disable running ci with watch fs when full-ci

* fix: add update server to default csp rules

* adapt tests

---------

Co-authored-by: Viktor Scharf <v.scharf@opencloud.eu>

.codacy.yml

@@ -16,7 +16,7 @@ exclude_paths:
   - 'tests/acceptance/expected-failures-*.md'
   - 'tests/acceptance/bootstrap/**'
   - 'tests/acceptance/TestHelpers/**'
-  - 'tests/acceptance/run.sh'
+  - 'tests/acceptance/scripts/run.sh'
   - 'vendor/**/*'
   - 'tests/ocwrapper/vendor/**'
 ...

.dockerignore

@@ -1,6 +1,8 @@
 .bingo
 !.bingo/*.mod
 !.bingo/Variables.mk
+.git
 **/bin
-docs
 **/node_modules
+**/tmp
+docs

.github/settings.yml

@@ -1 +1,4 @@
 _extends: gh-labels
+
+
+

.gitignore

@@ -38,6 +38,7 @@ vendor-php
 # API acceptance tests - auto-generated files
 .php-cs-fixer.cache
 suite-logs
+tests/acceptance/filesForUpload/filesWithVirus/
 
 # QA activity reports
 tests/qa-activity-report/reports/

.vscode/launch.json

@@ -53,7 +53,7 @@
         "OC_MACHINE_AUTH_API_KEY": "some-opencloud-machine-auth-api-key",
         "OC_TRANSFER_SECRET": "some-opencloud-transfer-secret",
         // collaboration
-        "COLLABORATION_WOPIAPP_SECRET": "some-wopi-secret",
+        "COLLABORATION_WOPI_SECRET": "some-wopi-secret",
         // idm ldap
         "IDM_SVC_PASSWORD": "some-ldap-idm-password",
         "GRAPH_LDAP_BIND_PASSWORD": "some-ldap-idm-password",
@@ -193,20 +193,21 @@
         "OC_LOG_COLOR": "true",
         "PROXY_ENABLE_BASIC_AUTH": "true",
         "IDM_CREATE_DEMO_USERS": "true",
-        "OC_ADMIN_USER_ID": "some-admin-user-id-0000-000000000000",
+        "OC_ADMIN_USER_ID": "fed-admin-user-id-0000-000000000000",
         "IDM_ADMIN_PASSWORD": "admin",
-        "OC_SYSTEM_USER_ID": "some-system-user-id-000-000000000000",
-        "OC_SYSTEM_USER_API_KEY": "some-system-user-machine-auth-api-key",
-        "OC_JWT_SECRET": "some-opencloud-jwt-secret",
-        "OC_MACHINE_AUTH_API_KEY": "some-opencloud-machine-auth-api-key",
-        "OC_TRANSFER_SECRET": "some-opencloud-transfer-secret",
-        "IDM_SVC_PASSWORD": "some-ldap-idm-password",
-        "GRAPH_LDAP_BIND_PASSWORD": "some-ldap-idm-password",
-        "IDM_REVASVC_PASSWORD": "some-ldap-reva-password",
-        "GROUPS_LDAP_BIND_PASSWORD": "some-ldap-reva-password",
-        "USERS_LDAP_BIND_PASSWORD": "some-ldap-reva-password",
-        "AUTH_BASIC_LDAP_BIND_PASSWORD": "some-ldap-reva-password",
-        "IDM_IDPSVC_PASSWORD": "some-ldap-idp-password",
+        "OC_SYSTEM_USER_ID": "fed-system-user-id-000-000000000000",
+        "OC_SYSTEM_USER_API_KEY": "fed-system-user-machine-auth-api-key",
+        "OC_JWT_SECRET": "fed-opencloud-jwt-secret",
+        "OC_MACHINE_AUTH_API_KEY": "fed-opencloud-machine-auth-api-key",
+        "OC_TRANSFER_SECRET": "fed-opencloud-transfer-secret",
+        "COLLABORATION_WOPI_SECRET": "fed-wopi-secret",
+        "IDM_SVC_PASSWORD": "fed-ldap-idm-password",
+        "GRAPH_LDAP_BIND_PASSWORD": "fed-ldap-idm-password",
+        "IDM_REVASVC_PASSWORD": "fed-ldap-reva-password",
+        "GROUPS_LDAP_BIND_PASSWORD": "fed-ldap-reva-password",
+        "USERS_LDAP_BIND_PASSWORD": "fed-ldap-reva-password",
+        "AUTH_BASIC_LDAP_BIND_PASSWORD": "fed-ldap-reva-password",
+        "IDM_IDPSVC_PASSWORD": "fed-ldap-idp-password",
         "IDP_LDAP_BIND_PASSWORD": "some-ldap-idp-password",
         "GRAPH_APPLICATION_ID": "application-1"
       }

.woodpecker.env

@@ -1,3 +1,4 @@
 # The test runner source for UI tests
-WEB_COMMITID=e060701fc4ef5449a482e501b69e2b5cbf873466
+WEB_COMMITID=6abffcc9cff31c46a341105eb6030fec56338126
 WEB_BRANCH=main
+

CHANGELOG.md

@@ -1,5 +1,256 @@
 # Changelog
 
+## [3.7.0](https://github.com/opencloud-eu/opencloud/releases/tag/v3.7.0) - 2025-11-03
+
+### ❤️ Thanks to all contributors! ❤️
+
+@ScharfViktor, @individual-it, @kulmann, @rhafer, @schweigisito, @sdwilsh
+
+### ✅ Tests
+
+- check status of postprocessing before accesing the file [[#1762](https://github.com/opencloud-eu/opencloud/pull/1762)]
+
+### 📈 Enhancement
+
+- multi-tenancy: Optional attributes on provision API [[#1663](https://github.com/opencloud-eu/opencloud/pull/1663)]
+- fix: fix #1698 - Notification email doesn't contain Message-Id header [[#1708](https://github.com/opencloud-eu/opencloud/pull/1708)]
+
+### 🐛 Bug Fixes
+
+- fix: only search LDAP group by name [[#1724](https://github.com/opencloud-eu/opencloud/pull/1724)]
+
+### 📦️ Dependencies
+
+- [full-ci] bump web 4.2.0 and opencloud 3.7.0 version [[#1765](https://github.com/opencloud-eu/opencloud/pull/1765)]
+
+## [3.6.0](https://github.com/opencloud-eu/opencloud/releases/tag/v3.6.0) - 2025-10-27
+
+### ❤️ Thanks to all contributors! ❤️
+
+@AlexAndBear, @ScharfViktor, @butonic, @dragonchaser, @fschade, @micbar, @prashant-gurung899, @rhafer, @schweigisito, @tammi-23
+
+### 📈 Enhancement
+
+- allow specifying a shutdown order [[#1622](https://github.com/opencloud-eu/opencloud/pull/1622)]
+- change: use 404 as status when thumbnail can not be fetched [[#1582](https://github.com/opencloud-eu/opencloud/pull/1582)]
+- feat: add dedicated logo (web) for mobile view to theme [[#1579](https://github.com/opencloud-eu/opencloud/pull/1579)]
+- feat: make it possible to start the collaboration service in the single process [[#1569](https://github.com/opencloud-eu/opencloud/pull/1569)]
+- introduce AppURLs helper for atomic backgroud updates [[#1542](https://github.com/opencloud-eu/opencloud/pull/1542)]
+- chore: add config for capability CheckForUpdates [[#1556](https://github.com/opencloud-eu/opencloud/pull/1556)]
+
+### ✅ Tests
+
+- [full-ci] feat: implement OIDC authentication option [[#1676](https://github.com/opencloud-eu/opencloud/pull/1676)]
+- apiTest-coverage for #1523 [[#1660](https://github.com/opencloud-eu/opencloud/pull/1660)]
+- [full-ci] deleted unused step definitions [[#1639](https://github.com/opencloud-eu/opencloud/pull/1639)]
+- check thumbnails in the share with me response [[#1605](https://github.com/opencloud-eu/opencloud/pull/1605)]
+- [full-ci][tests-only] fix restore browsers cache workflow [[#1615](https://github.com/opencloud-eu/opencloud/pull/1615)]
+- [full-ci] Enhance getSpaceByName: check local cache before Graph API calls [[#1574](https://github.com/opencloud-eu/opencloud/pull/1574)]
+- [full-ci] getting personal space by userId instead of userName [[#1553](https://github.com/opencloud-eu/opencloud/pull/1553)]
+- apiTest-flaky: sync share before checking [[#1550](https://github.com/opencloud-eu/opencloud/pull/1550)]
+- [decomposed] use Alpine for opencloud starting [[#1547](https://github.com/opencloud-eu/opencloud/pull/1547)]
+
+### 🐛 Bug Fixes
+
+- fix: apply changes from other fixes in compose repo [[#1707](https://github.com/opencloud-eu/opencloud/pull/1707)]
+- fix(settings): env var precedence [[#1625](https://github.com/opencloud-eu/opencloud/pull/1625)]
+- fix(antivirus): update icap-client library which fixes tcp socket reuse [[#1589](https://github.com/opencloud-eu/opencloud/pull/1589)]
+- fix: use valid autocomplete values (axe autocomplete-valid) [[#1588](https://github.com/opencloud-eu/opencloud/pull/1588)]
+- Fix collaboration service name [[#1577](https://github.com/opencloud-eu/opencloud/pull/1577)]
+- let the runtime always create a cancel context [[#1565](https://github.com/opencloud-eu/opencloud/pull/1565)]
+- Bump reva and cs3apis [[#1538](https://github.com/opencloud-eu/opencloud/pull/1538)]
+- use correct endpoint in nats check [[#1533](https://github.com/opencloud-eu/opencloud/pull/1533)]
+
+### 📚 Documentation
+
+- adr: use eduation api for multi-tenancy provisioning [[#1548](https://github.com/opencloud-eu/opencloud/pull/1548)]
+- fix: remove deprecated web ui feature "OpenAppsInTab" [[#1575](https://github.com/opencloud-eu/opencloud/pull/1575)]
+
+### 📦️ Dependencies
+
+- build(deps): bump github.com/onsi/ginkgo/v2 from 2.26.0 to 2.27.1 [[#1705](https://github.com/opencloud-eu/opencloud/pull/1705)]
+- [decomposed] bump-version-v3.6.0 [[#1719](https://github.com/opencloud-eu/opencloud/pull/1719)]
+- revaBump-2.39.1 [[#1718](https://github.com/opencloud-eu/opencloud/pull/1718)]
+- chore: bump reva [[#1701](https://github.com/opencloud-eu/opencloud/pull/1701)]
+- build(deps): bump github.com/kovidgoyal/imaging from 1.6.4 to 1.7.2 [[#1696](https://github.com/opencloud-eu/opencloud/pull/1696)]
+- build(deps): bump github.com/blevesearch/bleve/v2 from 2.5.3 to 2.5.4 [[#1697](https://github.com/opencloud-eu/opencloud/pull/1697)]
+- build(deps): bump golang.org/x/oauth2 from 0.31.0 to 0.32.0 [[#1634](https://github.com/opencloud-eu/opencloud/pull/1634)]
+- build(deps): bump golang.org/x/net from 0.44.0 to 0.46.0 [[#1638](https://github.com/opencloud-eu/opencloud/pull/1638)]
+- revaBumb: add groupware capabilities [[#1689](https://github.com/opencloud-eu/opencloud/pull/1689)]
+- revaUpdate: adding groupware capabilities [[#1659](https://github.com/opencloud-eu/opencloud/pull/1659)]
+- chore/bump-web-4.1.0 [[#1652](https://github.com/opencloud-eu/opencloud/pull/1652)]
+- build(deps): bump google.golang.org/grpc from 1.75.1 to 1.76.0 [[#1628](https://github.com/opencloud-eu/opencloud/pull/1628)]
+- build(deps): bump github.com/coreos/go-oidc/v3 from 3.15.0 to 3.16.0 [[#1627](https://github.com/opencloud-eu/opencloud/pull/1627)]
+- build(deps): bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.27.2 to 2.27.3 [[#1608](https://github.com/opencloud-eu/opencloud/pull/1608)]
+- build(deps): bump github.com/go-ldap/ldap/v3 from 3.4.11 to 3.4.12 [[#1609](https://github.com/opencloud-eu/opencloud/pull/1609)]
+- build(deps): bump google.golang.org/protobuf from 1.36.9 to 1.36.10 [[#1604](https://github.com/opencloud-eu/opencloud/pull/1604)]
+- build(deps): bump github.com/onsi/ginkgo/v2 from 2.25.3 to 2.26.0 [[#1603](https://github.com/opencloud-eu/opencloud/pull/1603)]
+- build(deps): bump github.com/nats-io/nats.go from 1.46.0 to 1.46.1 [[#1590](https://github.com/opencloud-eu/opencloud/pull/1590)]
+- build(deps): bump github.com/olekukonko/tablewriter from 1.0.9 to 1.1.0 [[#1584](https://github.com/opencloud-eu/opencloud/pull/1584)]
+- build(deps): bump github.com/open-policy-agent/opa from 1.8.0 to 1.9.0 [[#1576](https://github.com/opencloud-eu/opencloud/pull/1576)]
+- build(deps): bump github.com/nats-io/nats-server/v2 from 2.11.9 to 2.12.0 [[#1568](https://github.com/opencloud-eu/opencloud/pull/1568)]
+- build(deps): bump golang.org/x/net from 0.43.0 to 0.44.0 [[#1567](https://github.com/opencloud-eu/opencloud/pull/1567)]
+- reva bump. getting #327 [[#1555](https://github.com/opencloud-eu/opencloud/pull/1555)]
+- build(deps): bump golang.org/x/image from 0.30.0 to 0.31.0 [[#1552](https://github.com/opencloud-eu/opencloud/pull/1552)]
+- build(deps): bump github.com/nats-io/nats.go from 1.45.0 to 1.46.0 [[#1551](https://github.com/opencloud-eu/opencloud/pull/1551)]
+- build(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0 [[#1545](https://github.com/opencloud-eu/opencloud/pull/1545)]
+- build(deps): bump github.com/testcontainers/testcontainers-go/modules/opensearch from 0.38.0 to 0.39.0 [[#1544](https://github.com/opencloud-eu/opencloud/pull/1544)]
+- build(deps): bump github.com/open-policy-agent/opa from 1.6.0 to 1.8.0 [[#1510](https://github.com/opencloud-eu/opencloud/pull/1510)]
+- build(deps): bump google.golang.org/grpc from 1.75.0 to 1.75.1 [[#1534](https://github.com/opencloud-eu/opencloud/pull/1534)]
+
+## [3.5.0](https://github.com/opencloud-eu/opencloud/releases/tag/v3.5.0) - 2025-09-22
+
+### ❤️ Thanks to all contributors! ❤️
+
+@JammingBen, @ScharfViktor, @Svanvith, @aduffeck, @butonic, @fschade, @individual-it, @prashant-gurung899, @rhafer
+
+### 📚 Documentation
+
+- enhancement(docs): describe what and why ADRs [[#1518](https://github.com/opencloud-eu/opencloud/pull/1518)]
+- enhancement(docs): add branch naming styleguide and clean up the contribution guidelines [[#1520](https://github.com/opencloud-eu/opencloud/pull/1520)]
+- fix(search): readme typos and mention the lack of scalability [[#1516](https://github.com/opencloud-eu/opencloud/pull/1516)]
+- enhancement(search): simplify search docs and document opensearch backend [[#1513](https://github.com/opencloud-eu/opencloud/pull/1513)]
+- remove opencloud_full from the read.me and add opencloud-compose instead [[#1474](https://github.com/opencloud-eu/opencloud/pull/1474)]
+
+### ✅ Tests
+
+- [full-ci][tests-only] revert behat version and fix regex on test script [[#1507](https://github.com/opencloud-eu/opencloud/pull/1507)]
+- update behat version in `composer.json` [[#1501](https://github.com/opencloud-eu/opencloud/pull/1501)]
+- Apitest. file extension change [[#1482](https://github.com/opencloud-eu/opencloud/pull/1482)]
+- [full-ci] run tests with VIPS enabled [[#1420](https://github.com/opencloud-eu/opencloud/pull/1420)]
+- [full-ci] add pipeline to purge go-bin cache [[#1445](https://github.com/opencloud-eu/opencloud/pull/1445)]
+- [full-ci] purge browsers, opencloud web and playwright tracing cache [[#1403](https://github.com/opencloud-eu/opencloud/pull/1403)]
+
+### 📈 Enhancement
+
+- Insecure opensearch client [[#1509](https://github.com/opencloud-eu/opencloud/pull/1509)]
+- Allow disabling search servers [[#1495](https://github.com/opencloud-eu/opencloud/pull/1495)]
+- Tracing improvements [[#1436](https://github.com/opencloud-eu/opencloud/pull/1436)]
+
+### 🐛 Bug Fixes
+
+- fix(graph): Set the full CS3 user id in the Create Share request [[#1464](https://github.com/opencloud-eu/opencloud/pull/1464)]
+- Remove items from the index when they are purged from the trashbin [[#1347](https://github.com/opencloud-eu/opencloud/pull/1347)]
+- Do not intertwine different batch operations [[#1317](https://github.com/opencloud-eu/opencloud/pull/1317)]
+
+### 📦️ Dependencies
+
+- [decomposed] bump-version-v3.5.0 [[#1532](https://github.com/opencloud-eu/opencloud/pull/1532)]
+- revaBump-2.38.0 [[#1530](https://github.com/opencloud-eu/opencloud/pull/1530)]
+- chore/bump-web-4.0.0 [[#1531](https://github.com/opencloud-eu/opencloud/pull/1531)]
+- build(deps): bump github.com/onsi/ginkgo/v2 from 2.25.2 to 2.25.3 [[#1515](https://github.com/opencloud-eu/opencloud/pull/1515)]
+- build(deps): bump google.golang.org/protobuf from 1.36.8 to 1.36.9 [[#1491](https://github.com/opencloud-eu/opencloud/pull/1491)]
+- build(deps): bump go.opentelemetry.io/contrib/zpages from 0.62.0 to 0.63.0 [[#1490](https://github.com/opencloud-eu/opencloud/pull/1490)]
+- build(deps): bump golang.org/x/text from 0.28.0 to 0.29.0 [[#1484](https://github.com/opencloud-eu/opencloud/pull/1484)]
+- build(deps): bump github.com/spf13/afero from 1.14.0 to 1.15.0 [[#1483](https://github.com/opencloud-eu/opencloud/pull/1483)]
+- build(deps): bump github.com/prometheus/client_golang from 1.23.0 to 1.23.2 [[#1476](https://github.com/opencloud-eu/opencloud/pull/1476)]
+- build(deps): bump golang.org/x/sync from 0.16.0 to 0.17.0 [[#1477](https://github.com/opencloud-eu/opencloud/pull/1477)]
+- build(deps): bump go.etcd.io/bbolt from 1.4.2 to 1.4.3 [[#1463](https://github.com/opencloud-eu/opencloud/pull/1463)]
+- build(deps): bump github.com/go-chi/chi/v5 from 5.2.2 to 5.2.3 [[#1460](https://github.com/opencloud-eu/opencloud/pull/1460)]
+- build(deps): bump github.com/grpc-ecosystem/grpc-gateway/v2 from 2.27.1 to 2.27.2 [[#1461](https://github.com/opencloud-eu/opencloud/pull/1461)]
+- build(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1 [[#1459](https://github.com/opencloud-eu/opencloud/pull/1459)]
+- build(deps): bump github.com/riandyrn/otelchi from 0.12.1 to 0.12.2 [[#1456](https://github.com/opencloud-eu/opencloud/pull/1456)]
+- build(deps): bump github.com/beevik/etree from 1.5.1 to 1.6.0 [[#1453](https://github.com/opencloud-eu/opencloud/pull/1453)]
+- build(deps): bump github.com/blevesearch/bleve/v2 from 2.5.2 to 2.5.3 [[#1450](https://github.com/opencloud-eu/opencloud/pull/1450)]
+- build(deps): bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.62.0 to 0.63.0 [[#1448](https://github.com/opencloud-eu/opencloud/pull/1448)]
+- build(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.62.0 to 0.63.0 [[#1446](https://github.com/opencloud-eu/opencloud/pull/1446)]
+- build(deps): bump github.com/nats-io/nats-server/v2 from 2.11.7 to 2.11.8 [[#1410](https://github.com/opencloud-eu/opencloud/pull/1410)]
+- build(deps): bump github.com/gabriel-vasile/mimetype from 1.4.9 to 1.4.10 [[#1413](https://github.com/opencloud-eu/opencloud/pull/1413)]
+
+## [3.4.0](https://github.com/opencloud-eu/opencloud/releases/tag/v3.4.0) - 2025-09-02
+
+### ❤️ Thanks to all contributors! ❤️
+
+@ScharfViktor, @butonic, @dragonchaser, @fschade, @individual-it, @kulmann, @pbleser-oc, @prashant-gurung899, @rhafer, @tammi-23, @tylerlm
+
+### ✨ Features
+
+- feat: added capability for Edit Login Allowed [[#1406](https://github.com/opencloud-eu/opencloud/pull/1406)]
+- Search-service: add opensearch as distributed search backend [[#1290](https://github.com/opencloud-eu/opencloud/pull/1290)]
+- initial skel for user soft delete [[#1344](https://github.com/opencloud-eu/opencloud/pull/1344)]
+
+### 🐛 Bug Fixes
+
+- fix(antivirus): the file bytesize differs if the file is larger than … [[#1408](https://github.com/opencloud-eu/opencloud/pull/1408)]
+- Correct app store URL [[#1412](https://github.com/opencloud-eu/opencloud/pull/1412)]
+- ack tag events [[#1381](https://github.com/opencloud-eu/opencloud/pull/1381)]
+- fix(proxy): First login fails in auto provision setups [[#1353](https://github.com/opencloud-eu/opencloud/pull/1353)]
+
+### 📈 Enhancement
+
+- directly connect to frontend [[#1373](https://github.com/opencloud-eu/opencloud/pull/1373)]
+- Dockerfile cleanup [[#1352](https://github.com/opencloud-eu/opencloud/pull/1352)]
+- feat: add defaultAppId option for the web config.json [[#1354](https://github.com/opencloud-eu/opencloud/pull/1354)]
+
+### ✅ Tests
+
+- tests for collaborativePosixFS [[#1342](https://github.com/opencloud-eu/opencloud/pull/1342)]
+- [full-ci] add pipeline to send CI notifications to matrix [[#1249](https://github.com/opencloud-eu/opencloud/pull/1249)]
+
+### 📦️ Dependencies
+
+- [decomposed] bump-version-v3.4.0 [[#1442](https://github.com/opencloud-eu/opencloud/pull/1442)]
+- [full-ci] revaBump-2.37.0 [[#1433](https://github.com/opencloud-eu/opencloud/pull/1433)]
+- Use bitnamilegacy [[#1418](https://github.com/opencloud-eu/opencloud/pull/1418)]
+- build(deps): bump github.com/nats-io/nats.go from 1.44.0 to 1.45.0 [[#1401](https://github.com/opencloud-eu/opencloud/pull/1401)]
+- build(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.0 [[#1400](https://github.com/opencloud-eu/opencloud/pull/1400)]
+- build(deps): bump github.com/olekukonko/tablewriter from 1.0.8 to 1.0.9 [[#1376](https://github.com/opencloud-eu/opencloud/pull/1376)]
+- build(deps): bump github.com/onsi/ginkgo/v2 from 2.24.0 to 2.25.1 [[#1396](https://github.com/opencloud-eu/opencloud/pull/1396)]
+- [full-ci] Bump reva to latest main [[#1372](https://github.com/opencloud-eu/opencloud/pull/1372)]
+- build(deps): bump github.com/prometheus/client_golang from 1.22.0 to 1.23.0 [[#1385](https://github.com/opencloud-eu/opencloud/pull/1385)]
+- build(deps): bump github.com/onsi/ginkgo/v2 from 2.23.4 to 2.24.0 [[#1375](https://github.com/opencloud-eu/opencloud/pull/1375)]
+- build(deps): bump github.com/gookit/config/v2 from 2.2.6 to 2.2.7 [[#1359](https://github.com/opencloud-eu/opencloud/pull/1359)]
+- build(deps): bump golang.org/x/net from 0.42.0 to 0.43.0 [[#1356](https://github.com/opencloud-eu/opencloud/pull/1356)]
+- chore(dependencies): bump reva 19625996460b2e68da3bbaf539e554366c59e111 [[#1357](https://github.com/opencloud-eu/opencloud/pull/1357)]
+- build(deps): bump golang.org/x/image from 0.28.0 to 0.30.0 [[#1323](https://github.com/opencloud-eu/opencloud/pull/1323)]
+- build(deps): bump github.com/nats-io/nats-server/v2 from 2.11.6 to 2.11.7 [[#1339](https://github.com/opencloud-eu/opencloud/pull/1339)]
+- build(deps): bump github.com/onsi/gomega from 1.37.0 to 1.38.0 [[#1266](https://github.com/opencloud-eu/opencloud/pull/1266)]
+
+## [3.3.0](https://github.com/opencloud-eu/opencloud/releases/tag/v3.3.0) - 2025-08-12
+
+### ❤️ Thanks to all contributors! ❤️
+
+@ScharfViktor, @aduffeck, @michaelstingl
+
+### ✨ Features
+
+- Tenant [[#1274](https://github.com/opencloud-eu/opencloud/pull/1274)]
+
+### 📈 Enhancement
+
+- chore: bump web to v3.3.0 [[#1329](https://github.com/opencloud-eu/opencloud/pull/1329)]
+
+### ✅ Tests
+
+- multiTenancyTests [[#1313](https://github.com/opencloud-eu/opencloud/pull/1313)]
+
+### 📚 Documentation
+
+- Fix posix driver documentation in STORAGE_USERS_DRIVER description [[#1305](https://github.com/opencloud-eu/opencloud/pull/1305)]
+
+### 🐛 Bug Fixes
+
+- Improve indexing performance using batches [[#1306](https://github.com/opencloud-eu/opencloud/pull/1306)]
+- Do not run the timout func if the work func has run [[#1302](https://github.com/opencloud-eu/opencloud/pull/1302)]
+- Make sure to register prometheus collectors only once [[#1295](https://github.com/opencloud-eu/opencloud/pull/1295)]
+
+### 📦️ Dependencies
+
+- [decomposed] bump-version-v3.3.0 [[#1332](https://github.com/opencloud-eu/opencloud/pull/1332)]
+- [full-ci] Reva bump 2.36.0 [[#1328](https://github.com/opencloud-eu/opencloud/pull/1328)]
+- Bump reva [[#1315](https://github.com/opencloud-eu/opencloud/pull/1315)]
+
+## [3.2.1](https://github.com/opencloud-eu/opencloud/releases/tag/v3.2.1) - 2025-07-30
+
+### ❤️ Thanks to all contributors! ❤️
+
+@aduffeck, @dragonchaser, @individual-it
+
+### 🐛 Bug Fixes
+
+- Do not try to log metrics when we failed to get the consumer info [[#1289](https://github.com/opencloud-eu/opencloud/pull/1289)]
+- Add thumbnails to sharedWithMe and sharedByMe requests [[#1257](https://github.com/opencloud-eu/opencloud/pull/1257)]
+
 ## [3.2.0](https://github.com/opencloud-eu/opencloud/releases/tag/v3.2.0) - 2025-07-21
 
