diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
deleted file mode 100644
index fa821d3b9..000000000
--- a/.github/FUNDING.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-github: [cryptomator]
-custom: https://cryptomator.org/sponsors/
diff --git a/.github/ISSUE_TEMPLATE/bug.yml b/.github/ISSUE_TEMPLATE/bug.yml
index 2c28f94d9..2d97ef254 100644
--- a/.github/ISSUE_TEMPLATE/bug.yml
+++ b/.github/ISSUE_TEMPLATE/bug.yml
@@ -1,6 +1,6 @@
 name: Bug Report
 description: Create a report to help us improve
-labels: ["type:bug"]
+type: "Bug"
 body:
   - type: checkboxes
     id: terms
diff --git a/.github/ISSUE_TEMPLATE/feature.yml b/.github/ISSUE_TEMPLATE/feature.yml
index 52c8c535c..c59ae735f 100644
--- a/.github/ISSUE_TEMPLATE/feature.yml
+++ b/.github/ISSUE_TEMPLATE/feature.yml
@@ -1,6 +1,6 @@
 name: Feature Request
 description: Suggest an idea for this project
-labels: ["type:feature-request"]
+type: "Feature"
 body:
   - type: checkboxes
     id: terms
diff --git a/.github/ISSUE_TEMPLATE/story.md b/.github/ISSUE_TEMPLATE/story.md
new file mode 100644
index 000000000..db91f8c49
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/story.md
@@ -0,0 +1,23 @@
+---
+name: Story
+about: Persona needs for purpose.
+title: "[Story]"
+labels: ''
+assignees: ''
+
+---
+
+### Story
+* **Persona**:
+* **Need**: 
+* **Purpose**:
+
+
+### Acceptance Criteria
+- [ ]
+
+### Open Questions
+
+### Context
+
+### Implementation
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6fa8c388d..bc0b88069 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -18,14 +18,29 @@ jobs:
     name: Run Tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'
           cache-dependency-path: frontend/package-lock.json
+      # / katta start addition
+      - uses: actions/setup-java@v5
+        with:
+          distribution: 'temurin'
+          java-version: ${{ env.JAVA_VERSION }}
+          cache: 'maven'
+      - name: Generate openapi.json
+        working-directory: backend
+        run: >
+          mvn -B clean compile quarkus:build -P generate-openapi-json
+      - name: Check openapi.json
+        working-directory: backend
+        run: >
+          cat ../frontend/src/openapi/openapi.json
+      # \ katta end addition
       - name: NPM install
         working-directory: frontend
         run: npm ci --ignore-scripts
@@ -35,48 +50,86 @@ jobs:
       - name: Deploy frontend
         working-directory: frontend
         run: npm run dist
-      - name: SonarCloud Scan Frontend
-        uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6.0.0
-        with:
-          projectBaseDir: frontend
-          args: >
-            -Dsonar.organization=cryptomator
-            -Dsonar.projectKey=cryptomator_hub_frontend
-            -Dsonar.typescript.tsconfigPath=tsconfig.json
-            -Dsonar.sources=src/
-            -Dsonar.tests=test/
-            -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-      - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
+      # / katta start commented out
+      #      - name: SonarCloud Scan Frontend
+      #        uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 # v7.0.0
+      #        with:
+      #          projectBaseDir: frontend
+      #          args: >
+      #            -Dsonar.organization=cryptomator
+      #            -Dsonar.projectKey=cryptomator_hub_frontend
+      #            -Dsonar.typescript.tsconfigPath=tsconfig.json
+      #            -Dsonar.sources=src/
+      #            -Dsonar.tests=test/
+      #            -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info
+      #        env:
+      #          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
+      #          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      # \ katta start commented out
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
           distribution: 'temurin'
           java-version: ${{ env.JAVA_VERSION }}
           cache: 'maven'
-      - name: Cache SonarCloud packages
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-        with:
-          path: ~/.sonar/cache
-          key: ${{ runner.os }}-sonar
-          restore-keys: ${{ runner.os }}-sonar
+      # / katta start commented out
+      #      - name: Cache SonarCloud packages
+      #        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      #        with:
+      #          path: ~/.sonar/cache
+      #          key: ${{ runner.os }}-sonar
+      #          restore-keys: ${{ runner.os }}-sonar
+      # \ katta start commented out
       - name: Build and test backend
         working-directory: backend
         run: >
           ./mvnw -B clean verify
-          org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
-          -Dsonar.projectKey=cryptomator_hub_backend
-          -Dsonar.organization=cryptomator
-          -Dsonar.host.url=https://sonarcloud.io
+          # / katta start commented out
+          #          org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
+          #          -Dsonar.projectKey=cryptomator_hub_backend
+          #          -Dsonar.organization=cryptomator
+          #          -Dsonar.host.url=https://sonarcloud.io
+          # \ katta start commented out
           --no-transfer-progress
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      # / katta addition
+      - id: get_tag
+        name: Get tag
+        working-directory: backend
+        run: |
+          if [[ ! -z "${{ inputs.tag }}" ]]; then
+            TAG="${{ inputs.tag }}"
+          elif [[ ${{ github.ref_type }} == 'tag' ]]; then
+            TAG="${{ github.ref_name }}"
+          # / katta start modification
+          elif [[ ${{ github.ref_name  }} == ${{ github.event.repository.default_branch }} ]]; then
+            TAG=$(./mvnw help:evaluate -Dexpression=project.version -q -DforceStdout)
+          else
+            TAG="commit-${{ github.sha }}"
+          fi
+          # \ katta end modification
+          echo tag=${TAG}
+          echo tag=${TAG} >> "$GITHUB_OUTPUT"
+      - name: Build and push container image (ci)
+        working-directory: backend
+        run: ./mvnw -B clean package -DskipTests
+        env:
+          QUARKUS_JIB_PLATFORMS: linux/amd64,linux/arm64/v8
+          QUARKUS_CONTAINER_IMAGE_TAG: ${{ steps.get_tag.outputs.tag }}-ci
+          QUARKUS_CONTAINER_IMAGE_BUILD: true
+          QUARKUS_CONTAINER_IMAGE_PUSH: true
+          QUARKUS_CONTAINER_IMAGE_REGISTRY: ghcr.io
+          QUARKUS_CONTAINER_IMAGE_USERNAME: ${{ github.actor }}
+          QUARKUS_CONTAINER_IMAGE_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+      # \ katta addition
 
   build-native-image:
     name: Build and Push ${{ matrix.arch }} Image
     needs: test
-    if: startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[build image]')
+    # / katta start commented out - build every commit
+    # if: startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[build image]')
+    # \ katta end commented out
     strategy:
       fail-fast: false
       matrix:
@@ -92,15 +145,34 @@ jobs:
       digest_amd64: ${{ steps.digest.outputs.digest_amd64 }}
       digest_arm64: ${{ steps.digest.outputs.digest_arm64 }}
     permissions:
-      contents: read
-      packages: write
+      contents: read # Required for checkout
+      packages: write # Required for pushing the image to GHCR
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'
           cache-dependency-path: frontend/package-lock.json
+      # / katta addition
+      - id: get_tag
+        name: get tag
+        working-directory: backend
+        run: |
+          if [[ ! -z "${{ inputs.tag }}" ]]; then
+            TAG="${{ inputs.tag }}"
+          elif [[ ${{ github.ref_type }} == 'tag' ]]; then
+            TAG="${{ github.ref_name }}"
+          # / katta start modification
+          elif [[ ${{ github.ref_name  }} == ${{ github.event.repository.default_branch }} ]]; then
+            TAG=$(./mvnw help:evaluate -Dexpression=project.version -q -DforceStdout)
+          else
+            TAG="commit-${{ github.sha }}"
+          fi
+          # \ katta end modification
+          echo tag=${TAG}
+          echo tag=${TAG} >> "$GITHUB_OUTPUT"
+        # \ katta addition
       - name: NPM install
         working-directory: frontend
         run: npm ci --ignore-scripts
@@ -109,30 +181,37 @@ jobs:
         run: npm run dist
       - name: Ensure to use tagged version
         working-directory: backend
-        run: ./mvnw versions:set --file pom.xml -DnewVersion=${GITHUB_REF##*/}
+        # / katta modification
+        #run: ./mvnw versions:set --file pom.xml -DnewVersion=${GITHUB_REF##*/}
+        run: ./mvnw versions:set --file pom.xml -DnewVersion=${{ steps.get_tag.outputs.tag }}
+        # \ katta modification
       - name: Docker metadata
         id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
         with:
-          images: ghcr.io/cryptomator/hub
+          images: ghcr.io/shift7-ch/katta-server
+          # / katta modification
           tags: |
             type=sha,prefix=,format=short
+            type=raw,value=${{ steps.get_tag.outputs.tag }}
+            type=raw,value=latest,enable={{is_default_branch}}
+          # \ katta modification
           flavor: |
             suffix=-${{ matrix.arch }}
           labels: |
-            org.opencontainers.image.title=Cryptomator Hub
-            org.opencontainers.image.vendor=Skymatic GmbH
+            org.opencontainers.image.title=Katta Server
+            org.opencontainers.image.vendor=Shift 7 GmbH
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
       - name: Login to GHCR
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and Push Container Image
         id: push
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: backend
           file: backend/src/main/docker/Dockerfile.native
@@ -145,42 +224,63 @@ jobs:
         run: |
           echo "digest_${{ matrix.arch }}=${{ steps.push.outputs.digest }}" >> "$GITHUB_OUTPUT"
 
