7.5.1"
-PLUGINS_CODACY = "plugins/codacy:1"
 PLUGINS_DOCKER_BUILDX = "woodpeckerci/plugin-docker-buildx:latest"
-PLUGINS_GH_PAGES = "plugins/gh-pages:1"
 PLUGINS_GITHUB_RELEASE = "woodpeckerci/plugin-release"
-PLUGINS_GIT_ACTION = "plugins/git-action:1"
-PLUGINS_GIT_PUSH = "appleboy/drone-git-push"
-PLUGINS_MANIFEST = "plugins/manifest:1"
 PLUGINS_S3 = "plugins/s3:1"
 PLUGINS_S3_CACHE = "plugins/s3-cache:1"
 PLUGINS_SLACK = "plugins/slack:1"
 REDIS = "redis:6-alpine"
-SONARSOURCE_SONAR_SCANNER_CLI = "sonarsource/sonar-scanner-cli:11.0"
 READY_RELEASE_GO = "woodpeckerci/plugin-ready-release-go:latest"

 DEFAULT_PHP_VERSION = "8.2"
@@ -59,7 +46,6 @@ dirs = {
    "gobinTar": "go-bin.tar.gz",
    "gobinTarPath": "/go/src/github.com/opencloud-eu/opencloud/go-bin.tar.gz",
    "opencloudConfig": "tests/config/woodpecker/opencloud-config.json",
-    "ocis": "/woodpecker/src/github.com/opencloud-eu/opencloud/srv/app/tmp/ocis",
    "opencloudRevaDataRoot": "/woodpecker/src/github.com/opencloud-eu/opencloud/srv/app/tmp/ocis/owncloud/data",
    "multiServiceOcBaseDataPath": "/woodpecker/src/github.com/opencloud-eu/opencloud/multiServiceData",
    "ocWrapper": "/woodpecker/src/github.com/opencloud-eu/opencloud/tests/ocwrapper",
@@ -78,6 +64,19 @@ FED_OC_SERVER_NAME = "federation-opencloud-server"
 OC_FED_URL = "https://%s:10200" % FED_OC_SERVER_NAME
 OC_FED_DOMAIN = "%s:10200" % FED_OC_SERVER_NAME

+event = {
+    "base": {
+        "event": ["push", "manual"],
+        "branch": "main",
+    },
+    "pull_request": {
+        "event": "pull_request",
+    },
+    "tag": {
+        "event": "tag",
+    },
+}
+
 # configuration
 config = {
    "cs3ApiTests": {
@@ -127,6 +126,7 @@ config = {
            "suites": [
                "apiGraph",
                "apiServiceAvailability",
+                "collaborativePosix",
            ],
            "skip": False,
            "withRemotePhp": [True],
@@ -338,6 +338,20 @@ config = {
    },
    "dockerReleases": {
        "architectures": ["arm64", "amd64"],
+        "production": {
+            # NOTE: need to be updated if new production releases are determined
+            "tags": ["2.0"],
+            "repo": docker_repo_slug,
+            "build_type": "production",
+        },
+        "rolling": {
+            "repo": docker_repo_slug + "-rolling",
+            "build_type": "rolling",
+        },
+        "daily": {
+            "repo": docker_repo_slug + "-rolling",
+            "build_type": "daily",
+        },
    },
    "litmus": True,
    "codestyle": True,
@@ -416,11 +430,8 @@ def main(ctx):
      none
    """

-    pipelines = []
-
    build_release_helpers = \
-        readyReleaseGo() + \
-        docs()
+        readyReleaseGo()

    build_release_helpers.append(
        pipelineDependsOn(
@@ -436,7 +447,7 @@ def main(ctx):
        buildWebCache(ctx) + \
        getGoBinForTesting(ctx) + \
        buildOpencloudBinaryForTesting(ctx) + \
-        checkStarlark() + \
+        checkStarlark(ctx) + \
        build_release_helpers + \
        testOpencloudAndUploadResults(ctx) + \
        testPipelines(ctx)
@@ -474,10 +485,10 @@ def main(ctx):
        ),
    )

-    pipelineSanityChecks(ctx, pipelines)
+    pipelineSanityChecks(pipelines)
    return pipelines

-def cachePipeline(name, steps):
+def cachePipeline(ctx, name, steps):
    return {
        "name": "build-%s-cache" % name,
        "skip_clone": True,
@@ -489,14 +500,17 @@ def cachePipeline(name, steps):
            },
            {
                "event": "pull_request",
+                "path": {
+                    "exclude": skipIfUnchanged(ctx, "base"),
+                },
            },
        ],
    }

 def buildWebCache(ctx):
    return [
-        cachePipeline("web", generateWebCache(ctx)),
-        cachePipeline("web-pnpm", generateWebPnpmCache(ctx)),
+        cachePipeline(ctx, "web", generateWebCache(ctx)),
+        cachePipeline(ctx, "web-pnpm", generateWebPnpmCache(ctx)),
    ]

 def testOpencloudAndUploadResults(ctx):
@@ -547,6 +561,7 @@ def getGoBinForTesting(ctx):
        "steps": checkGoBinCache() +
                 cacheGoBin(),
        "when": [
+            event["tag"],
            {
                "event": ["push", "manual"],
                "branch": ["main", "stable-*"],
@@ -557,9 +572,6 @@ def getGoBinForTesting(ctx):
                    "exclude": skipIfUnchanged(ctx, "unit-tests"),
                },
            },
-            {
-                "event": "tag",
-            },
        ],
        "workspace": workspace,
    }]
@@ -680,10 +692,7 @@ def testOpencloud(ctx):
        "name": "linting_and_unitTests",
        "steps": steps,
        "when": [
-            {
-                "event": ["push", "manual"],
-                "branch": "main",
-            },
+            event["base"],
            {
                "event": "pull_request",
                "path": {
@@ -711,10 +720,7 @@ def scanOpencloud(ctx):
        "name": "go-vulnerability-scanning",
        "steps": steps,
        "when": [
-            {
-                "event": ["push", "manual"],
-                "branch": "main",
-            },
+            event["base"],
            {
                "event": "pull_request",
                "path": {
@@ -734,14 +740,11 @@ def buildOpencloudBinaryForTesting(ctx):
                 build() +
                 rebuildBuildArtifactCache(ctx, dirs["opencloudBinArtifact"], dirs["opencloudBinPath"]),
        "when": [
-            {
-                "event": ["push", "manual"],
-                "branch": "main",
-            },
+            event["base"],
            {
                "event": "pull_request",
                "path": {
-                    "exclude": skipIfUnchanged(ctx, "unit-tests"),
+                    "exclude": skipIfUnchanged(ctx, "base"),
                },
            },
        ],
@@ -785,8 +788,12 @@ def checkTestSuitesInExpectedFailures(ctx):
            },
        ],
        "when": [
+            event["base"],
            {
                "event": "pull_request",
+                "path": {
+                    "exclude": skipIfUnchanged(ctx, "acceptance-tests"),
+                },
            },
        ],
    }]
@@ -805,8 +812,12 @@ def checkGherkinLint(ctx):
            },
        ],
        "when": [
+            event["base"],
            {
                "event": "pull_request",
+                "path": {
+                    "exclude": skipIfUnchanged(ctx, "lint"),
+                },
            },
        ],
    }]
@@ -869,10 +880,7 @@ def codestyle(ctx):
                         ],
                "depends_on": [],
                "when": [
-                    {
-                        "event": ["push", "manual"],
-                        "branch": "main",
-                    },
+                    event["base"],
                    {
                        "event": "pull_request",
                        "path": {
@@ -922,27 +930,24 @@ def localApiTestPipeline(ctx):
                for storage in params["storages"]:
                    for run_with_remote_php in params["withRemotePhp"]:
                        pipeline = {
-                            "name": "%s-%s%s-%s" % ("CLI" if name.startswith("cli") else "API", name, "-withoutRemotePhp" if not run_with_remote_php else "", storage),
+                            "name": "%s-%s%s-%s" % ("CLI" if name.startswith("cli") else "API", name, "-withoutRemotePhp" if not run_with_remote_php else "", "decomposed" if name.startswith("cli") else storage),
                            "steps": restoreBuildArtifactCache(ctx, dirs["opencloudBinArtifact"], dirs["opencloudBinPath"]) +
                                     (tikaService() if params["tikaNeeded"] else []) +
                                     (waitForServices("online-offices", ["collabora:9980", "onlyoffice:443", "fakeoffice:8080"]) if params["collaborationServiceNeeded"] else []) +
-                                     opencloudServer(storage, params["accounts_hash_difficulty"], extra_server_environment = params["extraServerEnvironment"], with_wrapper = True, tika_enabled = params["tikaNeeded"]) +
                                     (waitForClamavService() if params["antivirusNeeded"] else []) +
                                     (waitForEmailService() if params["emailNeeded"] else []) +
+                                     opencloudServer(storage, params["accounts_hash_difficulty"], extra_server_environment = params["extraServerEnvironment"], with_wrapper = True, tika_enabled = params["tikaNeeded"]) +
                                     (opencloudServer(storage, params["accounts_hash_difficulty"], deploy_type = "federation", extra_server_environment = params["extraServerEnvironment"]) if params["federationServer"] else []) +
                                     ((wopiCollaborationService("fakeoffice") + wopiCollaborationService("collabora") + wopiCollaborationService("onlyoffice")) if params["collaborationServiceNeeded"] else []) +
                                     (openCloudHealthCheck("wopi", ["wopi-collabora:9304", "wopi-onlyoffice:9304", "wopi-fakeoffice:9304"]) if params["collaborationServiceNeeded"] else []) +
-                                     localApiTests(ctx, name, params["suites"], storage, params["extraEnvironment"], run_with_remote_php) +
+                                     localApiTests(name, params["suites"], storage, params["extraEnvironment"], run_with_remote_php) +
                                     logRequests(),
                            "services": (emailService() if params["emailNeeded"] else []) +
                                        (clamavService() if params["antivirusNeeded"] else []) +
                                        ((fakeOffice() + collaboraService() + onlyofficeService()) if params["collaborationServiceNeeded"] else []),
                            "depends_on": getPipelineNames(buildOpencloudBinaryForTesting(ctx)),
                            "when": [
-                                {
-                                    "event": ["push", "manual"],
-                                    "branch": "main",
-                                },
+                                event["base"],
                                {
                                    "event": "pull_request",
                                    "path": {
@@ -954,9 +959,9 @@ def localApiTestPipeline(ctx):
                        pipelines.append(pipeline)
    return pipelines

-def localApiTests(ctx, name, suites, storage = "decomposed", extra_environment = {}, with_remote_php = False):
+def localApiTests(name, suites, storage = "decomposed", extra_environment = {}, with_remote_php = False):
    test_dir = "%s/tests/acceptance" % dirs["base"]
-    expected_failures_file = "%s/expected-failures-localAPI-on-decomposed-storage.md" % (test_dir)
+    expected_failures_file = "%s/expected-failures-localAPI-on-%s-storage.md" % (test_dir, storage)

    environment = {
        "TEST_SERVER_URL": OC_URL,
@@ -964,12 +969,13 @@ def localApiTests(ctx, name, suites, storage = "decomposed", extra_environment =
        "SEND_SCENARIO_LINE_REFERENCES": True,
        "STORAGE_DRIVER": storage,
        "BEHAT_SUITES": ",".join(suites),
-        "BEHAT_FILTER_TAGS": "~@skip&&~@skipOnGraph&&~@skipOnOpencloud-%s-Storage" % storage,
+        "BEHAT_FILTER_TAGS": "~@skip&&~@skipOnOpencloud-%s-Storage" % storage,
        "EXPECTED_FAILURES_FILE": expected_failures_file,
        "UPLOAD_DELETE_WAIT_TIME": "1" if storage == "owncloud" else 0,
        "OC_WRAPPER_URL": "http://%s:5200" % OC_SERVER_NAME,
        "WITH_REMOTE_PHP": with_remote_php,
        "COLLABORATION_SERVICE_URL": "http://wopi-fakeoffice:9300",
+        "OC_STORAGE_PATH": "$HOME/.opencloud/storage/users",
    }

    for item in extra_environment:
@@ -990,7 +996,7 @@ def cs3ApiTests(ctx, storage, accounts_hash_difficulty = 4):
    return {
        "name": "cs3ApiTests-%s" % storage,
        "steps": restoreBuildArtifactCache(ctx, dirs["opencloudBinArtifact"], dirs["opencloudBinPath"]) +
-                 opencloudServer(storage, accounts_hash_difficulty, [], [], "cs3api_validator") +
+                 opencloudServer(storage, accounts_hash_difficulty, deploy_type = "cs3api_validator") +
                 [
                     {
                         "name": "cs3ApiTests",
@@ -1005,10 +1011,7 @@ def cs3ApiTests(ctx, storage, accounts_hash_difficulty = 4):
                 ],
        "depends_on": getPipelineNames(buildOpencloudBinaryForTesting(ctx)),
        "when": [
-            {
-                "event": ["push", "manual"],
-                "branch": "main",
-            },
+            event["base"],
            {
                "event": "pull_request",
                "path": {
@@ -1036,7 +1039,6 @@ def wopiValidatorTests(ctx, storage, wopiServerType, accounts_hash_difficulty =
    ]

    validatorTests = []
-    wopiServer = []
    extra_server_environment = {}

    if wopiServerType == "cs3":
@@ -1122,10 +1124,7 @@ def wopiValidatorTests(ctx, storage, wopiServerType, accounts_hash_difficulty =
                 validatorTests,
        "depends_on": getPipelineNames(buildOpencloudBinaryForTesting(ctx)),
        "when": [
-            {
-                "event": ["push", "manual"],
-                "branch": "main",
-            },
+            event["base"],
            {
                "event": "pull_request",
                "path": {
@@ -1139,7 +1138,7 @@ def coreApiTests(ctx, part_number = 1, number_of_parts = 1, with_remote_php = Fa
    storage = "posix"
    if "[decomposed]" in ctx.build.title.lower():
        storage = "decomposed"
-    filterTags = "~@skipOnGraph&&~@skipOnOpencloud-%s-Storage" % storage
+    filterTags = "~@skipOnOpencloud-%s-Storage" % storage
    test_dir = "%s/tests/acceptance" % dirs["base"]
    expected_failures_file = "%s/expected-failures-API-on-%s-storage.md" % (test_dir, storage)

@@ -1176,10 +1175,7 @@ def coreApiTests(ctx, part_number = 1, number_of_parts = 1, with_remote_php = Fa
        "services": redisForOCStorage(storage),
        "depends_on": getPipelineNames(buildOpencloudBinaryForTesting(ctx)),
        "when": [
-            {
-                "event": ["push", "manual"],
-                "branch": "main",
-            },
+            event["base"],
            {
                "event": "pull_request",
                "path": {
@@ -1204,7 +1200,7 @@ def apiTests(ctx):

    for runPart in range(1, config["apiTests"]["numberOfParts"] + 1):
        for run_with_remote_php in defaults["withRemotePhp"]:
-            if (not debugPartsEnabled or (debugPartsEnabled and runPart in debugParts)):
+            if not debugPartsEnabled or (debugPartsEnabled and runPart in debugParts):
                pipelines.append(coreApiTests(ctx, runPart, config["apiTests"]["numberOfParts"], run_with_remote_php))

    return pipelines
@@ -1226,10 +1222,7 @@ def e2eTestPipeline(ctx):
    }

    e2e_trigger = [
-        {
-            "event": ["push", "manual"],
-            "branch": "main",
-        },
+        event["base"],
        {
            "event": "pull_request",
            "path": {
@@ -1244,10 +1237,10 @@ def e2eTestPipeline(ctx):

    pipelines = []

-    if ("skip-e2e" in ctx.build.title.lower()):
+    if "skip-e2e" in ctx.build.title.lower():
        return pipelines

-    if (ctx.build.event == "tag"):
+    if ctx.build.event == "tag":
        return pipelines

    storage = "posix"
@@ -1335,10 +1328,7 @@ def multiServiceE2ePipeline(ctx):
    }

    e2e_trigger = [
-        {
-            "event": ["push", "manual"],
-            "branch": "main",
-        },
+        event["base"],
        {
            "event": "pull_request",
            "path": {
@@ -1347,11 +1337,11 @@ def multiServiceE2ePipeline(ctx):
        },
    ]

-    if ("skip-e2e" in ctx.build.title.lower()):
+    if "skip-e2e" in ctx.build.title.lower():
        return pipelines

    # run this pipeline only for cron jobs and full-ci PRs
-    if (not "full-ci" in ctx.build.title.lower() and ctx.build.event != "cron"):
+    if not "full-ci" in ctx.build.title.lower() and ctx.build.event != "cron":
        return pipelines

    storage = "posix"
@@ -1455,7 +1445,7 @@ def multiServiceE2ePipeline(ctx):
        })
    return pipelines

-def uploadTracingResult(ctx):
+def uploadTracingResult():
    return [{
        "name": "upload-tracing-result",
        "image": PLUGINS_S3,
@@ -1513,26 +1503,31 @@ def logTracingResults():
 def dockerReleases(ctx):
    pipelines = []
    docker_repos = []
-    build_type = "daily"
+    build_type = ""

-    # dockerhub repo
-    #  - "opencloudeu/opencloud-rolling"
-    repo = docker_repo_slug + "-rolling"
-    docker_repos.append(repo)
-
-    # production release repo
    if ctx.build.event == "tag":
        tag = ctx.build.ref.replace("refs/tags/v", "").lower()
-        for prod_tag in PRODUCTION_RELEASE_TAGS:
+
+        is_production = False
+        for prod_tag in config["dockerReleases"]["production"]["tags"]:
            if tag.startswith(prod_tag):
-                docker_repos.append(docker_repo_slug)
+                is_production = True
                break

+        if is_production:
+            docker_repos.append(config["dockerReleases"]["production"]["repo"])
+            build_type = config["dockerReleases"]["production"]["build_type"]
+
+        else:
+            docker_repos.append(config["dockerReleases"]["rolling"]["repo"])
+            build_type = config["dockerReleases"]["rolling"]["build_type"]
+
+    else:
+        docker_repos.append(config["dockerReleases"]["daily"]["repo"])
+        build_type = config["dockerReleases"]["daily"]["build_type"]
+
    for repo in docker_repos:
        repo_pipelines = []
-        if ctx.build.event == "tag":
-            build_type = "rolling" if "rolling" in repo else "production"
-
        repo_pipelines.append(dockerRelease(ctx, repo, build_type))

        # manifest = releaseDockerManifest(ctx, repo, build_type)
@@ -1549,7 +1544,7 @@ def dockerReleases(ctx):

 def dockerRelease(ctx, repo, build_type):
    build_args = [
-        "REVISION=%s" % (ctx.build.commit),
+        "REVISION=%s" % ctx.build.commit,
        "VERSION=%s" % (ctx.build.ref.replace("refs/tags/", "") if ctx.build.event == "tag" else "daily"),
    ]

@@ -1582,11 +1577,7 @@ def dockerRelease(ctx, repo, build_type):
                        "from_secret": "ci_http_proxy",
                    },
                },
-                "when": [
-                    {
-                        "event": ["pull_request"],
-                    },
-                ],
+                "when": [event["pull_request"]],
            },
            {
                "name": "build-and-push",
@@ -1628,31 +1619,21 @@ def dockerRelease(ctx, repo, build_type):
                    ],
                },
                "when": [
-                    {
-                        "event": ["push", "manual"],
-                        "branch": "main",
-                    },
-                    {
-                        "event": "tag",
-                    },
+                    event["base"],
+                    event["tag"],
                ],
            },
        ],
        "depends_on": depends_on,
        "when": [
-            {
-                "event": ["push", "manual"],
-                "branch": "main",
-            },
+            event["base"],
            {
                "event": "pull_request",
                "path": {
                    "exclude": skipIfUnchanged(ctx, "build-docker"),
                },
            },
-            {
-                "event": "tag",
-            },
+            event["tag"],
        ],
    }

@@ -1673,7 +1654,15 @@ def binaryRelease(ctx, arch, depends_on = []):
            {
                "name": "build",
                "image": OC_CI_GOLANG,
-                "environment": CI_HTTP_PROXY_ENV,
+                "environment": {
+                    "VERSION": (ctx.build.ref.replace("refs/tags/", "") if ctx.build.event == "tag" else "daily"),
+                    "HTTP_PROXY": {
+                        "from_secret": "ci_http_proxy",
+                    },
+                    "HTTPS_PROXY": {
+                        "from_secret": "ci_http_proxy",
+                    },
+                },
                "commands": [
                    "make -C opencloud release-%s" % arch,
                ],
@@ -1686,13 +1675,8 @@ def binaryRelease(ctx, arch, depends_on = []):
                    "make -C opencloud release-finish",
                ],
                "when": [
-                    {
-                        "event": ["push", "manual"],
-                        "branch": "main",
-                    },
-                    {
-                        "event": "tag",
-                    },
+                    event["base"],
+                    event["tag"],
                ],
            },
            {
@@ -1706,31 +1690,23 @@ def binaryRelease(ctx, arch, depends_on = []):
                        "opencloud/dist/release/*",
                    ],
                    "title": ctx.build.ref.replace("refs/tags/v", ""),
-                    "overwrite": True,
                    "prerelease": len(ctx.build.ref.split("-")) > 1,
                },
                "when": [
-                    {
-                        "event": "tag",
-                    },
+                    event["tag"],
                ],
            },
        ],
        "depends_on": depends_on,
        "when": [
-            {
-                "event": ["push", "manual"],
-                "branch": "main",
-            },
+            event["base"],
            {
                "event": "pull_request",
                "path": {
                    "exclude": skipIfUnchanged(ctx, "build-binary"),
                },
            },
-            {
-                "event": "tag",
-            },
+            event["tag"],
        ],
    }

@@ -1786,27 +1762,17 @@ def licenseCheck(ctx):
                        "third-party-licenses.tar.gz",
                    ],
                    "title": ctx.build.ref.replace("refs/tags/v", ""),
-                    "overwrite": True,
                    "prerelease": len(ctx.build.ref.split("-")) > 1,
                },
                "when": [
-                    {
-                        "event": "tag",
-                    },
+                    event["tag"],
                ],
            },
        ],
        "when": [
-            {
-                "event": ["push", "manual"],
-                "branch": "main",
-            },
-            {
-                "event": "pull_request",
-            },
-            {
-                "event": "tag",
-            },
+            event["base"],
+            event["pull_request"],
+            event["tag"],
        ],
        "workspace": workspace,
    }
@@ -1827,12 +1793,7 @@ def readyReleaseGo():
                },
            },
        ],
-        "when": [
-            {
-                "event": ["push", "manual"],
-                "branch": "main",
-            },
-        ],
+        "when": [event["base"]],
    }]

 def releaseDockerReadme(repo, build_type):
@@ -1850,7 +1811,7 @@ def releaseDockerReadme(repo, build_type):
                        "from_secret": "docker_password",
                    },
                    "PUSHRM_TARGET": repo,
-                    "PUSHRM_SHORT": "Docker images for %s" % (repo),
+                    "PUSHRM_SHORT": "Docker images for %s" % repo,
                    "PUSHRM_FILE": "README.md",
                },
            },
@@ -1868,49 +1829,16 @@ def releaseDockerReadme(repo, build_type):
            },
        ],
        "when": [
-            {
-                "event": ["push", "manual"],
-                "branch": "main",
-            },
-            {
-                "event": "tag",
-            },
+            event["base"],
+            event["tag"],
        ],
    }

-def docs():
-    return [
-        {
-            "name": "dev-docs",
-            "steps": [
-                {
-                    "name": "devdocs",
-                    "image": "codeberg.org/xfix/plugin-codeberg-pages-deploy:1",
-                    "settings": {
-                        "folder": "docs",
-                        "branch": "docs",
-                        "git_config_email": "${CI_COMMIT_AUTHOR_EMAIL}",
-                        "git_config_name": "${CI_COMMIT_AUTHOR}",
-                        "ssh_key": {
-                            "from_secret": "ssh_key",
-                        },
-                    },
-                },
-            ],
-            "when": [
-                {
-                    "event": "push",
-                    "branch": "main",
-                },
-            ],
-        },
-    ]
-
 def makeNodeGenerate(module):
    if module == "":
        make = "make"
    else:
-        make = "make -C %s" % (module)
+        make = "make -C %s" % module
    return [
        {
            "name": "generate nodejs",
@@ -1920,7 +1848,7 @@ def makeNodeGenerate(module):
            },
            "commands": [
                "pnpm config set store-dir ./.pnpm-store",
-                "for i in $(seq 3); do %s node-generate-prod && break || sleep 1; done" % (make),
+                "for i in $(seq 3); do %s node-generate-prod && break || sleep 1; done" % make,
            ],
        },
    ]
@@ -1929,13 +1857,13 @@ def makeGoGenerate(module):
    if module == "":
        make = "make"
    else:
-        make = "make -C %s" % (module)
+        make = "make -C %s" % module
    return [
        {
            "name": "generate go",
            "image": OC_CI_GOLANG,
            "commands": [
-                "for i in $(seq 3); do %s go-generate && break || sleep 1; done" % (make),
+                "for i in $(seq 3); do %s go-generate && break || sleep 1; done" % make,
            ],
            "environment": CI_HTTP_PROXY_ENV,
        },
@@ -1967,20 +1895,18 @@ def notify(ctx):
                "event": ["push", "manual"],
                "branch": ["main", "release-*"],
            },
-            {
-                "event": "tag",
-            },
+            event["tag"],
        ],
        "runs_on": status,
    }

-def opencloudServer(storage = "decomposed", accounts_hash_difficulty = 4, volumes = [], depends_on = [], deploy_type = "", extra_server_environment = {}, with_wrapper = False, tika_enabled = False):
+def opencloudServer(storage = "decomposed", accounts_hash_difficulty = 4, depends_on = [], deploy_type = "", extra_server_environment = {}, with_wrapper = False, tika_enabled = False):
    user = "0:0"
    container_name = OC_SERVER_NAME
    environment = {
        "OC_URL": OC_URL,
        "OC_CONFIG_DIR": "/root/.opencloud/config",  # needed for checking config later
-        "STORAGE_USERS_DRIVER": "%s" % (storage),
+        "STORAGE_USERS_DRIVER": "%s" % storage,
        "PROXY_ENABLE_BASIC_AUTH": True,
        "WEB_UI_CONFIG_FILE": "%s/%s" % (dirs["base"], dirs["opencloudConfig"]),
        "OC_LOG_LEVEL": "error",
@@ -1994,6 +1920,7 @@ def opencloudServer(storage = "decomposed", accounts_hash_difficulty = 4, volume
        "OC_JWT_SECRET": "some-opencloud-jwt-secret",
        "EVENTHISTORY_STORE": "memory",
        "OC_TRANSLATION_PATH": "%s/tests/config/translations" % dirs["base"],
+        "ACTIVITYLOG_WRITE_BUFFER_DURATION": "0",  # Disable write buffer so that test expectations are met in time
        # debug addresses required for running services health tests
        "ACTIVITYLOG_DEBUG_ADDR": "0.0.0.0:9197",
        "APP_PROVIDER_DEBUG_ADDR": "0.0.0.0:9165",
@@ -2070,20 +1997,27 @@ def opencloudServer(storage = "decomposed", accounts_hash_difficulty = 4, volume
    # That will allow OpenCloud to use whatever its built-in default is.
    # Otherwise pass in a value from 4 to about 11 or 12 (default 4, for making regular tests fast)
    # The high values cause lots of CPU to be used when hashing passwords, and really slow down the tests.
-    if (accounts_hash_difficulty != "default"):
+    if accounts_hash_difficulty != "default":
        environment["ACCOUNTS_HASH_DIFFICULTY"] = accounts_hash_difficulty

    for item in extra_server_environment:
        environment[item] = extra_server_environment[item]

-    wrapper_commands = [
-        "make -C %s build" % dirs["ocWrapper"],
+    server_commands = [
        "env | sort",
-        "%s/bin/ocwrapper serve --bin %s --url %s --admin-username admin --admin-password admin" % (dirs["ocWrapper"], dirs["opencloudBin"], environment["OC_URL"]),
    ]
+    if with_wrapper:
+        server_commands += [
+            "make -C %s build" % dirs["ocWrapper"],
+            "%s/bin/ocwrapper serve --bin %s --url %s --admin-username admin --admin-password admin" % (dirs["ocWrapper"], dirs["opencloudBin"], environment["OC_URL"]),
+        ]
+    else:
+        server_commands += [
+            "%s server" % dirs["opencloudBin"],
+        ]

    wait_for_opencloud = {
-        "name": "wait-for-%s" % (container_name),
+        "name": "wait-for-%s" % container_name,
        "image": OC_CI_ALPINE,
        "commands": [
            # wait for opencloud-server to be ready (5 minutes)
@@ -2104,10 +2038,12 @@ def opencloudServer(storage = "decomposed", accounts_hash_difficulty = 4, volume
            },
        },
        "commands": [
+            "apt-get update",
+            "apt-get install -y inotify-tools",
            "%s init --insecure true" % dirs["opencloudBin"],
            "cat $OC_CONFIG_DIR/opencloud.yaml",
            "cp tests/config/woodpecker/app-registry.yaml $OC_CONFIG_DIR/app-registry.yaml",
-        ] + (wrapper_commands),
+        ] + server_commands,
    }

    steps = [
@@ -2179,11 +2115,6 @@ def build():
    ]

 def skipIfUnchanged(ctx, type):
-    ## FIXME: the 'exclude' feature (https://woodpecker-ci.org/docs/usage/workflow-syntax#path) does not seem to provide
-    # what we need. It seems to skip the build as soon as one of the changed files matches an exclude pattern, we only
-    # want to skip of ALL changed files match. So skip this condition for now:
-    return []
-
    if "full-ci" in ctx.build.title.lower() or ctx.build.event == "tag" or ctx.build.event == "cron":
        return []

@@ -2211,10 +2142,8 @@ def skipIfUnchanged(ctx, type):
        skip = base + acceptance
    elif type == "build-binary" or type == "build-docker" or type == "litmus":
        skip = base + unit + acceptance
-    elif type == "cache":
+    elif type == "cache" or type == "base":
        skip = base
-    else:
-        return []

    return skip

@@ -2246,13 +2175,13 @@ def example_deploys(ctx):

    deploys = []
    for config in configs:
-        deploys.append(deploy(ctx, config, rebuild))
+        deploys.append(deploy(config, rebuild))

    return deploys

-def deploy(ctx, config, rebuild):
+def deploy(config, rebuild):
    return {
-        "name": "deploy_%s" % (config),
+        "name": "deploy_%s" % config,
        "steps": [
            {
                "name": "clone continuous deployment playbook",
@@ -2267,7 +2196,7 @@ def deploy(ctx, config, rebuild):
                "image": OC_CI_DRONE_ANSIBLE,
                "failure": "ignore",
                "environment": {
-                    "CONTINUOUS_DEPLOY_SERVERS_CONFIG": "../%s" % (config),
+                    "CONTINUOUS_DEPLOY_SERVERS_CONFIG": "../%s" % config,
                    "REBUILD": rebuild,
                    "HCLOUD_API_TOKEN": {
                        "from_secret": "hcloud_api_token",
@@ -2288,17 +2217,12 @@ def deploy(ctx, config, rebuild):
            },
        ],
        "when": [
-            {
-                "event": ["push", "manual"],
-                "branch": "main",
-            },
-            {
-                "event": "tag",
-            },
+            event["base"],
+            event["tag"],
        ],
    }

-def checkStarlark():
+def checkStarlark(ctx):
    return [{
        "name": "check-starlark",
        "steps": [
@@ -2325,8 +2249,12 @@ def checkStarlark():
        ],
        "depends_on": [],
        "when": [
+            event["base"],
            {
                "event": "pull_request",
+                "path": {
+                    "exclude": skipIfUnchanged(ctx, "base"),
+                },
            },
        ],
    }]
@@ -2357,7 +2285,7 @@ def genericCache(name, action, mounts, cache_path):
            "secret_key": {
                "from_secret": "cache_s3_secret_key",
            },
-            "filename": "%s.tar" % (name),
+            "filename": "%s.tar" % name,
            "path": cache_path,
            "fallback_path": cache_path,
        },
@@ -2388,13 +2316,8 @@ def genericCachePurge(flush_path):
            },
        ],
        "when": [
-            {
-                "event": ["push", "manual"],
-                "branch": "main",
-            },
-            {
-                "event": "pull_request",
-            },
+            event["base"],
+            event["pull_request"],
        ],
        "runs_on": ["success", "failure"],
    }
@@ -2402,7 +2325,7 @@ def genericCachePurge(flush_path):
 def genericBuildArtifactCache(ctx, name, action, path):
    if action == "rebuild" or action == "restore":
        cache_path = "%s/%s/%s" % ("cache", repo_slug, ctx.build.commit + "-${CI_PIPELINE_NUMBER}")
-        name = "%s_build_artifact_cache" % (name)
+        name = "%s_build_artifact_cache" % name
        return genericCache(name, action, [path], cache_path)

    if action == "purge":
@@ -2419,14 +2342,13 @@ def rebuildBuildArtifactCache(ctx, name, path):
 def purgeBuildArtifactCache(ctx):
    return genericBuildArtifactCache(ctx, "", "purge", [])

-def pipelineSanityChecks(ctx, pipelines):
+def pipelineSanityChecks(pipelines):
    """pipelineSanityChecks helps the CI developers to find errors before running it

    These sanity checks are only executed on when converting starlark to yaml.
    Error outputs are only visible when the conversion is done with the woodpecker cli.