 ### ❤️ Thanks to all contributors! ❤️
@@ -32,6 +283,7 @@
 
 ### 📦️ Dependencies
 
+- [decomposed] bump-version-v3.2.0 [[#1258](https://github.com/opencloud-eu/opencloud/pull/1258)]
 - [full-ci] Reva bump 2.35.0 [[#1255](https://github.com/opencloud-eu/opencloud/pull/1255)]
 - build(deps): bump golang.org/x/net from 0.41.0 to 0.42.0 [[#1232](https://github.com/opencloud-eu/opencloud/pull/1232)]
 - build(deps): bump github.com/KimMachineGun/automemlimit from 0.7.3 to 0.7.4 [[#1226](https://github.com/opencloud-eu/opencloud/pull/1226)]

CONTRIBUTING.md

@@ -1,21 +1,25 @@
 # OpenCloud Contribution Guidelines
 
-First of all, thank you for taking the time to read this and your interest in contributing to OpenCloud!
+First, thank you for taking the time to read this and your interest in contributing to OpenCloud!
 
-The following is a set of guidelines suitable to most of the projects hosted in the [OpenCloud Organization](https://github.com/opencloud-eu). These are mostly guidelines, not rules. Use your best judgement, and feel free to propose changes to this document in a pull request.
+The following is a set of guidelines suitable to most of the projects hosted in the [OpenCloud Organization](https://github.com/opencloud-eu).
+These are mostly guidelines, not rules.
 
-For simplicity reasons, this document mostly refers to the [opencloud repository](https://www.github.com/opencloud-eu/opencloud), but it should be easily transferable to other (sub)projects.
+Use your best judgment and feel free to propose changes to this document in a [pull request](https://github.com/opencloud-eu/opencloud/pulls).
+
+For simplicity reasons, this document mostly refers to the [opencloud repository](https://www.github.com/opencloud-eu/opencloud),
+but it should be easily transferable to other (sub)projects.
 
 #### Table Of Contents
 
 [I don't want to read this whole thing, I just have a question](#i-dont-want-to-read-this-whole-thing-i-just-have-a-question)
 
-[What should I know before I get started](#what-should-i-know-before-i-get-started)
+[What to know before getting started](#what-to-know-before-getting-started)
 *   [OpenCloud is hosted on GitHub](#opencloud-is-hosted-on-github)
-*   [OpenCloud Company, Engineering Partners and Community](#opencloud-company,-engineering-partners-and-community)
+*   [OpenCloud Company, Engineering Partners and Community](#opencloud-company-engineering-partners-and-community)
 *   [Licensing and CLA](#licensing-and-cla)
 
-[How Can I Contribute](#how-can-i-contribute)
+[How to Contribute](#how-to-contribute)
 *   [Help spreading the word](#help-spreading-the-word)
 *   [Reporting Bugs](#reporting-bugs)
 *   [Suggesting Enhancements](#suggesting-enhancements)
@@ -24,8 +28,9 @@ For simplicity reasons, this document mostly refers to the [opencloud repository
 *   [Documentation Contributions](#documentation-contributions)
 *   [Internationalization](#internationalization)
 
-[Styleguides](#styleguides)
-*   [Git Commit Messages](#git-commit-messages)
+[Styleguide](#styleguide)
+*   [Commit Messages](#commit-messages)
+*   [Branch Naming](#branch-naming)
 *   [Golang Styleguide](#golang-styleguide)
 
 [Additional Notes](#additional-notes)
@@ -37,35 +42,38 @@ For simplicity reasons, this document mostly refers to the [opencloud repository
 
 For general questions, please refer to [OpenCloud's FAQs](https://opencloud.eu/faq/) or check the [project page](https://github.com/opencloud-eu) for communication channels.
 
-## What should I know before I get started
+## What to know before getting started
 
 ### OpenCloud is hosted on GitHub
 
-To effectively contribute to OpenCloud, you need a GitHub account. You can get that for free at [GitHub](https://github.com/join). You can find howtos on the internet, for example [here](https://www.wikihow.com/Create-an-Account-on-GitHub).
+To effectively contribute to OpenCloud, you need a GitHub account. You can get that for free at [GitHub](https://github.com/join). You can find howtos on the internet, for example, [here](https://www.wikihow.com/Create-an-Account-on-GitHub).
 
-For other ways of contributing, for example with translations, other systems require you to have an account as well, for example [Transifex](https://www.transifex.com).
+For other ways of contributing, for example, with translations, other systems require you to have an account as well, for example [Transifex](https://www.transifex.com).
 
 The OpenCloud project follows the strict GitHub workflow of development as briefly [described here](https://guides.github.com/introduction/flow/).
 
 ### OpenCloud Company, Engineering Partners and Community
 
-OpenCloud is largely created by developers who are employed by the [OpenCloud company](https://opencloud.eu), which is located in Germany. It is providing support for OpenCloud for customers mainly in the EU. In addition, there are engineering partners who also work full time on OpenCloud related code, for example on the component [REVA](https://github.com/cs3org/reva/).
+OpenCloud is largely created by developers who are employed by the [OpenCloud company](https://opencloud.eu), which is located in Germany.
+It is providing support for OpenCloud for customers mainly in the EU. In addition, there are engineering partners who also work full-time on OpenCloud related code, for example, on the component [REVA](https://github.com/cs3org/reva/).
 
-Because of that fact, the pace that the development is moving forward is sometimes high for people who are not willing and/or able to spend a comparable amount of time to contribute. Even though this can be a challenge, it should not scare anybody away. Here is our clear commitment that we feel honored by everybody who is interested in our work and improves it, no matter how big the contribution might be.
+Because of that fact, the pace that the development is moving forward is sometimes high for people who are not willing and/or able to spend a comparable amount of time to contribute.
+Even though this can be a challenge, it should not scare anybody away. Here is our clear commitment that we feel honored by everybody who is interested in our work and improves it, no matter how big the contribution might be.
 
