run CI with posix if posix in the title

use old expected failures file
reva bump
2025-12-24 22:59:51 -05:00 · 2025-03-17 12:43:01 +01:00 · 2025-03-17 12:43:01 +01:00 · 2025-03-17 12:43:01 +01:00 · 2025-03-17 12:43:01 +01:00 · 2025-03-17 12:43:00 +01:00
591 changed files with 9070 additions and 53487 deletions
--- a/.github/settings.yml
+++ b/.github/settings.yml
@@ -1 +1,2 @@
 _extends: gh-labels
+
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -1,28 +0,0 @@
-name: Require Pull Request Labels
-on:
-  pull_request:
-    types: [opened, labeled, unlabeled, synchronize]
-jobs:
-  label:
-    runs-on: ubuntu-latest
-    permissions:
-      issues: write
-      pull-requests: write
-    steps:
-      - uses: mheap/github-action-required-labels@v5
-        with:
-          mode: minimum
-          count: 1
-          labels: |
-            Type:Bug
-            Type:Enhancement
-            Type:Feature
-            Type:Breaking-Change
-            Type:Test
-            Type:Documentation
-            Type:Maintenance
-            Type:Security
-            Type:Dependencies
-            Type:DevOps
-            dependencies
-          add_comment: true
--- a/.make/go.mk
+++ b/.make/go.mk
@@ -18,20 +18,21 @@ SOURCES ?= $(shell find . -name "*.go" -type f -not -path "./node_modules/*")
 TAGS ?=

 ifndef OUTPUT
-	ifneq ($(CI_COMMIT_TAG),)
-		OUTPUT ?= $(subst v,,$(CI_COMMIT_TAG))
+	ifneq ($(DRONE_TAG),)
+		OUTPUT ?= $(subst v,,$(DRONE_TAG))
 	else
 		OUTPUT ?= testing
 	endif
 endif

-ifeq ($(VERSION), daily)
-	STRING ?= $(shell git rev-parse --short HEAD)
-else ifeq ($(VERSION),)
-	STRING ?= $(shell git rev-parse --short HEAD)
+ifndef VERSION
+	ifneq ($(DRONE_TAG),)
+		VERSION ?= $(subst v,,$(DRONE_TAG))
+	else
+		STRING ?= $(shell git rev-parse --short HEAD)
+	endif
 endif

-
 ifndef DATE
 	DATE := $(shell date -u '+%Y%m%d')
 endif
@@ -109,15 +110,3 @@ debug-linux-docker-amd64: release-dirs
 		-ldflags '-extldflags "-static" $(DEBUG_LDFLAGS) $(DOCKER_LDFLAGS)' \
 		-o '$(DIST)/binaries/$(EXECUTABLE)-linux-amd64' \
 		./cmd/$(NAME)
-
-debug-linux-docker-arm64: release-dirs
-	GOOS=linux \
-	GOARCH=arm64 \
-	go build \
-        -gcflags="all=-N -l" \
-		-tags 'netgo $(TAGS)' \
-		-buildmode=exe \
-		-trimpath \
-		-ldflags '-extldflags "-static" $(DEBUG_LDFLAGS) $(DOCKER_LDFLAGS)' \
-		-o '$(DIST)/binaries/$(EXECUTABLE)-linux-arm64' \
-		./cmd/$(NAME)
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -101,9 +101,6 @@
        "APP_PROVIDER_GRPC_ADDR": "127.0.0.1:10164",
        "APP_REGISTRY_DEBUG_ADDR": "127.0.0.1:10243",
        "APP_REGISTRY_GRPC_ADDR": "127.0.0.1:10242",
-        "AUTH_APP_DEBUG_ADDR": "127.0.0.1:10245",
-        "AUTH_APP_GRPC_ADDR": "127.0.0.1:10246",
-        "AUTH_APP_HTTP_ADDR": "127.0.0.1:10247",
        "AUTH_BASIC_DEBUG_ADDR": "127.0.0.1:10147",
        "AUTH_BASIC_GRPC_ADDR": "127.0.0.1:10146",
        "AUTH_MACHINE_DEBUG_ADDR": "127.0.0.1:10167",
--- a/.woodpecker.env
+++ b/.woodpecker.env
@@ -1,3 +1,3 @@
 # The test runner source for UI tests
-WEB_COMMITID=25629bf0d846051ec0ed6f56ddbeb1a4de6f9ba0
+WEB_COMMITID=74c8df4f64d9bf957a0652fb92e01529efa3c0b3
 WEB_BRANCH=main
--- a/.woodpecker.star
+++ b/.woodpecker.star
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,106 +1,2 @@
-# Changelog
+# Table of Contents

-## [2.1.0](https://github.com/opencloud-eu/opencloud/releases/tag/v2.1.0) - 2025-04-07
-
-### ❤️ Thanks to all contributors! ❤️
-
-@AlexAndBear, @JammingBen, @ScharfViktor, @aduffeck, @butonic, @fschade, @individual-it, @kulmann, @micbar, @michaelstingl, @rhafer
-
-### 🐛 Bug Fixes
-
- feat(antivirus): add partial scanning mode [[#559](https://github.com/opencloud-eu/opencloud/pull/559)]
- Simplify item-trashed SSEs. Also fixes it for coll. posix fs. [[#565](https://github.com/opencloud-eu/opencloud/pull/565)]
- fix(opencloud_full): add missing SMTP env vars [[#563](https://github.com/opencloud-eu/opencloud/pull/563)]
- fix: full deployment tika description is wrong [[#553](https://github.com/opencloud-eu/opencloud/pull/553)]
- fix: traefik credentials [[#555](https://github.com/opencloud-eu/opencloud/pull/555)]
- Enable scan/watch in the storageprovider only [[#546](https://github.com/opencloud-eu/opencloud/pull/546)]
- fix: typo in dev docs [[#540](https://github.com/opencloud-eu/opencloud/pull/540)]
-
-### 📈 Enhancement
-
- [full-ci] reva bump 2.31.0 [[#599](https://github.com/opencloud-eu/opencloud/pull/599)]
- feat: support svg as icon [[#538](https://github.com/opencloud-eu/opencloud/pull/538)]
- feat: change theme.json primary color [[#536](https://github.com/opencloud-eu/opencloud/pull/536)]
- graph: reduce memory allocations [[#494](https://github.com/opencloud-eu/opencloud/pull/494)]
-
-### ✅ Tests
-
- [full-ci] fix expected spanish string in test [[#596](https://github.com/opencloud-eu/opencloud/pull/596)]
- Revert "Disable the 'exclude' patterns on the path conditional for now" [[#561](https://github.com/opencloud-eu/opencloud/pull/561)]
-
-### 📦️ Dependencies
-
- build(deps): bump github.com/go-playground/validator/v10 from 10.25.0 to 10.26.0 [[#571](https://github.com/opencloud-eu/opencloud/pull/571)]
- build(deps): bump github.com/nats-io/nats.go from 1.39.1 to 1.41.0 [[#567](https://github.com/opencloud-eu/opencloud/pull/567)]
- [full-ci] chore(web): bump web to v2.2.0 [[#570](https://github.com/opencloud-eu/opencloud/pull/570)]
- build(deps): bump github.com/onsi/gomega from 1.36.3 to 1.37.0 [[#566](https://github.com/opencloud-eu/opencloud/pull/566)]
- build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 [[#557](https://github.com/opencloud-eu/opencloud/pull/557)]
- build(deps-dev): bump eslint-plugin-jsx-a11y from 6.9.0 to 6.10.2 in /services/idp [[#542](https://github.com/opencloud-eu/opencloud/pull/542)]
- build(deps): bump web-vitals from 3.5.2 to 4.2.4 in /services/idp [[#541](https://github.com/opencloud-eu/opencloud/pull/541)]
- build(deps): bump github.com/open-policy-agent/opa from 1.2.0 to 1.3.0 [[#508](https://github.com/opencloud-eu/opencloud/pull/508)]
- build(deps): bump github.com/urfave/cli/v2 from 2.27.5 to 2.27.6 [[#509](https://github.com/opencloud-eu/opencloud/pull/509)]
- fix keycloak example #465 [[#535](https://github.com/opencloud-eu/opencloud/pull/535)]
-
-## [2.0.0](https://github.com/opencloud-eu/opencloud/releases/tag/v2.0.0) - 2025-03-26
-
-### ❤️ Thanks to all contributors! ❤️
-
-@JammingBen, @ScharfViktor, @aduffeck, @amrita-shrestha, @butonic, @dragonchaser, @dragotin, @individual-it, @kulmann, @micbar, @prashant-gurung899, @rhafer
-
-### 💥 Breaking changes
-
- [posix] change storage users default to posixfs [[#237](https://github.com/opencloud-eu/opencloud/pull/237)]
-
-### 🐛 Bug Fixes
-
- Bump reva to 2.29.1 [[#501](https://github.com/opencloud-eu/opencloud/pull/501)]
- remove workaround for translation formatting [[#491](https://github.com/opencloud-eu/opencloud/pull/491)]
- [full-ci] fix(collaboration): hide SaveAs and ExportAs buttons in web office [[#471](https://github.com/opencloud-eu/opencloud/pull/471)]
- fix: add missing debug docker [[#481](https://github.com/opencloud-eu/opencloud/pull/481)]
- Downgrade nats.go to 1.39.1 [[#479](https://github.com/opencloud-eu/opencloud/pull/479)]
-  fix cli driver initialization for "posix"  [[#459](https://github.com/opencloud-eu/opencloud/pull/459)]
- Do not cache when there was an error gathering the data [[#462](https://github.com/opencloud-eu/opencloud/pull/462)]
- fix(storage-users): 'uploads sessions' command crash [[#446](https://github.com/opencloud-eu/opencloud/pull/446)]
- fix: org name in multiarch dev build [[#431](https://github.com/opencloud-eu/opencloud/pull/431)]
- fix local setup [[#440](https://github.com/opencloud-eu/opencloud/pull/440)]
-
-### 📈 Enhancement
-
- [full-ci] chore(web): update web to v2.1.0 [[#497](https://github.com/opencloud-eu/opencloud/pull/497)]
- Bump reva [[#474](https://github.com/opencloud-eu/opencloud/pull/474)]
- Bump reva to pull in the latest fixes [[#451](https://github.com/opencloud-eu/opencloud/pull/451)]
- Switch to jsoncs3 backend for app tokens and enable service by default [[#433](https://github.com/opencloud-eu/opencloud/pull/433)]
- Completely remove "edition" from capabilities [[#434](https://github.com/opencloud-eu/opencloud/pull/434)]
- feat: add post logout redirect uris for mobile clients [[#411](https://github.com/opencloud-eu/opencloud/pull/411)]
- chore: bump version to v1.1.0 [[#422](https://github.com/opencloud-eu/opencloud/pull/422)]
-
-### ✅ Tests
-
- [full-ci] add one more TUS test to expected to fail file [[#489](https://github.com/opencloud-eu/opencloud/pull/489)]
- [full-ci]Remove mtime 500 issue from expected failure [[#467](https://github.com/opencloud-eu/opencloud/pull/467)]
- add auth app to ocm test setup [[#472](https://github.com/opencloud-eu/opencloud/pull/472)]
- use opencloudeu/cs3api-validator in CI [[#469](https://github.com/opencloud-eu/opencloud/pull/469)]
- fix(test): Run app-auth test with jsoncs3 backend [[#460](https://github.com/opencloud-eu/opencloud/pull/460)]
- Always run CLI tests with the decomposed storage driver [[#435](https://github.com/opencloud-eu/opencloud/pull/435)]
- Disable the 'exclude' patterns on the path conditional for now [[#439](https://github.com/opencloud-eu/opencloud/pull/439)]
- run CS3 API tests in CI [[#415](https://github.com/opencloud-eu/opencloud/pull/415)]
- fix: fix path exclusion glob patterns [[#427](https://github.com/opencloud-eu/opencloud/pull/427)]
- Cleanup woodpecker [[#430](https://github.com/opencloud-eu/opencloud/pull/430)]
- enable main API test suite to run in CI [[#419](https://github.com/opencloud-eu/opencloud/pull/419)]
- Run wopi tests in CI [[#416](https://github.com/opencloud-eu/opencloud/pull/416)]
- Run `cliCommands` tests pipeline in CI [[#413](https://github.com/opencloud-eu/opencloud/pull/413)]
-
-### 📚 Documentation
-
- docs(idp): Document how to add custom OIDC clients [[#476](https://github.com/opencloud-eu/opencloud/pull/476)]
- Clean invalid documentation links [[#466](https://github.com/opencloud-eu/opencloud/pull/466)]
-
-### 📦️ Dependencies
-
- build(deps): bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.26.1 to 2.26.3 [[#480](https://github.com/opencloud-eu/opencloud/pull/480)]
- chore: update alpine to 3.21 [[#483](https://github.com/opencloud-eu/opencloud/pull/483)]
- build(deps): bump github.com/nats-io/nats.go from 1.39.1 to 1.40.0 [[#464](https://github.com/opencloud-eu/opencloud/pull/464)]
- build(deps): bump github.com/spf13/afero from 1.12.0 to 1.14.0 [[#436](https://github.com/opencloud-eu/opencloud/pull/436)]
- build(deps): bump github.com/KimMachineGun/automemlimit from 0.7.0 to 0.7.1 [[#437](https://github.com/opencloud-eu/opencloud/pull/437)]
- build(deps): bump golang.org/x/image from 0.24.0 to 0.25.0 [[#426](https://github.com/opencloud-eu/opencloud/pull/426)]
- build(deps): bump go.opentelemetry.io/contrib/zpages from 0.57.0 to 0.60.0 [[#425](https://github.com/opencloud-eu/opencloud/pull/425)]
--- a/deployments/examples/bare-metal-simple/README.md
+++ b/deployments/examples/bare-metal-simple/README.md
@@ -31,9 +31,9 @@ to download. If not set, there is a reasonable default.
 Call

 ```
-OC_VERSION="2.0.0" ./install.sh
+OC_VERSION="1.0.0" ./install.sh
 ``` 
-to install the OpenCloud version 2.0.0
+to install the OpenCloud version 1.0.0

 There is also a hosted version of this script that makes it even
 easier:
--- a/deployments/examples/bare-metal-simple/install.sh
+++ b/deployments/examples/bare-metal-simple/install.sh
@@ -37,7 +37,7 @@ function backup_file () {
 # URL pattern of the download file
 # https://github.com/opencloud-eu/opencloud/releases/download/v1.0.0/opencloud-1.0.0-linux-amd64

-dlversion="${OC_VERSION:-2.0.0}"
+dlversion="${OC_VERSION:-1.0.0}"
 dlurl="https://github.com/opencloud-eu/opencloud/releases/download/v${dlversion}/"

 sandbox="opencloud-sandbox-${dlversion}"
--- a/deployments/examples/opencloud_full/.env
+++ b/deployments/examples/opencloud_full/.env
@@ -17,9 +17,7 @@ TRAEFIK_DASHBOARD=
 # Defaults to "traefik.opencloud.test"
 TRAEFIK_DOMAIN=
 # Basic authentication for the traefik dashboard.
-# Defaults to user "admin" and password "admin" (written as: "admin:$2y$05$KDHu3xq92SPaO3G8Ybkc7edd51pPLJcG1nWk3lmlrIdANQ/B6r5pq").
-# To create user:password pair, it's possible to use this command:
-# echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
+# Defaults to user "admin" and password "admin" (written as: "admin:admin").
 TRAEFIK_BASIC_AUTH_USERS=
 # Email address for obtaining LetsEncrypt certificates.
 # Needs only be changed if this is a public facing server.
@@ -52,11 +50,11 @@ OC_DOMAIN=
 ADMIN_PASSWORD=
 # Demo users should not be created on a production instance,
 # because their passwords are public. Defaults to "false".
-# If demo users is set to "true", the following user accounts are created automatically:
-# alan, mary, margaret, dennis and lynn - the password is 'demo' for all.
+# Also see: https://doc.opencloud.eu/opencloud/latest/deployment/general/general-info.html#demo-users-and-groups
 DEMO_USERS=
 # Define the openCloud loglevel used.
-#
+# For more details see:
+# https://doc.opencloud.eu/opencloud/latest/deployment/services/env-vars-special-scope.html
 LOG_LEVEL=
 # Define the kind of logging.
 # The default log can be read by machines.
@@ -66,6 +64,8 @@ LOG_LEVEL=
 # Define the openCloud storage location. Set the paths for config and data to a local path.
 # Note that especially the data directory can grow big.
 # Leaving it default stores data in docker internal volumes.
+# For more details see:
+# https://doc.opencloud.eu/opencloud/next/deployment/general/general-info.html#default-paths
 # OC_CONFIG_DIR=/your/local/opencloud/config
 # OC_DATA_DIR=/your/local/opencloud/data

@@ -74,7 +74,7 @@ LOG_LEVEL=
 # Per default, S3 storage is disabled and the decomposed storage driver is used.
 # To enable S3 storage, uncomment the following line and configure the S3 storage.
 # For more details see:
-# https://docs.opencloud.eu/docs/admin/configuration/storage-decomposeds3
+# https://doc.opencloud.eu/opencloud/next/deployment/storage/decomposeds3.html
 # Note: the leading colon is required to enable the service.
 #DECOMPOSEDS3=:decomposeds3.yml
 # Configure the S3 storage endpoint. Defaults to "http://minio:9000" for testing purposes.
@@ -94,14 +94,16 @@ DECOMPOSEDS3_BUCKET=
 # Minio domain. Defaults to "minio.opencloud.test".
 MINIO_DOMAIN=

-# OpenCloud uses POSIX storage as the default primary storage.
-# By default, Decomposed storage is disabled, and the POSIX storage driver is used.
-# To enable Decomposed storage, uncomment the following line.
+# POSIX Storage configuration - optional
+# OpenCloud supports posix storage as primary storage.
+# Per default, S3 storage is disabled and the decomposed storage driver is used.
+# To enable POSIX storage, uncomment the following line.
 # Note: the leading colon is required to enable the service.
-#DECOMPOSED=:decomposed.yml
+#POSIX=:posix.yml

-# Define SMTP settings if you would like to send OpenCloud email notifications.
-#
+# Define SMPT settings if you would like to send OpenCloud email notifications.
+# For more details see:
+# https://doc.opencloud.eu/opencloud/latest/deployment/services/s-list/notifications.html
 # NOTE: when configuring Inbucket, these settings have no effect, see inbucket.yml for details.
 # SMTP host to connect to.
 SMTP_HOST=
@@ -116,8 +118,6 @@ SMTP_USERNAME=
 SMTP_PASSWORD=
 # Authentication method for the SMTP communication.
 SMTP_AUTHENTICATION=
-# Encryption method for the SMTP communication. Possible values are 'starttls', 'ssltls' and 'none'
-SMTP_TRANSPORT_ENCRYPTION=
 # Allow insecure connections to the SMTP server. Defaults to false.
 SMTP_INSECURE=

@@ -161,7 +161,7 @@ COMPANION_ONEDRIVE_SECRET=
 ## Default Enabled Services ##

 ### Apache Tika Content Analysis Toolkit ###
-# Tika (search) is disabled by default due to performance reasons.
+# Tika (search) is enabled by default, comment if not required.
 # Note: the leading colon is required to enable the service.
 #TIKA=:tika.yml
 # Set the desired docker image tag or digest.
@@ -205,6 +205,7 @@ COLLABORA_SSL_VERIFICATION=false


 ### Debugging - Monitoring ###
+# Please see documentation at: https://opencloud.dev/opencloud/deployment/monitoring-tracing/
 # Note: the leading colon is required to enable the service.
 #MONITORING=:monitoring_tracing/monitoring.yml

@@ -214,13 +215,6 @@ COLLABORA_SSL_VERIFICATION=false
 # envvar in the OpenCloud Settings above by adding 'antivirus' to the list.
 # Note: the leading colon is required to enable the service.
 #CLAMAV=:clamav.yml
-# The maximum scan size the virus scanner can handle, needs adjustment in the scanner config as well.
-# Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.
-# Defaults to "100MB"
-#ANTIVIRUS_MAX_SCAN_SIZE=
-# Usable modes: partial, skip.
-# Defaults to "partial"
-#ANTIVIRUS_MAX_SCAN_SIZE_MODE=
 # Image version of the ClamAV container.
 # Defaults to "latest"
 CLAMAV_DOCKER_TAG=
@@ -248,20 +242,8 @@ INBUCKET_DOMAIN=
 # Path separator for supplemental compose files specified in COMPOSE_FILE.
 COMPOSE_PATH_SEPARATOR=:

-### Keycloak Settings ###
-# Note: the leading colon is required to enable the service.
-#KEYCLOAK=:keycloak.yml
-# Domain for Keycloak. Defaults to "keycloak.opencloud.test".
-KEYCLOAK_DOMAIN=
-# Realm which to be used with OpenCloud. Defaults to "OpenCloud"
-KEYCLOAK_REALM=
-# Admin user login name. Defaults to "admin"
-KEYCLOAK_ADMIN_USER=
-# Admin user login password. Defaults to "admin"
-KEYCLOAK_ADMIN_PASSWORD=
-
 ## IMPORTANT ##
 # This MUST be the last line as it assembles the supplemental compose files to be used.
 # ALL supplemental configs must be added here, whether commented or not.
 # Each var must either be empty or contain :path/file.yml
-COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${DECOMPOSED:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${ONLYOFFICE:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${KEYCLOAK:-}
+COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${POSIX:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${ONLYOFFICE:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}
--- a/deployments/examples/opencloud_full/clamav.yml
+++ b/deployments/examples/opencloud_full/clamav.yml
@@ -4,8 +4,6 @@ services:
    environment:
      ANTIVIRUS_SCANNER_TYPE: "clamav"
      ANTIVIRUS_CLAMAV_SOCKET: "/var/run/clamav/clamd.sock"
-      ANTIVIRUS_MAX_SCAN_SIZE_MODE: ${ANTIVIRUS_MAX_SCAN_SIZE_MODE:-partial}
-      ANTIVIRUS_MAX_SCAN_SIZE: ${ANTIVIRUS_MAX_SCAN_SIZE:-100MB}
      # the antivirus service needs manual startup, see .env and opencloud.yaml for START_ADDITIONAL_SERVICES
      # configure the antivirus service
      POSTPROCESSING_STEPS: "virusscan"
--- a/deployments/examples/opencloud_full/collabora.yml
+++ b/deployments/examples/opencloud_full/collabora.yml
@@ -53,7 +53,7 @@ services:
    restart: always