+
+
   multi-arch-image:
     name: Build and Push Multi-Arch Image
     needs: build-native-image
     runs-on: ubuntu-latest
     permissions:
-      id-token: write
-      contents: read
-      attestations: write
-      packages: write
+      contents: read # Required for checkout
+      id-token: write # Required for the attestations step
+      attestations: write # Required for the attestations step
+      artifact-metadata: write # Required for the attestations step
+      packages: write # Required for pushing the image to GHCR
     steps:
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
       - name: Determine short Commit SHA
         id: sha
         run: echo "short_sha=${LONG_SHA:0:7}" >> "$GITHUB_OUTPUT"
         env:
           LONG_SHA: ${{ github.sha }}
       - name: Login to GHCR
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Create Multi-Arch Manifest for ghcr.io/cryptomator/hub:${{ steps.sha.outputs.short_sha }}
+      - name: Create Multi-Arch Manifest for ghcr.io/shift7-ch/katta-server:${{ steps.sha.outputs.short_sha }}
         run: >
-          docker buildx imagetools create --tag ghcr.io/cryptomator/hub:${{ steps.sha.outputs.short_sha }}
-          ghcr.io/cryptomator/hub@${{ needs.build-native-image.outputs.digest_amd64 }}
-          ghcr.io/cryptomator/hub@${{ needs.build-native-image.outputs.digest_arm64 }}
+          docker buildx imagetools create --tag ghcr.io/shift7-ch/katta-server:${{ steps.sha.outputs.short_sha }}
+          ghcr.io/shift7-ch/katta-server@${{ needs.build-native-image.outputs.digest_amd64 }}
+          ghcr.io/shift7-ch/katta-server@${{ needs.build-native-image.outputs.digest_arm64 }}
       - name: Retrieve Multi-Arch Digest
         id: inspect
         run: |
-          DIGEST=$(docker buildx imagetools inspect ghcr.io/cryptomator/hub:${{ steps.sha.outputs.short_sha }} --format "{{json .Manifest}}" | jq -r .digest)
+          DIGEST=$(docker buildx imagetools inspect ghcr.io/shift7-ch/katta-server:${{ steps.sha.outputs.short_sha }} --format "{{json .Manifest}}" | jq -r .digest)
           echo "digest_multiarch=${DIGEST}" >> "$GITHUB_OUTPUT"
       - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
         with:
-          subject-name: ghcr.io/cryptomator/hub
+          subject-name: ghcr.io/shift7-ch/katta-server
           subject-digest: ${{ steps.inspect.outputs.digest_multiarch }}
           push-to-registry: true
+
+# / katta start addition
+  keycloak-integrationtests:
+    name: Run katta Keycloak Integration Tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+
+      - uses: actions/setup-java@v5
+        with:
+          distribution: 'temurin'
+          java-version: ${{ env.JAVA_VERSION }}
+          cache: 'maven'
+      - name: Run Keycloak integration tests
+        working-directory: keycloak
+        run: >
+          mvn -B clean verify
+# \ katta end addition
\ No newline at end of file
diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml
new file mode 100644
index 000000000..fed2005a1
--- /dev/null
+++ b/.github/workflows/helm-chart.yml
@@ -0,0 +1,135 @@
+name: Helm Chart
+
+on:
+  push:
+    paths:
+      - charts/cryptomator-hub/**
+      - .github/workflows/helm-chart.yml
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Chart Version'
+        required: true
+      appVersion:
+        description: 'App Version'
+        required: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  lint:
+    name: Lint Helm Chart
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # Required for checkout
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup Helm
+        uses: Azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
+
+      - name: Lint chart
+        run: helm lint charts/cryptomator-hub
+
+  publish:
+    name: Publish Helm Chart
+    needs: lint
+    if: github.event_name == 'workflow_dispatch' || startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[build image]') || contains(github.event.head_commit.message, '[build chart]')
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # Required for checkout
+      id-token: write # Required for the attestations step
+      attestations: write # Required for the attestations step
+      artifact-metadata: write # Required for the attestations step
+      packages: write # Required for pushing the chart to GHCR
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup Helm
+        uses: Azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
+
+      - name: Setup Cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+      - name: Compute publish version
+        id: version
+        run: |
+          set -euo pipefail
+          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
+            echo "publish_version=${{ github.event.inputs.version }}" >> "$GITHUB_OUTPUT"
+            echo "publish_app_version=${{ github.event.inputs.appVersion }}" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          chart_file="charts/cryptomator-hub/Chart.yaml"
+          base_version=$(awk -F': ' '/^version:/ {print $2}' "$chart_file")
+          base_app_version=$(awk -F': ' '/^appVersion:/ {print $2}' "$chart_file" | tr -d '"')
+
+          if [[ -z "$base_version" ]]; then
+            echo "Unable to read chart version from $chart_file" >&2
+            exit 1
+          fi
+
+          if [[ "${GITHUB_REF_TYPE}" == "tag" ]]; then
+            publish_version="$base_version"
+          else
+            short_sha="${GITHUB_SHA::7}"
+            branch_slug=$(echo "${GITHUB_REF_NAME}" | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9.-]+/-/g; s/^-+//; s/-+$//')
+            publish_version="${base_version}-${branch_slug}.${short_sha}"
+          fi
+
+          echo "publish_version=${publish_version}" >> "$GITHUB_OUTPUT"
+          echo "publish_app_version=${base_app_version}" >> "$GITHUB_OUTPUT"
+
+      - name: Package chart
+        run: |
+          mkdir -p dist
+          helm package charts/cryptomator-hub \
+            --destination dist \
+            --version "${{ steps.version.outputs.publish_version }}" \
+            --app-version "${{ steps.version.outputs.publish_app_version }}"
+
+      - name: Login to GHCR
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: "Helm Registry: Login to GHCR"
+        run: echo "$GITHUB_TOKEN" | helm registry login ghcr.io --username "${{ github.actor }}" --password-stdin
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push chart to GHCR
+        id: push
+        run: |
+          set -euo pipefail
+          push_output=$(helm push "dist/cryptomator-hub-${{ steps.version.outputs.publish_version }}.tgz" "oci://ghcr.io/cryptomator/charts" 2>&1)
+          echo "$push_output"
+
+          digest=$(printf '%s\n' "$push_output" | grep -Eo 'sha256:[0-9a-fA-F]{64}' | tail -n1 || true)
+          if [[ -z "$digest" ]]; then
+            echo "Failed to extract chart digest from helm push output" >&2
+            echo "Raw helm push output:" >&2
+            echo "$push_output" >&2
+            exit 1
+          fi
+
+          echo "chart_digest=$digest" >> "$GITHUB_OUTPUT"
+
+      - name: Sign chart with cosign (keyless)
+        run: |
+          set -euo pipefail
+          cosign sign --yes "ghcr.io/cryptomator/charts/cryptomator-hub@${{ steps.push.outputs.chart_digest }}"
+
+      - name: Generate artifact attestation
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+        with:
+          subject-name: "ghcr.io/cryptomator/charts/cryptomator-hub"
+          subject-digest: ${{ steps.push.outputs.chart_digest }}
+          push-to-registry: true
diff --git a/.github/workflows/keycloak.yml b/.github/workflows/keycloak.yml
index 666a5b2fc..5f6476cbd 100644
--- a/.github/workflows/keycloak.yml
+++ b/.github/workflows/keycloak.yml
@@ -9,6 +9,9 @@ on:
 
 env:
   NODE_VERSION: 22
+  # / cipherduck start addition
+  JAVA_VERSION: 22
+  # \ cipherduck end addition
 
 defaults:
   run:
@@ -19,45 +22,65 @@ jobs:
     name: Build Custom Keycloak Image
     runs-on: ubuntu-latest
     permissions:
-      id-token: write
-      contents: read
-      attestations: write
-      packages: write
+      contents: read # Required for checkout
+      id-token: write # Required for the attestations step
+      attestations: write # Required for the attestations step
+      artifact-metadata: write # Required for the attestations step
+      packages: write # Required for pushing the image to GHCR
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'
-          cache-dependency-path: keycloak/themes/cryptomator/common/resources/package-lock.json
+          # / cipherduck start modification
+          cache-dependency-path: keycloak/themes/katta/common/resources/package-lock.json
+          # \ cipherduck end modification
       - name: Install Dependencies
-        working-directory: keycloak/themes/cryptomator/common/resources
+        # / cipherduck start modification
+        working-directory: keycloak/themes/katta/common/resources
+        # \ cipherduck end modification
         run: npm install
       - name: Build Theme
-        working-directory: keycloak/themes/cryptomator/common/resources
+        # / cipherduck start modification
+        working-directory: keycloak/themes/katta/common/resources
+        # \ cipherduck end modification
         run: npm run build
+      # / katta start addition
+      - uses: actions/setup-java@v5
+        with:
+          distribution: 'temurin'
+          java-version: ${{ env.JAVA_VERSION }}
+          cache: 'maven'
+      - name: Generate and test token exchange spi
+        working-directory: keycloak
+        run: >
+          mvn -B clean verify
+      # \ katta end addition
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
       - name: Login to GHCR
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and Push Container Image
         id: push
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: keycloak
           platforms: linux/amd64,linux/arm64
           push: true
+          # / katta start modification
           tags: |
-            ghcr.io/cryptomator/keycloak:${{ github.event.inputs.tag }}
+            ghcr.io/shift7-ch/keycloak:${{ github.event.inputs.tag }}
+          # \ katta end modification
       - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
         with:
-          subject-name: ghcr.io/cryptomator/keycloak
+          subject-name: ghcr.io/shift7-ch/keycloak
           subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
\ No newline at end of file
+          push-to-registry: true
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
index 458dcc3ed..c9a043631 100644
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@@ -18,16 +18,18 @@ jobs:
   tag:
     name: Tags an existing image
     runs-on: ubuntu-latest
+    permissions:
+      packages: write # Required for pushing the image to GHCR
     steps:
       - name: Pull image defined by digest
-        run: docker pull ghcr.io/cryptomator/hub@${{ github.event.inputs.digest}}
+        run: docker pull ghcr.io/shift7-ch/katta-server@${{ github.event.inputs.digest}}
       - name: Tag image in github registry
-        run: docker tag ghcr.io/cryptomator/hub@${{ github.event.inputs.digest}} ghcr.io/cryptomator/hub:${{ github.event.inputs.tag }}
+        run: docker tag ghcr.io/shift7-ch/katta-server@${{ github.event.inputs.digest}} ghcr.io/shift7-ch/katta-server:${{ github.event.inputs.tag }}
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Push tagged image
-        run: docker push ghcr.io/cryptomator/hub:${{ github.event.inputs.tag }}
\ No newline at end of file
+        run: docker push ghcr.io/shift7-ch/katta-server:${{ github.event.inputs.tag }}
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000..62c893550
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.idea/
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c0f0e550b..72bdef404 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,9 +7,32 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased](https://github.com/cryptomator/hub/compare/1.4.6...HEAD)
 