-We as the full time devs from either organization are doing our best to listen, review and consider all changes that are brought forward following this guideline and make sense for the project.
+We as the full-time devs from either organization are doing our best to listen, review and consider all changes that are brought forward following this guideline and make sense for the project.
 
 ### Licensing and CLA
 
  There is *no CLA* required for any of the public code of OpenCloud.
 
-## How Can I Contribute
+## How to Contribute
 
 There are many ways to contribute to open source projects, and all are equally valuable and appreciated.
 
 ### Help spreading the word
 
-This way to contribute to the project can not be overestimated: People who talk about their experience with OpenCloud and help others with that are the key to success of the project.
+This way to contribute to the project cannot be overestimated:
+People who talk about their experience with OpenCloud and help others with that are the key to the success of the project.
 
 There are too many ways of doing that to line them up here, but examples are answering questions in any social media or in the [OpenCloud Matrix channel](https://matrix.to/#/#opencloud:matrix.org), writing blog posts etc. pp.
 
@@ -73,9 +81,11 @@ There is no formal guideline to this, just do it :-)
 
 ### Reporting Bugs
 
-This section guides you through submitting a bug report for OpenCloud. Following these guidelines helps maintainers and the community understand your report :pencil:, reproduce the behavior :computer: :computer:, and find related reports :mag_right:.
+This section guides you through submitting a bug report for OpenCloud. Following these guidelines help maintainers and the community understand your report :pencil:,
+reproduce the behavior :computer: :computer:, and find related reports :mag_right:.
 
-Before creating bug reports, please check [this list](#before-submitting-a-bug-report) as you might find out that you don't need to create one. When you are creating a bug report, please [include as many details as possible](#how-do-i-submit-a-good-bug-report). Fill out [the required template](https://github.com/opencloud-eu/opencloud/issues/new?Type%3ABug&template=bug_report.md), the information it asks for helps to resolve issues faster.
+Before creating bug reports, please check [this list](#before-submitting-a-bug-report) as you might find out that you don't need to create one.
+When you are creating a bug report, please [include as many details as possible](#how-to-submit-a-good-bug-report). Fill out [the required template](https://github.com/opencloud-eu/opencloud/issues/new?Type%3ABug&template=bug_report.md), the information it asks for helps to resolve issues faster.
 
 > **Note:** If you find a **Closed** issue that seems like it is the same thing that you're experiencing, open a new issue and include a link to the original issue in the body of your new one. If you have permission to reopen the issue, feel free to do so.
 
@@ -83,9 +93,9 @@ Before creating bug reports, please check [this list](#before-submitting-a-bug-r
 
 *   **Make sure you are running a recent version** Usually, developers' interest in old versions of software drops very fast once a new version has been released. So the general requirement is: Use the latest released version or even the current master to reproduce problems that you might encounter. That helps a lot to attract developers attention.
 *   **Determine which [repository](https://github.com/opencloud-eu) the problem should be reported in**.
-*   **Perform a [cursory search](https://github.com/search?q=org%3Aopencloud-eu+type%3Aissue+&type=issues)** with possibly a more granular filter on the repository, to see if the problem has already been reported. If it has **and the issue is still open**, add a comment to the existing issue instead of opening a new one **if you have new information**. Please abstain from adding "+1" comments. Instead use the GitHub reaction emojis to indicate that you are affected by the issue as well.
+*   **Perform a [cursory search](https://github.com/search?q=org%3Aopencloud-eu+type%3Aissue+&type=issues)** with possibly a more granular filter on the repository to see if the problem has already been reported. If it has **and the issue is still open**, add a comment to the existing issue instead of opening a new one **if you have new information**. Please abstain from adding "+1" comments. Instead, use the GitHub reaction emojis to indicate that you are affected by the issue as well.
 
-#### How Do I Submit A (Good) Bug Report
+#### How to Submit A (Good) Bug Report
 
 Bugs are tracked as [GitHub issues](https://guides.github.com/features/issues/). After you've determined [which repository](https://github.com/opencloud-eu) your bug is related to, create an issue on that repository and provide the following information by filling in [the template](https://github.com/opencloud-eu/opencloud/issues/new?Type%3ABug&template=bug_report.md).
 
@@ -110,16 +120,19 @@ Include details about your configuration and environment as asked for in the tem
 
 ### Suggesting Enhancements
 
-This section guides you through submitting an enhancement suggestion for OpenCloud, including completely new features and minor improvements to existing functionality. Following these guidelines helps maintainers and the community understand your suggestion :pencil: and find related suggestions :mag_right:.
+This section guides you through submitting an enhancement suggestion for OpenCloud, including completely new features and minor improvements to existing functionality.
+Following these guidelines help maintainers and the community understand your suggestion :pencil: and find related suggestions :mag_right:.
 
-Before creating enhancement suggestions, please check [this list](#before-submitting-an-enhancement-suggestion) as you might find out that you don't need to create one. When you are creating an enhancement suggestion, please [include as many details as possible](#how-do-i-submit-a-good-enhancement-suggestion). Fill in [the template](https://github.com/opencloud-eu/opencloud/issues/new?template=feature_request.md), including the steps that you imagine you would take if the feature you're requesting existed.
+Before creating enhancement suggestions, please check [this list](#before-submitting-an-enhancement-suggestion) as you might find out that you don't need to create one.
+When you are creating an enhancement suggestion, please [include as many details as possible](#how-to-submit-a-good-enhancement-suggestion).
+Fill in [the template](https://github.com/opencloud-eu/opencloud/issues/new?template=feature_request.md), including the steps that you imagine you would take if the feature you're requesting existed.
 
 #### Before Submitting An Enhancement Suggestion
 
-*   **Check if there's already an extension or other component which provides that enhancement, even in a different way.**
-*   **Perform a [cursory search](https://github.com/search?q=+is%3Aissue+user%3Aopencloud)** to see if the enhancement has already been suggested. If it has, add a comment to the existing issue instead of opening a new one. Feel free to use the GitHub emojis to indicate that you are in favour of an enhancement request.
+*   **Check if there's already an extension or other component that provides that enhancement, even differently.**
+*   **Perform a [cursory search](https://github.com/search?q=+is%3Aissue+user%3Aopencloud)** to see if the enhancement has already been suggested. If it has, add a comment to the existing issue instead of opening a new one. Feel free to use the GitHub emojis to indicate that you are in favor of an enhancement request.
 
-#### How Do I Submit A (Good) Enhancement Suggestion
+#### How to Submit A (Good) Enhancement Suggestion
 
 Enhancement suggestions are tracked as [GitHub issues](https://guides.github.com/features/issues/). After you've determined [which repository](https://github.com/opencloud-eu) your enhancement suggestion is related to, create an issue on that repository and provide the following information:
 
@@ -137,9 +150,11 @@ Unsure where to begin contributing to OpenCloud? You can start by looking throug
 *   [Tests needed](https://github.com/opencloud-eu/opencloud/labels/Interaction%3ANeeds-tests) - issues which would benefit from a test.
 *   [Help wanted issues](https://github.com/opencloud-eu/opencloud/labels/Interaction%3ANeeds-help) - issues which should be a bit more involved.
 
-It is fine to pick one of the list following personal preference. While not perfect, number of comments is a reasonable proxy for impact a given change will have.
+It is fine to pick one of the lists following personal preference.
+While not perfect, the number of comments is a reasonable proxy for the impact a given change will have.
 
-To find out how to set up OpenCloud for local development please refer to the [Developer Documentation](https://docs.opencloud.eu/docs/dev/web/getting-started). It contains a lot of information that will come in handy when starting to work on the project.
+To find out how to set up OpenCloud for local development, please refer to the [Developer Documentation](https://docs.opencloud.eu/docs/dev/web/getting-started).
+It contains a lot of information that will come in handy when starting to work on the project.
 
 ### Pull Requests
 
@@ -148,7 +163,7 @@ All contributions to OpenClouds projects use so-called pull requests following t
 Please follow these steps to have your contribution considered by the maintainers:
 
 *   Follow all instructions in [the template](https://github.com/opencloud-eu/opencloud/blob/main/.github/pull_request_template.md)
-*   Follow the [styleguides](#styleguides) where applicable
+*   Follow the [styleguide](#styleguide) where applicable
 *   After you submit your pull request, verify that all [status checks](https://help.github.com/articles/about-status-checks/) are passing <details><summary>What if the status checks are failing?</summary>If a status check is failing, and you believe that the failure is unrelated to your change, please leave a comment on the pull request explaining why you believe the failure is unrelated. A maintainer will re-run the status check for you. If we conclude that the failure was a false positive, then we will open an issue to track that problem with our status check suite.</details>
 
 While the prerequisites above must be satisfied prior to having your pull request reviewed, the reviewer(s) may ask you to complete additional design work, tests, or other changes before your pull request can be ultimately accepted.
@@ -161,25 +176,38 @@ You find more guidance in the [Documentation Repo](https://github.com/opencloud-
 
 ### Internationalization
 
-Our projects are getting translated into many languages to allow people from all over the world to use OpenCloud in their native language. For translations, OpenCloud uses [Transifex](https://www.transifex.com) as a community based collaboration platform for internationalization.
+Our projects are getting translated into many languages to allow people from all over the world to use OpenCloud in their native language.
+For translations, OpenCloud uses [Transifex](https://www.transifex.com) as a community-based collaboration platform for internationalization.
 
 For contributions please refer to the [Transifex Resources](https://www.transifex.com/resources/) to learn how to improve OpenClouds translations there.
 
-## Styleguides
+## Styleguide
 
-To keep up with a consistent code and tooling landscape, some OpenCloud modules maintain styleguides for contributions. It is mandatory to follow them in contributions.
+To keep up with a consistent code and tooling landscape, some OpenCloud modules maintain styleguide for contributions.
+It is mandatory to follow them in contributions.
 
-### Git Commit Messages
+### Commit Messages
 
 *   Use the present tense ("Add feature" not "Added feature")
 *   Use the imperative mood ("Move cursor to..." not "Moves cursor to...")
 *   Limit the first line to 72 characters or less
 *   Reference issues and pull requests liberally after the first line
 *   When only changing documentation, include `[docs-only]` in the commit title
+*   Use conventional commit messages, see https://www.conventionalcommits.org/en/v1.0.0/
+
+### Branch Naming
+
+* Use short, descriptive names for your branches. For example, use `fix-login-bug` instead of `bugfix123`.
+* Use hyphens to separate words in branch names. For example, use `add-new-feature` instead of `add_new_feature`.
+* Avoid using special characters or spaces in branch names.
+* Consider including the issue number in the branch name for easy reference. For example, use `issue-45-fix-login-bug` if the branch addresses issue #45.
+* Keep branch names concise and to the point, ideally under 30 characters.
+* Use lowercase letters to maintain consistency and avoid confusion.
 
 ### Golang Styleguide
 
-Use the built-in golang code formatter before submitting the patch. Also, consulting documentation like [Effective Go](https://golang.org/doc/effective_go) or [Practical Go](http://bit.ly/gcsg-2019) helps to improve the code quality.
+Use the built-in golang code formatter before submitting the patch.
+Also, consulting documentation like [Effective Go](https://golang.org/doc/effective_go) or [Practical Go](http://bit.ly/gcsg-2019) helps to improve the code quality.
 
 ## Additional Notes
 
@@ -187,11 +215,13 @@ Use the built-in golang code formatter before submitting the patch. Also, consul
 
 This section lists the labels we use to help us track and manage issues and pull requests. Most labels are used across all OpenCloud repositories, but some are specific.
 
-[GitHub search](https://help.github.com/articles/searching-issues/) makes it easy to use labels for finding groups of issues or pull requests you're interested in. To help you find issues and pull requests, each label can be used in search links for finding open items with that label in the OpenCloud repositories.
+[GitHub search](https://help.github.com/articles/searching-issues/) makes it easy to use labels for finding groups of issues or pull requests you're interested in.
+To help you find issues and pull requests, each label can be used in search links for finding open items with that label in the OpenCloud repositories.
 
 The labels are loosely grouped by their purpose, but it's not required that every issue has a label from every group or that an issue can't have more than one label from the same group.
 
-The list here contains all the more general categories of issues which are followed by a colon and a specific value. For example severity 1 looks like `Severity:sev1-critical`.
+The list here contains all the more general categories of issues which are followed by a colon and a specific value.
+For example, severity 1 looks like `Severity:sev1-critical`.
 
 #### Platform
 
@@ -211,11 +241,11 @@ Flags to indicate the internal QA status in terms of process and priority. Pleas
 
 #### Severity
 
-Severity for the product, mostly impact on user.
+Severity for the product, mostly impacts on the user.
 
 #### Type
 
-The issue type, helps to structure the issues in the agile categories (Epic, Story...) but also organizational ones.
+The issue type helps to structure the issues in the agile categories (Epic, Story...) but also organizational ones.
 
 #### Topic
 
@@ -235,8 +265,8 @@ Another label that indicates the type of the issue.
 
 #### Browser
 
-Important for browser dependent web issues. It specifies the browser that shows the error.
+Important for browser-dependent web issues. It specifies the browser that shows the error.
 
 #### Early-Adopter
 
-Tags issues that were reported by one of the OpenCloud early adopters, i.e. customers and users who start using OpenCloud before its general availability.
+Tags issues reported by one of the OpenCloud early adopters, i.e. customers and users who start using OpenCloud before its general availability.

Makefile

@@ -124,7 +124,7 @@ BEHAT_BIN=vendor-bin/behat/vendor/bin/behat
 
 .PHONY: test-acceptance-api
 test-acceptance-api: vendor-bin/behat/vendor
-	BEHAT_BIN=$(BEHAT_BIN) tests/acceptance/run.sh
+	BEHAT_BIN=$(BEHAT_BIN) tests/acceptance/scripts/run.sh
 
 vendor/bamarni/composer-bin-plugin: composer.lock
 	composer install

README.md

@@ -10,17 +10,30 @@
 > [!TIP]
 > For general information about OpenCloud and how to install please visit [OpenCloud on Github](https://github.com/opencloud-eu/) and [OpenCloud GmbH](https://opencloud.eu).
 
-This the main repository of the OpenCloud server. It contains the golang codebase for the backend services.
+This is the main repository of the OpenCloud server.
+It contains the golang codebase for the backend services.
 