  collabora:
-    image: collabora/code:24.04.13.2.1
+    image: collabora/code:24.04.12.2.1
    # release notes: https://www.collaboraonline.com/release-notes/
    networks:
      opencloud-net:
@@ -80,7 +80,6 @@ services:
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always
-    entrypoint: ['/bin/bash', '-c']
-    command: ['coolconfig generate-proof-key && /start-collabora-online.sh']
+    command: ["bash", "-c", "coolconfig generate-proof-key ; /start-collabora-online.sh"]
    healthcheck:
      test: [ "CMD", "curl", "-f", "http://localhost:9980/hosting/discovery" ]
--- a/deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudAndroid.json
+++ b/deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudAndroid.json
@@ -1,63 +0,0 @@
-{
-  "clientId": "OpenCloudAndroid",
-  "name": "OpenCloud Android App",
-  "surrogateAuthRequired": false,
-  "enabled": true,
-  "alwaysDisplayInConsole": false,
-  "clientAuthenticatorType": "client-secret",
-  "redirectUris": [
-    "oc://android.opencloud.eu"
-  ],
-  "webOrigins": [],
-  "notBefore": 0,
-  "bearerOnly": false,
-  "consentRequired": false,
-  "standardFlowEnabled": true,
-  "implicitFlowEnabled": false,
-  "directAccessGrantsEnabled": true,
-  "serviceAccountsEnabled": false,
-  "publicClient": true,
-  "frontchannelLogout": false,
-  "protocol": "openid-connect",
-  "attributes": {
-    "saml.assertion.signature": "false",
-    "saml.force.post.binding": "false",
-    "saml.multivalued.roles": "false",
-    "saml.encrypt": "false",
-    "post.logout.redirect.uris": "oc://android.opencloud.eu",
-    "backchannel.logout.revoke.offline.tokens": "false",
-    "saml.server.signature": "false",
-    "saml.server.signature.keyinfo.ext": "false",
-    "exclude.session.state.from.auth.response": "false",
-    "backchannel.logout.session.required": "true",
-    "client_credentials.use_refresh_token": "false",
-    "saml_force_name_id_format": "false",
-    "saml.client.signature": "false",
-    "tls.client.certificate.bound.access.tokens": "false",
-    "saml.authnstatement": "false",
-    "display.on.consent.screen": "false",
-    "saml.onetimeuse.condition": "false"
-  },
-  "authenticationFlowBindingOverrides": {},
-  "fullScopeAllowed": true,
-  "nodeReRegistrationTimeout": -1,
-  "defaultClientScopes": [
-    "web-origins",
-    "profile",
-    "roles",
-    "groups",
-    "basic",
-    "email"
-  ],
-  "optionalClientScopes": [
-    "address",
-    "phone",
-    "offline_access",
-    "microprofile-jwt"
-  ],
-  "access": {
-    "view": true,
-    "configure": true,
-    "manage": true
-  }
-}
--- a/deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudDesktop.json
+++ b/deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudDesktop.json
@@ -1,64 +0,0 @@
-{
-  "clientId": "OpenCloudDesktop",
-  "name": "OpenCloud Desktop Client",
-  "surrogateAuthRequired": false,
-  "enabled": true,
-  "alwaysDisplayInConsole": false,
-  "clientAuthenticatorType": "client-secret",
-  "redirectUris": [
-    "http://127.0.0.1",
-    "http://localhost"
-  ],
-  "webOrigins": [],
-  "notBefore": 0,
-  "bearerOnly": false,
-  "consentRequired": false,
-  "standardFlowEnabled": true,
-  "implicitFlowEnabled": false,
-  "directAccessGrantsEnabled": true,
-  "serviceAccountsEnabled": false,
-  "publicClient": true,
-  "frontchannelLogout": false,
-  "protocol": "openid-connect",
-  "attributes": {
-    "saml.assertion.signature": "false",
-    "saml.force.post.binding": "false",
-    "saml.multivalued.roles": "false",
-    "saml.encrypt": "false",
-    "post.logout.redirect.uris": "+",
-    "backchannel.logout.revoke.offline.tokens": "false",
-    "saml.server.signature": "false",
-    "saml.server.signature.keyinfo.ext": "false",
-    "exclude.session.state.from.auth.response": "false",
-    "backchannel.logout.session.required": "true",
-    "client_credentials.use_refresh_token": "false",
-    "saml_force_name_id_format": "false",
-    "saml.client.signature": "false",
-    "tls.client.certificate.bound.access.tokens": "false",
-    "saml.authnstatement": "false",
-    "display.on.consent.screen": "false",
-    "saml.onetimeuse.condition": "false"
-  },
-  "authenticationFlowBindingOverrides": {},
-  "fullScopeAllowed": true,
-  "nodeReRegistrationTimeout": -1,
-  "defaultClientScopes": [
-    "web-origins",
-    "profile",
-    "roles",
-    "groups",
-    "basic",
-    "email"
-  ],
-  "optionalClientScopes": [
-    "address",
-    "phone",
-    "offline_access",
-    "microprofile-jwt"
-  ],
-  "access": {
-    "view": true,
-    "configure": true,
-    "manage": true
-  }
-}
--- a/deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudIOS.json
+++ b/deployments/examples/opencloud_full/config/keycloak/clients/OpenCloudIOS.json
@@ -1,63 +0,0 @@
-{
-  "clientId": "OpenCloudIOS",
-  "name": "OpenCloud iOS App",
-  "surrogateAuthRequired": false,
-  "enabled": true,
-  "alwaysDisplayInConsole": false,
-  "clientAuthenticatorType": "client-secret",
-  "redirectUris": [
-    "oc://ios.opencloud.eu"
-  ],
-  "webOrigins": [],
-  "notBefore": 0,
-  "bearerOnly": false,
-  "consentRequired": false,
-  "standardFlowEnabled": true,
-  "implicitFlowEnabled": false,
-  "directAccessGrantsEnabled": true,
-  "serviceAccountsEnabled": false,
-  "publicClient": true,
-  "frontchannelLogout": false,
-  "protocol": "openid-connect",
-  "attributes": {
-    "saml.assertion.signature": "false",
-    "saml.force.post.binding": "false",
-    "saml.multivalued.roles": "false",
-    "saml.encrypt": "false",
-    "post.logout.redirect.uris": "oc://ios.opencloud.eu",
-    "backchannel.logout.revoke.offline.tokens": "false",
-    "saml.server.signature": "false",
-    "saml.server.signature.keyinfo.ext": "false",
-    "exclude.session.state.from.auth.response": "false",
-    "backchannel.logout.session.required": "true",
-    "client_credentials.use_refresh_token": "false",
-    "saml_force_name_id_format": "false",
-    "saml.client.signature": "false",
-    "tls.client.certificate.bound.access.tokens": "false",
-    "saml.authnstatement": "false",
-    "display.on.consent.screen": "false",
-    "saml.onetimeuse.condition": "false"
-  },
-  "authenticationFlowBindingOverrides": {},
-  "fullScopeAllowed": true,
-  "nodeReRegistrationTimeout": -1,
-  "defaultClientScopes": [
-    "web-origins",
-    "profile",
-    "roles",
-    "groups",
-    "basic",
-    "email"
-  ],
-  "optionalClientScopes": [
-    "address",
-    "phone",
-    "offline_access",
-    "microprofile-jwt"
-  ],
-  "access": {
-    "view": true,
-    "configure": true,
-    "manage": true
-  }
-}
--- a/deployments/examples/opencloud_full/config/keycloak/clients/cyberduck.json
+++ b/deployments/examples/opencloud_full/config/keycloak/clients/cyberduck.json
@@ -1,66 +0,0 @@
-{
-  "clientId": "Cyberduck",
-  "name": "Cyberduck",
-  "description": "File transfer utility client",
-  "surrogateAuthRequired": false,
-  "enabled": true,
-  "alwaysDisplayInConsole": false,
-  "clientAuthenticatorType": "client-secret",
-  "redirectUris": [
-    "x-cyberduck-action:oauth",
-    "x-mountainduck-action:oauth"
-  ],
-  "webOrigins": [],
-  "notBefore": 0,
-  "bearerOnly": false,
-  "consentRequired": false,
-  "standardFlowEnabled": true,
-  "implicitFlowEnabled": false,
-  "directAccessGrantsEnabled": true,
-  "serviceAccountsEnabled": false,
-  "publicClient": true,
-  "frontchannelLogout": false,
-  "protocol": "openid-connect",
-  "attributes": {
-    "saml.assertion.signature": "false",
-    "saml.force.post.binding": "false",
-    "saml.multivalued.roles": "false",
-    "saml.encrypt": "false",
-    "oauth2.device.authorization.grant.enabled": "false",
-    "backchannel.logout.revoke.offline.tokens": "false",
-    "saml.server.signature": "false",
-    "saml.server.signature.keyinfo.ext": "false",
-    "exclude.session.state.from.auth.response": "false",
-    "oidc.ciba.grant.enabled": "false",
-    "backchannel.logout.session.required": "true",
-    "client_credentials.use_refresh_token": "false",
-    "saml_force_name_id_format": "false",
-    "saml.client.signature": "false",
-    "tls.client.certificate.bound.access.tokens": "false",
-    "saml.authnstatement": "false",
-    "display.on.consent.screen": "false",
-    "saml.onetimeuse.condition": "false"
-  },
-  "authenticationFlowBindingOverrides": {},
-  "fullScopeAllowed": true,
-  "nodeReRegistrationTimeout": -1,
-  "defaultClientScopes": [
-    "web-origins",
-    "profile",
-    "roles",
-    "groups",
-    "basic",
-    "email"
-  ],
-  "optionalClientScopes": [
-    "address",
-    "phone",
-    "offline_access",
-    "microprofile-jwt"
-  ],
-  "access": {
-    "view": true,
-    "configure": true,
-    "manage": true
-  }
-}
--- a/deployments/examples/opencloud_full/config/keycloak/clients/web.json
+++ b/deployments/examples/opencloud_full/config/keycloak/clients/web.json
@@ -1,74 +0,0 @@
-{
-  "clientId": "web",
-  "name": "OpenCloud Web App",
-  "description": "",
-  "rootUrl": "{{OC_URL}}",
-  "adminUrl": "{{OC_URL}}",
-  "baseUrl": "",
-  "surrogateAuthRequired": false,
-  "enabled": true,
-  "alwaysDisplayInConsole": false,
-  "clientAuthenticatorType": "client-secret",
-  "redirectUris": [
-    "{{OC_URL}}/",
-    "{{OC_URL}}/oidc-callback.html",
-    "{{OC_URL}}/oidc-silent-redirect.html"
-  ],
-  "webOrigins": [
-    "{{OC_URL}}"
-  ],
-  "notBefore": 0,
-  "bearerOnly": false,
-  "consentRequired": false,
-  "standardFlowEnabled": true,
-  "implicitFlowEnabled": false,
-  "directAccessGrantsEnabled": true,
-  "serviceAccountsEnabled": false,
-  "publicClient": true,
-  "frontchannelLogout": false,
-  "protocol": "openid-connect",
-  "attributes": {
-    "saml.assertion.signature": "false",
-    "saml.force.post.binding": "false",
-    "saml.multivalued.roles": "false",
-    "saml.encrypt": "false",
-    "post.logout.redirect.uris": "+",
-    "oauth2.device.authorization.grant.enabled": "false",
-    "backchannel.logout.revoke.offline.tokens": "false",
-    "saml.server.signature": "false",
-    "saml.server.signature.keyinfo.ext": "false",
-    "exclude.session.state.from.auth.response": "false",
-    "oidc.ciba.grant.enabled": "false",
-    "backchannel.logout.url": "{{OC_URL}}/backchannel_logout",
-    "backchannel.logout.session.required": "true",
-    "client_credentials.use_refresh_token": "false",
-    "saml_force_name_id_format": "false",
-    "saml.client.signature": "false",
-    "tls.client.certificate.bound.access.tokens": "false",
-    "saml.authnstatement": "false",
-    "display.on.consent.screen": "false",
-    "saml.onetimeuse.condition": "false"
-  },
-  "authenticationFlowBindingOverrides": {},
-  "fullScopeAllowed": true,
-  "nodeReRegistrationTimeout": -1,
-  "defaultClientScopes": [
-    "web-origins",
-    "profile",
-    "roles",
-    "groups",
-    "basic",
-    "email"
-  ],
-  "optionalClientScopes": [
-    "address",
-    "phone",
-    "offline_access",
-    "microprofile-jwt"
-  ],
-  "access": {
-    "view": true,
-    "configure": true,
-    "manage": true
-  }
-}
--- a/deployments/examples/opencloud_full/config/keycloak/docker-entrypoint-override.sh
+++ b/deployments/examples/opencloud_full/config/keycloak/docker-entrypoint-override.sh
@@ -1,8 +0,0 @@
-#!/bin/bash
-printenv
-# replace openCloud domain in keycloak realm import
-mkdir /opt/keycloak/data/import
-sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" /opt/keycloak/data/import-dist/opencloud-realm.json > /opt/keycloak/data/import/opencloud-realm.json
-
-# run original docker-entrypoint
-/opt/keycloak/bin/kc.sh "$@"
--- a/deployments/examples/opencloud_full/config/keycloak/opencloud-realm.dist.json
+++ b/deployments/examples/opencloud_full/config/keycloak/opencloud-realm.dist.json
--- a/deployments/examples/opencloud_full/config/opencloud/csp.yaml
+++ b/deployments/examples/opencloud_full/config/opencloud/csp.yaml
@@ -7,7 +7,6 @@ directives:
    - 'https://${COMPANION_DOMAIN|companion.opencloud.test}/'
    - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
-    - 'https://${KEYCLOAK_DOMAIN|keycloak.opencloud.test}/'
  default-src:
    - '''none'''
  font-src:
--- a/deployments/examples/opencloud_full/decomposed.yml
+++ b/deployments/examples/opencloud_full/decomposed.yml
@@ -1,6 +0,0 @@
---
-services:
-  opencloud:
-    environment:
-      STORAGE_USERS_DRIVER: decomposed
-      
--- a/deployments/examples/opencloud_full/keycloak.yml
+++ b/deployments/examples/opencloud_full/keycloak.yml
@@ -1,73 +0,0 @@
---
-services:
-  traefik:
-    networks:
-      opencloud-net:
-        aliases:
-          - ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
-
-  opencloud:
-    environment:
-      # Keycloak IDP specific configuration
-      PROXY_AUTOPROVISION_ACCOUNTS: "true"
-      PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
-      OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/${KEYCLOAK_REALM:-openCloud}
-      PROXY_OIDC_REWRITE_WELLKNOWN: "true"
-      WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
-
-      PROXY_USER_OIDC_CLAIM: "preferred_username"
-      PROXY_USER_CS3_CLAIM: "username"
-      OC_EXCLUDE_RUN_SERVICES: "idp"
-      OC_ADMIN_USER_ID: ""
-      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
-      GRAPH_USERNAME_MATCH: "none"
-      KEYCLOAK_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test} 
-
-  postgres:
-    image: postgres:alpine
-    networks:
-      opencloud-net:
-    volumes:
-      - keycloak_postgres_data:/var/lib/postgresql/data
-    environment:
-      POSTGRES_DB: keycloak
-      POSTGRES_USER: keycloak
-      POSTGRES_PASSWORD: keycloak
-    logging:
-      driver: ${LOG_DRIVER:-local}
-    restart: always
-
-  keycloak:
-    image: quay.io/keycloak/keycloak:25.0.0
-    networks:
-      opencloud-net:
-    command: ["start", "--proxy=edge", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm"]
-    entrypoint: ["/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh"]
-    volumes:
-      - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
-      - "./config/keycloak/opencloud-realm.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
-    environment:
-      OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}
-      KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
-      KC_DB: postgres
-      KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak"
-      KC_DB_USERNAME: keycloak
-      KC_DB_PASSWORD: keycloak
-      KC_FEATURES: impersonation
-      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN_USER:-admin}
-      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.keycloak.entrypoints=https"
-      - "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}`)"
-      - "traefik.http.routers.keycloak.tls.certresolver=http"
-      - "traefik.http.routers.keycloak.service=keycloak"
-      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
-    depends_on:
-      - postgres
-    logging:
-      driver: ${LOG_DRIVER:-local}
-    restart: always
-
-volumes:
-  keycloak_postgres_data:
--- a/deployments/examples/opencloud_full/opencloud.yml
+++ b/deployments/examples/opencloud_full/opencloud.yml
@@ -41,10 +41,7 @@ services:
      NOTIFICATIONS_SMTP_PORT: "${SMTP_PORT}"
      NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER:-OpenCloud notifications <notifications@${OC_DOMAIN:-cloud.opencloud.test}>}"
      NOTIFICATIONS_SMTP_USERNAME: "${SMTP_USERNAME}"
-      NOTIFICATIONS_SMTP_PASSWORD: "${SMTP_PASSWORD}"
      NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE}"
-      NOTIFICATIONS_SMTP_AUTHENTICATION: "${SMTP_AUTHENTICATION}"
-      NOTIFICATIONS_SMTP_ENCRYPTION: "${SMTP_TRANSPORT_ENCRYPTION}"
      # make the registry available to the app provider containers
      MICRO_REGISTRY_ADDRESS: 127.0.0.1:9233
      NATS_NATS_HOST: 0.0.0.0
--- a/deployments/examples/opencloud_full/posix.yml
+++ b/deployments/examples/opencloud_full/posix.yml
@@ -0,0 +1,10 @@
+---
+services:
+  opencloud:
+    environment:
+      # activate posix storage driver for users
+      STORAGE_USERS_DRIVER: posix
+      # keep system data on decomposed storage since this are only small files atm
+      STORAGE_SYSTEM_DRIVER: decomposed
+      # posix requires a shared cache store
+      STORAGE_USERS_ID_CACHE_STORE: "nats-js-kv"
--- a/deployments/examples/opencloud_full/web_extensions/unzip.yml
+++ b/deployments/examples/opencloud_full/web_extensions/unzip.yml
@@ -6,10 +6,12 @@ services:
        condition: service_completed_successfully

  unzip-init:
-    image: opencloudeu/web-extensions:unzip-1.0.2
+    image: opencloudeu/web-extensions:unzip-1.0.0
    user: root
    volumes:
      - opencloud-apps:/apps
    entrypoint:
      - /bin/sh
    command: ["-c", "cp -R /usr/share/nginx/html/unzip/ /apps"]
+
+
--- a/docs/intro.md
+++ b/docs/intro.md
@@ -13,5 +13,5 @@ Please be patient, we are working on the content.

 If you want to contribute to the dev docs, please visit [OpenCloud on Github](https://github.com/opencloud-eu/).

-Contents will be transferred during the build process.
+Contents will be transferred, during the build process.

