diff --git a/bosh/opsfiles/api-defaults.yml b/bosh/opsfiles/api-defaults.yml
index f78fb211..df97a3bd 100644
--- a/bosh/opsfiles/api-defaults.yml
+++ b/bosh/opsfiles/api-defaults.yml
@@ -12,7 +12,7 @@
 
 - type: replace
   path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/min_recommended_cli_version?
-  value: 7.7.1
+  value: 8.9.0
 
 
 - type: replace
diff --git a/bosh/opsfiles/clients.yml b/bosh/opsfiles/clients.yml
index 27a6e374..0a7d3f1e 100644
--- a/bosh/opsfiles/clients.yml
+++ b/bosh/opsfiles/clients.yml
@@ -155,6 +155,20 @@
     name: opensearch-dashboards-proxy-ci-secret
     type: password
 
+- type: replace
+  path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/clients/opensearch-ci-cf-read-only?
+  value:
+    override: true
+    authorized-grant-types: client_credentials
+    authorities: scim.read,cloud_controller.global_auditor
+    secret: ((opensearch-ci-cf-read-only-secret))
+
+- type: replace
+  path: /variables/-
+  value:
+    name: opensearch-ci-cf-read-only-secret
+    type: password
+
 - type: replace
   path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/clients/opensearch_dashboards_proxy?
   value:
diff --git a/bosh/opsfiles/users.yml b/bosh/opsfiles/users.yml
index ec23dc65..fb938b69 100644
--- a/bosh/opsfiles/users.yml
+++ b/bosh/opsfiles/users.yml
@@ -25,4 +25,18 @@
   path: /variables/-
   value:
     name: autoscaler-password
+    type: password
+
+# Sandbox Bot user
+# Note: this user is used by the acceptance tests, the sandbox-bot client is used inside the app and doesn't need the higher level of permissions
+- type: replace
+  path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/scim/users/-
+  value:
+    name: sandbox-bot-user
+    password: ((sandbox-bot-password))
+    groups: [openid, cloud_controller.admin, scim.read, scim.write]
+- type: replace
+  path: /variables/-
+  value:
+    name: sandbox-bot-password
     type: password
\ No newline at end of file
diff --git a/ci/test-space-egress/requirements.txt b/ci/test-space-egress/requirements.txt
index e3c67c04..e69c77dd 100644
--- a/ci/test-space-egress/requirements.txt
+++ b/ci/test-space-egress/requirements.txt
@@ -6,7 +6,7 @@ charset-normalizer==2.0.4
 click==8.0.1
 fastapi==0.115.4
 furl==2.1.3
-h11==0.12.0
+h11==0.16.0
 idna==3.7
 mypy-extensions==0.4.3
 orderedmultidict==1.0.1
diff --git a/ci/uaa-client-audit.sh b/ci/uaa-client-audit.sh
index 3dec814f..9bb320ee 100755
--- a/ci/uaa-client-audit.sh
+++ b/ci/uaa-client-audit.sh
@@ -50,7 +50,7 @@ uaapaginate() {
 # Get known clients from broker
 service_label="cloud-gov-identity-provider"
 
-service_guid=$(cfcurl "/v3/service_offerings?names=${service_label}" | jq -r '.resources[0].guid')
+service_guid=$(cfcurl "${CF_API_URL}/v3/service_offerings?names=${service_label}" | jq -r '.resources[0].guid')
 service_plan_guids=$(paginate "/v3/service_plans?service_offering_guids=${service_guid}" ".resources[].guid")
 
 service_plan_list=$(echo "${service_plan_guids}" | paste -sd "," -)