 ## Getting Involved
 
-The OpenCloud server is released under [Apache 2.0](https://github.com/opencloud-eu/opencloud/blob/main/LICENSE). The project is very happy to receive contributions in all forms. Start hacking now 😃
+The OpenCloud server is released under [Apache 2.0](https://github.com/opencloud-eu/opencloud/blob/main/LICENSE).
+The project is thrilled to receive contributions in all forms.
+Start hacking now, there are many ways to get involved such as:
 
-### Build OpenCloud
+- Reporting [issues or bugs](https://github.com/opencloud-eu/opencloud/issues)
+- Requesting [features](https://github.com/opencloud-eu/opencloud/issues)
+- [Writing documentation](https://github.com/opencloud-eu/docs)
+- [Writing code or extend our tests](https://github.com/opencloud-eu/opencloud/pulls)
+- [Reviewing code](https://github.com/opencloud-eu/opencloud/pulls)
+- Helping others in the [community](https://app.element.io/#/room/#opencloud:matrix.org)
+
+Every contribution is meaningful and appreciated!
+Please refer to our [Contribution Guidelines](https://github.com/opencloud-eu/opencloud/blob/main/CONTRIBUTING.md) if you want to get started.
+
+## Build OpenCloud
 
 To build the backend, follow these instructions:
 