--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.24.1
 require (
 	dario.cat/mergo v1.0.1
 	github.com/CiscoM31/godata v1.0.10
-	github.com/KimMachineGun/automemlimit v0.7.1
+	github.com/KimMachineGun/automemlimit v0.7.0
 	github.com/Masterminds/semver v1.5.0
 	github.com/MicahParks/keyfunc/v2 v2.1.0
 	github.com/Nerzal/gocloak/v13 v13.9.0
@@ -13,7 +13,7 @@ require (
 	github.com/beevik/etree v1.5.0
 	github.com/blevesearch/bleve/v2 v2.4.4
 	github.com/cenkalti/backoff v2.2.1+incompatible
-	github.com/coreos/go-oidc/v3 v3.13.0
+	github.com/coreos/go-oidc/v3 v3.12.0
 	github.com/cs3org/go-cs3apis v0.0.0-20241105092511-3ad35d174fc1
 	github.com/davidbyttow/govips/v2 v2.16.0
 	github.com/dhowden/tag v0.0.0-20240417053706-3d75831295e8
@@ -33,16 +33,16 @@ require (
 	github.com/go-micro/plugins/v4/store/nats-js-kv v0.0.0-20240726082623-6831adfdcdc4
 	github.com/go-micro/plugins/v4/wrapper/monitoring/prometheus v1.2.0
 	github.com/go-micro/plugins/v4/wrapper/trace/opentelemetry v1.2.0
-	github.com/go-playground/validator/v10 v10.26.0
+	github.com/go-playground/validator/v10 v10.25.0
 	github.com/gofrs/uuid v4.4.0+incompatible
-	github.com/golang-jwt/jwt/v5 v5.2.2
+	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/golang/protobuf v1.5.4
 	github.com/google/go-cmp v0.7.0
 	github.com/google/go-tika v0.3.1
 	github.com/google/uuid v1.6.0
 	github.com/gookit/config/v2 v2.2.5
 	github.com/gorilla/mux v1.8.1
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1
 	github.com/invopop/validation v0.8.0
 	github.com/jellydator/ttlcache/v2 v2.11.1
 	github.com/jellydator/ttlcache/v3 v3.3.0
@@ -55,42 +55,42 @@ require (
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/mna/pigeon v1.3.0
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
-	github.com/nats-io/nats-server/v2 v2.11.0
-	github.com/nats-io/nats.go v1.41.0
+	github.com/nats-io/nats-server/v2 v2.10.26
+	github.com/nats-io/nats.go v1.39.1
 	github.com/oklog/run v1.1.0
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/onsi/ginkgo v1.16.5
-	github.com/onsi/ginkgo/v2 v2.23.3
-	github.com/onsi/gomega v1.37.0
-	github.com/open-policy-agent/opa v1.3.0
-	github.com/opencloud-eu/reva/v2 v2.31.0
+	github.com/onsi/ginkgo/v2 v2.23.0
+	github.com/onsi/gomega v1.36.2
+	github.com/open-policy-agent/opa v1.1.0
+	github.com/opencloud-eu/reva/v2 v2.27.3-0.20250314084055-d2fcfe6b3445
 	github.com/orcaman/concurrent-map v1.0.0
 	github.com/owncloud/libre-graph-api-go v1.0.5-0.20240829135935-80dc00d6f5ea
 	github.com/pkg/errors v0.9.1
 	github.com/pkg/xattr v0.4.10
 	github.com/prometheus/client_golang v1.21.1
 	github.com/r3labs/sse/v2 v2.10.0
-	github.com/riandyrn/otelchi v0.12.1
+	github.com/riandyrn/otelchi v0.12.0
 	github.com/rogpeppe/go-internal v1.14.1
 	github.com/rs/cors v1.11.1
-	github.com/rs/zerolog v1.34.0
-	github.com/shamaton/msgpack/v2 v2.2.3
+	github.com/rs/zerolog v1.33.0
+	github.com/shamaton/msgpack/v2 v2.2.2
 	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/afero v1.14.0
-	github.com/spf13/cobra v1.9.1
+	github.com/spf13/afero v1.12.0
+	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.10.0
 	github.com/test-go/testify v1.1.4
 	github.com/thejerf/suture/v4 v4.0.6
 	github.com/tidwall/gjson v1.18.0
-	github.com/tus/tusd/v2 v2.8.0
+	github.com/tus/tusd/v2 v2.7.1
 	github.com/unrolled/secure v1.16.0
-	github.com/urfave/cli/v2 v2.27.6
+	github.com/urfave/cli/v2 v2.27.5
 	github.com/xhit/go-simple-mail/v2 v2.16.0
 	go-micro.dev/v4 v4.11.0
 	go.etcd.io/bbolt v1.4.0
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0
-	go.opentelemetry.io/contrib/zpages v0.60.0
+	go.opentelemetry.io/contrib/zpages v0.57.0
 	go.opentelemetry.io/otel v1.35.0
 	go.opentelemetry.io/otel/exporters/jaeger v1.17.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0
@@ -98,15 +98,15 @@ require (
 	go.opentelemetry.io/otel/trace v1.35.0
 	golang.org/x/crypto v0.36.0
 	golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac
-	golang.org/x/image v0.25.0
-	golang.org/x/net v0.38.0
+	golang.org/x/image v0.24.0
+	golang.org/x/net v0.37.0
 	golang.org/x/oauth2 v0.28.0
 	golang.org/x/sync v0.12.0
 	golang.org/x/term v0.30.0
 	golang.org/x/text v0.23.0
-	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb
-	google.golang.org/grpc v1.71.1
-	google.golang.org/protobuf v1.36.6
+	google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a
+	google.golang.org/grpc v1.71.0
+	google.golang.org/protobuf v1.36.5
 	gopkg.in/yaml.v2 v2.4.0
 	gotest.tools/v3 v3.5.2
 	stash.kopano.io/kgol/rndm v1.1.2
@@ -116,13 +116,14 @@ require (
 	contrib.go.opencensus.io/exporter/prometheus v0.4.2 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
-	github.com/BurntSushi/toml v1.5.0 // indirect
+	github.com/BurntSushi/toml v1.4.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/sprig v2.22.0+incompatible // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/ProtonMail/go-crypto v1.1.5 // indirect
 	github.com/RoaringBitmap/roaring v1.9.3 // indirect
-	github.com/agnivade/levenshtein v1.2.1 // indirect
+	github.com/agnivade/levenshtein v1.2.0 // indirect
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/alexedwards/argon2id v1.0.0 // indirect
 	github.com/amoghe/go-crypt v0.0.0-20220222110647-20eada5f5964 // indirect
@@ -159,7 +160,7 @@ require (
 	github.com/coreos/go-semver v0.3.0 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/cornelk/hashmap v1.0.8 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect
 	github.com/crewjam/httperr v0.2.0 // indirect
 	github.com/crewjam/saml v0.4.14 // indirect
 	github.com/cyphar/filepath-securejoin v0.3.6 // indirect
@@ -197,7 +198,7 @@ require (
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-redis/redis/v8 v8.11.5 // indirect
 	github.com/go-resty/resty/v2 v2.7.0 // indirect
-	github.com/go-sql-driver/mysql v1.9.1 // indirect
+	github.com/go-sql-driver/mysql v1.9.0 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/go-test/deep v1.1.0 // indirect
@@ -209,13 +210,12 @@ require (
 	github.com/goccy/go-yaml v1.11.2 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
 	github.com/golang/geo v0.0.0-20210211234256-740aa86cb551 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/gomodule/redigo v1.9.2 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/go-tpm v0.9.3 // indirect
 	github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad // indirect
 	github.com/google/renameio/v2 v2.0.0 // indirect
 	github.com/gookit/color v1.5.4 // indirect
@@ -237,7 +237,7 @@ require (
 	github.com/juliangruber/go-intersect v1.1.0 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/libregraph/oidc-go v1.1.0 // indirect
 	github.com/longsleep/go-metrics v1.0.0 // indirect
@@ -246,7 +246,7 @@ require (
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
-	github.com/mattn/go-sqlite3 v1.14.27 // indirect
+	github.com/mattn/go-sqlite3 v1.14.24 // indirect
 	github.com/maxymania/go-system v0.0.0-20170110133659-647cc364bf0b // indirect
 	github.com/mendsley/gojwk v0.0.0-20141217222730-4d5ec6e58103 // indirect
 	github.com/miekg/dns v1.1.57 // indirect
@@ -254,7 +254,7 @@ require (
 	github.com/minio/crc64nvme v1.0.1 // indirect
 	github.com/minio/highwayhash v1.0.3 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
-	github.com/minio/minio-go/v7 v7.0.89 // indirect
+	github.com/minio/minio-go/v7 v7.0.87 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
@@ -288,7 +288,6 @@ require (
 	github.com/segmentio/ksuid v1.0.4 // indirect
 	github.com/sercand/kuberesolver/v5 v5.1.1 // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
-	github.com/sethvargo/go-diceware v0.5.0 // indirect
 	github.com/sethvargo/go-password v0.3.1 // indirect
 	github.com/shurcooL/httpfs v0.0.0-20230704072500-f1e31cf0ba5c // indirect
 	github.com/shurcooL/vfsgen v0.0.0-20230704071429-0000e147ea92 // indirect
@@ -309,9 +308,9 @@ require (
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
-	go.etcd.io/etcd/api/v3 v3.5.20 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.5.20 // indirect
-	go.etcd.io/etcd/client/v3 v3.5.20 // indirect
+	go.etcd.io/etcd/api/v3 v3.5.19 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.5.19 // indirect
+	go.etcd.io/etcd/client/v3 v3.5.19 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
@@ -322,11 +321,11 @@ require (
 	go.uber.org/zap v1.23.0 // indirect
 	golang.org/x/mod v0.24.0 // indirect
 	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/time v0.11.0 // indirect
+	golang.org/x/time v0.10.0 // indirect
 	golang.org/x/tools v0.31.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
-	google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250219182151-9fdb1cabc7b2 // indirect
 	gopkg.in/cenkalti/backoff.v1 v1.1.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
--- a/go.sum
+++ b/go.sum
@@ -61,15 +61,15 @@ github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbt
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
-github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
+github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/CiscoM31/godata v1.0.10 h1:DZdJ6M8QNh4HquvDDOqNLu6h77Wl86KGK7Qlbmb90sk=
 github.com/CiscoM31/godata v1.0.10/go.mod h1:ZMiT6JuD3Rm83HEtiTx4JEChsd25YCrxchKGag/sdTc=
 github.com/DeepDiver1975/secure v0.0.0-20240611112133-abc838fb797c h1:ocsNvQ2tNHme4v/lTs17HROamc7mFzZfzWcg4m+UXN0=
 github.com/DeepDiver1975/secure v0.0.0-20240611112133-abc838fb797c/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
-github.com/KimMachineGun/automemlimit v0.7.1 h1:QcG/0iCOLChjfUweIMC3YL5Xy9C3VBeNmCZHrZfJMBw=
-github.com/KimMachineGun/automemlimit v0.7.1/go.mod h1:QZxpHaGOQoYvFhv/r4u3U0JTC2ZcOwbSr11UZF46UBM=
+github.com/KimMachineGun/automemlimit v0.7.0 h1:7G06p/dMSf7G8E6oq+f2uOPuVncFyIlDI/pBWK49u88=
+github.com/KimMachineGun/automemlimit v0.7.0/go.mod h1:QZxpHaGOQoYvFhv/r4u3U0JTC2ZcOwbSr11UZF46UBM=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
@@ -84,6 +84,8 @@ github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA
 github.com/Nerzal/gocloak/v13 v13.9.0 h1:YWsJsdM5b0yhM2Ba3MLydiOlujkBry4TtdzfIzSVZhw=
 github.com/Nerzal/gocloak/v13 v13.9.0/go.mod h1:YYuDcXZ7K2zKECyVP7pPqjKxx2AzYSpKDj8d6GuyM10=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
+github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8=
+github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
 github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87/go.mod h1:iGLljf5n9GjT6kc0HBvyI1nOKnGQbNB66VzSNbK5iks=
 github.com/ProtonMail/go-crypto v1.1.5 h1:eoAQfK2dwL+tFSFpr7TbOaPNUbPiJj4fLYwwGE1FQO4=
 github.com/ProtonMail/go-crypto v1.1.5/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
@@ -91,8 +93,8 @@ github.com/RoaringBitmap/roaring v1.9.3 h1:t4EbC5qQwnisr5PrP9nt0IRhRTb9gMUgQF4t4
 github.com/RoaringBitmap/roaring v1.9.3/go.mod h1:6AXUsoIEzDTFFQCe1RbGA6uFONMhvejWj5rqITANK90=
 github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
-github.com/agnivade/levenshtein v1.2.1 h1:EHBY3UOn1gwdy/VbFwgo4cxecRznFk7fKWN1KOX7eoM=
-github.com/agnivade/levenshtein v1.2.1/go.mod h1:QVVI16kDrtSuwcpd0p1+xMC6Z/VfhtCyDIjcwga4/DU=
+github.com/agnivade/levenshtein v1.2.0 h1:U9L4IOT0Y3i0TIlUIDJ7rVUziKi/zPbrJGaFrtYH3SY=
+github.com/agnivade/levenshtein v1.2.0/go.mod h1:QVVI16kDrtSuwcpd0p1+xMC6Z/VfhtCyDIjcwga4/DU=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/akamai/AkamaiOPEN-edgegrid-golang v1.1.0/go.mod h1:kX6YddBkXqqywAe8c9LyvgTCyFuZCTMF4cRPQhc3Fy8=
@@ -111,8 +113,6 @@ github.com/amoghe/go-crypt v0.0.0-20220222110647-20eada5f5964 h1:I9YN9WMo3SUh7p/
 github.com/amoghe/go-crypt v0.0.0-20220222110647-20eada5f5964/go.mod h1:eFiR01PwTcpbzXtdMces7zxg6utvFM5puiWHpWB8D/k=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
-github.com/antithesishq/antithesis-sdk-go v0.4.3-default-no-op h1:+OSa/t11TFhqfrX0EOSqQBDJ0YlpmK0rDSiB19dg9M0=
-github.com/antithesishq/antithesis-sdk-go v0.4.3-default-no-op/go.mod h1:IUpT2DPAKh6i/YhSbt6Gl3v2yvUZjmKncl7U91fup7E=
 github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
@@ -222,8 +222,8 @@ github.com/cloudflare/cloudflare-go v0.14.0/go.mod h1:EnwdgGMaFOruiPZRFSgn+TsQ3h
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/go-oidc/v3 v3.13.0 h1:M66zd0pcc5VxvBNM4pB331Wrsanby+QomQYjN8HamW8=
-github.com/coreos/go-oidc/v3 v3.13.0/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
+github.com/coreos/go-oidc/v3 v3.12.0 h1:sJk+8G2qq94rDI6ehZ71Bol3oUHy63qNYmkiSjrc/Jo=
+github.com/coreos/go-oidc/v3 v3.12.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
 github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
@@ -235,8 +235,9 @@ github.com/cornelk/hashmap v1.0.8/go.mod h1:RfZb7JO3RviW/rT6emczVuC/oxpdz4UsSB2L
 github.com/cpu/goacmedns v0.1.1/go.mod h1:MuaouqEhPAHxsbqjgnck5zeghuwBP1dLnPoobeGqugQ=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
-github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc=
+github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo=
 github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4=
@@ -258,8 +259,8 @@ github.com/deckarep/golang-set v1.8.0/go.mod h1:5nI87KwE7wgsBU1F4GKAw2Qod7p5kyS3
 github.com/deepmap/oapi-codegen v1.3.11/go.mod h1:suMvK7+rKlx3+tpa8ByptmvoXbAV70wERKTOGH3hLp0=
 github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f h1:U5y3Y5UE0w7amNe7Z5G/twsBW0KEalRQXZzf8ufSh9I=
 github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f/go.mod h1:xH/i4TFMt8koVQZ6WFms69WAsDWr2XsYL3Hkl7jkoLE=
-github.com/dgraph-io/badger/v4 v4.6.0 h1:acOwfOOZ4p1dPRnYzvkVm7rUk2Y21TgPVepCy5dJdFQ=
-github.com/dgraph-io/badger/v4 v4.6.0/go.mod h1:KSJ5VTuZNC3Sd+YhvVjk2nYua9UZnnTr/SkXvdtiPgI=
+github.com/dgraph-io/badger/v4 v4.5.1 h1:7DCIXrQjo1LKmM96YD+hLVJ2EEsyyoWxJfpdd56HLps=
+github.com/dgraph-io/badger/v4 v4.5.1/go.mod h1:qn3Be0j3TfV4kPbVoK0arXCD1/nr1ftth6sbL5jxdoA=
 github.com/dgraph-io/ristretto v0.2.0 h1:XAfl+7cmoUDWW/2Lx8TGZQjjxIQ2Ley9DSf52dru4WE=
 github.com/dgraph-io/ristretto v0.2.0/go.mod h1:8uBHCU/PBV4Ag0CJrP47b9Ofby5dqWNh4FicAdoqFNU=
 github.com/dgraph-io/ristretto/v2 v2.1.0 h1:59LjpOJLNDULHh8MC4UaegN52lC4JnO2dITsie/Pa8I=
@@ -411,15 +412,15 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.26.0 h1:SP05Nqhjcvz81uJaRfEV0YBSSSGMc/iMaVtFbr3Sw2k=
-github.com/go-playground/validator/v10 v10.26.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
+github.com/go-playground/validator/v10 v10.25.0 h1:5Dh7cjvzR7BRZadnsVOzPhWsrwUr0nmsZJxEAnFLNO8=
+github.com/go-playground/validator/v10 v10.25.0/go.mod h1:GGzBIJMuE98Ic/kJsBXbz1x/7cByt++cQ+YOuDM5wus=
 github.com/go-redis/redis/v8 v8.11.5 h1:AcZZR7igkdvfVmQTPnu9WE37LRrO/YrBH5zWyjDC0oI=
 github.com/go-redis/redis/v8 v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq8Jd4h5lpwo=
 github.com/go-resty/resty/v2 v2.1.1-0.20191201195748-d7b97669fe48/go.mod h1:dZGr0i9PLlaaTD4H/hoZIDjQ+r6xq8mgbRzHZf7f2J8=
 github.com/go-resty/resty/v2 v2.7.0 h1:me+K9p3uhSmXtrBZ4k9jcEAfJmuC8IivWHwaLZwPrFY=
 github.com/go-resty/resty/v2 v2.7.0/go.mod h1:9PWDzw47qPphMRFfhsyk0NnSgvluHcljSMVIq3w7q0I=
-github.com/go-sql-driver/mysql v1.9.1 h1:FrjNGn/BsJQjVRuSa8CBrM5BWA9BWoXXat3KrtSb/iI=
-github.com/go-sql-driver/mysql v1.9.1/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
+github.com/go-sql-driver/mysql v1.9.0 h1:Y0zIbQXhQKmQgTp44Y1dp3wTXcn804QoTptLZT1vtvo=
+github.com/go-sql-driver/mysql v1.9.0/go.mod h1:pDetrLJeA3oMujJuvXc8RJoasr589B6A9fwzD3QMrqw=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
@@ -455,10 +456,10 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/goji/httpauth v0.0.0-20160601135302-2da839ab0f4d/go.mod h1:nnjvkQ9ptGaCkuDUx6wNykzzlUixGxvkme+H/lnzb+A=
-github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
-github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
-github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
+github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/geo v0.0.0-20210211234256-740aa86cb551 h1:gtexQ/VGyN+VVFRXSFiguSNcXmS6rkKT+X7FdIrTtfo=
 github.com/golang/geo v0.0.0-20210211234256-740aa86cb551/go.mod h1:QZ0nwyI2jOfgRAoBvP+ab5aRr7c9x7lhGEJrKvBwjWI=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -504,8 +505,8 @@ github.com/gomodule/redigo v1.9.2 h1:HrutZBLhSIU8abiSfW8pj8mPhOyMYjZT/wcA4/L9L9s
 github.com/gomodule/redigo v1.9.2/go.mod h1:KsU3hiK/Ay8U42qpaJk+kuNa3C+spxapWpM+ywhcgtw=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/flatbuffers v25.2.10+incompatible h1:F3vclr7C3HpB1k9mxCGRMXq6FdUalZ6H/pNX4FP1v0Q=
-github.com/google/flatbuffers v25.2.10+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
+github.com/google/flatbuffers v24.12.23+incompatible h1:ubBKR94NR4pXUCY/MUsRVzd9umNW7ht7EG9hHfS9FX8=
+github.com/google/flatbuffers v24.12.23+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -528,8 +529,6 @@ github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/go-tika v0.3.1 h1:l+jr10hDhZjcgxFRfcQChRLo1bPXQeLFluMyvDhXTTA=
 github.com/google/go-tika v0.3.1/go.mod h1:DJh5N8qxXIl85QkqmXknd+PeeRkUOTbvwyYf7ieDz6c=
-github.com/google/go-tpm v0.9.3 h1:+yx0/anQuGzi+ssRqeD6WpXjW2L/V0dItUayO0i9sRc=
-github.com/google/go-tpm v0.9.3/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@@ -581,8 +580,8 @@ github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vb
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.8.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 h1:e9Rjr40Z98/clHv5Yg79Is0NtosR5LXRvdr7o/6NwbA=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1/go.mod h1:tIxuGz/9mpox++sgp9fJjHO0+q1X9/UOWd798aAm22M=
 github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
@@ -689,8 +688,8 @@ github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHU
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
-github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
+github.com/klauspost/cpuid/v2 v2.2.9 h1:66ze0taIn2H33fBvCkXuv9BmCwDfafmiIVpKV9kKGuY=
+github.com/klauspost/cpuid/v2 v2.2.9/go.mod h1:rqkxqrZ1EhYM9G+hXH7YdowN5R5RGN6NK4QwQ3WMXF8=
 github.com/kobergj/gowebdav v0.0.0-20250102091030-aa65266db202 h1:A1xJ2NKgiYFiaHiLl9B5yw/gUBACSs9crDykTS3GuQI=
 github.com/kobergj/gowebdav v0.0.0-20250102091030-aa65266db202/go.mod h1:bHA7t77X/QFExdeAnDzK6vKM34kEZAcE1OX4MfiwjkE=
 github.com/kobergj/plugins/v4/store/nats-js-kv v0.0.0-20240807130109-f62bb67e8c90 h1:pfI8Z5yavO6fU6vDGlWhZ4BgDlvj8c6xB7J57HfTPwA=
@@ -768,8 +767,8 @@ github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
-github.com/mattn/go-sqlite3 v1.14.27 h1:drZCnuvf37yPfs95E5jd9s3XhdVWLal+6BOK6qrv6IU=
-github.com/mattn/go-sqlite3 v1.14.27/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
+github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mattn/go-tty v0.0.0-20180219170247-931426f7535a/go.mod h1:XPvLUNfbS4fJH25nqRHfWLMa1ONC8Amw+mIA639KxkE=
 github.com/mattn/go-tty v0.0.3/go.mod h1:ihxohKRERHTVzN+aSVRwACLCeqIoZAWpoICkkvrWyR0=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
@@ -789,8 +788,8 @@ github.com/minio/highwayhash v1.0.3 h1:kbnuUMoHYyVl7szWjSxJnxw11k2U709jqFPPmIUyD
 github.com/minio/highwayhash v1.0.3/go.mod h1:GGYsuwP/fPD6Y9hMiXuapVvlIUEhFhMTh0rxU3ik1LQ=
 github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
 github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
-github.com/minio/minio-go/v7 v7.0.89 h1:hx4xV5wwTUfyv8LarhJAwNecnXpoTsj9v3f3q/ZkiJU=
-github.com/minio/minio-go/v7 v7.0.89/go.mod h1:2rFnGAp02p7Dddo1Fq4S2wYOfpF0MUTSeLTRC90I204=
+github.com/minio/minio-go/v7 v7.0.87 h1:nkr9x0u53PespfxfUqxP3UYWiE2a41gaofgNnC4Y8WQ=
+github.com/minio/minio-go/v7 v7.0.87/go.mod h1:33+O8h0tO7pCeCWwBVa07RhVVfB/3vS4kEX7rwYKmIg=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
@@ -827,10 +826,10 @@ github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRW
 github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04/go.mod h1:5sN+Lt1CaY4wsPvgQH/jsuJi4XO2ssZbdsIizr4CVC8=
 github.com/nats-io/jwt/v2 v2.7.3 h1:6bNPK+FXgBeAqdj4cYQ0F8ViHRbi7woQLq4W29nUAzE=
 github.com/nats-io/jwt/v2 v2.7.3/go.mod h1:GvkcbHhKquj3pkioy5put1wvPxs78UlZ7D/pY+BgZk4=
-github.com/nats-io/nats-server/v2 v2.11.0 h1:fdwAT1d6DZW/4LUz5rkvQUe5leGEwjjOQYntzVRKvjE=
-github.com/nats-io/nats-server/v2 v2.11.0/go.mod h1:leXySghbdtXSUmWem8K9McnJ6xbJOb0t9+NQ5HTRZjI=
-github.com/nats-io/nats.go v1.41.0 h1:PzxEva7fflkd+n87OtQTXqCTyLfIIMFJBpyccHLE2Ko=
-github.com/nats-io/nats.go v1.41.0/go.mod h1:wV73x0FSI/orHPSYoyMeJB+KajMDoWyXmFaRrrYaaTo=
+github.com/nats-io/nats-server/v2 v2.10.26 h1:2i3rAsn4x5/2eOt2NEmuI/iSb8zfHpIUI7yiaOWbo2c=
+github.com/nats-io/nats-server/v2 v2.10.26/go.mod h1:SGzoWGU8wUVnMr/HJhEMv4R8U4f7hF4zDygmRxpNsvg=
+github.com/nats-io/nats.go v1.39.1 h1:oTkfKBmz7W047vRxV762M67ZdXeOtUgvbBaNoQ+3PPk=
+github.com/nats-io/nats.go v1.39.1/go.mod h1:MgRb8oOdigA6cYpEPhXJuRVH6UE/V4jblJ2jQ27IXYM=
 github.com/nats-io/nkeys v0.4.10 h1:glmRrpCmYLHByYcePvnTBEAwawwapjCPMjy2huw20wc=
 github.com/nats-io/nkeys v0.4.10/go.mod h1:OjRrnIKnWBFl+s4YK5ChQfvHP2fxqZexrKJoVVyWB3U=
 github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
@@ -856,17 +855,17 @@ github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
-github.com/onsi/ginkgo/v2 v2.23.3 h1:edHxnszytJ4lD9D5Jjc4tiDkPBZ3siDeJJkUZJJVkp0=
-github.com/onsi/ginkgo/v2 v2.23.3/go.mod h1:zXTP6xIp3U8aVuXN8ENK9IXRaTjFnpVB9mGmaSRvxnM=
+github.com/onsi/ginkgo/v2 v2.23.0 h1:FA1xjp8ieYDzlgS5ABTpdUDB7wtngggONc8a7ku2NqQ=
+github.com/onsi/ginkgo/v2 v2.23.0/go.mod h1:zXTP6xIp3U8aVuXN8ENK9IXRaTjFnpVB9mGmaSRvxnM=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
-github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
-github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
-github.com/open-policy-agent/opa v1.3.0 h1:zVvQvQg+9+FuSRBt4LgKNzJwsWl/c85kD5jPozJTydY=
-github.com/open-policy-agent/opa v1.3.0/go.mod h1:t9iPNhaplD2qpiBqeudzJtEX3fKHK8zdA29oFvofAHo=
-github.com/opencloud-eu/reva/v2 v2.31.0 h1:UVgeb0hSPoaDdqcKSJ7XZAhXCtHaVK9qm/JtFtJM/7U=
-github.com/opencloud-eu/reva/v2 v2.31.0/go.mod h1:8MT1a/WJASZZhlSMC0oeE3ECQdjqFw3BUiiAIZ/JR8I=
+github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8=
+github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY=
+github.com/open-policy-agent/opa v1.1.0 h1:HMz2evdEMTyNqtdLjmu3Vyx06BmhNYAx67Yz3Ll9q2s=
+github.com/open-policy-agent/opa v1.1.0/go.mod h1:T1pASQ1/vwfTa+e2fYcfpLCvWgYtqtiUv+IuA/dLPQs=
+github.com/opencloud-eu/reva/v2 v2.27.3-0.20250314084055-d2fcfe6b3445 h1:At2GtwEeNls1P60RpBa9QQridCtFQNW/pnQ5tybT8X0=
+github.com/opencloud-eu/reva/v2 v2.27.3-0.20250314084055-d2fcfe6b3445/go.mod h1:yCscyJJ7FX/HA2fexM2i1OyKSZnJgdq1vnoXgXKmnn8=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
@@ -969,8 +968,8 @@ github.com/rainycape/memcache v0.0.0-20150622160815-1031fa0ce2f2/go.mod h1:7tZKc
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 h1:MkV+77GLUNo5oJ0jf870itWm3D0Sjh7+Za9gazKc5LQ=
 github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
-github.com/riandyrn/otelchi v0.12.1 h1:FdRKK3/RgZ/T+d+qTH5Uw3MFx0KwRF38SkdfTMMq/m8=
-github.com/riandyrn/otelchi v0.12.1/go.mod h1:weZZeUJURvtCcbWsdb7Y6F8KFZGedJlSrgUjq9VirV8=
+github.com/riandyrn/otelchi v0.12.0 h1:7aXphKyzut8849DDb/0LWyCPq4mfnikpggEmmW3b38U=
+github.com/riandyrn/otelchi v0.12.0/go.mod h1:weZZeUJURvtCcbWsdb7Y6F8KFZGedJlSrgUjq9VirV8=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
@@ -982,10 +981,11 @@ github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0t
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=
 github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
+github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/xid v1.6.0 h1:fV591PaemRlL6JfRxGDEPl69wICngIQ3shQtzfy2gxU=
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
-github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
-github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
+github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
+github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
 github.com/russellhaering/goxmldsig v1.4.0 h1:8UcDh/xGyQiyrW+Fq5t8f+l2DLB1+zlhYzkPUJ7Qhys=
 github.com/russellhaering/goxmldsig v1.4.0/go.mod h1:gM4MDENBQf7M+V824SGfyIUVFWydB7n0KkEubVJl+Tw=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -1003,12 +1003,10 @@ github.com/sercand/kuberesolver/v5 v5.1.1 h1:CYH+d67G0sGBj7q5wLK61yzqJJ8gLLC8aep
 github.com/sercand/kuberesolver/v5 v5.1.1/go.mod h1:Fs1KbKhVRnB2aDWN12NjKCB+RgYMWZJ294T3BtmVCpQ=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
-github.com/sethvargo/go-diceware v0.5.0 h1:exrQ7GpaBo00GqRVM1N8ChXSsi3oS7tjQiIehsD+yR0=
-github.com/sethvargo/go-diceware v0.5.0/go.mod h1:Lg1SyPS7yQO6BBgTN5r4f2MUDkqGfLWsOjHPY0kA8iw=
 github.com/sethvargo/go-password v0.3.1 h1:WqrLTjo7X6AcVYfC6R7GtSyuUQR9hGyAj/f1PYQZCJU=
 github.com/sethvargo/go-password v0.3.1/go.mod h1:rXofC1zT54N7R8K/h1WDUdkf9BOx5OptoxrMBcrXzvs=
-github.com/shamaton/msgpack/v2 v2.2.3 h1:uDOHmxQySlvlUYfQwdjxyybAOzjlQsD1Vjy+4jmO9NM=
-github.com/shamaton/msgpack/v2 v2.2.3/go.mod h1:6khjYnkx73f7VQU7wjcFS9DFjs+59naVWJv1TB7qdOI=
+github.com/shamaton/msgpack/v2 v2.2.2 h1:GOIg0c9LV04VwzOOqZSrmsv/JzjNOOMxnS/HvOHGdgs=
+github.com/shamaton/msgpack/v2 v2.2.2/go.mod h1:6khjYnkx73f7VQU7wjcFS9DFjs+59naVWJv1TB7qdOI=
 github.com/shirou/gopsutil v3.21.11+incompatible h1:+1+c1VGhc88SSonWP6foOcLhvnKlUeu/erjjvaPEYiI=
 github.com/shirou/gopsutil v3.21.11+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
 github.com/shurcooL/httpfs v0.0.0-20230704072500-f1e31cf0ba5c h1:aqg5Vm5dwtvL+YgDpBcK1ITf3o96N/K7/wsRXQnUTEs=
@@ -1037,13 +1035,13 @@ github.com/spacewander/go-suffix-tree v0.0.0-20191010040751-0865e368c784/go.mod
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.4.1/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
-github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA=
-github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo=
+github.com/spf13/afero v1.12.0 h1:UcOPyRBYczmFn6yvphxkn9ZEOY65cpwGKb5mL36mrqs=
+github.com/spf13/afero v1.12.0/go.mod h1:ZTlWwG4/ahT8W7T0WQ5uYmjI9duaLQGy3Q2OAl4sk/4=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cobra v1.1.1/go.mod h1:WnodtKOvamDL/PwE2M4iKs8aMDBZ5Q5klgD3qfVJQMI=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
+github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
+github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
@@ -1098,13 +1096,13 @@ github.com/toorop/go-dkim v0.0.0-20201103131630-e1cd1a0a5208/go.mod h1:BzWtXXrXz
 github.com/transip/gotransip/v6 v6.2.0/go.mod h1:pQZ36hWWRahCUXkFWlx9Hs711gLd8J4qdgLdRzmtY+g=
 github.com/trustelem/zxcvbn v1.0.1 h1:mp4JFtzdDYGj9WYSD3KQSkwwUumWNFzXaAjckaTYpsc=
 github.com/trustelem/zxcvbn v1.0.1/go.mod h1:zonUyKeh7sw6psPf/e3DtRqkRyZvAbOfjNz/aO7YQ5s=
-github.com/tus/tusd/v2 v2.8.0 h1:X2jGxQ05jAW4inDd2ogmOKqwnb4c/D0lw2yhgHayWyU=
-github.com/tus/tusd/v2 v2.8.0/go.mod h1:3/zEOVQQIwmJhvNam8phV4x/UQt68ZmZiTzeuJUNhVo=
+github.com/tus/tusd/v2 v2.7.1 h1:TGJjhv9RYXDmsTz8ug/qSd9vQpmD0Ik0G0IPo80Qmc0=
+github.com/tus/tusd/v2 v2.7.1/go.mod h1:PLdIMQ/ge+5ADgGKcL3FgTaPs+7wB0JIiI5HQXAiJE8=
 github.com/uber-go/atomic v1.3.2/go.mod h1:/Ct5t2lcmbJ4OSe/waGBoaVvVqtO0bmtfVNex1PFV8g=
 github.com/urfave/cli v1.22.4/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
-github.com/urfave/cli/v2 v2.27.6 h1:VdRdS98FNhKZ8/Az8B7MTyGQmpIr36O1EHybx/LaZ4g=
-github.com/urfave/cli/v2 v2.27.6/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ=
+github.com/urfave/cli/v2 v2.27.5 h1:WoHEJLdsXr6dDWoJgMq/CboDmyY/8HMMH1fTECbih+w=
+github.com/urfave/cli/v2 v2.27.5/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fasttemplate v1.0.1/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8=
 github.com/valyala/fasttemplate v1.1.0/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8=
@@ -1145,12 +1143,12 @@ github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQ
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.4.0 h1:TU77id3TnN/zKr7CO/uk+fBCwF2jGcMuw2B/FMAzYIk=
 go.etcd.io/bbolt v1.4.0/go.mod h1:AsD+OCi/qPN1giOX1aiLAha3o1U8rAz65bvN4j0sRuk=
-go.etcd.io/etcd/api/v3 v3.5.20 h1:aKfz3nPZECWoZJXMSH9y6h2adXjtOHaHTGEVCuCmaz0=
-go.etcd.io/etcd/api/v3 v3.5.20/go.mod h1:QqKGViq4KTgOG43dr/uH0vmGWIaoJY3ggFi6ZH0TH/U=
-go.etcd.io/etcd/client/pkg/v3 v3.5.20 h1:sZIAtra+xCo56gdf6BR62to/hiie5Bwl7hQIqMzVTEM=
-go.etcd.io/etcd/client/pkg/v3 v3.5.20/go.mod h1:qaOi1k4ZA9lVLejXNvyPABrVEe7VymMF2433yyRQ7O0=
-go.etcd.io/etcd/client/v3 v3.5.20 h1:jMT2MwQEhyvhQg49Cec+1ZHJzfUf6ZgcmV0GjPv0tIQ=
-go.etcd.io/etcd/client/v3 v3.5.20/go.mod h1:J5lbzYRMUR20YolS5UjlqqMcu3/wdEvG5VNBhzyo3m0=
+go.etcd.io/etcd/api/v3 v3.5.19 h1:w3L6sQZGsWPuBxRQ4m6pPP3bVUtV8rjW033EGwlr0jw=
+go.etcd.io/etcd/api/v3 v3.5.19/go.mod h1:QqKGViq4KTgOG43dr/uH0vmGWIaoJY3ggFi6ZH0TH/U=
+go.etcd.io/etcd/client/pkg/v3 v3.5.19 h1:9VsyGhg0WQGjDWWlDI4VuaS9PZJGNbPkaHEIuLwtixk=
+go.etcd.io/etcd/client/pkg/v3 v3.5.19/go.mod h1:qaOi1k4ZA9lVLejXNvyPABrVEe7VymMF2433yyRQ7O0=
+go.etcd.io/etcd/client/v3 v3.5.19 h1:+4byIz6ti3QC28W0zB0cEZWwhpVHXdrKovyycJh1KNo=
+go.etcd.io/etcd/client/v3 v3.5.19/go.mod h1:FNzyinmMIl0oVsty1zA3hFeUrxXI/JpEnz4sG+POzjU=
 go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
 go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
@@ -1163,12 +1161,12 @@ go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0 h1:rgMkmiGfix9vFJDcDi1PK8WEQP4FLQwLDfhp5ZLpFeE=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0/go.mod h1:ijPqXp5P6IRRByFVVg9DY8P5HkxkHE5ARIa+86aXPf4=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 h1:sbiXRNDSWJOTobXh5HyQKjq6wUC5tNybqjIqDpAY4CU=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0/go.mod h1:69uWxva0WgAA/4bu2Yy70SLDBwZXuQ6PbBpbsa5iZrQ=
-go.opentelemetry.io/contrib/zpages v0.60.0 h1:wOM9ie1Hz4H88L9KE6GrGbKJhfm+8F1NfW/Y3q9Xt+8=
-go.opentelemetry.io/contrib/zpages v0.60.0/go.mod h1:xqfToSRGh2MYUsfyErNz8jnNDPlnpZqWM/y6Z2Cx7xw=
+go.opentelemetry.io/contrib/zpages v0.57.0 h1:mHFZlTkyrUJcuBhpytPSaVPiVkqri96RKUDk01d83eQ=
+go.opentelemetry.io/contrib/zpages v0.57.0/go.mod h1:u/SScNsxj6TacMBA6KCJZjXVC1uwkdVgLFyHrOe0x9M=
 go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
 go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
 go.opentelemetry.io/otel/exporters/jaeger v1.17.0 h1:D7UpUy2Xc2wsi1Ras6V40q806WM07rqoCWzXu7Sqy+4=
@@ -1177,8 +1175,6 @@ go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 h1:1fTNlAIJZGWLP5FVu0f
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0/go.mod h1:zjPK58DtkqQFn+YUMbx0M2XV3QgKU0gS9LeGohREyK4=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 h1:m639+BofXTvcY1q8CGs4ItwQarYtJPOWmVobfM1HpVI=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0/go.mod h1:LjReUci/F4BUyv+y4dwnq3h/26iNOeC3wAIqgvTIZVo=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qHD0C1BeYVTLLR9sX12+Qb95kfeD/byKj6Ky1pXg=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk=
 go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
 go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
 go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
@@ -1246,8 +1242,8 @@ golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac/go.mod h1:hH+7mtFmImwwcMvScy
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/image v0.18.0/go.mod h1:4yyo5vMFQjVjUcVk4jEQcU9MGy/rulF5WvUILseCM2E=
-golang.org/x/image v0.25.0 h1:Y6uW6rH1y5y/LK1J8BPWZtr6yZ7hrsy6hFrXjgsc2fQ=
-golang.org/x/image v0.25.0/go.mod h1:tCAmOEGthTtkalusGp1g3xa2gke8J6c2N565dTyl9Rs=
+golang.org/x/image v0.24.0 h1:AN7zRgVsbvmTfNyqIbbOraYL8mSwcKncEj8ofjgzcMQ=
+golang.org/x/image v0.24.0/go.mod h1:4b/ITuLfqYq1hqZcjofwctIhi7sZh2WaCjvsBNjjya8=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1330,8 +1326,8 @@ golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
-golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
+golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1482,8 +1478,8 @@ golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxb
 golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20201208040808-7e3f01d25324/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
-golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/time v0.10.0 h1:3usCWA8tQn0L8+hFJQNgzpWbd89begxN66o1Ojdn5L4=
+golang.org/x/time v0.10.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -1599,12 +1595,12 @@ google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7Fc
 google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb h1:ITgPrl429bc6+2ZraNSzMDk3I95nmQln2fuPstKwFDE=
-google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:sAo5UzpjUwgFBCzupwhcLcxHVDK7vG5IqI30YnwX2eE=
-google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
-google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
+google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 h1:ToEetK57OidYuqD4Q5w+vfEnPvPpuTwedCNVohYJfNk=
+google.golang.org/genproto v0.0.0-20241118233622-e639e219e697/go.mod h1:JJrvXBWRZaFMxBufik1a4RpFw4HhgVtBBWQeQgUj2cc=
+google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a h1:nwKuGPlUAt+aR+pcrkfFRrTU1BVrSmYyYMxYbUIVHr0=
+google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a/go.mod h1:3kWAYMk1I75K4vykHtKt2ycnOgpA6974V7bREqbsenU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250219182151-9fdb1cabc7b2 h1:DMTIbak9GhdaSxEjvVzAeNZvyc03I61duqNbnm3SU0M=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250219182151-9fdb1cabc7b2/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.19.1/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
@@ -1620,8 +1616,8 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.71.1 h1:ffsFWr7ygTUscGPI0KKK6TLrGz0476KUvvsbqWK0rPI=
-google.golang.org/grpc v1.71.1/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
+google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg=
+google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
 google.golang.org/grpc/examples v0.0.0-20211102180624-670c133e568e h1:m7aQHHqd0q89mRwhwS9Bx2rjyl/hsFAeta+uGrHsQaU=
 google.golang.org/grpc/examples v0.0.0-20211102180624-670c133e568e/go.mod h1:gID3PKrg7pWKntu9Ss6zTLJ0ttC0X9IHgREOCZwbCVU=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
@@ -1638,8 +1634,8 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/cenkalti/backoff.v1 v1.1.0 h1:Arh75ttbsvlpVA7WtVpH4u9h6Zl46xuptxqLxPiSo4Y=
 gopkg.in/cenkalti/backoff.v1 v1.1.0/go.mod h1:J6Vskwqd+OMVJl8C33mmtxTBs2gyzfv7UDAkHu8BrjI=
--- a/opencloud/Makefile
+++ b/opencloud/Makefile
@@ -30,10 +30,10 @@ dev-docker-multiarch:
 	docker buildx rm opencloudbuilder || true
 	docker buildx create --platform linux/arm64,linux/amd64 --name opencloudbuilder
 	docker buildx use opencloudbuilder
-	cd .. && docker buildx build --platform linux/arm64,linux/amd64 --output type=docker --file opencloud/docker/Dockerfile.multiarch --tag opencloudeu/opencloud:dev-multiarch .
+	cd .. && docker buildx build --platform linux/arm64,linux/amd64 --output type=docker --file opencloud/docker/Dockerfile.multiarch --tag opencloud-eu/opencloud:dev-multiarch .
 	docker buildx rm opencloudbuilder