+### Added
+
+- User and group management (#376)
+- Emergency Access: Allow a council to restore access to a orphaned vault (#390)
+- Show pictures of the groups in the Vaults member list (#375)
+- Allow admins to archive and unarchive any vault (#283, #430)
+- Disable users to exclude them from license seat count (#427, #428)
+- Display a banner to indicate that legacy devices are still in use, since these will be removed in the next major release (#420)
+
 ### Changed
 
-- Updated Keycloak to 26.4.5
+- Updated Keycloak to 26.5.6
+- Update Quarkus to 3.27.3 LTS
+- Improved browser locale detection (#371)
+- Improved efficiency of keycloak-to-hub data sync (#377)
+- Improved efficiency of group-based access permission checks (#372)
+- Migrated aes-siv and base encoding libraries to [`@noble/ciphers`](https://github.com/paulmillr/noble-ciphers) and [`@scure/base`](https://github.com/paulmillr/scure-base/) (#373)
+
+### Security
+
+- CVE-2025-64756, CVE-2025-64118: removed `glob` and `tar` dependencies
+- CVE-2025-64718, CVE-2025-62522: updated `js-yaml` and `vite`
+
+### Fixed
+- Hide Archive/Reactivate Vault actions for admins without ownership rights (#379)
+- Creating user with sole role `create-vault` was unable to login due to missing role `user`
 
 ## [1.4.6](https://github.com/cryptomator/hub/compare/1.4.5...1.4.6)
 
diff --git a/README.md b/README.md
index 58efdc6dd..135cda44c 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,20 @@
-[![CI Build](https://github.com/cryptomator/hub/actions/workflows/build.yml/badge.svg)](https://github.com/cryptomator/hub/actions/workflows/build.yml)
+[![CI Build](https://github.com/shift7-ch/katta-server/actions/workflows/build.yml/badge.svg)](https://github.com/shift7-ch/katta-server/actions/workflows/build.yml)
 
-# Cryptomator Hub
+# Katta: the secure and easy way to work in teams
 
-Hub consists of these components:
+Katta bring zero-config storage management and zero-knowledge key management for teams and organizations.
+
+It easily integrates into your existing identity management incl. OpenID Connect, SAML, and LDAP.
+As usual, your favorite cloud service remains your free choice [^1].
+
+[^1]: Currently, we support AWS S3 and MinIO S3.
+
+Katta consists of Katta Server and Katta Client:
+
+* Katta Client is based on [Mountain Duck](https://mountainduck.io/),
+* Katta Server is based on [Cryptomator Hub](https://github.com/cryptomator/hub/).
+
+Katta Server consists of these components:
 
 ## Web Frontend
 
@@ -14,4 +26,11 @@ During development, run Quarkus from the `backend` dir as explained in [its READ
 
 ## Custom Keycloak Image
 
-We add a custom theme to the base keycloak image, as explained in [its README file](keycloak/README.md).:
\ No newline at end of file
+We add custom theme to the base keycloak image, as explained
+in [its README file](keycloak/README.md). We use [token-exchange-standard:v2](https://www.keycloak.org/securing-apps/token-exchange) as per [RFC 8693](https://www.rfc-editor.org/rfc/rfc8693.html).
+
+# Setup
+
+See [Katta Documentation → Setup Katta Server](https://github.com/shift7-ch/katta-docs/blob/main/SETUP_KATTA_SERVER.md).
+
+
diff --git a/backend/.gitignore b/backend/.gitignore
index 35e9ee6fe..da1e16343 100644
--- a/backend/.gitignore
+++ b/backend/.gitignore
@@ -45,4 +45,4 @@ nb-configuration.xml
 *.rej
 
 # Local environment
-.env
+.env
\ No newline at end of file
diff --git a/backend/.idea/codeStyles/Project.xml b/backend/.idea/codeStyles/Project.xml
index 909896660..412c01932 100644
--- a/backend/.idea/codeStyles/Project.xml
+++ b/backend/.idea/codeStyles/Project.xml
@@ -1,18 +1,43 @@
 <component name="ProjectCodeStyleConfiguration">
   <code_scheme name="Project" version="173">
+    <option name="AUTODETECT_INDENTS" value="false" />
     <option name="LINE_SEPARATOR" value="&#10;" />
     <option name="RIGHT_MARGIN" value="220" />
     <option name="FORMATTER_TAGS_ENABLED" value="true" />
     <JavaCodeStyleSettings>
+      <option name="VISIBILITY" value="packageLocal" />
+      <option name="NEW_LINE_WHEN_BODY_IS_PRESENTED" value="true" />
       <option name="CLASS_COUNT_TO_USE_IMPORT_ON_DEMAND" value="99" />
-      <option name="NAMES_COUNT_TO_USE_IMPORT_ON_DEMAND" value="5" />
+      <option name="NAMES_COUNT_TO_USE_IMPORT_ON_DEMAND" value="10" />
+      <option name="PACKAGES_TO_USE_IMPORT_ON_DEMAND">
+        <value>
+          <package name="java.lang.annotation.ElementType" withSubpackages="false" static="true" />
+          <package name="org.mockito.Mockito" withSubpackages="false" static="true" />
+        </value>
+      </option>
     </JavaCodeStyleSettings>
-    <SqlCodeStyleSettings version="6">
+    <SqlCodeStyleSettings version="7">
       <option name="INSERT_INTO_NL" value="2" />
       <option name="INSERT_VALUES_EL_LINE" value="101" />
       <option name="EXPR_CASE_WHEN_WRAP" value="false" />
     </SqlCodeStyleSettings>
     <codeStyleSettings language="JAVA">
+      <option name="RIGHT_MARGIN" value="500" />
+      <option name="RESOURCE_LIST_WRAP" value="1" />
+      <option name="TERNARY_OPERATION_WRAP" value="5" />
+      <option name="TERNARY_OPERATION_SIGNS_ON_NEXT_LINE" value="true" />
+      <option name="KEEP_SIMPLE_BLOCKS_IN_ONE_LINE" value="true" />
+      <option name="KEEP_SIMPLE_METHODS_IN_ONE_LINE" value="true" />
+      <option name="KEEP_SIMPLE_LAMBDAS_IN_ONE_LINE" value="true" />
+      <option name="KEEP_SIMPLE_CLASSES_IN_ONE_LINE" value="true" />
+      <option name="ARRAY_INITIALIZER_WRAP" value="5" />
+      <option name="ARRAY_INITIALIZER_RBRACE_ON_NEXT_LINE" value="true" />
+      <option name="IF_BRACE_FORCE" value="1" />
+      <option name="DOWHILE_BRACE_FORCE" value="3" />
+      <option name="WHILE_BRACE_FORCE" value="3" />
+      <option name="FOR_BRACE_FORCE" value="3" />
+      <option name="ENUM_CONSTANTS_WRAP" value="5" />
+      <option name="SOFT_MARGINS" value="220" />
       <indentOptions>
         <option name="USE_TAB_CHARACTER" value="true" />
       </indentOptions>
diff --git a/backend/.idea/inspectionProfiles/Project_Default.xml b/backend/.idea/inspectionProfiles/Project_Default.xml
index 146ab09b7..1a02b73a1 100644
--- a/backend/.idea/inspectionProfiles/Project_Default.xml
+++ b/backend/.idea/inspectionProfiles/Project_Default.xml
@@ -1,6 +1,7 @@
 <component name="InspectionProjectProfileManager">
   <profile version="1.0">
     <option name="myName" value="Project Default" />
+    <inspection_tool class="MarkedForRemoval" enabled="true" level="WARNING" enabled_by_default="true" editorAttributes="WARNING_ATTRIBUTES" />
     <inspection_tool class="SpellCheckingInspection" enabled="false" level="TYPO" enabled_by_default="false">
       <option name="processCode" value="true" />
       <option name="processLiterals" value="true" />
diff --git a/backend/README.md b/backend/README.md
index 835472084..40dd04ca7 100644
--- a/backend/README.md
+++ b/backend/README.md
@@ -7,6 +7,7 @@ If you want to learn more about Quarkus, please visit its website: https://quark
 ## Dev Mode
 
 You can run your application in dev mode that enables live coding using:
+
 ```shell script
 ./mvnw clean quarkus:dev
 ```
@@ -17,7 +18,6 @@ You can run your application in dev mode that enables live coding using:
 
 During development, Keycloak is started as a Quarkus Dev Service using port 8180. When using alternative ports, you can also find it via [http://localhost:8080/q/dev](http://localhost:8080/q/dev).
 
-
 ### Testing rest services via CLI:
 
 First, access the keycloak admin web console and activate direct access grants for the `cryptomator` realm.
@@ -48,12 +48,13 @@ Make sure a container engine is running (required to register the built image lo
 Then run this command to build the image:
 
 ```shell script
-docker build -f src/main/docker/Dockerfile.jvm -t ghcr.io/cryptomator/hub .
+docker build -f src/main/docker/Dockerfile.jvm -t ghcr.io/shift7-ch/katta-server .
 ```
 
 ### Building native images
 
 3x smaller but takes longer to build. Docker VM requires sufficient memory during the build:
+
 ```shell script
-docker build -f src/main/docker/Dockerfile.native -t ghcr.io/cryptomator/hub .
+docker build -f src/main/docker/Dockerfile.native -t ghcr.io/shift7-ch/katta-server .
 ```
diff --git a/backend/pom.xml b/backend/pom.xml
index e45647fd8..4247cabe7 100644
--- a/backend/pom.xml
+++ b/backend/pom.xml
@@ -1,23 +1,23 @@
 <?xml version="1.0"?>
 <project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-  <modelVersion>4.0.0</modelVersion>
-  <groupId>org.cryptomator</groupId>
-  <artifactId>hub-backend</artifactId>
-  <version>1.5.0-SNAPSHOT</version>
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>org.cryptomator</groupId>
+    <artifactId>hub-backend</artifactId>
+    <version>1.5.0-SNAPSHOT</version>
 