-Generate the assets needed by e.g. the web UI and the builtin IDP
+Generate the assets needed by e.g., the web UI and the builtin IDP
 
 ``` console
 make generate
@@ -40,10 +53,6 @@ This creates a server configuration (by default in `$HOME/.opencloud`) and start
 
 For more setup- and installation options consult the [Development Documentation](https://docs.opencloud.eu/).
 
-### Contribute
-
-We very much appreciate contributions from the community. Please refer to our [Contribution Guidelines](https://github.com/opencloud-eu/opencloud/blob/main/CONTRIBUTING.md) on how to get started.
-
 ## Technology
 
 Important information for contributors about the technology in use.
@@ -58,4 +67,4 @@ The OpenCloud backend does not use a database. It stores all data in the filesys
 
 ## Security
 
-If you find a security related issue, please contact [security@opencloud.eu](mailto:security@opencloud.eu) immediately.
+If you find a security-related issue, please contact [security@opencloud.eu](mailto:security@opencloud.eu) immediately.

deployments/continuous-deployment-config/opencloud_full/master.yml

@@ -1,49 +0,0 @@
----
-- name: continuous-deployment-opencloud-master
-  server:
-    server_type: cx22
-    image: ubuntu-24.04
-    location: nbg1
-    initial_ssh_key_names:
-      - opencloud@drone.opencloud.com
-    labels:
-      owner: opencloud-team
-      for: opencloud-continuous-deployment-examples
-    rebuild: $REBUILD
-    rebuild_carry_paths:
-      - /var/lib/docker/volumes/opencloud_certs
-
-  domains:
-    - "*.cloud.main.opencloud.works"
-
-  vars:
-    ssh_authorized_keys:
-      - https://github.com/micbar.keys
-    docker_compose_projects:
-      - name: opencloud
-        git_url: https://github.com/opencloud-eu/opencloud.git
-        ref: main
-        docker_compose_path: deployments/examples/opencloud_full
-        env:
-          INSECURE: "false"
-          TRAEFIK_ACME_MAIL: devops@opencloud.eu
-          OC_DOCKER_TAG: main
-          OC_DOCKER_IMAGE: opencloudeu/opencloud-rolling:latest
-          OC_DOMAIN: cloud.main.opencloud.rocks
-          COMPANION_DOMAIN: companion.main.opencloud.rocks
-          COMPANION_IMAGE: transloadit/companion:5.5.0
-          WOPISERVER_DOMAIN: wopiserver.main.opencloud.rocks
-          COLLABORA_DOMAIN: collabora.main.opencloud.rocks
-          INBUCKET_DOMAIN: mail.main.opencloud.rocks
-          DEMO_USERS: "true"
-          COMPOSE_FILE: docker-compose.yml:opencloud.yml:tika.yml:collabora.yml:web_extensions/extensions.yml:web_extensions/unzip.yml:web_extensions/importer.yml:inbucket.yml:monitoring_tracing/monitoring.yml
-      - name: monitoring
-        git_url: https://github.com/opencloud-devops/monitoring-tracing-client.git
-        ref: master
-        env:
-          NETWORK_NAME: opencloud-net
-          TELEMETRY_SERVE_DOMAIN: telemetry.main.opencloud.rocks
-          JAEGER_COLLECTOR: jaeger-collector.infra.opencloud.works:443
-          TELEGRAF_SPECIFIC_CONFIG: opencloud_full
-          OC_URL: opencloud.main.opencloud.rocks
-          OC_DEPLOYMENT_ID: continuous-deployment-opencloud-master

deployments/examples/README.md

@@ -1,3 +1,3 @@
 # Deployment Examples
-
-These docker-compose deployment examples are referenced in the documentation on [docs.opencloud.eu](https://docs.opencloud.eu/opencloud/next/). Therefore, please create an issue on the documentation [issue tracker](https://github.com/opencloud-eu/docs/issues) prior to major changes like moving, renaming or massively changing deployment examples.
+Please note: The docker-compose deployment examples that lived in this directory have been moved over to the
+[opencloud-compose](https://github.com/opencloud-eu/opencloud-compose) repository.

devtools/deployments/README.md

@@ -0,0 +1,4 @@
+# Docker Compose Deployments for development use
+
+The docker-compose deployments in this directory are for developement purposes only. They are
+not actively maintained and not to be used in production.

devtools/deployments/multi-tenancy/.env.example

@@ -0,0 +1,161 @@
+## Basic Settings ##
+# Define the docker compose log driver used.
+# Defaults to local
+LOG_DRIVER=
+# If you're on an internet facing server, comment out following line.
+# It skips certificate validation for various parts of OpenCloud and is
+# needed when self signed certificates are used.
+INSECURE=true
+
+## Features ##
+COMPOSE_FILE=docker-compose.yml:traefik.yml:keycloak.yml:ldap-server.yml
+
+## Traefik Settings ##
+# Note: Traefik is always enabled and can't be disabled.
+# Serve Traefik dashboard.
+# Defaults to "false".
+TRAEFIK_DASHBOARD=
+# Domain of Traefik, where you can find the dashboard.
+# Defaults to "traefik.opencloud.test"
+TRAEFIK_DOMAIN=
+# Basic authentication for the traefik dashboard.
+# Defaults to user "admin" and password "admin" (written as: "admin:$2y$05$KDHu3xq92SPaO3G8Ybkc7edd51pPLJcG1nWk3lmlrIdANQ/B6r5pq").
+# To create user:password pair, it's possible to use this command:
+# echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
+TRAEFIK_BASIC_AUTH_USERS=
+# Email address for obtaining LetsEncrypt certificates.
+# Needs only be changed if this is a public facing server.
+TRAEFIK_ACME_MAIL=
+# Set to the following for testing to check the certificate process:
+# "https://acme-staging-v02.api.letsencrypt.org/directory"
+# With staging configured, there will be an SSL error in the browser.
+# When certificates are displayed and are emitted by # "Fake LE Intermediate X1",
+# the process went well and the envvar can be reset to empty to get valid certificates.
+TRAEFIK_ACME_CASERVER=
+# Enable the Traefik ACME (Automatic Certificate Management Environment) for automatic SSL certificate management.
+TRAEFIK_SERVICES_TLS_CONFIG="tls.certresolver=letsencrypt"
+# Enable Traefik to use local certificates.
+#TRAEFIK_SERVICES_TLS_CONFIG="tls=true"
+# You also need to provide a config file in ./config/traefik/dynamic/certs.yml
+# Example:
+# cat ./config/traefik/dynamic/certs.yml
+# tls:
+#   certificates:
+#     - certFile: /certs/opencloud.test.crt
+#       keyFile: /certs/opencloud.test.key
+#     stores:
+#       - default
+#
+# The certificates need to copied into ./certs/, the absolute path inside the container is /certs/.
+# You can also use TRAEFIK_CERTS_DIR=/path/on/host to set the path to the certificates directory.
+# Enable the access log for Traefik by setting the following variable to true.
+TRAEFIK_ACCESS_LOG=
+# Configure the log level for Traefik.
+# Possible values are "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL" and "PANIC". Default is "ERROR".
+TRAEFIK_LOG_LEVEL=
+
+
+## OpenCloud Settings ##
+# The opencloud container image.
+# For production releases: "opencloudeu/opencloud"
+# For rolling releases:    "opencloudeu/opencloud-rolling"
+# Defaults to production if not set otherwise
+OC_DOCKER_IMAGE=opencloudeu/opencloud-rolling
+# The openCloud container version.
+# Defaults to "latest" and points to the latest stable tag.
+OC_DOCKER_TAG=
+# Domain of openCloud, where you can find the frontend.
+# Defaults to "cloud.opencloud.test"
+OC_DOMAIN=
+# Demo users should not be created on a production instance,
+# because their passwords are public. Defaults to "false".
+# If demo users is set to "true", the following user accounts are created automatically:
+# alan, mary, margaret, dennis and lynn - the password is 'demo' for all.
+DEMO_USERS=
+# Admin Password for the OpenCloud admin user.
+# NOTE: This is only needed when using the built-in LDAP server (idm).
+# If you are using an external LDAP server, the admin password is managed by the LDAP server.
+# NOTE: This variable needs to be set before the first start of OpenCloud. Changes to this variable after the first start will be IGNORED.
+# If not set, opencloud will not work properly. The container will be restarting.
+# After the first initialization, the admin password can only be changed via the OpenCloud User Settings UI or by using the OpenCloud CLI.
+# Documentation: https://docs.opencloud.eu/docs/admin/resources/common-issues#-change-admin-password-set-in-env
+INITIAL_ADMIN_PASSWORD=
+# Define the openCloud loglevel used.
+#
+LOG_LEVEL=
+# Define the kind of logging.
+# The default log can be read by machines.
+# Set this to true to make the log human readable.
+# LOG_PRETTY=true
+#
+# Define the openCloud storage location. Set the paths for config and data to a local path.
+# Ensure that the configuration and data directories are owned by the user and group with ID 1000:1000.
+# This matches the default user inside the container and avoids permission issues when accessing files.
+# Note that especially the data directory can grow big.
+# Leaving it default stores data in docker internal volumes.
+# OC_CONFIG_DIR=/your/local/opencloud/config
+# OC_DATA_DIR=/your/local/opencloud/data
+
+### Compose Configuration ###
+# Path separator for supplemental compose files specified in COMPOSE_FILE.
+COMPOSE_PATH_SEPARATOR=:
+
+### Ldap Settings ###
+# LDAP is always needed for OpenCloud to store user data as there is no relational database.
+# The built-in LDAP server should used for testing purposes or small installations only.
+# For production installations, it is recommended to use an external LDAP server.
+# We are using OpenLDAP as the default LDAP server because it is proven to be stable and reliable.
+# This LDAP configuration is known to work with OpenCloud and provides a blueprint for
+# configuring an external LDAP server based on other products like Microsoft Active Directory or other LDAP servers.
+#
+# Password of LDAP bind user "cn=admin,dc=opencloud,dc=eu". Defaults to "admin"
+LDAP_BIND_PASSWORD=
+# The LDAP server also creates an openCloud admin user dn: uid=admin,ou=users,dc=opencloud,dc=eu
+# The initial password for this user is "admin"
+# NOTE: This password can only be set once, if you want to change it later, you have to use the OpenCloud User Settings UI.
+# If you changed the password and lost it, you need to execute the following LDAP query to reset it:
+# enter the ldap-server container with `docker compose exec ldap-server sh`
+# and run the following command to change the password:
+# ldappasswd -H ldap://127.0.0.1:1389 -D "cn=admin,dc=opencloud,dc=eu" -W "uid=admin,ou=users,dc=opencloud,dc=eu"
+# You will be prompted for the LDAP bind password.
+# The output should provide you a new password for the admin user.
+
+
+### Keycloak Settings ###
+# Keycloak is an open-source identity and access management solution.
+# We are using Keycloak as the default identity provider on production installations.
+# It can be used to federate authentication with other identity providers like
+# Microsoft Entra ID, ADFS or other SAML/OIDC providers.
+# The use of Keycloak as bridge between OpenCloud and other identity providers creates more control over the
+# authentication process, the allowed clients and the session management.
+# Keycloak also manages the Role Based Access Control (RBAC) for OpenCloud.
+# Keycloak can be used in two different modes:
+# 1. Autoprovisioning: New users are automatically created in openCloud when they log in for the first time.
+# 2. Shared User Directory: Users are created in Keycloak and can be used in OpenCloud immediately
+# because the LDAP server is connected to both Keycloak and OpenCloud.
+# Only use one of the two modes at a time.
+
+## Autoprovisioning Mode ##
+# Use together with idm/external-idp.yml
+# If you want to use a keycloak for local testing, you can use testing/external-keycloak.yml and testing/ldap-manager.yml
+# Domain of your Identity Provider.
+IDP_DOMAIN=
+# IdP Issuer URL, which is used to identify the Identity Provider.
+# We need the complete URL, including the protocol (http or https) and the realm.
+# Example: "https://keycloak.opencloud.test/realms/openCloud"
+IDP_ISSUER_URL=
+# Url of the account edit page from your Identity Provider.
+IDP_ACCOUNT_URL=
+
+## Shared User Directory Mode ##
+# Use together with idm/ldap-keycloak.yml and traefik/ldap-keycloak.yml
+# Domain for Keycloak. Defaults to "keycloak.opencloud.test".
+KEYCLOAK_DOMAIN=
+# Admin user login name. Defaults to "kcadmin".
+KEYCLOAK_ADMIN=
+# Admin user login password. Defaults to "admin".
+KEYCLOAK_ADMIN_PASSWORD=
+# Keycloak Database username. Defaults to "keycloak".
+KC_DB_USERNAME=
+# Keycloak Database password. Defaults to "keycloak".
+KC_DB_PASSWORD=

devtools/deployments/multi-tenancy/README.md

@@ -0,0 +1,49 @@
+# Development/Test Deployment for a multi-tenacy setup
+
+The docker compose files in this directory are derived from the
+opencloud-compose project and can be used to deploy a Development or Testing
+environment for a multi-tenancy setup of OpenCloud. It consists of the
+following services:
+
+* `provisioning`: The OpenCloud graph service deployed in a standalone mode. It
+  is configured to provide the libregraph education API for managing tenants
+  and users. The `ldap-server`service (see below) is used to store the tenants
+  and users.
+* `ldap-server`: An OpenLDAP server that is used by the provisioning service to
+  store tenants and users. Used by the OpenCloud services as the user directory
+  (for looking up users and searching for sharees).
+* `keycloak`: The OpenID Connect Provider used for authenticating users. The
+  pre-loaded realm is configured to add `tenantid` claim into the identity and
+  access tokens. It's also currently consuming user from the `ldap-server`
+  (this federation will likely go away in the future and is optional for future
+  configurations).
+* `opencloud`: The OpenCloud configured so that is hides users from different
+  tenants from each other.
+
+To deploy the setup, run:
+
+```bash
+docker compose -f docker-compose.yml -f keycloak.yml -f ldap-server.yml -f traefik.yml up
+```
+
+Once deployed you can use the `initialize_users.go` to create a couple of example
+tenants and some users in each tenant:
+
+* Tenant `Famous Coders` with users `dennis` and `grace`
+* Tenant `Scientists` with users `einstein` and `marie`
+
+The passwords for the users is set to `demo` in keycloak
+
+```
+> go run initialize_users.go
+Created tenant: Famous Coders with id fc58e19a-3a2a-4afc-90ec-8f94986db340
+Created user: Dennis Ritchie with id ee1e14e7-b00b-4eec-8b03-a6bf0e29c77c
+Created user: Grace Hopper with id a29f3afd-e4a3-4552-91e8-cc99e26bffce
+Created tenant: Scientists with id 18406c53-e2d6-4e83-98b6-a55880eef195
+Created user: Albert Einstein with id 12023d37-d6ce-4f19-a318-b70866f265ba
+Created user: Marie Curie with id 30c3c825-c37d-4e85-8195-0142e4884872
+Setting password for user: grace
+Setting password for user: marie
+Setting password for user: dennis
+Setting password for user: einstein
+```

devtools/deployments/multi-tenancy/config/keycloak/docker-entrypoint-override.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+printenv
+# replace openCloud domain and LDAP password in keycloak realm import
+mkdir /opt/keycloak/data/import
+sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/openCloud-realm.json > /opt/keycloak/data/import/openCloud-realm.json
+
+# run original docker-entrypoint
+/opt/keycloak/bin/kc.sh "$@"

devtools/deployments/multi-tenancy/config/keycloak/themes/opencloud/login/resources/css/theme.css

@@ -0,0 +1,38 @@
+:root {
+    --pf-global--primary-color--100: #e2baff;
+    --pf-global--primary-color--200: #e2baff;
+    --pf-global--primary-color--dark-100: #e2baff;
+    --pf-global--Color--light-100: #20434f;
+}
+
+@font-face {
+    font-family: OpenCloud;
+    src: url('../fonts/OpenCloud500-Regular.woff2') format('woff2');
+    font-weight: normal;
+    font-style: normal;
+}
+
+@font-face {
+    font-family: OpenCloud;
+    src: url('../fonts/OpenCloud750-Bold.woff2') format('woff2');
+    font-weight: bold;
+    font-style: normal;
+}
+
+body {
+    font-family: "OpenCloud", "Open Sans", Helvetica, Arial, sans-serif;
+    background: url(../img/background.png) no-repeat center !important;
+    background-size: cover !important;
+}
+
+.kc-logo-text {
+    background-image: url(../img/logo.svg) !important;
+    background-size: contain;
+    width: 400px;
+    margin: 0 !important;
+}
+
+#kc-header-wrapper{
+    display: flex;
+    justify-content: center;
+}

devtools/deployments/multi-tenancy/config/keycloak/themes/opencloud/login/resources/js/script.js

@@ -0,0 +1,19 @@
+document.addEventListener("DOMContentLoaded", function () {
+    const setLogoUrl = (url) => {
+        const logoTextSelector = document.querySelector(".kc-logo-text");
+
+        if (!logoTextSelector) {
+            return
+        }
+
+        const link = document.createElement("a");
+        link.href = url;
+        link.target = "_blank";
+
+        const parent = logoTextSelector.parentNode;
+        parent.insertBefore(link, logoTextSelector);
+        link.appendChild(logoTextSelector);
+    }
+
+    setLogoUrl('https://opencloud.eu')
+});

devtools/deployments/multi-tenancy/config/keycloak/themes/opencloud/login/theme.properties

@@ -0,0 +1,5 @@
+parent=keycloak
+import=common/keycloak
+
+styles=css/login.css css/theme.css
+scripts=js/script.js

devtools/deployments/multi-tenancy/config/ldap/docker-entrypoint-override.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+echo "Running custom LDAP entrypoint script..."
+
+if [ ! -f /opt/bitnami/openldap/share/openldap.key ]
+then	
+	openssl req -x509 -newkey rsa:4096 -keyout /opt/bitnami/openldap/share/openldap.key -out /opt/bitnami/openldap/share/openldap.crt -sha256 -days 365 -batch -nodes
+fi
+# run original docker-entrypoint
+/opt/bitnami/scripts/openldap/entrypoint.sh "$@"

devtools/deployments/multi-tenancy/config/ldap/ldif/10_base.ldif

@@ -0,0 +1,20 @@
+dn: dc=opencloud,dc=eu
+objectClass: organization
+objectClass: dcObject
+dc: opencloud
+o: openCloud
+
+dn: ou=users,dc=opencloud,dc=eu
+objectClass: organizationalUnit
+ou: users
+
+dn: cn=admin,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: person
+cn: admin
+sn: admin
+uid: ldapadmin
+
+dn: ou=tenants,dc=opencloud,dc=eu
+objectClass: organizationalUnit
+ou: tenants

devtools/deployments/multi-tenancy/config/ldap/ldif/20_admin.ldif

@@ -0,0 +1,20 @@
+dn: uid=admin,ou=users,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+uid: admin
+givenName: Admin
+sn: Admin
+cn: admin
+displayName: Admin
+description: An admin for this OpenCloud instance.
+mail: admin@example.org
+userPassword:: e1NTSEF9UWhmaFB3dERydTUydURoWFFObDRMbzVIckI3TkI5Nmo==
+
+dn: cn=administrators,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: administrators
+description: OpenCloud Administrators
+member: uid=admin,ou=users,dc=opencloud,dc=eu

devtools/deployments/multi-tenancy/config/opencloud/csp.yaml

@@ -0,0 +1,44 @@
+directives:
+  child-src:
+    - '''self'''
+  connect-src:
+    - '''self'''
+    - 'blob:'
+    - 'https://${COMPANION_DOMAIN|companion.opencloud.test}/'
+    - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
+    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
+    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}/'
+  default-src:
+    - '''none'''
+  font-src:
+    - '''self'''
+  frame-ancestors:
+    - '''self'''
+  frame-src:
+    - '''self'''
+    - 'blob:'
+    - 'https://embed.diagrams.net/'
+    # In contrary to bash and docker the default is given after the | character
+    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
+    # This is needed for the external-sites web extension when embedding sites
+    - 'https://docs.opencloud.eu'
+  img-src:
+    - '''self'''
+    - 'data:'
+    - 'blob:'
+    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
+    # In contrary to bash and docker the default is given after the | character
+    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
+  manifest-src:
+    - '''self'''
+  media-src:
+    - '''self'''
+  object-src:
+    - '''self'''
+    - 'blob:'
+  script-src:
+    - '''self'''
+    - '''unsafe-inline'''