 .PHONY: debug-docker
 debug-docker:
 	$(MAKE) --no-print-directory debug-linux-docker-$(GOARCH)
-	docker build -f docker/Dockerfile.linux.debug.$(GOARCH) -t opencloudeu/opencloud:debug .
+	docker build -f docker/Dockerfile.linux.debug.$(GOARCH) -t opencloud-eu/opencloud:debug .
--- a/opencloud/docker/Dockerfile.linux.amd64
+++ b/opencloud/docker/Dockerfile.linux.amd64
@@ -1,4 +1,4 @@
-FROM amd64/alpine:3.21
+FROM amd64/alpine:3.20

 ARG VERSION=""
 ARG REVISION=""
@@ -22,8 +22,6 @@ RUN addgroup -g 1000 -S opencloud-group && \
  adduser -S --ingroup opencloud-group --uid 1000 opencloud-user --home /var/lib/opencloud

 RUN mkdir -p /var/lib/opencloud && \
-# Pre-create the web directory to avoid permission issues
- mkdir -p /var/lib/opencloud/web/assets/apps && \
 chown -R opencloud-user:opencloud-group /var/lib/opencloud && \
 chmod -R 751 /var/lib/opencloud && \
 mkdir -p /etc/opencloud && \
--- a/opencloud/docker/Dockerfile.linux.arm64
+++ b/opencloud/docker/Dockerfile.linux.arm64
@@ -1,4 +1,4 @@
-FROM arm64v8/alpine:3.21
+FROM arm64v8/alpine:3.20

 ARG VERSION=""
 ARG REVISION=""
@@ -22,8 +22,6 @@ RUN addgroup -g 1000 -S opencloud-group && \
  adduser -S --ingroup opencloud-group --uid 1000 opencloud-user --home /var/lib/opencloud

 RUN mkdir -p /var/lib/opencloud && \
-# Pre-create the web directory to avoid permission issues
- mkdir -p /var/lib/opencloud/web/assets/apps && \
 chown -R opencloud-user:opencloud-group /var/lib/opencloud && \
 chmod -R 751 /var/lib/opencloud && \
 mkdir -p /etc/opencloud && \
--- a/opencloud/docker/Dockerfile.linux.debug.amd64
+++ b/opencloud/docker/Dockerfile.linux.debug.amd64
@@ -1,4 +1,4 @@
-FROM amd64/alpine:edge
+FROM amd64/alpine:latest

 ARG VERSION=""
 ARG REVISION=""
@@ -22,8 +22,6 @@ RUN addgroup -g 1000 -S opencloud-group && \
  adduser -S --ingroup opencloud-group --uid 1000 opencloud-user --home /var/lib/opencloud

 RUN mkdir -p /var/lib/opencloud && \
-# Pre-create the web directory to avoid permission issues
- mkdir -p /var/lib/opencloud/web/assets/apps && \
 chown -R opencloud-user:opencloud-group /var/lib/opencloud && \
 chmod -R 751 /var/lib/opencloud && \
 mkdir -p /etc/opencloud && \
--- a/opencloud/docker/Dockerfile.linux.debug.arm64
+++ b/opencloud/docker/Dockerfile.linux.debug.arm64
@@ -1,43 +0,0 @@
-FROM arm64v8/alpine:edge
-
-ARG VERSION=""
-ARG REVISION=""
-
-RUN apk add --no-cache attr bash ca-certificates curl delve inotify-tools libc6-compat mailcap tree vips patch && \
-	echo 'hosts: files dns' >| /etc/nsswitch.conf
-
-LABEL maintainer="OpenCloud GmbH <devops@opencloud.eu>" \
-  org.opencontainers.image.title="OpenCloud" \
-  org.opencontainers.image.vendor="OpenCloud GmbH" \
-  org.opencontainers.image.authors="OpenCloud GmbH" \
-  org.opencontainers.image.description="OpenCloud is a modern file-sync and share platform" \
-  org.opencontainers.image.licenses="Apache-2.0" \
-  org.opencontainers.image.documentation="https://github.com/opencloud-eu/opencloud" \
-  org.opencontainers.image.url="https://hub.docker.com/r/opencloud-eu/opencloud" \
-  org.opencontainers.image.source="https://github.com/opencloud-eu/opencloud" \
-  org.opencontainers.image.version="${VERSION}" \
-  org.opencontainers.image.revision="${REVISION}"
-
-RUN addgroup -g 1000 -S opencloud-group && \
-  adduser -S --ingroup opencloud-group --uid 1000 opencloud-user --home /var/lib/opencloud
-
-RUN mkdir -p /var/lib/opencloud && \
-# Pre-create the web directory to avoid permission issues
- mkdir -p /var/lib/opencloud/web/assets/apps && \
- chown -R opencloud-user:opencloud-group /var/lib/opencloud && \
- chmod -R 751 /var/lib/opencloud && \
- mkdir -p /etc/opencloud && \
- chown -R opencloud-user:opencloud-group /etc/opencloud && \
- chmod -R 751 /etc/opencloud
-
-VOLUME [ "/var/lib/opencloud", "/etc/opencloud" ]
-WORKDIR /var/lib/opencloud
-
-USER 1000
-
-EXPOSE 9200/tcp
-
-ENTRYPOINT ["/usr/bin/opencloud"]
-CMD ["server"]
-
-COPY dist/binaries/opencloud-linux-arm64 /usr/bin/opencloud
--- a/opencloud/docker/Dockerfile.multiarch
+++ b/opencloud/docker/Dockerfile.multiarch
@@ -1,4 +1,4 @@
-FROM golang:alpine3.21 AS build
+FROM golang:alpine3.20 AS build
 ARG TARGETOS
 ARG TARGETARCH
 ARG VERSION
@@ -37,8 +37,6 @@ RUN addgroup -g 1000 -S opencloud-group && \
  adduser -S --ingroup opencloud-group --uid 1000 opencloud-user --home /var/lib/opencloud

 RUN mkdir -p /var/lib/opencloud && \
-# Pre-create the web directory to avoid permission issues
- mkdir -p /var/lib/opencloud/web/assets/apps && \
 chown -R opencloud-user:opencloud-group /var/lib/opencloud && \
 chmod -R 751 /var/lib/opencloud && \
 mkdir -p /etc/opencloud && \
--- a/opencloud/pkg/backup/backup.go
+++ b/opencloud/pkg/backup/backup.go
@@ -28,7 +28,7 @@ var (

 	// regex to determine if a node is trashed or versioned.
 	// 9113a718-8285-4b32-9042-f930f1a58ac2.REV.2024-05-22T07:32:53.89969726Z
-	_versionRegex = regexp.MustCompile(`\.REV\.[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(\.[0-9]+)?Z(\.\d+)?$`)
+	_versionRegex = regexp.MustCompile(`\.REV\.[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(\.[0-9]+)?Z$`)
 	//   9113a718-8285-4b32-9042-f930f1a58ac2.T.2024-05-23T08:25:20.006571811Z <- this HAS a symlink
 	_trashRegex = regexp.MustCompile(`\.T\.[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(\.[0-9]+)?Z$`)
 )
--- a/opencloud/pkg/runtime/service/service.go
+++ b/opencloud/pkg/runtime/service/service.go
@@ -11,9 +11,17 @@ import (
 	"strings"
 	"time"

+	authapp "github.com/opencloud-eu/opencloud/services/auth-app/pkg/command"
+
 	"github.com/cenkalti/backoff"
 	"github.com/mohae/deepcopy"
 	"github.com/olekukonko/tablewriter"
+	notifications "github.com/opencloud-eu/opencloud/services/notifications/pkg/command"
+	"github.com/opencloud-eu/reva/v2/pkg/events/stream"
+	"github.com/opencloud-eu/reva/v2/pkg/logger"
+	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
+	"github.com/thejerf/suture/v4"
+
 	occfg "github.com/opencloud-eu/opencloud/pkg/config"
 	"github.com/opencloud-eu/opencloud/pkg/log"
 	ogrpc "github.com/opencloud-eu/opencloud/pkg/service/grpc"
@@ -23,7 +31,6 @@ import (
 	appProvider "github.com/opencloud-eu/opencloud/services/app-provider/pkg/command"
 	appRegistry "github.com/opencloud-eu/opencloud/services/app-registry/pkg/command"
 	audit "github.com/opencloud-eu/opencloud/services/audit/pkg/command"
-	authapp "github.com/opencloud-eu/opencloud/services/auth-app/pkg/command"
 	authbasic "github.com/opencloud-eu/opencloud/services/auth-basic/pkg/command"
 	authmachine "github.com/opencloud-eu/opencloud/services/auth-machine/pkg/command"
 	authservice "github.com/opencloud-eu/opencloud/services/auth-service/pkg/command"
@@ -37,7 +44,6 @@ import (
 	idp "github.com/opencloud-eu/opencloud/services/idp/pkg/command"
 	invitations "github.com/opencloud-eu/opencloud/services/invitations/pkg/command"
 	nats "github.com/opencloud-eu/opencloud/services/nats/pkg/command"
-	notifications "github.com/opencloud-eu/opencloud/services/notifications/pkg/command"
 	ocdav "github.com/opencloud-eu/opencloud/services/ocdav/pkg/command"
 	ocm "github.com/opencloud-eu/opencloud/services/ocm/pkg/command"
 	ocs "github.com/opencloud-eu/opencloud/services/ocs/pkg/command"
@@ -58,10 +64,6 @@ import (
 	web "github.com/opencloud-eu/opencloud/services/web/pkg/command"
 	webdav "github.com/opencloud-eu/opencloud/services/webdav/pkg/command"
 	webfinger "github.com/opencloud-eu/opencloud/services/webfinger/pkg/command"
-	"github.com/opencloud-eu/reva/v2/pkg/events/stream"
-	"github.com/opencloud-eu/reva/v2/pkg/logger"
-	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
-	"github.com/thejerf/suture/v4"
 )

 var (
@@ -158,11 +160,6 @@ func NewService(ctx context.Context, options ...Option) (*Service, error) {
 		cfg.AppRegistry.Commons = cfg.Commons
 		return appRegistry.Execute(cfg.AppRegistry)
 	})
-	reg(3, opts.Config.AuthApp.Service.Name, func(ctx context.Context, cfg *occfg.Config) error {
-		cfg.AuthApp.Context = ctx
-		cfg.AuthApp.Commons = cfg.Commons
-		return authapp.Execute(cfg.AuthApp)
-	})
 	reg(3, opts.Config.AuthBasic.Service.Name, func(ctx context.Context, cfg *occfg.Config) error {
 		cfg.AuthBasic.Context = ctx
 		cfg.AuthBasic.Commons = cfg.Commons
@@ -327,6 +324,11 @@ func NewService(ctx context.Context, options ...Option) (*Service, error) {
 		cfg.Audit.Commons = cfg.Commons
 		return audit.Execute(cfg.Audit)
 	})
+	areg(opts.Config.AuthApp.Service.Name, func(ctx context.Context, cfg *occfg.Config) error {
+		cfg.AuthApp.Context = ctx
+		cfg.AuthApp.Commons = cfg.Commons
+		return authapp.Execute(cfg.AuthApp)
+	})
 	areg(opts.Config.Policies.Service.Name, func(ctx context.Context, cfg *occfg.Config) error {
 		cfg.Policies.Context = ctx
 		cfg.Policies.Commons = cfg.Commons
--- a/pkg/kql/dictionary_gen.go
+++ b/pkg/kql/dictionary_gen.go
@@ -2716,7 +2716,7 @@ var (

 	// errMaxExprCnt is used to signal that the maximum number of
 	// expressions have been parsed.
-	errMaxExprCnt = errors.New("max number of expressions parsed")
+	errMaxExprCnt = errors.New("max number of expresssions parsed")
 )

 // Option is a function that can set an option on the parser. It returns
--- a/pkg/oidc/mocks/oidc_client.go
+++ b/pkg/oidc/mocks/oidc_client.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.53.2. DO NOT EDIT.
+// Code generated by mockery v2.53.0. DO NOT EDIT.

 package mocks

--- a/pkg/version/version.go
+++ b/pkg/version/version.go
@@ -16,7 +16,7 @@ var (
 	// LatestTag is the latest released version plus the dev meta version.
 	// Will be overwritten by the release pipeline
 	// Needs a manual change for every tagged release
-	LatestTag = "2.0.0+dev"
+	LatestTag = "1.1.0-alpha.1+dev"

 	// Date indicates the build date.
 	// This has been removed, it looks like you can only replace static strings with recent go versions
@@ -46,17 +46,18 @@ func GetString() string {
 // Parsed returns a semver Version
 func Parsed() (version *semver.Version) {
 	versionToParse := LatestTag
-	// use the placeholder version if the tag is empty or when we are creating a daily build
-	if Tag != "" && Tag != "daily" {
+	if Tag != "" {
 		versionToParse = Tag
 	}
 	version, err := semver.NewVersion(versionToParse)
+	// We have no semver version but a commitid
 	if err != nil {
 		// this should never happen
-		return &semver.Version{}
+		if err != nil {
+			return &semver.Version{}
+		}
 	}
 	if String != "" {
-		// We have no tagged version but a commitid
 		nVersion, err := version.SetMetadata(String)
 		if err != nil {
 			return &semver.Version{}
--- a/release-config.ts
+++ b/release-config.ts
@@ -1,49 +0,0 @@
-export default {
-    changeTypes: [
-        {
-            title: '💥 Breaking changes',
-            labels: ['breaking', 'Type:Breaking-Change'],
-            bump: 'major',
-            weight: 3
-        },
-        {
-            title: '🔒 Security',
-            labels: ['security', 'Type:Security'],
-            bump: 'patch',
-            weight: 2
-        },
-        {
-            title: '✨ Features',
-            labels: ['feature', 'Type:Feature'],
-            bump: 'minor',
-            weight: 1
-        },
-        {
-            title: '📈 Enhancement',
-            labels: ['enhancement', 'refactor', 'Type:Enhancement'],
-            bump: 'minor'
-        },
-        {
-            title: '🐛 Bug Fixes',
-            labels: ['bug', 'Type:Bug'],
-            bump: 'patch'
-        },
-        {
-            title: '📚 Documentation',
-            labels: ['docs', 'documentation', 'Type:Documentation'],
-            bump: 'patch'
-        },
-        {
-            title: '✅ Tests',
-            labels: ['test', 'tests', 'Type:Test'],
-            bump: 'patch'
-        },
-        {
-            title: '📦️ Dependencies',
-            labels: ['dependency', 'dependencies', 'Type:Dependencies'],
-            bump: 'patch',
-            weight: -1
-        }
-    ],
-    useVersionPrefixV: true,
-}
--- a/services/antivirus/README.md
+++ b/services/antivirus/README.md
@@ -4,10 +4,7 @@ The `antivirus` service is responsible for scanning files for viruses.

 ## Memory Considerations

-The antivirus service can consume considerable amounts of memory.
-This is relevant to provide or define sufficient memory for the deployment selected.
-To avoid out of memory (OOM) situations, the following equation gives a rough overview based on experiences made.
-The memory calculation comes without any guarantee, is intended as overview only and subject of change.
+The antivirus service can consume considerably amounts of memory. This is relevant to provide or define sufficient memory for the deployment selected. To avoid out of memory (OOM) situations, the following equation gives a rough overview based on experiences made. The memory calculation comes without any guarantee, is intended as overview only and subject of change.

 `memory limit` = `max file size` x `workers` x `factor 8 - 14`

@@ -22,31 +19,17 @@ With:

 ### Antivirus Scanner Type

-The antivirus service currently supports [ICAP](https://tools.ietf.org/html/rfc3507) and [ClamAV](http://www.clamav.net/index.html) as antivirus scanners.
-The `ANTIVIRUS_SCANNER_TYPE` environment variable is used to select the scanner.
-The detailed configuration for each scanner heavily depends on the scanner type selected.
-See the environment variables for more details.
+The antivirus service currently supports [ICAP](https://tools.ietf.org/html/rfc3507) and [ClamAV](http://www.clamav.net/index.html) as antivirus scanners. The `ANTIVIRUS_SCANNER_TYPE` environment variable is used to select the scanner. The detailed configuration for each scanner heavily depends on the scanner type selected. See the environment variables for more details.

  -   For `icap`, only scanners using the `X-Infection-Found` header are currently supported.
  -   For `clamav` only local sockets can currently be configured.

 ### Maximum Scan Size

-Several factors can make it necessary to limit the maximum filesize the antivirus service uses for scanning.
-Use the `ANTIVIRUS_MAX_SCAN_SIZE` environment variable to scan only a given number of bytes,
-or to skip the whole resource.
-
-Even if it's recommended to scan the whole file, several factors like scanner type and version,
-bandwidth, performance issues, etc. might make a limit necessary.
-
-In such cases, the antivirus the max scan size mode can be handy, the following modes are available:
-
-  -   `partial`: The file is scanned up to the given size. The rest of the file is not scanned. This is the default mode `ANTIVIRUS_MAX_SCAN_SIZE=partial`
-  -   `skip`: The file is skipped and not scanned. `ANTIVIRUS_MAX_SCAN_SIZE=skip`
+Several factors can make it necessary to limit the maximum filesize the antivirus service will use for scanning. Use the `ANTIVIRUS_MAX_SCAN_SIZE` environment variable to scan only a given amount of bytes. Obviously, it is recommended to scan the whole file, but several factors like scanner type and version, bandwidth, performance issues, etc. might make a limit necessary.

 **IMPORTANT**
-> Streaming of files to the virus scan service still [needs to be implemented](https://github.com/owncloud/ocis/issues/6803).
-> To prevent OOM errors `ANTIVIRUS_MAX_SCAN_SIZE` needs to be set lower than available ram and or the maximum file size that can be scanned by the virus scanner.
+> Streaming of files to the virus scan service still [needs to be implemented](https://github.com/owncloud/ocis/issues/6803). To prevent OOM errors `ANTIVIRUS_MAX_SCAN_SIZE` needs to be set lower than available ram.

 ### Antivirus Workers

@@ -58,7 +41,7 @@ The antivirus service allows three different ways of handling infected files. Th

  -   `delete`: (default): Infected files will be deleted immediately, further postprocessing is cancelled.
  -   `abort`:  (advanced option): Infected files will be kept, further postprocessing is cancelled. Files can be manually retrieved and inspected by an admin. To identify the file for further investigation, the antivirus service logs the abort/infected state including the file ID. The file is located in the `storage/users/uploads` folder of the OpenCloud data directory and persists until it is manually deleted by the admin via the [Manage Unfinished Uploads](https://github.com/opencloud-eu/opencloud/tree/main/services/storage-users#manage-unfinished-uploads) command.
-  -   `continue`:  (not recommended): Infected files will be marked via metadata as infected, but postprocessing continues normally. Note: Infected Files are moved to their final destination and therefore not prevented from download, which includes the risk of spreading viruses.
+  -   `continue`:  (obviously not recommended): Infected files will be marked via metadata as infected but postprocessing continues normally. Note: Infected Files are moved to their final destination and therefore not prevented from download which includes the risk of spreading viruses.

 In all cases, a log entry is added declaring the infection and handling method and a notification via the `userlog` service sent.