-  <properties>
-    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-    <project.jdk.version>21</project.jdk.version>
-    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <quarkus.platform.version>3.20.3</quarkus.platform.version>
-    <jwt.version>4.5.0</jwt.version>
-    <compiler-plugin.version>3.14.1</compiler-plugin.version>
-    <dependency-plugin.version>3.8.1</dependency-plugin.version>
-    <surefire-plugin.version>3.5.4</surefire-plugin.version>
-    <failsafe-plugin.version>3.5.4</failsafe-plugin.version>
-    <junit-tree-reporter.version>1.4.0</junit-tree-reporter.version>
-  </properties>
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <project.jdk.version>21</project.jdk.version>
+        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+        <quarkus.platform.version>3.27.3</quarkus.platform.version>
+        <jwt.version>4.5.1</jwt.version>
+        <compiler-plugin.version>3.15.0</compiler-plugin.version>
+        <dependency-plugin.version>3.10.0</dependency-plugin.version>
+        <surefire-plugin.version>3.5.5</surefire-plugin.version>
+        <failsafe-plugin.version>3.5.5</failsafe-plugin.version>
+        <junit-tree-reporter.version>1.5.1</junit-tree-reporter.version>
+    </properties>
 
   <dependencyManagement>
     <dependencies>
@@ -28,250 +28,326 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
+      <!-- / start katta extension -->
+      <!-- https://docs.quarkiverse.io/quarkus-amazon-services/dev/amazon-s3.html#_prerequisites -->
+      <dependency>
+        <groupId>io.quarkus.platform</groupId>
+        <artifactId>quarkus-bom</artifactId>
+        <version>${quarkus.platform.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+        <groupId>io.quarkus.platform</groupId>
+        <artifactId>quarkus-amazon-services-bom</artifactId>
+        <version>${quarkus.platform.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <!-- \ end katta extension -->
     </dependencies>
-  </dependencyManagement>
+    </dependencyManagement>
 
-  <dependencies>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-arc</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-smallrye-openapi</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-smallrye-health</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-container-image-jib</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-oidc</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-rest</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-rest-jackson</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-hibernate-orm-panache</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-hibernate-validator</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-jdbc-postgresql</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-flyway</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-rest-client-jackson</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-rest-client</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-keycloak-admin-rest-client</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-quartz</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-junit5</artifactId>
+    <dependencies>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-arc</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-smallrye-openapi</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-smallrye-health</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-container-image-jib</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-oidc</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-rest</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-rest-jackson</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-hibernate-orm-panache</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-hibernate-validator</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-jdbc-postgresql</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-flyway</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-rest-client-jackson</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-rest-client</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-keycloak-admin-rest-client</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-quartz</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-junit5</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-junit5-mockito</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.github.coffeelibs</groupId>
+      <artifactId>tiny-oauth2-client</artifactId>
+      <version>0.8.1</version>
       <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-junit5-mockito</artifactId>
+      <groupId>org.htmlunit</groupId>
+      <artifactId>htmlunit</artifactId>
+      <version>4.2.0</version>
       <scope>test</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>org.eclipse.jetty</groupId>
+          <artifactId>*</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>io.rest-assured</groupId>
-      <artifactId>rest-assured</artifactId>
-      <scope>test</scope>
+            <artifactId>rest-assured</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-test-security-oidc</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-panache-mock</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.auth0</groupId>
+            <artifactId>java-jwt</artifactId>
+            <version>${jwt.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-undertow</artifactId>
+        </dependency>
+
+    <!-- / start katta extension -->
+    <dependency>
+      <groupId>io.quarkiverse.amazonservices</groupId>
+      <artifactId>quarkus-amazon-s3</artifactId>
     </dependency>
     <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-test-security-oidc</artifactId>
-      <scope>test</scope>
+      <groupId>io.quarkiverse.amazonservices</groupId>
+      <artifactId>quarkus-amazon-iam</artifactId>
     </dependency>
     <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-panache-mock</artifactId>
-      <scope>test</scope>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>url-connection-client</artifactId>
     </dependency>
     <dependency>
-      <groupId>com.auth0</groupId>
-      <artifactId>java-jwt</artifactId>
-      <version>${jwt.version}</version>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>aws-crt-client</artifactId>
     </dependency>
     <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-undertow</artifactId>
+      <groupId>com.github.dasniko</groupId>
+      <artifactId>testcontainers-keycloak</artifactId>
+        <version>4.1.0</version>
+      <scope>test</scope>
     </dependency>
-  </dependencies>
-
-  <build>
-    <plugins>
-      <plugin>
-        <groupId>io.quarkus</groupId>
-        <artifactId>quarkus-maven-plugin</artifactId>
-        <version>${quarkus.platform.version}</version>
-        <extensions>true</extensions>
-        <executions>
-          <execution>
-            <goals>
-              <goal>build</goal>
-              <goal>generate-code</goal>
-              <goal>generate-code-tests</goal>
-            </goals>
-          </execution>
-        </executions>
-      </plugin>
-      <plugin>
-        <artifactId>maven-compiler-plugin</artifactId>
-        <version>${compiler-plugin.version}</version>
-        <configuration>
-          <release>${project.jdk.version}</release>
-        </configuration>
-      </plugin>
-      <plugin>
-        <artifactId>maven-dependency-plugin</artifactId>
-        <version>${dependency-plugin.version}</version>
-        <executions>
-          <execution>
-            <id>jar-paths-to-properties</id>
-            <goals>
-              <goal>properties</goal>
-            </goals>
-          </execution>
-        </executions>
-      </plugin>
-      <plugin>
-        <artifactId>maven-surefire-plugin</artifactId>
-        <version>${surefire-plugin.version}</version>
-        <dependencies>
-          <dependency>
-            <groupId>me.fabriciorby</groupId>
-            <artifactId>maven-surefire-junit5-tree-reporter</artifactId>
-            <version>${junit-tree-reporter.version}</version>
-          </dependency>
-        </dependencies>
-        <configuration>
-          <argLine>-javaagent:${net.bytebuddy:byte-buddy-agent:jar}</argLine>
-          <systemPropertyVariables>
-            <java.util.logging.manager>org.jboss.logmanager.LogManager</java.util.logging.manager>
-            <maven.home>${maven.home}</maven.home>
-          </systemPropertyVariables>
-          <reportFormat>plain</reportFormat>
-          <consoleOutputReporter>
-            <disable>false</disable>
-          </consoleOutputReporter>
-          <statelessTestsetInfoReporter implementation="org.apache.maven.plugin.surefire.extensions.junit5.JUnit5StatelessTestsetInfoTreeReporter">
-            <printStacktraceOnError>true</printStacktraceOnError>
-            <printStacktraceOnFailure>true</printStacktraceOnFailure>
-            <printStdoutOnError>true</printStdoutOnError>
-            <printStdoutOnFailure>true</printStdoutOnFailure>
-            <printStdoutOnSuccess>false</printStdoutOnSuccess>
-            <printStderrOnError>true</printStderrOnError>
-            <printStderrOnFailure>true</printStderrOnFailure>
-            <printStderrOnSuccess>false</printStderrOnSuccess>
-          </statelessTestsetInfoReporter>
-        </configuration>
-      </plugin>
-      <plugin>
-        <artifactId>maven-failsafe-plugin</artifactId>
-        <version>${failsafe-plugin.version}</version>
-        <dependencies>
-          <dependency>
-            <groupId>me.fabriciorby</groupId>
-            <artifactId>maven-surefire-junit5-tree-reporter</artifactId>
-            <version>${junit-tree-reporter.version}</version>
-          </dependency>
-        </dependencies>
-        <configuration>
-          <argLine>-javaagent:${net.bytebuddy:byte-buddy-agent:jar}</argLine>
-          <reportFormat>plain</reportFormat>
-          <consoleOutputReporter>
-            <disable>false</disable>
-          </consoleOutputReporter>
-          <statelessTestsetInfoReporter implementation="org.apache.maven.plugin.surefire.extensions.junit5.JUnit5StatelessTestsetInfoTreeReporter">
-            <printStacktraceOnError>true</printStacktraceOnError>
-            <printStacktraceOnFailure>true</printStacktraceOnFailure>
-            <printStdoutOnError>true</printStdoutOnError>
-            <printStdoutOnFailure>true</printStdoutOnFailure>
-            <printStdoutOnSuccess>false</printStdoutOnSuccess>
-            <printStderrOnError>true</printStderrOnError>
-            <printStderrOnFailure>true</printStderrOnFailure>
-            <printStderrOnSuccess>false</printStderrOnSuccess>
-          </statelessTestsetInfoReporter>
-        </configuration>
-        <executions>
-          <execution>
-            <goals>
-              <goal>integration-test</goal>
-              <goal>verify</goal>
-            </goals>
-          </execution>
-        </executions>
-      </plugin>
-    </plugins>
-  </build>
+    <!-- \ end katta extension -->
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-micrometer</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-micrometer-registry-prometheus</artifactId>
+        </dependency>
+    </dependencies>
 