+  style-src:
+    - '''self'''
+    - '''unsafe-inline'''

devtools/deployments/multi-tenancy/config/traefik/docker-entrypoint-override.sh

@@ -0,0 +1,72 @@
+set -e
+
+printenv
+# Function to add arguments to the command
+add_arg() {
+    TRAEFIK_CMD="$TRAEFIK_CMD $1"
+}
+
+# Initialize the base command
+TRAEFIK_CMD="traefik"
+
+# Base Traefik arguments (from your existing configuration)
+add_arg "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
+# enable dashboard
+add_arg "--api.dashboard=true"
+# define entrypoints
+add_arg "--entryPoints.http.address=:80"
+add_arg "--entryPoints.http.http.redirections.entryPoint.to=https"
+add_arg "--entryPoints.http.http.redirections.entryPoint.scheme=https"
+add_arg "--entryPoints.https.address=:443"
+# change default timeouts for long-running requests
+# this is needed for webdav clients that do not support the TUS protocol
+add_arg "--entryPoints.https.transport.respondingTimeouts.readTimeout=12h"
+add_arg "--entryPoints.https.transport.respondingTimeouts.writeTimeout=12h"
+add_arg "--entryPoints.https.transport.respondingTimeouts.idleTimeout=3m"
+# docker provider (get configuration from container labels)
+add_arg "--providers.docker.endpoint=unix:///var/run/docker.sock"
+add_arg "--providers.docker.exposedByDefault=false"
+# access log
+add_arg "--accessLog=${TRAEFIK_ACCESS_LOG:-false}"
+add_arg "--accessLog.format=json"
+add_arg "--accessLog.fields.headers.names.X-Request-Id=keep"
+
+# Add Let's Encrypt configuration if enabled
+if [ "${TRAEFIK_SERVICES_TLS_CONFIG}" = "tls.certresolver=letsencrypt" ]; then
+    echo "Configuring Traefik with Let's Encrypt..."
+    add_arg "--certificatesResolvers.letsencrypt.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
+    add_arg "--certificatesResolvers.letsencrypt.acme.storage=/certs/acme.json"
+    add_arg "--certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=http"
+    add_arg "--certificatesResolvers.letsencrypt.acme.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
+fi
+
+# Add local certificate configuration if enabled
+if [ "${TRAEFIK_SERVICES_TLS_CONFIG}" = "tls=true" ]; then
+    echo "Configuring Traefik with local certificates..."
+    add_arg "--providers.file.directory=/etc/traefik/dynamic"
+    add_arg "--providers.file.watch=true"
+fi
+
+# Warning if neither certificate method is enabled
+if [ "${TRAEFIK_SERVICES_TLS_CONFIG}" != "tls=true" ] && [ "${TRAEFIK_SERVICES_TLS_CONFIG}" != "tls.certresolver=letsencrypt" ]; then
+    echo "WARNING: Neither Let's Encrypt nor local certificates are enabled."
+    echo "HTTPS will not work properly without certificate configuration."
+fi
+
+# Add any custom arguments from environment variable
+if [ -n "${TRAEFIK_CUSTOM_ARGS}" ]; then
+    echo "Adding custom Traefik arguments: ${TRAEFIK_CUSTOM_ARGS}"
+    TRAEFIK_CMD="$TRAEFIK_CMD $TRAEFIK_CUSTOM_ARGS"
+fi
+
+# Add any additional arguments passed to the script
+for arg in "$@"; do
+    add_arg "$arg"
+done
+
+# Print the final command for debugging
+echo "Starting Traefik with command:"
+echo "$TRAEFIK_CMD"
+
+# Execute Traefik
+exec $TRAEFIK_CMD

devtools/deployments/multi-tenancy/docker-compose.yml

@@ -0,0 +1,119 @@
+---
+services:
+  # OpenCloud instance configured for multi-tenancy using keycloak as identity provider
+  # The graph service is setup to consume users via the CS3 API.
+  opencloud:
+    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
+    # changelog: https://github.com/opencloud-eu/opencloud/tree/main/changelog
+    # release notes: https://docs.opencloud.eu/opencloud_release_notes.html
+    networks:
+      opencloud-net:
+    entrypoint:
+      - /bin/sh
+    # run opencloud init to initialize a configuration file with random secrets
+    # it will fail on subsequent runs, because the config file already exists
+    # therefore we ignore the error and then start the opencloud server
+    command: ["-c", "opencloud init || true; opencloud server"]
+    environment:
+      OC_MULTI_TENANT_ENABLED: "true"
+      # enable services that are not started automatically
+      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}
+      OC_LOG_LEVEL: ${LOG_LEVEL:-info}
+      OC_LOG_COLOR: "${LOG_PRETTY:-false}"
+      OC_LOG_PRETTY: "${LOG_PRETTY:-false}"
+      OC_EXCLUDE_RUN_SERVICES: idm,idp
+      PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
+      OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud
+      PROXY_OIDC_REWRITE_WELLKNOWN: "true"
+      WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
+      PROXY_USER_OIDC_CLAIM: "uuid"
+      PROXY_USER_CS3_CLAIM: "userid"
+      WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud/account"
+      # admin and demo accounts must be created in Keycloak
+      OC_ADMIN_USER_ID: ""
+      SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
+      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
+      GRAPH_USERNAME_MATCH: "none"
+      GROUPS_DRIVER: "null"
+      # This is needed to set the correct CSP rules for OpenCloud
+      IDP_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
+      # do not use SSL between the reverse proxy and OpenCloud
+      PROXY_TLS: "false"
+      # INSECURE: needed if OpenCloud / reverse proxy is using self generated certificates
+      OC_INSECURE: "${INSECURE:-false}"
+      # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
+      PROXY_ENABLE_BASIC_AUTH: "false"
+      GRAPH_IDENTITY_BACKEND: "cs3"
+      PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml
+      OC_LDAP_URI: ldaps://ldap-server:1636
+      OC_LDAP_INSECURE: "true"
+      OC_LDAP_BIND_DN: "cn=admin,dc=opencloud,dc=eu"
+      OC_LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
+      OC_LDAP_USER_BASE_DN: "ou=users,dc=opencloud,dc=eu"
+      OC_LDAP_USER_SCHEMA_TENANT_ID: "openCloudMemberOfSchool"
+      PROXY_LOG_LEVEL: "debug"
+    volumes:
+      - ./config/opencloud/csp.yaml:/etc/opencloud/csp.yaml
+      # configure the .env file to use own paths instead of docker internal volumes
+      - ${OC_CONFIG_DIR:-opencloud-config}:/etc/opencloud
+      - ${OC_DATA_DIR:-opencloud-data}:/var/lib/opencloud
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.opencloud.entrypoints=https"
+      - "traefik.http.routers.opencloud.rule=Host(`${OC_DOMAIN:-cloud.opencloud.test}`)"
+      - "traefik.http.routers.opencloud.service=opencloud"
+      - "traefik.http.services.opencloud.loadbalancer.server.port=9200"
+      - "traefik.http.routers.opencloud.${TRAEFIK_SERVICES_TLS_CONFIG}"
+  # Stand-alone instance of the 'graph' service to serve the provisioning API
+  provsioning:
+    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
+    networks:
+      opencloud-net:
+    entrypoint:
+      - /bin/sh
+    # run opencloud init to initialize a configuration file with random secrets
+    # it will fail on subsequent runs, because the config file already exists
+    # therefore we ignore the error and then start the opencloud server
+    command: ["-c", "opencloud init || true; opencloud graph server"]
+    environment:
+      OC_LOG_LEVEL: "debug"
+      OC_LOG_COLOR: "${LOG_PRETTY:-false}"
+      OC_LOG_PRETTY: "${LOG_PRETTY:-false}"
+      # This just runs the standalone graph service we don't need access to the registry
+      MICRO_REGISTRY: "memory"
+      # INSECURE: needed if OpenCloud / reverse proxy is using self generated certificates
+      OC_INSECURE: "${INSECURE:-false}"
+      GRAPH_HTTP_ADDR: "0.0.0.0:9120"
+      GRAPH_HTTP_API_TOKEN: "${PROVISIONING_API_TOKEN:-changeme}"
+      # disable listening for events
+      GRAPH_EVENTS_ENDPOINT: ""
+      GRAPH_STORE_NODES: ""
+      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
+      GRAPH_USERNAME_MATCH: "none"
+      GRAPH_LDAP_EDUCATION_RESOURCES_ENABLED: "true"
+      GRAPH_LDAP_SCHOOL_BASE_DN: "ou=tenants,dc=opencloud,dc=eu"
+      OC_LDAP_URI: ldaps://ldap-server:1636
+      OC_LDAP_INSECURE: "true"
+      OC_LDAP_BIND_DN: "cn=admin,dc=opencloud,dc=eu"
+      OC_LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
+      OC_LDAP_USER_BASE_DN: "ou=users,dc=opencloud,dc=eu"
+      OC_LDAP_USER_FILTER: "(objectclass=inetOrgPerson)"
+    volumes:
+      # configure the .env file to use own paths instead of docker internal volumes
+      - ${PROVISIONING_CONFIG_DIR:-provisioning-config}:/etc/opencloud
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always
+    ports:
+      - "9120:9120"
+
+volumes:
+  opencloud-config:
+  opencloud-data:
+  provisioning-config:
+
+networks:
+  opencloud-net:

devtools/deployments/multi-tenancy/initialize_users.go

@@ -0,0 +1,140 @@
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+
+	"github.com/Nerzal/gocloak/v13"
+	"github.com/go-resty/resty/v2"
+	libregraph "github.com/opencloud-eu/libre-graph-api-go"
+)
+
+const (
+	provisioningAPIURL    = "http://localhost:9120/graph"
+	provisioningAuthToken = "changeme"
+)
+
+type tenantWithUsers struct {
+	tenant libregraph.EducationSchool
+	users  []libregraph.EducationUser
+}
+
+var demoTenants = []tenantWithUsers{
+	{
+		tenant: libregraph.EducationSchool{
+			DisplayName: libregraph.PtrString("Famous Coders"),
+		},
+		users: []libregraph.EducationUser{
+			{
+				DisplayName:              libregraph.PtrString("Dennis Ritchie"),
+				OnPremisesSamAccountName: libregraph.PtrString("dennis"),
+				Mail:                     libregraph.PtrString("dennis@example.org"),
+			},
+			{
+				DisplayName:              libregraph.PtrString("Grace Hopper"),
+				OnPremisesSamAccountName: libregraph.PtrString("grace"),
+				Mail:                     libregraph.PtrString("grace@example.org"),
+			},
+		},
+	},
+	{
+		tenant: libregraph.EducationSchool{
+			DisplayName: libregraph.PtrString("Scientists"),
+		},
+		users: []libregraph.EducationUser{
+			{
+				DisplayName:              libregraph.PtrString("Albert Einstein"),
+				OnPremisesSamAccountName: libregraph.PtrString("einstein"),
+				Mail:                     libregraph.PtrString("einstein@example.org"),
+			},
+			{
+				DisplayName:              libregraph.PtrString("Marie Curie"),
+				OnPremisesSamAccountName: libregraph.PtrString("marie"),
+				Mail:                     libregraph.PtrString("marie@example.org"),
+			},
+		},
+	},
+}
+
+func main() {
+	lgconf := libregraph.NewConfiguration()
+	lgconf.Servers = libregraph.ServerConfigurations{
+		{
+			URL: provisioningAPIURL,
+		},
+	}
+	lgconf.DefaultHeader = map[string]string{"Authorization": "Bearer " + provisioningAuthToken}
+	lgclient := libregraph.NewAPIClient(lgconf)
+
+	for _, tenant := range demoTenants {
+		tenantid, err := createTenant(lgclient, tenant.tenant)
+		if err != nil {
+			fmt.Printf("Failed to create tenant: %s\n", err)
+			continue
+		}
+		for _, user := range tenant.users {
+			userid1, err := createUser(lgclient, user)
+			if err != nil {
+				fmt.Printf("Failed to create user: %s\n", err)
+				continue
+			}
+			_, err = lgclient.EducationSchoolApi.AddUserToSchool(context.TODO(), tenantid).EducationUserReference(libregraph.EducationUserReference{
+				OdataId: libregraph.PtrString(fmt.Sprintf("%s/education/users/%s", provisioningAPIURL, userid1)),
+			}).Execute()
+			if err != nil {
+				fmt.Printf("Failed to add user to tenant: %s\n", err)
+				continue
+			}
+		}
+	}
+
+	resetAllUserPasswords()
+}
+
+func createUser(client *libregraph.APIClient, user libregraph.EducationUser) (string, error) {
+	newUser, _, err := client.EducationUserApi.CreateEducationUser(context.TODO()).EducationUser(user).Execute()
+	if err != nil {
+		fmt.Printf("Failed to create user: %s\n", err)
+		return "", err
+	}
+	fmt.Printf("Created user: %s with id %s\n", newUser.GetDisplayName(), newUser.GetId())
+	return newUser.GetId(), nil
+}
+
+func createTenant(client *libregraph.APIClient, tenant libregraph.EducationSchool) (string, error) {
+	newTenant, _, err := client.EducationSchoolApi.CreateSchool(context.TODO()).EducationSchool(tenant).Execute()
+	if err != nil {
+		fmt.Printf("Failed to create tenant: %s\n", err)
+		return "", err
+	}
+	fmt.Printf("Created tenant: %s with id %s\n", newTenant.GetDisplayName(), newTenant.GetId())
+	return newTenant.GetId(), nil
+}
+
+func resetAllUserPasswords() {
+	tls := tls.Config{InsecureSkipVerify: true}
+	restyClient := resty.New().SetTLSClientConfig(&tls)
+	client := gocloak.NewClient("https://keycloak.opencloud.test")
+	client.SetRestyClient(restyClient)
+	ctx := context.Background()
+	token, err := client.LoginAdmin(ctx, "kcadmin", "admin", "master")
+	if err != nil {
+		fmt.Printf("Failed to login: %s\n", err)
+		panic("Something wrong with the credentials or url")
+	}
+
+	users, err := client.GetUsers(ctx, token.AccessToken, "openCloud", gocloak.GetUsersParams{})
+	if err != nil {
+		fmt.Printf("%s\n", err)
+		panic("Oh no!, failed to list users :(")
+	}
+	for _, user := range users {
+		fmt.Printf("Setting password for user: %s\n", *user.Username)
+		err = client.SetPassword(ctx, token.AccessToken, *user.ID, "openCloud", "demo", false)
+		if err != nil {
+			fmt.Printf("Failed to set password for user %s: %s\n", *user.Username, err)
+		}
+	}
+
+}

devtools/deployments/multi-tenancy/keycloak.yml

@@ -0,0 +1,55 @@
+---
+services:
+  opencloud:
+    environment:
+  postgres:
+    image: postgres:alpine
+    networks:
+      opencloud-net:
+    volumes:
+      - keycloak_postgres_data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: ${KC_DB_USERNAME:-keycloak}
+      POSTGRES_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always
+
+  keycloak:
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.keycloak.entrypoints=https"
+      - "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}`)"
+      - "traefik.http.routers.keycloak.${TRAEFIK_SERVICES_TLS_CONFIG}"
+      - "traefik.http.routers.keycloak.service=keycloak"
+      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
+    image: quay.io/keycloak/keycloak:26.4
+    networks:
+      opencloud-net:
+    command: [ "start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
+    entrypoint: [ "/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh" ]
+    volumes:
+      - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
+      - "./config/keycloak/openCloud-realm.dist.json:/opt/keycloak/data/import-dist/openCloud-realm.json"
+      - "./config/keycloak/themes/opencloud:/opt/keycloak/themes/opencloud"
+    environment:
+      OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}
+      KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
+      KC_DB: postgres
+      KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak"
+      KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
+      KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
+      KC_FEATURES: impersonation
+      KC_PROXY_HEADERS: xforwarded
+      KC_HTTP_ENABLED: true
+      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}
+      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
+    depends_on:
+      - postgres
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always
+
+volumes:
+  keycloak_postgres_data:

devtools/deployments/multi-tenancy/ldap-server.yml

@@ -0,0 +1,32 @@
+---
+services:
+  ldap-server:
+    image: bitnamilegacy/openldap:2.6
+    networks:
+      opencloud-net:
+    entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
+    environment:
+      BITNAMI_DEBUG: true
+      LDAP_TLS_VERIFY_CLIENT: never
+      LDAP_ENABLE_TLS: "yes"
+      LDAP_TLS_CA_FILE: /opt/bitnami/openldap/share/openldap.crt
+      LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/share/openldap.crt
+      LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
+      LDAP_ROOT: "dc=opencloud,dc=eu"
+      LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
+    ports:
+      - "127.0.0.1:389:1389"
+      - "127.0.0.1:636:1636"
+    volumes:
+      # Only use the base ldif file to create the base structure
+      - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
+      # Use the custom schema from opencloud because we are in full control of the ldap server
+      - ../shared/config/ldap/schemas/10_opencloud_schema.ldif:/schemas/10_opencloud_schema.ldif
+      - ../shared/config/ldap/schemas/20_opencloud_education_schema.ldif:/schemas/20_opencloud_education_schema.ldif
+      - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
+      - ${LDAP_CERTS_DIR:-ldap-certs}:/opt/bitnami/openldap/share
+      - ${LDAP_DATA_DIR:-ldap-data}:/bitnami/openldap
+
+volumes:
+  ldap-certs:
+  ldap-data:

devtools/deployments/multi-tenancy/testing/ldap-manager.yml

@@ -0,0 +1,24 @@
+---
+# This file can be used to be added to the opencloud_full example
+# to browse the LDAP server with a web interface.
+# This is not a production ready setup.
+services:
+  ldap-manager:
+    image: phpldapadmin/phpldapadmin:latest
+    networks:
+      opencloud-net:
+    environment:
+      LDAP_HOST: ldap-server
+      LDAP_PORT: 1389
+      LDAP_LOGIN_OBJECTCLASS: "inetOrgPerson"
+      APP_URL: "https://${LDAP_MANAGER_DOMAIN:-ldap.opencloud.test}"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.ldap-manager.entrypoints=https"
+      - "traefik.http.routers.ldap-manager.rule=Host(`${LDAP_MANAGER_DOMAIN:-ldap.opencloud.test}`)"
+      - "traefik.http.routers.ldap-manager.${TRAEFIK_SERVICES_TLS_CONFIG}"
+      - "traefik.http.routers.ldap-manager.service=ldap-manager"
+      - "traefik.http.services.ldap-manager.loadbalancer.server.port=8080"
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always

devtools/deployments/multi-tenancy/traefik.yml

@@ -0,0 +1,45 @@
+---
+services:
+  opencloud:
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.opencloud.entrypoints=https"
+      - "traefik.http.routers.opencloud.rule=Host(`${OC_DOMAIN:-cloud.opencloud.test}`)"
+      - "traefik.http.routers.opencloud.service=opencloud"
+      - "traefik.http.services.opencloud.loadbalancer.server.port=9200"
+      - "traefik.http.routers.opencloud.${TRAEFIK_SERVICES_TLS_CONFIG}"
+  traefik:
+    image: traefik:v3.3.1
+    # release notes: https://github.com/traefik/traefik/releases
+    networks:
+      opencloud-net:
+        aliases:
+          - ${OC_DOMAIN:-cloud.opencloud.test}
+          - ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
+    entrypoint: [ "/bin/sh", "/opt/traefik/bin/docker-entrypoint-override.sh"]
+    environment:
+      - "TRAEFIK_SERVICES_TLS_CONFIG=${TRAEFIK_SERVICES_TLS_CONFIG:-tls.certresolver=letsencrypt}"
+      - "TRAEFIK_ACME_MAIL=${TRAEFIK_ACME_MAIL:-example@example.org}"
+      - "TRAEFIK_ACME_CASERVER=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
+      - "TRAEFIK_LOG_LEVEL=${TRAEFIK_LOG_LEVEL:-ERROR}"
+      - "TRAEFIK_ACCESS_LOG=${TRAEFIK_ACCESS_LOG:-false}"
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro"
+      - "./config/traefik/docker-entrypoint-override.sh:/opt/traefik/bin/docker-entrypoint-override.sh"
+      - "${TRAEFIK_CERTS_DIR:-./certs}:/certs"
+      - "./config/traefik/dynamic:/etc/traefik/dynamic"
+    labels:
+      - "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
+      # defaults to admin:admin
+      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}"
+      - "traefik.http.routers.traefik.entrypoints=https"
+      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.opencloud.test}`)"
+      - "traefik.http.routers.traefik.middlewares=traefik-auth"
+      - "traefik.http.routers.traefik.${TRAEFIK_SERVICES_TLS_CONFIG}"
+      - "traefik.http.routers.traefik.service=api@internal"
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always

devtools/deployments/opencloud_full/.env

@@ -309,4 +309,4 @@ KEYCLOAK_ADMIN_PASSWORD=
 # This MUST be the last line as it assembles the supplemental compose files to be used.
 # ALL supplemental configs must be added here, whether commented or not.
 # Each var must either be empty or contain :path/file.yml
-COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${DECOMPOSED:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${KEYCLOAK:-}${LDAP:-}${KEYCLOAK_AUTOPROVISIONING:-}${LDAP_MANAGER:-}${RADICALE:-}
+COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${DECOMPOSED:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${KEYCLOAK:-}${LDAP:-}${KEYCLOAK_AUTOPROVISIONING:-}${LDAP_MANAGER:-}${RADICALE:-}

devtools/deployments/opencloud_full/config/keycloak/clients/OpenCloudAndroid.json

@@ -0,0 +1,63 @@
+{
+  "clientId": "OpenCloudAndroid",
+  "name": "OpenCloud Android App",
+  "surrogateAuthRequired": false,
+  "enabled": true,
+  "alwaysDisplayInConsole": false,
+  "clientAuthenticatorType": "client-secret",
+  "redirectUris": [
+    "oc://android.opencloud.eu"
+  ],
+  "webOrigins": [],
+  "notBefore": 0,
+  "bearerOnly": false,
+  "consentRequired": false,
+  "standardFlowEnabled": true,
+  "implicitFlowEnabled": false,
+  "directAccessGrantsEnabled": true,
+  "serviceAccountsEnabled": false,
+  "publicClient": true,
+  "frontchannelLogout": false,
+  "protocol": "openid-connect",
+  "attributes": {
+    "saml.assertion.signature": "false",
+    "saml.force.post.binding": "false",
+    "saml.multivalued.roles": "false",
+    "saml.encrypt": "false",
+    "post.logout.redirect.uris": "oc://android.opencloud.eu",
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "saml.server.signature": "false",
+    "saml.server.signature.keyinfo.ext": "false",
+    "exclude.session.state.from.auth.response": "false",
+    "backchannel.logout.session.required": "true",
+    "client_credentials.use_refresh_token": "false",
+    "saml_force_name_id_format": "false",
+    "saml.client.signature": "false",
+    "tls.client.certificate.bound.access.tokens": "false",
+    "saml.authnstatement": "false",
+    "display.on.consent.screen": "false",
+    "saml.onetimeuse.condition": "false"
+  },
+  "authenticationFlowBindingOverrides": {},
+  "fullScopeAllowed": true,
+  "nodeReRegistrationTimeout": -1,
+  "defaultClientScopes": [
+    "web-origins",
+    "profile",
+    "roles",
+    "groups",
+    "basic",
+    "email"
+  ],
+  "optionalClientScopes": [
+    "address",
+    "phone",
+    "offline_access",
+    "microprofile-jwt"
+  ],
+  "access": {
+    "view": true,
+    "configure": true,
+    "manage": true
+  }
+}

devtools/deployments/opencloud_full/config/keycloak/clients/OpenCloudDesktop.json

@@ -0,0 +1,64 @@
+{
+  "clientId": "OpenCloudDesktop",
+  "name": "OpenCloud Desktop Client",
+  "surrogateAuthRequired": false,
+  "enabled": true,
+  "alwaysDisplayInConsole": false,
+  "clientAuthenticatorType": "client-secret",
+  "redirectUris": [
+    "http://127.0.0.1",
+    "http://localhost"
+  ],
+  "webOrigins": [],
+  "notBefore": 0,
+  "bearerOnly": false,
+  "consentRequired": false,
+  "standardFlowEnabled": true,
+  "implicitFlowEnabled": false,
+  "directAccessGrantsEnabled": true,
+  "serviceAccountsEnabled": false,
+  "publicClient": true,
+  "frontchannelLogout": false,
+  "protocol": "openid-connect",
+  "attributes": {
+    "saml.assertion.signature": "false",
+    "saml.force.post.binding": "false",
+    "saml.multivalued.roles": "false",
+    "saml.encrypt": "false",
+    "post.logout.redirect.uris": "+",
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "saml.server.signature": "false",
+    "saml.server.signature.keyinfo.ext": "false",
+    "exclude.session.state.from.auth.response": "false",
+    "backchannel.logout.session.required": "true",
+    "client_credentials.use_refresh_token": "false",
+    "saml_force_name_id_format": "false",
+    "saml.client.signature": "false",
+    "tls.client.certificate.bound.access.tokens": "false",
+    "saml.authnstatement": "false",
+    "display.on.consent.screen": "false",
+    "saml.onetimeuse.condition": "false"
+  },
+  "authenticationFlowBindingOverrides": {},
+  "fullScopeAllowed": true,
+  "nodeReRegistrationTimeout": -1,
+  "defaultClientScopes": [
+    "web-origins",
+    "profile",
+    "roles",
+    "groups",
+    "basic",
+    "email"
+  ],
+  "optionalClientScopes": [
+    "address",
+    "phone",
+    "offline_access",
+    "microprofile-jwt"
+  ],
+  "access": {
+    "view": true,
+    "configure": true,
+    "manage": true
+  }
+}

devtools/deployments/opencloud_full/config/keycloak/clients/OpenCloudIOS.json

@@ -0,0 +1,63 @@
+{
+  "clientId": "OpenCloudIOS",
+  "name": "OpenCloud iOS App",
+  "surrogateAuthRequired": false,
+  "enabled": true,
+  "alwaysDisplayInConsole": false,
+  "clientAuthenticatorType": "client-secret",
+  "redirectUris": [
+    "oc://ios.opencloud.eu"
+  ],
+  "webOrigins": [],
+  "notBefore": 0,
+  "bearerOnly": false,
+  "consentRequired": false,
+  "standardFlowEnabled": true,
+  "implicitFlowEnabled": false,
+  "directAccessGrantsEnabled": true,
+  "serviceAccountsEnabled": false,
+  "publicClient": true,
+  "frontchannelLogout": false,
+  "protocol": "openid-connect",
+  "attributes": {
+    "saml.assertion.signature": "false",
+    "saml.force.post.binding": "false",
+    "saml.multivalued.roles": "false",
+    "saml.encrypt": "false",
+    "post.logout.redirect.uris": "oc://ios.opencloud.eu",
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "saml.server.signature": "false",
+    "saml.server.signature.keyinfo.ext": "false",
+    "exclude.session.state.from.auth.response": "false",
+    "backchannel.logout.session.required": "true",
+    "client_credentials.use_refresh_token": "false",
+    "saml_force_name_id_format": "false",
+    "saml.client.signature": "false",
+    "tls.client.certificate.bound.access.tokens": "false",
+    "saml.authnstatement": "false",
+    "display.on.consent.screen": "false",
+    "saml.onetimeuse.condition": "false"
+  },
+  "authenticationFlowBindingOverrides": {},
+  "fullScopeAllowed": true,
+  "nodeReRegistrationTimeout": -1,
+  "defaultClientScopes": [
+    "web-origins",
+    "profile",
+    "roles",
+    "groups",
+    "basic",
+    "email"
+  ],
+  "optionalClientScopes": [
+    "address",
+    "phone",
+    "offline_access",
+    "microprofile-jwt"
+  ],
+  "access": {
+    "view": true,
+    "configure": true,
+    "manage": true
+  }
+}

devtools/deployments/opencloud_full/config/keycloak/clients/cyberduck.json

@@ -0,0 +1,66 @@
+{
+  "clientId": "Cyberduck",
+  "name": "Cyberduck",
+  "description": "File transfer utility client",
+  "surrogateAuthRequired": false,
+  "enabled": true,
+  "alwaysDisplayInConsole": false,
+  "clientAuthenticatorType": "client-secret",
+  "redirectUris": [
+    "x-cyberduck-action:oauth",
+    "x-mountainduck-action:oauth"
+  ],
+  "webOrigins": [],
+  "notBefore": 0,
+  "bearerOnly": false,
+  "consentRequired": false,
+  "standardFlowEnabled": true,
+  "implicitFlowEnabled": false,
+  "directAccessGrantsEnabled": true,
+  "serviceAccountsEnabled": false,
+  "publicClient": true,
+  "frontchannelLogout": false,
+  "protocol": "openid-connect",
+  "attributes": {
+    "saml.assertion.signature": "false",
+    "saml.force.post.binding": "false",
+    "saml.multivalued.roles": "false",
+    "saml.encrypt": "false",
+    "oauth2.device.authorization.grant.enabled": "false",
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "saml.server.signature": "false",
+    "saml.server.signature.keyinfo.ext": "false",
+    "exclude.session.state.from.auth.response": "false",
+    "oidc.ciba.grant.enabled": "false",
+    "backchannel.logout.session.required": "true",
+    "client_credentials.use_refresh_token": "false",
+    "saml_force_name_id_format": "false",
+    "saml.client.signature": "false",
+    "tls.client.certificate.bound.access.tokens": "false",
+    "saml.authnstatement": "false",
+    "display.on.consent.screen": "false",
+    "saml.onetimeuse.condition": "false"
+  },
+  "authenticationFlowBindingOverrides": {},
+  "fullScopeAllowed": true,
+  "nodeReRegistrationTimeout": -1,
+  "defaultClientScopes": [
+    "web-origins",
+    "profile",
+    "roles",
+    "groups",
+    "basic",
+    "email"
+  ],
+  "optionalClientScopes": [
+    "address",
+    "phone",
+    "offline_access",
+    "microprofile-jwt"
+  ],
+  "access": {
+    "view": true,
+    "configure": true,
+    "manage": true
+  }
+}

devtools/deployments/opencloud_full/config/keycloak/clients/web.json

@@ -0,0 +1,74 @@
+{
+  "clientId": "web",
+  "name": "OpenCloud Web App",
+  "description": "",
+  "rootUrl": "{{OC_URL}}",
+  "adminUrl": "{{OC_URL}}",
+  "baseUrl": "",
+  "surrogateAuthRequired": false,
+  "enabled": true,
+  "alwaysDisplayInConsole": false,
+  "clientAuthenticatorType": "client-secret",
+  "redirectUris": [
+    "{{OC_URL}}/",
+    "{{OC_URL}}/oidc-callback.html",
+    "{{OC_URL}}/oidc-silent-redirect.html"
+  ],
+  "webOrigins": [
+    "{{OC_URL}}"
+  ],
+  "notBefore": 0,
+  "bearerOnly": false,
+  "consentRequired": false,
+  "standardFlowEnabled": true,
+  "implicitFlowEnabled": false,
+  "directAccessGrantsEnabled": true,
+  "serviceAccountsEnabled": false,
+  "publicClient": true,
+  "frontchannelLogout": false,
+  "protocol": "openid-connect",
+  "attributes": {
+    "saml.assertion.signature": "false",
+    "saml.force.post.binding": "false",
+    "saml.multivalued.roles": "false",
+    "saml.encrypt": "false",
+    "post.logout.redirect.uris": "+",
+    "oauth2.device.authorization.grant.enabled": "false",
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "saml.server.signature": "false",
+    "saml.server.signature.keyinfo.ext": "false",
+    "exclude.session.state.from.auth.response": "false",
+    "oidc.ciba.grant.enabled": "false",
+    "backchannel.logout.url": "{{OC_URL}}/backchannel_logout",
+    "backchannel.logout.session.required": "true",
+    "client_credentials.use_refresh_token": "false",
+    "saml_force_name_id_format": "false",
+    "saml.client.signature": "false",
+    "tls.client.certificate.bound.access.tokens": "false",
+    "saml.authnstatement": "false",
+    "display.on.consent.screen": "false",
+    "saml.onetimeuse.condition": "false"
+  },
+  "authenticationFlowBindingOverrides": {},
+  "fullScopeAllowed": true,
+  "nodeReRegistrationTimeout": -1,
+  "defaultClientScopes": [
+    "web-origins",
+    "profile",
+    "roles",
+    "groups",
+    "basic",
+    "email"
+  ],
+  "optionalClientScopes": [
+    "address",
+    "phone",
+    "offline_access",
+    "microprofile-jwt"
+  ],
+  "access": {
+    "view": true,
+    "configure": true,
+    "manage": true
+  }
+}

devtools/deployments/opencloud_full/config/keycloak/opencloud-realm.dist.json

@@ -663,6 +663,7 @@
         "profile",
         "roles",
         "groups",
+        "OpenCloudUnique_ID",
         "basic",
         "email"
       ],
@@ -2308,7 +2309,7 @@
             "always"
           ],
           "usePasswordModifyExtendedOp": [
-            "false"
+            "true"
           ],
           "trustEmail": [
             "false"

devtools/deployments/opencloud_full/config/opencloud/proxy.yaml

@@ -0,0 +1,40 @@
+# This adds four additional routes to the proxy. Forwarding
+# request on '/carddav/', '/caldav/' and the respective '/.well-knwown'
+# endpoints to the radicale container and setting the required headers.
+additional_policies:
+  - name: default
+    routes:
+      - endpoint: /caldav/
+        backend: http://radicale:5232
+        remote_user_header: X-Remote-User
+        skip_x_access_token: true
+        additional_headers:
+          - X-Script-Name: /caldav
+      - endpoint: /.well-known/caldav
+        backend: http://radicale:5232
+        remote_user_header: X-Remote-User
+        skip_x_access_token: true
+        additional_headers:
+          - X-Script-Name: /caldav
+      - endpoint: /carddav/
+        backend: http://radicale:5232
+        remote_user_header: X-Remote-User
+        skip_x_access_token: true
+        additional_headers:
+          - X-Script-Name: /carddav
+      - endpoint: /.well-known/carddav
+        backend: http://radicale:5232
+        remote_user_header: X-Remote-User
+        skip_x_access_token: true
+        additional_headers:
+          - X-Script-Name: /carddav
+# To enable the radicale web UI add this rule.
+# "unprotected" is True because the Web UI itself ask for
+# the password.
+# Also set "type" to "internal" in the config/radicale/config
+#      - endpoint: /caldav/.web/
+#        backend: http://radicale:5232/
+#        unprotected: true
+#        skip_x_access_token: true
+#        additional_headers:
+#          - X-Script-Name: /caldav

devtools/deployments/opencloud_full/ldap.yml

@@ -26,7 +26,7 @@ services:
       OC_EXCLUDE_RUN_SERVICES: idm
 
   ldap-server:
-    image: bitnami/openldap:2.6
+    image: bitnamilegacy/openldap:2.6
     networks:
       opencloud-net:
     entrypoint: ["/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]

docs/adr/0002-use-education-api-for-multitenant-user-provisioning.md

@@ -0,0 +1,79 @@
+---
+title: "Use the graph education API for multi-tenant user provisioning"
+---
+
+* Status: approved
+* Deciders: [@micbar, @butonic, @rhafer]
+* Date: 2025-09-23
+
+Reference: https://github.com/opencloud-eu/opencloud/issues/877
+
+## Context and Problem Statement
+
+With the current multi-tenancy implementation, the user-management is mostly external
+to the OpenCloud instance. Up to [now](../0001-simple-multi-tenancy-using-a-single-opencloud-instance.md)
+we relied on some external LDAP server providing the users including their tenant assignment.
+We'd like multi-tenancy to also work in environments where no such LDAP server is available.
+
+## Decision Drivers
+
+* Multi-tenancy must work without some existing external (as in not managed by us) LDAP server
+* keep the implementation effort low
+* allow integration with existing (de)provisioning systems
+
+## Considered Options
+
+### Use the auto-provisioning feature of OpenCloud
+
+We already have basic auto-provsioning features implemented in OpenCloud.
+Currently this is not tenant-aware, but it could be extended to support that.
+This would require some changes in the way that the users are managed by the
+auto-proviosioning code.
+
+The auto-provisioning code does currently use the "normal" graph API to create
+users. That API is not tenant-aware and would need to be significantly changed
+to support multi-tenancy. However currently there is no real need to put
+tenant-awareness into that API (and it would drive us even further a away from
+compatibility with the MS Graph API). We could also switch away from the Graph API
+for auto-provisioning and use some direct calls to the underlying LDAP server.
+
+Also, using the auto-provisioning feature means that users are only created
+when they first login. This means it is not possible to share files with users that
+have not yet logged in. This is a significant limitation.
+
+Also we don't currently have any de-provisioning features implemented.
+
+### Use the existing Eudcation API of the Graph Service
+
+We already implemented the Graph Education API in OpenCloud (based on the MS Graph Education API).
+This, apart from the somewhat different naming, does already bring most of what is needed
+for provisioning users in a multi-tenant environment.
+
+The customer would just need to hookup their existing (de)provisioning system to call the
+Education API to create/delete users and assign them to tenants (schools/classes).
+
+The main drawback of this approach is that the customer needs to create some code to
+hookup their existing system to the Education API.
+
+The main advantage is that it would give the customer much more control over the users' lifecycle.
+
+## Decision Outcome
+
+Use the existing Education API of the Graph Service.
+
+* Allows integration with existing (de)provisioning systems
+* hopefully keeps the implementation effort low
+
+Note: For now this means that the auto-provisioning feature will not be available for
+multi-tenant setups. We might want to revisit this in the future.
+
+### Implementation Steps
+
+* re-vive the existing Education API implementation and run it as a separate service
+* (maybe) allow to create tenants with a customer specified ID. The tenant id might also be
+  part of the user's claims (provided by the customer's identity provider). It would be better
+  if the tenant ids in our system match the tenant ids in the customer's identity provider.
+* For de-provisioning to work we need to implement a way to lookup users by an external ID as
+  that is only unique identfier the customer's system knows for a user. While the MS Graph API
+  already provides an `externalId` Attribute we don't currently support that on our APIs.
+

docs/adr/README.md

@@ -0,0 +1,91 @@
+# Architecture Decision Records (ADRs)
+
+## Purpose
+
+This folder contains Architecture Decision Records (ADRs) for the OpenCloud related topics.
+ADRs capture important architectural decisions, their context, alternatives, and rationale.
+
+They help us:
+
+- Document the reasoning behind significant technical choices.
+- Share knowledge and context with current and future team members.
+- Ensure transparency and continuity in our architectural evolution.
+
+## Why Use ADRs?
+
+ADRs provide a structured way to record, discuss, and find architectural decisions over time.
+They make it easier to:
+
+- Understand why certain approaches were chosen.
+- Avoid revisiting previous discussions without context.
+- Onboard new contributors efficiently.
+
+## When to Create an ADR
+
+Not every technical or architectural decision needs a dedicated ADR.
+Use an ADR to document decisions which are significant, such as:
+
+* It substantially affects the architecture, design, or direction of OpenCloud.
+* It involves trade-offs between multiple options.
+* It needs Team consensus or input from multiple stakeholders.
+
+## Writing ADRs
+
+- **Location**: Store all ADRs as Markdown files in this folder.
+- **Format**: Use [Markdown](https://commonmark.org/).
+- **Naming**: Adhere to the naming convention, e.g., `0001-descriptive-title.md`.
+
+### ADR Template
+
+```markdown
+---
+title: "Some Descriptive Title"
+---
+
+* Status: proposed / accepted / deprecated / superseded
+* Deciders: [@user1, @user2]
+* Date: YYYY-MM-DD
+
+Reference: (link to relevant epic, story, issue)
+
+## Context and Problem Statement
+
+Describe the background and why this decision is needed.
+
+## Decision Drivers
+
+Describe the criteria that explains why this decision has to be made.
+
+## Considered Options
+
+Describe single or multiple options that were considered or could be considered.
+
+## Decision Outcome
+
+Describe the chosen option and why it was selected.
+
+### Implementation Steps
+
+Describe the steps needed to implement the decision.
+```
+
+## Process
+
+### New ADRs
+
+1. Write a new ADR as a Markdown file.
+2. Submit it via pull request for review.
+3. Decision is made collaboratively, details will be discussed in the PR, which can lead to further changes.
+4. Update the ADR status once a decision is reached.
+5. Reference ADRs in code, documentation, or issues where relevant.
+
+### Updating ADRs
+
+1. If an ADR needs to be updated, create a new ADR that references the original.
+2. Follow the same process as for new ADRs.
+3. Once accepted, update the status of the original ADR and reference that new ADR.
+
+## References
+
+- [ADR GitHub Template](https://github.com/joelparkerhenderson/architecture_decision_record)
+- [Wikipedia on ADRs](https://en.wikipedia.org/wiki/Architectural_decision)

go.mod

@@ -1,29 +1,29 @@
 module github.com/opencloud-eu/opencloud
 
-go 1.24.1
+go 1.24.6
 
 require (
 	dario.cat/mergo v1.0.2
 	github.com/CiscoM31/godata v1.0.11
-	github.com/KimMachineGun/automemlimit v0.7.4
+	github.com/KimMachineGun/automemlimit v0.7.5
 	github.com/Masterminds/semver v1.5.0
 	github.com/MicahParks/keyfunc/v2 v2.1.0
 	github.com/Nerzal/gocloak/v13 v13.9.0
 	github.com/bbalet/stopwords v1.0.0
-	github.com/beevik/etree v1.5.1
-	github.com/blevesearch/bleve/v2 v2.5.2
+	github.com/beevik/etree v1.6.0