--- a/services/antivirus/pkg/command/server.go
+++ b/services/antivirus/pkg/command/server.go
@@ -45,7 +45,7 @@ func Server(cfg *config.Config) *cli.Command {
 			{
 				svc, err := service.NewAntivirus(cfg, logger, traceProvider)
 				if err != nil {
-					return cli.Exit(err.Error(), 1)
+					return err
 				}

 				gr.Add(svc.Run, func(_ error) {
--- a/services/antivirus/pkg/config/config.go
+++ b/services/antivirus/pkg/config/config.go
@@ -5,26 +5,6 @@ import (
 	"time"
 )

-// ScannerType gives info which scanner is used
-type ScannerType string
-
-const (
-	// ScannerTypeClamAV defines that clamav is used
-	ScannerTypeClamAV ScannerType = "clamav"
-	// ScannerTypeICap defines that icap is used
-	ScannerTypeICap ScannerType = "icap"
-)
-
-// MaxScanSizeMode defines the mode of handling files that exceed the maximum scan size
-type MaxScanSizeMode string
-
-const (
-	// MaxScanSizeModeSkip defines that files that are bigger than the max scan size will be skipped
-	MaxScanSizeModeSkip MaxScanSizeMode = "skip"
-	// MaxScanSizeModePartial defines that only the file up to the max size will be used
-	MaxScanSizeModePartial MaxScanSizeMode = "partial"
-)
-
 // Config combines all available configuration parts.
 type Config struct {
 	File string
@@ -40,9 +20,8 @@ type Config struct {
 	Events               Events
 	Workers              int `yaml:"workers" env:"ANTIVIRUS_WORKERS" desc:"The number of concurrent go routines that fetch events from the event queue." introductionVersion:"1.0.0"`

-	Scanner         Scanner
-	MaxScanSize     string          `yaml:"max-scan-size" env:"ANTIVIRUS_MAX_SCAN_SIZE" desc:"The maximum scan size the virus scanner can handle.0 means unlimited. Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB." introductionVersion:"1.0.0"`
-	MaxScanSizeMode MaxScanSizeMode `yaml:"max-scan-size-mode" env:"ANTIVIRUS_MAX_SCAN_SIZE_MODE" desc:"Defines the mode of handling files that exceed the maximum scan size. Supported options are: 'skip', which skips files that are bigger than the max scan size, and 'truncate' (default), which only uses the file up to the max size." introductionVersion:"2.1.0"`
+	Scanner     Scanner
+	MaxScanSize string `yaml:"max-scan-size" env:"ANTIVIRUS_MAX_SCAN_SIZE" desc:"The maximum scan size the virus scanner can handle. Only this many bytes of a file will be scanned. 0 means unlimited and is the default. Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB." introductionVersion:"1.0.0"`

 	Context context.Context `json:"-" yaml:"-"`

@@ -83,7 +62,7 @@ type Events struct {

 // Scanner provides configuration options for the virus scanner
 type Scanner struct {
-	Type ScannerType `yaml:"type" env:"ANTIVIRUS_SCANNER_TYPE" desc:"The antivirus scanner to use. Supported values are 'clamav' and 'icap'." introductionVersion:"1.0.0"`
+	Type string `yaml:"type" env:"ANTIVIRUS_SCANNER_TYPE" desc:"The antivirus scanner to use. Supported values are 'clamav' and 'icap'." introductionVersion:"1.0.0"`

 	ClamAV ClamAV // only if Type == clamav
 	ICAP   ICAP   // only if Type == icap
@@ -91,8 +70,7 @@ type Scanner struct {

 // ClamAV provides configuration option for clamav
 type ClamAV struct {
-	Socket  string        `yaml:"socket" env:"ANTIVIRUS_CLAMAV_SOCKET" desc:"The socket clamav is running on. Note the default value is an example which needs adaption according your OS." introductionVersion:"1.0.0"`
-	Timeout time.Duration `yaml:"scan_timeout" env:"ANTIVIRUS_CLAMAV_SCAN_TIMEOUT" desc:"Scan timeout for the ClamAV client. Defaults to '5m' (5 minutes). See the Environment Variable Types description for more details." introductionVersion:"2.1.0"`
+	Socket string `yaml:"socket" env:"ANTIVIRUS_CLAMAV_SOCKET" desc:"The socket clamav is running on. Note the default value is an example which needs adaption according your OS." introductionVersion:"1.0.0"`
 }

 // ICAP provides configuration options for icap
--- a/services/antivirus/pkg/config/defaults/defaultconfig.go
+++ b/services/antivirus/pkg/config/defaults/defaultconfig.go
@@ -30,15 +30,10 @@ func DefaultConfig() *config.Config {
 		},
 		Workers:              10,
 		InfectedFileHandling: "delete",
-		// defaults from clamav sample conf: MaxScanSize=400M, MaxFileSize=100M, StreamMaxLength=100M
-		// https://github.com/Cisco-Talos/clamav/blob/main/etc/clamd.conf.sample
-		MaxScanSize:     "100MB",
-		MaxScanSizeMode: config.MaxScanSizeModePartial,
 		Scanner: config.Scanner{
-			Type: config.ScannerTypeClamAV,
+			Type: "clamav",
 			ClamAV: config.ClamAV{
-				Socket:  "/run/clamav/clamd.ctl",
-				Timeout: 5 * time.Minute,
+				Socket: "/run/clamav/clamd.ctl",
 			},
 			ICAP: config.ICAP{
 				URL:     "icap://127.0.0.1:1344",
@@ -62,9 +57,4 @@ func EnsureDefaults(cfg *config.Config) {

 // Sanitize sanitizes the configuration
 func Sanitize(cfg *config.Config) {
-	defaultConfig := DefaultConfig()
-
-	if cfg.MaxScanSize == "" {
-		cfg.MaxScanSize = defaultConfig.MaxScanSize
-	}
 }
--- a/services/antivirus/pkg/scanners/clamav.go
+++ b/services/antivirus/pkg/scanners/clamav.go
@@ -1,51 +1,34 @@
 package scanners

 import (
-	"fmt"
 	"time"

 	"github.com/dutchcoders/go-clamd"
 )

 // NewClamAV returns a Scanner talking to clamAV via socket
-func NewClamAV(socket string, timeout time.Duration) (*ClamAV, error) {
-	c := clamd.NewClamd(socket)
-
-	if err := c.Ping(); err != nil {
-		return nil, fmt.Errorf("%w: %w", ErrScannerNotReachable, err)
-	}
-
+func NewClamAV(socket string) *ClamAV {
 	return &ClamAV{
-		clamd:   clamd.NewClamd(socket),
-		timeout: timeout,
-	}, nil
+		clamd: clamd.NewClamd(socket),
+	}
 }

 // ClamAV is a Scanner based on clamav
 type ClamAV struct {
-	clamd   *clamd.Clamd
-	timeout time.Duration
+	clamd *clamd.Clamd
 }

 // Scan to fulfill Scanner interface
 func (s ClamAV) Scan(in Input) (Result, error) {
-	abort := make(chan bool, 1)
-	defer close(abort)
-
-	ch, err := s.clamd.ScanStream(in.Body, abort)
+	ch, err := s.clamd.ScanStream(in.Body, make(chan bool))
 	if err != nil {
 		return Result{}, err
 	}

-	select {
-	case <-time.After(s.timeout):
-		abort <- true
-		return Result{}, fmt.Errorf("%w: %s", ErrScanTimeout, in.Url)
-	case s := <-ch:
-		return Result{
-			Infected:    s.Status == clamd.RES_FOUND,
-			Description: s.Description,
-			ScanTime:    time.Now(),
-		}, nil
-	}
+	r := <-ch
+	return Result{
+		Infected:    r.Status == clamd.RES_FOUND,
+		Description: r.Description,
+		ScanTime:    time.Now(),
+	}, nil
 }
--- a/services/antivirus/pkg/scanners/clamav_test.go
+++ b/services/antivirus/pkg/scanners/clamav_test.go
@@ -1,120 +0,0 @@
-package scanners_test
-
-import (
-	"context"
-	"net"
-	"os"
-	"path/filepath"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/opencloud-eu/opencloud/services/antivirus/pkg/scanners"
-)
-
-func newUnixListener(t testing.TB, lc net.ListenConfig, v ...string) net.Listener {
-	d, err := os.MkdirTemp("", "")
-	assert.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, os.RemoveAll(d))
-	})
-
-	nl, err := lc.Listen(context.Background(), "unix", filepath.Join(d, "sock"))
-	require.NoError(t, err)
-
-	go func() {
-		i := 0
-		for {
-			if len(v) == i {
-				break
-			}
-
-			conn, err := nl.Accept()
-			require.NoError(t, err)
-
-			time.Sleep(100 * time.Millisecond)
-
-			_, err = conn.Write([]byte(v[i]))
-			require.NoError(t, err)
-			require.NoError(t, conn.Close())
-			i++
-		}
-	}()
-
-	return nl
-}
-
-func TestNewClamAV(t *testing.T) {
-	t.Run("returns a scanner", func(t *testing.T) {
-		ul := newUnixListener(t, net.ListenConfig{}, "PONG\n")
-		defer func() {
-			assert.NoError(t, ul.Close())
-		}()
-
-		done := make(chan bool, 1)
-
-		go func() {
-			_, err := scanners.NewClamAV(ul.Addr().String(), 10*time.Second)
-			assert.NoError(t, err)
-			done <- true
-		}()
-
-		assert.True(t, <-done)
-	})
-
-	t.Run("fails if scanner is not pingable", func(t *testing.T) {
-		_, err := scanners.NewClamAV("", 0)
-		assert.ErrorIs(t, err, scanners.ErrScannerNotReachable)
-	})
-}
-
-func TestNewClamAV_Scan(t *testing.T) {
-	t.Run("returns a result", func(t *testing.T) {
-		ul := newUnixListener(t, net.ListenConfig{}, "PONG\n", "stream: Win.Test.EICAR_HDB-1 FOUND\n")
-		defer func() {
-			assert.NoError(t, ul.Close())
-		}()
-
-		done := make(chan bool, 1)
-
-		go func() {
-			scanner, err := scanners.NewClamAV(ul.Addr().String(), 10*time.Second)
-			assert.NoError(t, err)
-
-			result, err := scanner.Scan(scanners.Input{Body: strings.NewReader("DATA")})
-			assert.NoError(t, err)
-
-			assert.Equal(t, result.Description, "Win.Test.EICAR_HDB-1")
-			assert.True(t, result.Infected)
-			done <- true
-		}()
-
-		assert.True(t, <-done)
-	})
-
-	t.Run("aborts after a certain time", func(t *testing.T) {
-		ul := newUnixListener(t, net.ListenConfig{}, "PONG\n", "stream: Win.Test.EICAR_HDB-1 FOUND\n")
-		defer func() {
-			assert.NoError(t, ul.Close())
-		}()
-
-		done := make(chan bool, 1)
-
-		go func() {
-			scanner, err := scanners.NewClamAV(ul.Addr().String(), 10*time.Second)
-			assert.NoError(t, err)
-
-			result, err := scanner.Scan(scanners.Input{Body: strings.NewReader("DATA")})
-			assert.NoError(t, err)
-
-			assert.Equal(t, result.Description, "Win.Test.EICAR_HDB-1")
-			assert.True(t, result.Infected)
-			done <- true
-		}()
-
-		assert.True(t, <-done)
-	})
-}
--- a/services/antivirus/pkg/scanners/scanners.go
+++ b/services/antivirus/pkg/scanners/scanners.go
@@ -1,31 +1,21 @@
 package scanners

 import (
-	"errors"
 	"io"
 	"time"
 )

-var (
-	// ErrScanTimeout is returned when a scan times out
-	ErrScanTimeout = errors.New("time out waiting for clamav to respond while scanning")
-	// ErrScannerNotReachable is returned when the scanner is not reachable
-	ErrScannerNotReachable = errors.New("failed to reach the scanner")
-)
+// The Result is the common scan result to all scanners
+type Result struct {
+	Infected    bool
+	ScanTime    time.Time
+	Description string
+}

-type (
-	// The Result is the common scan result to all scanners
-	Result struct {
-		Infected    bool
-		ScanTime    time.Time
-		Description string
-	}
-
-	// The Input is the common input to all scanners
-	Input struct {
-		Body io.Reader
-		Size int64
-		Url  string
-		Name string
-	}
-)
+// The Input is the common input to all scanners
+type Input struct {
+	Body io.Reader
+	Size int64
+	Url  string
+	Name string
+}
--- a/services/antivirus/pkg/service/service.go
+++ b/services/antivirus/pkg/service/service.go
@@ -9,7 +9,6 @@ import (
 	"io"
 	"net/http"
 	"os"
-	"slices"
 	"sync"
 	"time"

@@ -38,44 +37,38 @@ type Scanner interface {
 }

 // NewAntivirus returns a service implementation for Service.
-func NewAntivirus(cfg *config.Config, logger log.Logger, tracerProvider trace.TracerProvider) (Antivirus, error) {
+func NewAntivirus(c *config.Config, l log.Logger, tp trace.TracerProvider) (Antivirus, error) {
+
 	var scanner Scanner
 	var err error
-	switch cfg.Scanner.Type {
+	switch c.Scanner.Type {
 	default:
-		return Antivirus{}, fmt.Errorf("unknown av scanner: '%s'", cfg.Scanner.Type)
-	case config.ScannerTypeClamAV:
-		scanner, err = scanners.NewClamAV(cfg.Scanner.ClamAV.Socket, cfg.Scanner.ClamAV.Timeout)
-	case config.ScannerTypeICap:
-		scanner, err = scanners.NewICAP(cfg.Scanner.ICAP.URL, cfg.Scanner.ICAP.Service, cfg.Scanner.ICAP.Timeout)
+		return Antivirus{}, fmt.Errorf("unknown av scanner: '%s'", c.Scanner.Type)
+	case "clamav":
+		scanner = scanners.NewClamAV(c.Scanner.ClamAV.Socket)
+	case "icap":
+		scanner, err = scanners.NewICAP(c.Scanner.ICAP.URL, c.Scanner.ICAP.Service, c.Scanner.ICAP.Timeout)
 	}
 	if err != nil {
 		return Antivirus{}, err
 	}

-	av := Antivirus{config: cfg, log: logger, tracerProvider: tracerProvider, scanner: scanner, client: rhttp.GetHTTPClient(rhttp.Insecure(true))}
+	av := Antivirus{c: c, l: l, tp: tp, s: scanner, client: rhttp.GetHTTPClient(rhttp.Insecure(true))}

-	switch mode := cfg.MaxScanSizeMode; mode {
-	case config.MaxScanSizeModeSkip, config.MaxScanSizeModePartial:
-		break
-	default:
-		return av, fmt.Errorf("unknown max scan size mode '%s'", cfg.MaxScanSizeMode)
-	}
-
-	switch outcome := events.PostprocessingOutcome(cfg.InfectedFileHandling); outcome {
+	switch o := events.PostprocessingOutcome(c.InfectedFileHandling); o {
 	case events.PPOutcomeContinue, events.PPOutcomeAbort, events.PPOutcomeDelete:
-		av.outcome = outcome
+		av.o = o
 	default:
-		return av, fmt.Errorf("unknown infected file handling '%s'", outcome)
+		return av, fmt.Errorf("unknown infected file handling '%s'", o)
 	}

-	if cfg.MaxScanSize != "" {
-		b, err := bytesize.Parse(cfg.MaxScanSize)
+	if c.MaxScanSize != "" {
+		b, err := bytesize.Parse(c.MaxScanSize)
 		if err != nil {
 			return av, err
 		}

-		av.maxScanSize = b.Bytes()
+		av.m = b.Bytes()
 	}

 	return av, nil
@@ -83,23 +76,23 @@ func NewAntivirus(cfg *config.Config, logger log.Logger, tracerProvider trace.Tr

 // Antivirus defines implements the business logic for Service.
 type Antivirus struct {
-	config         *config.Config
-	log            log.Logger
-	scanner        Scanner
-	outcome        events.PostprocessingOutcome
-	maxScanSize    uint64
-	tracerProvider trace.TracerProvider
+	c  *config.Config
+	l  log.Logger
+	s  Scanner
+	o  events.PostprocessingOutcome
+	m  uint64
+	tp trace.TracerProvider

 	client *http.Client
 }

 // Run runs the service
 func (av Antivirus) Run() error {
-	eventsCfg := av.config.Events
+	evtsCfg := av.c.Events

 	var rootCAPool *x509.CertPool
-	if av.config.Events.TLSRootCACertificate != "" {
-		rootCrtFile, err := os.Open(eventsCfg.TLSRootCACertificate)
+	if av.c.Events.TLSRootCACertificate != "" {
+		rootCrtFile, err := os.Open(evtsCfg.TLSRootCACertificate)
 		if err != nil {
 			return err
 		}
@@ -111,10 +104,10 @@ func (av Antivirus) Run() error {

 		rootCAPool = x509.NewCertPool()
 		rootCAPool.AppendCertsFromPEM(certBytes.Bytes())
-		av.config.Events.TLSInsecure = false
+		av.c.Events.TLSInsecure = false
 	}

-	natsStream, err := stream.NatsFromConfig(av.config.Service.Name, false, stream.NatsConfig(av.config.Events))
+	natsStream, err := stream.NatsFromConfig(av.c.Service.Name, false, stream.NatsConfig(av.c.Events))
 	if err != nil {
 		return err
 	}
@@ -125,7 +118,7 @@ func (av Antivirus) Run() error {
 	}

 	wg := sync.WaitGroup{}
-	for i := 0; i < av.config.Workers; i++ {
+	for i := 0; i < av.c.Workers; i++ {
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
@@ -134,11 +127,11 @@ func (av Antivirus) Run() error {
 				if err != nil {
 					switch {
 					case errors.Is(err, ErrFatal):
-						av.log.Fatal().Err(err).Msg("fatal error - exiting")
+						av.l.Fatal().Err(err).Msg("fatal error - exiting")
 					case errors.Is(err, ErrEvent):
-						av.log.Error().Err(err).Msg("continuing")
+						av.l.Error().Err(err).Msg("continuing")
 					default:
-						av.log.Fatal().Err(err).Msg("unknown error - exiting")
+						av.l.Fatal().Err(err).Msg("unknown error - exiting")
 					}
 				}
 			}
@@ -150,20 +143,20 @@ func (av Antivirus) Run() error {
 }

 func (av Antivirus) processEvent(e events.Event, s events.Publisher) error {
-	ctx, span := av.tracerProvider.Tracer("antivirus").Start(e.GetTraceContext(context.Background()), "processEvent")
+	ctx := e.GetTraceContext(context.Background())
+	ctx, span := av.tp.Tracer("antivirus").Start(ctx, "processEvent")
 	defer span.End()
-	av.log.Info().Str("traceID", span.SpanContext().TraceID().String()).Msg("TraceID")
-
+	av.l.Info().Str("traceID", span.SpanContext().TraceID().String()).Msg("TraceID")
 	ev := e.Event.(events.StartPostprocessingStep)
 	if ev.StepToStart != events.PPStepAntivirus {
 		return nil
 	}

-	if av.config.DebugScanOutcome != "" {
-		av.log.Warn().Str("antivir, clamav", ">>>>>>> ANTIVIRUS_DEBUG_SCAN_OUTCOME IS SET NO ACTUAL VIRUS SCAN IS PERFORMED!").Send()
+	if av.c.DebugScanOutcome != "" {
+		av.l.Warn().Str("antivir, clamav", ">>>>>>> ANTIVIRUS_DEBUG_SCAN_OUTCOME IS SET NO ACTUAL VIRUS SCAN IS PERFORMED!").Send()
 		if err := events.Publish(ctx, s, events.PostprocessingStepFinished{
 			FinishedStep:  events.PPStepAntivirus,
-			Outcome:       events.PostprocessingOutcome(av.config.DebugScanOutcome),
+			Outcome:       events.PostprocessingOutcome(av.c.DebugScanOutcome),
 			UploadID:      ev.UploadID,
 			ExecutingUser: ev.ExecutingUser,
 			Filename:      ev.Filename,
@@ -174,14 +167,13 @@ func (av Antivirus) processEvent(e events.Event, s events.Publisher) error {
 				ResourceID:  ev.ResourceID,
 			},
 		}); err != nil {
-			av.log.Fatal().Err(err).Str("uploadid", ev.UploadID).Interface("resourceID", ev.ResourceID).Msg("cannot publish events - exiting")
+			av.l.Fatal().Err(err).Str("uploadid", ev.UploadID).Interface("resourceID", ev.ResourceID).Msg("cannot publish events - exiting")
 			return fmt.Errorf("%w: cannot publish events", ErrFatal)
 		}
 		return fmt.Errorf("%w: no actual virus scan performed", ErrEvent)
 	}

-	av.log.Debug().Str("uploadid", ev.UploadID).Str("filename", ev.Filename).Msg("Starting virus scan.")
-
+	av.l.Debug().Str("uploadid", ev.UploadID).Str("filename", ev.Filename).Msg("Starting virus scan.")
 	var errmsg string
 	start := time.Now()
 	res, err := av.process(ev)
@@ -193,17 +185,17 @@ func (av Antivirus) processEvent(e events.Event, s events.Publisher) error {
 	var outcome events.PostprocessingOutcome
 	switch {
 	case res.Infected:
-		outcome = av.outcome
+		outcome = av.o
 	case !res.Infected && err == nil:
 		outcome = events.PPOutcomeContinue
 	case err != nil:
 		outcome = events.PPOutcomeRetry
 	default:
-		// Not sure what this is about. Abort.
+		// Not sure what this is about. abort.
 		outcome = events.PPOutcomeAbort
 	}

-	av.log.Info().Str("uploadid", ev.UploadID).Interface("resourceID", ev.ResourceID).Str("virus", res.Description).Str("outcome", string(outcome)).Str("filename", ev.Filename).Str("user", ev.ExecutingUser.GetId().GetOpaqueId()).Bool("infected", res.Infected).Dur("duration", duration).Msg("File scanned")
+	av.l.Info().Str("uploadid", ev.UploadID).Interface("resourceID", ev.ResourceID).Str("virus", res.Description).Str("outcome", string(outcome)).Str("filename", ev.Filename).Str("user", ev.ExecutingUser.GetId().GetOpaqueId()).Bool("infected", res.Infected).Dur("duration", duration).Msg("File scanned")
 	if err := events.Publish(ctx, s, events.PostprocessingStepFinished{
 		FinishedStep:  events.PPStepAntivirus,
 		Outcome:       outcome,
@@ -218,7 +210,7 @@ func (av Antivirus) processEvent(e events.Event, s events.Publisher) error {
 			ErrorMsg:    errmsg,
 		},
 	}); err != nil {
-		av.log.Fatal().Err(err).Str("uploadid", ev.UploadID).Interface("resourceID", ev.ResourceID).Msg("cannot publish events - exiting")
+		av.l.Fatal().Err(err).Str("uploadid", ev.UploadID).Interface("resourceID", ev.ResourceID).Msg("cannot publish events - exiting")
 		return fmt.Errorf("%w: %s", ErrFatal, err)
 	}
 	return nil
@@ -226,24 +218,11 @@ func (av Antivirus) processEvent(e events.Event, s events.Publisher) error {

 // process the scan
 func (av Antivirus) process(ev events.StartPostprocessingStep) (scanners.Result, error) {
-	if ev.Filesize == 0 {
-		av.log.Info().Str("uploadid", ev.UploadID).Msg("Skipping file to be virus scanned, file size is 0.")
-		return scanners.Result{ScanTime: time.Now()}, nil
-	}
-
-	headers := make(map[string]string)
-	switch {
-	case av.maxScanSize == 0:
-		// there is no size limit
-		break
-	case av.config.MaxScanSizeMode == config.MaxScanSizeModeSkip && ev.Filesize > av.maxScanSize:
-		// skip the file if it is bigger than the max scan size
-		av.log.Info().Str("uploadid", ev.UploadID).Uint64("filesize", ev.Filesize).
-			Msg("Skipping file to be virus scanned, file size is bigger than max scan size.")
-		return scanners.Result{ScanTime: time.Now()}, nil
-	case av.config.MaxScanSizeMode == config.MaxScanSizeModePartial && ev.Filesize > av.maxScanSize:
-		// set the range header to only download the first maxScanSize bytes
-		headers["Range"] = fmt.Sprintf("bytes=0-%d", av.maxScanSize-1)
+	if ev.Filesize == 0 || (0 < av.m && av.m < ev.Filesize) {
+		av.l.Info().Str("uploadid", ev.UploadID).Uint64("limit", av.m).Uint64("filesize", ev.Filesize).Msg("Skipping file to be virus scanned because its file size is higher than the defined limit.")
+		return scanners.Result{
+			ScanTime: time.Now(),
+		}, nil
 	}

 	var err error
@@ -251,61 +230,56 @@ func (av Antivirus) process(ev events.StartPostprocessingStep) (scanners.Result,

 	switch ev.UploadID {
 	default:
-		rrc, err = av.downloadViaToken(ev.URL, headers)
+		rrc, err = av.downloadViaToken(ev.URL)
 	case "":
-		rrc, err = av.downloadViaReva(ev.URL, ev.Token, ev.RevaToken, headers)
+		rrc, err = av.downloadViaReva(ev.URL, ev.Token, ev.RevaToken)
 	}
 	if err != nil {
-		av.log.Error().Err(err).Str("uploadid", ev.UploadID).Msg("error downloading file")
+		av.l.Error().Err(err).Str("uploadid", ev.UploadID).Msg("error downloading file")
 		return scanners.Result{}, err
 	}
-	defer func() {
-		_ = rrc.Close()
-	}()
+	defer rrc.Close()
+	av.l.Debug().Str("uploadid", ev.UploadID).Msg("Downloaded file successfully, starting virusscan")

-	av.log.Debug().Str("uploadid", ev.UploadID).Msg("Downloaded file successfully, starting virusscan")
-
-	res, err := av.scanner.Scan(scanners.Input{Body: rrc, Size: int64(ev.Filesize), Url: ev.URL, Name: ev.Filename})
+	res, err := av.s.Scan(scanners.Input{Body: rrc, Size: int64(ev.Filesize), Url: ev.URL, Name: ev.Filename})
 	if err != nil {
-		av.log.Error().Err(err).Str("uploadid", ev.UploadID).Msg("error scanning file")
+		av.l.Error().Err(err).Str("uploadid", ev.UploadID).Msg("error scanning file")
 	}

 	return res, err
 }

 // download will download the file
-func (av Antivirus) downloadViaToken(url string, headers map[string]string) (io.ReadCloser, error) {
+func (av Antivirus) downloadViaToken(url string) (io.ReadCloser, error) {
 	req, err := http.NewRequest(http.MethodGet, url, nil)
 	if err != nil {
 		return nil, err
 	}

-	return av.doDownload(req, headers)
+	return av.doDownload(req)
 }

 // download will download the file
-func (av Antivirus) downloadViaReva(url string, dltoken string, revatoken string, headers map[string]string) (io.ReadCloser, error) {
-	req, err := rhttp.NewRequest(ctxpkg.ContextSetToken(context.Background(), revatoken), http.MethodGet, url, nil)
+func (av Antivirus) downloadViaReva(url string, dltoken string, revatoken string) (io.ReadCloser, error) {
+	ctx := ctxpkg.ContextSetToken(context.Background(), revatoken)
+
+	req, err := rhttp.NewRequest(ctx, http.MethodGet, url, nil)
 	if err != nil {
 		return nil, err
 	}
 	req.Header.Set("X-Reva-Transfer", dltoken)

-	return av.doDownload(req, headers)
+	return av.doDownload(req)
 }

-func (av Antivirus) doDownload(req *http.Request, headers map[string]string) (io.ReadCloser, error) {
-	for k, v := range headers {
-		req.Header.Add(k, v)
-	}
-
+func (av Antivirus) doDownload(req *http.Request) (io.ReadCloser, error) {
 	res, err := av.client.Do(req)
 	if err != nil {
 		return nil, err
 	}

-	if !slices.Contains([]int{http.StatusOK, http.StatusPartialContent}, res.StatusCode) {
-		_ = res.Body.Close()
+	if res.StatusCode != http.StatusOK {
+		res.Body.Close()
 		return nil, fmt.Errorf("unexpected status code from Download %v", res.StatusCode)
 	}

--- a/services/auth-app/README.md
+++ b/services/auth-app/README.md
@@ -1,44 +1,53 @@
 # Auth-App

-The auth-app service provides authentication for 3rd party apps unable to use
-OpenID Connect. The service is enabled by default and started automatically. It
-is possible to disable the service by setting:
+The auth-app service provides authentication for 3rd party apps.

+## The `auth` Service Family
+
+OpenCloud uses serveral authentication services for different use cases. All services that start with `auth-` are part of the authentication service family. Each member authenticates requests with different scopes. As of now, these services exist:
+  -   `auth-app` handles authentication of external 3rd party apps
+  -   `auth-basic` handles basic authentication
+  -   `auth-bearer` handles oidc authentication
+  -   `auth-machine` handles interservice authentication when a user is impersonated
+  -   `auth-service` handles interservice authentication when using service accounts
+
+## Service Startup
+
+Because this service is not started automatically, a manual start needs to be initiated which can be done in several ways. To configure the service usage, an environment variable for the proxy service needs to be set to allow app authentication.
 ```bash
-OC_EXCLUDE_RUN_SERVICES=auth-app # deployment specific. Removes service from the list of automatically started services, use with single-binary deployments
-PROXY_ENABLE_APP_AUTH=false      # mandatory, disables app authentication. In case of a distributed environment, this envvar needs to be set in the proxy service.
+OC_ADD_RUN_SERVICES=auth-app  # deployment specific. Add the service to the manual startup list, use with binary deployments. Alternatively you can start the service explicitly via the command line.
+PROXY_ENABLE_APP_AUTH=true      # mandatory, allow app authentication. In case of a distributed environment, this envvar needs to be set in the proxy service.
 ```

 ## App Tokens

-App Tokens are password specifically generated to be used by 3rd party applications
-for authentication when accessing the OpenCloud API endpoints. To
-be able to use an app token, one must first create a token. There are different
-options of creating a token.
+App Tokens are used to authenticate 3rd party access via https like when using curl (apps) to access an API endpoint. These apps need to authenticate themselves as no logged in user authenticates the request. To be able to use an app token, one must first create a token. There are different options of creating a token.