    Args:
-      ctx: woodpecker passes a context with information which the pipeline can be adapted to
      pipelines: pipelines to be checked, normally you should run this on the return value of main()

    Returns:
@@ -2438,7 +2360,7 @@ def pipelineSanityChecks(ctx, pipelines):
    for pipeline in pipelines:
        pipeline_name = pipeline["name"]
        if len(pipeline_name) > max_name_length:
-            print("Error: pipeline name %s is longer than 50 characters" % (pipeline_name))
+            print("Error: pipeline name %s is longer than 50 characters" % pipeline_name)

        for step in pipeline["steps"]:
            step_name = step["name"]
@@ -2489,7 +2411,7 @@ def pipelineSanityChecks(ctx, pipelines):
 def litmus(ctx, storage):
    pipelines = []

-    if (config["litmus"] == False):
+    if not config["litmus"]:
        return pipelines

    environment = {
@@ -2574,10 +2496,7 @@ def litmus(ctx, storage):
        "services": redisForOCStorage(storage),
        "depends_on": getPipelineNames(buildOpencloudBinaryForTesting(ctx)),
        "when": [
-            {
-                "event": ["push", "manual"],
-                "branch": "main",
-            },
+            event["base"],
            {
                "event": "pull_request",
                "path": {
--- a/.woodpecker/docs.yaml
+++ b/.woodpecker/docs.yaml
@@ -1,16 +0,0 @@
---
-
-when:
-  - event: ["push", "manual"]
-    branch: main
-
-steps:
-  - name: devdocs
-    image: codeberg.org/xfix/plugin-codeberg-pages-deploy:1
-    settings:
-      folder: docs
-      branch: docs
-      git_config_email: ${CI_COMMIT_AUTHOR_EMAIL}
-      git_config_name: ${CI_COMMIT_AUTHOR}
-      ssh_key:
-        from_secret: ssh_key
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,162 @@
 # Changelog

+## [2.3.0](https://github.com/opencloud-eu/opencloud/releases/tag/v2.3.0) - 2025-05-19
+
+### ❤️ Thanks to all contributors! ❤️
+
+@AlexAndBear, @ScharfViktor, @aduffeck, @butonic, @micbar, @rhafer
+
+### ✨ Features
+
+- deployment: Adapt opencloud_full to include radicale [[#773](https://github.com/opencloud-eu/opencloud/pull/773)]
+- proxy(router): Allow to set some outgoing headers [[#756](https://github.com/opencloud-eu/opencloud/pull/756)]
+- feat: set idp logo defaul url [[#746](https://github.com/opencloud-eu/opencloud/pull/746)]
+
+### 📈 Enhancement
+
+- Reduce load caused by the activitylog service [[#842](https://github.com/opencloud-eu/opencloud/pull/842)]
+
+### ✅ Tests
+
+- PosixTest. Check that version, share and link still exist [[#837](https://github.com/opencloud-eu/opencloud/pull/837)]
+- [test-only] test for #452 [[#826](https://github.com/opencloud-eu/opencloud/pull/826)]
+- collaboration posix tests [[#780](https://github.com/opencloud-eu/opencloud/pull/780)]
+- collaborative posix test [[#672](https://github.com/opencloud-eu/opencloud/pull/672)]
+
+### 🐛 Bug Fixes
+
+- nats: Don't enable debug and trace logging by default [[#825](https://github.com/opencloud-eu/opencloud/pull/825)]
+- fix: show special roles at the end of the list [[#806](https://github.com/opencloud-eu/opencloud/pull/806)]
+- fix: idp login logo url exceeds logo [[#742](https://github.com/opencloud-eu/opencloud/pull/742)]
+
+### 📦️ Dependencies
+
+- [full-ci] chore(web): bump web to v2.3.0 [[#885](https://github.com/opencloud-eu/opencloud/pull/885)]
+- chore:reva bump v.2.33 [[#884](https://github.com/opencloud-eu/opencloud/pull/884)]
+- build(deps): bump google.golang.org/grpc from 1.72.0 to 1.72.1 [[#862](https://github.com/opencloud-eu/opencloud/pull/862)]
+- build(deps): bump golang.org/x/net from 0.39.0 to 0.40.0 [[#855](https://github.com/opencloud-eu/opencloud/pull/855)]
+- build(deps-dev): bump dotenv-expand from 10.0.0 to 12.0.2 in /services/idp [[#831](https://github.com/opencloud-eu/opencloud/pull/831)]
+- build(deps): bump github.com/libregraph/lico from 0.65.2-0.20250428103211-356e98f98457 to 0.66.0 [[#839](https://github.com/opencloud-eu/opencloud/pull/839)]
+- build(deps): bump i18next from 23.16.8 to 25.1.2 in /services/idp [[#832](https://github.com/opencloud-eu/opencloud/pull/832)]
+- build(deps): bump dario.cat/mergo from 1.0.1 to 1.0.2 [[#829](https://github.com/opencloud-eu/opencloud/pull/829)]
+- build(deps): bump golang.org/x/image from 0.26.0 to 0.27.0 [[#817](https://github.com/opencloud-eu/opencloud/pull/817)]
+- build(deps): bump github.com/CiscoM31/godata from 1.0.10 to 1.0.11 [[#815](https://github.com/opencloud-eu/opencloud/pull/815)]
+- build(deps): bump github.com/KimMachineGun/automemlimit from 0.7.1 to 0.7.2 [[#803](https://github.com/opencloud-eu/opencloud/pull/803)]
+- build(deps): bump golang.org/x/crypto from 0.37.0 to 0.38.0 [[#802](https://github.com/opencloud-eu/opencloud/pull/802)]
+- build(deps): bump github.com/open-policy-agent/opa from 1.3.0 to 1.4.2 [[#784](https://github.com/opencloud-eu/opencloud/pull/784)]
+- build(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 [[#785](https://github.com/opencloud-eu/opencloud/pull/785)]
+- build(deps-dev): bump eslint-plugin-import from 2.30.0 to 2.31.0 in /services/idp [[#777](https://github.com/opencloud-eu/opencloud/pull/777)]
+- build(deps): bump github.com/nats-io/nats.go from 1.41.2 to 1.42.0 [[#776](https://github.com/opencloud-eu/opencloud/pull/776)]
+- build(deps): bump golang.org/x/oauth2 from 0.29.0 to 0.30.0 [[#775](https://github.com/opencloud-eu/opencloud/pull/775)]
+- build(deps): bump i18next-http-backend from 2.5.2 to 3.0.2 in /services/idp [[#774](https://github.com/opencloud-eu/opencloud/pull/774)]
+- build(deps): bump github.com/beevik/etree from 1.5.0 to 1.5.1 [[#759](https://github.com/opencloud-eu/opencloud/pull/759)]
+- build(deps): bump github.com/nats-io/nats-server/v2 from 2.11.2 to 2.11.3 [[#762](https://github.com/opencloud-eu/opencloud/pull/762)]
+- build(deps): bump github.com/nats-io/nats-server/v2 from 2.11.1 to 2.11.2 [[#754](https://github.com/opencloud-eu/opencloud/pull/754)]
+- build(deps): bump github.com/gookit/config/v2 from 2.2.5 to 2.2.6 [[#753](https://github.com/opencloud-eu/opencloud/pull/753)]
+- build(deps-dev): bump css-loader from 5.2.7 to 7.1.2 in /services/idp [[#740](https://github.com/opencloud-eu/opencloud/pull/740)]
+- build(deps): bump react-i18next from 15.1.1 to 15.5.1 in /services/idp [[#741](https://github.com/opencloud-eu/opencloud/pull/741)]
+- build(deps): bump github.com/blevesearch/bleve/v2 from 2.4.4 to 2.5.0 [[#743](https://github.com/opencloud-eu/opencloud/pull/743)]
+- build(deps): bump github.com/gabriel-vasile/mimetype from 1.4.8 to 1.4.9 [[#744](https://github.com/opencloud-eu/opencloud/pull/744)]
+
+## [2.2.0](https://github.com/opencloud-eu/opencloud/releases/tag/v2.2.0) - 2025-04-28
+
+### ❤️ Thanks to all contributors! ❤️
+
+@AlexAndBear, @JammingBen, @ScharfViktor, @Svanvith, @TheOneRing, @aduffeck, @amrita-shrestha, @butonic, @dragonchaser, @dragotin, @fschade, @individual-it, @jnweiger, @micbar, @michaelstingl, @rhafer
+
+### ✨ Features
+
+- add new property IdentifierDefaultLogoTargetURI [[#684](https://github.com/opencloud-eu/opencloud/pull/684)]
+- feat: add dev docs for web [[#623](https://github.com/opencloud-eu/opencloud/pull/623)]
+- feat: improve the info about storage path in deployment example [[#617](https://github.com/opencloud-eu/opencloud/pull/617)]
+
+### 📈 Enhancement
+
+- [full-ci] chore(web): bump web to v2.3.0 [[#738](https://github.com/opencloud-eu/opencloud/pull/738)]
+- bare-metal-deploy. getting latest version [[#699](https://github.com/opencloud-eu/opencloud/pull/699)]
+- Automatically find the latest released version of opencloud [[#687](https://github.com/opencloud-eu/opencloud/pull/687)]
+- Expose more config vars for the posix fs watchers [[#669](https://github.com/opencloud-eu/opencloud/pull/669)]
+- Add env var to make the inotify stats frequency configurable [[#552](https://github.com/opencloud-eu/opencloud/pull/552)]
+- feat(web): remove old and unused color tokens [[#665](https://github.com/opencloud-eu/opencloud/pull/665)]
+- Feat: install.sh now honors OC_BASE_DIR and OC_HOST [[#574](https://github.com/opencloud-eu/opencloud/pull/574)]
+- revert: completely remove "edition" from capabilities [[#601](https://github.com/opencloud-eu/opencloud/pull/601)]
+
+### 📚 Documentation
+
+- Update descirption of COLLABORA_SSL_ENABLE [[#724](https://github.com/opencloud-eu/opencloud/pull/724)]
+- Fix broken links in opencloud_full README.md [[#643](https://github.com/opencloud-eu/opencloud/pull/643)]
+- chore: move dev docs to opencloud-eu/docs repo [[#635](https://github.com/opencloud-eu/opencloud/pull/635)]
+
+### 🐛 Bug Fixes
+
+- Makefile: fix protobuf dependencies [[#714](https://github.com/opencloud-eu/opencloud/pull/714)]
+- Some smaller Makefile adjustments [[#709](https://github.com/opencloud-eu/opencloud/pull/709)]
+- fix(decomposeds3): enable async-uploads by default [[#686](https://github.com/opencloud-eu/opencloud/pull/686)]
+- fix deployment: do not create demo accounts when using keycloak [[#671](https://github.com/opencloud-eu/opencloud/pull/671)]
+- fix: web dev docs broken links [[#633](https://github.com/opencloud-eu/opencloud/pull/633)]
+- fix inbucket setup [[#619](https://github.com/opencloud-eu/opencloud/pull/619)]
+
+### ✅ Tests
+
+- update test docs [[#652](https://github.com/opencloud-eu/opencloud/pull/652)]
+
+### 📦️ Dependencies
+
+- chore:reva bump v.2.32 [[#737](https://github.com/opencloud-eu/opencloud/pull/737)]
+- build(deps): bump golang.org/x/image from 0.25.0 to 0.26.0 [[#726](https://github.com/opencloud-eu/opencloud/pull/726)]
+- build(deps): bump golang.org/x/net from 0.38.0 to 0.39.0 [[#725](https://github.com/opencloud-eu/opencloud/pull/725)]
+- build(deps): bump github.com/nats-io/nats.go from 1.41.0 to 1.41.2 [[#722](https://github.com/opencloud-eu/opencloud/pull/722)]
+- build(deps): bump google.golang.org/grpc from 1.71.1 to 1.72.0 [[#721](https://github.com/opencloud-eu/opencloud/pull/721)]
+- build(deps): bump golang.org/x/oauth2 from 0.28.0 to 0.29.0 [[#602](https://github.com/opencloud-eu/opencloud/pull/602)]
+- build(deps): bump @testing-library/jest-dom from 6.4.8 to 6.6.3 in /services/idp [[#666](https://github.com/opencloud-eu/opencloud/pull/666)]
+- build(deps): bump golang.org/x/text from 0.23.0 to 0.24.0 [[#641](https://github.com/opencloud-eu/opencloud/pull/641)]
+- build(deps-dev): bump webpack from 5.96.1 to 5.99.6 in /services/idp [[#707](https://github.com/opencloud-eu/opencloud/pull/707)]
+- build(deps): bump github.com/nats-io/nats-server/v2 from 2.11.0 to 2.11.1 [[#679](https://github.com/opencloud-eu/opencloud/pull/679)]
+- build(deps): bump github.com/onsi/ginkgo/v2 from 2.23.3 to 2.23.4 [[#637](https://github.com/opencloud-eu/opencloud/pull/637)]
+- build(deps): bump github.com/coreos/go-oidc/v3 from 3.13.0 to 3.14.1 [[#603](https://github.com/opencloud-eu/opencloud/pull/603)]
+- build(deps-dev): bump typescript from 5.7.3 to 5.8.3 in /services/idp [[#604](https://github.com/opencloud-eu/opencloud/pull/604)]
+
+## [2.1.0](https://github.com/opencloud-eu/opencloud/releases/tag/v2.1.0) - 2025-04-07
+
+### ❤️ Thanks to all contributors! ❤️
+
+@AlexAndBear, @JammingBen, @ScharfViktor, @aduffeck, @butonic, @fschade, @individual-it, @kulmann, @micbar, @michaelstingl, @rhafer
+
+### 🐛 Bug Fixes
+
+- feat(antivirus): add partial scanning mode [[#559](https://github.com/opencloud-eu/opencloud/pull/559)]
+- Simplify item-trashed SSEs. Also fixes it for coll. posix fs. [[#565](https://github.com/opencloud-eu/opencloud/pull/565)]
+- fix(opencloud_full): add missing SMTP env vars [[#563](https://github.com/opencloud-eu/opencloud/pull/563)]
+- fix: full deployment tika description is wrong [[#553](https://github.com/opencloud-eu/opencloud/pull/553)]
+- fix: traefik credentials [[#555](https://github.com/opencloud-eu/opencloud/pull/555)]
+- Enable scan/watch in the storageprovider only [[#546](https://github.com/opencloud-eu/opencloud/pull/546)]
+- fix: typo in dev docs [[#540](https://github.com/opencloud-eu/opencloud/pull/540)]
+
+### 📈 Enhancement
+
+- [full-ci] reva bump 2.31.0 [[#599](https://github.com/opencloud-eu/opencloud/pull/599)]
+- feat: support svg as icon [[#538](https://github.com/opencloud-eu/opencloud/pull/538)]
+- feat: change theme.json primary color [[#536](https://github.com/opencloud-eu/opencloud/pull/536)]
+- graph: reduce memory allocations [[#494](https://github.com/opencloud-eu/opencloud/pull/494)]
+
+### ✅ Tests
+
+- [full-ci] fix expected spanish string in test [[#596](https://github.com/opencloud-eu/opencloud/pull/596)]
+- Revert "Disable the 'exclude' patterns on the path conditional for now" [[#561](https://github.com/opencloud-eu/opencloud/pull/561)]
+
+### 📦️ Dependencies
+
+- build(deps): bump github.com/go-playground/validator/v10 from 10.25.0 to 10.26.0 [[#571](https://github.com/opencloud-eu/opencloud/pull/571)]
+- build(deps): bump github.com/nats-io/nats.go from 1.39.1 to 1.41.0 [[#567](https://github.com/opencloud-eu/opencloud/pull/567)]
+- [full-ci] chore(web): bump web to v2.2.0 [[#570](https://github.com/opencloud-eu/opencloud/pull/570)]
+- build(deps): bump github.com/onsi/gomega from 1.36.3 to 1.37.0 [[#566](https://github.com/opencloud-eu/opencloud/pull/566)]
+- build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 [[#557](https://github.com/opencloud-eu/opencloud/pull/557)]
+- build(deps-dev): bump eslint-plugin-jsx-a11y from 6.9.0 to 6.10.2 in /services/idp [[#542](https://github.com/opencloud-eu/opencloud/pull/542)]
+- build(deps): bump web-vitals from 3.5.2 to 4.2.4 in /services/idp [[#541](https://github.com/opencloud-eu/opencloud/pull/541)]
+- build(deps): bump github.com/open-policy-agent/opa from 1.2.0 to 1.3.0 [[#508](https://github.com/opencloud-eu/opencloud/pull/508)]
+- build(deps): bump github.com/urfave/cli/v2 from 2.27.5 to 2.27.6 [[#509](https://github.com/opencloud-eu/opencloud/pull/509)]
+- fix keycloak example #465 [[#535](https://github.com/opencloud-eu/opencloud/pull/535)]
+
 ## [2.0.0](https://github.com/opencloud-eu/opencloud/releases/tag/v2.0.0) - 2025-03-26

 ### ❤️ Thanks to all contributors! ❤️
--- a/2
+++ b/2
@@ -78,8 +78,6 @@ ifneq (, $(shell command -v go 2> /dev/null)) # suppress `command not found warn
 include .bingo/Variables.mk
 endif

-include .make/recursion.mk
-
 .PHONY: help
 help:
 	@echo "Please use 'make <target>' where <target> is one of the following:"
--- a/deployments/examples/bare-metal-simple/README.md
+++ b/deployments/examples/bare-metal-simple/README.md
@@ -26,14 +26,26 @@ This script should **NOT** be run as user root.
 Set the environment variable `OC_VERSION` to the version you want
 to download. If not set, there is a reasonable default. 

+## Data Location
+
+Set the environment variable `OC_BASE_DIR` to a directory where the
+`data` and `config` subdirectories shall be located. Per default,
+both configuration and storage data are within a sandbox subdirectory
+in the current working directory.
+
+## Server Address
+
+Set the environment variable `OC_HOST` to the fully qualified hostname
+of this server to allow remote accesse. Default: `localhost`.
+
 # Example

 Call

 ```
-OC_VERSION="1.0.0" ./install.sh
+OC_VERSION="2.0.0" ./install.sh
 ``` 
-to install the OpenCloud version 1.0.0
+to install the OpenCloud version 2.0.0

 There is also a hosted version of this script that makes it even
 easier:
--- a/deployments/examples/bare-metal-simple/install.sh
+++ b/deployments/examples/bare-metal-simple/install.sh
@@ -34,10 +34,19 @@ function backup_file () {
    fi
 }

+function get_latest_version() {
+     latest_version=$(curl -s https://api.github.com/repos/opencloud-eu/opencloud/releases/latest \
+	     | grep '"tag_name":' \
+	     | awk -F: '{print $2}' \
+         | tr -d ' ",v')
+}
+
 # URL pattern of the download file
 # https://github.com/opencloud-eu/opencloud/releases/download/v1.0.0/opencloud-1.0.0-linux-amd64

-dlversion="${OC_VERSION:-1.1.0}"
+get_latest_version
+
+dlversion="${OC_VERSION:-$latest_version}"
 dlurl="https://github.com/opencloud-eu/opencloud/releases/download/v${dlversion}/"

 sandbox="opencloud-sandbox-${dlversion}"
@@ -69,14 +78,14 @@ echo "Downloading ${dlurl}/${dlfile}"
 curl -L -o "${dlfile}" --progress-bar "${dlurl}/${dlfile}"
 chmod 755 ${dlfile}

-mkdir data config
-
-export OC_CONFIG_DIR="$(pwd)/config"
-export OC_BASE_DATA_PATH="$(pwd)/data"
+basedir="${OC_BASE_DIR:-$(pwd)}"
+export OC_CONFIG_DIR="$basedir/config"
+export OC_BASE_DATA_PATH="$basedir/data"
+mkdir -p "$OC_CONFIG_DIR" "$OC_BASE_DATA_PATH"

 # It is bound to localhost for now to deal with non existing routes
 # to certain host names for example in WSL
-host="localhost"
+host="${OC_HOST:-localhost}"

 ./${dlfile} init --insecure yes --ap admin

--- a/deployments/examples/opencloud_full/.env
+++ b/deployments/examples/opencloud_full/.env
@@ -17,7 +17,9 @@ TRAEFIK_DASHBOARD=
 # Defaults to "traefik.opencloud.test"
 TRAEFIK_DOMAIN=
 # Basic authentication for the traefik dashboard.
-# Defaults to user "admin" and password "admin" (written as: "admin:admin").
+# Defaults to user "admin" and password "admin" (written as: "admin:$2y$05$KDHu3xq92SPaO3G8Ybkc7edd51pPLJcG1nWk3lmlrIdANQ/B6r5pq").
+# To create user:password pair, it's possible to use this command:
+# echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
 TRAEFIK_BASIC_AUTH_USERS=
 # Email address for obtaining LetsEncrypt certificates.
 # Needs only be changed if this is a public facing server.
@@ -62,6 +64,8 @@ LOG_LEVEL=
 # LOG_PRETTY=true
 #
 # Define the openCloud storage location. Set the paths for config and data to a local path.
+# Ensure that the configuration and data directories are owned by the user and group with ID 1000:1000.
+# This matches the default user inside the container and avoids permission issues when accessing files.
 # Note that especially the data directory can grow big.
 # Leaving it default stores data in docker internal volumes.
 # OC_CONFIG_DIR=/your/local/opencloud/config
@@ -98,8 +102,8 @@ MINIO_DOMAIN=
 # Note: the leading colon is required to enable the service.
 #DECOMPOSED=:decomposed.yml

-# Define SMPT settings if you would like to send OpenCloud email notifications.
-# 
+# Define SMTP settings if you would like to send OpenCloud email notifications.
+#
 # NOTE: when configuring Inbucket, these settings have no effect, see inbucket.yml for details.
 # SMTP host to connect to.
 SMTP_HOST=
@@ -114,6 +118,8 @@ SMTP_USERNAME=
 SMTP_PASSWORD=
 # Authentication method for the SMTP communication.
 SMTP_AUTHENTICATION=
+# Encryption method for the SMTP communication. Possible values are 'starttls', 'ssltls' and 'none'
+SMTP_TRANSPORT_ENCRYPTION=
 # Allow insecure connections to the SMTP server. Defaults to false.
 SMTP_INSECURE=

@@ -157,7 +163,7 @@ COMPANION_ONEDRIVE_SECRET=
 ## Default Enabled Services ##

 ### Apache Tika Content Analysis Toolkit ###
-# Tika (search) is enabled by default, comment if not required.
+# Tika (search) is disabled by default due to performance reasons.
 # Note: the leading colon is required to enable the service.
 #TIKA=:tika.yml
 # Set the desired docker image tag or digest.
@@ -176,7 +182,7 @@ COLLABORA=:collabora.yml
 # Domain of Collabora, where you can find the frontend.
 # Defaults to "collabora.opencloud.test"
 COLLABORA_DOMAIN=
-# Domain of the wopiserver which handles OnlyOffice.
+# Domain of the wopiserver which handles Collabora.
 # Defaults to "wopiserver.opencloud.test"
 WOPISERVER_DOMAIN=
 # Admin user for Collabora.
@@ -187,7 +193,8 @@ COLLABORA_ADMIN_USER=
 # Admin password for Collabora.
 # Defaults to "admin".
 COLLABORA_ADMIN_PASSWORD=
-# Set to true to enable SSL for Collabora Online. Default is true if not specified.
+# Set to true to enable SSL handling in Collabora Online, this is only required if you are not using a reverse proxy.
+# Default is true if not specified.
 COLLABORA_SSL_ENABLE=false
 # If you're on an internet-facing server, enable SSL verification for Collabora Online.
 # Please comment out the following line:
@@ -210,20 +217,18 @@ COLLABORA_SSL_VERIFICATION=false
 # envvar in the OpenCloud Settings above by adding 'antivirus' to the list.
 # Note: the leading colon is required to enable the service.
 #CLAMAV=:clamav.yml
+# The maximum scan size the virus scanner can handle, needs adjustment in the scanner config as well.
+# Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.
+# Defaults to "100MB"
+#ANTIVIRUS_MAX_SCAN_SIZE=
+# Usable modes: partial, skip.
+# Defaults to "partial"
+#ANTIVIRUS_MAX_SCAN_SIZE_MODE=
 # Image version of the ClamAV container.
-# Defaults to "latest"
+# Defaults to "latest"y
 CLAMAV_DOCKER_TAG=


-### OnlyOffice Settings ###
-# Note: the leading colon is required to enable the service.
-#ONLYOFFICE=:onlyoffice.yml
-# Domain for OnlyOffice. Defaults to "onlyoffice.opencloud.test".
-ONLYOFFICE_DOMAIN=
-# Domain for the wopiserver which handles OnlyOffice.
-WOPISERVER_ONLYOFFICE_DOMAIN=
-
-
 ### Inbucket Settings ###
 # Inbucket is a mail catcher tool for testing purposes.
 # DO NOT use in Production.
@@ -237,8 +242,71 @@ INBUCKET_DOMAIN=
 # Path separator for supplemental compose files specified in COMPOSE_FILE.
 COMPOSE_PATH_SEPARATOR=:

+### Ldap Settings ###
+# LDAP is always needed for OpenCloud to store user data as there is no relational database.
+# The built-in LDAP server should used for testing purposes or small installations only.
+# For production installations, it is recommended to use an external LDAP server.
+# We are using OpenLDAP as the default LDAP server because it is proven to be stable and reliable.
+# This LDAP configuration is known to work with OpenCloud and provides a blueprint for
+# configuring an external LDAP server based on other products like Microsoft Active Directory or other LDAP servers.
+#
+# Note: the leading colon is required to enable the service.
+#LDAP=:ldap.yml
+# Password of LDAP user "cn=admin,dc=opencloud,dc=eu". Defaults to "admin"
+LDAP_ADMIN_PASSWORD=
+# LDAP manager
+# login with uid ldapadmin and password
+#LDAP_MANAGER=:../shared/config/ldap/docker-compose.yml
+# LDAP manager domain. Defaults to "ldap.opencloud.test"
+LDAP_MANAGER_DOMAIN=
+
+### LibreGraph Connect (lico) IDP ###
+# LibreGraph Connect (lico) implements an OpenID provider (OP) with integrated web login and consent forms.
+# Text hint that appears within the username input field on the sign-in page
+IDP_DEFAULT_SIGNIN_PAGE_TEXT=
+
+### Keycloak Settings ###
+# Keycloak is an open-source identity and access management solution.
+# We are using Keycloak as the default identity provider on production installations.
+# It can be used to federate authentication with other identity providers like
+# Microsoft Entra ID, ADFS or other SAML/OIDC providers.
+# The use of Keycloak as bridge between OpenCloud and other identity providers creates more control over the
+# authentication process, the allowed clients and the session management.
+# Keycloak also manages the Role Based Access Control (RBAC) for OpenCloud.
+# Keycloak can be used in two different modes:
+# 1. Autoprovisioning: New are automatically created in openCloud when they log in for the first time.
+# 2. Shared User Directory: Users are created in Keycloak and can be used in OpenCloud immediately
+# because the LDAP server is connected to both Keycloak and OpenCloud.
+# Note: the leading colon is required to enable the service.
+#KEYCLOAK=:keycloak.yml
+# Domain for Keycloak. Defaults to "keycloak.opencloud.test".
+KEYCLOAK_DOMAIN=
+# Realm which to be used with OpenCloud. Defaults to "OpenCloud"
+KEYCLOAK_REALM=
+# Admin user login name. Defaults to "admin"
+KEYCLOAK_ADMIN_USER=
+# Admin user login password. Defaults to "admin"
+KEYCLOAK_ADMIN_PASSWORD=
+# Autoprovisioning mode. Defaults to "true"
+#KEYCLOAK_AUTOPROVISIONING=:keycloak-autoprovisioning.yml
+
+### Radicale Setting ###
+# Radicale is a small open-source CalDAV (calendars, to-do lists) and CardDAV (contacts) server.
+# When enabled OpenCloud is configured as a reverse proxy for Radicale, providing all authenticated
+# OpenCloud users access to a Personal Calendar and Addressbook
+#RADICALE=:radicale.yml
+# Docker image to use for the Radicale Container
+#RADICALE_DOCKER_IMAGE=opencloudeu/radicale
+# Docker tag to pull for the Radicale Container
+#RADICALE_DOCKER_TAG=latest
+# Define the storage location for the Radicale data. Set the path to a local path.
+# Ensure that the configuration and data directories are owned by the user and group with ID 1000:1000.
+# This matches the default user inside the container and avoids permission issues when accessing files.
+# Leaving it default stores data in docker internal volumes.
+#RADICALE_DATA_DIR=/your/local/radicale/data
+
 ## IMPORTANT ##
 # This MUST be the last line as it assembles the supplemental compose files to be used.
 # ALL supplemental configs must be added here, whether commented or not.
 # Each var must either be empty or contain :path/file.yml
-COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${DECOMPOSED:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${ONLYOFFICE:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}
+COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${DECOMPOSED:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${KEYCLOAK:-}${LDAP:-}${KEYCLOAK_AUTOPROVISIONING:-}${LDAP_MANAGER:-}${RADICALE:-}
--- a/deployments/examples/opencloud_full/README.md
+++ b/deployments/examples/opencloud_full/README.md
@@ -6,12 +6,12 @@ document this deployment example in: docs/opencloud/deployment/opencloud_full.md

 This deployment example is documented in two locations for different audiences:

-* In the [Admin Documentation](https://docs.opencloud.eu/opencloud/latest/index.html)\
+* In the [Admin Documentation](https://docs.opencloud.eu/docs/admin/intro)\
  Providing two variants using detailed configuration step by step guides:\
-  [Local Production Setup](https://docs.opencloud.eu/opencloud/next/depl-examples/ubuntu-compose/ubuntu-compose-prod.html) and [Deploy OpenCloud on the Hetzner Cloud](https://docs.opencloud.eu/opencloud/next/depl-examples/ubuntu-compose/ubuntu-compose-hetzner.html).\
+  [Docker Compose Setup](https://docs.opencloud.eu/docs/admin/getting-started/docker/docker-compose) and [Docker Compose Local](https://docs.opencloud.eu/docs/admin/getting-started/docker/docker-compose-local).\
  Note that these examples use LetsEncrypt certificates and are intended for production use.

-* In the [Developer Documentation](https://docs.opencloud.eu/opencloud/deployment/opencloud_full/)\
+* In the [Developer Documentation](https://docs.opencloud.eu/docs/dev/intro)\
  Providing details which are more developer focused. This description can also be used when deviating from the default.\
  Note that this examples uses self signed certificates and is intended for testing purposes.

--- a/deployments/examples/opencloud_full/clamav.yml
+++ b/deployments/examples/opencloud_full/clamav.yml
@@ -4,6 +4,8 @@ services:
    environment:
      ANTIVIRUS_SCANNER_TYPE: "clamav"
      ANTIVIRUS_CLAMAV_SOCKET: "/var/run/clamav/clamd.sock"
+      ANTIVIRUS_MAX_SCAN_SIZE_MODE: ${ANTIVIRUS_MAX_SCAN_SIZE_MODE:-partial}
+      ANTIVIRUS_MAX_SCAN_SIZE: ${ANTIVIRUS_MAX_SCAN_SIZE:-100MB}
      # the antivirus service needs manual startup, see .env and opencloud.yaml for START_ADDITIONAL_SERVICES
      # configure the antivirus service
      POSTPROCESSING_STEPS: "virusscan"
--- a/deployments/examples/opencloud_full/collabora.yml
+++ b/deployments/examples/opencloud_full/collabora.yml
@@ -53,7 +53,7 @@ services:
    restart: always