+	github.com/blevesearch/bleve/v2 v2.5.5
 	github.com/cenkalti/backoff v2.2.1+incompatible
-	github.com/coreos/go-oidc/v3 v3.14.1
-	github.com/cs3org/go-cs3apis v0.0.0-20250703154118-810365dec814
+	github.com/coreos/go-oidc/v3 v3.16.0
+	github.com/cs3org/go-cs3apis v0.0.0-20250908152307-4ca807afe54e
 	github.com/davidbyttow/govips/v2 v2.16.0
 	github.com/dhowden/tag v0.0.0-20240417053706-3d75831295e8
 	github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e
-	github.com/egirna/icap-client v0.1.1
-	github.com/gabriel-vasile/mimetype v1.4.9
+	github.com/gabriel-vasile/mimetype v1.4.11
 	github.com/ggwhite/go-masker v1.1.0
-	github.com/go-chi/chi/v5 v5.2.2
+	github.com/go-chi/chi/v5 v5.2.3
 	github.com/go-chi/render v1.0.3
-	github.com/go-ldap/ldap/v3 v3.4.11
+	github.com/go-jose/go-jose/v3 v3.0.4
+	github.com/go-ldap/ldap/v3 v3.4.12
 	github.com/go-ldap/ldif v0.0.0-20200320164324-fd88d9b715b3
 	github.com/go-micro/plugins/v4/client/grpc v1.2.1
 	github.com/go-micro/plugins/v4/logger/zerolog v1.2.0
@@ -33,82 +33,87 @@ require (
 	github.com/go-micro/plugins/v4/store/nats-js-kv v0.0.0-20240726082623-6831adfdcdc4
 	github.com/go-micro/plugins/v4/wrapper/monitoring/prometheus v1.2.0
 	github.com/go-micro/plugins/v4/wrapper/trace/opentelemetry v1.2.0
-	github.com/go-playground/validator/v10 v10.27.0
-	github.com/gofrs/uuid v4.4.0+incompatible
-	github.com/golang-jwt/jwt/v5 v5.2.3
+	github.com/go-playground/validator/v10 v10.28.0
+	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/golang/protobuf v1.5.4
 	github.com/google/go-cmp v0.7.0
 	github.com/google/go-tika v0.3.1
 	github.com/google/uuid v1.6.0
-	github.com/gookit/config/v2 v2.2.6
+	github.com/gookit/config/v2 v2.2.7
 	github.com/gorilla/mux v1.8.1
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3
 	github.com/invopop/validation v0.8.0
 	github.com/jellydator/ttlcache/v2 v2.11.1
 	github.com/jellydator/ttlcache/v3 v3.4.0
 	github.com/jinzhu/now v1.1.5
 	github.com/justinas/alice v1.2.0
-	github.com/kovidgoyal/imaging v1.6.4
+	github.com/kovidgoyal/imaging v1.7.2
 	github.com/leonelquinteros/gotext v1.7.2
 	github.com/libregraph/idm v0.5.0
 	github.com/libregraph/lico v0.66.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/mna/pigeon v1.3.0
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
-	github.com/nats-io/nats-server/v2 v2.11.6
-	github.com/nats-io/nats.go v1.43.0
+	github.com/nats-io/nats-server/v2 v2.12.1
+	github.com/nats-io/nats.go v1.47.0
 	github.com/oklog/run v1.2.0
-	github.com/olekukonko/tablewriter v1.0.8
+	github.com/olekukonko/tablewriter v1.1.1
 	github.com/onsi/ginkgo v1.16.5
-	github.com/onsi/ginkgo/v2 v2.23.4
-	github.com/onsi/gomega v1.37.0
-	github.com/open-policy-agent/opa v1.6.0
-	github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250707143759-32eaae12b2ce
-	github.com/opencloud-eu/reva/v2 v2.35.0
+	github.com/onsi/ginkgo/v2 v2.27.2
+	github.com/onsi/gomega v1.38.2
+	github.com/open-policy-agent/opa v1.10.1
+	github.com/opencloud-eu/icap-client v0.0.0-20250930132611-28a2afe62d89
+	github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76
+	github.com/opencloud-eu/reva/v2 v2.39.3-0.20251121093521-c51ed14c8397
+	github.com/opensearch-project/opensearch-go/v4 v4.5.0
 	github.com/orcaman/concurrent-map v1.0.0
 	github.com/pkg/errors v0.9.1
 	github.com/pkg/xattr v0.4.12
-	github.com/prometheus/client_golang v1.22.0
+	github.com/prometheus/client_golang v1.23.2
 	github.com/r3labs/sse/v2 v2.10.0
-	github.com/riandyrn/otelchi v0.12.1
+	github.com/riandyrn/otelchi v0.12.2
 	github.com/rogpeppe/go-internal v1.14.1
 	github.com/rs/cors v1.11.1
 	github.com/rs/zerolog v1.34.0
-	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/afero v1.14.0
-	github.com/spf13/cobra v1.9.1
-	github.com/stretchr/testify v1.10.0
+	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af
+	github.com/spf13/afero v1.15.0
+	github.com/spf13/cobra v1.10.1
+	github.com/stretchr/testify v1.11.1
 	github.com/test-go/testify v1.1.4
+	github.com/testcontainers/testcontainers-go v0.39.0
+	github.com/testcontainers/testcontainers-go/modules/opensearch v0.39.0
 	github.com/theckman/yacspin v0.13.12
 	github.com/thejerf/suture/v4 v4.0.6
 	github.com/tidwall/gjson v1.18.0
+	github.com/tidwall/sjson v1.2.5
 	github.com/tus/tusd/v2 v2.8.0
 	github.com/unrolled/secure v1.16.0
 	github.com/urfave/cli/v2 v2.27.7
 	github.com/vmihailenco/msgpack/v5 v5.4.1
 	github.com/xhit/go-simple-mail/v2 v2.16.0
 	go-micro.dev/v4 v4.11.0
-	go.etcd.io/bbolt v1.4.2
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.62.0
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0
-	go.opentelemetry.io/contrib/zpages v0.62.0
-	go.opentelemetry.io/otel v1.37.0
+	go.etcd.io/bbolt v1.4.3
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0
+	go.opentelemetry.io/contrib/zpages v0.63.0
+	go.opentelemetry.io/otel v1.38.0
 	go.opentelemetry.io/otel/exporters/jaeger v1.17.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0
-	go.opentelemetry.io/otel/sdk v1.37.0
-	go.opentelemetry.io/otel/trace v1.37.0
-	golang.org/x/crypto v0.40.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0
+	go.opentelemetry.io/otel/sdk v1.38.0
+	go.opentelemetry.io/otel/trace v1.38.0
+	golang.org/x/crypto v0.44.0
 	golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac
-	golang.org/x/image v0.28.0
-	golang.org/x/net v0.42.0
-	golang.org/x/oauth2 v0.30.0
-	golang.org/x/sync v0.16.0
-	golang.org/x/term v0.33.0
-	golang.org/x/text v0.27.0
-	google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822
-	google.golang.org/grpc v1.74.0
-	google.golang.org/protobuf v1.36.6
+	golang.org/x/image v0.32.0
+	golang.org/x/net v0.46.0
+	golang.org/x/oauth2 v0.33.0
+	golang.org/x/sync v0.18.0
+	golang.org/x/term v0.37.0
+	golang.org/x/text v0.31.0
+	google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4
+	google.golang.org/grpc v1.76.0
+	google.golang.org/protobuf v1.36.10
 	gopkg.in/yaml.v2 v2.4.0
+	gopkg.in/yaml.v3 v3.0.1
 	gotest.tools/v3 v3.5.2
 	stash.kopano.io/kgol/rndm v1.1.2
 )
@@ -116,9 +121,11 @@ require (
 require (
 	contrib.go.opencensus.io/exporter/prometheus v0.4.2 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/BurntSushi/toml v1.5.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.4.0 // indirect
 	github.com/Masterminds/sprig v2.22.0+incompatible // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/ProtonMail/go-crypto v1.1.5 // indirect
@@ -127,19 +134,19 @@ require (
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/alexedwards/argon2id v1.0.0 // indirect
 	github.com/amoghe/go-crypt v0.0.0-20220222110647-20eada5f5964 // indirect
+	github.com/antithesishq/antithesis-sdk-go v0.4.3-default-no-op // indirect
 	github.com/armon/go-radix v1.0.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go v1.55.7 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bitly/go-simplejson v0.5.0 // indirect
 	github.com/bits-and-blooms/bitset v1.22.0 // indirect
-	github.com/blevesearch/bleve_index_api v1.2.8 // indirect
-	github.com/blevesearch/geo v0.2.3 // indirect
-	github.com/blevesearch/go-faiss v1.0.25 // indirect
+	github.com/blevesearch/bleve_index_api v1.2.11 // indirect
+	github.com/blevesearch/geo v0.2.4 // indirect
+	github.com/blevesearch/go-faiss v1.0.26 // indirect
 	github.com/blevesearch/go-porterstemmer v1.0.3 // indirect
 	github.com/blevesearch/gtreap v0.1.1 // indirect
 	github.com/blevesearch/mmap-go v1.0.4 // indirect
-	github.com/blevesearch/scorch_segment_api/v2 v2.3.10 // indirect
+	github.com/blevesearch/scorch_segment_api/v2 v2.3.13 // indirect
 	github.com/blevesearch/segment v0.9.1 // indirect
 	github.com/blevesearch/snowballstem v0.9.0 // indirect
 	github.com/blevesearch/upsidedown_store_api v1.0.2 // indirect
@@ -149,32 +156,47 @@ require (
 	github.com/blevesearch/zapx/v13 v13.4.2 // indirect
 	github.com/blevesearch/zapx/v14 v14.4.2 // indirect
 	github.com/blevesearch/zapx/v15 v15.4.2 // indirect
-	github.com/blevesearch/zapx/v16 v16.2.4 // indirect
+	github.com/blevesearch/zapx/v16 v16.2.7 // indirect
 	github.com/bluele/gcache v0.0.2 // indirect
 	github.com/bombsimon/logrusr/v3 v3.1.0 // indirect
-	github.com/cenkalti/backoff/v5 v5.0.2 // indirect
-	github.com/ceph/go-ceph v0.34.0 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
+	github.com/ceph/go-ceph v0.36.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cevaris/ordered_map v0.0.0-20190319150403-3adeae072e73 // indirect
+	github.com/clipperhouse/displaywidth v0.3.1 // indirect
+	github.com/clipperhouse/stringish v0.1.1 // indirect
+	github.com/clipperhouse/uax29/v2 v2.2.0 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/containerd/platforms v1.0.0-rc.1 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
-	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
+	github.com/coreos/go-systemd/v22 v22.6.0 // indirect
 	github.com/cornelk/hashmap v1.0.8 // indirect
+	github.com/cpuguy83/dockercfg v0.3.2 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
 	github.com/crewjam/httperr v0.2.0 // indirect
 	github.com/crewjam/saml v0.4.14 // indirect
 	github.com/cyphar/filepath-securejoin v0.3.6 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/deckarep/golang-set v1.8.0 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
 	github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f // indirect
 	github.com/dgraph-io/ristretto v0.2.0 // indirect
 	github.com/dgryski/go-farm v0.0.0-20240924180020-3414d57e47da // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/distribution/reference v0.6.0 // indirect
 	github.com/dlclark/regexp2 v1.4.0 // indirect
+	github.com/docker/docker v28.3.3+incompatible // indirect
+	github.com/docker/go-connections v0.6.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/ebitengine/purego v0.8.4 // indirect
 	github.com/egirna/icap v0.0.0-20181108071049-d5ee18bd70bc // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/emvi/iso-639-1 v1.1.0 // indirect
+	github.com/emvi/iso-639-1 v1.1.1 // indirect
 	github.com/evanphx/json-patch/v5 v5.5.0 // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
@@ -186,8 +208,7 @@ require (
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
 	github.com/go-git/go-git/v5 v5.13.2 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-kit/log v0.2.1 // indirect
 	github.com/go-logfmt/logfmt v0.5.1 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
@@ -195,6 +216,7 @@ require (
 	github.com/go-micro/plugins/v4/events/natsjs v1.2.2 // indirect
 	github.com/go-micro/plugins/v4/store/nats-js v1.2.1 // indirect
 	github.com/go-micro/plugins/v4/store/redis v1.2.1 // indirect
+	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-redis/redis/v8 v8.11.5 // indirect
@@ -203,149 +225,178 @@ require (
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/go-test/deep v1.1.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gobwas/httphead v0.1.0 // indirect
 	github.com/gobwas/pool v0.2.1 // indirect
 	github.com/gobwas/ws v1.2.1 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
-	github.com/goccy/go-yaml v1.12.0 // indirect
-	github.com/gofrs/flock v0.12.1 // indirect
+	github.com/goccy/go-yaml v1.18.0 // indirect
+	github.com/gofrs/flock v0.13.0 // indirect
+	github.com/gofrs/uuid v4.4.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/snappy v0.0.4 // indirect
-	github.com/gomodule/redigo v1.9.2 // indirect
+	github.com/gomodule/redigo v1.9.3 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/go-tpm v0.9.5 // indirect
+	github.com/google/go-tpm v0.9.6 // indirect
 	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
-	github.com/google/renameio/v2 v2.0.0 // indirect
-	github.com/gookit/color v1.5.4 // indirect
-	github.com/gookit/goutil v0.6.18 // indirect
+	github.com/google/renameio/v2 v2.0.1 // indirect
+	github.com/gookit/goutil v0.7.1 // indirect
 	github.com/gorilla/handlers v1.5.1 // indirect
 	github.com/gorilla/schema v1.4.1 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
 	github.com/hashicorp/go-hclog v1.6.3 // indirect
-	github.com/hashicorp/go-plugin v1.6.3 // indirect
-	github.com/hashicorp/yamux v0.1.1 // indirect
+	github.com/hashicorp/go-plugin v1.7.0 // indirect
+	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/iancoleman/strcase v0.3.0 // indirect
 	github.com/imdario/mergo v0.3.15 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jonboulle/clockwork v0.5.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/juliangruber/go-intersect v1.1.0 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.11 // indirect
+	github.com/klauspost/crc32 v1.3.0 // indirect
+	github.com/kovidgoyal/go-parallel v1.0.1 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.4 // indirect
+	github.com/lestrrat-go/dsig v1.0.0 // indirect
+	github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/httprc/v3 v3.0.1 // indirect
+	github.com/lestrrat-go/jwx/v3 v3.0.11 // indirect
+	github.com/lestrrat-go/option v1.0.1 // indirect
+	github.com/lestrrat-go/option/v2 v2.0.0 // indirect
 	github.com/libregraph/oidc-go v1.1.0 // indirect
 	github.com/longsleep/go-metrics v1.0.0 // indirect
 	github.com/longsleep/rndm v1.2.0 // indirect
+	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
+	github.com/magiconair/properties v1.8.10 // indirect
 	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.16 // indirect
-	github.com/mattn/go-sqlite3 v1.14.28 // indirect
+	github.com/mattn/go-runewidth v0.0.19 // indirect
+	github.com/mattn/go-sqlite3 v1.14.32 // indirect
 	github.com/maxymania/go-system v0.0.0-20170110133659-647cc364bf0b // indirect
 	github.com/mendsley/gojwk v0.0.0-20141217222730-4d5ec6e58103 // indirect
 	github.com/miekg/dns v1.1.57 // indirect
 	github.com/mileusna/useragent v1.3.5 // indirect
-	github.com/minio/crc64nvme v1.0.1 // indirect
+	github.com/minio/crc64nvme v1.1.0 // indirect
 	github.com/minio/highwayhash v1.0.3 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
-	github.com/minio/minio-go/v7 v7.0.94 // indirect
+	github.com/minio/minio-go/v7 v7.0.97 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/go-archive v0.1.0 // indirect
+	github.com/moby/patternmatcher v0.6.0 // indirect
+	github.com/moby/sys/sequential v0.6.0 // indirect
+	github.com/moby/sys/user v0.4.0 // indirect
+	github.com/moby/sys/userns v0.1.0 // indirect
+	github.com/moby/term v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/mschoch/smat v0.2.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/nats-io/jwt/v2 v2.7.4 // indirect
+	github.com/nats-io/jwt/v2 v2.8.0 // indirect
 	github.com/nats-io/nkeys v0.4.11 // indirect
 	github.com/nats-io/nuid v1.0.1 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
-	github.com/olekukonko/errors v0.0.0-20250405072817-4e6d85265da6 // indirect
-	github.com/olekukonko/ll v0.0.8 // indirect
+	github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect
+	github.com/olekukonko/errors v1.1.0 // indirect
+	github.com/olekukonko/ll v0.1.2 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c // indirect
 	github.com/pablodz/inotifywaitgo v0.0.9 // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58 // indirect
-	github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c // indirect
+	github.com/philhofer/fwd v1.2.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.15 // indirect
 	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/pquerna/cachecontrol v0.2.0 // indirect
-	github.com/prometheus/alertmanager v0.28.1 // indirect
+	github.com/prometheus/alertmanager v0.29.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/prometheus/common v0.67.1 // indirect
+	github.com/prometheus/procfs v0.17.0 // indirect
 	github.com/prometheus/statsd_exporter v0.22.8 // indirect
-	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
-	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 // indirect
 	github.com/rs/xid v1.6.0 // indirect
 	github.com/russellhaering/goxmldsig v1.5.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/segmentio/kafka-go v0.4.48 // indirect
+	github.com/rwcarlsen/goexif v0.0.0-20190401172101-9e8deecbddbd // indirect
+	github.com/samber/lo v1.51.0 // indirect
+	github.com/samber/slog-common v0.19.0 // indirect
+	github.com/samber/slog-zerolog/v2 v2.9.0 // indirect
+	github.com/segmentio/asm v1.2.0 // indirect
+	github.com/segmentio/kafka-go v0.4.49 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
 	github.com/sercand/kuberesolver/v5 v5.1.1 // indirect
-	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+	github.com/sergi/go-diff v1.4.0 // indirect
 	github.com/sethvargo/go-diceware v0.5.0 // indirect
 	github.com/sethvargo/go-password v0.3.1 // indirect
-	github.com/shamaton/msgpack/v2 v2.2.3 // indirect
+	github.com/shamaton/msgpack/v2 v2.4.0 // indirect
+	github.com/shirou/gopsutil/v4 v4.25.6 // indirect
 	github.com/shurcooL/httpfs v0.0.0-20230704072500-f1e31cf0ba5c // indirect
 	github.com/shurcooL/vfsgen v0.0.0-20230704071429-0000e147ea92 // indirect
 	github.com/skeema/knownhosts v1.3.0 // indirect
 	github.com/spacewander/go-suffix-tree v0.0.0-20191010040751-0865e368c784 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/studio-b12/gowebdav v0.9.0 // indirect
-	github.com/tchap/go-patricia/v2 v2.3.2 // indirect
+	github.com/tchap/go-patricia/v2 v2.3.3 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tinylib/msgp v1.3.0 // indirect
+	github.com/tklauser/go-sysconf v0.3.14 // indirect
+	github.com/tklauser/numcpus v0.8.0 // indirect
 	github.com/toorop/go-dkim v0.0.0-20201103131630-e1cd1a0a5208 // indirect
 	github.com/trustelem/zxcvbn v1.0.1 // indirect
-	github.com/vektah/gqlparser/v2 v2.5.28 // indirect
+	github.com/valyala/fastjson v1.6.4 // indirect
+	github.com/vektah/gqlparser/v2 v2.5.30 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/wk8/go-ordered-map v1.0.0 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
-	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
-	go.etcd.io/etcd/api/v3 v3.6.2 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.6.2 // indirect
-	go.etcd.io/etcd/client/v3 v3.6.2 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	go.etcd.io/etcd/api/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/client/v3 v3.6.5 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect
-	go.opentelemetry.io/otel/metric v1.37.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.7.0 // indirect
-	go.uber.org/automaxprocs v1.6.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 // indirect
+	go.opentelemetry.io/otel/metric v1.38.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.7.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/mod v0.25.0 // indirect
-	golang.org/x/sys v0.34.0 // indirect
-	golang.org/x/time v0.12.0 // indirect
-	golang.org/x/tools v0.34.0 // indirect
-	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/time v0.14.0 // indirect
+	golang.org/x/tools v0.38.0 // indirect
 	google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250929231259-57b25ae835d4 // indirect
 	gopkg.in/cenkalti/backoff.v1 v1.1.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
+	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 
 replace github.com/studio-b12/gowebdav => github.com/kobergj/gowebdav v0.0.0-20250102091030-aa65266db202
 
-replace github.com/egirna/icap-client => github.com/fschade/icap-client v0.0.0-20240802074440-aade4a234387
-
 replace github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240611112133-abc838fb797c
 
 replace go-micro.dev/v4 => github.com/butonic/go-micro/v4 v4.11.1-0.20241115112658-b5d4de5ed9b3
@@ -355,3 +406,6 @@ replace go-micro.dev/v4 => github.com/butonic/go-micro/v4 v4.11.1-0.202411151126
 exclude github.com/mattn/go-sqlite3 v2.0.3+incompatible
 
 replace github.com/go-micro/plugins/v4/store/nats-js-kv => github.com/opencloud-eu/go-micro-plugins/v4/store/nats-js-kv v0.0.0-20250512152754-23325793059a
+
+// to get the logger injection (https://github.com/pablodz/inotifywaitgo/pull/11)
+replace github.com/pablodz/inotifywaitgo v0.0.9 => github.com/opencloud-eu/inotifywaitgo v0.0.0-20251111171128-a390bae3c5e9