-## Important Security Note
+### Via CLI (dev only)

-When using an external IDP for authentication, App Token are NOT invalidated
-when the user is disabled or locked in that external IDP. That means the user
-will still be able to use its existing App Tokens for authentication for as
-long as the App Tokes are valid.
+Replace the `user-name` with an existing user. For the `token-expiration`, you can use any time abbreviation from the following list: `h, m, s`. Examples: `72h` or `1h` or `1m` or `1s.` Default is `72h`.

-## Managing App Tokens
+```bash
+opencloud auth-app create --user-name={user-name} --expiration={token-expiration}
+```
+
+Once generated, these tokens can be used to authenticate requests to OpenCloud. They are passed as part of the request as `Basic Auth` header.

 ### Via API

-Please note: This API is preliminary. In the future we will provide endpoints
-in the `graph` service for allowing the management of App Tokens.
-
 The `auth-app` service provides an API to create (POST), list (GET) and delete (DELETE) tokens at the `/auth-app/tokens` endpoint.

+When using curl for the respective command, you need to authenticate with a header. To do so, get from the browsers developer console the currently active bearer token. Consider that this token has a short lifetime. In any example, replace `<your host[:port]>` with the URL:port of your OpenCloud instance, and `{token}`  `{value}` accordingly. Note that the active bearer token authenticates the user the token was issued for.
+
 * **Create a token**\
  The POST request requires:
  * A `expiry` key/value pair in the form of `expiry=<number><h|m|s>`\
    Example: `expiry=72h`
+  * An active bearer token
  ```bash
  curl --request POST 'https://<your host:9200>/auth-app/tokens?expiry={value}' \
-       --header 'accept: application/json'
+       --header 'accept: application/json' \
+       --header 'authorization: Bearer {token}'
  ```
  Example output:
  ```
@@ -50,19 +59,14 @@ The `auth-app` service provides an API to create (POST), list (GET) and delete (
  }
  ```