  collabora:
-    image: collabora/code:24.04.13.2.1
+    image: collabora/code:25.04.2.1.1
    # release notes: https://www.collaboraonline.com/release-notes/
    networks:
      opencloud-net:
@@ -83,4 +83,5 @@ services:
    entrypoint: ['/bin/bash', '-c']
    command: ['coolconfig generate-proof-key && /start-collabora-online.sh']
    healthcheck:
-      test: [ "CMD", "curl", "-f", "http://localhost:9980/hosting/discovery" ]
+      test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/127.0.0.1/9980 && echo -e 'GET /hosting/discovery HTTP/1.1\r\nHost: localhost:9980\r\n\r\n' >&3 && head -n 1 <&3 | grep '200 OK'"]
+
--- a/deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudAndroid.json
+++ b/deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudAndroid.json
@@ -0,0 +1,63 @@
+{
+  "clientId": "OpenCloudAndroid",
+  "name": "OpenCloud Android App",
+  "surrogateAuthRequired": false,
+  "enabled": true,
+  "alwaysDisplayInConsole": false,
+  "clientAuthenticatorType": "client-secret",
+  "redirectUris": [
+    "oc://android.opencloud.eu"
+  ],
+  "webOrigins": [],
+  "notBefore": 0,
+  "bearerOnly": false,
+  "consentRequired": false,
+  "standardFlowEnabled": true,
+  "implicitFlowEnabled": false,
+  "directAccessGrantsEnabled": true,
+  "serviceAccountsEnabled": false,
+  "publicClient": true,
+  "frontchannelLogout": false,
+  "protocol": "openid-connect",
+  "attributes": {
+    "saml.assertion.signature": "false",
+    "saml.force.post.binding": "false",
+    "saml.multivalued.roles": "false",
+    "saml.encrypt": "false",
+    "post.logout.redirect.uris": "oc://android.opencloud.eu",
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "saml.server.signature": "false",
+    "saml.server.signature.keyinfo.ext": "false",
+    "exclude.session.state.from.auth.response": "false",
+    "backchannel.logout.session.required": "true",
+    "client_credentials.use_refresh_token": "false",
+    "saml_force_name_id_format": "false",
+    "saml.client.signature": "false",
+    "tls.client.certificate.bound.access.tokens": "false",
+    "saml.authnstatement": "false",
+    "display.on.consent.screen": "false",
+    "saml.onetimeuse.condition": "false"
+  },
+  "authenticationFlowBindingOverrides": {},
+  "fullScopeAllowed": true,
+  "nodeReRegistrationTimeout": -1,
+  "defaultClientScopes": [
+    "web-origins",
+    "profile",
+    "roles",
+    "groups",
+    "basic",
+    "email"
+  ],
+  "optionalClientScopes": [
+    "address",
+    "phone",
+    "offline_access",
+    "microprofile-jwt"
+  ],
+  "access": {
+    "view": true,
+    "configure": true,
+    "manage": true
+  }
+}
--- a/deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudDesktop.json
+++ b/deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudDesktop.json
@@ -0,0 +1,64 @@
+{
+  "clientId": "OpenCloudDesktop",
+  "name": "OpenCloud Desktop Client",
+  "surrogateAuthRequired": false,
+  "enabled": true,
+  "alwaysDisplayInConsole": false,
+  "clientAuthenticatorType": "client-secret",
+  "redirectUris": [
+    "http://127.0.0.1",
+    "http://localhost"
+  ],
+  "webOrigins": [],
+  "notBefore": 0,
+  "bearerOnly": false,
+  "consentRequired": false,
+  "standardFlowEnabled": true,
+  "implicitFlowEnabled": false,
+  "directAccessGrantsEnabled": true,
+  "serviceAccountsEnabled": false,
+  "publicClient": true,
+  "frontchannelLogout": false,
+  "protocol": "openid-connect",
+  "attributes": {
+    "saml.assertion.signature": "false",
+    "saml.force.post.binding": "false",
+    "saml.multivalued.roles": "false",
+    "saml.encrypt": "false",
+    "post.logout.redirect.uris": "+",
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "saml.server.signature": "false",
+    "saml.server.signature.keyinfo.ext": "false",
+    "exclude.session.state.from.auth.response": "false",
+    "backchannel.logout.session.required": "true",
+    "client_credentials.use_refresh_token": "false",
+    "saml_force_name_id_format": "false",
+    "saml.client.signature": "false",
+    "tls.client.certificate.bound.access.tokens": "false",
+    "saml.authnstatement": "false",
+    "display.on.consent.screen": "false",
+    "saml.onetimeuse.condition": "false"
+  },
+  "authenticationFlowBindingOverrides": {},
+  "fullScopeAllowed": true,
+  "nodeReRegistrationTimeout": -1,
+  "defaultClientScopes": [
+    "web-origins",
+    "profile",
+    "roles",
+    "groups",
+    "basic",
+    "email"
+  ],
+  "optionalClientScopes": [
+    "address",
+    "phone",
+    "offline_access",
+    "microprofile-jwt"
+  ],
+  "access": {
+    "view": true,
+    "configure": true,
+    "manage": true
+  }
+}
--- a/deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudIOS.json
+++ b/deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudIOS.json
@@ -0,0 +1,63 @@
+{
+  "clientId": "OpenCloudIOS",
+  "name": "OpenCloud iOS App",
+  "surrogateAuthRequired": false,
+  "enabled": true,
+  "alwaysDisplayInConsole": false,
+  "clientAuthenticatorType": "client-secret",
+  "redirectUris": [
+    "oc://ios.opencloud.eu"
+  ],
+  "webOrigins": [],
+  "notBefore": 0,
+  "bearerOnly": false,
+  "consentRequired": false,
+  "standardFlowEnabled": true,
+  "implicitFlowEnabled": false,
+  "directAccessGrantsEnabled": true,
+  "serviceAccountsEnabled": false,
+  "publicClient": true,
+  "frontchannelLogout": false,
+  "protocol": "openid-connect",
+  "attributes": {
+    "saml.assertion.signature": "false",
+    "saml.force.post.binding": "false",
+    "saml.multivalued.roles": "false",
+    "saml.encrypt": "false",
+    "post.logout.redirect.uris": "oc://ios.opencloud.eu",
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "saml.server.signature": "false",
+    "saml.server.signature.keyinfo.ext": "false",
+    "exclude.session.state.from.auth.response": "false",
+    "backchannel.logout.session.required": "true",
+    "client_credentials.use_refresh_token": "false",
+    "saml_force_name_id_format": "false",
+    "saml.client.signature": "false",
+    "tls.client.certificate.bound.access.tokens": "false",
+    "saml.authnstatement": "false",
+    "display.on.consent.screen": "false",
+    "saml.onetimeuse.condition": "false"
+  },
+  "authenticationFlowBindingOverrides": {},
+  "fullScopeAllowed": true,
+  "nodeReRegistrationTimeout": -1,
+  "defaultClientScopes": [
+    "web-origins",
+    "profile",
+    "roles",
+    "groups",
+    "basic",
+    "email"
+  ],
+  "optionalClientScopes": [
+    "address",
+    "phone",
+    "offline_access",
+    "microprofile-jwt"
+  ],
+  "access": {
+    "view": true,
+    "configure": true,
+    "manage": true
+  }
+}
--- a/deployments/examples/opencloud_full/config/keycloak/clients/cyberduck.json
+++ b/deployments/examples/opencloud_full/config/keycloak/clients/cyberduck.json
@@ -0,0 +1,66 @@
+{
+  "clientId": "Cyberduck",
+  "name": "Cyberduck",
+  "description": "File transfer utility client",
+  "surrogateAuthRequired": false,
+  "enabled": true,
+  "alwaysDisplayInConsole": false,
+  "clientAuthenticatorType": "client-secret",
+  "redirectUris": [
+    "x-cyberduck-action:oauth",
+    "x-mountainduck-action:oauth"
+  ],
+  "webOrigins": [],
+  "notBefore": 0,
+  "bearerOnly": false,
+  "consentRequired": false,
+  "standardFlowEnabled": true,
+  "implicitFlowEnabled": false,
+  "directAccessGrantsEnabled": true,
+  "serviceAccountsEnabled": false,
+  "publicClient": true,
+  "frontchannelLogout": false,
+  "protocol": "openid-connect",
+  "attributes": {
+    "saml.assertion.signature": "false",
+    "saml.force.post.binding": "false",
+    "saml.multivalued.roles": "false",
+    "saml.encrypt": "false",
+    "oauth2.device.authorization.grant.enabled": "false",
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "saml.server.signature": "false",
+    "saml.server.signature.keyinfo.ext": "false",
+    "exclude.session.state.from.auth.response": "false",
+    "oidc.ciba.grant.enabled": "false",
+    "backchannel.logout.session.required": "true",
+    "client_credentials.use_refresh_token": "false",
+    "saml_force_name_id_format": "false",
+    "saml.client.signature": "false",
+    "tls.client.certificate.bound.access.tokens": "false",
+    "saml.authnstatement": "false",
+    "display.on.consent.screen": "false",
+    "saml.onetimeuse.condition": "false"
+  },
+  "authenticationFlowBindingOverrides": {},
+  "fullScopeAllowed": true,
+  "nodeReRegistrationTimeout": -1,
+  "defaultClientScopes": [
+    "web-origins",
+    "profile",
+    "roles",
+    "groups",
+    "basic",
+    "email"
+  ],
+  "optionalClientScopes": [
+    "address",
+    "phone",
+    "offline_access",
+    "microprofile-jwt"
+  ],
+  "access": {
+    "view": true,
+    "configure": true,
+    "manage": true
+  }
+}
--- a/deployments/examples/opencloud_full/config/keycloak/clients/web.json
+++ b/deployments/examples/opencloud_full/config/keycloak/clients/web.json
@@ -0,0 +1,74 @@
+{
+  "clientId": "web",
+  "name": "OpenCloud Web App",
+  "description": "",
+  "rootUrl": "{{OC_URL}}",
+  "adminUrl": "{{OC_URL}}",
+  "baseUrl": "",
+  "surrogateAuthRequired": false,
+  "enabled": true,
+  "alwaysDisplayInConsole": false,
+  "clientAuthenticatorType": "client-secret",
+  "redirectUris": [
+    "{{OC_URL}}/",
+    "{{OC_URL}}/oidc-callback.html",
+    "{{OC_URL}}/oidc-silent-redirect.html"
+  ],
+  "webOrigins": [
+    "{{OC_URL}}"
+  ],
+  "notBefore": 0,
+  "bearerOnly": false,
+  "consentRequired": false,
+  "standardFlowEnabled": true,
+  "implicitFlowEnabled": false,
+  "directAccessGrantsEnabled": true,
+  "serviceAccountsEnabled": false,
+  "publicClient": true,
+  "frontchannelLogout": false,
+  "protocol": "openid-connect",
+  "attributes": {
+    "saml.assertion.signature": "false",
+    "saml.force.post.binding": "false",
+    "saml.multivalued.roles": "false",
+    "saml.encrypt": "false",
+    "post.logout.redirect.uris": "+",
+    "oauth2.device.authorization.grant.enabled": "false",
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "saml.server.signature": "false",
+    "saml.server.signature.keyinfo.ext": "false",
+    "exclude.session.state.from.auth.response": "false",
+    "oidc.ciba.grant.enabled": "false",
+    "backchannel.logout.url": "{{OC_URL}}/backchannel_logout",
+    "backchannel.logout.session.required": "true",
+    "client_credentials.use_refresh_token": "false",
+    "saml_force_name_id_format": "false",
+    "saml.client.signature": "false",
+    "tls.client.certificate.bound.access.tokens": "false",
+    "saml.authnstatement": "false",
+    "display.on.consent.screen": "false",
+    "saml.onetimeuse.condition": "false"
+  },
+  "authenticationFlowBindingOverrides": {},
+  "fullScopeAllowed": true,
+  "nodeReRegistrationTimeout": -1,
+  "defaultClientScopes": [
+    "web-origins",
+    "profile",
+    "roles",
+    "groups",
+    "basic",
+    "email"
+  ],
+  "optionalClientScopes": [
+    "address",
+    "phone",
+    "offline_access",
+    "microprofile-jwt"
+  ],
+  "access": {
+    "view": true,
+    "configure": true,
+    "manage": true
+  }
+}
--- a/deployments/examples/opencloud_full/config/keycloak/docker-entrypoint-override.sh
+++ b/deployments/examples/opencloud_full/config/keycloak/docker-entrypoint-override.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+printenv
+# replace openCloud domain and LDAP password in keycloak realm import
+mkdir /opt/keycloak/data/import
+sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/opencloud-realm.json > /opt/keycloak/data/import/opencloud-realm.json
+
+# run original docker-entrypoint
+/opt/keycloak/bin/kc.sh "$@"
--- a/deployments/examples/opencloud_full/config/keycloak/opencloud-realm-autoprovisioning.dist.json
+++ b/deployments/examples/opencloud_full/config/keycloak/opencloud-realm-autoprovisioning.dist.json
--- a/deployments/examples/opencloud_full/config/keycloak/opencloud-realm.dist.json
+++ b/deployments/examples/opencloud_full/config/keycloak/opencloud-realm.dist.json
--- a/deployments/examples/opencloud_full/config/ldap/docker-entrypoint-override.sh
+++ b/deployments/examples/opencloud_full/config/ldap/docker-entrypoint-override.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+printenv
+
+if [ ! -f /opt/bitnami/openldap/share/openldap.key ]
+then	
+	openssl req -x509 -newkey rsa:4096 -keyout /opt/bitnami/openldap/share/openldap.key -out /opt/bitnami/openldap/share/openldap.crt -sha256 -days 365 -batch -nodes
+fi
+# run original docker-entrypoint
+/opt/bitnami/scripts/openldap/entrypoint.sh "$@"
--- a/deployments/examples/opencloud_full/config/ldap/ldif/10_base.ldif
+++ b/deployments/examples/opencloud_full/config/ldap/ldif/10_base.ldif
@@ -0,0 +1,24 @@
+dn: dc=opencloud,dc=eu
+objectClass: organization
+objectClass: dcObject
+dc: opencloud
+o: openCloud
+
+dn: ou=users,dc=opencloud,dc=eu
+objectClass: organizationalUnit
+ou: users
+
+dn: cn=admin,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: person
+cn: admin
+sn: admin
+uid: ldapadmin
+
+dn: ou=groups,dc=opencloud,dc=eu
+objectClass: organizationalUnit
+ou: groups
+
+dn: ou=custom,ou=groups,dc=opencloud,dc=eu
+objectClass: organizationalUnit
+ou: custom
--- a/deployments/examples/opencloud_full/config/ldap/ldif/20_users.ldif
+++ b/deployments/examples/opencloud_full/config/ldap/ldif/20_users.ldif
@@ -0,0 +1,84 @@
+# Start dn with uid (user identifier / login), not cn (Firstname + Surname)
+dn: uid=alan,ou=users,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+uid: alan
+givenName: Alan
+sn: Turing
+cn: alan
+displayName: Alan Turing
+description:  An English mathematician, computer scientist, logician, cryptanalyst, philosopher and theoretical biologist. He was highly influential in the development of theoretical computer science, providing a formalisation of the concepts of algorithm and computation with the Turing machine.
+mail: alan@example.org
+userPassword:: e1NTSEF9Y2ZMdVlqMTBDUFpLWE44VC9mQ0FzYnFHQmtyZExJeGg=
+
+dn: uid=lynn,ou=users,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+uid: lynn
+givenName: Lynn
+sn: Conway
+cn: lynn
+displayName: Lynn Conway
+description:  An American computer scientist, electrical engineer, and transgender activist.
+mail: lynn@example.org
+userPassword:: e1NTSEF9Y2ZMdVlqMTBDUFpLWE44VC9mQ0FzYnFHQmtyZExJeGg=
+
+dn: uid=mary,ou=users,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+uid: mary
+givenName: Mary
+sn: Kenneth Keller
+cn: mary
+displayName: Mary Kenneth Keller
+description: Mary Kenneth Keller of the Sisters of Charity of the Blessed Virgin Mary was a pioneer in computer science.
+mail: mary@example.org
+userPassword:: e1NTSEF9Y2ZMdVlqMTBDUFpLWE44VC9mQ0FzYnFHQmtyZExJeGg=
+
+dn: uid=margaret,ou=users,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+uid: margaret
+givenName: Margaret
+sn: Hamilton
+cn: margaret
+displayName: Margaret Hamilton
+description: A director of the Software Engineering Division of the MIT Instrumentation Laboratory, which developed on-board flight software for NASA's Apollo program.
+mail: margaret@example.org
+userPassword:: e1NTSEF9Y2ZMdVlqMTBDUFpLWE44VC9mQ0FzYnFHQmtyZExJeGg=
+
+dn: uid=dennis,ou=users,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+uid: dennis
+givenName: Dennis
+sn: Ritchie
+cn: dennis
+displayName: Dennis Ritchie
+description: American computer scientist. He created the C programming language and the Unix operating system and B language with long-time colleague Ken Thompson.
+mail: dennis@example.org
+userPassword:: e1NTSEF9Y2ZMdVlqMTBDUFpLWE44VC9mQ0FzYnFHQmtyZExJeGg=
+
+dn: uid=admin,ou=users,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+uid: admin
+givenName: Admin
+sn: Admin
+cn: admin
+displayName: Admin
+description: An admin for this OpenCloud instance.
+mail: admin@example.org
+userPassword:: e1NTSEF9UWhmaFB3dERydTUydURoWFFObDRMbzVIckI3TkI5Nmo==
--- a/deployments/examples/opencloud_full/config/ldap/ldif/30_groups.ldif
+++ b/deployments/examples/opencloud_full/config/ldap/ldif/30_groups.ldif
@@ -0,0 +1,70 @@
+dn: cn=users,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: users
+description: Users
+member: uid=alan,ou=users,dc=opencloud,dc=eu
+member: uid=mary,ou=users,dc=opencloud,dc=eu
+member: uid=margaret,ou=users,dc=opencloud,dc=eu
+member: uid=dennis,ou=users,dc=opencloud,dc=eu
+member: uid=lynn,ou=users,dc=opencloud,dc=eu
+member: uid=admin,ou=users,dc=opencloud,dc=eu
+
+dn: cn=chess-lovers,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: chess-lovers
+description: Chess lovers
+member: uid=alan,ou=users,dc=opencloud,dc=eu
+
+dn: cn=machine-lovers,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: machine-lovers
+description: Machine Lovers
+member: uid=alan,ou=users,dc=opencloud,dc=eu
+
+dn: cn=bible-readers,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: bible-readers
+description: Bible readers
+member: uid=mary,ou=users,dc=opencloud,dc=eu
+
+dn: cn=apollos,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: apollos
+description: Contributors to the Appollo mission
+member: uid=margaret,ou=users,dc=opencloud,dc=eu
+
+dn: cn=unix-lovers,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: unix-lovers
+description: Unix lovers
+member: uid=dennis,ou=users,dc=opencloud,dc=eu
+
+dn: cn=basic-haters,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: basic-haters
+description: Haters of the Basic programming language
+member: uid=dennis,ou=users,dc=opencloud,dc=eu
+
+dn: cn=vlsi-lovers,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: vlsi-lovers
+description: Lovers of VLSI microchip design
+member: uid=lynn,ou=users,dc=opencloud,dc=eu
+
+dn: cn=programmers,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: programmers
+description: Computer Programmers
+member: uid=alan,ou=users,dc=opencloud,dc=eu
+member: uid=margaret,ou=users,dc=opencloud,dc=eu
+member: uid=dennis,ou=users,dc=opencloud,dc=eu
+member: uid=lynn,ou=users,dc=opencloud,dc=eu
--- a/deployments/examples/opencloud_full/config/onlyoffice/entrypoint-override.sh
+++ b/deployments/examples/opencloud_full/config/onlyoffice/entrypoint-override.sh
@@ -1,7 +0,0 @@
-#!/bin/sh
-set -e
-
-# we can't mount it directly because the run-document-server.sh script wants to move it
-cp /etc/onlyoffice/documentserver/local.dist.json /etc/onlyoffice/documentserver/local.json
-
-/app/ds/run-document-server.sh
--- a/deployments/examples/opencloud_full/config/onlyoffice/local.json
+++ b/deployments/examples/opencloud_full/config/onlyoffice/local.json
@@ -1,71 +0,0 @@
-{
-  "services": {
-    "CoAuthoring": {
-      "sql": {
-        "type": "postgres",
-        "dbHost": "localhost",
-        "dbPort": "5432",
-        "dbName": "onlyoffice",
-        "dbUser": "onlyoffice",
-        "dbPass": "onlyoffice"
-      },
-      "token": {
-        "enable": {
-          "request": {
-            "inbox": true,
-            "outbox": true
-          },
-          "browser": true
-        },
-        "inbox": {
-          "header": "Authorization"
-        },
-        "outbox": {
-          "header": "Authorization"
-        }
-      },
-      "secret": {
-        "inbox": {
-          "string": "B8LjkNqGxn6gf8bkuBUiMwyuCFwFddnu"
-        },
-        "outbox": {
-          "string": "B8LjkNqGxn6gf8bkuBUiMwyuCFwFddnu"
-        },
-        "session": {
-          "string": "B8LjkNqGxn6gf8bkuBUiMwyuCFwFddnu"
-        }
-      }
-    }
-  },
-  "rabbitmq": {
-    "url": "amqp://guest:guest@localhost"
-  },
-  "FileConverter": {
-		"converter": {
-			"inputLimits": [
-				{
-				"type": "docx;dotx;docm;dotm",
-				"zip": {
-					"uncompressed": "1GB",
-					"template": "*.xml"
-				}
-				},
-				{
-				"type": "xlsx;xltx;xlsm;xltm",
-				"zip": {
-					"uncompressed": "1GB",
-					"template": "*.xml"
-				}
-				},
-				{
-				"type": "pptx;ppsx;potx;pptm;ppsm;potm",
-				"zip": {
-					"uncompressed": "1GB",
-					"template": "*.xml"
-				}
-				}
-			]
-		}
-	}
-
-}
--- a/deployments/examples/opencloud_full/config/opencloud/app-registry.yaml
+++ b/deployments/examples/opencloud_full/config/opencloud/app-registry.yaml
@@ -12,49 +12,49 @@ app_registry:
    name: OpenDocument
    description: OpenDocument text document
    icon: ''
-    default_app: Collabora
+    default_app: CollaboraOnline
    allow_creation: true
  - mime_type: application/vnd.oasis.opendocument.spreadsheet
    extension: ods
    name: OpenSpreadsheet
    description: OpenDocument spreadsheet document
    icon: ''
-    default_app: Collabora
+    default_app: CollaboraOnline
    allow_creation: true
  - mime_type: application/vnd.oasis.opendocument.presentation
    extension: odp
    name: OpenPresentation
    description: OpenDocument presentation document
    icon: ''
-    default_app: Collabora
+    default_app: CollaboraOnline
    allow_creation: true
  - mime_type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
    extension: docx
    name: Microsoft Word
    description: Microsoft Word document
    icon: ''
-    default_app: OnlyOffice
+    default_app: CollaboraOnline
    allow_creation: true
  - mime_type: application/vnd.openxmlformats-officedocument.wordprocessingml.form
    extension: docxf
    name: Form Document
    description: Form Document
    icon: ''
-    default_app: OnlyOffice
+    default_app: CollaboraOnline
    allow_creation: true
  - mime_type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
    extension: xlsx
    name: Microsoft Excel
    description: Microsoft Excel document
    icon: ''
-    default_app: OnlyOffice
+    default_app: CollaboraOnline
    allow_creation: true
  - mime_type: application/vnd.openxmlformats-officedocument.presentationml.presentation
    extension: pptx
    name: Microsoft PowerPoint
    description: Microsoft PowerPoint document
    icon: ''
-    default_app: OnlyOffice
+    default_app: CollaboraOnline
    allow_creation: true
  - mime_type: application/vnd.jupyter
    extension: ipynb
--- a/deployments/examples/opencloud_full/config/opencloud/csp.yaml
+++ b/deployments/examples/opencloud_full/config/opencloud/csp.yaml
@@ -7,6 +7,7 @@ directives:
    - 'https://${COMPANION_DOMAIN|companion.opencloud.test}/'
    - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
+    - 'https://${KEYCLOAK_DOMAIN|keycloak.opencloud.test}/'
  default-src:
    - '''none'''
  font-src:
@@ -18,7 +19,6 @@ directives:
    - 'blob:'
    - 'https://embed.diagrams.net/'
    # In contrary to bash and docker the default is given after the | character
-    - 'https://${ONLYOFFICE_DOMAIN|onlyoffice.opencloud.test}/'
    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
    # This is needed for the external-sites web extension when embedding sites
    - 'https://docs.opencloud.eu'
@@ -28,7 +28,6 @@ directives:
    - 'blob:'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
    # In contrary to bash and docker the default is given after the | character
-    - 'https://${ONLYOFFICE_DOMAIN|onlyoffice.opencloud.test}/'
    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
  manifest-src:
    - '''self'''
--- a/deployments/examples/opencloud_full/config/opencloud/proxy.yaml
+++ b/deployments/examples/opencloud_full/config/opencloud/proxy.yaml
@@ -0,0 +1,40 @@
+# This adds four additional routes to the proxy. Forwarding
+# request on '/carddav/', '/caldav/' and the respective '/.well-knwown'
+# endpoints to the radicale container and setting the required headers.
+additional_policies:
+  - name: default
+    routes:
+      - endpoint: /caldav/
+        backend: http://radicale:5232
+        remote_user_header: X-Remote-User
+        skip_x_access_token: true
+        additional_headers:
+          - X-Script-Name: /caldav
+      - endpoint: /.well-known/caldav
+        backend: http://radicale:5232
+        remote_user_header: X-Remote-User
+        skip_x_access_token: true
+        additional_headers:
+          - X-Script-Name: /caldav
+      - endpoint: /carddav/
+        backend: http://radicale:5232
+        remote_user_header: X-Remote-User
+        skip_x_access_token: true
+        additional_headers:
+          - X-Script-Name: /carddav
+      - endpoint: /.well-known/carddav
+        backend: http://radicale:5232
+        remote_user_header: X-Remote-User
+        skip_x_access_token: true
+        additional_headers:
+          - X-Script-Name: /carddav
+# To enable the radicale web UI add this rule.
+# "unprotected" is True because the Web UI itself ask for
+# the password.
+# Also set "type" to "internal" in the config/radicale/config
+#      - endpoint: /caldav/.web/
+#        backend: http://radicale:5232/
+#        unprotected: true
+#        skip_x_access_token: true
+#        additional_headers:
+#          - X-Script-Name: /caldav
--- a/deployments/examples/opencloud_full/config/radicale/config
+++ b/deployments/examples/opencloud_full/config/radicale/config
@@ -0,0 +1,325 @@
+# -*- mode: conf -*-
+# vim:ft=cfg
+
+# Config file for Radicale - A simple calendar server
+#
+# Place it into /etc/radicale/config (global)
+# or ~/.config/radicale/config (user)
+#
+# The current values are the default ones
+
+
+[server]
+
+# CalDAV server hostnames separated by a comma
+# IPv4 syntax: address:port
+# IPv6 syntax: [address]:port
+# Hostname syntax (using "getaddrinfo" to resolve to IPv4/IPv6 adress(es)): hostname:port
+# For example: 0.0.0.0:9999, [::]:9999, localhost:9999
+hosts = 0.0.0.0:5232
+
+# Max parallel connections
+#max_connections = 8
+
+# Max size of request body (bytes)
+#max_content_length = 100000000
+
+# Socket timeout (seconds)
+#timeout = 30
+
+# SSL flag, enable HTTPS protocol
+#ssl = False
+
+# SSL certificate path
+#certificate = /etc/ssl/radicale.cert.pem
+
+# SSL private key
+#key = /etc/ssl/radicale.key.pem
+
+# CA certificate for validating clients. This can be used to secure
+# TCP traffic between Radicale and a reverse proxy
+#certificate_authority =
+
+# SSL protocol, secure configuration: ALL -SSLv3 -TLSv1 -TLSv1.1
+#protocol = (default)
+
+# SSL ciphersuite, secure configuration: DHE:ECDHE:-NULL:-SHA (see also "man openssl-ciphers")
+#ciphersuite = (default)
+
+# script name to strip from URI if called by reverse proxy
+#script_name = (default taken from HTTP_X_SCRIPT_NAME or SCRIPT_NAME)
+
+
+[encoding]
+
+# Encoding for responding requests
+#request = utf-8
+
+# Encoding for storing local collections
+#stock = utf-8
+
+
+[auth]
+
+# Authentication method
+# Value: none | htpasswd | remote_user | http_x_remote_user | dovecot | ldap | oauth2 | pam | denyall
+type = http_x_remote_user
+
+# Cache logins for until expiration time
+#cache_logins = false
+
+# Expiration time for caching successful logins in seconds
+#cache_successful_logins_expiry = 15
+
+## Expiration time of caching failed logins in seconds
+#cache_failed_logins_expiry = 90
+
+# Ignore modifyTimestamp and createTimestamp attributes. Required e.g. for Authentik LDAP server
+#ldap_ignore_attribute_create_modify_timestamp = false
+
+# URI to the LDAP server
+#ldap_uri = ldap://localhost
+
+# The base DN where the user accounts have to be searched
+#ldap_base = ##BASE_DN##
+
+# The reader DN of the LDAP server
+#ldap_reader_dn = CN=ldapreader,CN=Users,##BASE_DN##
+
+# Password of the reader DN
+#ldap_secret = ldapreader-secret
+
+# Path of the file containing password of the reader DN
+#ldap_secret_file = /run/secrets/ldap_password
+
+# the attribute to read the group memberships from in the user's LDAP entry (default: not set)
+#ldap_groups_attribute = memberOf
+
+# The filter to find the DN of the user. This filter must contain a python-style placeholder for the login
+#ldap_filter = (&(objectClass=person)(uid={0}))
+
+# the attribute holding the value to be used as username after authentication
+#ldap_user_attribute = cn
+
+# Use ssl on the ldap connection
+# Soon to be deprecated, use ldap_security instead
+#ldap_use_ssl = False
+
+# the encryption mode to be used: tls, starttls, default is none
+#ldap_security = none
+
+# The certificate verification mode. Works for ssl and starttls. NONE, OPTIONAL, default is REQUIRED
+#ldap_ssl_verify_mode = REQUIRED
+
+# The path to the CA file in pem format which is used to certificate the server certificate
+#ldap_ssl_ca_file =
+
+# Connection type for dovecot authentication (AF_UNIX|AF_INET|AF_INET6)
+# Note: credentials are transmitted in cleartext
+#dovecot_connection_type = AF_UNIX
+
+# The path to the Dovecot client authentication socket (eg. /run/dovecot/auth-client on Fedora). Radicale must have read / write access to the socket.
+#dovecot_socket = /var/run/dovecot/auth-client
+
+# Host of via network exposed dovecot socket
+#dovecot_host = localhost
+
+# Port of via network exposed dovecot socket
+#dovecot_port = 12345
+
+# IMAP server hostname
+# Syntax: address | address:port | [address]:port | imap.server.tld
+#imap_host = localhost
+
+# Secure the IMAP connection
+# Value: tls | starttls | none
+#imap_security = tls
+
+# OAuth2 token endpoint URL
+#oauth2_token_endpoint = <URL>
+
+# PAM service
+#pam_serivce = radicale
+
+# PAM group user should be member of
+#pam_group_membership =
+
+# Htpasswd filename
+#htpasswd_filename = /etc/radicale/users
+
+# Htpasswd encryption method
+# Value: plain | bcrypt | md5 | sha256 | sha512 | autodetect
+# bcrypt requires the installation of 'bcrypt' module.
+#htpasswd_encryption = autodetect
+
+# Enable caching of htpasswd file based on size and mtime_ns
+#htpasswd_cache = False
+
+# Incorrect authentication delay (seconds)
+#delay = 1
+
+# Message displayed in the client when a password is needed
+#realm = Radicale - Password Required
+
+# Convert username to lowercase, must be true for case-insensitive auth providers
+#lc_username = False
+
+# Strip domain name from username
+#strip_domain = False
+
+
+[rights]
+
+# Rights backend
+# Value: authenticated | owner_only | owner_write | from_file
+#type = owner_only
+
+# File for rights management from_file
+#file = /etc/radicale/rights
+
+# Permit delete of a collection (global)
+#permit_delete_collection = True
+
+# Permit overwrite of a collection (global)
+#permit_overwrite_collection = True
+
+
+[storage]
+
+# Storage backend
+# Value: multifilesystem | multifilesystem_nolock
+#type = multifilesystem
+
+# Folder for storing local collections, created if not present
+#filesystem_folder = /var/lib/radicale/collections
+
+# Folder for storing cache of local collections, created if not present
+# Note: only used in case of use_cache_subfolder_* options are active
+# Note: can be used on multi-instance setup to cache files on local node (see below)
+#filesystem_cache_folder = (filesystem_folder)
+
+# Use subfolder 'collection-cache' for 'item' cache file structure instead of inside collection folder
+# Note: can be used on multi-instance setup to cache 'item' on local node
+#use_cache_subfolder_for_item = False
+
+# Use subfolder 'collection-cache' for 'history' cache file structure instead of inside collection folder
+# Note: use only on single-instance setup, will break consistency with client in multi-instance setup
+#use_cache_subfolder_for_history = False
+
+# Use subfolder 'collection-cache' for 'sync-token' cache file structure instead of inside collection folder
+# Note: use only on single-instance setup, will break consistency with client in multi-instance setup
+#use_cache_subfolder_for_synctoken = False
+
+# Use last modifiction time (nanoseconds) and size (bytes) for 'item' cache instead of SHA256 (improves speed)
+# Note: check used filesystem mtime precision before enabling
+# Note: conversion is done on access, bulk conversion can be done offline using storage verification option: radicale --verify-storage
+#use_mtime_and_size_for_item_cache = False
+
+# Use configured umask for folder creation (not applicable for OS Windows)
+# Useful value: 0077 | 0027 | 0007 | 0022
+#folder_umask = (system default, usual 0022)
+
+# Delete sync token that are older (seconds)
+#max_sync_token_age = 2592000
+
+# Skip broken item instead of triggering an exception
+#skip_broken_item = True
+
+# Command that is run after changes to storage, default is emtpy
+#  Supported placeholders:
+#   %(user)s: logged-in user
+#   %(cwd)s : current working directory
+#   %(path)s: full path of item
+#  Command will be executed with base directory defined in filesystem_folder
+#  For "git" check DOCUMENTATION.md for bootstrap instructions
+# Example(test): echo \"user=%(user)s path=%(path)s cwd=%(cwd)s\"
+# Example(git): git add -A && (git diff --cached --quiet || git commit -m "Changes by \"%(user)s\"")
+#hook =
+
+# Create predefined user collections
+#
+# json format:
+#
+#  {
+#    "def-addressbook": {
+#       "D:displayname": "Personal Address Book",
+#       "tag": "VADDRESSBOOK"
+#    },
+#    "def-calendar": {
+#       "C:supported-calendar-component-set": "VEVENT,VJOURNAL,VTODO",
+#       "D:displayname": "Personal Calendar",
+#       "tag": "VCALENDAR"
+#    }
+#  }
+#
+predefined_collections = {
+    "def-addressbook": {
+       "D:displayname": "Personal Address Book",
+       "tag": "VADDRESSBOOK"
+    },
+    "def-calendar": {
+       "C:supported-calendar-component-set": "VEVENT,VJOURNAL,VTODO",
+       "D:displayname": "Personal Calendar",
+       "tag": "VCALENDAR"
+    }
+  }
+
+
+[web]
+
+# Web interface backend
+# Value: none | internal
+type = none
+
+
+[logging]
+
+# Threshold for the logger
+# Value: debug | info | warning | error | critical
+#level = info
+
+# Don't include passwords in logs
+#mask_passwords = True
+
+# Log bad PUT request content
+#bad_put_request_content = False
+
+# Log backtrace on level=debug
+#backtrace_on_debug = False
+
+# Log request header on level=debug
+#request_header_on_debug = False
+
+# Log request content on level=debug
+#request_content_on_debug = False
+
+# Log response content on level=debug
+#response_content_on_debug = False
+
+# Log rights rule which doesn't match on level=debug
+#rights_rule_doesnt_match_on_debug = False
+
+# Log storage cache actions on level=debug
+#storage_cache_actions_on_debug = False
+
+[headers]
+
+# Additional HTTP headers
+#Access-Control-Allow-Origin = *
+
+
+[hook]
+
+# Hook types
+# Value: none | rabbitmq
+#type = none
+#rabbitmq_endpoint =
+#rabbitmq_topic =
+#rabbitmq_queue_type = classic
+
+
+[reporting]
+
+# When returning a free-busy report, limit the number of returned
+# occurences per event to prevent DOS attacks.
+#max_freebusy_occurrence = 10000
--- a/deployments/examples/opencloud_full/keycloak-autoprovisioning.yml
+++ b/deployments/examples/opencloud_full/keycloak-autoprovisioning.yml
@@ -0,0 +1,41 @@
+---
+services:
+  opencloud:
+    environment:
+      # Keycloak IDP specific configuration for auto-provisioning
+      OC_LDAP_SERVER_WRITE_ENABLED: "true"
+      PROXY_AUTOPROVISION_ACCOUNTS: "true"
+      # Use the `sub` claim from keycloak for the user ID
+      # Keycloak uses the keycloak user ID as the `sub` claim
+      PROXY_USER_OIDC_CLAIM: "sub"
+      # Use the `sub` claim as identifier during autoprovisioning
+      # That mitigates problems when a user is renamed in keycloak
+      PROXY_AUTOPROVISION_CLAIM_USERNAME: "sub"
+      PROXY_USER_CS3_CLAIM: "username"
+      # This triggers the creation of the opencloudUUID during the provisioning of users and groups
+      GRAPH_LDAP_SERVER_UUID: "false"
+      # This is the default value, we need to set it here because we overwrite the values
+      OC_LDAP_USER_SCHEMA_ID: "opencloudUUID"
+      # This is the default value, we need to set it here because we overwrite the values
+      OC_LDAP_GROUP_SCHEMA_ID: "opencloudUUID"
+      # This is the default value, we need to set it here because we overwrite the values
+      OC_LDAP_DISABLE_USER_MECHANISM: "attribute"
+      # These values should only be set in keycloak, because opencloud updates them from the claims
+      FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.memberOf"
+  ldap-server:
+    volumes:
+      # Use an empty named volume to overwrite the inherited values
+      - empty-dir:/ldifs
+      # Only use the base ldif file to create the base structure
+      - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
+      # Use the custom schema from opencloud because we are in full control of the ldap server
+      - ../shared/config/ldap/schemas/10_opencloud_schema.ldif:/schemas/10_opencloud_schema.ldif
+      - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
+      - ldap-certs:/opt/bitnami/openldap/share
+      - ldap-data:/bitnami/openldap
+  keycloak:
+    volumes:
+      - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
+      - "./config/keycloak/opencloud-realm-autoprovisioning.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
+volumes:
+  empty-dir:
--- a/deployments/examples/opencloud_full/keycloak.yml
+++ b/deployments/examples/opencloud_full/keycloak.yml
@@ -0,0 +1,74 @@
+---
+services:
+  traefik:
+    networks:
+      opencloud-net:
+        aliases:
+          - ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
+
+  opencloud:
+    environment:
+      # Keycloak IDP specific configuration
+      PROXY_AUTOPROVISION_ACCOUNTS: "false"
+      PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
+      OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/${KEYCLOAK_REALM:-openCloud}
+      PROXY_OIDC_REWRITE_WELLKNOWN: "true"
+      WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
+      PROXY_USER_OIDC_CLAIM: "uuid"
+      PROXY_USER_CS3_CLAIM: "userid"
+      WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/${KEYCLOAK_REALM:-openCloud}/account"
+      # admin and demo accounts must be created in Keycloak
+      OC_ADMIN_USER_ID: ""
+      SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
+      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
+      GRAPH_USERNAME_MATCH: "none"
+      KEYCLOAK_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
+
+  postgres:
+    image: postgres:alpine
+    networks:
+      opencloud-net:
+    volumes:
+      - keycloak_postgres_data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: keycloak
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always
+
+  keycloak:
+    image: quay.io/keycloak/keycloak:25.0.0
+    networks:
+      opencloud-net:
+    command: ["start", "--proxy=edge", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm"]
+    entrypoint: ["/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh"]
+    volumes:
+      - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
+      - "./config/keycloak/opencloud-realm.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
+    environment:
+      OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}
+      KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
+      KC_DB: postgres
+      KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak"
+      KC_DB_USERNAME: keycloak
+      KC_DB_PASSWORD: keycloak
+      KC_FEATURES: impersonation
+      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN_USER:-admin}
+      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.keycloak.entrypoints=https"
+      - "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}`)"
+      - "traefik.http.routers.keycloak.tls.certresolver=http"
+      - "traefik.http.routers.keycloak.service=keycloak"
+      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
+    depends_on:
+      - postgres
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always
+
+volumes:
+  keycloak_postgres_data:
--- a/deployments/examples/opencloud_full/ldap.yml
+++ b/deployments/examples/opencloud_full/ldap.yml
@@ -0,0 +1,59 @@
+---
+services:
+  traefik:
+    networks:
+      opencloud-net:
+
+  opencloud:
+    environment:
+      # Ldap IDP specific configuration
+      OC_LDAP_URI: ldaps://ldap-server:1636
+      OC_LDAP_INSECURE: "true"
+      OC_LDAP_BIND_DN: "cn=admin,dc=opencloud,dc=eu"
+      OC_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
+      OC_LDAP_GROUP_BASE_DN: "ou=groups,dc=opencloud,dc=eu"
+      OC_LDAP_GROUP_SCHEMA_ID: "entryUUID"
+      OC_LDAP_USER_BASE_DN: "ou=users,dc=opencloud,dc=eu"
+      OC_LDAP_USER_FILTER: "(objectclass=inetOrgPerson)"
+      OC_LDAP_USER_SCHEMA_ID: "entryUUID"
+      OC_LDAP_DISABLE_USER_MECHANISM: "none"
+      GRAPH_LDAP_SERVER_UUID: "true"
+      GRAPH_LDAP_GROUP_CREATE_BASE_DN: "ou=custom,ou=groups,dc=opencloud,dc=eu"
+      GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled.
+      FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments"
+      OC_LDAP_SERVER_WRITE_ENABLED: "false" # assuming the external ldap is not writable
+      # OC_RUN_SERVICES specifies to start all services except glauth, idm and accounts. These are replaced by external services
+      OC_EXCLUDE_RUN_SERVICES: idm
+
+  ldap-server:
+    image: bitnami/openldap:2.6
+    networks:
+      opencloud-net:
+    entrypoint: ["/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
+    environment:
+      BITNAMI_DEBUG: true
+      LDAP_TLS_VERIFY_CLIENT: never
+      LDAP_ENABLE_TLS: "yes"
+      LDAP_TLS_CA_FILE: /opt/bitnami/openldap/share/openldap.crt
+      LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/share/openldap.crt
+      LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
+      LDAP_ROOT: "dc=opencloud,dc=eu"
+      LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
+    ports:
+      - "127.0.0.1:389:1389"
+      - "127.0.0.1:636:1636"
+    volumes:
+      - ./config/ldap/ldif:/ldifs
+      - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
+      - ldap-certs:/opt/bitnami/openldap/share
+      - ldap-data:/bitnami/openldap
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always
+
+volumes:
+  ldap-certs:
+  ldap-data:
+
+networks:
+  opencloud-net:
--- a/deployments/examples/opencloud_full/onlyoffice.yml
+++ b/deployments/examples/opencloud_full/onlyoffice.yml
@@ -1,86 +0,0 @@
---
-services:
-  traefik:
-    networks:
-      opencloud-net:
-        aliases:
-          - ${ONLYOFFICE_DOMAIN:-onlyoffice.opencloud.test}
-          - ${WOPISERVER_ONLYOFFICE_DOMAIN:-wopiserver-oo.opencloud.test}
-
-  collaboration-oo:
-    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
-    networks:
-      opencloud-net:
-    depends_on:
-      opencloud:
-        condition: service_started
-      onlyoffice:
-        condition: service_healthy
-    entrypoint:
-      - /bin/sh
-    command: [ "-c", "opencloud collaboration server" ]
-    environment:
-      COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
-      COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
-      MICRO_REGISTRY: "nats-js-kv"
-      MICRO_REGISTRY_ADDRESS: "opencloud:9233"
-      COLLABORATION_WOPI_SRC: https://${WOPISERVER_ONLYOFFICE_DOMAIN:-wopiserver-oo.opencloud.test}
-      COLLABORATION_APP_NAME: "OnlyOffice"
-      COLLABORATION_APP_PRODUCT: "OnlyOffice"
-      COLLABORATION_APP_ADDR: https://${ONLYOFFICE_DOMAIN:-onlyoffice.opencloud.test}
-      COLLABORATION_APP_ICON: https://${ONLYOFFICE_DOMAIN:-onlyoffice.opencloud.test}/web-apps/apps/documenteditor/main/resources/img/favicon.ico
-      COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
-      COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"
-      COLLABORATION_LOG_LEVEL: ${LOG_LEVEL:-info}
-      COLLABORATION_APP_PROOF_DISABLE: "true"
-      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}
-    volumes:
-      # configure the .env file to use own paths instead of docker internal volumes
-      - ${OC_CONFIG_DIR:-opencloud-config}:/etc/opencloud
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.collaboration-oo.entrypoints=https"
-      - "traefik.http.routers.collaboration-oo.rule=Host(`${WOPISERVER_ONLYOFFICE_DOMAIN:-wopiserver-oo.opencloud.test}`)"
-      - "traefik.http.routers.collaboration-oo.tls.certresolver=http"
-      - "traefik.http.routers.collaboration-oo.service=collaboration-oo"
-      - "traefik.http.services.collaboration-oo.loadbalancer.server.port=9300"
-    logging:
-      driver: ${LOG_DRIVER:-local}
-    restart: always
-
-  onlyoffice:
-    # if you want to use oo enterprise edition, use: onlyoffice/documentserver-ee:<version>
-    # note, you also need to add a volume, see below
-    image: onlyoffice/documentserver:8.2.2
-    # changelog https://github.com/ONLYOFFICE/DocumentServer/releases
-    networks:
-      opencloud-net:
-    entrypoint:
-      - /bin/sh
-      - /entrypoint-override.sh
-    environment:
-      WOPI_ENABLED: "true"
-      # self-signed certificates
-      USE_UNAUTHORIZED_STORAGE: "${INSECURE:-false}"
-    volumes:
-      # paths are relative to the main compose file
-      - ./config/onlyoffice/entrypoint-override.sh:/entrypoint-override.sh
-      - ./config/onlyoffice/local.json:/etc/onlyoffice/documentserver/local.dist.json
-      # if you want to use oo enterprise edition, you need to add a volume for the license file
-      # for details see: Registering your Enterprise Edition version -->
-      # https://helpcenter.onlyoffice.com/installation/docs-enterprise-install-docker.aspx
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.onlyoffice.entrypoints=https"
-      - "traefik.http.routers.onlyoffice.rule=Host(`${ONLYOFFICE_DOMAIN:-onlyoffice.opencloud.test}`)"
-      - "traefik.http.routers.onlyoffice.tls.certresolver=http"
-      - "traefik.http.routers.onlyoffice.service=onlyoffice"
-      - "traefik.http.services.onlyoffice.loadbalancer.server.port=80"
-      # websockets can't be opened when this is omitted
-      - "traefik.http.middlewares.onlyoffice.headers.customrequestheaders.X-Forwarded-Proto=https"
-      - "traefik.http.routers.onlyoffice.middlewares=onlyoffice"
-    logging:
-      driver: ${LOG_DRIVER:-local}
-    restart: always
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost/hosting/discovery"]
--- a/deployments/examples/opencloud_full/opencloud.yml
+++ b/deployments/examples/opencloud_full/opencloud.yml
@@ -36,12 +36,18 @@ services:
      IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}" # this overrides the admin password from the configuration file
      # demo users
      IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
+      # idp login form settings
+      IDP_DEFAULT_SIGNIN_PAGE_TEXT: "${IDP_DEFAULT_SIGNIN_PAGE_TEXT}"
      # email server (if configured)
      NOTIFICATIONS_SMTP_HOST: "${SMTP_HOST}"
      NOTIFICATIONS_SMTP_PORT: "${SMTP_PORT}"
      NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER:-OpenCloud notifications <notifications@${OC_DOMAIN:-cloud.opencloud.test}>}"
      NOTIFICATIONS_SMTP_USERNAME: "${SMTP_USERNAME}"
+      NOTIFICATIONS_SMTP_PASSWORD: "${SMTP_PASSWORD}"
      NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE}"
+      NOTIFICATIONS_SMTP_AUTHENTICATION: "${SMTP_AUTHENTICATION}"
+      NOTIFICATIONS_SMTP_ENCRYPTION: "${SMTP_TRANSPORT_ENCRYPTION:-none}"
+      FRONTEND_ARCHIVER_MAX_SIZE: "10000000000"
      # make the registry available to the app provider containers
      MICRO_REGISTRY_ADDRESS: 127.0.0.1:9233
      NATS_NATS_HOST: 0.0.0.0
@@ -49,7 +55,6 @@ services:
      PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml
      # these three vars are needed to the csp config file to include the web office apps and the importer
      COLLABORA_DOMAIN: ${COLLABORA_DOMAIN:-collabora.opencloud.test}
-      ONLYOFFICE_DOMAIN: ${ONLYOFFICE_DOMAIN:-onlyoffice.opencloud.test}
      COMPANION_DOMAIN: ${COMPANION_DOMAIN:-companion.opencloud.test}
      # enable to allow using the banned passwords list
      OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: banned-password-list.txt
--- a/deployments/examples/opencloud_full/radicale.yml
+++ b/deployments/examples/opencloud_full/radicale.yml
@@ -0,0 +1,18 @@
+---
+services:
+  opencloud:
+    volumes:
+      # external sites needs to have additional routes configured in the proxy
+      - ./config/opencloud/proxy.yaml:/etc/opencloud/proxy.yaml
+  radicale:
+    image: ${RADICALE_DOCKER_IMAGE:-opencloudeu/radicale}:${RADICALE_DOCKER_TAG:-latest}
+    networks:
+      opencloud-net:
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always
+    volumes:
+      - ./config/radicale/config:/etc/radicale/config
+      - ${RADICALE_DATA_DIR:-radicale-data}:/var/lib/radicale
+volumes:
+  radicale-data:
--- a/deployments/examples/opencloud_full/web_extensions/unzip.yml
+++ b/deployments/examples/opencloud_full/web_extensions/unzip.yml
@@ -6,12 +6,10 @@ services:
        condition: service_completed_successfully