-  <profiles>
-    <profile>
-      <id>native</id>
-      <activation>
-        <property>
-          <name>native</name>
-        </property>
-      </activation>
-      <build>
+    <build>
         <plugins>
-          <plugin>
-            <artifactId>maven-failsafe-plugin</artifactId>
-            <version>${failsafe-plugin.version}</version>
-            <executions>
-              <execution>
-                <goals>
-                  <goal>integration-test</goal>
-                  <goal>verify</goal>
-                </goals>
+            <plugin>
+                <groupId>io.quarkus</groupId>
+                <artifactId>quarkus-maven-plugin</artifactId>
+                <version>${quarkus.platform.version}</version>
+                <extensions>true</extensions>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>build</goal>
+                            <goal>generate-code</goal>
+                            <goal>generate-code-tests</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>${compiler-plugin.version}</version>
+                <configuration>
+                    <release>${project.jdk.version}</release>
+                </configuration>
+            </plugin>
+            <plugin>
+                <artifactId>maven-dependency-plugin</artifactId>
+                <version>${dependency-plugin.version}</version>
+                <executions>
+                    <execution>
+                        <id>jar-paths-to-properties</id>
+                        <goals>
+                            <goal>properties</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>${surefire-plugin.version}</version>
+                <dependencies>
+                    <dependency>
+                        <groupId>me.fabriciorby</groupId>
+                        <artifactId>maven-surefire-junit5-tree-reporter</artifactId>
+                        <version>${junit-tree-reporter.version}</version>
+                    </dependency>
+                </dependencies>
                 <configuration>
-                  <systemPropertyVariables>
-                    <native.image.path>${project.build.directory}/${project.build.finalName}-runner</native.image.path>
-                    <java.util.logging.manager>org.jboss.logmanager.LogManager</java.util.logging.manager>
-                    <maven.home>${maven.home}</maven.home>
-                  </systemPropertyVariables>
+                    <argLine>-javaagent:${net.bytebuddy:byte-buddy-agent:jar}</argLine>
+                    <systemPropertyVariables>
+                        <java.util.logging.manager>org.jboss.logmanager.LogManager</java.util.logging.manager>
+                        <maven.home>${maven.home}</maven.home>
+                    </systemPropertyVariables>
+                    <reportFormat>plain</reportFormat>
+                    <consoleOutputReporter>
+                        <disable>false</disable>
+                    </consoleOutputReporter>
+                    <statelessTestsetInfoReporter implementation="org.apache.maven.plugin.surefire.extensions.junit5.JUnit5StatelessTestsetInfoTreeReporter">
+                        <printStacktraceOnError>true</printStacktraceOnError>
+                        <printStacktraceOnFailure>true</printStacktraceOnFailure>
+                        <printStdoutOnError>true</printStdoutOnError>
+                        <printStdoutOnFailure>true</printStdoutOnFailure>
+                        <printStdoutOnSuccess>false</printStdoutOnSuccess>
+                        <printStderrOnError>true</printStderrOnError>
+                        <printStderrOnFailure>true</printStderrOnFailure>
+                        <printStderrOnSuccess>false</printStderrOnSuccess>
+                    </statelessTestsetInfoReporter>
                 </configuration>
-              </execution>
-            </executions>
-          </plugin>
+            </plugin>
+            <plugin>
+                <artifactId>maven-failsafe-plugin</artifactId>
+                <version>${failsafe-plugin.version}</version>
+                <dependencies>
+                    <dependency>
+                        <groupId>me.fabriciorby</groupId>
+                        <artifactId>maven-surefire-junit5-tree-reporter</artifactId>
+                        <version>${junit-tree-reporter.version}</version>
+                    </dependency>
+                </dependencies>
+                <configuration>
+                    <argLine>-javaagent:${net.bytebuddy:byte-buddy-agent:jar}</argLine>
+                    <reportFormat>plain</reportFormat>
+                    <consoleOutputReporter>
+                        <disable>false</disable>
+                    </consoleOutputReporter>
+                    <statelessTestsetInfoReporter implementation="org.apache.maven.plugin.surefire.extensions.junit5.JUnit5StatelessTestsetInfoTreeReporter">
+                        <printStacktraceOnError>true</printStacktraceOnError>
+                        <printStacktraceOnFailure>true</printStacktraceOnFailure>
+                        <printStdoutOnError>true</printStdoutOnError>
+                        <printStdoutOnFailure>true</printStdoutOnFailure>
+                        <printStdoutOnSuccess>false</printStdoutOnSuccess>
+                        <printStderrOnError>true</printStderrOnError>
+                        <printStderrOnFailure>true</printStderrOnFailure>
+                        <printStderrOnSuccess>false</printStderrOnSuccess>
+                    </statelessTestsetInfoReporter>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>integration-test</goal>
+                            <goal>verify</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
-      </build>
-    </profile>
+    </build>
+
+    <profiles>
+        <profile>
+            <id>native</id>
+            <activation>
+                <property>
+                    <name>native</name>
+                </property>
+            </activation>
+            <build>
+                <plugins>
+                    <plugin>
+                        <artifactId>maven-failsafe-plugin</artifactId>
+                        <version>${failsafe-plugin.version}</version>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>integration-test</goal>
+                                    <goal>verify</goal>
+                                </goals>
+                                <configuration>
+                                    <systemPropertyVariables>
+                                        <native.image.path>${project.build.directory}/${project.build.finalName}-runner</native.image.path>
+                                        <java.util.logging.manager>org.jboss.logmanager.LogManager</java.util.logging.manager>
+                                        <maven.home>${maven.home}</maven.home>
+                                    </systemPropertyVariables>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+        <profile>
+            <id>uber-jar</id>
+            <properties>
+                <quarkus.package.jar.type>uber-jar</quarkus.package.jar.type>
+            </properties>
+        </profile>
+    <!-- / start katta modification -->
     <profile>
-      <id>uber-jar</id>
+      <id>generate-openapi-json</id>
       <properties>
-        <quarkus.package.jar.type>uber-jar</quarkus.package.jar.type>
+          <quarkus.smallrye-openapi.store-schema-directory>../frontend/src/openapi</quarkus.smallrye-openapi.store-schema-directory>
       </properties>
     </profile>
+    <!-- \ end katta modification -->
   </profiles>
 </project>
diff --git a/backend/src/main/docker/Dockerfile.jvm b/backend/src/main/docker/Dockerfile.jvm
index ca48d7f7d..a422607ee 100644
--- a/backend/src/main/docker/Dockerfile.jvm
+++ b/backend/src/main/docker/Dockerfile.jvm
@@ -10,7 +10,7 @@ COPY src /code/src
 RUN ./mvnw -B package -DskipTests --no-transfer-progress --strict-checksums
 
 ## Stage 2 : create the docker final image
-FROM eclipse-temurin:21-jre-alpine
+FROM eclipse-temurin:21
 COPY --from=builder /code/target/quarkus-app/ /work/
 WORKDIR /work/
 
diff --git a/backend/src/main/java/org/cryptomator/hub/Main.java b/backend/src/main/java/org/cryptomator/hub/Main.java
new file mode 100644
index 000000000..f1cbcca98
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/Main.java
@@ -0,0 +1,33 @@
+package org.cryptomator.hub;
+
+import io.quarkus.runtime.Quarkus;
+import io.quarkus.runtime.QuarkusApplication;
+import io.quarkus.runtime.annotations.QuarkusMain;
+import jakarta.inject.Inject;
+import org.cryptomator.hub.license.LicenseHolder;
+import org.jboss.logging.Logger;
+
+@QuarkusMain
+public class Main implements QuarkusApplication {
+
+	private static final Logger LOG = Logger.getLogger(Main.class);
+
+	@Inject
+	LicenseHolder license;
+
+	@Override
+	public int run(String... args) throws Exception {
+		try {
+			if (license.get() == null) {
+				LOG.error("No license found, shutting down...");
+				return 2;
+			}
+		} catch (RuntimeException e) {
+			LOG.error("Failed to validate license, shutting down...", e);
+			return 1;
+		}
+		Quarkus.waitForExit();
+		return 0;
+	}
+
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/api/AuditLogResource.java b/backend/src/main/java/org/cryptomator/hub/api/AuditLogResource.java
index 01b88fdc0..5b16078fe 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/AuditLogResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/AuditLogResource.java
@@ -17,6 +17,12 @@
 import org.cryptomator.hub.entities.events.AuditEvent;
 import org.cryptomator.hub.entities.events.DeviceRegisteredEvent;
 import org.cryptomator.hub.entities.events.DeviceRemovedEvent;
+import org.cryptomator.hub.entities.events.EmergencyAccessRecoveryAbortedEvent;
+import org.cryptomator.hub.entities.events.EmergencyAccessRecoveryApprovedEvent;
+import org.cryptomator.hub.entities.events.EmergencyAccessRecoveryCompletedEvent;
+import org.cryptomator.hub.entities.events.EmergencyAccessRecoveryStartedEvent;
+import org.cryptomator.hub.entities.events.EmergencyAccessSettingsUpdatedEvent;
+import org.cryptomator.hub.entities.events.EmergencyAccessSetupEvent;
 import org.cryptomator.hub.entities.events.SettingWotUpdateEvent;
 import org.cryptomator.hub.entities.events.SignedWotIdEvent;
 import org.cryptomator.hub.entities.events.UserAccountResetEvent;
@@ -44,6 +50,11 @@
 @Path("/auditlog")
 public class AuditLogResource {
 
+	private static final Set<String> EVENT_TYPES = Set.of(DeviceRegisteredEvent.TYPE, DeviceRemovedEvent.TYPE, UserAccountResetEvent.TYPE, UserKeysChangeEvent.TYPE, UserSetupCodeChangeEvent.TYPE,
+			SettingWotUpdateEvent.TYPE, SignedWotIdEvent.TYPE, VaultCreatedEvent.TYPE, VaultUpdatedEvent.TYPE, VaultAccessGrantedEvent.TYPE,
+			VaultKeyRetrievedEvent.TYPE, VaultMemberAddedEvent.TYPE, VaultMemberRemovedEvent.TYPE, VaultMemberUpdatedEvent.TYPE, VaultOwnershipClaimedEvent.TYPE,
+			EmergencyAccessSetupEvent.TYPE, EmergencyAccessSettingsUpdatedEvent.TYPE, EmergencyAccessRecoveryStartedEvent.TYPE, EmergencyAccessRecoveryApprovedEvent.TYPE, EmergencyAccessRecoveryCompletedEvent.TYPE, EmergencyAccessRecoveryAbortedEvent.TYPE);
+
 	@Inject
 	AuditEvent.Repository auditEventRepo;
 	@Inject
@@ -64,31 +75,34 @@ public class AuditLogResource {
 	@APIResponse(responseCode = "402", description = "Community license used or license expired")
 	@APIResponse(responseCode = "403", description = "requesting user does not have admin role")
 	public List<AuditEventDto> getAllEvents(@QueryParam("startDate") Instant startDate, @QueryParam("endDate") Instant endDate, @QueryParam("type") List<String> type, @QueryParam("paginationId") Long paginationId, @QueryParam("order") @DefaultValue("desc") String order, @QueryParam("pageSize") @DefaultValue("20") int pageSize) {
-		if (!license.isSet() || license.isExpired()) {
+		if (license.getEntitlements().auditLogRetentionDays() == 0 || license.isExpired()) {
 			throw new PaymentRequiredException("Community license used or license expired");
 		}
+		Instant retentionThreshold = license.getEntitlements().auditLogRetentionThreshold();
 
 		if (startDate == null || endDate == null) {
 			throw new BadRequestException("startDate and endDate must be specified");
 		} else if (startDate.isAfter(endDate)) {
 			throw new BadRequestException("startDate must be before endDate");
+		} else if (endDate.isBefore(retentionThreshold)) {
+			throw new PaymentRequiredException("queried date range predates audit log retention period");
 		} else if (!(order.equals("desc") || order.equals("asc"))) {
 			throw new BadRequestException("order must be either 'asc' or 'desc'");
 		} else if (pageSize < 1 || pageSize > 100) {
 			throw new BadRequestException("pageSize must be between 1 and 100");
 		} else if (type == null) {
 			throw new BadRequestException("type must be specified");
-		} else if (!type.isEmpty()) {
-			var validTypes = Set.of(DeviceRegisteredEvent.TYPE, DeviceRemovedEvent.TYPE, UserAccountResetEvent.TYPE, UserKeysChangeEvent.TYPE, UserSetupCodeChangeEvent.TYPE,
-					SettingWotUpdateEvent.TYPE, SignedWotIdEvent.TYPE, VaultCreatedEvent.TYPE, VaultUpdatedEvent.TYPE, VaultAccessGrantedEvent.TYPE,
-					VaultKeyRetrievedEvent.TYPE, VaultMemberAddedEvent.TYPE, VaultMemberRemovedEvent.TYPE, VaultMemberUpdatedEvent.TYPE, VaultOwnershipClaimedEvent.TYPE);
-			if (!validTypes.containsAll(type)) {
-				throw new BadRequestException("Invalid event type provided");
-			}
 		} else if (paginationId == null) {
 			throw new BadRequestException("paginationId must be specified");
 		}
 