-  Note, that this is the only time the app token will be returned in cleartext. To use the token
-  please copy it from the response.
-
 * **List tokens**\
+  The GET request only requires an active bearer token for authentication:\
+  Note that `--request GET` is technically not required because it is curl default. 
  ```bash
  curl --request GET 'https://<your host:9200>/auth-app/tokens' \
-       --header 'accept: application/json'
+       --header 'accept: application/json' \
+       --header 'authorization: Bearer {token}'
  ```
-
-  Note that the `token` value in the response to the "List Tokens` request is not the actual
-  app token, but a hashed value of the token. So this value cannot be used for authenticating
-  with the token.
-
  Example output:
  ```
  [
@@ -83,23 +87,20 @@ The `auth-app` service provides an API to create (POST), list (GET) and delete (

 * **Delete a token**\
  The DELETE request requires:
-  * A `token` key/value pair in the form of `token=<token_issued>`. The value needs to be the hashed value as returned by the `List Tokens` respone.\
-    Example: `token=$2$Z3s2K7816M4vuSpd5`
+  * A `token` key/value pair in the form of `token=<token_issued>`\
+    Example: `token=Z3s2K7816M4vuSpd5`
+  * An active bearer token
  ```bash
  curl --request DELETE 'https://<your host:9200>/auth-app/tokens?token={value}' \
-       --header 'accept: application/json'
+       --header 'accept: application/json' \
+       --header 'authorization: Bearer {token}'
  ```

 ### Via Impersonation API

-When setting the environment variable `AUTH_APP_ENABLE_IMPERSONATION` to
-`true`, admins will be able to use the `/auth-app/tokens` endpoint to create
-tokens for other users. This can be important for migration scenarios, but
-should not be considered for regular tasks on a production system for security
-reasons.
+When setting the environment variable `AUTH_APP_ENABLE_IMPERSONATION` to `true`, admins will be able to use the `/auth-app/tokens` endpoint to create tokens for other users but using their own bearer token for authentication. This can be important for migration scenarios, but should not be considered for regular tasks on a production system for security reasons.

-To impersonate, the respective requests from the CLI commands above extend with
-the following parameters, where you can use one or the other:
+To impersonate, the respective requests from the CLI commands above extend with the following parameters, where you can use one or the other:

 * The `userID` in the form of: `userID={value}`\
  Example:\
@@ -113,27 +114,6 @@ Example:\
 A final create request would then look like:
 ```bash
 curl --request POST 'https://<your host:9200>/auth-app/tokens?expiry={value}&userName={value}' \
-     --header 'accept: application/json'
-```
-
-### Via CLI (developer only)
-
-As the CLI is using the internal CS3Apis this needs access to the reva gateway
-service. This is mainly of developer (and admin) usage.
-Replace the `user-name` with an existing user. For the `token-expiration`, you
-can use any time abbreviation from the following list: `h, m, s`. Examples:
-`72h` or `1h` or `1m` or `1s.` Default is `72h`.
-
-```bash
-opencloud auth-app create --user-name={user-name} --expiration={token-expiration}
-```
-
-## Authenticating using App Tokens
-
-To autenticate using an App Token simply use the username for which token was generated
-and the token value as returned by the "Create Token" request.
-
-```bash
-curl -u <username>:<tokenvalue> 'https://<your host>/graph/v1.0/me' \
-     --header 'accept: application/json'
+     --header 'accept: application/json' \
+     --header 'authorization: Bearer {token}'
 ```
--- a/services/auth-app/pkg/config/config.go
+++ b/services/auth-app/pkg/config/config.go
@@ -28,40 +28,9 @@ type Config struct {

 	AllowImpersonation bool `yaml:"allow_impersonation" env:"AUTH_APP_ENABLE_IMPERSONATION" desc:"Allows admins to create app tokens for other users. Used for migration. Do NOT use in productive deployments." introductionVersion:"1.0.0"`

-	StorageDriver  string         `yaml:"storage_driver" env:"AUTH_APP_STORAGE_DRIVER" desc:"Driver to be used to persist the app tokes . Supported values are 'jsoncs3', 'json'." introductionVersion:"%%NEXT%%"`
-	StorageDrivers StorageDrivers `yaml:"storage_drivers"`
-
 	Context context.Context `yaml:"-"`
 }

-type StorageDrivers struct {
-	JSONCS3 JSONCS3Driver `yaml:"jsoncs3"`
-}
-
-type JSONCS3Driver struct {
-	ProviderAddr             string                   `yaml:"provider_addr" env:"AUTH_APP_JSONCS3_PROVIDER_ADDR" desc:"GRPC address of the STORAGE-SYSTEM service." introductionVersion:"%%NEXT%%"`
-	SystemUserID             string                   `yaml:"system_user_id" env:"OC_SYSTEM_USER_ID;AUTH_APP_JSONCS3_SYSTEM_USER_ID" desc:"ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format." introductionVersion:"%%NEXT%%"`
-	SystemUserIDP            string                   `yaml:"system_user_idp" env:"OC_SYSTEM_USER_IDP;AUTH_APP_JSONCS3_SYSTEM_USER_IDP" desc:"IDP of the OpenCloud STORAGE-SYSTEM system user." introductionVersion:"%%NEXT%%"`
-	SystemUserAPIKey         string                   `yaml:"system_user_api_key" env:"OC_SYSTEM_USER_API_KEY;AUTH_APP_JSONCS3_SYSTEM_USER_API_KEY" desc:"API key for the STORAGE-SYSTEM system user." introductionVersion:"%%NEXT%%"`
-	PasswordGenerator        string                   `yaml:"password_generator" env:"AUTH_APP_JSONCS3_PASSWORD_GENERATOR" desc:"The password generator that should be used for generating app tokens. Supported values are: 'diceware' and 'random'." introductionVersion:"%%NEXT%%"`
-	PasswordGeneratorOptions PasswordGeneratorOptions `yaml:"password_generator_options"`
-}
-
-type PasswordGeneratorOptions struct {
-	DicewareOptions DicewareOptions `yaml:"diceware"`
-	RandPWOpts      RandPWOpts      `yaml:"randon"`
-}
-
-// DicewareOptions defines the config options for the "diceware" password generator
-type DicewareOptions struct {
-	NumberOfWords int `yaml:"number_of_words" env:"AUTH_APP_JSONCS3_DICEWARE_NUMBER_OF_WORDS" desc:"The number of words the generated passphrase will have." introductionVersion:"%%NEXT%%"`
-}
-
-// RandPWOpts defines the config options for the "random" password generator
-type RandPWOpts struct {
-	PasswordLength int `yaml:"password_length" env:"AUTH_APP_JSONCS3_RANDOM_PASSWORD_LENGTH" desc:"The number of charactors the generated passwords will have." introductionVersion:"%%NEXT%%"`
-}
-
 // Log defines the loging configuration
 type Log struct {
 	Level  string `yaml:"level" env:"OC_LOG_LEVEL;AUTH_APP_LOG_LEVEL" desc:"The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'." introductionVersion:"1.0.0"`
--- a/services/auth-app/pkg/config/defaults/defaultconfig.go
+++ b/services/auth-app/pkg/config/defaults/defaultconfig.go
@@ -44,19 +44,6 @@ func DefaultConfig() *config.Config {
 		Service: config.Service{
 			Name: "auth-app",
 		},
-		StorageDriver: "jsoncs3",
-		StorageDrivers: config.StorageDrivers{
-			JSONCS3: config.JSONCS3Driver{
-				ProviderAddr:      "eu.opencloud.api.storage-system",
-				SystemUserIDP:     "internal",
-				PasswordGenerator: "diceware",
-				PasswordGeneratorOptions: config.PasswordGeneratorOptions{
-					DicewareOptions: config.DicewareOptions{
-						NumberOfWords: 6,
-					},
-				},
-			},
-		},
 		Reva: shared.DefaultRevaConfig(),
 	}
 }
@@ -98,14 +85,6 @@ func EnsureDefaults(cfg *config.Config) {
 		cfg.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey
 	}

-	if cfg.StorageDrivers.JSONCS3.SystemUserAPIKey == "" && cfg.Commons != nil && cfg.Commons.SystemUserAPIKey != "" {
-		cfg.StorageDrivers.JSONCS3.SystemUserAPIKey = cfg.Commons.SystemUserAPIKey
-	}
-
-	if cfg.StorageDrivers.JSONCS3.SystemUserID == "" && cfg.Commons != nil && cfg.Commons.SystemUserID != "" {
-		cfg.StorageDrivers.JSONCS3.SystemUserID = cfg.Commons.SystemUserID
-	}
-
 	if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil {
 		cfg.TokenManager = &config.TokenManager{
 			JWTSecret: cfg.Commons.TokenManager.JWTSecret,
--- a/services/auth-app/pkg/revaconfig/config.go
+++ b/services/auth-app/pkg/revaconfig/config.go
@@ -11,14 +11,6 @@ import (
 func AuthAppConfigFromStruct(cfg *config.Config) map[string]interface{} {
 	appAuthJSON := filepath.Join(defaults.BaseDataPath(), "appauth.json")

-	jsonCS3pwGenOpt := map[string]any{}
-	switch cfg.StorageDrivers.JSONCS3.PasswordGenerator {
-	case "random":
-		jsonCS3pwGenOpt["token_strength"] = cfg.StorageDrivers.JSONCS3.PasswordGeneratorOptions.RandPWOpts.PasswordLength
-	case "diceware":
-		jsonCS3pwGenOpt["number_of_words"] = cfg.StorageDrivers.JSONCS3.PasswordGeneratorOptions.DicewareOptions.NumberOfWords
-	}
-
 	rcfg := map[string]interface{}{
 		"shared": map[string]interface{}{
 			"jwt_secret":                cfg.TokenManager.JWTSecret,
@@ -44,19 +36,11 @@ func AuthAppConfigFromStruct(cfg *config.Config) map[string]interface{} {
 					},
 				},
 				"applicationauth": map[string]interface{}{
-					"driver": cfg.StorageDriver,
+					"driver": "json",
 					"drivers": map[string]interface{}{
 						"json": map[string]interface{}{
 							"file": appAuthJSON,
 						},
-						"jsoncs3": map[string]interface{}{
-							"provider_addr":       cfg.StorageDrivers.JSONCS3.ProviderAddr,
-							"service_user_id":     cfg.StorageDrivers.JSONCS3.SystemUserID,
-							"service_user_idp":    cfg.StorageDrivers.JSONCS3.SystemUserIDP,
-							"machine_auth_apikey": cfg.StorageDrivers.JSONCS3.SystemUserAPIKey,
-							"password_generator":  cfg.StorageDrivers.JSONCS3.PasswordGenerator,
-							"generator_config":    jsonCS3pwGenOpt,
-						},
 					},
 				},
 			},
--- a/services/auth-app/pkg/service/service.go
+++ b/services/auth-app/pkg/service/service.go
@@ -99,10 +99,7 @@ func (a *AuthAppService) HandleCreate(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	label := q.Get("label")
-	if label == "" {
-		label = "Generated via API"
-	}
+	label := "Generated via API"

 	// Impersonated request
 	userID, userName := q.Get("userID"), q.Get("userName")
@@ -134,7 +131,7 @@ func (a *AuthAppService) HandleCreate(w http.ResponseWriter, r *http.Request) {
 			return
 		}

-		label = label + " (Impersonation)"
+		label = "Generated via Impersonation API"
 	}

 	scopes, err := scope.AddOwnerScope(map[string]*authpb.Scope{})
--- a/services/clientlog/pkg/service/service.go
+++ b/services/clientlog/pkg/service/service.go
@@ -11,6 +11,7 @@ import (
 	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
 	group "github.com/cs3org/go-cs3apis/cs3/identity/group/v1beta1"
 	user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
+	rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	"go.opentelemetry.io/otel/trace"

@@ -218,16 +219,33 @@ func processShareEvent(ctx context.Context, ref *provider.Reference, gwc gateway

 // custom logic for item trashed event
 func processItemTrashedEvent(ctx context.Context, ref *provider.Reference, gwc gateway.GatewayAPIClient, initiatorid string, itemID *provider.ResourceId) ([]string, FileEvent, error) {
-	data := FileEvent{
-		ItemID: storagespace.FormatResourceID(itemID),
-		// TODO: check with web if parentID is needed
-		// ParentItemID: storagespace.FormatResourceID(*item.GetRef().GetResourceId()),
-		SpaceID:     storagespace.FormatStorageID(itemID.GetStorageId(), itemID.GetSpaceId()),
-		InitiatorID: initiatorid,
+	resp, err := gwc.ListRecycle(ctx, &provider.ListRecycleRequest{
+		Ref: ref,
+		Key: itemID.GetOpaqueId(),
+	})
+	if err != nil {
+		return nil, FileEvent{}, err
+	}
+	if resp.GetStatus().GetCode() != rpc.Code_CODE_OK {
+		return nil, FileEvent{}, fmt.Errorf("error listing recycle: %s", resp.GetStatus().GetMessage())
 	}

-	users, err := utils.GetSpaceMembers(ctx, itemID.GetSpaceId(), gwc, utils.ViewerRole)
-	return users, data, err
+	for _, item := range resp.GetRecycleItems() {
+		if item.GetKey() == itemID.GetOpaqueId() {
+
+			data := FileEvent{
+				ItemID: storagespace.FormatResourceID(itemID),
+				// TODO: check with web if parentID is needed
+				// ParentItemID: storagespace.FormatResourceID(*item.GetRef().GetResourceId()),
+				SpaceID:     storagespace.FormatStorageID(itemID.GetStorageId(), itemID.GetSpaceId()),
+				InitiatorID: initiatorid,
+			}
+
+			users, err := utils.GetSpaceMembers(ctx, itemID.GetSpaceId(), gwc, utils.ViewerRole)
+			return users, data, err
+		}
+	}
+	return nil, FileEvent{}, errors.New("item not found in recycle bin")
 }

 // adds share related data to the FileEvent
--- a/services/collaboration/pkg/connector/fileconnector.go
+++ b/services/collaboration/pkg/connector/fileconnector.go
@@ -1272,10 +1272,6 @@ func (f *FileConnector) CheckFileInfo(ctx context.Context) (*ConnectorResponse,

 		fileinfo.KeyPostMessageOrigin:            f.cfg.Commons.OpenCloudURL,
 		fileinfo.KeyLicenseCheckForEditIsEnabled: f.cfg.App.LicenseCheckEnable,
-
-		// set to true for Collabora until we have a web embed mode for "Save As" and "Export As"
-		// see the FIXME in ./fileinfo/collabora.go and https://github.com/opencloud-eu/web/issues/422
-		fileinfo.KeyUserCanNotWriteRelative: false,
 	}

 	switch wopiContext.ViewMode {
--- a/services/collaboration/pkg/connector/fileconnector_test.go
+++ b/services/collaboration/pkg/connector/fileconnector_test.go
@@ -1780,7 +1780,7 @@ var _ = Describe("FileConnector", func() {
 				OwnerID:                 "61616262636340637573746f6d496470", // hex of aabbcc@customIdp
 				Size:                    int64(998877),
 				BaseFileName:            "test.txt",
-				UserCanNotWriteRelative: true,
+				UserCanNotWriteRelative: false,
 				DisableExport:           true,
 				DisableCopy:             true,
 				DisablePrint:            true,
@@ -1962,7 +1962,7 @@ var _ = Describe("FileConnector", func() {
 				OwnerID:                 "61616262636340637573746f6d496470", // hex of aabbcc@customIdp
 				Size:                    int64(998877),
 				BaseFileName:            "test.txt",
-				UserCanNotWriteRelative: true,
+				UserCanNotWriteRelative: false,
 				DisableExport:           true,
 				DisableCopy:             true,
 				DisablePrint:            true,
--- a/services/collaboration/pkg/connector/fileinfo/collabora.go
+++ b/services/collaboration/pkg/connector/fileinfo/collabora.go
@@ -99,7 +99,7 @@ func (cinfo *Collabora) SetProperties(props map[string]interface{}) {
 		case KeyUserCanWrite:
 			cinfo.UserCanWrite = value.(bool)
 		case KeyUserCanNotWriteRelative:
-			cinfo.UserCanNotWriteRelative = true // FIXME: set to `value.(bool)` again for https://github.com/opencloud-eu/web/issues/422
+			cinfo.UserCanNotWriteRelative = value.(bool)
 		case KeyUserID:
 			cinfo.UserID = value.(string)
 		case KeyUserFriendlyName:
--- a/services/frontend/pkg/config/config.go
+++ b/services/frontend/pkg/config/config.go
@@ -34,6 +34,7 @@ type Config struct {
 	EnableFederatedSharingIncoming bool   `yaml:"enable_federated_sharing_incoming" env:"OC_ENABLE_OCM;FRONTEND_ENABLE_FEDERATED_SHARING_INCOMING" desc:"Changing this value is NOT supported. Enables support for incoming federated sharing for clients. The backend behaviour is not changed." introductionVersion:"1.0.0"`
 	EnableFederatedSharingOutgoing bool   `yaml:"enable_federated_sharing_outgoing" env:"OC_ENABLE_OCM;FRONTEND_ENABLE_FEDERATED_SHARING_OUTGOING" desc:"Changing this value is NOT supported. Enables support for outgoing federated sharing for clients. The backend behaviour is not changed." introductionVersion:"1.0.0"`
 	SearchMinLength                int    `yaml:"search_min_length" env:"FRONTEND_SEARCH_MIN_LENGTH" desc:"Minimum number of characters to enter before a client should start a search for Share receivers. This setting can be used to customize the user experience if e.g too many results are displayed." introductionVersion:"1.0.0"`
+	Edition                        string `yaml:"edition" env:"OC_EDITION;FRONTEND_EDITION" desc:"Edition of OpenCloud. Used for branding purposes." introductionVersion:"1.0.0"`
 	DisableSSE                     bool   `yaml:"disable_sse" env:"OC_DISABLE_SSE;FRONTEND_DISABLE_SSE" desc:"When set to true, clients are informed that the Server-Sent Events endpoint is not accessible." introductionVersion:"1.0.0"`
 	DefaultLinkPermissions         int    `yaml:"default_link_permissions" env:"FRONTEND_DEFAULT_LINK_PERMISSIONS" desc:"Defines the default permissions a link is being created with. Possible values are 0 (= internal link, for instance members only) and 1 (= public link with viewer permissions). Defaults to 1." introductionVersion:"1.0.0"`

--- a/services/frontend/pkg/config/defaults/defaultconfig.go
+++ b/services/frontend/pkg/config/defaults/defaultconfig.go
@@ -87,6 +87,7 @@ func DefaultConfig() *config.Config {
 		DefaultUploadProtocol:    "tus",
 		DefaultLinkPermissions:   1,
 		SearchMinLength:          3,
+		Edition:                  "Community",
 		Checksums: config.Checksums{
 			SupportedTypes:      []string{"sha1", "md5", "adler32"},
 			PreferredUploadType: "sha1",
--- a/services/frontend/pkg/revaconfig/config.go
+++ b/services/frontend/pkg/revaconfig/config.go
@@ -208,6 +208,7 @@ func FrontendConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string
 									"needsDbUpgrade": false,
 									"version":        version.Legacy,
 									"versionstring":  version.LegacyString,
+									"edition":        cfg.Edition,
 									"productname":    "OpenCloud",
 									"product":        "OpenCloud",
 									"productversion": version.GetString(),
@@ -338,7 +339,7 @@ func FrontendConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string
 						},
 						"version": map[string]interface{}{
 							"product":        "OpenCloud",
-							"edition":        "",
+							"edition":        "Community",
 							"major":          version.ParsedLegacy().Major(),
 							"minor":          version.ParsedLegacy().Minor(),
 							"micro":          version.ParsedLegacy().Patch(),
--- a/services/graph/pkg/service/v0/api_driveitem_permissions.go
+++ b/services/graph/pkg/service/v0/api_driveitem_permissions.go
@@ -83,7 +83,6 @@ func NewDriveItemPermissionsService(logger log.Logger, gatewaySelector pool.Sele
 			gatewaySelector: gatewaySelector,
 			identityCache:   identityCache,
 			config:          config,
-			availableRoles:  unifiedrole.GetRoles(unifiedrole.RoleFilterIDs(config.UnifiedRoles.AvailableRoles...)),
 		},
 	}, nil
 }
--- a/services/graph/pkg/service/v0/api_driveitem_permissions_test.go
+++ b/services/graph/pkg/service/v0/api_driveitem_permissions_test.go
@@ -441,6 +441,7 @@ var _ = Describe("DriveItemPermissionsService", func() {
 		})
 		It("returns role denied", func() {
 			statResponse.Info.PermissionSet = roleconversions.NewManagerRole().CS3ResourcePermissions()
+			cfg.UnifiedRoles.AvailableRoles = []string{unifiedrole.UnifiedRoleViewerID, unifiedrole.UnifiedRoleDeniedID, unifiedrole.UnifiedRoleManagerID}
 			listSharesResponse.Shares = []*collaboration.Share{
 				{
 					Id: &collaboration.ShareId{OpaqueId: "1"},
@@ -464,15 +465,11 @@ var _ = Describe("DriveItemPermissionsService", func() {
 			}
 			listPublicSharesResponse.Share = []*link.PublicShare{}

-			cfg = defaults.FullDefaultConfig()
-			cfg.UnifiedRoles.AvailableRoles = []string{unifiedrole.UnifiedRoleViewerID, unifiedrole.UnifiedRoleDeniedID, unifiedrole.UnifiedRoleManagerID}
-			service, err := svc.NewDriveItemPermissionsService(log.NewLogger(), gatewaySelector, cache, cfg)
-
 			gatewayClient.On("Stat", mock.Anything, mock.Anything).Return(statResponse, nil)
 			gatewayClient.On("ListShares", mock.Anything, mock.Anything).Return(listSharesResponse, nil)
 			gatewayClient.On("GetUser", mock.Anything, mock.Anything).Return(getUserResponse, nil)
 			gatewayClient.On("ListPublicShares", mock.Anything, mock.Anything).Return(listPublicSharesResponse, nil)
-			permissions, err := service.ListPermissions(context.Background(), itemID, false, false)
+			permissions, err := driveItemPermissionsService.ListPermissions(context.Background(), itemID, false, false)
 			Expect(err).ToNot(HaveOccurred())
 			Expect(len(permissions.LibreGraphPermissionsActionsAllowedValues)).ToNot(BeZero())
 			Expect(len(permissions.LibreGraphPermissionsRolesAllowedValues)).ToNot(BeZero())
--- a/services/graph/pkg/service/v0/base.go
+++ b/services/graph/pkg/service/v0/base.go
@@ -46,7 +46,6 @@ type BaseGraphService struct {
 	gatewaySelector pool.Selectable[gateway.GatewayAPIClient]
 	identityCache   identity.IdentityCache
 	config          *config.Config
-	availableRoles  []*libregraph.UnifiedRoleDefinition
 }

 func (g BaseGraphService) getSpaceRootPermissions(ctx context.Context, spaceID *storageprovider.StorageSpaceId) ([]libregraph.Permission, error) {
@@ -87,7 +86,8 @@ func (g BaseGraphService) CS3ReceivedSharesToDriveItems(ctx context.Context, rec
 		return nil, err
 	}

-	return cs3ReceivedSharesToDriveItems(ctx, g.logger, gatewayClient, g.identityCache, receivedShares, g.availableRoles)
+	availableRoles := unifiedrole.GetRoles(unifiedrole.RoleFilterIDs(g.config.UnifiedRoles.AvailableRoles...))
+	return cs3ReceivedSharesToDriveItems(ctx, g.logger, gatewayClient, g.identityCache, receivedShares, availableRoles)
 }

 func (g BaseGraphService) CS3ReceivedOCMSharesToDriveItems(ctx context.Context, receivedShares []*ocm.ReceivedShare) ([]libregraph.DriveItem, error) {
@@ -96,7 +96,8 @@ func (g BaseGraphService) CS3ReceivedOCMSharesToDriveItems(ctx context.Context,
 		return nil, err
 	}

-	return cs3ReceivedOCMSharesToDriveItems(ctx, g.logger, gatewayClient, g.identityCache, receivedShares, g.availableRoles)
+	availableRoles := unifiedrole.GetRoles(unifiedrole.RoleFilterIDs(g.config.UnifiedRoles.AvailableRoles...))
+	return cs3ReceivedOCMSharesToDriveItems(ctx, g.logger, gatewayClient, g.identityCache, receivedShares, availableRoles)
 }

 func (g BaseGraphService) cs3SpacePermissionsToLibreGraph(ctx context.Context, space *storageprovider.StorageSpace, apiVersion APIVersion) []libregraph.Permission {
@@ -195,8 +196,9 @@ func (g BaseGraphService) cs3SpacePermissionsToLibreGraph(ctx context.Context, s
 			p.SetExpirationDateTime(time.Unix(int64(exp.GetSeconds()), int64(exp.GetNanos())))
 		}

+		availableRoles := unifiedrole.GetRoles(unifiedrole.RoleFilterIDs(g.config.UnifiedRoles.AvailableRoles...))
 		if role := unifiedrole.CS3ResourcePermissionsToRole(
-			g.availableRoles,
+			availableRoles,
 			perm,
 			unifiedrole.UnifiedRoleConditionDrive,
 			false,
@@ -599,7 +601,7 @@ func (g BaseGraphService) cs3UserShareToPermission(ctx context.Context, share *c
 		perm.SetCreatedDateTime(cs3TimestampToTime(share.GetCtime()))
 	}
 	role := unifiedrole.CS3ResourcePermissionsToRole(
-		g.availableRoles,
+		unifiedrole.GetRoles(unifiedrole.RoleFilterIDs(g.config.UnifiedRoles.AvailableRoles...)),
 		share.GetPermissions().GetPermissions(),
 		roleCondition,
 		false,
@@ -687,8 +689,9 @@ func (g BaseGraphService) cs3OCMShareToPermission(ctx context.Context, share *oc
 		}
 	}

+	availableRoles := unifiedrole.GetRoles(unifiedrole.RoleFilterIDs(g.config.UnifiedRoles.AvailableRoles...))
 	role := unifiedrole.CS3ResourcePermissionsToRole(
-		g.availableRoles,
+		availableRoles,
 		permissions,
 		roleCondition,
 		true,
--- a/services/graph/pkg/service/v0/driveitems.go
+++ b/services/graph/pkg/service/v0/driveitems.go
@@ -677,34 +677,21 @@ func (g Graph) getSpecialDriveItems(ctx context.Context, baseURL *url.URL, space
 	}

 	var spaceItems []libregraph.DriveItem
-	var err error
-	doCache := true

-	spaceItems, err = g.fetchSpecialDriveItem(ctx, spaceItems, SpaceImageSpecialFolderName, imageNode, space, baseURL)
-	if err != nil {
-		doCache = false
-		g.logger.Debug().Err(err).Str("ID", imageNode).Msg("Could not get space image")
-	}
-	spaceItems, err = g.fetchSpecialDriveItem(ctx, spaceItems, ReadmeSpecialFolderName, readmeNode, space, baseURL)
-	if err != nil {
-		doCache = false
-		g.logger.Debug().Err(err).Str("ID", imageNode).Msg("Could not get space readme")
-	}
+	spaceItems = g.fetchSpecialDriveItem(ctx, spaceItems, SpaceImageSpecialFolderName, imageNode, space, baseURL)
+	spaceItems = g.fetchSpecialDriveItem(ctx, spaceItems, ReadmeSpecialFolderName, readmeNode, space, baseURL)

 	// cache properties
 	spacePropertiesEntry := specialDriveItemEntry{
 		specialDriveItems: spaceItems,
 		rootMtime:         space.GetMtime(),
 	}
-
-	if doCache {
-		g.specialDriveItemsCache.Set(cachekey, spacePropertiesEntry, time.Duration(g.config.Spaces.ExtendedSpacePropertiesCacheTTL))
-	}
+	g.specialDriveItemsCache.Set(cachekey, spacePropertiesEntry, time.Duration(g.config.Spaces.ExtendedSpacePropertiesCacheTTL))

 	return spaceItems
 }

-func (g Graph) fetchSpecialDriveItem(ctx context.Context, spaceItems []libregraph.DriveItem, itemName string, itemNode string, space *storageprovider.StorageSpace, baseURL *url.URL) ([]libregraph.DriveItem, error) {
+func (g Graph) fetchSpecialDriveItem(ctx context.Context, spaceItems []libregraph.DriveItem, itemName string, itemNode string, space *storageprovider.StorageSpace, baseURL *url.URL) []libregraph.DriveItem {
 	var ref *storageprovider.Reference
 	if itemNode != "" {
 		rid, _ := storagespace.ParseID(itemNode)
@@ -713,15 +700,12 @@ func (g Graph) fetchSpecialDriveItem(ctx context.Context, spaceItems []libregrap
 		ref = &storageprovider.Reference{
 			ResourceId: &rid,
 		}
-		spaceItem, err := g.getSpecialDriveItem(ctx, ref, itemName, baseURL, space)
-		if err != nil {
-			return spaceItems, err
-		}
+		spaceItem := g.getSpecialDriveItem(ctx, ref, itemName, baseURL, space)
 		if spaceItem != nil {
 			spaceItems = append(spaceItems, *spaceItem)
 		}
 	}
-	return spaceItems, nil
+	return spaceItems
 }

 // generates a space root stat cache key used to detect changes in a space
@@ -746,10 +730,10 @@ type specialDriveItemEntry struct {
 	rootMtime         *types.Timestamp
 }

-func (g Graph) getSpecialDriveItem(ctx context.Context, ref *storageprovider.Reference, itemName string, baseURL *url.URL, space *storageprovider.StorageSpace) (*libregraph.DriveItem, error) {
+func (g Graph) getSpecialDriveItem(ctx context.Context, ref *storageprovider.Reference, itemName string, baseURL *url.URL, space *storageprovider.StorageSpace) *libregraph.DriveItem {
 	var spaceItem *libregraph.DriveItem
 	if ref.GetResourceId().GetSpaceId() == "" && ref.GetResourceId().GetOpaqueId() == "" {
-		return nil, nil
+		return nil
 	}

 	// FIXME we should send a fieldmask 'path' and return it as the Path property to save an additional call to the storage.
@@ -757,14 +741,16 @@ func (g Graph) getSpecialDriveItem(ctx context.Context, ref *storageprovider.Ref
 	// and Path should always be relative to the space root OR the resource the current user can access ...
 	spaceItem, err := g.getDriveItem(ctx, ref)
 	if err != nil {
-		return nil, err
+		g.logger.Debug().Err(err).Str("ID", ref.GetResourceId().GetOpaqueId()).Str("name", itemName).Msg("Could not get item info")
+		return nil
 	}
 	itemPath := ref.GetPath()
 	if itemPath == "" {
 		// lookup by id
 		itemPath, err = g.getPathForResource(ctx, *ref.GetResourceId())
 		if err != nil {
-			return nil, err
+			g.logger.Debug().Err(err).Str("ID", ref.GetResourceId().GetOpaqueId()).Str("name", itemName).Msg("Could not get item path")
+			return nil
 		}
 	}
 	spaceItem.SpecialFolder = &libregraph.SpecialFolder{Name: libregraph.PtrString(itemName)}
@@ -772,5 +758,5 @@ func (g Graph) getSpecialDriveItem(ctx context.Context, ref *storageprovider.Ref
 	webdavURL.Path = path.Join(webdavURL.Path, space.GetId().GetOpaqueId(), itemPath)
 	spaceItem.WebDavUrl = libregraph.PtrString(webdavURL.String())

-	return spaceItem, nil
+	return spaceItem
 }
--- a/services/graph/pkg/service/v0/rolemanagement.go
+++ b/services/graph/pkg/service/v0/rolemanagement.go
@@ -14,7 +14,7 @@ import (
 // GetRoleDefinitions a list of permission roles than can be used when sharing with users or groups
 func (g Graph) GetRoleDefinitions(w http.ResponseWriter, r *http.Request) {
 	render.Status(r, http.StatusOK)
-	render.JSON(w, r, g.availableRoles)
+	render.JSON(w, r, unifiedrole.GetRoles(unifiedrole.RoleFilterIDs(g.config.UnifiedRoles.AvailableRoles...)))
 }

 // GetRoleDefinition a permission role than can be used when sharing with users or groups
--- a/services/graph/pkg/service/v0/service.go
+++ b/services/graph/pkg/service/v0/service.go
@@ -31,7 +31,6 @@ import (
 	"github.com/opencloud-eu/opencloud/services/graph/pkg/identity"
 	"github.com/opencloud-eu/opencloud/services/graph/pkg/identity/ldap"
 	graphm "github.com/opencloud-eu/opencloud/services/graph/pkg/middleware"
-	"github.com/opencloud-eu/opencloud/services/graph/pkg/unifiedrole"
 )

 const (
@@ -149,7 +148,6 @@ func NewService(opts ...Option) (Graph, error) { //nolint:maintidx
 			identityCache:   identityCache,
 			gatewaySelector: options.GatewaySelector,
 			config:          options.Config,
-			availableRoles:  unifiedrole.GetRoles(unifiedrole.RoleFilterIDs(options.Config.UnifiedRoles.AvailableRoles...)),
 		},
 		mux:                      m,
 		specialDriveItemsCache:   spacePropertiesCache,
--- a/services/graph/pkg/service/v0/sharedwithme.go
+++ b/services/graph/pkg/service/v0/sharedwithme.go
@@ -10,6 +10,7 @@ import (
 	libregraph "github.com/owncloud/libre-graph-api-go"

 	"github.com/opencloud-eu/opencloud/services/graph/pkg/errorcode"
+	"github.com/opencloud-eu/opencloud/services/graph/pkg/unifiedrole"
 )

 // ListSharedWithMe lists the files shared with the current user.
@@ -39,7 +40,8 @@ func (g Graph) listSharedWithMe(ctx context.Context) ([]libregraph.DriveItem, er
 		g.logger.Error().Err(err).Msg("listing shares failed")
 		return nil, err
 	}
-	driveItems, err := cs3ReceivedSharesToDriveItems(ctx, g.logger, gatewayClient, g.identityCache, listReceivedSharesResponse.GetShares(), g.availableRoles)
+	availableRoles := unifiedrole.GetRoles(unifiedrole.RoleFilterIDs(g.config.UnifiedRoles.AvailableRoles...))
+	driveItems, err := cs3ReceivedSharesToDriveItems(ctx, g.logger, gatewayClient, g.identityCache, listReceivedSharesResponse.GetShares(), availableRoles)
 	if err != nil {
 		g.logger.Error().Err(err).Msg("could not convert received shares to drive items")
 		return nil, err
@@ -51,7 +53,7 @@ func (g Graph) listSharedWithMe(ctx context.Context) ([]libregraph.DriveItem, er
 			g.logger.Error().Err(err).Msg("listing shares failed")
 			return nil, err
 		}
-		ocmDriveItems, err := cs3ReceivedOCMSharesToDriveItems(ctx, g.logger, gatewayClient, g.identityCache, listReceivedOCMSharesResponse.GetShares(), g.availableRoles)
+		ocmDriveItems, err := cs3ReceivedOCMSharesToDriveItems(ctx, g.logger, gatewayClient, g.identityCache, listReceivedOCMSharesResponse.GetShares(), availableRoles)
 		if err != nil {
 			g.logger.Error().Err(err).Msg("could not convert received ocm shares to drive items")
 			return nil, err
--- a/services/idp/Makefile
+++ b/services/idp/Makefile
@@ -17,16 +17,15 @@ node-generate-prod: assets
 .PHONY: assets
 assets: pnpm-build \
 		assets/identifier/static \
-		assets/identifier/static/favicon.svg \
+		assets/identifier/static/favicon.ico \
 		assets/identifier/static/icon-lilac.svg

 assets/identifier/static:
 	mkdir -p assets/identifier/static

-.PHONY: assets/identifier/static/favicon.svg # force overwrite
-assets/identifier/static/favicon.svg:
-	cp src/images/favicon.svg assets/identifier/static/favicon.svg
-	rm assets/identifier/static/favicon.ico
+.PHONY: assets/identifier/static/favicon.ico # force overwrite
+assets/identifier/static/favicon.ico:
+	cp src/images/favicon.ico assets/identifier/static/favicon.ico

 .PHONY: assets/identifier/static/icon-lilac.svg
 assets/identifier/static/icon-lilac.svg:
--- a/services/idp/README.md
+++ b/services/idp/README.md
@@ -7,76 +7,3 @@ It is mainly targeted at smaller installations. For larger setups it is recommen
 By default, it is configured to use the OpenCloud IDM service as its LDAP backend for looking up and authenticating users. Other backends like an external LDAP server can be configured via a set of [enviroment variables](https://docs.opencloud.eu/services/idp/configuration/#environment-variables).

 Note that translations provided by the IDP service are not maintained via OpenCloud but part of the embedded  [LibreGraph Connect Identifier](https://github.com/libregraph/lico/tree/master/identifier) package.
-
-## Configuration
-
-### Custom Clients
-
-By default the `idp` service generates a OIDC client configuration suitable for
-using OpenCloud with the standard client applications (Web, Desktop, iOS and
-Android). If you need to configure additional client it is possible to inject a
-custom configuration via `yaml`. This can be done by adding a section `clients`
-to the `idp` section of the main configuration file (`opencloud.yaml`). This section
-needs to contain configuration for all clients (including the standard clients).
-
-For example if you want to add a (public) client for use with the oidc-agent you would
-need to add this snippet to the `idp` section in `opencloud.yaml`.
-
-```yaml
-clients:
- id: web
-  name: OpenCloud Web App
-  trusted: true
-  secret: ""
-  redirect_uris:
-  - https://opencloud.k8s:9200/
-  - https://opencloud.k8s:9200/oidc-callback.html
-  - https://opencloud.k8s:9200/oidc-silent-redirect.html
-  post_logout_redirect_uris: []
-  origins:
-  - https://opencloud.k8s:9200
-  application_type: ""
- id: OpenCloudDesktop
-  name: OpenCloud Desktop Client
-  trusted: false
-  secret: ""
-  redirect_uris:
-  - http://127.0.0.1
-  - http://localhost
-  post_logout_redirect_uris: []
-  origins: []
-  application_type: native
- id: OpenCloudAndroid
-  name: OpenCloud Android App
-  trusted: false
-  secret: ""
-  redirect_uris:
-  - oc://android.opencloud.eu
-  post_logout_redirect_uris:
-  - oc://android.opencloud.eu
-  origins: []
-  application_type: native
- id: OpenCloudIOS
-  name: OpenCloud iOS App
-  trusted: false
-  secret: ""
-  redirect_uris:
-  - oc://ios.opencloud.eu
-  post_logout_redirect_uris:
-  - oc://ios.opencloud.eu
-  origins: []
-  application_type: native
- id: oidc-agent
-  name: OIDC Agent
-  trusted: false
-  secret: ""
-  redirect_uris:
-  - http://127.0.0.1
-  - http://localhost
-  post_logout_redirect_uris: []
-  origins: []
-  application_type: native
-```
-
-
-
--- a/services/idp/package.json
+++ b/services/idp/package.json
@@ -102,14 +102,14 @@
    "redux-logger": "^3.0.6",
    "redux-thunk": "^2.4.2",
    "render-if": "^0.1.1",
-    "web-vitals": "^4.2.4"
+    "web-vitals": "^3.5.2"
  },
  "devDependencies": {
-    "@babel/core": "7.26.10",
+    "@babel/core": "7.26.9",
    "@typescript-eslint/eslint-plugin": "^4.33.0",
    "@typescript-eslint/parser": "^4.33.0",
    "babel-eslint": "^10.1.0",
-    "babel-loader": "10.0.0",
+    "babel-loader": "9.2.1",
    "babel-plugin-named-asset-import": "^0.3.8",
    "babel-preset-react-app": "^10.1.0",
    "case-sensitive-paths-webpack-plugin": "2.4.0",
@@ -125,7 +125,7 @@
    "eslint-plugin-i18next": "^6.1.1",
    "eslint-plugin-import": "^2.30.0",
    "eslint-plugin-jest": "^24.7.0",
-    "eslint-plugin-jsx-a11y": "^6.10.2",
+    "eslint-plugin-jsx-a11y": "^6.9.0",
    "eslint-plugin-react": "^7.37.2",
    "eslint-plugin-react-hooks": "^4.6.2",
    "eslint-plugin-testing-library": "^3.10.2",
--- a/services/idp/pkg/config/config.go
+++ b/services/idp/pkg/config/config.go
@@ -60,14 +60,13 @@ type Asset struct {
 }

 type Client struct {
-	ID                     string   `yaml:"id"`
-	Name                   string   `yaml:"name"`
-	Trusted                bool     `yaml:"trusted"`
-	Secret                 string   `yaml:"secret"`
-	RedirectURIs           []string `yaml:"redirect_uris"`
-	PostLogoutRedirectURIs []string `yaml:"post_logout_redirect_uris"`
-	Origins                []string `yaml:"origins"`
-	ApplicationType        string   `yaml:"application_type"`
+	ID              string   `yaml:"id"`
+	Name            string   `yaml:"name"`
+	Trusted         bool     `yaml:"trusted"`
+	Secret          string   `yaml:"secret"`
+	RedirectURIs    []string `yaml:"redirect_uris"`
+	Origins         []string `yaml:"origins"`
+	ApplicationType string   `yaml:"application_type"`
 }

 type Settings struct {
--- a/services/idp/pkg/config/defaults/defaultconfig.go
+++ b/services/idp/pkg/config/defaults/defaultconfig.go
@@ -101,9 +101,6 @@ func DefaultConfig() *config.Config {
 				RedirectURIs: []string{
 					"oc://android.opencloud.eu",
 				},
-				PostLogoutRedirectURIs: []string{
-					"oc://android.opencloud.eu",
-				},
 			},
 			{
 				ID:              "OpenCloudIOS",
@@ -112,9 +109,6 @@ func DefaultConfig() *config.Config {
 				RedirectURIs: []string{
 					"oc://ios.opencloud.eu",
 				},
-				PostLogoutRedirectURIs: []string{
-					"oc://ios.opencloud.eu",
-				},
 			},
 		},
 		Ldap: config.Ldap{
--- a/services/idp/pnpm-lock.yaml
+++ b/services/idp/pnpm-lock.yaml
--- a/services/idp/public/index.html
+++ b/services/idp/public/index.html
@@ -4,7 +4,7 @@
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <meta name="theme-color" content="#1b223d">
-    <link rel="icon" href="%PUBLIC_URL%/static/favicon.svg" type="image/svg+xml">
+    <link rel="shortcut icon" href="%PUBLIC_URL%/static/favicon.ico" type="image/x-icon">
    <meta property="csp-nonce" content="__CSP_NONCE__">
    <title>Sign in - OpenCloud</title>
  </head>
--- a/services/idp/src/images/favicon.ico
+++ b/services/idp/src/images/favicon.ico
--- a/services/idp/src/images/favicon.svg
+++ b/services/idp/src/images/favicon.svg
@@ -1,3 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" version="1.1" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:svgjs="http://svgjs.dev/svgjs" width="512" height="512"><svg id="SvgjsSvg1001" xmlns="http://www.w3.org/2000/svg" width="512" height="512" viewBox="0 0 512 512"><rect x=".02" y="0" width="512" height="512" fill="#20434f"></rect><polygon points="255.98 342.75 271.89 333.57 271.89 267.12 329.08 234.1 329.08 215.78 313.18 206.6 255.6 239.84 198.83 207.06 182.93 216.24 182.93 234.56 240.12 267.58 240.12 333.59 255.98 342.75" fill="#e2baff"></polygon><polygon points="401.95 150.82 256 66.56 256 66.56 256 66.56 110.05 150.82 110.05 187.5 256 103.24 401.95 187.5 401.95 150.82" fill="#e2baff"></polygon><polygon points="401.95 324.5 256 408.76 110.06 324.5 110.06 361.17 256 445.43 256 445.43 256 445.43 401.95 361.17 401.95 324.5" fill="#e2baff"></polygon></svg><style>@media (prefers-color-scheme: light) { :root { filter: none; } }
-@media (prefers-color-scheme: dark) { :root { filter: none; } }
-</style></svg>
--- a/services/notifications/pkg/email/composer.go
+++ b/services/notifications/pkg/email/composer.go
@@ -21,19 +21,19 @@ var (
 func NewTextTemplate(mt MessageTemplate, locale, defaultLocale string, translationPath string, vars map[string]string) (MessageTemplate, error) {
 	var err error
 	t := l10n.NewTranslatorFromCommonConfig(defaultLocale, _domain, translationPath, _translationFS, "l10n/locale").Locale(locale)
-	mt.Subject, err = composeMessage(t.Get(mt.Subject, []interface{}{}...), vars)
+	mt.Subject, err = composeMessage(t.Get("%s", mt.Subject), vars)
 	if err != nil {
 		return mt, err
 	}
-	mt.Greeting, err = composeMessage(t.Get(mt.Greeting, []interface{}{}...), vars)
+	mt.Greeting, err = composeMessage(t.Get("%s", mt.Greeting), vars)
 	if err != nil {
 		return mt, err
 	}
-	mt.MessageBody, err = composeMessage(t.Get(mt.MessageBody, []interface{}{}...), vars)
+	mt.MessageBody, err = composeMessage(t.Get("%s", mt.MessageBody), vars)
 	if err != nil {
 		return mt, err
 	}
-	mt.CallToAction, err = composeMessage(t.Get(mt.CallToAction, []interface{}{}...), vars)
+	mt.CallToAction, err = composeMessage(t.Get("%s", mt.CallToAction), vars)
 	if err != nil {
 		return mt, err
 	}
@@ -44,19 +44,19 @@ func NewTextTemplate(mt MessageTemplate, locale, defaultLocale string, translati
 func NewHTMLTemplate(mt MessageTemplate, locale, defaultLocale string, translationPath string, vars map[string]string) (MessageTemplate, error) {
 	var err error
 	t := l10n.NewTranslatorFromCommonConfig(defaultLocale, _domain, translationPath, _translationFS, "l10n/locale").Locale(locale)
-	mt.Subject, err = composeMessage(t.Get(mt.Subject, []interface{}{}...), vars)
+	mt.Subject, err = composeMessage(t.Get("%s", mt.Subject), vars)
 	if err != nil {
 		return mt, err
 	}
-	mt.Greeting, err = composeMessage(newlineToBr(t.Get(mt.Greeting, []interface{}{}...)), vars)
+	mt.Greeting, err = composeMessage(newlineToBr(t.Get("%s", mt.Greeting)), vars)
 	if err != nil {
 		return mt, err
 	}
-	mt.MessageBody, err = composeMessage(newlineToBr(t.Get(mt.MessageBody, []interface{}{}...)), vars)
+	mt.MessageBody, err = composeMessage(newlineToBr(t.Get("%s", mt.MessageBody)), vars)
 	if err != nil {
 		return mt, err
 	}
-	mt.CallToAction, err = composeMessage(callToActionToHTML(t.Get(mt.CallToAction, []interface{}{}...)), vars)
+	mt.CallToAction, err = composeMessage(callToActionToHTML(t.Get("%s", mt.CallToAction)), vars)
 	if err != nil {
 		return mt, err
 	}
@@ -71,18 +71,18 @@ func NewGroupedTextTemplate(gmt GroupedMessageTemplate, vars map[string]string,

 	var err error
 	t := l10n.NewTranslatorFromCommonConfig(defaultLocale, _domain, translationPath, _translationFS, "l10n/locale").Locale(locale)
-	gmt.Subject, err = composeMessage(t.Get(gmt.Subject, []interface{}{}...), vars)
+	gmt.Subject, err = composeMessage(t.Get("%s", gmt.Subject), vars)
 	if err != nil {
 		return gmt, err
 	}
-	gmt.Greeting, err = composeMessage(t.Get(gmt.Greeting, []interface{}{}...), vars)
+	gmt.Greeting, err = composeMessage(t.Get("%s", gmt.Greeting), vars)
 	if err != nil {
 		return gmt, err
 	}

 	bodyParts := make([]string, 0, len(mtsVars))
 	for i, mt := range mts {
-		bodyPart, err := composeMessage(t.Get(mt.MessageBody, []interface{}{}...), mtsVars[i])
+		bodyPart, err := composeMessage(t.Get("%s", mt.MessageBody), mtsVars[i])
 		if err != nil {
 			return gmt, err
 		}
@@ -100,18 +100,18 @@ func NewGroupedHTMLTemplate(gmt GroupedMessageTemplate, vars map[string]string,

 	var err error
 	t := l10n.NewTranslatorFromCommonConfig(defaultLocale, _domain, translationPath, _translationFS, "l10n/locale").Locale(locale)
-	gmt.Subject, err = composeMessage(t.Get(gmt.Subject, []interface{}{}...), vars)
+	gmt.Subject, err = composeMessage(t.Get("%s", gmt.Subject), vars)
 	if err != nil {
 		return gmt, err
 	}
-	gmt.Greeting, err = composeMessage(newlineToBr(t.Get(gmt.Greeting, []interface{}{}...)), vars)
+	gmt.Greeting, err = composeMessage(newlineToBr(t.Get("%s", gmt.Greeting)), vars)
 	if err != nil {
 		return gmt, err
 	}

 	bodyParts := make([]string, 0, len(mtsVars))
 	for i, mt := range mts {
-		bodyPart, err := composeMessage(t.Get(mt.MessageBody, []interface{}{}...), mtsVars[i])
+		bodyPart, err := composeMessage(t.Get("%s", mt.MessageBody), mtsVars[i])
 		if err != nil {
 			return gmt, err
 		}
--- a/services/ocdav/pkg/command/server.go
+++ b/services/ocdav/pkg/command/server.go
@@ -77,6 +77,7 @@ func Server(cfg *config.Config) *cli.Command {
 					ocdav.Product(cfg.Status.Product),
 					ocdav.Version(cfg.Status.Version),
 					ocdav.VersionString(cfg.Status.VersionString),
+					ocdav.Edition(cfg.Status.Edition),
 					ocdav.MachineAuthAPIKey(cfg.MachineAuthAPIKey),
 					ocdav.Broker(broker.NoOp{}),
 					// ocdav.FavoriteManager() // FIXME needs a proper persistence implementation https://github.com/owncloud/ocis/issues/1228
--- a/services/ocdav/pkg/config/config.go
+++ b/services/ocdav/pkg/config/config.go
@@ -81,4 +81,5 @@ type Status struct {
 	Product        string
 	ProductName    string
 	ProductVersion string
+	Edition        string `yaml:"edition" env:"OC_EDITION;OCDAV_EDITION" desc:"Edition of OpenCloud. Used for branding purposes." introductionVersion:"1.0.0"`
 }
--- a/services/ocdav/pkg/config/defaults/defaultconfig.go
+++ b/services/ocdav/pkg/config/defaults/defaultconfig.go
@@ -92,6 +92,7 @@ func DefaultConfig() *config.Config {
 			ProductVersion: version.GetString(),
 			Product:        "OpenCloud",
 			ProductName:    "OpenCloud",
+			Edition:        "Community",
 		},
 	}
 }
--- a/services/proxy/pkg/command/server.go
+++ b/services/proxy/pkg/command/server.go
@@ -352,7 +352,7 @@ func loadMiddlewares(logger log.Logger, cfg *config.Config,
 			middleware.CredentialsByUserAgent(cfg.AuthMiddleware.CredentialsByUserAgent),
 			middleware.Logger(logger),
 			middleware.OIDCIss(cfg.OIDC.Issuer),
-			middleware.EnableBasicAuth(cfg.EnableBasicAuth || cfg.AuthMiddleware.AllowAppAuth),
+			middleware.EnableBasicAuth(cfg.EnableBasicAuth),
 			middleware.TraceProvider(traceProvider),
 		),
 		middleware.AccountResolver(
--- a/services/proxy/pkg/config/defaults/defaultconfig.go
+++ b/services/proxy/pkg/config/defaults/defaultconfig.go
@@ -100,9 +100,6 @@ func DefaultConfig() *config.Config {
 			Cluster:   "opencloud-cluster",
 			EnableTLS: false,
 		},
-		AuthMiddleware: config.AuthMiddleware{
-			AllowAppAuth: true,
-		},
 	}
 }

--- a/services/search/pkg/content/mocks/extractor.go
+++ b/services/search/pkg/content/mocks/extractor.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.53.2. DO NOT EDIT.
+// Code generated by mockery v2.53.0. DO NOT EDIT.

 package mocks

--- a/services/search/pkg/content/mocks/retriever.go
+++ b/services/search/pkg/content/mocks/retriever.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.53.2. DO NOT EDIT.
+// Code generated by mockery v2.53.0. DO NOT EDIT.

 package mocks

--- a/services/search/pkg/engine/mocks/engine.go
+++ b/services/search/pkg/engine/mocks/engine.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.53.2. DO NOT EDIT.
+// Code generated by mockery v2.53.0. DO NOT EDIT.

 package mocks

--- a/services/search/pkg/search/mocks/searcher.go
+++ b/services/search/pkg/search/mocks/searcher.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.53.2. DO NOT EDIT.
+// Code generated by mockery v2.53.0. DO NOT EDIT.

 package mocks

--- a/services/settings/pkg/service/v0/service.go
+++ b/services/settings/pkg/service/v0/service.go
@@ -697,7 +697,7 @@ func translateBundle(bundle *settingsmsg.Bundle, t *gotext.Locale) *settingsmsg.
 			// translate interval names ('Instant', 'Daily', 'Weekly', 'Never')
 			value := set.GetSingleChoiceValue()
 			for i, v := range value.GetOptions() {
-				value.Options[i].DisplayValue = t.Get(v.GetDisplayValue(), []interface{}{}...)
+				value.Options[i].DisplayValue = t.Get("%s", v.GetDisplayValue())
 			}
 			set.Value = &settingsmsg.Setting_SingleChoiceValue{SingleChoiceValue: value}
 			fallthrough
@@ -710,9 +710,9 @@ func translateBundle(bundle *settingsmsg.Bundle, t *gotext.Locale) *settingsmsg.
 			defaults.SettingUUIDProfileEventSpaceDisabled,
 			defaults.SettingUUIDProfileEventSpaceDeleted:
 			// translate event names ('Share Received', 'Share Removed', ...)
-			set.DisplayName = t.Get(set.GetDisplayName(), []interface{}{}...)
+			set.DisplayName = t.Get("%s", set.GetDisplayName())
 			// translate event descriptions ('Notify me when I receive a share', ...)
-			set.Description = t.Get(set.GetDescription(), []interface{}{}...)
+			set.Description = t.Get("%s", set.GetDescription())
 			bundle.Settings[i] = set
 		}
 	}
--- a/services/settings/pkg/settings/mocks/manager.go
+++ b/services/settings/pkg/settings/mocks/manager.go
@@ -1,4 +1,4 @@
-// Code generated by mockery v2.53.2. DO NOT EDIT.
+// Code generated by mockery v2.53.0. DO NOT EDIT.

 package mocks

--- a/services/storage-users/README.md
+++ b/services/storage-users/README.md
@@ -12,7 +12,7 @@ When hard-stopping OpenCloud, for example with the `kill <pid>` command (SIGKILL

 *   With the value of the environment variable `STORAGE_USERS_GRACEFUL_SHUTDOWN_TIMEOUT`, the `storage-users` service will delay its shutdown giving it time to finalize writing necessary data. This delay can be necessary if there is a lot of data to be saved and/or if storage access/thruput is slow. In such a case you would receive an error log entry informing you that not all data could be saved in time. To prevent such occurrences, you must increase the default value.

-*   If a shutdown error has been logged, the command-line maintenance tool to inspect and manipulate node metadata can help to fix the issue. Please contact support for details.
+*   If a shutdown error has been logged, the command-line maintenance tool [Inspect and Manipulate Node Metadata](https://doc.opencloud.eu/maintenance/commands/commands.html#inspect-and-manipulate-node-metadata) can help to fix the issue. Please contact support for details.

 ## CLI Commands

@@ -142,7 +142,8 @@ opencloud storage-users uploads sessions --processing=false --has-virus=false --

 ### Manage Trash-Bin Items

-This command set provides commands to get an overview of trash-bin items, restore items and purge old items of `personal` spaces and `project` spaces (spaces that have been created manually). `trash-bin` commands require a `spaceID` as parameter. 
+This command set provides commands to get an overview of trash-bin items, restore items and purge old items of `personal` spaces and `project` spaces (spaces that have been created manually). `trash-bin` commands require a `spaceID` as parameter. See [List all spaces
+](https://doc.opencloud.eu/apis/http/graph/spaces/#list-all-spaces-get-drives) or [Listing Space IDs](https://doc.opencloud.eu/maintenance/space-ids/space-ids.html) for details of how to get them.