  unzip-init:
-    image: opencloudeu/web-extensions:unzip-1.0.0
+    image: opencloudeu/web-extensions:unzip-1.0.2
    user: root
    volumes:
      - opencloud-apps:/apps
    entrypoint:
      - /bin/sh
    command: ["-c", "cp -R /usr/share/nginx/html/unzip/ /apps"]
-
-
--- a/deployments/examples/shared/config/ldap/docker-compose.yml
+++ b/deployments/examples/shared/config/ldap/docker-compose.yml
@@ -0,0 +1,24 @@
+---
+# This file can be used to be added to the opencloud_full example
+# to browse the LDAP server with a web interface.
+# This is not a production ready setup.
+services:
+  ldap-manager:
+    image: phpldapadmin/phpldapadmin:latest
+    networks:
+      opencloud-net:
+    environment:
+      LDAP_HOST: ldap-server
+      LDAP_PORT: 1389
+      LDAP_LOGIN_OBJECTCLASS: "inetOrgPerson"
+      APP_URL: "https://${LDAP_MANAGER_DOMAIN:-ldap.opencloud.test}"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.ldap-manager.entrypoints=https"
+      - "traefik.http.routers.ldap-manager.rule=Host(`${LDAP_MANAGER_DOMAIN:-ldap.opencloud.test}`)"
+      - "traefik.http.routers.ldap-manager.tls.certresolver=http"
+      - "traefik.http.routers.ldap-manager.service=ldap-manager"
+      - "traefik.http.services.ldap-manager.loadbalancer.server.port=8080"
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always
--- a/docs/intro.md
+++ b/docs/intro.md
@@ -1,17 +0,0 @@
---
-sidebar_position: 1
-id: intro
-title: OpenCloud Developer Docs
-custom_edit_url: https://github.com/opencloud-eu/opencloud/edit/main/docs/intro.md
---
-
-# Welcome
-
-Welcome to the OpenCloud Developer Documentation.
-
-Please be patient, we are working on the content.
-
-If you want to contribute to the dev docs, please visit [OpenCloud on Github](https://github.com/opencloud-eu/).
-
-Contents will be transferred, during the build process.
-
--- a/go.mod
+++ b/go.mod
@@ -3,27 +3,27 @@ module github.com/opencloud-eu/opencloud
 go 1.24.1

 require (
-	dario.cat/mergo v1.0.1
-	github.com/CiscoM31/godata v1.0.10
-	github.com/KimMachineGun/automemlimit v0.7.1
+	dario.cat/mergo v1.0.2
+	github.com/CiscoM31/godata v1.0.11
+	github.com/KimMachineGun/automemlimit v0.7.2
 	github.com/Masterminds/semver v1.5.0
 	github.com/MicahParks/keyfunc/v2 v2.1.0
 	github.com/Nerzal/gocloak/v13 v13.9.0
 	github.com/bbalet/stopwords v1.0.0
-	github.com/beevik/etree v1.5.0
-	github.com/blevesearch/bleve/v2 v2.4.4
+	github.com/beevik/etree v1.5.1
+	github.com/blevesearch/bleve/v2 v2.5.1
 	github.com/cenkalti/backoff v2.2.1+incompatible
-	github.com/coreos/go-oidc/v3 v3.13.0
+	github.com/coreos/go-oidc/v3 v3.14.1
 	github.com/cs3org/go-cs3apis v0.0.0-20241105092511-3ad35d174fc1
 	github.com/davidbyttow/govips/v2 v2.16.0
 	github.com/dhowden/tag v0.0.0-20240417053706-3d75831295e8
 	github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e
 	github.com/egirna/icap-client v0.1.1
-	github.com/gabriel-vasile/mimetype v1.4.8
+	github.com/gabriel-vasile/mimetype v1.4.9
 	github.com/ggwhite/go-masker v1.1.0
 	github.com/go-chi/chi/v5 v5.2.1
 	github.com/go-chi/render v1.0.3
-	github.com/go-ldap/ldap/v3 v3.4.10
+	github.com/go-ldap/ldap/v3 v3.4.11
 	github.com/go-ldap/ldif v0.0.0-20200320164324-fd88d9b715b3
 	github.com/go-micro/plugins/v4/client/grpc v1.2.1
 	github.com/go-micro/plugins/v4/logger/zerolog v1.2.0
@@ -33,14 +33,14 @@ require (
 	github.com/go-micro/plugins/v4/store/nats-js-kv v0.0.0-20240726082623-6831adfdcdc4
 	github.com/go-micro/plugins/v4/wrapper/monitoring/prometheus v1.2.0
 	github.com/go-micro/plugins/v4/wrapper/trace/opentelemetry v1.2.0
-	github.com/go-playground/validator/v10 v10.25.0
+	github.com/go-playground/validator/v10 v10.26.0
 	github.com/gofrs/uuid v4.4.0+incompatible
 	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/golang/protobuf v1.5.4
 	github.com/google/go-cmp v0.7.0
 	github.com/google/go-tika v0.3.1
 	github.com/google/uuid v1.6.0
-	github.com/gookit/config/v2 v2.2.5
+	github.com/gookit/config/v2 v2.2.6
 	github.com/gorilla/mux v1.8.1
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3
 	github.com/invopop/validation v0.8.0
@@ -51,30 +51,29 @@ require (
 	github.com/kovidgoyal/imaging v1.6.4
 	github.com/leonelquinteros/gotext v1.7.1
 	github.com/libregraph/idm v0.5.0
-	github.com/libregraph/lico v0.65.1
+	github.com/libregraph/lico v0.66.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/mna/pigeon v1.3.0
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
-	github.com/nats-io/nats-server/v2 v2.11.0
-	github.com/nats-io/nats.go v1.39.1
+	github.com/nats-io/nats-server/v2 v2.11.4
+	github.com/nats-io/nats.go v1.42.0
 	github.com/oklog/run v1.1.0
-	github.com/olekukonko/tablewriter v0.0.5
+	github.com/olekukonko/tablewriter v1.0.6
 	github.com/onsi/ginkgo v1.16.5
-	github.com/onsi/ginkgo/v2 v2.23.3
-	github.com/onsi/gomega v1.36.3
-	github.com/open-policy-agent/opa v1.2.0
-	github.com/opencloud-eu/reva/v2 v2.29.1
+	github.com/onsi/ginkgo/v2 v2.23.4
+	github.com/onsi/gomega v1.37.0
+	github.com/open-policy-agent/opa v1.4.2
+	github.com/opencloud-eu/libre-graph-api-go v1.0.6
+	github.com/opencloud-eu/reva/v2 v2.33.1-0.20250520152851-d33c49bb52b9
 	github.com/orcaman/concurrent-map v1.0.0
-	github.com/owncloud/libre-graph-api-go v1.0.5-0.20240829135935-80dc00d6f5ea
 	github.com/pkg/errors v0.9.1
 	github.com/pkg/xattr v0.4.10
-	github.com/prometheus/client_golang v1.21.1
+	github.com/prometheus/client_golang v1.22.0
 	github.com/r3labs/sse/v2 v2.10.0
 	github.com/riandyrn/otelchi v0.12.1
 	github.com/rogpeppe/go-internal v1.14.1
 	github.com/rs/cors v1.11.1
 	github.com/rs/zerolog v1.34.0
-	github.com/shamaton/msgpack/v2 v2.2.3
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/afero v1.14.0
 	github.com/spf13/cobra v1.9.1
@@ -82,31 +81,32 @@ require (
 	github.com/test-go/testify v1.1.4
 	github.com/thejerf/suture/v4 v4.0.6
 	github.com/tidwall/gjson v1.18.0
-	github.com/tus/tusd/v2 v2.7.1
+	github.com/tus/tusd/v2 v2.8.0
 	github.com/unrolled/secure v1.16.0
-	github.com/urfave/cli/v2 v2.27.5
+	github.com/urfave/cli/v2 v2.27.6
+	github.com/vmihailenco/msgpack/v5 v5.4.1
 	github.com/xhit/go-simple-mail/v2 v2.16.0
 	go-micro.dev/v4 v4.11.0
 	go.etcd.io/bbolt v1.4.0
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0
 	go.opentelemetry.io/contrib/zpages v0.60.0
-	go.opentelemetry.io/otel v1.35.0
+	go.opentelemetry.io/otel v1.36.0
 	go.opentelemetry.io/otel/exporters/jaeger v1.17.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0
-	go.opentelemetry.io/otel/sdk v1.35.0
-	go.opentelemetry.io/otel/trace v1.35.0
-	golang.org/x/crypto v0.36.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.36.0
+	go.opentelemetry.io/otel/sdk v1.36.0
+	go.opentelemetry.io/otel/trace v1.36.0
+	golang.org/x/crypto v0.38.0
 	golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac
-	golang.org/x/image v0.25.0
-	golang.org/x/net v0.37.0
-	golang.org/x/oauth2 v0.28.0
-	golang.org/x/sync v0.12.0
-	golang.org/x/term v0.30.0
-	golang.org/x/text v0.23.0
-	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb
-	google.golang.org/grpc v1.71.0
-	google.golang.org/protobuf v1.36.5
+	golang.org/x/image v0.27.0
+	golang.org/x/net v0.40.0
+	golang.org/x/oauth2 v0.30.0
+	golang.org/x/sync v0.14.0
+	golang.org/x/term v0.32.0
+	golang.org/x/text v0.25.0
+	google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237
+	google.golang.org/grpc v1.72.1
+	google.golang.org/protobuf v1.36.6
 	gopkg.in/yaml.v2 v2.4.0
 	gotest.tools/v3 v3.5.2
 	stash.kopano.io/kgol/rndm v1.1.2
@@ -121,38 +121,38 @@ require (
 	github.com/Masterminds/sprig v2.22.0+incompatible // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/ProtonMail/go-crypto v1.1.5 // indirect
-	github.com/RoaringBitmap/roaring v1.9.3 // indirect
+	github.com/RoaringBitmap/roaring/v2 v2.4.5 // indirect
 	github.com/agnivade/levenshtein v1.2.1 // indirect
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/alexedwards/argon2id v1.0.0 // indirect
 	github.com/amoghe/go-crypt v0.0.0-20220222110647-20eada5f5964 // indirect
 	github.com/armon/go-radix v1.0.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go v1.55.6 // indirect
+	github.com/aws/aws-sdk-go v1.55.7 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bitly/go-simplejson v0.5.0 // indirect
-	github.com/bits-and-blooms/bitset v1.12.0 // indirect
-	github.com/blevesearch/bleve_index_api v1.1.12 // indirect
-	github.com/blevesearch/geo v0.1.20 // indirect
-	github.com/blevesearch/go-faiss v1.0.24 // indirect
+	github.com/bits-and-blooms/bitset v1.22.0 // indirect
+	github.com/blevesearch/bleve_index_api v1.2.8 // indirect
+	github.com/blevesearch/geo v0.2.3 // indirect
+	github.com/blevesearch/go-faiss v1.0.25 // indirect
 	github.com/blevesearch/go-porterstemmer v1.0.3 // indirect
 	github.com/blevesearch/gtreap v0.1.1 // indirect
 	github.com/blevesearch/mmap-go v1.0.4 // indirect
-	github.com/blevesearch/scorch_segment_api/v2 v2.2.16 // indirect
+	github.com/blevesearch/scorch_segment_api/v2 v2.3.10 // indirect
 	github.com/blevesearch/segment v0.9.1 // indirect
 	github.com/blevesearch/snowballstem v0.9.0 // indirect
 	github.com/blevesearch/upsidedown_store_api v1.0.2 // indirect
-	github.com/blevesearch/vellum v1.0.10 // indirect
-	github.com/blevesearch/zapx/v11 v11.3.10 // indirect
-	github.com/blevesearch/zapx/v12 v12.3.10 // indirect
-	github.com/blevesearch/zapx/v13 v13.3.10 // indirect
-	github.com/blevesearch/zapx/v14 v14.3.10 // indirect
-	github.com/blevesearch/zapx/v15 v15.3.16 // indirect
-	github.com/blevesearch/zapx/v16 v16.1.9-0.20241217210638-a0519e7caf3b // indirect
+	github.com/blevesearch/vellum v1.1.0 // indirect
+	github.com/blevesearch/zapx/v11 v11.4.2 // indirect
+	github.com/blevesearch/zapx/v12 v12.4.2 // indirect
+	github.com/blevesearch/zapx/v13 v13.4.2 // indirect
+	github.com/blevesearch/zapx/v14 v14.4.2 // indirect
+	github.com/blevesearch/zapx/v15 v15.4.2 // indirect
+	github.com/blevesearch/zapx/v16 v16.2.3 // indirect
 	github.com/bluele/gcache v0.0.2 // indirect
 	github.com/bombsimon/logrusr/v3 v3.1.0 // indirect
-	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/ceph/go-ceph v0.32.0 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.2 // indirect
+	github.com/ceph/go-ceph v0.33.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cevaris/ordered_map v0.0.0-20190319150403-3adeae072e73 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
@@ -167,6 +167,7 @@ require (
 	github.com/deckarep/golang-set v1.8.0 // indirect
 	github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f // indirect
 	github.com/dgraph-io/ristretto v0.2.0 // indirect
+	github.com/dgryski/go-farm v0.0.0-20240924180020-3414d57e47da // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dlclark/regexp2 v1.4.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
@@ -179,7 +180,7 @@ require (
 	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/gdexlab/go-render v1.0.1 // indirect
 	github.com/go-acme/lego/v4 v4.4.0 // indirect
-	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
 	github.com/go-git/go-git/v5 v5.13.2 // indirect
@@ -197,7 +198,7 @@ require (
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-redis/redis/v8 v8.11.5 // indirect
 	github.com/go-resty/resty/v2 v2.7.0 // indirect
-	github.com/go-sql-driver/mysql v1.9.1 // indirect
+	github.com/go-sql-driver/mysql v1.9.2 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/go-test/deep v1.1.0 // indirect
@@ -206,20 +207,19 @@ require (
 	github.com/gobwas/pool v0.2.1 // indirect
 	github.com/gobwas/ws v1.2.1 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
-	github.com/goccy/go-yaml v1.11.2 // indirect
+	github.com/goccy/go-yaml v1.12.0 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
-	github.com/golang/geo v0.0.0-20210211234256-740aa86cb551 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/gomodule/redigo v1.9.2 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/go-tpm v0.9.3 // indirect
-	github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad // indirect
+	github.com/google/go-tpm v0.9.5 // indirect
+	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
 	github.com/google/renameio/v2 v2.0.0 // indirect
 	github.com/gookit/color v1.5.4 // indirect
-	github.com/gookit/goutil v0.6.15 // indirect
+	github.com/gookit/goutil v0.6.18 // indirect
 	github.com/gorilla/handlers v1.5.1 // indirect
 	github.com/gorilla/schema v1.4.1 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
@@ -232,12 +232,12 @@ require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/jonboulle/clockwork v0.2.2 // indirect
+	github.com/jonboulle/clockwork v0.5.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/juliangruber/go-intersect v1.1.0 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/libregraph/oidc-go v1.1.0 // indirect
 	github.com/longsleep/go-metrics v1.0.0 // indirect
@@ -246,7 +246,7 @@ require (
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
-	github.com/mattn/go-sqlite3 v1.14.24 // indirect
+	github.com/mattn/go-sqlite3 v1.14.27 // indirect
 	github.com/maxymania/go-system v0.0.0-20170110133659-647cc364bf0b // indirect
 	github.com/mendsley/gojwk v0.0.0-20141217222730-4d5ec6e58103 // indirect
 	github.com/miekg/dns v1.1.57 // indirect
@@ -254,17 +254,19 @@ require (
 	github.com/minio/crc64nvme v1.0.1 // indirect
 	github.com/minio/highwayhash v1.0.3 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
-	github.com/minio/minio-go/v7 v7.0.88 // indirect
+	github.com/minio/minio-go/v7 v7.0.89 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mschoch/smat v0.2.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/nats-io/jwt/v2 v2.7.3 // indirect
-	github.com/nats-io/nkeys v0.4.10 // indirect
+	github.com/nats-io/jwt/v2 v2.7.4 // indirect
+	github.com/nats-io/nkeys v0.4.11 // indirect
 	github.com/nats-io/nuid v1.0.1 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
+	github.com/olekukonko/errors v0.0.0-20250405072817-4e6d85265da6 // indirect
+	github.com/olekukonko/ll v0.0.8-0.20250516010636-22ea57d81985 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c // indirect
 	github.com/pablodz/inotifywaitgo v0.0.9 // indirect
@@ -282,14 +284,15 @@ require (
 	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rs/xid v1.6.0 // indirect
-	github.com/russellhaering/goxmldsig v1.4.0 // indirect
+	github.com/russellhaering/goxmldsig v1.5.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/segmentio/kafka-go v0.4.47 // indirect
+	github.com/segmentio/kafka-go v0.4.48 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
 	github.com/sercand/kuberesolver/v5 v5.1.1 // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/sethvargo/go-diceware v0.5.0 // indirect
 	github.com/sethvargo/go-password v0.3.1 // indirect
+	github.com/shamaton/msgpack/v2 v2.2.3 // indirect
 	github.com/shurcooL/httpfs v0.0.0-20230704072500-f1e31cf0ba5c // indirect
 	github.com/shurcooL/vfsgen v0.0.0-20230704071429-0000e147ea92 // indirect
 	github.com/skeema/knownhosts v1.3.0 // indirect
@@ -302,6 +305,7 @@ require (
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/toorop/go-dkim v0.0.0-20201103131630-e1cd1a0a5208 // indirect
 	github.com/trustelem/zxcvbn v1.0.1 // indirect
+	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/wk8/go-ordered-map v1.0.0 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
@@ -314,19 +318,20 @@ require (
 	go.etcd.io/etcd/client/v3 v3.5.20 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0 // indirect
+	go.opentelemetry.io/otel/metric v1.36.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.6.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
+	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.23.0 // indirect
 	golang.org/x/mod v0.24.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
 	golang.org/x/tools v0.31.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
-	google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 // indirect
 	gopkg.in/cenkalti/backoff.v1 v1.1.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
@@ -340,10 +345,10 @@ replace github.com/egirna/icap-client => github.com/fschade/icap-client v0.0.0-2

 replace github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240611112133-abc838fb797c

-replace github.com/go-micro/plugins/v4/store/nats-js-kv => github.com/kobergj/plugins/v4/store/nats-js-kv v0.0.0-20240807130109-f62bb67e8c90
-
 replace go-micro.dev/v4 => github.com/butonic/go-micro/v4 v4.11.1-0.20241115112658-b5d4de5ed9b3