+		if (!type.isEmpty() && !EVENT_TYPES.containsAll(type)) {
+			throw new BadRequestException("Invalid event type provided");
+		}
+
+		// cut off startDate at retention threshold
+		startDate = startDate.isBefore(retentionThreshold) ? retentionThreshold : startDate;
+
 		return auditEventRepo.findAllInPeriod(startDate, endDate, type, paginationId, order.equals("asc"), pageSize).map(AuditEventDto::fromEntity).toList();
 	}
 
@@ -108,7 +122,13 @@ public List<AuditEventDto> getAllEvents(@QueryParam("startDate") Instant startDa
 			@JsonSubTypes.Type(value = VaultMemberAddedEventDto.class, name = VaultMemberAddedEvent.TYPE), //
 			@JsonSubTypes.Type(value = VaultMemberRemovedEventDto.class, name = VaultMemberRemovedEvent.TYPE), //
 			@JsonSubTypes.Type(value = VaultMemberUpdatedEventDto.class, name = VaultMemberUpdatedEvent.TYPE), //
-			@JsonSubTypes.Type(value = VaultOwnershipClaimedEventDto.class, name = VaultOwnershipClaimedEvent.TYPE) //
+			@JsonSubTypes.Type(value = VaultOwnershipClaimedEventDto.class, name = VaultOwnershipClaimedEvent.TYPE), //
+			@JsonSubTypes.Type(value = EmergencyAccessSetupEventDto.class, name = EmergencyAccessSetupEvent.TYPE), //
+			@JsonSubTypes.Type(value = EmergencyAccessSettingsUpdatedEventDto.class, name = EmergencyAccessSettingsUpdatedEvent.TYPE), //
+			@JsonSubTypes.Type(value = EmergencyAccessRecoveryStartedEventDto.class, name = EmergencyAccessRecoveryStartedEvent.TYPE), //
+			@JsonSubTypes.Type(value = EmergencyAccessRecoveryApprovedEventDto.class, name = EmergencyAccessRecoveryApprovedEvent.TYPE), //
+			@JsonSubTypes.Type(value = EmergencyAccessRecoveryCompletedEventDto.class, name = EmergencyAccessRecoveryCompletedEvent.TYPE), //
+			@JsonSubTypes.Type(value = EmergencyAccessRecoveryAbortedEventDto.class, name = EmergencyAccessRecoveryAbortedEvent.TYPE), //
 	})
 	public interface AuditEventDto {
 
@@ -135,6 +155,12 @@ static AuditEventDto fromEntity(AuditEvent entity) {
 				case VaultMemberRemovedEvent evt -> new VaultMemberRemovedEventDto(evt.getId(), evt.getTimestamp(), VaultMemberRemovedEvent.TYPE, evt.getRemovedBy(), evt.getVaultId(), evt.getAuthorityId());
 				case VaultMemberUpdatedEvent evt -> new VaultMemberUpdatedEventDto(evt.getId(), evt.getTimestamp(), VaultMemberUpdatedEvent.TYPE, evt.getUpdatedBy(), evt.getVaultId(), evt.getAuthorityId(), evt.getRole());
 				case VaultOwnershipClaimedEvent evt -> new VaultOwnershipClaimedEventDto(evt.getId(), evt.getTimestamp(), VaultOwnershipClaimedEvent.TYPE, evt.getClaimedBy(), evt.getVaultId());
+				case EmergencyAccessSetupEvent evt -> new EmergencyAccessSetupEventDto(evt.getId(), evt.getTimestamp(), EmergencyAccessSetupEvent.TYPE, evt.getVaultId(), evt.getOwnerId(), evt.getSettings(), evt.getIpAddress());
+				case EmergencyAccessSettingsUpdatedEvent evt -> new EmergencyAccessSettingsUpdatedEventDto(evt.getId(), evt.getTimestamp(), EmergencyAccessSettingsUpdatedEvent.TYPE, evt.getAdminId(), evt.isEmergencyAccessEnabled(), evt.getCouncilMemberIds(), evt.getRequiredKeyShares(), evt.getMinMembers(), evt.isAllowChoosingCouncil());
+				case EmergencyAccessRecoveryStartedEvent evt -> new EmergencyAccessRecoveryStartedEventDto(evt.getId(), evt.getTimestamp(), EmergencyAccessRecoveryStartedEvent.TYPE, evt.getVaultId(), evt.getProcessId(), evt.getCouncilMemberId(), evt.getProcessType(), evt.getDetails());
+				case EmergencyAccessRecoveryApprovedEvent evt -> new EmergencyAccessRecoveryApprovedEventDto(evt.getId(), evt.getTimestamp(), EmergencyAccessRecoveryApprovedEvent.TYPE, evt.getProcessId(), evt.getCouncilMemberId(), evt.getIpAddress());
+				case EmergencyAccessRecoveryCompletedEvent evt -> new EmergencyAccessRecoveryCompletedEventDto(evt.getId(), evt.getTimestamp(), EmergencyAccessRecoveryCompletedEvent.TYPE, evt.getProcessId(), evt.getCouncilMemberId(), evt.getIpAddress());
+				case EmergencyAccessRecoveryAbortedEvent evt -> new EmergencyAccessRecoveryAbortedEventDto(evt.getId(), evt.getTimestamp(), EmergencyAccessRecoveryAbortedEvent.TYPE, evt.getVaultId(), evt.getProcessId(), evt.getCouncilMemberId(), evt.getIpAddress());
 				default -> throw new UnsupportedOperationException("conversion not implemented for event type " + entity.getClass());
 			};
 		}
@@ -195,4 +221,31 @@ record VaultMemberUpdatedEventDto(long id, Instant timestamp, String type, @Json
 	record VaultOwnershipClaimedEventDto(long id, Instant timestamp, String type, @JsonProperty("claimedBy") String claimedBy, @JsonProperty("vaultId") UUID vaultId) implements AuditEventDto {
 	}
 
+	record EmergencyAccessSetupEventDto(long id, Instant timestamp, String type, @JsonProperty("vaultId") UUID vaultId, @JsonProperty("ownerId") String ownerId, @JsonProperty("settings") String settings,
+										@JsonProperty("ipAddress") String ipAddress) implements AuditEventDto {
+	}
+
+	record EmergencyAccessSettingsUpdatedEventDto(long id, Instant timestamp, String type, @JsonProperty("adminId") String adminId, @JsonProperty("enableEmergencyAccess") boolean enableEmergencyAccess,
+												  @JsonProperty("councilMemberIds") String councilMemberIds,
+												  @JsonProperty("requiredKeyShares") int requiredKeyShares, @JsonProperty("minMembers") int minMembers,
+												  @JsonProperty("allowChoosingCouncil") boolean allowChoosingCouncil) implements AuditEventDto {
+	}
+
+	record EmergencyAccessRecoveryStartedEventDto(long id, Instant timestamp, String type, @JsonProperty("vaultId") UUID vaultId, @JsonProperty("processId") UUID processId,
+												  @JsonProperty("councilMemberId") String councilMemberId, @JsonProperty("recoveryType") String recoveryType,
+												  @JsonProperty("details") String details) implements AuditEventDto {
+	}
+
+	record EmergencyAccessRecoveryApprovedEventDto(long id, Instant timestamp, String type, @JsonProperty("processId") UUID processId, @JsonProperty("councilMemberId") String councilMemberId,
+												   @JsonProperty("ipAddress") String ipAddress) implements AuditEventDto {
+	}
+
+	record EmergencyAccessRecoveryCompletedEventDto(long id, Instant timestamp, String type, @JsonProperty("processId") UUID processId, @JsonProperty("councilMemberId") String councilMemberId,
+													@JsonProperty("ipAddress") String ipAddress) implements AuditEventDto {
+	}
+
+	record EmergencyAccessRecoveryAbortedEventDto(long id, Instant timestamp, String type, @JsonProperty("vaultId") UUID vaultId, @JsonProperty("processId") UUID processId,
+												  @JsonProperty("councilMemberId") String councilMemberId, @JsonProperty("ipAddress") String ipAddress) implements AuditEventDto {
+	}
+
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/api/AuthorityDto.java b/backend/src/main/java/org/cryptomator/hub/api/AuthorityDto.java
index bfcc4361a..97a119ba8 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/AuthorityDto.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/AuthorityDto.java
@@ -1,10 +1,27 @@
 package org.cryptomator.hub.api;
 