 ```bash
 opencloud storage-users trash-bin <command>
@@ -169,10 +170,10 @@ The behaviour of the `purge-expired` command can be configured by using the foll
 Used to obtain space trash-bin information and takes the system admin user as the default which is the `OC_ADMIN_USER_ID` but can be set individually. It should be noted, that the `OC_ADMIN_USER_ID` is only assigned automatically when using the single binary deployment and must be manually assigned in all other deployments. The command only considers spaces to which the assigned user has access and delete permission.

 *   `STORAGE_USERS_PURGE_TRASH_BIN_PERSONAL_DELETE_BEFORE`\
-Has a default value of `720h` which equals `30 days`. This means, the command will delete all files older than `30 days`. The value is human-readable. A value of `0` is equivalent to disable and prevents the deletion of `personal space` trash-bin files.
+Has a default value of `720h` which equals `30 days`. This means, the command will delete all files older than `30 days`. The value is human-readable, for valid values see the duration type described in the [Environment Variable Types](https://doc.opencloud.eu/deployment/services/envvar-types-description.html). A value of `0` is equivalent to disable and prevents the deletion of `personal space` trash-bin files.

 *   `STORAGE_USERS_PURGE_TRASH_BIN_PROJECT_DELETE_BEFORE`\
-Has a default value of `720h` which equals `30 days`. This means, the command will delete all files older than `30 days`. The value is human-readable. A value of `0` is equivalent to disable and prevents the deletion of `project space` trash-bin files.
+Has a default value of `720h` which equals `30 days`. This means, the command will delete all files older than `30 days`. The value is human-readable, for valid values see the duration type described in the [Environment Variable Types](https://doc.opencloud.eu/latest/deployment/services/envvar-types-description.html). A value of `0` is equivalent to disable and prevents the deletion of `project space` trash-bin files.

 #### List and Restore Trash-Bins Items

--- a/services/storage-users/pkg/command/uploads.go
+++ b/services/storage-users/pkg/command/uploads.go
@@ -98,26 +98,13 @@ func ListUploadSessions(cfg *config.Config) *cli.Command {
 			return configlog.ReturnFatal(parser.ParseConfig(cfg))
 		},
 		Action: func(c *cli.Context) error {
-			var err error
 			f, ok := registry.NewFuncs[cfg.Driver]
 			if !ok {
 				fmt.Fprintf(os.Stderr, "Unknown filesystem driver '%s'\n", cfg.Driver)
 				os.Exit(1)
 			}
 			drivers := revaconfig.StorageProviderDrivers(cfg)
-			var fsStream events.Stream
-			if cfg.Driver == "posix" {
-				// We need to init the posix driver with 'scanfs' disabled
-				drivers["posix"] = revaconfig.Posix(cfg, false, false)
-				// Also posix refuses to start without an events stream
-				fsStream, err = event.NewStream(cfg)
-				if err != nil {
-					fmt.Fprintf(os.Stderr, "Failed to create event stream for posix driver: %v\n", err)
-					os.Exit(1)
-				}
-			}
-
-			fs, err := f(drivers[cfg.Driver].(map[string]interface{}), fsStream, nil)
+			fs, err := f(drivers[cfg.Driver].(map[string]interface{}), nil, nil)
 			if err != nil {
 				fmt.Fprintf(os.Stderr, "Failed to initialize filesystem driver '%s'\n", cfg.Driver)
 				return err
@@ -130,7 +117,7 @@ func ListUploadSessions(cfg *config.Config) *cli.Command {
 			}

 			var stream events.Stream
-			if c.Bool("restart") || c.Bool("resume") {
+			if c.Bool("restart") {
 				stream, err = event.NewStream(cfg)
 				if err != nil {
 					fmt.Fprintf(os.Stderr, "Failed to create event stream: %v\n", err)
--- a/services/storage-users/pkg/config/config.go
+++ b/services/storage-users/pkg/config/config.go
@@ -194,21 +194,14 @@ type OwnCloudSQLDriver struct {
 // PosixDriver is the storage driver configuration when using 'posix' storage driver
 type PosixDriver struct {
 	// Root is the absolute path to the location of the data
-	Root                       string                 `yaml:"root" env:"STORAGE_USERS_POSIX_ROOT" desc:"The directory where the filesystem storage will store its data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users." introductionVersion:"1.0.0"`
-	Propagator                 string                 `yaml:"propagator" env:"OC_DECOMPOSEDFS_PROPAGATOR;STORAGE_USERS_POSIX_PROPAGATOR" desc:"The propagator used for the posix driver. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option." introductionVersion:"2.0.0"`
-	AsyncPropagatorOptions     AsyncPropagatorOptions `yaml:"async_propagator_options"`
-	PersonalSpaceAliasTemplate string                 `yaml:"personalspacealias_template" env:"STORAGE_USERS_POSIX_PERSONAL_SPACE_ALIAS_TEMPLATE" desc:"Template string to construct personal space aliases." introductionVersion:"1.0.0"`
-	PersonalSpacePathTemplate  string                 `yaml:"personalspacepath_template" env:"STORAGE_USERS_POSIX_PERSONAL_SPACE_PATH_TEMPLATE" desc:"Template string to construct the paths of the personal space roots." introductionVersion:"1.0.0"`
-	GeneralSpaceAliasTemplate  string                 `yaml:"generalspacealias_template" env:"STORAGE_USERS_POSIX_GENERAL_SPACE_ALIAS_TEMPLATE" desc:"Template string to construct general space aliases." introductionVersion:"1.0.0"`
-	GeneralSpacePathTemplate   string                 `yaml:"generalspacepath_template" env:"STORAGE_USERS_POSIX_GENERAL_SPACE_PATH_TEMPLATE" desc:"Template string to construct the paths of the projects space roots." introductionVersion:"1.0.0"`
-	PermissionsEndpoint        string                 `yaml:"permissions_endpoint" env:"STORAGE_USERS_PERMISSION_ENDPOINT;STORAGE_USERS_POSIX_PERMISSIONS_ENDPOINT" desc:"Endpoint of the permissions service. The endpoints can differ for 'decomposed', 'posix' and 'decomposeds3'." introductionVersion:"1.0.0"`
-	AsyncUploads               bool                   `yaml:"async_uploads" env:"OC_ASYNC_UPLOADS" desc:"Enable asynchronous file uploads." introductionVersion:"1.0.0"`
-	ScanDebounceDelay          time.Duration          `yaml:"scan_debounce_delay" env:"STORAGE_USERS_POSIX_SCAN_DEBOUNCE_DELAY" desc:"The time in milliseconds to wait before scanning the filesystem for changes after a change has been detected." introductionVersion:"1.0.0"`
-	MaxQuota                   uint64                 `yaml:"max_quota" env:"OC_SPACES_MAX_QUOTA;STORAGE_USERS_POSIX_MAX_QUOTA" desc:"Set a global max quota for spaces in bytes. A value of 0 equals unlimited. If not using the global OC_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA in the frontend service." introductionVersion:"2.0.0"`
-	MaxAcquireLockCycles       int                    `yaml:"max_acquire_lock_cycles" env:"STORAGE_USERS_POSIX_MAX_ACQUIRE_LOCK_CYCLES" desc:"When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value will be used." introductionVersion:"2.0.0"`
-	LockCycleDurationFactor    int                    `yaml:"lock_cycle_duration_factor" env:"STORAGE_USERS_POSIX_LOCK_CYCLE_DURATION_FACTOR" desc:"When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value will be used." introductionVersion:"2.0.0"`
-	MaxConcurrency             int                    `yaml:"max_concurrency" env:"OC_MAX_CONCURRENCY;STORAGE_USERS_POSIX_MAX_CONCURRENCY" desc:"Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used." introductionVersion:"2.0.0"`
-	DisableVersioning          bool                   `yaml:"disable_versioning" env:"OC_DISABLE_VERSIONING" desc:"Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version." introductionVersion:"2.0.0"`
+	Root                       string        `yaml:"root" env:"STORAGE_USERS_POSIX_ROOT" desc:"The directory where the filesystem storage will store its data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users." introductionVersion:"1.0.0"`
+	PersonalSpaceAliasTemplate string        `yaml:"personalspacealias_template" env:"STORAGE_USERS_POSIX_PERSONAL_SPACE_ALIAS_TEMPLATE" desc:"Template string to construct personal space aliases." introductionVersion:"1.0.0"`
+	PersonalSpacePathTemplate  string        `yaml:"personalspacepath_template" env:"STORAGE_USERS_POSIX_PERSONAL_SPACE_PATH_TEMPLATE" desc:"Template string to construct the paths of the personal space roots." introductionVersion:"1.0.0"`
+	GeneralSpaceAliasTemplate  string        `yaml:"generalspacealias_template" env:"STORAGE_USERS_POSIX_GENERAL_SPACE_ALIAS_TEMPLATE" desc:"Template string to construct general space aliases." introductionVersion:"1.0.0"`
+	GeneralSpacePathTemplate   string        `yaml:"generalspacepath_template" env:"STORAGE_USERS_POSIX_GENERAL_SPACE_PATH_TEMPLATE" desc:"Template string to construct the paths of the projects space roots." introductionVersion:"1.0.0"`
+	PermissionsEndpoint        string        `yaml:"permissions_endpoint" env:"STORAGE_USERS_PERMISSION_ENDPOINT;STORAGE_USERS_POSIX_PERMISSIONS_ENDPOINT" desc:"Endpoint of the permissions service. The endpoints can differ for 'decomposed', 'posix' and 'decomposeds3'." introductionVersion:"1.0.0"`
+	AsyncUploads               bool          `yaml:"async_uploads" env:"OC_ASYNC_UPLOADS" desc:"Enable asynchronous file uploads." introductionVersion:"1.0.0"`
+	ScanDebounceDelay          time.Duration `yaml:"scan_debounce_delay" env:"STORAGE_USERS_POSIX_SCAN_DEBOUNCE_DELAY" desc:"The time in milliseconds to wait before scanning the filesystem for changes after a change has been detected." introductionVersion:"1.0.0"`

 	UseSpaceGroups bool `yaml:"use_space_groups" env:"STORAGE_USERS_POSIX_USE_SPACE_GROUPS" desc:"Use space groups to manage permissions on spaces." introductionVersion:"1.0.0"`

--- a/services/storage-users/pkg/config/defaults/defaultconfig.go
+++ b/services/storage-users/pkg/config/defaults/defaultconfig.go
@@ -91,7 +91,7 @@ func DefaultConfig() *config.Config {
 		TransferExpires:         86400,
 		UploadExpiration:        24 * 60 * 60,
 		GracefulShutdownTimeout: 30,
-		Driver:                  "posix",
+		Driver:                  "decomposed",
 		Drivers: config.Drivers{
 			OwnCloudSQL: config.OwnCloudSQLDriver{
 				Root:                  filepath.Join(defaults.BaseDataPath(), "storage", "owncloud"),
@@ -143,7 +143,7 @@ func DefaultConfig() *config.Config {
 				UseSpaceGroups:             false,
 				Root:                       filepath.Join(defaults.BaseDataPath(), "storage", "users"),
 				PersonalSpaceAliasTemplate: "{{.SpaceType}}/{{.User.Username | lower}}",
-				PersonalSpacePathTemplate:  "users/{{.User.Id.OpaqueId}}",
+				PersonalSpacePathTemplate:  "users/{{.User.Username}}",
 				GeneralSpaceAliasTemplate:  "{{.SpaceType}}/{{.SpaceName | replace \" \" \"-\" | lower}}",
 				GeneralSpacePathTemplate:   "projects/{{.SpaceId}}",
 				PermissionsEndpoint:        "eu.opencloud.api.settings",
@@ -165,7 +165,7 @@ func DefaultConfig() *config.Config {
 			TTL:      24 * 60 * time.Second,
 		},
 		IDCache: config.IDCache{
-			Store:    "nats-js-kv",
+			Store:    "memory",
 			Nodes:    []string{"127.0.0.1:9233"},
 			Database: "ids-storage-users",
 			TTL:      24 * 60 * time.Second,
--- a/services/storage-users/pkg/revaconfig/drivers.go
+++ b/services/storage-users/pkg/revaconfig/drivers.go
@@ -85,28 +85,17 @@ func Local(cfg *config.Config) map[string]interface{} {
 }

 // Posix is the config mapping for the Posix storage driver
-func Posix(cfg *config.Config, enableFSScan, enableFSWatch bool) map[string]interface{} {
+func Posix(cfg *config.Config, enableFSScan bool) map[string]interface{} {
 	return map[string]interface{}{
-		"root":                        cfg.Drivers.Posix.Root,
-		"personalspacepath_template":  cfg.Drivers.Posix.PersonalSpacePathTemplate,
-		"personalspacealias_template": cfg.Drivers.Posix.PersonalSpaceAliasTemplate,
-		"generalspacepath_template":   cfg.Drivers.Posix.GeneralSpacePathTemplate,
-		"generalspacealias_template":  cfg.Drivers.Posix.GeneralSpaceAliasTemplate,
-		"permissionssvc":              cfg.Drivers.Posix.PermissionsEndpoint,
-		"permissionssvc_tls_mode":     cfg.Commons.GRPCClientTLS.Mode,
-		"treetime_accounting":         true,
-		"treesize_accounting":         true,
-		"asyncfileuploads":            cfg.Drivers.Posix.AsyncUploads,
-		"scan_debounce_delay":         cfg.Drivers.Posix.ScanDebounceDelay,
-		"max_quota":                   cfg.Drivers.Posix.MaxQuota,
-		"disable_versioning":          cfg.Drivers.Posix.DisableVersioning,
-		"propagator":                  cfg.Drivers.Posix.Propagator,
-		"async_propagator_options": map[string]interface{}{
-			"propagation_delay": cfg.Drivers.Posix.AsyncPropagatorOptions.PropagationDelay,
-		},
-		"max_acquire_lock_cycles":    cfg.Drivers.Posix.MaxAcquireLockCycles,
-		"lock_cycle_duration_factor": cfg.Drivers.Posix.LockCycleDurationFactor,
-		"max_concurrency":            cfg.Drivers.Posix.MaxConcurrency,
+		"root":                       cfg.Drivers.Posix.Root,
+		"personalspacepath_template": cfg.Drivers.Posix.PersonalSpacePathTemplate,
+		"generalspacepath_template":  cfg.Drivers.Posix.GeneralSpacePathTemplate,
+		"permissionssvc":             cfg.Drivers.Posix.PermissionsEndpoint,
+		"permissionssvc_tls_mode":    cfg.Commons.GRPCClientTLS.Mode,
+		"treetime_accounting":        true,
+		"treesize_accounting":        true,
+		"asyncfileuploads":           cfg.Drivers.Posix.AsyncUploads,
+		"scan_debounce_delay":        cfg.Drivers.Posix.ScanDebounceDelay,
 		"idcache": map[string]interface{}{
 			"cache_store":               cfg.IDCache.Store,
 			"cache_nodes":               cfg.IDCache.Nodes,
@@ -125,19 +114,10 @@ func Posix(cfg *config.Config, enableFSScan, enableFSWatch bool) map[string]inte
 			"cache_auth_username":       cfg.FilemetadataCache.AuthUsername,
 			"cache_auth_password":       cfg.FilemetadataCache.AuthPassword,
 		},
-		"events": map[string]interface{}{
-			"numconsumers": cfg.Events.NumConsumers,
-		},
-		"tokens": map[string]interface{}{
-			"transfer_shared_secret": cfg.Commons.TransferSecret,
-			"transfer_expires":       cfg.TransferExpires,
-			"download_endpoint":      cfg.DataServerURL,
-			"datagateway_endpoint":   cfg.DataGatewayURL,
-		},
 		"use_space_groups":           cfg.Drivers.Posix.UseSpaceGroups,
 		"enable_fs_revisions":        cfg.Drivers.Posix.EnableFSRevisions,
 		"scan_fs":                    enableFSScan,
-		"watch_fs":                   enableFSWatch,
+		"watch_fs":                   cfg.Drivers.Posix.WatchFS,
 		"watch_type":                 cfg.Drivers.Posix.WatchType,
 		"watch_path":                 cfg.Drivers.Posix.WatchPath,
 		"watch_folder_kafka_brokers": cfg.Drivers.Posix.WatchFolderKafkaBrokers,
--- a/services/storage-users/pkg/revaconfig/user.go
+++ b/services/storage-users/pkg/revaconfig/user.go
@@ -16,7 +16,7 @@ func StorageProviderDrivers(cfg *config.Config) map[string]interface{} {
 		"decomposed":   DecomposedNoEvents(cfg),
 		"s3":           S3(cfg),
 		"decomposeds3": DecomposedS3NoEvents(cfg),
-		"posix":        Posix(cfg, true, cfg.Drivers.Posix.WatchFS),
+		"posix":        Posix(cfg, true),

 		"ocis": Decomposed(cfg),           // deprecated: use decomposed
 		"s3ng": DecomposedS3NoEvents(cfg), // deprecated: use decomposeds3
@@ -36,7 +36,7 @@ func DataProviderDrivers(cfg *config.Config) map[string]interface{} {
 		"decomposed":   Decomposed(cfg),
 		"s3":           S3(cfg),
 		"decomposeds3": DecomposedS3(cfg),
-		"posix":        Posix(cfg, false, false),
+		"posix":        Posix(cfg, false),

 		"ocis": Decomposed(cfg),           // deprecated: use decomposed
 		"s3ng": DecomposedS3NoEvents(cfg), // deprecated: use decomposeds3
--- a/services/userlog/pkg/service/conversion.go
+++ b/services/userlog/pkg/service/conversion.go
@@ -376,7 +376,7 @@ func composeMessage(nt NotificationTemplate, locale, defaultLocale, path string,

 func loadTemplates(nt NotificationTemplate, locale, defaultLocale, path string) (string, string) {
 	t := l10n.NewTranslatorFromCommonConfig(defaultLocale, _domain, path, _translationFS, "l10n/locale").Locale(locale)
-	return t.Get(nt.Subject, []interface{}{}...), t.Get(nt.Message, []interface{}{}...)
+	return t.Get("%s", nt.Subject), t.Get("%s", nt.Message)
 }

 func executeTemplate(raw string, vars map[string]interface{}) (string, error) {
--- a/services/web/Makefile
+++ b/services/web/Makefile
@@ -1,6 +1,6 @@
 SHELL := bash
 NAME := web
-WEB_ASSETS_VERSION = v2.2.0
+WEB_ASSETS_VERSION = v1.0.0
 WEB_ASSETS_BRANCH = main

 ifneq (, $(shell command -v go 2> /dev/null)) # suppress `command not found warnings` for non go targets in CI
--- a/services/web/assets/themes/opencloud-dev/assets/favicon.ico
+++ b/services/web/assets/themes/opencloud-dev/assets/favicon.ico
--- a/services/web/assets/themes/opencloud-dev/assets/favicon.svg
+++ b/services/web/assets/themes/opencloud-dev/assets/favicon.svg
@@ -1,3 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" version="1.1" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:svgjs="http://svgjs.dev/svgjs" width="512" height="512"><svg id="SvgjsSvg1001" xmlns="http://www.w3.org/2000/svg" width="512" height="512" viewBox="0 0 512 512"><rect x=".02" y="0" width="512" height="512" fill="#20434f"></rect><polygon points="255.98 342.75 271.89 333.57 271.89 267.12 329.08 234.1 329.08 215.78 313.18 206.6 255.6 239.84 198.83 207.06 182.93 216.24 182.93 234.56 240.12 267.58 240.12 333.59 255.98 342.75" fill="#e2baff"></polygon><polygon points="401.95 150.82 256 66.56 256 66.56 256 66.56 110.05 150.82 110.05 187.5 256 103.24 401.95 187.5 401.95 150.82" fill="#e2baff"></polygon><polygon points="401.95 324.5 256 408.76 110.06 324.5 110.06 361.17 256 445.43 256 445.43 256 445.43 401.95 361.17 401.95 324.5" fill="#e2baff"></polygon></svg><style>@media (prefers-color-scheme: light) { :root { filter: none; } }
-@media (prefers-color-scheme: dark) { :root { filter: none; } }
-</style></svg>
--- a/services/web/assets/themes/opencloud-dev/theme.json
+++ b/services/web/assets/themes/opencloud-dev/theme.json
@@ -43,7 +43,7 @@
          }
        },
        "logo": "themes/opencloud-dev/assets/logo.svg",
-        "favicon": "themes/opencloud-dev/assets/favicon.svg"
+        "favicon": "themes/opencloud-dev/assets/favicon.jpg"
      },
      "themes": [
        {
--- a/services/web/assets/themes/opencloud/assets/favicon.ico
+++ b/services/web/assets/themes/opencloud/assets/favicon.ico
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Viktor Scharf	e362f04093	run CI with posix if posix in the title	2025-03-17 12:43:01 +01:00
Viktor Scharf	9f01bf1af3	use old expected failures file	2025-03-17 12:43:01 +01:00
Viktor Scharf	217a84b360	reva bump	2025-03-17 12:43:01 +01:00
Viktor Scharf	e40d7f4246	add storage_user_id_cache	2025-03-17 12:43:01 +01:00
Viktor Scharf	827a053ac0	run test in CI with posix	2025-03-17 12:43:00 +01:00