 // exclude the v2 line of go-sqlite3 which was released accidentally and prevents pulling in newer versions of go-sqlite3
 // see https://github.com/mattn/go-sqlite3/issues/965 for more details
 exclude github.com/mattn/go-sqlite3 v2.0.3+incompatible
+
+replace github.com/go-micro/plugins/v4/store/nats-js-kv => github.com/opencloud-eu/go-micro-plugins/v4/store/nats-js-kv v0.0.0-20250512152754-23325793059a
--- a/go.sum
+++ b/go.sum
@@ -36,8 +36,8 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9
 contrib.go.opencensus.io/exporter/ocagent v0.4.12/go.mod h1:450APlNTSR6FrvC3CTRqYosuDstRB9un7SOx2k/9ckA=
 contrib.go.opencensus.io/exporter/prometheus v0.4.2 h1:sqfsYl5GIY/L570iT+l93ehxaWJs2/OwXtiWwew3oAg=
 contrib.go.opencensus.io/exporter/prometheus v0.4.2/go.mod h1:dvEHbiKmgvbr5pjaF9fpw1KeYcjrnC1J8B+JKjsZyRQ=
-dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
-dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
+dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
@@ -64,12 +64,12 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/CiscoM31/godata v1.0.10 h1:DZdJ6M8QNh4HquvDDOqNLu6h77Wl86KGK7Qlbmb90sk=
-github.com/CiscoM31/godata v1.0.10/go.mod h1:ZMiT6JuD3Rm83HEtiTx4JEChsd25YCrxchKGag/sdTc=
+github.com/CiscoM31/godata v1.0.11 h1:w7y8twuW02LdH6mak3/GJ5i0GrCv2IoZUJVqa/g5Yeo=
+github.com/CiscoM31/godata v1.0.11/go.mod h1:ZMiT6JuD3Rm83HEtiTx4JEChsd25YCrxchKGag/sdTc=
 github.com/DeepDiver1975/secure v0.0.0-20240611112133-abc838fb797c h1:ocsNvQ2tNHme4v/lTs17HROamc7mFzZfzWcg4m+UXN0=
 github.com/DeepDiver1975/secure v0.0.0-20240611112133-abc838fb797c/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
-github.com/KimMachineGun/automemlimit v0.7.1 h1:QcG/0iCOLChjfUweIMC3YL5Xy9C3VBeNmCZHrZfJMBw=
-github.com/KimMachineGun/automemlimit v0.7.1/go.mod h1:QZxpHaGOQoYvFhv/r4u3U0JTC2ZcOwbSr11UZF46UBM=
+github.com/KimMachineGun/automemlimit v0.7.2 h1:DyfHI7zLWmZPn2Wqdy2AgTiUvrGPmnYWgwhHXtAegX4=
+github.com/KimMachineGun/automemlimit v0.7.2/go.mod h1:QZxpHaGOQoYvFhv/r4u3U0JTC2ZcOwbSr11UZF46UBM=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
@@ -87,8 +87,8 @@ github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAE
 github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87/go.mod h1:iGLljf5n9GjT6kc0HBvyI1nOKnGQbNB66VzSNbK5iks=
 github.com/ProtonMail/go-crypto v1.1.5 h1:eoAQfK2dwL+tFSFpr7TbOaPNUbPiJj4fLYwwGE1FQO4=
 github.com/ProtonMail/go-crypto v1.1.5/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
-github.com/RoaringBitmap/roaring v1.9.3 h1:t4EbC5qQwnisr5PrP9nt0IRhRTb9gMUgQF4t4S2OByM=
-github.com/RoaringBitmap/roaring v1.9.3/go.mod h1:6AXUsoIEzDTFFQCe1RbGA6uFONMhvejWj5rqITANK90=
+github.com/RoaringBitmap/roaring/v2 v2.4.5 h1:uGrrMreGjvAtTBobc0g5IrW1D5ldxDQYe2JW2gggRdg=
+github.com/RoaringBitmap/roaring/v2 v2.4.5/go.mod h1:FiJcsfkGje/nZBZgCu0ZxCPOKD/hVXDS2dXi7/eUFE0=
 github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
 github.com/agnivade/levenshtein v1.2.1 h1:EHBY3UOn1gwdy/VbFwgo4cxecRznFk7fKWN1KOX7eoM=
@@ -126,13 +126,12 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkY
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/aws/aws-sdk-go v1.37.27/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
-github.com/aws/aws-sdk-go v1.55.6 h1:cSg4pvZ3m8dgYcgqB97MrcdjUmZ1BeMYKUxMMB89IPk=
-github.com/aws/aws-sdk-go v1.55.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
+github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE=
+github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
 github.com/bbalet/stopwords v1.0.0 h1:0TnGycCtY0zZi4ltKoOGRFIlZHv0WqpoIGUsObjztfo=
 github.com/bbalet/stopwords v1.0.0/go.mod h1:sAWrQoDMfqARGIn4s6dp7OW7ISrshUD8IP2q3KoqPjc=
-github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
-github.com/beevik/etree v1.5.0 h1:iaQZFSDS+3kYZiGoc9uKeOkUY3nYMXOKLl6KIJxiJWs=
-github.com/beevik/etree v1.5.0/go.mod h1:gPNJNaBGVZ9AwsidazFZyygnd+0pAU38N4D+WemwKNs=
+github.com/beevik/etree v1.5.1 h1:TC3zyxYp+81wAmbsi8SWUpZCurbxa6S8RITYRSkNRwo=
+github.com/beevik/etree v1.5.1/go.mod h1:gPNJNaBGVZ9AwsidazFZyygnd+0pAU38N4D+WemwKNs=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
@@ -143,45 +142,46 @@ github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6r
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bitly/go-simplejson v0.5.0 h1:6IH+V8/tVMab511d5bn4M7EwGXZf9Hj6i2xSwkNEM+Y=
 github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA=
-github.com/bits-and-blooms/bitset v1.12.0 h1:U/q1fAF7xXRhFCrhROzIfffYnu+dlS38vCZtmFVPHmA=
 github.com/bits-and-blooms/bitset v1.12.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
+github.com/bits-and-blooms/bitset v1.22.0 h1:Tquv9S8+SGaS3EhyA+up3FXzmkhxPGjQQCkcs2uw7w4=
+github.com/bits-and-blooms/bitset v1.22.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
-github.com/blevesearch/bleve/v2 v2.4.4 h1:RwwLGjUm54SwyyykbrZs4vc1qjzYic4ZnAnY9TwNl60=
-github.com/blevesearch/bleve/v2 v2.4.4/go.mod h1:fa2Eo6DP7JR+dMFpQe+WiZXINKSunh7WBtlDGbolKXk=
-github.com/blevesearch/bleve_index_api v1.1.12 h1:P4bw9/G/5rulOF7SJ9l4FsDoo7UFJ+5kexNy1RXfegY=
-github.com/blevesearch/bleve_index_api v1.1.12/go.mod h1:PbcwjIcRmjhGbkS/lJCpfgVSMROV6TRubGGAODaK1W8=
-github.com/blevesearch/geo v0.1.20 h1:paaSpu2Ewh/tn5DKn/FB5SzvH0EWupxHEIwbCk/QPqM=
-github.com/blevesearch/geo v0.1.20/go.mod h1:DVG2QjwHNMFmjo+ZgzrIq2sfCh6rIHzy9d9d0B59I6w=
-github.com/blevesearch/go-faiss v1.0.24 h1:K79IvKjoKHdi7FdiXEsAhxpMuns0x4fM0BO93bW5jLI=
-github.com/blevesearch/go-faiss v1.0.24/go.mod h1:OMGQwOaRRYxrmeNdMrXJPvVx8gBnvE5RYrr0BahNnkk=
+github.com/blevesearch/bleve/v2 v2.5.1 h1:cc/O++W2Hcjp1SU5ETHeE+QYWv2oV88ldYEPowdmg8M=
+github.com/blevesearch/bleve/v2 v2.5.1/go.mod h1:9g/wnbWKm9AgXrU8Ecqi+IDdqjUHWymwkQRDg+5tafU=
+github.com/blevesearch/bleve_index_api v1.2.8 h1:Y98Pu5/MdlkRyLM0qDHostYo7i+Vv1cDNhqTeR4Sy6Y=
+github.com/blevesearch/bleve_index_api v1.2.8/go.mod h1:rKQDl4u51uwafZxFrPD1R7xFOwKnzZW7s/LSeK4lgo0=
+github.com/blevesearch/geo v0.2.3 h1:K9/vbGI9ehlXdxjxDRJtoAMt7zGAsMIzc6n8zWcwnhg=
+github.com/blevesearch/geo v0.2.3/go.mod h1:K56Q33AzXt2YExVHGObtmRSFYZKYGv0JEN5mdacJJR8=
+github.com/blevesearch/go-faiss v1.0.25 h1:lel1rkOUGbT1CJ0YgzKwC7k+XH0XVBHnCVWahdCXk4U=
+github.com/blevesearch/go-faiss v1.0.25/go.mod h1:OMGQwOaRRYxrmeNdMrXJPvVx8gBnvE5RYrr0BahNnkk=
 github.com/blevesearch/go-porterstemmer v1.0.3 h1:GtmsqID0aZdCSNiY8SkuPJ12pD4jI+DdXTAn4YRcHCo=
 github.com/blevesearch/go-porterstemmer v1.0.3/go.mod h1:angGc5Ht+k2xhJdZi511LtmxuEf0OVpvUUNrwmM1P7M=
 github.com/blevesearch/gtreap v0.1.1 h1:2JWigFrzDMR+42WGIN/V2p0cUvn4UP3C4Q5nmaZGW8Y=
 github.com/blevesearch/gtreap v0.1.1/go.mod h1:QaQyDRAT51sotthUWAH4Sj08awFSSWzgYICSZ3w0tYk=
 github.com/blevesearch/mmap-go v1.0.4 h1:OVhDhT5B/M1HNPpYPBKIEJaD0F3Si+CrEKULGCDPWmc=
 github.com/blevesearch/mmap-go v1.0.4/go.mod h1:EWmEAOmdAS9z/pi/+Toxu99DnsbhG1TIxUoRmJw/pSs=
-github.com/blevesearch/scorch_segment_api/v2 v2.2.16 h1:uGvKVvG7zvSxCwcm4/ehBa9cCEuZVE+/zvrSl57QUVY=
-github.com/blevesearch/scorch_segment_api/v2 v2.2.16/go.mod h1:VF5oHVbIFTu+znY1v30GjSpT5+9YFs9dV2hjvuh34F0=
+github.com/blevesearch/scorch_segment_api/v2 v2.3.10 h1:Yqk0XD1mE0fDZAJXTjawJ8If/85JxnLd8v5vG/jWE/s=
+github.com/blevesearch/scorch_segment_api/v2 v2.3.10/go.mod h1:Z3e6ChN3qyN35yaQpl00MfI5s8AxUJbpTR/DL8QOQ+8=
 github.com/blevesearch/segment v0.9.1 h1:+dThDy+Lvgj5JMxhmOVlgFfkUtZV2kw49xax4+jTfSU=
 github.com/blevesearch/segment v0.9.1/go.mod h1:zN21iLm7+GnBHWTao9I+Au/7MBiL8pPFtJBJTsk6kQw=
 github.com/blevesearch/snowballstem v0.9.0 h1:lMQ189YspGP6sXvZQ4WZ+MLawfV8wOmPoD/iWeNXm8s=
 github.com/blevesearch/snowballstem v0.9.0/go.mod h1:PivSj3JMc8WuaFkTSRDW2SlrulNWPl4ABg1tC/hlgLs=
 github.com/blevesearch/upsidedown_store_api v1.0.2 h1:U53Q6YoWEARVLd1OYNc9kvhBMGZzVrdmaozG2MfoB+A=
 github.com/blevesearch/upsidedown_store_api v1.0.2/go.mod h1:M01mh3Gpfy56Ps/UXHjEO/knbqyQ1Oamg8If49gRwrQ=
-github.com/blevesearch/vellum v1.0.10 h1:HGPJDT2bTva12hrHepVT3rOyIKFFF4t7Gf6yMxyMIPI=
-github.com/blevesearch/vellum v1.0.10/go.mod h1:ul1oT0FhSMDIExNjIxHqJoGpVrBpKCdgDQNxfqgJt7k=
-github.com/blevesearch/zapx/v11 v11.3.10 h1:hvjgj9tZ9DeIqBCxKhi70TtSZYMdcFn7gDb71Xo/fvk=
-github.com/blevesearch/zapx/v11 v11.3.10/go.mod h1:0+gW+FaE48fNxoVtMY5ugtNHHof/PxCqh7CnhYdnMzQ=
-github.com/blevesearch/zapx/v12 v12.3.10 h1:yHfj3vXLSYmmsBleJFROXuO08mS3L1qDCdDK81jDl8s=
-github.com/blevesearch/zapx/v12 v12.3.10/go.mod h1:0yeZg6JhaGxITlsS5co73aqPtM04+ycnI6D1v0mhbCs=
-github.com/blevesearch/zapx/v13 v13.3.10 h1:0KY9tuxg06rXxOZHg3DwPJBjniSlqEgVpxIqMGahDE8=
-github.com/blevesearch/zapx/v13 v13.3.10/go.mod h1:w2wjSDQ/WBVeEIvP0fvMJZAzDwqwIEzVPnCPrz93yAk=
-github.com/blevesearch/zapx/v14 v14.3.10 h1:SG6xlsL+W6YjhX5N3aEiL/2tcWh3DO75Bnz77pSwwKU=
-github.com/blevesearch/zapx/v14 v14.3.10/go.mod h1:qqyuR0u230jN1yMmE4FIAuCxmahRQEOehF78m6oTgns=
-github.com/blevesearch/zapx/v15 v15.3.16 h1:Ct3rv7FUJPfPk99TI/OofdC+Kpb4IdyfdMH48sb+FmE=
-github.com/blevesearch/zapx/v15 v15.3.16/go.mod h1:Turk/TNRKj9es7ZpKK95PS7f6D44Y7fAFy8F4LXQtGg=
-github.com/blevesearch/zapx/v16 v16.1.9-0.20241217210638-a0519e7caf3b h1:ju9Az5YgrzCeK3M1QwvZIpxYhChkXp7/L0RhDYsxXoE=
-github.com/blevesearch/zapx/v16 v16.1.9-0.20241217210638-a0519e7caf3b/go.mod h1:BlrYNpOu4BvVRslmIG+rLtKhmjIaRhIbG8sb9scGTwI=
+github.com/blevesearch/vellum v1.1.0 h1:CinkGyIsgVlYf8Y2LUQHvdelgXr6PYuvoDIajq6yR9w=
+github.com/blevesearch/vellum v1.1.0/go.mod h1:QgwWryE8ThtNPxtgWJof5ndPfx0/YMBh+W2weHKPw8Y=
+github.com/blevesearch/zapx/v11 v11.4.2 h1:l46SV+b0gFN+Rw3wUI1YdMWdSAVhskYuvxlcgpQFljs=
+github.com/blevesearch/zapx/v11 v11.4.2/go.mod h1:4gdeyy9oGa/lLa6D34R9daXNUvfMPZqUYjPwiLmekwc=
+github.com/blevesearch/zapx/v12 v12.4.2 h1:fzRbhllQmEMUuAQ7zBuMvKRlcPA5ESTgWlDEoB9uQNE=
+github.com/blevesearch/zapx/v12 v12.4.2/go.mod h1:TdFmr7afSz1hFh/SIBCCZvcLfzYvievIH6aEISCte58=
+github.com/blevesearch/zapx/v13 v13.4.2 h1:46PIZCO/ZuKZYgxI8Y7lOJqX3Irkc3N8W82QTK3MVks=
+github.com/blevesearch/zapx/v13 v13.4.2/go.mod h1:knK8z2NdQHlb5ot/uj8wuvOq5PhDGjNYQQy0QDnopZk=
+github.com/blevesearch/zapx/v14 v14.4.2 h1:2SGHakVKd+TrtEqpfeq8X+So5PShQ5nW6GNxT7fWYz0=
+github.com/blevesearch/zapx/v14 v14.4.2/go.mod h1:rz0XNb/OZSMjNorufDGSpFpjoFKhXmppH9Hi7a877D8=
+github.com/blevesearch/zapx/v15 v15.4.2 h1:sWxpDE0QQOTjyxYbAVjt3+0ieu8NCE0fDRaFxEsp31k=
+github.com/blevesearch/zapx/v15 v15.4.2/go.mod h1:1pssev/59FsuWcgSnTa0OeEpOzmhtmr/0/11H0Z8+Nw=
+github.com/blevesearch/zapx/v16 v16.2.3 h1:7Y0r+a3diEvlazsncexq1qoFOcBd64xwMS7aDm4lo1s=
+github.com/blevesearch/zapx/v16 v16.2.3/go.mod h1:wVJ+GtURAaRG9KQAMNYyklq0egV+XJlGcXNCE0OFjjA=
 github.com/bluele/gcache v0.0.2 h1:WcbfdXICg7G/DGBh1PFfcirkWOQV+v077yF1pSy3DGw=
 github.com/bluele/gcache v0.0.2/go.mod h1:m15KV+ECjptwSPxKhOhQoAFQVtUFjTVkc3H8o0t/fp0=
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 h1:DDGfHa7BWjL4YnC6+E63dPcxHo2sUxDIu8g3QgEJdRY=
@@ -201,10 +201,12 @@ github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QH
 github.com/cenkalti/backoff/v4 v4.1.0/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cenkalti/backoff/v5 v5.0.2 h1:rIfFVxEf1QsI7E1ZHfp/B4DF/6QBAUhmgkxc0H7Zss8=
+github.com/cenkalti/backoff/v5 v5.0.2/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/ceph/go-ceph v0.32.0 h1:iXRUGdPmH7h9Vf/WA1Dg3Wo1tgL7gcUbylfpbxrlGLs=
-github.com/ceph/go-ceph v0.32.0/go.mod h1:42eoJzyLS3VREzqrg2ot44NtuluQZi55hFRSoLF36GQ=
+github.com/ceph/go-ceph v0.33.0 h1:xT9v/MAa+DIBmflyITyFkGRgWngATghGegKJguEOInQ=
+github.com/ceph/go-ceph v0.33.0/go.mod h1:6ef0lIyDHnwArykqfWZDWCfbbJAVTXL1tOYrM1M4bAE=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -222,8 +224,8 @@ github.com/cloudflare/cloudflare-go v0.14.0/go.mod h1:EnwdgGMaFOruiPZRFSgn+TsQ3h
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/go-oidc/v3 v3.13.0 h1:M66zd0pcc5VxvBNM4pB331Wrsanby+QomQYjN8HamW8=
-github.com/coreos/go-oidc/v3 v3.13.0/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
+github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
+github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
 github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
@@ -237,7 +239,6 @@ github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:ma
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo=
 github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4=
 github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c=
@@ -258,15 +259,15 @@ github.com/deckarep/golang-set v1.8.0/go.mod h1:5nI87KwE7wgsBU1F4GKAw2Qod7p5kyS3
 github.com/deepmap/oapi-codegen v1.3.11/go.mod h1:suMvK7+rKlx3+tpa8ByptmvoXbAV70wERKTOGH3hLp0=
 github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f h1:U5y3Y5UE0w7amNe7Z5G/twsBW0KEalRQXZzf8ufSh9I=
 github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f/go.mod h1:xH/i4TFMt8koVQZ6WFms69WAsDWr2XsYL3Hkl7jkoLE=
-github.com/dgraph-io/badger/v4 v4.5.1 h1:7DCIXrQjo1LKmM96YD+hLVJ2EEsyyoWxJfpdd56HLps=
-github.com/dgraph-io/badger/v4 v4.5.1/go.mod h1:qn3Be0j3TfV4kPbVoK0arXCD1/nr1ftth6sbL5jxdoA=
+github.com/dgraph-io/badger/v4 v4.7.0 h1:Q+J8HApYAY7UMpL8d9owqiB+odzEc0zn/aqOD9jhc6Y=
+github.com/dgraph-io/badger/v4 v4.7.0/go.mod h1:He7TzG3YBy3j4f5baj5B7Zl2XyfNe5bl4Udl0aPemVA=
 github.com/dgraph-io/ristretto v0.2.0 h1:XAfl+7cmoUDWW/2Lx8TGZQjjxIQ2Ley9DSf52dru4WE=
 github.com/dgraph-io/ristretto v0.2.0/go.mod h1:8uBHCU/PBV4Ag0CJrP47b9Ofby5dqWNh4FicAdoqFNU=
-github.com/dgraph-io/ristretto/v2 v2.1.0 h1:59LjpOJLNDULHh8MC4UaegN52lC4JnO2dITsie/Pa8I=
-github.com/dgraph-io/ristretto/v2 v2.1.0/go.mod h1:uejeqfYXpUomfse0+lO+13ATz4TypQYLJZzBSAemuB4=
+github.com/dgraph-io/ristretto/v2 v2.2.0 h1:bkY3XzJcXoMuELV8F+vS8kzNgicwQFAaGINAEJdWGOM=
+github.com/dgraph-io/ristretto/v2 v2.2.0/go.mod h1:RZrm63UmcBAaYWC1DotLYBmTvgkrs0+XhBd7Npn7/zI=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
-github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 h1:fAjc9m62+UWV/WAFKLNi6ZS0675eEUC9y3AlwSbQu1Y=
-github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
+github.com/dgryski/go-farm v0.0.0-20240924180020-3414d57e47da h1:aIftn67I1fkbMa512G+w+Pxci9hJPB8oMnkcP3iZF38=
+github.com/dgryski/go-farm v0.0.0-20240924180020-3414d57e47da/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
@@ -319,8 +320,8 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
 github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
-github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
+github.com/gabriel-vasile/mimetype v1.4.9 h1:5k+WDwEsD9eTLL8Tz3L0VnmVh9QxGjRmjBvAG7U/oYY=
+github.com/gabriel-vasile/mimetype v1.4.9/go.mod h1:WnSQhFKJuBlRyLiKohA/2DtIlPFAbguNaG7QCHcyGok=
 github.com/gdexlab/go-render v1.0.1 h1:rxqB3vo5s4n1kF0ySmoNeSPRYkEsyHgln4jFIQY7v0U=
 github.com/gdexlab/go-render v1.0.1/go.mod h1:wRi5nW2qfjiGj4mPukH4UV0IknS1cHD4VgFTmJX5JzM=
 github.com/getkin/kin-openapi v0.13.0/go.mod h1:WGRs2ZMM1Q8LR1QBEwUxC6RJEfaBcD0s+pcEVXFuAjw=
@@ -333,8 +334,8 @@ github.com/go-acme/lego/v4 v4.4.0 h1:uHhU5LpOYQOdp3aDU+XY2bajseu8fuExphTL1Ss6/Fc
 github.com/go-acme/lego/v4 v4.4.0/go.mod h1:l3+tFUFZb590dWcqhWZegynUthtaHJbG2fevUpoOOE0=
 github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-asn1-ber/asn1-ber v1.4.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-asn1-ber/asn1-ber v1.5.7 h1:DTX+lbVTWaTw1hQ+PbZPlnDZPEIs0SS/GCZAl535dDk=
-github.com/go-asn1-ber/asn1-ber v1.5.7/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
+github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-chi/chi v4.0.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ=
 github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=
 github.com/go-chi/chi/v5 v5.2.1/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
@@ -367,8 +368,8 @@ github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBj
 github.com/go-kit/log v0.2.1 h1:MRVx0/zhvdseW+Gza6N9rVzU/IVzaeE1SFI4raAhmBU=
 github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
 github.com/go-ldap/ldap/v3 v3.1.7/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q=
-github.com/go-ldap/ldap/v3 v3.4.10 h1:ot/iwPOhfpNVgB1o+AVXljizWZ9JTp7YF5oeyONmcJU=
-github.com/go-ldap/ldap/v3 v3.4.10/go.mod h1:JXh4Uxgi40P6E9rdsYqpUtbW46D9UTjJ9QSwGRznplY=
+github.com/go-ldap/ldap/v3 v3.4.11 h1:4k0Yxweg+a3OyBLjdYn5OKglv18JNvfDykSoI8bW0gU=
+github.com/go-ldap/ldap/v3 v3.4.11/go.mod h1:bY7t0FLK8OAVpp/vV6sSlpz3EQDGcQwc8pF0ujLgKvM=
 github.com/go-ldap/ldif v0.0.0-20200320164324-fd88d9b715b3 h1:sfz1YppV05y4sYaW7kXZtrocU/+vimnIWt4cxAYh7+o=
 github.com/go-ldap/ldif v0.0.0-20200320164324-fd88d9b715b3/go.mod h1:ZXFhGda43Z2TVbfGZefXyMJzsDHhCh0go3bZUcwTx7o=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
@@ -411,15 +412,15 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.25.0 h1:5Dh7cjvzR7BRZadnsVOzPhWsrwUr0nmsZJxEAnFLNO8=
-github.com/go-playground/validator/v10 v10.25.0/go.mod h1:GGzBIJMuE98Ic/kJsBXbz1x/7cByt++cQ+YOuDM5wus=
+github.com/go-playground/validator/v10 v10.26.0 h1:SP05Nqhjcvz81uJaRfEV0YBSSSGMc/iMaVtFbr3Sw2k=
+github.com/go-playground/validator/v10 v10.26.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
 github.com/go-redis/redis/v8 v8.11.5 h1:AcZZR7igkdvfVmQTPnu9WE37LRrO/YrBH5zWyjDC0oI=
 github.com/go-redis/redis/v8 v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq8Jd4h5lpwo=
 github.com/go-resty/resty/v2 v2.1.1-0.20191201195748-d7b97669fe48/go.mod h1:dZGr0i9PLlaaTD4H/hoZIDjQ+r6xq8mgbRzHZf7f2J8=
 github.com/go-resty/resty/v2 v2.7.0 h1:me+K9p3uhSmXtrBZ4k9jcEAfJmuC8IivWHwaLZwPrFY=
 github.com/go-resty/resty/v2 v2.7.0/go.mod h1:9PWDzw47qPphMRFfhsyk0NnSgvluHcljSMVIq3w7q0I=
-github.com/go-sql-driver/mysql v1.9.1 h1:FrjNGn/BsJQjVRuSa8CBrM5BWA9BWoXXat3KrtSb/iI=
-github.com/go-sql-driver/mysql v1.9.1/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
+github.com/go-sql-driver/mysql v1.9.2 h1:4cNKDYQ1I84SXslGddlsrMhc8k4LeDVj6Ad6WRjiHuU=
+github.com/go-sql-driver/mysql v1.9.2/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
@@ -439,16 +440,16 @@ github.com/gobwas/ws v1.2.1 h1:F2aeBZrm2NDsc7vbovKrWSogd4wvfAxg0FQ89/iqOTk=
 github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
-github.com/goccy/go-yaml v1.11.2 h1:joq77SxuyIs9zzxEjgyLBugMQ9NEgTWxXfz2wVqwAaQ=
-github.com/goccy/go-yaml v1.11.2/go.mod h1:wKnAMd44+9JAAnGQpWVEgBzGt3YuTaQ4uXoHvE4m7WU=
+github.com/goccy/go-yaml v1.12.0 h1:/1WHjnMsI1dlIBQutrvSMGZRQufVO3asrHfTwfACoPM=
+github.com/goccy/go-yaml v1.12.0/go.mod h1:wKnAMd44+9JAAnGQpWVEgBzGt3YuTaQ4uXoHvE4m7WU=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E=
 github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0=
 github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gofrs/uuid v4.4.0+incompatible h1:3qXRTX8/NbyulANqlc0lchS1gqAVxRgsuW1YrTJupqA=
 github.com/gofrs/uuid v4.4.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/gofrs/uuid/v5 v5.3.0 h1:m0mUMr+oVYUdxpMLgSYCZiXe7PuVPnI94+OMeVBNedk=
-github.com/gofrs/uuid/v5 v5.3.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
+github.com/gofrs/uuid/v5 v5.3.2 h1:2jfO8j3XgSwlz/wHqemAEugfnTlikAYHhnqQ8Xh4fE0=
+github.com/gofrs/uuid/v5 v5.3.2/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
@@ -459,8 +460,6 @@ github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXe
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
 github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
-github.com/golang/geo v0.0.0-20210211234256-740aa86cb551 h1:gtexQ/VGyN+VVFRXSFiguSNcXmS6rkKT+X7FdIrTtfo=
-github.com/golang/geo v0.0.0-20210211234256-740aa86cb551/go.mod h1:QZ0nwyI2jOfgRAoBvP+ab5aRr7c9x7lhGEJrKvBwjWI=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -504,8 +503,8 @@ github.com/gomodule/redigo v1.9.2 h1:HrutZBLhSIU8abiSfW8pj8mPhOyMYjZT/wcA4/L9L9s
 github.com/gomodule/redigo v1.9.2/go.mod h1:KsU3hiK/Ay8U42qpaJk+kuNa3C+spxapWpM+ywhcgtw=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/flatbuffers v24.12.23+incompatible h1:ubBKR94NR4pXUCY/MUsRVzd9umNW7ht7EG9hHfS9FX8=
-github.com/google/flatbuffers v24.12.23+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
+github.com/google/flatbuffers v25.2.10+incompatible h1:F3vclr7C3HpB1k9mxCGRMXq6FdUalZ6H/pNX4FP1v0Q=
+github.com/google/flatbuffers v25.2.10+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -528,8 +527,8 @@ github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/go-tika v0.3.1 h1:l+jr10hDhZjcgxFRfcQChRLo1bPXQeLFluMyvDhXTTA=
 github.com/google/go-tika v0.3.1/go.mod h1:DJh5N8qxXIl85QkqmXknd+PeeRkUOTbvwyYf7ieDz6c=
-github.com/google/go-tpm v0.9.3 h1:+yx0/anQuGzi+ssRqeD6WpXjW2L/V0dItUayO0i9sRc=
-github.com/google/go-tpm v0.9.3/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
+github.com/google/go-tpm v0.9.5 h1:ocUmnDebX54dnW+MQWGQRbdaAcJELsa6PqZhJ48KwVU=
+github.com/google/go-tpm v0.9.5/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@@ -540,8 +539,8 @@ github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad h1:a6HEuzUHeKH6hwfN/ZoQgRgVIWFJljSWa/zetS2WTvg=
-github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/renameio/v2 v2.0.0 h1:UifI23ZTGY8Tt29JbYFiuyIU3eX+RNFtUwefq9qAhxg=
 github.com/google/renameio/v2 v2.0.0/go.mod h1:BtmJXm5YlszgC+TD4HOEEUFgkJP3nLxehU6hfe7jRt4=
@@ -553,10 +552,10 @@ github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/gookit/color v1.5.4 h1:FZmqs7XOyGgCAxmWyPslpiok1k05wmY3SJTytgvYFs0=
 github.com/gookit/color v1.5.4/go.mod h1:pZJOeOS8DM43rXbp4AZo1n9zCU2qjpcRko0b6/QJi9w=
-github.com/gookit/config/v2 v2.2.5 h1:RECbYYbtherywmzn3LNeu9NA5ZqhD7MSKEMsJ7l+MpU=
-github.com/gookit/config/v2 v2.2.5/go.mod h1:NeX+yiNYn6Ei10eJvCQFXuHEPIE/IPS8bqaFIsszzaM=
-github.com/gookit/goutil v0.6.15 h1:mMQ0ElojNZoyPD0eVROk5QXJPh2uKR4g06slgPDF5Jo=
-github.com/gookit/goutil v0.6.15/go.mod h1:qdKdYEHQdEtyH+4fNdQNZfJHhI0jUZzHxQVAV3DaMDY=
+github.com/gookit/config/v2 v2.2.6 h1:8ZbkSr3gnFg1En8za9X3vldnZca3y3C7kaBLGsdLghE=
+github.com/gookit/config/v2 v2.2.6/go.mod h1:++APDf3Ebj6mjzW1ALkegvg1evQKyx4FpuQqQZ2s2WM=
+github.com/gookit/goutil v0.6.18 h1:MUVj0G16flubWT8zYVicIuisUiHdgirPAkmnfD2kKgw=
+github.com/gookit/goutil v0.6.18/go.mod h1:AY/5sAwKe7Xck+mEbuxj0n/bc3qwrGNe3Oeulln7zBA=
 github.com/gookit/ini/v2 v2.2.3 h1:nSbN+x9OfQPcMObTFP+XuHt8ev6ndv/fWWqxFhPMu2E=
 github.com/gookit/ini/v2 v2.2.3/go.mod h1:Vu6p7P7xcfmb8KYu3L0ek8bqu/Im63N81q208SCCZY4=
 github.com/gophercloud/gophercloud v0.15.1-0.20210202035223-633d73521055/go.mod h1:wRtmUelyIIv3CSSDI47aUwbs075O6i+LY+pXsKCBsb4=
@@ -572,8 +571,6 @@ github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/schema v1.4.1 h1:jUg5hUjCSDZpNGLuXQOgIWGdlgrIdYvgQ0wZtdK1M3E=
 github.com/gorilla/schema v1.4.1/go.mod h1:Dg5SSm5PV60mhF2NFaTV1xuYYj8tV8NOPRo4FggUMnM=
-github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
-github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI=
@@ -660,8 +657,8 @@ github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHW
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
-github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ=
-github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
+github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
+github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.5/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
@@ -689,12 +686,10 @@ github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHU
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.2.9 h1:66ze0taIn2H33fBvCkXuv9BmCwDfafmiIVpKV9kKGuY=
-github.com/klauspost/cpuid/v2 v2.2.9/go.mod h1:rqkxqrZ1EhYM9G+hXH7YdowN5R5RGN6NK4QwQ3WMXF8=
+github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
+github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/kobergj/gowebdav v0.0.0-20250102091030-aa65266db202 h1:A1xJ2NKgiYFiaHiLl9B5yw/gUBACSs9crDykTS3GuQI=
 github.com/kobergj/gowebdav v0.0.0-20250102091030-aa65266db202/go.mod h1:bHA7t77X/QFExdeAnDzK6vKM34kEZAcE1OX4MfiwjkE=
-github.com/kobergj/plugins/v4/store/nats-js-kv v0.0.0-20240807130109-f62bb67e8c90 h1:pfI8Z5yavO6fU6vDGlWhZ4BgDlvj8c6xB7J57HfTPwA=
-github.com/kobergj/plugins/v4/store/nats-js-kv v0.0.0-20240807130109-f62bb67e8c90/go.mod h1:pjcozWijkNPbEtX5SIQaxEW/h8VAVZYTLx+70bmB3LY=
 github.com/kolo/xmlrpc v0.0.0-20200310150728-e0350524596b/go.mod h1:o03bZfuBwAXHetKXuInt4S7omeXUu62/A845kiycsSQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -705,8 +700,6 @@ github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
@@ -725,8 +718,8 @@ github.com/leonelquinteros/gotext v1.7.1 h1:/JNPeE3lY5JeVYv2+KBpz39994W3W9fmZCGq
 github.com/leonelquinteros/gotext v1.7.1/go.mod h1:I0WoFDn9u2D3VbPnnDPT8mzZu0iSXG8iih+AH2fHHqg=
 github.com/libregraph/idm v0.5.0 h1:tDMwKbAOZzdeDYMxVlY5PbSqRKO7dbAW9KT42A51WSk=
 github.com/libregraph/idm v0.5.0/go.mod h1:BGMwIQ/6orJSPVzJ1x6kgG2JyG9GY05YFmbsnaD80k0=
-github.com/libregraph/lico v0.65.1 h1:7ENAoAgbetZkJSwa1dMMP5WvXMTQ5E/3LI4uRDhwjEk=
-github.com/libregraph/lico v0.65.1/go.mod h1:6w+kgoTYiXpJ7VriAaKJfeyF0eV/Stapd9pnK64du84=
+github.com/libregraph/lico v0.66.0 h1:7T6fD1YF0Ep9n0g4KN6dvWHTlDC3awrQpgsP5GdYCF4=
+github.com/libregraph/lico v0.66.0/go.mod h1:QI7NfmAkAWQ2y97iVfLv10S8tcvPQjc630uyfHGjIOw=
 github.com/libregraph/oidc-go v1.1.0 h1:RyudjL3UyQblqeBQI06W53PniWobqODeeyAy6v/HumA=
 github.com/libregraph/oidc-go v1.1.0/go.mod h1:qW9ubcXvZrfbbWZBaLMuk7bt5qAUMYyt9/NtXQt07Cw=
 github.com/linode/linodego v0.25.3/go.mod h1:GSBKPpjoQfxEfryoCRcgkuUOCuVtGHWhzI8OMdycNTE=
@@ -768,8 +761,8 @@ github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
-github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
-github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v1.14.27 h1:drZCnuvf37yPfs95E5jd9s3XhdVWLal+6BOK6qrv6IU=
+github.com/mattn/go-sqlite3 v1.14.27/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mattn/go-tty v0.0.0-20180219170247-931426f7535a/go.mod h1:XPvLUNfbS4fJH25nqRHfWLMa1ONC8Amw+mIA639KxkE=
 github.com/mattn/go-tty v0.0.3/go.mod h1:ihxohKRERHTVzN+aSVRwACLCeqIoZAWpoICkkvrWyR0=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
@@ -789,8 +782,8 @@ github.com/minio/highwayhash v1.0.3 h1:kbnuUMoHYyVl7szWjSxJnxw11k2U709jqFPPmIUyD
 github.com/minio/highwayhash v1.0.3/go.mod h1:GGYsuwP/fPD6Y9hMiXuapVvlIUEhFhMTh0rxU3ik1LQ=
 github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
 github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
-github.com/minio/minio-go/v7 v7.0.88 h1:v8MoIJjwYxOkehp+eiLIuvXk87P2raUtoU5klrAAshs=
-github.com/minio/minio-go/v7 v7.0.88/go.mod h1:33+O8h0tO7pCeCWwBVa07RhVVfB/3vS4kEX7rwYKmIg=
+github.com/minio/minio-go/v7 v7.0.89 h1:hx4xV5wwTUfyv8LarhJAwNecnXpoTsj9v3f3q/ZkiJU=
+github.com/minio/minio-go/v7 v7.0.89/go.mod h1:2rFnGAp02p7Dddo1Fq4S2wYOfpF0MUTSeLTRC90I204=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
@@ -825,14 +818,14 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8m
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04/go.mod h1:5sN+Lt1CaY4wsPvgQH/jsuJi4XO2ssZbdsIizr4CVC8=
-github.com/nats-io/jwt/v2 v2.7.3 h1:6bNPK+FXgBeAqdj4cYQ0F8ViHRbi7woQLq4W29nUAzE=
-github.com/nats-io/jwt/v2 v2.7.3/go.mod h1:GvkcbHhKquj3pkioy5put1wvPxs78UlZ7D/pY+BgZk4=
-github.com/nats-io/nats-server/v2 v2.11.0 h1:fdwAT1d6DZW/4LUz5rkvQUe5leGEwjjOQYntzVRKvjE=
-github.com/nats-io/nats-server/v2 v2.11.0/go.mod h1:leXySghbdtXSUmWem8K9McnJ6xbJOb0t9+NQ5HTRZjI=
-github.com/nats-io/nats.go v1.39.1 h1:oTkfKBmz7W047vRxV762M67ZdXeOtUgvbBaNoQ+3PPk=
-github.com/nats-io/nats.go v1.39.1/go.mod h1:MgRb8oOdigA6cYpEPhXJuRVH6UE/V4jblJ2jQ27IXYM=
-github.com/nats-io/nkeys v0.4.10 h1:glmRrpCmYLHByYcePvnTBEAwawwapjCPMjy2huw20wc=
-github.com/nats-io/nkeys v0.4.10/go.mod h1:OjRrnIKnWBFl+s4YK5ChQfvHP2fxqZexrKJoVVyWB3U=
+github.com/nats-io/jwt/v2 v2.7.4 h1:jXFuDDxs/GQjGDZGhNgH4tXzSUK6WQi2rsj4xmsNOtI=
+github.com/nats-io/jwt/v2 v2.7.4/go.mod h1:me11pOkwObtcBNR8AiMrUbtVOUGkqYjMQZ6jnSdVUIA=
+github.com/nats-io/nats-server/v2 v2.11.4 h1:oQhvy6He6ER926sGqIKBKuYHH4BGnUQCNb0Y5Qa+M54=
+github.com/nats-io/nats-server/v2 v2.11.4/go.mod h1:jFnKKwbNeq6IfLHq+OMnl7vrFRihQ/MkhRbiWfjLdjU=
+github.com/nats-io/nats.go v1.42.0 h1:ynIMupIOvf/ZWH/b2qda6WGKGNSjwOUutTpWRvAmhaM=
+github.com/nats-io/nats.go v1.42.0/go.mod h1:iRWIPokVIFbVijxuMQq4y9ttaBTMe0SFdlZfMDd+33g=
+github.com/nats-io/nkeys v0.4.11 h1:q44qGV008kYd9W1b1nEBkNzvnWxtRSQ7A8BoqRrcfa0=
+github.com/nats-io/nkeys v0.4.11/go.mod h1:szDimtgmfOi9n25JpfIdGw12tZFYXqhGxjhVxsatHVE=
 github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
 github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
 github.com/nbio/st v0.0.0-20140626010706-e9e8d9816f32/go.mod h1:9wM+0iRr9ahx58uYLpLIr5fm8diHn0JbqRycJi6w0Ms=
@@ -849,24 +842,33 @@ github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+
 github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA=
 github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
-github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
+github.com/olekukonko/errors v0.0.0-20250405072817-4e6d85265da6 h1:r3FaAI0NZK3hSmtTDrBVREhKULp8oUeqLT5Eyl2mSPo=
+github.com/olekukonko/errors v0.0.0-20250405072817-4e6d85265da6/go.mod h1:ppzxA5jBKcO1vIpCXQ9ZqgDh8iwODz6OXIGKU8r5m4Y=
+github.com/olekukonko/ll v0.0.8-0.20250516010636-22ea57d81985 h1:V2wKiwjwAfRJRtUP6pC7wt4opeF14enO0du2dRV6Llo=
+github.com/olekukonko/ll v0.0.8-0.20250516010636-22ea57d81985/go.mod h1:En+sEW0JNETl26+K8eZ6/W4UQ7CYSrrgg/EdIYT2H8g=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
+github.com/olekukonko/tablewriter v1.0.6 h1:/T45mIHc5hcEvibgzBzvMy7ruT+RjgoQRvkHbnl6OWA=
+github.com/olekukonko/tablewriter v1.0.6/go.mod h1:SJ0MV1aHb/89fLcsBMXMp30Xg3g5eGoOUu0RptEk4AU=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
-github.com/onsi/ginkgo/v2 v2.23.3 h1:edHxnszytJ4lD9D5Jjc4tiDkPBZ3siDeJJkUZJJVkp0=
-github.com/onsi/ginkgo/v2 v2.23.3/go.mod h1:zXTP6xIp3U8aVuXN8ENK9IXRaTjFnpVB9mGmaSRvxnM=
+github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
+github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
-github.com/onsi/gomega v1.36.3 h1:hID7cr8t3Wp26+cYnfcjR6HpJ00fdogN6dqZ1t6IylU=
-github.com/onsi/gomega v1.36.3/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
-github.com/open-policy-agent/opa v1.2.0 h1:88NDVCM0of1eO6Z4AFeL3utTEtMuwloFmWWU7dRV1z0=
-github.com/open-policy-agent/opa v1.2.0/go.mod h1:30euUmOvuBoebRCcJ7DMF42bRBOPznvt0ACUMYDUGVY=
-github.com/opencloud-eu/reva/v2 v2.29.1 h1:SgB2zn8d/3UWwFiJ0pUs85aDKJJ36JoKnyRM+iW+VoI=
-github.com/opencloud-eu/reva/v2 v2.29.1/go.mod h1:+nkCU7w6E6cyNSsKRYj1rb0cCI7QswEQ7KOPljctebM=
+github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
+github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
+github.com/open-policy-agent/opa v1.4.2 h1:ag4upP7zMsa4WE2p1pwAFeG4Pn3mNwfAx9DLhhJfbjU=
+github.com/open-policy-agent/opa v1.4.2/go.mod h1:DNzZPKqKh4U0n0ANxcCVlw8lCSv2c+h5G/3QvSYdWZ8=
+github.com/opencloud-eu/go-micro-plugins/v4/store/nats-js-kv v0.0.0-20250512152754-23325793059a h1:Sakl76blJAaM6NxylVkgSzktjo2dS504iDotEFJsh3M=
+github.com/opencloud-eu/go-micro-plugins/v4/store/nats-js-kv v0.0.0-20250512152754-23325793059a/go.mod h1:pjcozWijkNPbEtX5SIQaxEW/h8VAVZYTLx+70bmB3LY=
+github.com/opencloud-eu/libre-graph-api-go v1.0.6 h1:bUQq0tfaLboZZmPuI6C1rr/wFIVOIM9IsE1WqI5QsDA=
+github.com/opencloud-eu/libre-graph-api-go v1.0.6/go.mod h1:pzatilMEHZFT3qV7C/X3MqOa3NlRQuYhlRhZTL+hN6Q=
+github.com/opencloud-eu/reva/v2 v2.33.1-0.20250520152851-d33c49bb52b9 h1:7y8gTqVQSXLyAqeUFesbI58OkgGcS5fmfq2f3e95XOI=
+github.com/opencloud-eu/reva/v2 v2.33.1-0.20250520152851-d33c49bb52b9/go.mod h1:8S3B+GPFdGMcNL/pkSHI4K2/E0ICvR7qxllE7Ooydm8=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
@@ -875,8 +877,6 @@ github.com/oracle/oci-go-sdk v24.3.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35uk
 github.com/orcaman/concurrent-map v1.0.0 h1:I/2A2XPCb4IuQWcQhBhSwGfiuybl/J0ev9HDbW65HOY=
 github.com/orcaman/concurrent-map v1.0.0/go.mod h1:Lu3tH6HLW3feq74c2GC+jIMS/K2CFcDWnWD9XkenwhI=
 github.com/ovh/go-ovh v1.1.0/go.mod h1:AxitLZ5HBRPyUd+Zl60Ajaag+rNTdVXWIkzfrVuTXWA=
-github.com/owncloud/libre-graph-api-go v1.0.5-0.20240829135935-80dc00d6f5ea h1:ClVthQOjKb7uI2DhHFzIPy+adc6plptGaryH20KOoxQ=
-github.com/owncloud/libre-graph-api-go v1.0.5-0.20240829135935-80dc00d6f5ea/go.mod h1:yXI+rmE8yYx+ZsGVrnCpprw/gZMcxjwntnX2y2+VKxY=
 github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c h1:rp5dCmg/yLR3mgFuSOe4oEnDDmGLROTvMragMUXpTQw=
 github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c/go.mod h1:X07ZCGwUbLaax7L0S3Tw4hpejzu63ZrrQiUe6W0hcy0=
 github.com/pablodz/inotifywaitgo v0.0.9 h1:njquRbBU7fuwIe5rEvtaniVBjwWzcpdUVptSgzFqZsw=
@@ -895,7 +895,6 @@ github.com/pierrec/lz4/v4 v4.1.15 h1:MO0/ucJhngq7299dKLwIMtgTfbkoSPF6AoMYDd8Q4q0
 github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4=
 github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A=
-github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -911,6 +910,8 @@ github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndr
 github.com/pquerna/cachecontrol v0.2.0 h1:vBXSNuE5MYP9IJ5kjsdo8uq+w41jSPgvba2DEnkRx9k=
 github.com/pquerna/cachecontrol v0.2.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
 github.com/pquerna/otp v1.3.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
+github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
+github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
 github.com/prometheus/alertmanager v0.28.1 h1:BK5pCoAtaKg01BYRUJhEDV1tqJMEtYBGzPw8QdvnnvA=
 github.com/prometheus/alertmanager v0.28.1/go.mod h1:0StpPUDDHi1VXeM7p2yYfeZgLVi/PPlt39vo9LQUHxM=
 github.com/prometheus/client_golang v0.8.0/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
@@ -924,8 +925,8 @@ github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqr
 github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
 github.com/prometheus/client_golang v1.12.2/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
 github.com/prometheus/client_golang v1.13.0/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ=
-github.com/prometheus/client_golang v1.21.1 h1:DOvXXTqVzvkIewV/CDPFdejpMCGeMcbGCQ8YOmu+Ibk=
-github.com/prometheus/client_golang v1.21.1/go.mod h1:U9NM32ykUErtVBxdvD3zfi+EuFkkaBvMb09mIfe0Zgg=
+github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
+github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
 github.com/prometheus/client_model v0.0.0-20170216185247-6f3806018612/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
@@ -976,8 +977,6 @@ github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
-github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=
@@ -986,8 +985,8 @@ github.com/rs/xid v1.6.0 h1:fV591PaemRlL6JfRxGDEPl69wICngIQ3shQtzfy2gxU=
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
 github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
 github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
-github.com/russellhaering/goxmldsig v1.4.0 h1:8UcDh/xGyQiyrW+Fq5t8f+l2DLB1+zlhYzkPUJ7Qhys=
-github.com/russellhaering/goxmldsig v1.4.0/go.mod h1:gM4MDENBQf7M+V824SGfyIUVFWydB7n0KkEubVJl+Tw=
+github.com/russellhaering/goxmldsig v1.5.0 h1:AU2UkkYIUOTyZRbe08XMThaOCelArgvNfYapcmSjBNw=
+github.com/russellhaering/goxmldsig v1.5.0/go.mod h1:x98CjQNFJcWfMxeOrMnMKg70lvDP6tE0nTaeUnjXDmk=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -995,8 +994,8 @@ github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb
 github.com/sacloud/libsacloud v1.36.2/go.mod h1:P7YAOVmnIn3DKHqCZcUKYUXmSwGBm3yS7IBEjKVSrjg=
 github.com/scaleway/scaleway-sdk-go v1.0.0-beta.7.0.20210127161313-bd30bebeac4f/go.mod h1:CJJ5VAbozOl0yEw7nHB9+7BXTJbIn6h7W+f6Gau5IP8=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
-github.com/segmentio/kafka-go v0.4.47 h1:IqziR4pA3vrZq7YdRxaT3w1/5fvIH5qpCwstUanQQB0=
-github.com/segmentio/kafka-go v0.4.47/go.mod h1:HjF6XbOKh0Pjlkr5GVZxt6CsjjwnmhVOfURM5KMd8qg=
+github.com/segmentio/kafka-go v0.4.48 h1:9jyu9CWK4W5W+SroCe8EffbrRZVqAOkuaLd/ApID4Vs=
+github.com/segmentio/kafka-go v0.4.48/go.mod h1:HjF6XbOKh0Pjlkr5GVZxt6CsjjwnmhVOfURM5KMd8qg=
 github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c=
 github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE=
 github.com/sercand/kuberesolver/v5 v5.1.1 h1:CYH+d67G0sGBj7q5wLK61yzqJJ8gLLC8aeprPTHb6yY=
@@ -1098,17 +1097,21 @@ github.com/toorop/go-dkim v0.0.0-20201103131630-e1cd1a0a5208/go.mod h1:BzWtXXrXz
 github.com/transip/gotransip/v6 v6.2.0/go.mod h1:pQZ36hWWRahCUXkFWlx9Hs711gLd8J4qdgLdRzmtY+g=
 github.com/trustelem/zxcvbn v1.0.1 h1:mp4JFtzdDYGj9WYSD3KQSkwwUumWNFzXaAjckaTYpsc=
 github.com/trustelem/zxcvbn v1.0.1/go.mod h1:zonUyKeh7sw6psPf/e3DtRqkRyZvAbOfjNz/aO7YQ5s=
-github.com/tus/tusd/v2 v2.7.1 h1:TGJjhv9RYXDmsTz8ug/qSd9vQpmD0Ik0G0IPo80Qmc0=
-github.com/tus/tusd/v2 v2.7.1/go.mod h1:PLdIMQ/ge+5ADgGKcL3FgTaPs+7wB0JIiI5HQXAiJE8=
+github.com/tus/tusd/v2 v2.8.0 h1:X2jGxQ05jAW4inDd2ogmOKqwnb4c/D0lw2yhgHayWyU=
+github.com/tus/tusd/v2 v2.8.0/go.mod h1:3/zEOVQQIwmJhvNam8phV4x/UQt68ZmZiTzeuJUNhVo=
 github.com/uber-go/atomic v1.3.2/go.mod h1:/Ct5t2lcmbJ4OSe/waGBoaVvVqtO0bmtfVNex1PFV8g=
 github.com/urfave/cli v1.22.4/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
-github.com/urfave/cli/v2 v2.27.5 h1:WoHEJLdsXr6dDWoJgMq/CboDmyY/8HMMH1fTECbih+w=
-github.com/urfave/cli/v2 v2.27.5/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ=
+github.com/urfave/cli/v2 v2.27.6 h1:VdRdS98FNhKZ8/Az8B7MTyGQmpIr36O1EHybx/LaZ4g=
+github.com/urfave/cli/v2 v2.27.6/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fasttemplate v1.0.1/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8=
 github.com/valyala/fasttemplate v1.1.0/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8=
 github.com/vinyldns/go-vinyldns v0.0.0-20200917153823-148a5f6b8f14/go.mod h1:RWc47jtnVuQv6+lY3c768WtXCas/Xi+U5UFc5xULmYg=
+github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IUPn0Bjt8=
+github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok=
+github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
+github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
 github.com/vultr/govultr/v2 v2.0.0/go.mod h1:2PsEeg+gs3p/Fo5Pw8F9mv+DUBEOlrNZ8GmCTGmhOhs=
 github.com/wk8/go-ordered-map v1.0.0 h1:BV7z+2PaK8LTSd/mWgY12HyMAo5CEgkHqbkVq2thqr8=
 github.com/wk8/go-ordered-map v1.0.0/go.mod h1:9ZIbRunKbuvfPKyBP1SIKLcXNlv74YCOZ3t3VTS6gRk=
@@ -1165,33 +1168,37 @@ go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJyS
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 h1:sbiXRNDSWJOTobXh5HyQKjq6wUC5tNybqjIqDpAY4CU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0/go.mod h1:69uWxva0WgAA/4bu2Yy70SLDBwZXuQ6PbBpbsa5iZrQ=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
 go.opentelemetry.io/contrib/zpages v0.60.0 h1:wOM9ie1Hz4H88L9KE6GrGbKJhfm+8F1NfW/Y3q9Xt+8=
 go.opentelemetry.io/contrib/zpages v0.60.0/go.mod h1:xqfToSRGh2MYUsfyErNz8jnNDPlnpZqWM/y6Z2Cx7xw=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/exporters/jaeger v1.17.0 h1:D7UpUy2Xc2wsi1Ras6V40q806WM07rqoCWzXu7Sqy+4=
 go.opentelemetry.io/otel/exporters/jaeger v1.17.0/go.mod h1:nPCqOnEH9rNLKqH/+rrUjiMzHJdV1BlpKcTwRTyKkKI=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 h1:1fTNlAIJZGWLP5FVu0fikVry1IsiUnXjf7QFvoNN3Xw=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0/go.mod h1:zjPK58DtkqQFn+YUMbx0M2XV3QgKU0gS9LeGohREyK4=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 h1:m639+BofXTvcY1q8CGs4ItwQarYtJPOWmVobfM1HpVI=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0/go.mod h1:LjReUci/F4BUyv+y4dwnq3h/26iNOeC3wAIqgvTIZVo=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
-go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
-go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
-go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
-go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
-go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0 h1:dNzwXjZKpMpE2JhmO+9HsPl42NIXFIFSUSSs0fiqra0=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0/go.mod h1:90PoxvaEB5n6AOdZvi+yWJQoE95U8Dhhw2bSyRqnTD0=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.36.0 h1:JgtbA0xkWHnTmYk7YusopJFX6uleBmAuZ8n05NEh8nQ=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.36.0/go.mod h1:179AK5aar5R3eS9FucPy6rggvU0g52cvKId8pv4+v0c=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qHD0C1BeYVTLLR9sX12+Qb95kfeD/byKj6Ky1pXg=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk=
+go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
+go.opentelemetry.io/proto/otlp v1.6.0 h1:jQjP+AQyTf+Fe7OKj/MfkDrmK4MNVtw2NpXsf9fefDI=
+go.opentelemetry.io/proto/otlp v1.6.0/go.mod h1:cicgGehlFuNdgZkcALOCh3VE6K/u2tAjzlRhDwmVpZc=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
+go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
@@ -1220,15 +1227,13 @@ golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
+golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1244,8 +1249,8 @@ golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac/go.mod h1:hH+7mtFmImwwcMvScy
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/image v0.18.0/go.mod h1:4yyo5vMFQjVjUcVk4jEQcU9MGy/rulF5WvUILseCM2E=
-golang.org/x/image v0.25.0 h1:Y6uW6rH1y5y/LK1J8BPWZtr6yZ7hrsy6hFrXjgsc2fQ=
-golang.org/x/image v0.25.0/go.mod h1:tCAmOEGthTtkalusGp1g3xa2gke8J6c2N565dTyl9Rs=
+golang.org/x/image v0.27.0 h1:C8gA4oWU/tKkdCfYT6T2u4faJu3MeNS5O8UPWlPF61w=
+golang.org/x/image v0.27.0/go.mod h1:xbdrClrAUway1MUTEZDq9mz/UpRwYAkFFNUslZtcB+g=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1320,16 +1325,14 @@ golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
-golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1337,8 +1340,8 @@ golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4Iltr
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
-golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1356,9 +1359,8 @@ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180622082034-63fc586f45fe/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1439,9 +1441,8 @@ golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -1453,9 +1454,8 @@ golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
-golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
-golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
+golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
+golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1471,9 +1471,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1597,12 +1596,12 @@ google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7Fc
 google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 h1:ToEetK57OidYuqD4Q5w+vfEnPvPpuTwedCNVohYJfNk=
-google.golang.org/genproto v0.0.0-20241118233622-e639e219e697/go.mod h1:JJrvXBWRZaFMxBufik1a4RpFw4HhgVtBBWQeQgUj2cc=
-google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
-google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
+google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb h1:ITgPrl429bc6+2ZraNSzMDk3I95nmQln2fuPstKwFDE=
+google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:sAo5UzpjUwgFBCzupwhcLcxHVDK7vG5IqI30YnwX2eE=
+google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237 h1:Kog3KlB4xevJlAcbbbzPfRG0+X9fdoGM+UBRKVz6Wr0=
+google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237/go.mod h1:ezi0AVyMKDWy5xAncvjLWH7UcLBB5n7y2fQ8MzjJcto=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 h1:cJfm9zPbe1e873mHJzmQ1nwVEeRDU/T1wXDK2kUSU34=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.19.1/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
@@ -1618,8 +1617,8 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg=
-google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
+google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
+google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
 google.golang.org/grpc/examples v0.0.0-20211102180624-670c133e568e h1:m7aQHHqd0q89mRwhwS9Bx2rjyl/hsFAeta+uGrHsQaU=
 google.golang.org/grpc/examples v0.0.0-20211102180624-670c133e568e/go.mod h1:gID3PKrg7pWKntu9Ss6zTLJ0ttC0X9IHgREOCZwbCVU=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
@@ -1636,8 +1635,8 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/cenkalti/backoff.v1 v1.1.0 h1:Arh75ttbsvlpVA7WtVpH4u9h6Zl46xuptxqLxPiSo4Y=
 gopkg.in/cenkalti/backoff.v1 v1.1.0/go.mod h1:J6Vskwqd+OMVJl8C33mmtxTBs2gyzfv7UDAkHu8BrjI=
@@ -1674,6 +1673,7 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
--- a/opencloud/Makefile
+++ b/opencloud/Makefile
@@ -11,7 +11,6 @@ ifneq (, $(shell command -v go 2> /dev/null)) # suppress `command not found warn
 include ../.bingo/Variables.mk
 endif
 include ../.make/default.mk
-include ../.make/recursion.mk
 include ../.make/go.mk
 include ../.make/release.mk
 include ../.make/docs.mk
--- a/opencloud/pkg/backup/provider.go
+++ b/opencloud/pkg/backup/provider.go
@@ -10,7 +10,7 @@ import (
 	"sync"