+import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import org.cryptomator.hub.entities.Authority;
 import org.cryptomator.hub.entities.Group;
 import org.cryptomator.hub.entities.User;
-
+import org.eclipse.microprofile.openapi.annotations.media.DiscriminatorMapping;
+import org.eclipse.microprofile.openapi.annotations.media.Schema;
+
+// / start katta extension
+// TODO review: backport @Schema upstream?
+@Schema(
+		title = "Authority",
+		oneOf = { UserDto.class, GroupDto.class, MemberDto.class },
+		discriminatorMapping = {
+				@DiscriminatorMapping( value = "USER", schema = UserDto.class ),
+				@DiscriminatorMapping( value = "GROUP", schema = GroupDto.class ),
+				@DiscriminatorMapping( value = "MEMBER", schema = MemberDto.class )
+		},
+		discriminatorProperty = "type"
+)
+// \ end katta extension
+@JsonInclude(JsonInclude.Include.NON_NULL)
 abstract sealed class AuthorityDto permits UserDto, GroupDto, MemberDto {
 
 	public enum Type {
diff --git a/backend/src/main/java/org/cryptomator/hub/api/AuthorityResource.java b/backend/src/main/java/org/cryptomator/hub/api/AuthorityResource.java
index 60fd1677b..e5c8564a1 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/AuthorityResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/AuthorityResource.java
@@ -10,6 +10,7 @@
 import jakarta.ws.rs.QueryParam;
 import jakarta.ws.rs.core.MediaType;
 import org.cryptomator.hub.entities.Authority;
+import org.cryptomator.hub.entities.User;
 import org.eclipse.microprofile.openapi.annotations.Operation;
 import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
 import org.jboss.resteasy.reactive.NoCache;
@@ -31,7 +32,7 @@ public class AuthorityResource {
 	@Operation(summary = "search authority by name")
 	@Transactional
 	public List<AuthorityDto> search(@QueryParam("query") @NotBlank String query, @QueryParam("withMemberSize") boolean withMemberSize) {
-		return authorityRepo.byName(query).map(authority -> AuthorityDto.fromEntity(authority, withMemberSize)).toList();
+		return authorityRepo.byName(query).filter(a -> !(a instanceof User u) || u.isEnabled()).map(authority -> AuthorityDto.fromEntity(authority, withMemberSize)).toList();
 	}
 
 	@GET
diff --git a/backend/src/main/java/org/cryptomator/hub/api/BillingResource.java b/backend/src/main/java/org/cryptomator/hub/api/BillingResource.java
index b849deefa..5f7bbe5f7 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/BillingResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/BillingResource.java
@@ -22,7 +22,6 @@
 import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
 
 import java.time.Instant;
-import java.util.Optional;
 
 //TODO: redirect ot /license path
 @Path("/billing")
@@ -46,12 +45,8 @@ public class BillingResource {
 	public BillingDto get() {
 		int usedSeats = (int) effectiveVaultAccessRepo.countSeatOccupyingUsers();
 		boolean isManaged = licenseHolder.isManagedInstance();
-		return Optional.ofNullable(licenseHolder.get())
-				.map(jwt -> BillingDto.fromDecodedJwt(jwt, usedSeats, isManaged))
-				.orElseGet(() -> {
-					var hubId = settingsRepo.get().getHubId();
-					return BillingDto.create(hubId, (int) licenseHolder.getSeats(), usedSeats, isManaged);
-				});
+		var licenseToken = licenseHolder.get();
+		return BillingDto.fromDecodedJwt(licenseToken, usedSeats, isManaged);
 	}
 
 	@PUT
@@ -71,21 +66,19 @@ public Response setToken(@NotNull @ValidJWS String token) {
 		}
 	}
 
-	public record BillingDto(@JsonProperty("hubId") String hubId, @JsonProperty("hasLicense") Boolean hasLicense, @JsonProperty("email") String email,
+	public record BillingDto(@JsonProperty("hubId") String hubId, @JsonProperty("email") String email,
 							 @JsonProperty("licensedSeats") Integer licensedSeats, @JsonProperty("usedSeats") Integer usedSeats,
-							 @JsonProperty("issuedAt") Instant issuedAt, @JsonProperty("expiresAt") Instant expiresAt, @JsonProperty("managedInstance") Boolean managedInstance) {
-
-		public static BillingDto create(String hubId, int noLicenseSeatCount, int usedSeats, boolean isManaged) {
-			return new BillingDto(hubId, false, null, noLicenseSeatCount, usedSeats, null, null, isManaged);
-		}
+							 @JsonProperty("issuedAt") Instant issuedAt, @JsonProperty("expiresAt") Instant expiresAt, @JsonProperty("managedInstance") Boolean managedInstance, 
+							 @JsonProperty("licenseKey") String licenseKey) {
 
 		public static BillingDto fromDecodedJwt(DecodedJWT jwt, int usedSeats, boolean isManaged) {
 			var id = jwt.getId();
 			var email = jwt.getSubject();
-			var licensedSeats = jwt.getClaim("seats").asInt();
+			var licensedSeats = jwt.getClaim("seats").asInt(); // TODO eventually replace with "org.cryptomator.hub.entitlements"."seats", see https://github.com/cryptomator/hub/issues/391
 			var issuedAt = jwt.getIssuedAt().toInstant();
 			var expiresAt = jwt.getExpiresAt().toInstant();
-			return new BillingDto(id, true, email, licensedSeats, usedSeats, issuedAt, expiresAt, isManaged);
+			var licenseKey = jwt.getToken();
+			return new BillingDto(id, email, licensedSeats, usedSeats, issuedAt, expiresAt, isManaged, licenseKey);
 		}
 
 	}
diff --git a/backend/src/main/java/org/cryptomator/hub/api/ConfigResource.java b/backend/src/main/java/org/cryptomator/hub/api/ConfigResource.java
index 4d0f69389..50f3dbd5d 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/ConfigResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/ConfigResource.java
@@ -8,6 +8,9 @@
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.Produces;
 import jakarta.ws.rs.core.MediaType;
+import org.cryptomator.hub.entities.Settings;
+import org.cryptomator.hub.license.HubLicenseEntitlements;
+import org.cryptomator.hub.license.LicenseHolder;
 import org.eclipse.microprofile.config.inject.ConfigProperty;
 
 import java.time.Instant;
@@ -16,66 +19,95 @@
 @Path("/config")
 public class ConfigResource {
 
-	@Inject
-	@ConfigProperty(name = "hub.keycloak.public-url", defaultValue = "")
-	String keycloakPublicUrl;
-
-	@Inject
-	@ConfigProperty(name = "hub.keycloak.realm", defaultValue = "")
-	String keycloakRealm;
-
-	@Inject
-	@ConfigProperty(name = "quarkus.oidc.client-id", defaultValue = "")
-	String keycloakClientIdHub;
-
-	@Inject
-	@ConfigProperty(name = "hub.keycloak.oidc.cryptomator-client-id", defaultValue = "")
-	String keycloakClientIdCryptomator;
-
-	@Inject
-	@ConfigProperty(name = "quarkus.oidc.auth-server-url")
-	String internalRealmUrl;
-
-	@Inject
-	OidcConfigurationMetadata oidcConfData;
-
-
-	@PermitAll
-	@GET
-	@Path("/")
-	@Produces(MediaType.APPLICATION_JSON)
-	public ConfigDto getConfig() {
-		var publicRealmUri = trimTrailingSlash(keycloakPublicUrl + "/realms/" + keycloakRealm);
-		var authUri = replacePrefix(oidcConfData.getAuthorizationUri(), trimTrailingSlash(internalRealmUrl), publicRealmUri);
-		var tokenUri = replacePrefix(oidcConfData.getTokenUri(), trimTrailingSlash(internalRealmUrl), publicRealmUri);
-
-		return new ConfigDto(keycloakPublicUrl, keycloakRealm, keycloakClientIdHub, keycloakClientIdCryptomator, authUri, tokenUri, Instant.now().truncatedTo(ChronoUnit.MILLIS), 4);
-	}
-
-	//visible for testing
-	String replacePrefix(String str, String prefix, String replacement) {
-		int index = str.indexOf(prefix);
-		if (index == 0) {
-			return replacement + str.substring(prefix.length());
-		} else {
-			return str;
-		}
-	}
-
-	//visible for testing
-	String trimTrailingSlash(String str) {
-		if (str.endsWith("/")) {
-			return str.substring(0, str.length() - 1);
-		} else {
-			return str;
-		}
-
-	}
-
-	public record ConfigDto(@JsonProperty("keycloakUrl") String keycloakUrl, @JsonProperty("keycloakRealm") String keycloakRealm,
-							@JsonProperty("keycloakClientIdHub") String keycloakClientIdHub, @JsonProperty("keycloakClientIdCryptomator") String keycloakClientIdCryptomator,
-							@JsonProperty("keycloakAuthEndpoint") String authEndpoint, @JsonProperty("keycloakTokenEndpoint") String tokenEndpoint,
-							@JsonProperty("serverTime") Instant serverTime, @JsonProperty("apiLevel") Integer apiLevel) {
-	}
+    @Inject
+    @ConfigProperty(name = "hub.keycloak.public-url", defaultValue = "")
+    String keycloakPublicUrl;
+
+    @Inject
+    @ConfigProperty(name = "hub.keycloak.realm", defaultValue = "")
+    String keycloakRealm;
+
+    @Inject
+    @ConfigProperty(name = "quarkus.oidc.client-id", defaultValue = "")
+    String keycloakClientIdHub;
+
+    @Inject
+    @ConfigProperty(name = "hub.keycloak.oidc.cryptomator-client-id", defaultValue = "")
+    String keycloakClientIdCryptomator;
+
+    // / start katta extension
+    @Inject
+    @ConfigProperty(name = "hub.keycloak.oidc.cryptomator-vaults-client-id", defaultValue = "")
+    String keycloakClientIdCryptomatorVaults;
+
+    @Inject
+    Settings.Repository settingsRepo;
+    // \ end katta extension
+
+    @Inject
+    @ConfigProperty(name = "quarkus.oidc.auth-server-url")
+    String internalRealmUrl;
+
+    @Inject
+    @ConfigProperty(name = "hub.billing-url", defaultValue = "")
+    String billingUrl;
+
+    @Inject
+    OidcConfigurationMetadata oidcConfData;
+
+    @Inject
+    LicenseHolder license;
+
+    @PermitAll
+    @GET
+    @Path("/")
+    @Produces(MediaType.APPLICATION_JSON)
+    public ConfigDto getConfig() {
+        var publicRealmUri = trimTrailingSlash(keycloakPublicUrl + "/realms/" + keycloakRealm);
+        var authUri = replacePrefix(oidcConfData.getAuthorizationUri(), trimTrailingSlash(internalRealmUrl), publicRealmUri);
+        var tokenUri = replacePrefix(oidcConfData.getTokenUri(), trimTrailingSlash(internalRealmUrl), publicRealmUri);
+
+        return new ConfigDto(keycloakPublicUrl, keycloakRealm, keycloakClientIdHub, keycloakClientIdCryptomator, authUri, tokenUri, Instant.now().truncatedTo(ChronoUnit.MILLIS), 4, license.getEntitlements(), billingUrl
+                // / start katta extension
+                , keycloakClientIdCryptomatorVaults
+                , settingsRepo.get().getHubId()
+                // \ end katta extension
+        );
+    }
+
+
+    //visible for testing
+    String replacePrefix(String str, String prefix, String replacement) {
+        int index = str.indexOf(prefix);
+        if (index == 0) {
+            return replacement + str.substring(prefix.length());
+        } else {
+            return str;
+        }
+    }
+
+    //visible for testing
+    String trimTrailingSlash(String str) {
+        if (str.endsWith("/")) {
+            return str.substring(0, str.length() - 1);
+        } else {
+            return str;
+        }
+
+    }
+
+    public record ConfigDto(@JsonProperty("keycloakUrl") String keycloakUrl, @JsonProperty("keycloakRealm") String keycloakRealm,
+                            @JsonProperty("keycloakClientIdHub") String keycloakClientIdHub,
+                            @JsonProperty("keycloakClientIdCryptomator") String keycloakClientIdCryptomator,
+                            @JsonProperty("keycloakAuthEndpoint") String authEndpoint, @JsonProperty("keycloakTokenEndpoint") String tokenEndpoint,
+                            @JsonProperty("serverTime") Instant serverTime, @JsonProperty("apiLevel") Integer apiLevel,
+                            @JsonProperty("entitlements") HubLicenseEntitlements entitlements,
+                            @JsonProperty("billingUrl") String billingUrl
+                            // / start katta extension
+            , @JsonProperty("keycloakClientIdCryptomatorVaults") String keycloakClientIdCryptomatorVaults
+            , @JsonProperty("uuid") String uuid
+                            // \ end katta extension
+    ) {
+    }
 