 	"github.com/opencloud-eu/reva/v2/pkg/storage/pkg/decomposedfs/node"
-	"github.com/shamaton/msgpack/v2"
+	"github.com/vmihailenco/msgpack/v5"
 )

 // ListBlobstore required to check blob consistency
--- a/opencloud/pkg/command/benchmark.go
+++ b/opencloud/pkg/command/benchmark.go
@@ -14,7 +14,8 @@ import (
 	"strings"
 	"time"

-	tw "github.com/olekukonko/tablewriter"
+	"github.com/olekukonko/tablewriter"
+	"github.com/olekukonko/tablewriter/tw"
 	"github.com/opencloud-eu/opencloud/opencloud/pkg/register"
 	"github.com/opencloud-eu/opencloud/pkg/config"
 	"github.com/opencloud-eu/opencloud/pkg/version"
@@ -403,11 +404,24 @@ func benchmark(iterations int, path string) error {
 	fmt.Printf("Iterations: %d\n", iterations)
 	fmt.Println("")

-	table := tw.NewWriter(os.Stdout)
-	table.SetHeader([]string{"Test", "Iterations", "dur/it", "total"})
-	table.SetAutoFormatHeaders(false)
-	table.SetColumnAlignment([]int{tw.ALIGN_LEFT, tw.ALIGN_RIGHT, tw.ALIGN_RIGHT, tw.ALIGN_RIGHT})
-	table.SetAutoMergeCellsByColumnIndex([]int{2, 3})
+	cfg := tablewriter.Config{
+		Header: tw.CellConfig{
+			Formatting: tw.CellFormatting{
+				AutoFormat: tw.Off,
+			},
+		},
+		Row: tw.CellConfig{
+			ColumnAligns: []tw.Align{
+				tw.AlignLeft,
+				tw.AlignRight,
+				tw.AlignRight,
+				tw.AlignRight,
+			},
+		},
+	}
+
+	table := tablewriter.NewTable(os.Stdout, tablewriter.WithConfig(cfg))
+	table.Header([]string{"Test", "Iterations", "dur/it", "total"})
 	for _, t := range []string{"lockedfile open(wo,c,t) close", "stat", "fopen(wo,t) write close", "fopen(ro) close", "fopen(ro) read close", "xattr-set", "xattr-get"} {
 		start := time.Now()
 		err := tests[t]()
--- a/opencloud/pkg/command/version.go
+++ b/opencloud/pkg/command/version.go
@@ -4,7 +4,8 @@ import (
 	"fmt"
 	"os"

-	tw "github.com/olekukonko/tablewriter"
+	"github.com/olekukonko/tablewriter"
+	"github.com/olekukonko/tablewriter/tw"
 	"github.com/urfave/cli/v2"
 	mreg "go-micro.dev/v4/registry"

@@ -62,9 +63,8 @@ func VersionCommand(cfg *config.Config) *cli.Command {
 				return nil
 			}

-			table := tw.NewWriter(os.Stdout)
-			table.SetHeader([]string{"Version", "Address", "Id"})
-			table.SetAutoFormatHeaders(false)
+			table := tablewriter.NewTable(os.Stdout, tablewriter.WithHeaderAutoFormat(tw.Off))
+			table.Header([]string{"Version", "Address", "Id"})
 			for _, s := range services {
 				for _, n := range s.Nodes {
 					table.Append([]string{s.Version, n.Address, n.Id})
--- a/opencloud/pkg/revisions/revisions.go
+++ b/opencloud/pkg/revisions/revisions.go
@@ -10,7 +10,7 @@ import (
 	"sync"

 	"github.com/opencloud-eu/reva/v2/pkg/storage/pkg/decomposedfs/node"
-	"github.com/shamaton/msgpack/v2"
+	"github.com/vmihailenco/msgpack/v5"
 )

 var (
--- a/opencloud/pkg/runtime/service/service.go
+++ b/opencloud/pkg/runtime/service/service.go
@@ -480,8 +480,8 @@ func (s *Service) generateRunSet(cfg *occfg.Config) {
 // List running processes for the Service Controller.
 func (s *Service) List(_ struct{}, reply *string) error {
 	tableString := &strings.Builder{}
-	table := tablewriter.NewWriter(tableString)
-	table.SetHeader([]string{"Service"})
+	table := tablewriter.NewTable(tableString)
+	table.Header([]string{"Service"})

 	names := []string{}
 	for t := range s.serviceToken {
--- a/pkg/.mockery.yaml
+++ b/pkg/.mockery.yaml
@@ -1,4 +1,7 @@
+issue-845-fix: True
+resolve-type-alias: False
 with-expecter: true
+disable-version-string: True
 filename: "{{.InterfaceName | snakecase }}.go"
 dir: "{{.PackageName}}/mocks"
 mockname: "{{.InterfaceName}}"
--- a/pkg/Makefile
+++ b/pkg/Makefile
@@ -5,7 +5,6 @@ ifneq (, $(shell command -v go 2> /dev/null)) # suppress `command not found warn
 include ../.bingo/Variables.mk
 endif
 include ../.make/default.mk
-include ../.make/recursion.mk
 include ../.make/go.mk
 include ../.make/release.mk
 include ../.make/docs.mk
--- a/pkg/conversions/ptr_test.go
+++ b/pkg/conversions/ptr_test.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"testing"

-	libregraph "github.com/owncloud/libre-graph-api-go"
+	libregraph "github.com/opencloud-eu/libre-graph-api-go"

 	"github.com/opencloud-eu/opencloud/pkg/conversions"
 )
--- a/pkg/keycloak/client.go
+++ b/pkg/keycloak/client.go
@@ -7,7 +7,7 @@ import (
 	"fmt"

 	"github.com/Nerzal/gocloak/v13"
-	libregraph "github.com/owncloud/libre-graph-api-go"
+	libregraph "github.com/opencloud-eu/libre-graph-api-go"
 )

 // Some attribute constants.
--- a/pkg/keycloak/types.go
+++ b/pkg/keycloak/types.go
@@ -4,7 +4,7 @@ import (
 	"context"

 	"github.com/Nerzal/gocloak/v13"
-	libregraph "github.com/owncloud/libre-graph-api-go"
+	libregraph "github.com/opencloud-eu/libre-graph-api-go"
 )

 // UserAction defines a type for user actions
--- a/pkg/kql/dictionary_gen.go
+++ b/pkg/kql/dictionary_gen.go
@@ -2716,7 +2716,7 @@ var (

 	// errMaxExprCnt is used to signal that the maximum number of
 	// expressions have been parsed.
-	errMaxExprCnt = errors.New("max number of expresssions parsed")
+	errMaxExprCnt = errors.New("max number of expressions parsed")
 )

 // Option is a function that can set an option on the parser. It returns
--- a/pkg/middleware/account.go
+++ b/pkg/middleware/account.go
@@ -42,7 +42,7 @@ func ExtractAccountUUID(opts ...account.Option) func(http.Handler) http.Handler
 	}
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			token := r.Header.Get("x-access-token")
+			token := r.Header.Get(revactx.TokenHeader)
 			if len(token) == 0 {
 				roleIDsJSON, _ := json.Marshal([]string{})
 				ctx := metadata.Set(r.Context(), RoleIDs, string(roleIDsJSON))
--- a/pkg/oidc/mocks/oidc_client.go
+++ b/pkg/oidc/mocks/oidc_client.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.53.0. DO NOT EDIT.
+// Code generated by mockery. DO NOT EDIT.

 package mocks

--- a/pkg/version/version.go
+++ b/pkg/version/version.go
@@ -16,7 +16,7 @@ var (
 	// LatestTag is the latest released version plus the dev meta version.
 	// Will be overwritten by the release pipeline
 	// Needs a manual change for every tagged release
-	LatestTag = "1.1.0+dev"
+	LatestTag = "2.3.0+dev"

 	// Date indicates the build date.
 	// This has been removed, it looks like you can only replace static strings with recent go versions
@@ -46,18 +46,17 @@ func GetString() string {
 // Parsed returns a semver Version
 func Parsed() (version *semver.Version) {
 	versionToParse := LatestTag
-	if Tag != "" {
+	// use the placeholder version if the tag is empty or when we are creating a daily build
+	if Tag != "" && Tag != "daily" {
 		versionToParse = Tag
 	}
 	version, err := semver.NewVersion(versionToParse)
-	// We have no semver version but a commitid
 	if err != nil {
 		// this should never happen
-		if err != nil {
-			return &semver.Version{}
-		}
+		return &semver.Version{}
 	}
 	if String != "" {
+		// We have no tagged version but a commitid
 		nVersion, err := version.SetMetadata(String)
 		if err != nil {
 			return &semver.Version{}
--- a/protogen/.mockery.yaml
+++ b/protogen/.mockery.yaml
@@ -1,4 +1,7 @@
+issue-845-fix: True
+resolve-type-alias: False
 with-expecter: true
+disable-version-string: True
 filename: "{{.InterfaceName | snakecase }}.go"
 dir: "{{.InterfaceDir}}/mocks"
 mockname: "{{.InterfaceName}}"
--- a/protogen/Makefile
+++ b/protogen/Makefile
@@ -5,7 +5,6 @@ ifneq (, $(shell command -v go 2> /dev/null)) # suppress `command not found warn
 include ../.bingo/Variables.mk
 endif
 include ../.make/default.mk
-include ../.make/recursion.mk
 include ../.make/generate.mk

 .PHONY: go-generate
--- a/release-config.ts
+++ b/release-config.ts
@@ -1,49 +1,124 @@
 export default {
-    changeTypes: [
-        {
-            title: '💥 Breaking changes',
-            labels: ['breaking', 'Type:Breaking-Change'],
-            bump: 'major',
-            weight: 3
-        },
-        {
-            title: '🔒 Security',
-            labels: ['security', 'Type:Security'],
-            bump: 'patch',
-            weight: 2
-        },
-        {
-            title: '✨ Features',
-            labels: ['feature', 'Type:Feature'],
-            bump: 'minor',
-            weight: 1
-        },
-        {
-            title: '📈 Enhancement',
-            labels: ['enhancement', 'refactor', 'Type:Enhancement'],
-            bump: 'minor'
-        },
-        {
-            title: '🐛 Bug Fixes',
-            labels: ['bug', 'Type:Bug'],
-            bump: 'patch'
-        },
-        {
-            title: '📚 Documentation',
-            labels: ['docs', 'documentation', 'Type:Documentation'],
-            bump: 'patch'
-        },
-        {
-            title: '✅ Tests',
-            labels: ['test', 'tests', 'Type:Test'],
-            bump: 'patch'
-        },
-        {
-            title: '📦️ Dependencies',
-            labels: ['dependency', 'dependencies', 'Type:Dependencies'],
-            bump: 'patch',
-            weight: -1
-        }
-    ],
-    useVersionPrefixV: true,
-}
+  changeTypes: [
+    {
+      title: "💥 Breaking changes",
+      labels: ["breaking", "Type:Breaking-Change"],
+      bump: "major",
+      weight: 3,
+    },
+    {
+      title: "🔒 Security",
+      labels: ["security", "Type:Security"],
+      bump: "patch",
+      weight: 2,
+    },
+    {
+      title: "✨ Features",
+      labels: ["feature", "Type:Feature"],
+      bump: "minor",
+      weight: 1,
+    },
+    {
+      title: "📈 Enhancement",
+      labels: ["enhancement", "refactor", "Type:Enhancement"],
+      bump: "minor",
+    },
+    {
+      title: "🐛 Bug Fixes",
+      labels: ["bug", "Type:Bug"],
+      bump: "patch",
+    },
+    {
+      title: "📚 Documentation",
+      labels: ["docs", "documentation", "Type:Documentation"],
+      bump: "patch",
+    },
+    {
+      title: "✅ Tests",
+      labels: ["test", "tests", "Type:Test"],
+      bump: "patch",
+    },
+    {
+      title: "📦️ Dependencies",
+      labels: ["dependency", "dependencies", "Type:Dependencies"],
+      bump: "patch",
+      weight: -1,
+    },
+  ],
+  useVersionPrefixV: true,
+  getLatestTag: ({ exec }) => {
+    // the plugin uses the latest tag to determine the next version
+    // and the changes that are included in the upcoming release.
+    const branch = getBranch(exec);
+    let tags = getTags(exec);
+
+    if (branch.startsWith("stable-")) {
+      const [_, majorAndMinor] = branch.split("-");
+      // we only care about tags that are within the range of the current stable branch.
+      // e.g. if the branch is stable-1.2, we only care about tags that are v1.2.x.
+      const matchingTags = tags.filter((t) =>
+        t.startsWith(`v${majorAndMinor}`)
+      );
+
+      if (matchingTags.length) {
+        tags = matchingTags;
+      }
+    }
+
+    return tags.pop() || "v0.0.0";
+  },
+  useLatestRelease: ({ exec, nextVersion }) => {
+    // check if the release should be marked as latest release on GitHub.
+    const tags = getTags(exec);
+    const latestTag = tags.pop() || "v0.0.0";
+    return compareVersions(latestTag, nextVersion) === -1;
+  },
+};
+
+const parseVersion = (tag: string) => {
+  const version = tag.startsWith("v") ? tag.slice(1) : tag;
+  const [main, pre] = version.split("-");
+  const [major, minor, patch] = main.split(".").map(Number);
+  return { major, minor, patch, pre };
+};
+
+const getBranch = (exec: any): string => {
+  return exec("git rev-parse --abbrev-ref HEAD", {
+    silent: true,
+  }).stdout.trim();
+};
+
+const getTags = (exec: any) => {
+  exec("git fetch --tags", { silent: true });
+  const tagsOutput = exec("git tag", { silent: true }).stdout.trim();
+  const tags: string[] = tagsOutput ? tagsOutput.split("\n") : [];
+  return tags.filter((tag) => tag.startsWith("v")).sort(compareVersions);
+};
+
+const compareVersions = (a: string, b: string) => {
+  const va = parseVersion(a);
+  const vb = parseVersion(b);
+
+  if (va.major !== vb.major) {
+    return va.major - vb.major;
+  }
+  if (va.minor !== vb.minor) {
+    return va.minor - vb.minor;
+  }
+  if (va.patch !== vb.patch) {
+    return va.patch - vb.patch;
+  }
+
+  if (va.pre && !vb.pre) {
+    return -1;
+  }
+  if (!va.pre && vb.pre) {
+    return 1;
+  }
+
+  if (va.pre && vb.pre) {
+    return va.pre.localeCompare(vb.pre);
+  }
+
+  return 0;
+};
--- a/services/activitylog/Makefile
+++ b/services/activitylog/Makefile
@@ -8,7 +8,6 @@ include ../../.bingo/Variables.mk
 endif

 include ../../.make/default.mk
-include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk
--- a/services/activitylog/pkg/config/config.go
+++ b/services/activitylog/pkg/config/config.go
@@ -32,6 +32,8 @@ type Config struct {
 	ServiceAccount ServiceAccount `yaml:"service_account"`

 	Context context.Context `yaml:"-"`
+
+	WriteBufferDuration time.Duration `yaml:"write_buffer_duration" env:"ACTIVITYLOG_WRITE_BUFFER_DURATION" desc:"The duration to wait before flushing the write buffer. This is used to reduce the number of writes to the store." introductionVersion:"%%NEXT%%"`
 }

 // Events combines the configuration options for the event bus.
--- a/services/activitylog/pkg/config/defaults/defaultconfig.go
+++ b/services/activitylog/pkg/config/defaults/defaultconfig.go
@@ -1,6 +1,8 @@
 package defaults

 import (
+	"time"
+
 	"github.com/opencloud-eu/opencloud/pkg/shared"
 	"github.com/opencloud-eu/opencloud/pkg/structs"
 	"github.com/opencloud-eu/opencloud/services/activitylog/pkg/config"
@@ -50,6 +52,7 @@ func DefaultConfig() *config.Config {
 				AllowCredentials: true,
 			},
 		},
+		WriteBufferDuration: 10 * time.Second,
 	}
 }

--- a/services/activitylog/pkg/server/http/server.go
+++ b/services/activitylog/pkg/server/http/server.go
@@ -88,6 +88,7 @@ func Server(opts ...Option) (http.Service, error) {
 		svc.HistoryClient(options.HistoryClient),
 		svc.ValueClient(options.ValueClient),
 		svc.RegisteredEvents(options.RegisteredEvents),
+		svc.WriteBufferDuration(options.Config.WriteBufferDuration),
 	)
 	if err != nil {
 		return http.Service{}, err
--- a/services/activitylog/pkg/service/http.go
+++ b/services/activitylog/pkg/service/http.go
@@ -23,7 +23,7 @@ import (
 	"github.com/opencloud-eu/opencloud/pkg/l10n"
 	ehmsg "github.com/opencloud-eu/opencloud/protogen/gen/opencloud/messages/eventhistory/v0"
 	ehsvc "github.com/opencloud-eu/opencloud/protogen/gen/opencloud/services/eventhistory/v0"
-	libregraph "github.com/owncloud/libre-graph-api-go"
+	libregraph "github.com/opencloud-eu/libre-graph-api-go"
 )

 var (
@@ -45,7 +45,7 @@ func (s *ActivitylogService) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 // HandleGetItemActivities handles the request to get the activities of an item.
 func (s *ActivitylogService) HandleGetItemActivities(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
-	ctx = metadata.AppendToOutgoingContext(ctx, revactx.TokenHeader, r.Header.Get("X-Access-Token"))
+	ctx = metadata.AppendToOutgoingContext(ctx, revactx.TokenHeader, r.Header.Get(revactx.TokenHeader))

 	activeUser, ok := revactx.ContextGetUser(ctx)
 	if !ok {
--- a/services/activitylog/pkg/service/options.go
+++ b/services/activitylog/pkg/service/options.go
@@ -1,6 +1,8 @@
 package service

 import (
+	"time"
+
 	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
 	"github.com/go-chi/chi/v5"
 	"github.com/opencloud-eu/opencloud/pkg/log"
@@ -18,16 +20,17 @@ type Option func(*Options)

 // Options for the activitylog service
 type Options struct {
-	Logger           log.Logger
-	Config           *config.Config
-	TraceProvider    trace.TracerProvider
-	Stream           events.Stream
-	RegisteredEvents []events.Unmarshaller
-	Store            microstore.Store
-	GatewaySelector  pool.Selectable[gateway.GatewayAPIClient]
-	Mux              *chi.Mux
-	HistoryClient    ehsvc.EventHistoryService
-	ValueClient      settingssvc.ValueService
+	Logger              log.Logger
+	Config              *config.Config
+	TraceProvider       trace.TracerProvider
+	Stream              events.Stream
+	RegisteredEvents    []events.Unmarshaller
+	Store               microstore.Store
+	GatewaySelector     pool.Selectable[gateway.GatewayAPIClient]
+	Mux                 *chi.Mux
+	HistoryClient       ehsvc.EventHistoryService
+	ValueClient         settingssvc.ValueService
+	WriteBufferDuration time.Duration
 }

 // Logger configures a logger for the activitylog service
@@ -99,3 +102,10 @@ func ValueClient(vs settingssvc.ValueService) Option {
 		o.ValueClient = vs
 	}
 }
+
+// WriteBufferDuration sets the write buffer duration
+func WriteBufferDuration(d time.Duration) Option {
+	return func(o *Options) {
+		o.WriteBufferDuration = d
+	}
+}
--- a/services/activitylog/pkg/service/response.go
+++ b/services/activitylog/pkg/service/response.go
@@ -14,7 +14,7 @@ import (
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	"github.com/opencloud-eu/reva/v2/pkg/storagespace"
 	"github.com/opencloud-eu/reva/v2/pkg/utils"
-	libregraph "github.com/owncloud/libre-graph-api-go"
+	libregraph "github.com/opencloud-eu/libre-graph-api-go"

 	"github.com/opencloud-eu/opencloud/pkg/l10n"
 )
--- a/services/activitylog/pkg/service/service.go
+++ b/services/activitylog/pkg/service/service.go
@@ -1,6 +1,7 @@
 package service

 import (
+	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -12,11 +13,14 @@ import (
 	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	"github.com/go-chi/chi/v5"
+	"github.com/jellydator/ttlcache/v2"
 	"github.com/opencloud-eu/reva/v2/pkg/events"
 	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
 	"github.com/opencloud-eu/reva/v2/pkg/storagespace"
 	"github.com/opencloud-eu/reva/v2/pkg/utils"
+	"github.com/vmihailenco/msgpack/v5"
 	microstore "go-micro.dev/v4/store"
+	"go.opentelemetry.io/otel/trace"

 	"github.com/opencloud-eu/opencloud/pkg/log"
 	ehsvc "github.com/opencloud-eu/opencloud/protogen/gen/opencloud/services/eventhistory/v0"
@@ -36,19 +40,92 @@ type RawActivity struct {

 // ActivitylogService logs events per resource
 type ActivitylogService struct {
-	cfg        *config.Config
-	log        log.Logger
-	events     <-chan events.Event
-	store      microstore.Store
-	gws        pool.Selectable[gateway.GatewayAPIClient]
-	mux        *chi.Mux
-	evHistory  ehsvc.EventHistoryService
-	valService settingssvc.ValueService
-	lock       sync.RWMutex
+	cfg           *config.Config
+	log           log.Logger
+	events        <-chan events.Event
+	store         microstore.Store
+	gws           pool.Selectable[gateway.GatewayAPIClient]
+	mux           *chi.Mux
+	evHistory     ehsvc.EventHistoryService
+	valService    settingssvc.ValueService
+	lock          sync.RWMutex
+	tp            trace.TracerProvider
+	tracer        trace.Tracer
+	debouncer     *Debouncer
+	parentIdCache *ttlcache.Cache

 	registeredEvents map[string]events.Unmarshaller
 }

+type Debouncer struct {
+	after      time.Duration
+	f          func(id string, ra []RawActivity) error
+	pending    sync.Map
+	inProgress sync.Map
+
+	mutex sync.Mutex
+}
+
+type queueItem struct {
+	activities []RawActivity
+	timer      *time.Timer
+}
+
+// NewDebouncer returns a new Debouncer instance
+func NewDebouncer(d time.Duration, f func(id string, ra []RawActivity) error) *Debouncer {
+	return &Debouncer{
+		after:      d,
+		f:          f,
+		pending:    sync.Map{},
+		inProgress: sync.Map{},
+	}
+}
+
+// Debounce restarts the debounce timer for the given space
+func (d *Debouncer) Debounce(id string, ra RawActivity) {
+	if d.after == 0 {
+		d.f(id, []RawActivity{ra})
+		return
+	}
+
+	d.mutex.Lock()
+	defer d.mutex.Unlock()
+
+	activities := []RawActivity{ra}
+	item := &queueItem{
+		activities: activities,
+	}
+	if i, ok := d.pending.Load(id); ok {
+		// if the item is already in the queue, append the new activities
+		item, ok = i.(*queueItem)
+		if ok {
+			item.activities = append(item.activities, ra)
+		}
+	}
+
+	if item.timer == nil {
+		item.timer = time.AfterFunc(d.after, func() {
+			if _, ok := d.inProgress.Load(id); ok {
+				// Reschedule this run for when the previous run has finished
+				d.mutex.Lock()
+				if i, ok := d.pending.Load(id); ok {
+					i.(*queueItem).timer.Reset(d.after)
+				}
+
+				d.mutex.Unlock()
+				return
+			}
+
+			d.pending.Delete(id)
+			d.inProgress.Store(id, true)
+			defer d.inProgress.Delete(id)
+			d.f(id, item.activities)
+		})
+	}
+
+	d.pending.Store(id, item)
+}
+
 // New creates a new ActivitylogService
 func New(opts ...Option) (*ActivitylogService, error) {
 	o := &Options{}
@@ -69,6 +146,12 @@ func New(opts ...Option) (*ActivitylogService, error) {
 		return nil, err
 	}

+	cache := ttlcache.NewCache()
+	err = cache.SetTTL(30 * time.Second)
+	if err != nil {
+		return nil, err
+	}
+
 	s := &ActivitylogService{
 		log:              o.Logger,
 		cfg:              o.Config,
@@ -80,7 +163,11 @@ func New(opts ...Option) (*ActivitylogService, error) {
 		valService:       o.ValueClient,
 		lock:             sync.RWMutex{},
 		registeredEvents: make(map[string]events.Unmarshaller),
+		tp:               o.TraceProvider,
+		tracer:           o.TraceProvider.Tracer("github.com/opencloud-eu/opencloud/services/activitylog/pkg/service"),
+		parentIdCache:    cache,
 	}
+	s.debouncer = NewDebouncer(o.WriteBufferDuration, s.storeActivity)

 	s.mux.Get("/graph/v1beta1/extensions/org.libregraph/activities", s.HandleGetItemActivities)

@@ -100,9 +187,9 @@ func (a *ActivitylogService) Run() {
 		var err error
 		switch ev := e.Event.(type) {
 		case events.UploadReady:
-			err = a.AddActivity(ev.FileRef, e.ID, utils.TSToTime(ev.Timestamp))
+			err = a.AddActivity(ev.FileRef, ev.ParentID, e.ID, utils.TSToTime(ev.Timestamp))
 		case events.FileTouched:
-			err = a.AddActivity(ev.Ref, e.ID, utils.TSToTime(ev.Timestamp))
+			err = a.AddActivity(ev.Ref, ev.ParentID, e.ID, utils.TSToTime(ev.Timestamp))
 		// Disabled https://github.com/owncloud/ocis/issues/10293
 		//case events.FileDownloaded:
 		// we are only interested in public link downloads - so no need to store others.
@@ -110,29 +197,32 @@ func (a *ActivitylogService) Run() {
 		//	err = a.AddActivity(ev.Ref, e.ID, utils.TSToTime(ev.Timestamp))
 		//}
 		case events.ContainerCreated:
-			err = a.AddActivity(ev.Ref, e.ID, utils.TSToTime(ev.Timestamp))
+			err = a.AddActivity(ev.Ref, ev.ParentID, e.ID, utils.TSToTime(ev.Timestamp))
 		case events.ItemTrashed:
-			err = a.AddActivityTrashed(ev.ID, ev.Ref, e.ID, utils.TSToTime(ev.Timestamp))
+			err = a.AddActivityTrashed(ev.ID, ev.Ref, nil, e.ID, utils.TSToTime(ev.Timestamp))
 		case events.ItemPurged:
 			err = a.RemoveResource(ev.ID)
 		case events.ItemMoved:
-			err = a.AddActivity(ev.Ref, e.ID, utils.TSToTime(ev.Timestamp))
+			// remove the cached parent id for this resource
+			a.removeCachedParentID(ev.Ref)
+
+			err = a.AddActivity(ev.Ref, nil, e.ID, utils.TSToTime(ev.Timestamp))
 		case events.ShareCreated:
-			err = a.AddActivity(toRef(ev.ItemID), e.ID, utils.TSToTime(ev.CTime))
+			err = a.AddActivity(toRef(ev.ItemID), nil, e.ID, utils.TSToTime(ev.CTime))
 		case events.ShareUpdated:
 			if ev.Sharer != nil && ev.ItemID != nil && ev.Sharer.GetOpaqueId() != ev.ItemID.GetSpaceId() {
-				err = a.AddActivity(toRef(ev.ItemID), e.ID, utils.TSToTime(ev.MTime))
+				err = a.AddActivity(toRef(ev.ItemID), nil, e.ID, utils.TSToTime(ev.MTime))
 			}
 		case events.ShareRemoved:
-			err = a.AddActivity(toRef(ev.ItemID), e.ID, ev.Timestamp)
+			err = a.AddActivity(toRef(ev.ItemID), nil, e.ID, ev.Timestamp)
 		case events.LinkCreated:
-			err = a.AddActivity(toRef(ev.ItemID), e.ID, utils.TSToTime(ev.CTime))
+			err = a.AddActivity(toRef(ev.ItemID), nil, e.ID, utils.TSToTime(ev.CTime))
 		case events.LinkUpdated:
 			if ev.Sharer != nil && ev.ItemID != nil && ev.Sharer.GetOpaqueId() != ev.ItemID.GetSpaceId() {
-				err = a.AddActivity(toRef(ev.ItemID), e.ID, utils.TSToTime(ev.MTime))
+				err = a.AddActivity(toRef(ev.ItemID), nil, e.ID, utils.TSToTime(ev.MTime))
 			}
 		case events.LinkRemoved:
-			err = a.AddActivity(toRef(ev.ItemID), e.ID, utils.TSToTime(ev.Timestamp))
+			err = a.AddActivity(toRef(ev.ItemID), nil, e.ID, utils.TSToTime(ev.Timestamp))
 		case events.SpaceShared:
 			err = a.AddSpaceActivity(ev.ID, e.ID, ev.Timestamp)
 		case events.SpaceUnshared:
@@ -146,7 +236,7 @@ func (a *ActivitylogService) Run() {
 }

 // AddActivity adds the activity to the given resource and all its parents
-func (a *ActivitylogService) AddActivity(initRef *provider.Reference, eventID string, timestamp time.Time) error {
+func (a *ActivitylogService) AddActivity(initRef *provider.Reference, parentId *provider.ResourceId, eventID string, timestamp time.Time) error {
 	gwc, err := a.gws.Next()
 	if err != nil {
 		return fmt.Errorf("cant get gateway client: %w", err)
@@ -156,14 +246,17 @@ func (a *ActivitylogService) AddActivity(initRef *provider.Reference, eventID st
 	if err != nil {
 		return fmt.Errorf("cant get service user context: %w", err)
 	}
+	var span trace.Span
+	ctx, span = a.tracer.Start(ctx, "AddActivity")
+	defer span.End()

-	return a.addActivity(initRef, eventID, timestamp, func(ref *provider.Reference) (*provider.ResourceInfo, error) {
+	return a.addActivity(ctx, initRef, parentId, eventID, timestamp, func(ref *provider.Reference) (*provider.ResourceInfo, error) {
 		return utils.GetResource(ctx, ref, gwc)
 	})
 }

 // AddActivityTrashed adds the activity to given trashed resource and all its former parents
-func (a *ActivitylogService) AddActivityTrashed(resourceID *provider.ResourceId, reference *provider.Reference, eventID string, timestamp time.Time) error {
+func (a *ActivitylogService) AddActivityTrashed(resourceID *provider.ResourceId, reference *provider.Reference, parentId *provider.ResourceId, eventID string, timestamp time.Time) error {
 	gwc, err := a.gws.Next()
 	if err != nil {
 		return fmt.Errorf("cant get gateway client: %w", err)
@@ -175,7 +268,13 @@ func (a *ActivitylogService) AddActivityTrashed(resourceID *provider.ResourceId,
 	}

 	// store activity on trashed item
-	if err := a.storeActivity(storagespace.FormatResourceID(resourceID), eventID, 0, timestamp); err != nil {
+	if err := a.storeActivity(storagespace.FormatResourceID(resourceID), []RawActivity{
+		{
+			EventID:   eventID,
+			Depth:     0,
+			Timestamp: timestamp,
+		},
+	}); err != nil {
 		return fmt.Errorf("could not store activity: %w", err)
 	}

@@ -185,7 +284,11 @@ func (a *ActivitylogService) AddActivityTrashed(resourceID *provider.ResourceId,
 		Path:       filepath.Dir(reference.GetPath()),
 	}

-	return a.addActivity(ref, eventID, timestamp, func(ref *provider.Reference) (*provider.ResourceInfo, error) {
+	var span trace.Span
+	ctx, span = a.tracer.Start(ctx, "AddActivity")
+	defer span.End()
+
+	return a.addActivity(ctx, ref, parentId, eventID, timestamp, func(ref *provider.Reference) (*provider.ResourceInfo, error) {
 		return utils.GetResource(ctx, ref, gwc)
 	})
 }
@@ -200,7 +303,13 @@ func (a *ActivitylogService) AddSpaceActivity(spaceID *provider.StorageSpaceId,
 		return fmt.Errorf("could not parse space id: %w", err)
 	}
 	rid.OpaqueId = rid.GetSpaceId()
-	return a.storeActivity(storagespace.FormatResourceID(&rid), eventID, 0, timestamp)
+	return a.storeActivity(storagespace.FormatResourceID(&rid), []RawActivity{
+		{
+			EventID:   eventID,
+			Depth:     0,
+			Timestamp: timestamp,
+		},
+	})

 }

@@ -265,70 +374,118 @@ func (a *ActivitylogService) activities(rid *provider.ResourceId) ([]RawActivity
 	}

 	var activities []RawActivity
-	if err := json.Unmarshal(records[0].Value, &activities); err != nil {
-		return nil, fmt.Errorf("could not unmarshal activities: %w", err)
+	if err := msgpack.Unmarshal(records[0].Value, &activities); err != nil {
+		a.log.Debug().Err(err).Str("resourceID", resourceID).Msg("could not unmarshal messagepack, trying json")
+		if err := json.Unmarshal(records[0].Value, &activities); err != nil {
+			return nil, fmt.Errorf("could not unmarshal activities: %w", err)
+		}
 	}

 	return activities, nil
 }

 // note: getResource is abstracted to allow unit testing, in general this will just be utils.GetResource
-func (a *ActivitylogService) addActivity(initRef *provider.Reference, eventID string, timestamp time.Time, getResource func(*provider.Reference) (*provider.ResourceInfo, error)) error {
+func (a *ActivitylogService) addActivity(ctx context.Context, initRef *provider.Reference, parentId *provider.ResourceId, eventID string, timestamp time.Time, getResource func(*provider.Reference) (*provider.ResourceInfo, error)) error {
 	var (
-		info  *provider.ResourceInfo
 		err   error
 		depth int
 		ref   = initRef
 	)
 	for {
-		info, err = getResource(ref)
-		if err != nil {
-			return fmt.Errorf("could not get resource info: %w", err)
+		var info *provider.ResourceInfo
+		id := ref.GetResourceId()
+		if ref.Path != "" {
+			// Path based reference, we need to resolve the resource id
+			info, err = getResource(ref)
+			if err != nil {
+				return fmt.Errorf("could not get resource info: %w", err)
+			}
+			id = info.GetId()
+		}
+		if id == nil {
+			return fmt.Errorf("resource id is required")
 		}

-		if err := a.storeActivity(storagespace.FormatResourceID(info.GetId()), eventID, depth, timestamp); err != nil {
-			return fmt.Errorf("could not store activity: %w", err)
-		}
+		key := storagespace.FormatResourceID(id)
+		_, span := a.tracer.Start(ctx, "queueStoreActivity")
+		a.debouncer.Debounce(key, RawActivity{
+			EventID:   eventID,
+			Depth:     depth,
+			Timestamp: timestamp,
+		})
+		span.End()

-		if info != nil && utils.IsSpaceRoot(info) {
+		if id.OpaqueId == id.SpaceId {
+			// we are at the root of the space, no need to go further
 			return nil
 		}

+		// check if parent id is cached
+		// parent id is cached in the format <storageid>$<spaceid>!<resourceid>
+		// if it is not cached, get the resource info and cache it
+		if parentId == nil {
+			if v, err := a.parentIdCache.Get(key); err != nil {
+				if info == nil {
+					_, span = a.tracer.Start(ctx, "getResource")
+					info, err = getResource(ref)
+					span.End()
+					if err != nil || info.GetParentId() == nil || info.GetParentId().GetOpaqueId() == "" {
+						return fmt.Errorf("could not get parent id: %w", err)
+					}
+				}
+				parentId = info.GetParentId()
+				a.parentIdCache.Set(key, parentId)
+			} else {
+				parentId = v.(*provider.ResourceId)
+			}
+		} else {
+			a.log.Debug().Msg("parent id is cached")
+		}
+
 		depth++
-		ref = &provider.Reference{ResourceId: info.GetParentId()}
+		ref = &provider.Reference{ResourceId: parentId}
+		parentId = nil // reset parent id so it's not reused in the next iteration
 	}
 }

-func (a *ActivitylogService) storeActivity(resourceID string, eventID string, depth int, timestamp time.Time) error {
+func (a *ActivitylogService) storeActivity(resourceID string, activities []RawActivity) error {
 	a.lock.Lock()
 	defer a.lock.Unlock()

+	ctx, span := a.tracer.Start(context.Background(), "storeActivity")
+	defer span.End()
+	_, subspan := a.tracer.Start(ctx, "store.Read")
 	records, err := a.store.Read(resourceID)
 	if err != nil && err != microstore.ErrNotFound {
 		return err
 	}
+	subspan.End()

-	var activities []RawActivity
+	_, subspan = a.tracer.Start(ctx, "Unmarshal")
+	var existingActivities []RawActivity
 	if len(records) > 0 {
-		if err := json.Unmarshal(records[0].Value, &activities); err != nil {
-			return err
+		if err := msgpack.Unmarshal(records[0].Value, &existingActivities); err != nil {
+			a.log.Debug().Err(err).Str("resourceID", resourceID).Msg("could not unmarshal messagepack, trying json")
+			if err := json.Unmarshal(records[0].Value, &existingActivities); err != nil {
+				return err
+			}
 		}
 	}
+	subspan.End()

-	if l := len(activities); l >= _maxActivities {
-		activities = activities[l-_maxActivities+1:]
+	if l := len(existingActivities) + len(activities); l >= _maxActivities {
+		start := min(len(existingActivities), l-_maxActivities+1)
+		existingActivities = existingActivities[start:]
 	}

-	activities = append(activities, RawActivity{
-		EventID:   eventID,
-		Depth:     depth,
-		Timestamp: timestamp,
-	})
+	activities = append(existingActivities, activities...)

-	b, err := json.Marshal(activities)
+	_, subspan = a.tracer.Start(ctx, "Unmarshal")
+	b, err := msgpack.Marshal(activities)
 	if err != nil {
 		return err
 	}
+	subspan.End()

 	return a.store.Write(&microstore.Record{
 		Key:   resourceID,
@@ -347,3 +504,30 @@ func toSpace(r *provider.Reference) *provider.StorageSpaceId {
 		OpaqueId: storagespace.FormatStorageID(r.GetResourceId().GetStorageId(), r.GetResourceId().GetSpaceId()),
 	}
 }
+
+func (a *ActivitylogService) removeCachedParentID(ref *provider.Reference) {
+	purgeId := ref.GetResourceId()
+	if ref.GetPath() != "" {
+		gwc, err := a.gws.Next()
+		if err != nil {
+			a.log.Error().Err(err).Msg("could not get gateway client")
+			return
+		}
+
+		ctx, err := utils.GetServiceUserContext(a.cfg.ServiceAccount.ServiceAccountID, gwc, a.cfg.ServiceAccount.ServiceAccountSecret)
+		if err != nil {
+			a.log.Error().Err(err).Msg("could not get service user context")
+			return
+		}
+
+		info, err := utils.GetResource(ctx, ref, gwc)
+		if err != nil {
+			a.log.Error().Err(err).Msg("could not get resource info")
+			return
+		}
+		purgeId = info.GetId()
+	}
+	if err := a.parentIdCache.Remove(storagespace.FormatResourceID(purgeId)); err != nil {
+		a.log.Error().Interface("event", ref).Err(err).Msg("could not delete parent id cache")
+	}
+}
--- a/services/activitylog/pkg/service/service_suite_test.go
+++ b/services/activitylog/pkg/service/service_suite_test.go
@@ -0,0 +1,13 @@
+package service_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestService(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Service Suite")
+}
--- a/services/activitylog/pkg/service/service_test.go
+++ b/services/activitylog/pkg/service/service_test.go
@@ -1,147 +1,139 @@
 package service

 import (
-	"testing"
+	"context"
 	"time"

 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
+	"github.com/jellydator/ttlcache/v2"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
 	"github.com/opencloud-eu/reva/v2/pkg/store"
-	"github.com/stretchr/testify/require"
+	"go.opentelemetry.io/otel/trace/noop"
 )

-func TestAddActivity(t *testing.T) {
-	testCases := []struct {
-		Name       string
-		Tree       map[string]*provider.ResourceInfo
-		Activities map[string]string
-		Expected   map[string][]RawActivity
-	}{
-		{
-			Name: "simple",
-			Tree: map[string]*provider.ResourceInfo{
+var _ = Describe("ActivitylogService", func() {
+	var (
+		alog        *ActivitylogService
+		getResource func(ref *provider.Reference) (*provider.ResourceInfo, error)
+	)
+
+	Context("with a noop debouncer", func() {
+		BeforeEach(func() {
+			alog = &ActivitylogService{
+				store:         store.Create(),
+				tracer:        noop.NewTracerProvider().Tracer("test"),
+				parentIdCache: ttlcache.NewCache(),
+			}
+			alog.debouncer = NewDebouncer(0, alog.storeActivity)
+		})
+
+		Describe("AddActivity", func() {
+			type testCase struct {
+				Name       string
+				Tree       map[string]*provider.ResourceInfo
+				Activities map[string]string
+				Expected   map[string][]RawActivity
+			}
+
+			testCases := []testCase{
+				{
+					Name: "simple",
+					Tree: map[string]*provider.ResourceInfo{
+						"base":    resourceInfo("base", "parent"),
+						"parent":  resourceInfo("parent", "spaceid"),
+						"spaceid": resourceInfo("spaceid", "spaceid"),
+					},
+					Activities: map[string]string{
+						"activity": "base",
+					},
+					Expected: map[string][]RawActivity{
+						"base":    activitites("activity", 0),
+						"parent":  activitites("activity", 1),
+						"spaceid": activitites("activity", 2),
+					},
+				},
+				{
+					Name: "two activities on same resource",
+					Tree: map[string]*provider.ResourceInfo{
+						"base":    resourceInfo("base", "parent"),
+						"parent":  resourceInfo("parent", "spaceid"),
+						"spaceid": resourceInfo("spaceid", "spaceid"),
+					},
+					Activities: map[string]string{
+						"activity1": "base",
+						"activity2": "base",
+					},
+					Expected: map[string][]RawActivity{
+						"base":    activitites("activity1", 0, "activity2", 0),
+						"parent":  activitites("activity1", 1, "activity2", 1),
+						"spaceid": activitites("activity1", 2, "activity2", 2),
+					},
+				},
+				// Add other test cases here...
+			}
+
+			for _, tc := range testCases {
+				tc := tc // capture range variable
+				Context(tc.Name, func() {
+					BeforeEach(func() {
+						getResource = func(ref *provider.Reference) (*provider.ResourceInfo, error) {
+							return tc.Tree[ref.GetResourceId().GetOpaqueId()], nil
+						}
+
+						for k, v := range tc.Activities {
+							err := alog.addActivity(context.Background(), reference(v), nil, k, time.Time{}, getResource)
+							Expect(err).NotTo(HaveOccurred())
+						}
+					})
+
+					It("should match the expected activities", func() {
+						for id, acts := range tc.Expected {
+							activities, err := alog.Activities(resourceID(id))
+							Expect(err).NotTo(HaveOccurred(), tc.Name+":"+id)
+							Expect(activities).To(ConsistOf(acts), tc.Name+":"+id)
+						}
+					})
+				})
+			}
+		})
+	})
+
+	Context("with a debouncing debouncer", func() {
+		var (
+			tree = map[string]*provider.ResourceInfo{
 				"base":    resourceInfo("base", "parent"),
 				"parent":  resourceInfo("parent", "spaceid"),
 				"spaceid": resourceInfo("spaceid", "spaceid"),
-			},
-			Activities: map[string]string{
-				"activity": "base",
-			},
-			Expected: map[string][]RawActivity{
-				"base":    activitites("activity", 0),
-				"parent":  activitites("activity", 1),
-				"spaceid": activitites("activity", 2),
-			},
-		},
-		{
-			Name: "two activities on same resource",
-			Tree: map[string]*provider.ResourceInfo{
-				"base":    resourceInfo("base", "parent"),
-				"parent":  resourceInfo("parent", "spaceid"),
-				"spaceid": resourceInfo("spaceid", "spaceid"),
-			},
-			Activities: map[string]string{
-				"activity1": "base",
-				"activity2": "base",
-			},
-			Expected: map[string][]RawActivity{
-				"base":    activitites("activity1", 0, "activity2", 0),
-				"parent":  activitites("activity1", 1, "activity2", 1),
-				"spaceid": activitites("activity1", 2, "activity2", 2),
-			},
-		},
-		{
-			Name: "two activities on different resources",
-			Tree: map[string]*provider.ResourceInfo{
-				"base1":   resourceInfo("base1", "parent"),
-				"base2":   resourceInfo("base2", "parent"),
-				"parent":  resourceInfo("parent", "spaceid"),
-				"spaceid": resourceInfo("spaceid", "spaceid"),
-			},
-			Activities: map[string]string{
-				"activity1": "base1",
-				"activity2": "base2",
-			},
-			Expected: map[string][]RawActivity{
-				"base1":   activitites("activity1", 0),
-				"base2":   activitites("activity2", 0),
-				"parent":  activitites("activity1", 1, "activity2", 1),
-				"spaceid": activitites("activity1", 2, "activity2", 2),
-			},
-		},
-		{
-			Name: "more elaborate resource tree",
-			Tree: map[string]*provider.ResourceInfo{
-				"base1":   resourceInfo("base1", "parent1"),
-				"base2":   resourceInfo("base2", "parent1"),
-				"parent1": resourceInfo("parent1", "spaceid"),
-				"base3":   resourceInfo("base3", "parent2"),
-				"parent2": resourceInfo("parent2", "spaceid"),
-				"spaceid": resourceInfo("spaceid", "spaceid"),
-			},
-			Activities: map[string]string{
-				"activity1": "base1",
-				"activity2": "base2",
-				"activity3": "base3",
-			},
-			Expected: map[string][]RawActivity{
-				"base1":   activitites("activity1", 0),
-				"base2":   activitites("activity2", 0),
-				"base3":   activitites("activity3", 0),
-				"parent1": activitites("activity1", 1, "activity2", 1),
-				"parent2": activitites("activity3", 1),
-				"spaceid": activitites("activity1", 2, "activity2", 2, "activity3", 2),
-			},
-		},
-		{
-			Name: "different depths within one resource",
-			Tree: map[string]*provider.ResourceInfo{
-				"base1":   resourceInfo("base1", "parent1"),
-				"parent1": resourceInfo("parent1", "parent2"),
-				"base2":   resourceInfo("base2", "parent2"),
-				"parent2": resourceInfo("parent2", "parent3"),
-				"base3":   resourceInfo("base3", "parent3"),
-				"parent3": resourceInfo("parent3", "spaceid"),
-				"spaceid": resourceInfo("spaceid", "spaceid"),
-			},
-			Activities: map[string]string{
-				"activity1": "base1",
-				"activity2": "base2",
-				"activity3": "base3",
-				"activity4": "parent2",
-			},
-			Expected: map[string][]RawActivity{
-				"base1":   activitites("activity1", 0),
-				"base2":   activitites("activity2", 0),
-				"base3":   activitites("activity3", 0),
-				"parent1": activitites("activity1", 1),
-				"parent2": activitites("activity1", 2, "activity2", 1, "activity4", 0),
-				"parent3": activitites("activity1", 3, "activity2", 2, "activity3", 1, "activity4", 1),
-				"spaceid": activitites("activity1", 4, "activity2", 3, "activity3", 2, "activity4", 2),
-			},
-		},
-	}
+			}
+		)
+		BeforeEach(func() {
+			alog = &ActivitylogService{
+				store:         store.Create(),
+				tracer:        noop.NewTracerProvider().Tracer("test"),
+				parentIdCache: ttlcache.NewCache(),
+			}
+			alog.debouncer = NewDebouncer(100*time.Millisecond, alog.storeActivity)
+		})

-	for _, tc := range testCases {
-		alog := &ActivitylogService{
-			store: store.Create(),
-		}
+		It("should debounce activities", func() {
+			getResource = func(ref *provider.Reference) (*provider.ResourceInfo, error) {
+				return tree[ref.GetResourceId().GetOpaqueId()], nil
+			}

-		getResource := func(ref *provider.Reference) (*provider.ResourceInfo, error) {
-			return tc.Tree[ref.GetResourceId().GetOpaqueId()], nil
-		}
+			err := alog.addActivity(context.Background(), reference("base"), nil, "activity1", time.Time{}, getResource)
+			Expect(err).NotTo(HaveOccurred())
+			err = alog.addActivity(context.Background(), reference("base"), nil, "activity2", time.Time{}, getResource)
+			Expect(err).NotTo(HaveOccurred())

-		for k, v := range tc.Activities {
-			err := alog.addActivity(reference(v), k, time.Time{}, getResource)
-			require.NoError(t, err)
-		}
-
-		for id, acts := range tc.Expected {
-			activities, err := alog.Activities(resourceID(id))
-			require.NoError(t, err, tc.Name+":"+id)
-			require.ElementsMatch(t, acts, activities, tc.Name+":"+id)
-		}
-	}
-}
+			Eventually(func(g Gomega) {
+				activities, err := alog.Activities(resourceID("base"))
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(activities).To(ConsistOf(activitites("activity1", 0, "activity2", 0)))
+			}).Should(Succeed())
+		})
+	})
+})

 func activitites(acts ...interface{}) []RawActivity {
 	var activities []RawActivity
--- a/services/antivirus/.mockery.yaml
+++ b/services/antivirus/.mockery.yaml
@@ -1,4 +1,7 @@
+issue-845-fix: True
+resolve-type-alias: False
 with-expecter: true
+disable-version-string: True
 filename: "{{.InterfaceName | snakecase }}.go"
 dir: "pkg/{{.PackageName}}/mocks"
 mockname: "{{.InterfaceName}}"
--- a/services/antivirus/Makefile
+++ b/services/antivirus/Makefile
@@ -6,7 +6,6 @@ include ../../.bingo/Variables.mk
 endif

 include ../../.make/default.mk
-include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk
--- a/services/antivirus/README.md
+++ b/services/antivirus/README.md
@@ -4,7 +4,10 @@ The `antivirus` service is responsible for scanning files for viruses.

 ## Memory Considerations

-The antivirus service can consume considerably amounts of memory. This is relevant to provide or define sufficient memory for the deployment selected. To avoid out of memory (OOM) situations, the following equation gives a rough overview based on experiences made. The memory calculation comes without any guarantee, is intended as overview only and subject of change.
+The antivirus service can consume considerable amounts of memory.
+This is relevant to provide or define sufficient memory for the deployment selected.
+To avoid out of memory (OOM) situations, the following equation gives a rough overview based on experiences made.
+The memory calculation comes without any guarantee, is intended as overview only and subject of change.

 `memory limit` = `max file size` x `workers` x `factor 8 - 14`

@@ -19,17 +22,31 @@ With:

 ### Antivirus Scanner Type

-The antivirus service currently supports [ICAP](https://tools.ietf.org/html/rfc3507) and [ClamAV](http://www.clamav.net/index.html) as antivirus scanners. The `ANTIVIRUS_SCANNER_TYPE` environment variable is used to select the scanner. The detailed configuration for each scanner heavily depends on the scanner type selected. See the environment variables for more details.
+The antivirus service currently supports [ICAP](https://tools.ietf.org/html/rfc3507) and [ClamAV](http://www.clamav.net/index.html) as antivirus scanners.
+The `ANTIVIRUS_SCANNER_TYPE` environment variable is used to select the scanner.
+The detailed configuration for each scanner heavily depends on the scanner type selected.
+See the environment variables for more details.

  -   For `icap`, only scanners using the `X-Infection-Found` header are currently supported.
  -   For `clamav` only local sockets can currently be configured.

 ### Maximum Scan Size

-Several factors can make it necessary to limit the maximum filesize the antivirus service will use for scanning. Use the `ANTIVIRUS_MAX_SCAN_SIZE` environment variable to scan only a given amount of bytes. Obviously, it is recommended to scan the whole file, but several factors like scanner type and version, bandwidth, performance issues, etc. might make a limit necessary.
+Several factors can make it necessary to limit the maximum filesize the antivirus service uses for scanning.
+Use the `ANTIVIRUS_MAX_SCAN_SIZE` environment variable to scan only a given number of bytes,
+or to skip the whole resource.
+
+Even if it's recommended to scan the whole file, several factors like scanner type and version,
+bandwidth, performance issues, etc. might make a limit necessary.
+
+In such cases, the antivirus the max scan size mode can be handy, the following modes are available:
+
+  -   `partial`: The file is scanned up to the given size. The rest of the file is not scanned. This is the default mode `ANTIVIRUS_MAX_SCAN_SIZE=partial`
+  -   `skip`: The file is skipped and not scanned. `ANTIVIRUS_MAX_SCAN_SIZE=skip`

 **IMPORTANT**
-> Streaming of files to the virus scan service still [needs to be implemented](https://github.com/owncloud/ocis/issues/6803). To prevent OOM errors `ANTIVIRUS_MAX_SCAN_SIZE` needs to be set lower than available ram.
+> Streaming of files to the virus scan service still [needs to be implemented](https://github.com/owncloud/ocis/issues/6803).
+> To prevent OOM errors `ANTIVIRUS_MAX_SCAN_SIZE` needs to be set lower than available ram and or the maximum file size that can be scanned by the virus scanner.

 ### Antivirus Workers

@@ -41,7 +58,7 @@ The antivirus service allows three different ways of handling infected files. Th

  -   `delete`: (default): Infected files will be deleted immediately, further postprocessing is cancelled.
  -   `abort`:  (advanced option): Infected files will be kept, further postprocessing is cancelled. Files can be manually retrieved and inspected by an admin. To identify the file for further investigation, the antivirus service logs the abort/infected state including the file ID. The file is located in the `storage/users/uploads` folder of the OpenCloud data directory and persists until it is manually deleted by the admin via the [Manage Unfinished Uploads](https://github.com/opencloud-eu/opencloud/tree/main/services/storage-users#manage-unfinished-uploads) command.
-  -   `continue`:  (obviously not recommended): Infected files will be marked via metadata as infected but postprocessing continues normally. Note: Infected Files are moved to their final destination and therefore not prevented from download which includes the risk of spreading viruses.
+  -   `continue`:  (not recommended): Infected files will be marked via metadata as infected, but postprocessing continues normally. Note: Infected Files are moved to their final destination and therefore not prevented from download, which includes the risk of spreading viruses.

 In all cases, a log entry is added declaring the infection and handling method and a notification via the `userlog` service sent.

--- a/services/antivirus/pkg/command/server.go
+++ b/services/antivirus/pkg/command/server.go
@@ -45,7 +45,7 @@ func Server(cfg *config.Config) *cli.Command {
 			{
 				svc, err := service.NewAntivirus(cfg, logger, traceProvider)
 				if err != nil {
-					return err
+					return cli.Exit(err.Error(), 1)
 				}

 				gr.Add(svc.Run, func(_ error) {
--- a/services/antivirus/pkg/config/config.go
+++ b/services/antivirus/pkg/config/config.go
@@ -5,6 +5,26 @@ import (
 	"time"
 )

+// ScannerType gives info which scanner is used
+type ScannerType string
+
+const (
+	// ScannerTypeClamAV defines that clamav is used
+	ScannerTypeClamAV ScannerType = "clamav"
+	// ScannerTypeICap defines that icap is used
+	ScannerTypeICap ScannerType = "icap"
+)
+
+// MaxScanSizeMode defines the mode of handling files that exceed the maximum scan size
+type MaxScanSizeMode string
+
+const (
+	// MaxScanSizeModeSkip defines that files that are bigger than the max scan size will be skipped
+	MaxScanSizeModeSkip MaxScanSizeMode = "skip"
+	// MaxScanSizeModePartial defines that only the file up to the max size will be used
+	MaxScanSizeModePartial MaxScanSizeMode = "partial"
+)
+
 // Config combines all available configuration parts.
 type Config struct {
 	File string
@@ -20,8 +40,9 @@ type Config struct {
 	Events               Events
 	Workers              int `yaml:"workers" env:"ANTIVIRUS_WORKERS" desc:"The number of concurrent go routines that fetch events from the event queue." introductionVersion:"1.0.0"`

-	Scanner     Scanner
-	MaxScanSize string `yaml:"max-scan-size" env:"ANTIVIRUS_MAX_SCAN_SIZE" desc:"The maximum scan size the virus scanner can handle. Only this many bytes of a file will be scanned. 0 means unlimited and is the default. Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB." introductionVersion:"1.0.0"`
+	Scanner         Scanner
+	MaxScanSize     string          `yaml:"max-scan-size" env:"ANTIVIRUS_MAX_SCAN_SIZE" desc:"The maximum scan size the virus scanner can handle.0 means unlimited. Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB." introductionVersion:"1.0.0"`
+	MaxScanSizeMode MaxScanSizeMode `yaml:"max-scan-size-mode" env:"ANTIVIRUS_MAX_SCAN_SIZE_MODE" desc:"Defines the mode of handling files that exceed the maximum scan size. Supported options are: 'skip', which skips files that are bigger than the max scan size, and 'truncate' (default), which only uses the file up to the max size." introductionVersion:"2.1.0"`

 	Context context.Context `json:"-" yaml:"-"`

@@ -62,7 +83,7 @@ type Events struct {

 // Scanner provides configuration options for the virus scanner
 type Scanner struct {
-	Type string `yaml:"type" env:"ANTIVIRUS_SCANNER_TYPE" desc:"The antivirus scanner to use. Supported values are 'clamav' and 'icap'." introductionVersion:"1.0.0"`
+	Type ScannerType `yaml:"type" env:"ANTIVIRUS_SCANNER_TYPE" desc:"The antivirus scanner to use. Supported values are 'clamav' and 'icap'." introductionVersion:"1.0.0"`

 	ClamAV ClamAV // only if Type == clamav
 	ICAP   ICAP   // only if Type == icap
@@ -70,7 +91,8 @@ type Scanner struct {

 // ClamAV provides configuration option for clamav
 type ClamAV struct {
-	Socket string `yaml:"socket" env:"ANTIVIRUS_CLAMAV_SOCKET" desc:"The socket clamav is running on. Note the default value is an example which needs adaption according your OS." introductionVersion:"1.0.0"`
+	Socket  string        `yaml:"socket" env:"ANTIVIRUS_CLAMAV_SOCKET" desc:"The socket clamav is running on. Note the default value is an example which needs adaption according your OS." introductionVersion:"1.0.0"`
+	Timeout time.Duration `yaml:"scan_timeout" env:"ANTIVIRUS_CLAMAV_SCAN_TIMEOUT" desc:"Scan timeout for the ClamAV client. Defaults to '5m' (5 minutes). See the Environment Variable Types description for more details." introductionVersion:"2.1.0"`
 }

 // ICAP provides configuration options for icap
--- a/services/antivirus/pkg/config/defaults/defaultconfig.go
+++ b/services/antivirus/pkg/config/defaults/defaultconfig.go
@@ -30,10 +30,15 @@ func DefaultConfig() *config.Config {
 		},
 		Workers:              10,
 		InfectedFileHandling: "delete",
+		// defaults from clamav sample conf: MaxScanSize=400M, MaxFileSize=100M, StreamMaxLength=100M
+		// https://github.com/Cisco-Talos/clamav/blob/main/etc/clamd.conf.sample
+		MaxScanSize:     "100MB",
+		MaxScanSizeMode: config.MaxScanSizeModePartial,
 		Scanner: config.Scanner{
-			Type: "clamav",
+			Type: config.ScannerTypeClamAV,
 			ClamAV: config.ClamAV{
-				Socket: "/run/clamav/clamd.ctl",
+				Socket:  "/run/clamav/clamd.ctl",
+				Timeout: 5 * time.Minute,
 			},
 			ICAP: config.ICAP{
 				URL:     "icap://127.0.0.1:1344",
@@ -57,4 +62,9 @@ func EnsureDefaults(cfg *config.Config) {

 // Sanitize sanitizes the configuration
 func Sanitize(cfg *config.Config) {
+	defaultConfig := DefaultConfig()
+
+	if cfg.MaxScanSize == "" {
+		cfg.MaxScanSize = defaultConfig.MaxScanSize
+	}
 }
--- a/services/antivirus/pkg/scanners/clamav.go
+++ b/services/antivirus/pkg/scanners/clamav.go
@@ -1,34 +1,51 @@
 package scanners

 import (
+	"fmt"
 	"time"

 	"github.com/dutchcoders/go-clamd"
 )

 // NewClamAV returns a Scanner talking to clamAV via socket
-func NewClamAV(socket string) *ClamAV {
-	return &ClamAV{
-		clamd: clamd.NewClamd(socket),
+func NewClamAV(socket string, timeout time.Duration) (*ClamAV, error) {
+	c := clamd.NewClamd(socket)
+
+	if err := c.Ping(); err != nil {
+		return nil, fmt.Errorf("%w: %w", ErrScannerNotReachable, err)
 	}
+
+	return &ClamAV{
+		clamd:   clamd.NewClamd(socket),
+		timeout: timeout,
+	}, nil
 }

 // ClamAV is a Scanner based on clamav
 type ClamAV struct {
-	clamd *clamd.Clamd
+	clamd   *clamd.Clamd
+	timeout time.Duration
 }

 // Scan to fulfill Scanner interface
 func (s ClamAV) Scan(in Input) (Result, error) {
-	ch, err := s.clamd.ScanStream(in.Body, make(chan bool))
+	abort := make(chan bool, 1)
+	defer close(abort)
+
+	ch, err := s.clamd.ScanStream(in.Body, abort)
 	if err != nil {
 		return Result{}, err
 	}

-	r := <-ch
-	return Result{
-		Infected:    r.Status == clamd.RES_FOUND,
-		Description: r.Description,
-		ScanTime:    time.Now(),
-	}, nil
+	select {
+	case <-time.After(s.timeout):
+		abort <- true
+		return Result{}, fmt.Errorf("%w: %s", ErrScanTimeout, in.Url)
+	case s := <-ch:
+		return Result{
+			Infected:    s.Status == clamd.RES_FOUND,
+			Description: s.Description,
+			ScanTime:    time.Now(),
+		}, nil
+	}
 }
--- a/services/antivirus/pkg/scanners/clamav_test.go
+++ b/services/antivirus/pkg/scanners/clamav_test.go
@@ -0,0 +1,120 @@
+package scanners_test
+
+import (
+	"context"
+	"net"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/opencloud-eu/opencloud/services/antivirus/pkg/scanners"
+)
+
+func newUnixListener(t testing.TB, lc net.ListenConfig, v ...string) net.Listener {
+	d, err := os.MkdirTemp("", "")
+	assert.NoError(t, err)
+	t.Cleanup(func() {
+		require.NoError(t, os.RemoveAll(d))
+	})
+
+	nl, err := lc.Listen(context.Background(), "unix", filepath.Join(d, "sock"))
+	require.NoError(t, err)
+
+	go func() {
+		i := 0
+		for {
+			if len(v) == i {
+				break
+			}
+
+			conn, err := nl.Accept()
+			require.NoError(t, err)
+
+			time.Sleep(100 * time.Millisecond)
+
+			_, err = conn.Write([]byte(v[i]))
+			require.NoError(t, err)
+			require.NoError(t, conn.Close())
+			i++
+		}
+	}()
+
+	return nl
+}
+
+func TestNewClamAV(t *testing.T) {
+	t.Run("returns a scanner", func(t *testing.T) {
+		ul := newUnixListener(t, net.ListenConfig{}, "PONG\n")
+		defer func() {
+			assert.NoError(t, ul.Close())
+		}()
+
+		done := make(chan bool, 1)
+
+		go func() {
+			_, err := scanners.NewClamAV(ul.Addr().String(), 10*time.Second)
+			assert.NoError(t, err)
+			done <- true
+		}()
+
+		assert.True(t, <-done)
+	})
+
+	t.Run("fails if scanner is not pingable", func(t *testing.T) {
+		_, err := scanners.NewClamAV("", 0)
+		assert.ErrorIs(t, err, scanners.ErrScannerNotReachable)
+	})
+}
+
+func TestNewClamAV_Scan(t *testing.T) {
+	t.Run("returns a result", func(t *testing.T) {
+		ul := newUnixListener(t, net.ListenConfig{}, "PONG\n", "stream: Win.Test.EICAR_HDB-1 FOUND\n")
+		defer func() {
+			assert.NoError(t, ul.Close())
+		}()
+
+		done := make(chan bool, 1)
+
+		go func() {
+			scanner, err := scanners.NewClamAV(ul.Addr().String(), 10*time.Second)
+			assert.NoError(t, err)
+
+			result, err := scanner.Scan(scanners.Input{Body: strings.NewReader("DATA")})
+			assert.NoError(t, err)
+
+			assert.Equal(t, result.Description, "Win.Test.EICAR_HDB-1")
+			assert.True(t, result.Infected)
+			done <- true
+		}()
+
+		assert.True(t, <-done)
+	})
+
+	t.Run("aborts after a certain time", func(t *testing.T) {
+		ul := newUnixListener(t, net.ListenConfig{}, "PONG\n", "stream: Win.Test.EICAR_HDB-1 FOUND\n")
+		defer func() {
+			assert.NoError(t, ul.Close())
+		}()
+
+		done := make(chan bool, 1)
+
+		go func() {
+			scanner, err := scanners.NewClamAV(ul.Addr().String(), 10*time.Second)
+			assert.NoError(t, err)
+
+			result, err := scanner.Scan(scanners.Input{Body: strings.NewReader("DATA")})
+			assert.NoError(t, err)
+
+			assert.Equal(t, result.Description, "Win.Test.EICAR_HDB-1")
+			assert.True(t, result.Infected)
+			done <- true
+		}()
+
+		assert.True(t, <-done)
+	})
+}
--- a/services/antivirus/pkg/scanners/mocks/scanner.go
+++ b/services/antivirus/pkg/scanners/mocks/scanner.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.53.2. DO NOT EDIT.
+// Code generated by mockery. DO NOT EDIT.

 package mocks

--- a/services/antivirus/pkg/scanners/scanners.go
+++ b/services/antivirus/pkg/scanners/scanners.go
@@ -1,21 +1,31 @@
 package scanners

 import (
+	"errors"
 	"io"
 	"time"
 )

-// The Result is the common scan result to all scanners
-type Result struct {
-	Infected    bool
-	ScanTime    time.Time
-	Description string
-}
+var (
+	// ErrScanTimeout is returned when a scan times out
+	ErrScanTimeout = errors.New("time out waiting for clamav to respond while scanning")
+	// ErrScannerNotReachable is returned when the scanner is not reachable
+	ErrScannerNotReachable = errors.New("failed to reach the scanner")
+)

-// The Input is the common input to all scanners
-type Input struct {
-	Body io.Reader
-	Size int64
-	Url  string
-	Name string
-}
+type (
+	// The Result is the common scan result to all scanners
+	Result struct {
+		Infected    bool
+		ScanTime    time.Time
+		Description string
+	}
+
+	// The Input is the common input to all scanners
+	Input struct {
+		Body io.Reader
+		Size int64
+		Url  string
+		Name string
+	}
+)
--- a/services/antivirus/pkg/service/service.go
+++ b/services/antivirus/pkg/service/service.go
@@ -9,6 +9,7 @@ import (
 	"io"
 	"net/http"
 	"os"
+	"slices"
 	"sync"
 	"time"

@@ -37,38 +38,44 @@ type Scanner interface {
 }

 // NewAntivirus returns a service implementation for Service.
-func NewAntivirus(c *config.Config, l log.Logger, tp trace.TracerProvider) (Antivirus, error) {
-
+func NewAntivirus(cfg *config.Config, logger log.Logger, tracerProvider trace.TracerProvider) (Antivirus, error) {
 	var scanner Scanner
 	var err error
-	switch c.Scanner.Type {
+	switch cfg.Scanner.Type {
 	default:
-		return Antivirus{}, fmt.Errorf("unknown av scanner: '%s'", c.Scanner.Type)
-	case "clamav":
-		scanner = scanners.NewClamAV(c.Scanner.ClamAV.Socket)
-	case "icap":
-		scanner, err = scanners.NewICAP(c.Scanner.ICAP.URL, c.Scanner.ICAP.Service, c.Scanner.ICAP.Timeout)
+		return Antivirus{}, fmt.Errorf("unknown av scanner: '%s'", cfg.Scanner.Type)
+	case config.ScannerTypeClamAV:
+		scanner, err = scanners.NewClamAV(cfg.Scanner.ClamAV.Socket, cfg.Scanner.ClamAV.Timeout)
+	case config.ScannerTypeICap:
+		scanner, err = scanners.NewICAP(cfg.Scanner.ICAP.URL, cfg.Scanner.ICAP.Service, cfg.Scanner.ICAP.Timeout)
 	}
 	if err != nil {
 		return Antivirus{}, err
 	}

-	av := Antivirus{c: c, l: l, tp: tp, s: scanner, client: rhttp.GetHTTPClient(rhttp.Insecure(true))}
+	av := Antivirus{config: cfg, log: logger, tracerProvider: tracerProvider, scanner: scanner, client: rhttp.GetHTTPClient(rhttp.Insecure(true))}

-	switch o := events.PostprocessingOutcome(c.InfectedFileHandling); o {
-	case events.PPOutcomeContinue, events.PPOutcomeAbort, events.PPOutcomeDelete:
-		av.o = o
+	switch mode := cfg.MaxScanSizeMode; mode {
+	case config.MaxScanSizeModeSkip, config.MaxScanSizeModePartial:
+		break
 	default:
-		return av, fmt.Errorf("unknown infected file handling '%s'", o)
+		return av, fmt.Errorf("unknown max scan size mode '%s'", cfg.MaxScanSizeMode)
 	}

-	if c.MaxScanSize != "" {
-		b, err := bytesize.Parse(c.MaxScanSize)
+	switch outcome := events.PostprocessingOutcome(cfg.InfectedFileHandling); outcome {
+	case events.PPOutcomeContinue, events.PPOutcomeAbort, events.PPOutcomeDelete:
+		av.outcome = outcome
+	default:
+		return av, fmt.Errorf("unknown infected file handling '%s'", outcome)
+	}
+
+	if cfg.MaxScanSize != "" {
+		b, err := bytesize.Parse(cfg.MaxScanSize)
 		if err != nil {
 			return av, err
 		}

-		av.m = b.Bytes()
+		av.maxScanSize = b.Bytes()
 	}

 	return av, nil
@@ -76,23 +83,23 @@ func NewAntivirus(c *config.Config, l log.Logger, tp trace.TracerProvider) (Anti

 // Antivirus defines implements the business logic for Service.
 type Antivirus struct {
-	c  *config.Config
-	l  log.Logger
-	s  Scanner
-	o  events.PostprocessingOutcome
-	m  uint64
-	tp trace.TracerProvider
+	config         *config.Config
+	log            log.Logger
+	scanner        Scanner
+	outcome        events.PostprocessingOutcome
+	maxScanSize    uint64
+	tracerProvider trace.TracerProvider

 	client *http.Client
 }

 // Run runs the service
 func (av Antivirus) Run() error {
-	evtsCfg := av.c.Events
+	eventsCfg := av.config.Events

 	var rootCAPool *x509.CertPool
-	if av.c.Events.TLSRootCACertificate != "" {
-		rootCrtFile, err := os.Open(evtsCfg.TLSRootCACertificate)
+	if av.config.Events.TLSRootCACertificate != "" {
+		rootCrtFile, err := os.Open(eventsCfg.TLSRootCACertificate)
 		if err != nil {
 			return err
 		}
@@ -104,10 +111,10 @@ func (av Antivirus) Run() error {

 		rootCAPool = x509.NewCertPool()
 		rootCAPool.AppendCertsFromPEM(certBytes.Bytes())
-		av.c.Events.TLSInsecure = false
+		av.config.Events.TLSInsecure = false
 	}

-	natsStream, err := stream.NatsFromConfig(av.c.Service.Name, false, stream.NatsConfig(av.c.Events))
+	natsStream, err := stream.NatsFromConfig(av.config.Service.Name, false, stream.NatsConfig(av.config.Events))
 	if err != nil {
 		return err
 	}
@@ -118,7 +125,7 @@ func (av Antivirus) Run() error {
 	}

 	wg := sync.WaitGroup{}
-	for i := 0; i < av.c.Workers; i++ {
+	for i := 0; i < av.config.Workers; i++ {
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
@@ -127,11 +134,11 @@ func (av Antivirus) Run() error {
 				if err != nil {
 					switch {
 					case errors.Is(err, ErrFatal):
-						av.l.Fatal().Err(err).Msg("fatal error - exiting")
+						av.log.Fatal().Err(err).Msg("fatal error - exiting")
 					case errors.Is(err, ErrEvent):
-						av.l.Error().Err(err).Msg("continuing")
+						av.log.Error().Err(err).Msg("continuing")
 					default:
-						av.l.Fatal().Err(err).Msg("unknown error - exiting")
+						av.log.Fatal().Err(err).Msg("unknown error - exiting")
 					}
 				}
 			}
@@ -143,20 +150,20 @@ func (av Antivirus) Run() error {
 }

 func (av Antivirus) processEvent(e events.Event, s events.Publisher) error {
-	ctx := e.GetTraceContext(context.Background())
-	ctx, span := av.tp.Tracer("antivirus").Start(ctx, "processEvent")
+	ctx, span := av.tracerProvider.Tracer("antivirus").Start(e.GetTraceContext(context.Background()), "processEvent")
 	defer span.End()
-	av.l.Info().Str("traceID", span.SpanContext().TraceID().String()).Msg("TraceID")
+	av.log.Info().Str("traceID", span.SpanContext().TraceID().String()).Msg("TraceID")
+
 	ev := e.Event.(events.StartPostprocessingStep)
 	if ev.StepToStart != events.PPStepAntivirus {
 		return nil
 	}

-	if av.c.DebugScanOutcome != "" {
-		av.l.Warn().Str("antivir, clamav", ">>>>>>> ANTIVIRUS_DEBUG_SCAN_OUTCOME IS SET NO ACTUAL VIRUS SCAN IS PERFORMED!").Send()
+	if av.config.DebugScanOutcome != "" {
+		av.log.Warn().Str("antivir, clamav", ">>>>>>> ANTIVIRUS_DEBUG_SCAN_OUTCOME IS SET NO ACTUAL VIRUS SCAN IS PERFORMED!").Send()
 		if err := events.Publish(ctx, s, events.PostprocessingStepFinished{
 			FinishedStep:  events.PPStepAntivirus,
-			Outcome:       events.PostprocessingOutcome(av.c.DebugScanOutcome),
+			Outcome:       events.PostprocessingOutcome(av.config.DebugScanOutcome),
 			UploadID:      ev.UploadID,
 			ExecutingUser: ev.ExecutingUser,
 			Filename:      ev.Filename,
@@ -167,13 +174,14 @@ func (av Antivirus) processEvent(e events.Event, s events.Publisher) error {
 				ResourceID:  ev.ResourceID,
 			},
 		}); err != nil {
-			av.l.Fatal().Err(err).Str("uploadid", ev.UploadID).Interface("resourceID", ev.ResourceID).Msg("cannot publish events - exiting")
+			av.log.Fatal().Err(err).Str("uploadid", ev.UploadID).Interface("resourceID", ev.ResourceID).Msg("cannot publish events - exiting")
 			return fmt.Errorf("%w: cannot publish events", ErrFatal)
 		}
 		return fmt.Errorf("%w: no actual virus scan performed", ErrEvent)
 	}

-	av.l.Debug().Str("uploadid", ev.UploadID).Str("filename", ev.Filename).Msg("Starting virus scan.")
+	av.log.Debug().Str("uploadid", ev.UploadID).Str("filename", ev.Filename).Msg("Starting virus scan.")
+
 	var errmsg string
 	start := time.Now()
 	res, err := av.process(ev)
@@ -185,17 +193,17 @@ func (av Antivirus) processEvent(e events.Event, s events.Publisher) error {
 	var outcome events.PostprocessingOutcome
 	switch {
 	case res.Infected:
-		outcome = av.o
+		outcome = av.outcome
 	case !res.Infected && err == nil:
 		outcome = events.PPOutcomeContinue
 	case err != nil:
 		outcome = events.PPOutcomeRetry
 	default:
-		// Not sure what this is about. abort.
+		// Not sure what this is about. Abort.
 		outcome = events.PPOutcomeAbort
 	}

-	av.l.Info().Str("uploadid", ev.UploadID).Interface("resourceID", ev.ResourceID).Str("virus", res.Description).Str("outcome", string(outcome)).Str("filename", ev.Filename).Str("user", ev.ExecutingUser.GetId().GetOpaqueId()).Bool("infected", res.Infected).Dur("duration", duration).Msg("File scanned")
+	av.log.Info().Str("uploadid", ev.UploadID).Interface("resourceID", ev.ResourceID).Str("virus", res.Description).Str("outcome", string(outcome)).Str("filename", ev.Filename).Str("user", ev.ExecutingUser.GetId().GetOpaqueId()).Bool("infected", res.Infected).Dur("duration", duration).Msg("File scanned")
 	if err := events.Publish(ctx, s, events.PostprocessingStepFinished{
 		FinishedStep:  events.PPStepAntivirus,
 		Outcome:       outcome,
@@ -210,7 +218,7 @@ func (av Antivirus) processEvent(e events.Event, s events.Publisher) error {
 			ErrorMsg:    errmsg,
 		},
 	}); err != nil {
-		av.l.Fatal().Err(err).Str("uploadid", ev.UploadID).Interface("resourceID", ev.ResourceID).Msg("cannot publish events - exiting")
+		av.log.Fatal().Err(err).Str("uploadid", ev.UploadID).Interface("resourceID", ev.ResourceID).Msg("cannot publish events - exiting")
 		return fmt.Errorf("%w: %s", ErrFatal, err)
 	}
 	return nil
@@ -218,11 +226,24 @@ func (av Antivirus) processEvent(e events.Event, s events.Publisher) error {

 // process the scan
 func (av Antivirus) process(ev events.StartPostprocessingStep) (scanners.Result, error) {
-	if ev.Filesize == 0 || (0 < av.m && av.m < ev.Filesize) {
-		av.l.Info().Str("uploadid", ev.UploadID).Uint64("limit", av.m).Uint64("filesize", ev.Filesize).Msg("Skipping file to be virus scanned because its file size is higher than the defined limit.")
-		return scanners.Result{
-			ScanTime: time.Now(),
-		}, nil
+	if ev.Filesize == 0 {
+		av.log.Info().Str("uploadid", ev.UploadID).Msg("Skipping file to be virus scanned, file size is 0.")
+		return scanners.Result{ScanTime: time.Now()}, nil
+	}
+
+	headers := make(map[string]string)
+	switch {
+	case av.maxScanSize == 0:
+		// there is no size limit
+		break
+	case av.config.MaxScanSizeMode == config.MaxScanSizeModeSkip && ev.Filesize > av.maxScanSize:
+		// skip the file if it is bigger than the max scan size
+		av.log.Info().Str("uploadid", ev.UploadID).Uint64("filesize", ev.Filesize).
+			Msg("Skipping file to be virus scanned, file size is bigger than max scan size.")
+		return scanners.Result{ScanTime: time.Now()}, nil
+	case av.config.MaxScanSizeMode == config.MaxScanSizeModePartial && ev.Filesize > av.maxScanSize:
+		// set the range header to only download the first maxScanSize bytes
+		headers["Range"] = fmt.Sprintf("bytes=0-%d", av.maxScanSize-1)
 	}

 	var err error
@@ -230,56 +251,61 @@ func (av Antivirus) process(ev events.StartPostprocessingStep) (scanners.Result,

 	switch ev.UploadID {
 	default:
-		rrc, err = av.downloadViaToken(ev.URL)
+		rrc, err = av.downloadViaToken(ev.URL, headers)
 	case "":
-		rrc, err = av.downloadViaReva(ev.URL, ev.Token, ev.RevaToken)
+		rrc, err = av.downloadViaReva(ev.URL, ev.Token, ev.RevaToken, headers)
 	}
 	if err != nil {
-		av.l.Error().Err(err).Str("uploadid", ev.UploadID).Msg("error downloading file")
+		av.log.Error().Err(err).Str("uploadid", ev.UploadID).Msg("error downloading file")
 		return scanners.Result{}, err
 	}
-	defer rrc.Close()
-	av.l.Debug().Str("uploadid", ev.UploadID).Msg("Downloaded file successfully, starting virusscan")
+	defer func() {
+		_ = rrc.Close()
+	}()

-	res, err := av.s.Scan(scanners.Input{Body: rrc, Size: int64(ev.Filesize), Url: ev.URL, Name: ev.Filename})
+	av.log.Debug().Str("uploadid", ev.UploadID).Msg("Downloaded file successfully, starting virusscan")
+
+	res, err := av.scanner.Scan(scanners.Input{Body: rrc, Size: int64(ev.Filesize), Url: ev.URL, Name: ev.Filename})
 	if err != nil {
-		av.l.Error().Err(err).Str("uploadid", ev.UploadID).Msg("error scanning file")
+		av.log.Error().Err(err).Str("uploadid", ev.UploadID).Msg("error scanning file")
 	}

 	return res, err
 }

 // download will download the file
-func (av Antivirus) downloadViaToken(url string) (io.ReadCloser, error) {
+func (av Antivirus) downloadViaToken(url string, headers map[string]string) (io.ReadCloser, error) {
 	req, err := http.NewRequest(http.MethodGet, url, nil)
 	if err != nil {
 		return nil, err
 	}

-	return av.doDownload(req)
+	return av.doDownload(req, headers)
 }

 // download will download the file
-func (av Antivirus) downloadViaReva(url string, dltoken string, revatoken string) (io.ReadCloser, error) {
-	ctx := ctxpkg.ContextSetToken(context.Background(), revatoken)
-
-	req, err := rhttp.NewRequest(ctx, http.MethodGet, url, nil)
+func (av Antivirus) downloadViaReva(url string, dltoken string, revatoken string, headers map[string]string) (io.ReadCloser, error) {
+	req, err := rhttp.NewRequest(ctxpkg.ContextSetToken(context.Background(), revatoken), http.MethodGet, url, nil)
 	if err != nil {
 		return nil, err
 	}
 	req.Header.Set("X-Reva-Transfer", dltoken)

-	return av.doDownload(req)
+	return av.doDownload(req, headers)
 }

-func (av Antivirus) doDownload(req *http.Request) (io.ReadCloser, error) {
+func (av Antivirus) doDownload(req *http.Request, headers map[string]string) (io.ReadCloser, error) {
+	for k, v := range headers {
+		req.Header.Add(k, v)
+	}
+
 	res, err := av.client.Do(req)
 	if err != nil {
 		return nil, err
 	}

-	if res.StatusCode != http.StatusOK {
-		res.Body.Close()
+	if !slices.Contains([]int{http.StatusOK, http.StatusPartialContent}, res.StatusCode) {
+		_ = res.Body.Close()
 		return nil, fmt.Errorf("unexpected status code from Download %v", res.StatusCode)
 	}

--- a/services/app-provider/Makefile
+++ b/services/app-provider/Makefile
@@ -6,7 +6,6 @@ include ../../.bingo/Variables.mk
 endif

 include ../../.make/default.mk
-include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk
--- a/services/app-provider/pkg/command/version.go
+++ b/services/app-provider/pkg/command/version.go
@@ -7,7 +7,8 @@ import (
 	"github.com/opencloud-eu/opencloud/pkg/registry"
 	"github.com/opencloud-eu/opencloud/pkg/version"

-	tw "github.com/olekukonko/tablewriter"
+	"github.com/olekukonko/tablewriter"
+	"github.com/olekukonko/tablewriter/tw"
 	"github.com/opencloud-eu/opencloud/services/app-provider/pkg/config"
 	"github.com/urfave/cli/v2"
 )
@@ -35,9 +36,8 @@ func Version(cfg *config.Config) *cli.Command {
 				return nil
 			}

-			table := tw.NewWriter(os.Stdout)
-			table.SetHeader([]string{"Version", "Address", "Id"})
-			table.SetAutoFormatHeaders(false)
+			table := tablewriter.NewTable(os.Stdout, tablewriter.WithHeaderAutoFormat(tw.Off))
+			table.Header([]string{"Version", "Address", "Id"})
 			for _, s := range services {
 				for _, n := range s.Nodes {
 					table.Append([]string{s.Version, n.Address, n.Id})
--- a/services/app-registry/Makefile
+++ b/services/app-registry/Makefile
@@ -6,7 +6,6 @@ include ../../.bingo/Variables.mk
 endif

 include ../../.make/default.mk
-include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk
--- a/services/app-registry/pkg/command/version.go
+++ b/services/app-registry/pkg/command/version.go
@@ -7,7 +7,8 @@ import (
 	"github.com/opencloud-eu/opencloud/pkg/registry"
 	"github.com/opencloud-eu/opencloud/pkg/version"

-	tw "github.com/olekukonko/tablewriter"
+	"github.com/olekukonko/tablewriter"
+	"github.com/olekukonko/tablewriter/tw"
 	"github.com/opencloud-eu/opencloud/services/app-registry/pkg/config"
 	"github.com/urfave/cli/v2"
 )
@@ -35,9 +36,8 @@ func Version(cfg *config.Config) *cli.Command {
 				return nil
 			}

-			table := tw.NewWriter(os.Stdout)
-			table.SetHeader([]string{"Version", "Address", "Id"})
-			table.SetAutoFormatHeaders(false)
+			table := tablewriter.NewTable(os.Stdout, tablewriter.WithHeaderAutoFormat(tw.Off))
+			table.Header([]string{"Version", "Address", "Id"})
 			for _, s := range services {
 				for _, n := range s.Nodes {
 					table.Append([]string{s.Version, n.Address, n.Id})
--- a/services/audit/Makefile
+++ b/services/audit/Makefile
@@ -6,7 +6,6 @@ include ../../.bingo/Variables.mk
 endif

 include ../../.make/default.mk
-include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk
--- a/services/auth-app/Makefile
+++ b/services/auth-app/Makefile
@@ -6,7 +6,6 @@ include ../../.bingo/Variables.mk
 endif

 include ../../.make/default.mk
-include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk
--- a/services/auth-app/pkg/command/version.go
+++ b/services/auth-app/pkg/command/version.go
@@ -7,7 +7,8 @@ import (
 	"github.com/opencloud-eu/opencloud/pkg/registry"
 	"github.com/opencloud-eu/opencloud/pkg/version"

-	tw "github.com/olekukonko/tablewriter"
+	"github.com/olekukonko/tablewriter"
+	"github.com/olekukonko/tablewriter/tw"
 	"github.com/opencloud-eu/opencloud/services/auth-app/pkg/config"
 	"github.com/urfave/cli/v2"
 )
@@ -35,9 +36,8 @@ func Version(cfg *config.Config) *cli.Command {
 				return nil
 			}

-			table := tw.NewWriter(os.Stdout)
-			table.SetHeader([]string{"Version", "Address", "Id"})
-			table.SetAutoFormatHeaders(false)
+			table := tablewriter.NewTable(os.Stdout, tablewriter.WithHeaderAutoFormat(tw.Off))
+			table.Header([]string{"Version", "Address", "Id"})
 			for _, s := range services {
 				for _, n := range s.Nodes {
 					table.Append([]string{s.Version, n.Address, n.Id})
--- a/services/auth-app/pkg/service/service.go
+++ b/services/auth-app/pkg/service/service.go
@@ -278,7 +278,7 @@ func (a *AuthAppService) authenticateUser(userID, userName string, gwc gateway.G

 func getContext(r *http.Request) context.Context {
 	ctx := r.Context()
-	return metadata.AppendToOutgoingContext(ctx, ctxpkg.TokenHeader, r.Header.Get("X-Access-Token"))
+	return metadata.AppendToOutgoingContext(ctx, ctxpkg.TokenHeader, r.Header.Get(ctxpkg.TokenHeader))
 }

 func buildClientID(userID, userName string) string {
--- a/services/auth-basic/Makefile
+++ b/services/auth-basic/Makefile
@@ -6,7 +6,6 @@ include ../../.bingo/Variables.mk
 endif

 include ../../.make/default.mk
-include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk
--- a/services/auth-basic/pkg/command/version.go
+++ b/services/auth-basic/pkg/command/version.go
@@ -7,7 +7,8 @@ import (
 	"github.com/opencloud-eu/opencloud/pkg/registry"
 	"github.com/opencloud-eu/opencloud/pkg/version"

-	tw "github.com/olekukonko/tablewriter"
+	"github.com/olekukonko/tablewriter"
+	"github.com/olekukonko/tablewriter/tw"
 	"github.com/opencloud-eu/opencloud/services/auth-basic/pkg/config"
 	"github.com/urfave/cli/v2"
 )
@@ -35,9 +36,8 @@ func Version(cfg *config.Config) *cli.Command {
 				return nil
 			}

-			table := tw.NewWriter(os.Stdout)
-			table.SetHeader([]string{"Version", "Address", "Id"})
-			table.SetAutoFormatHeaders(false)
+			table := tablewriter.NewTable(os.Stdout, tablewriter.WithHeaderAutoFormat(tw.Off))
+			table.Header([]string{"Version", "Address", "Id"})
 			for _, s := range services {
 				for _, n := range s.Nodes {
 					table.Append([]string{s.Version, n.Address, n.Id})
--- a/services/auth-bearer/Makefile
+++ b/services/auth-bearer/Makefile
@@ -6,7 +6,6 @@ include ../../.bingo/Variables.mk
 endif

 include ../../.make/default.mk
-include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk
--- a/services/auth-bearer/pkg/command/version.go
+++ b/services/auth-bearer/pkg/command/version.go
@@ -7,7 +7,8 @@ import (
 	"github.com/opencloud-eu/opencloud/pkg/registry"
 	"github.com/opencloud-eu/opencloud/pkg/version"

-	tw "github.com/olekukonko/tablewriter"
+	"github.com/olekukonko/tablewriter"
+	"github.com/olekukonko/tablewriter/tw"
 	"github.com/opencloud-eu/opencloud/services/auth-bearer/pkg/config"
 	"github.com/urfave/cli/v2"
 )
@@ -35,9 +36,8 @@ func Version(cfg *config.Config) *cli.Command {
 				return nil
 			}

-			table := tw.NewWriter(os.Stdout)
-			table.SetHeader([]string{"Version", "Address", "Id"})
-			table.SetAutoFormatHeaders(false)
+			table := tablewriter.NewTable(os.Stdout, tablewriter.WithHeaderAutoFormat(tw.Off))
+			table.Header([]string{"Version", "Address", "Id"})
 			for _, s := range services {
 				for _, n := range s.Nodes {
 					table.Append([]string{s.Version, n.Address, n.Id})
--- a/services/auth-machine/Makefile
+++ b/services/auth-machine/Makefile
@@ -6,7 +6,6 @@ include ../../.bingo/Variables.mk
 endif

 include ../../.make/default.mk
-include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk
--- a/Show More
+++ b/Show More