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/api/DeviceResource.java b/backend/src/main/java/org/cryptomator/hub/api/DeviceResource.java
index 734a7f92f..3f302b54f 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/DeviceResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/DeviceResource.java
@@ -102,6 +102,21 @@ public List<DeviceDto> getSomeLegacy(@QueryParam("ids") List<String> deviceIds)
 		return legacyDeviceRepo.findAllInList(deviceIds).map(DeviceDto::fromEntity).toList();
 	}
 
+	/**
+	 * @deprecated to be removed in <a href="https://github.com/cryptomator/hub/issues/333">#333</a>
+	 */
+	@Deprecated(since = "1.3.0", forRemoval = true)
+	@GET
+	@Path("/has-legacy-devices")
+	@RolesAllowed("admin")
+	@Produces(MediaType.APPLICATION_JSON)
+	@Transactional
+	@Operation(summary = "checks if any user has legacy devices")
+	@APIResponse(responseCode = "200")
+	public boolean hasAnyLegacyDevices() {
+		return legacyDeviceRepo.existsAny();
+	}
+
 	@PUT
 	@Path("/{deviceId}")
 	@RolesAllowed("user")
@@ -172,7 +187,7 @@ public DeviceDto get(@PathParam("deviceId") @ValidId String deviceId) {
 	@APIResponse(responseCode = "200")
 	public Map<UUID, String> getLegacyAccessTokens(@PathParam("deviceId") @ValidId String deviceId) {
 		return legacyAccessTokenRepo.getByDeviceAndOwner(deviceId, jwt.getSubject())
-				.collect(Collectors.toMap(token -> token.getId().getVaultId(), LegacyAccessToken::getJwe));
+				.collect(Collectors.toMap(token -> token.getId().vaultId(), LegacyAccessToken::getJwe));
 	}
 
 	@DELETE
diff --git a/backend/src/main/java/org/cryptomator/hub/api/EmergencyAccessResource.java b/backend/src/main/java/org/cryptomator/hub/api/EmergencyAccessResource.java
new file mode 100644
index 000000000..8897d44ce
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/api/EmergencyAccessResource.java
@@ -0,0 +1,204 @@
+package org.cryptomator.hub.api;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import io.vertx.core.http.HttpServerRequest;
+import jakarta.annotation.security.RolesAllowed;
+import jakarta.inject.Inject;
+import jakarta.transaction.Transactional;
+import jakarta.validation.Valid;
+import jakarta.validation.constraints.Min;
+import jakarta.validation.constraints.NotEmpty;
+import jakarta.validation.constraints.NotNull;
+import jakarta.ws.rs.*;
+import jakarta.ws.rs.core.Context;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
+import org.cryptomator.hub.entities.EmergencyRecoveryProcess;
+import org.cryptomator.hub.entities.RecoveredEmergencyKeyShares;
+import org.cryptomator.hub.entities.events.EventLogger;
+import org.cryptomator.hub.util.RawJson;
+import org.cryptomator.hub.validation.ValidJWE;
+import org.cryptomator.hub.validation.ValidJWS;
+import org.eclipse.microprofile.jwt.JsonWebToken;
+import org.eclipse.microprofile.openapi.annotations.Operation;
+import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
+
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+import java.util.stream.Collectors;
+
+@Path("/emergency-access")
+public class EmergencyAccessResource {
+
+	@Inject
+	EmergencyRecoveryProcess.Repository recoverProcessRepo;
+
+	@Inject
+	RecoveredEmergencyKeyShares.Repository recoveredKeySharesRepo;
+
+	@Inject
+	JsonWebToken jwt;
+
+	@Context
+	HttpServerRequest request;
+
+	@Inject
+	EventLogger eventLogger;
+
+	@PUT
+	@Path("/{processId}")
+	@RolesAllowed("user")
+	@Consumes(MediaType.APPLICATION_JSON)
+	@Operation(summary = "starts a new recovery process")
+	@APIResponse(responseCode = "204", description = "process created")
+	@APIResponse(responseCode = "400", description = "invalid request, e.g. missing required fields")
+	@Transactional
+	public Response startRecovery(@PathParam("processId") UUID processId, @Valid RecoveryProcessDto dto) {
+		var currentUser = jwt.getSubject();
+		if (!dto.recoveredKeyShares.containsKey(currentUser)) {
+			// the council member who starts the process must, by definition, be part of the process
+			throw new BadRequestException("User is not a member of the recovery process");
+		}
+
+		var process = new EmergencyRecoveryProcess();
+		process.setId(processId);
+		process.setVaultId(dto.vaultId);
+		process.setType(dto.type);
+		process.setDetails(dto.details);
+		process.setRequiredKeyShares(dto.requiredKeyShares);
+		process.setProcessPublicKey(dto.processPublicKey);
+		var keyShares = dto.recoveredKeyShares.entrySet().stream().collect(Collectors.toMap(Map.Entry::getKey, e -> {
+			var memberId = e.getKey();
+			var keyShareDto = e.getValue();
+			var keyShareEntity = new RecoveredEmergencyKeyShares();
+			keyShareEntity.setId(new RecoveredEmergencyKeyShares.Id(memberId, processId));
+			keyShareEntity.setProcessPrivateKey(keyShareDto.processPrivateKey);
+			keyShareEntity.setUnrecoveredKeyShare(keyShareDto.unrecoveredKeyShare);
+			keyShareEntity.setRecoveredKeyShare(keyShareDto.recoveredKeyShare);
+			keyShareEntity.setSignedProcessInfo(keyShareDto.signedProcessInfo);
+			return keyShareEntity;
+		}));
+		process.setRecoveredKeyShares(keyShares);
+		recoverProcessRepo.persist(process);
+
+		// audit logging
+		eventLogger.logEmergencyAccessRecoveryStarted(dto.vaultId, processId, currentUser, dto.type.name(), dto.details);
+		var myKeyShare = keyShares.get(currentUser);
+		assert myKeyShare != null; // as verified above, the user must be part of the process
+		if (myKeyShare.getRecoveredKeyShare() != null) { // usually, this member also adds their key share immediately
+			eventLogger.logEmergencyAccessRecoveryApproved(processId, currentUser, request.remoteAddress().hostAddress());
+		}
+		return Response.status(Response.Status.NO_CONTENT).build();
+	}
+
+	@POST
+	@Path("/{processId}/recovered-key-shares")
+	@RolesAllowed("user")
+	@Consumes(MediaType.APPLICATION_JSON)
+	@Operation(summary = "adds recovered key share")
+	@APIResponse(responseCode = "204", description = "key share added")
+	@APIResponse(responseCode = "400", description = "invalid request, e.g. missing required fields")
+	@Transactional
+	public Response addRecoveredKeyShare(@PathParam("processId") UUID processId, RecoveredKeyShareDto dto) {
+		var id = new RecoveredEmergencyKeyShares.Id(jwt.getSubject(), processId);
+
+		var myKeyShare = recoveredKeySharesRepo.findById(id);
+		if (myKeyShare == null) {
+			throw new NotFoundException("Recovery process not found or user not part of emergency access council");
+		}
+
+		myKeyShare.setRecoveredKeyShare(dto.recoveredKeyShare);
+		myKeyShare.setSignedProcessInfo(dto.signedProcessInfo);
+		recoveredKeySharesRepo.persist(myKeyShare);
+
+		// audit logging
+		eventLogger.logEmergencyAccessRecoveryApproved(processId, jwt.getSubject(), request.remoteAddress().hostAddress());
+
+		return Response.status(Response.Status.NO_CONTENT).build();
+	}
+
+	@DELETE
+	@Path("/{processId}/complete")
+	@RolesAllowed("user")
+	@Operation(summary = "completes an existing recovery process")
+	@APIResponse(responseCode = "204", description = "existing recovery process completed")
+	@APIResponse(responseCode = "404", description = "existing recovery process not found")
+	@Transactional
+	public Response complete(@PathParam("processId") UUID processId) {
+		var currentUserId = jwt.getSubject();
+		var ip = request.remoteAddress().hostAddress();
+		if (recoverProcessRepo.deleteById(processId)) {
+			eventLogger.logEmergencyAccessRecoveryCompleted(processId, currentUserId, ip);
+			return Response.noContent().build();
+		} else {
+			throw new NotFoundException();
+		}
+	}
+
+	@DELETE
+	@Path("/{processId}/abort")
+	@RolesAllowed("user")
+	@Operation(summary = "aborts an existing recovery process")
+	@APIResponse(responseCode = "204", description = "existing recovery process aborted")
+	@APIResponse(responseCode = "404", description = "existing recovery process not found")
+	@Transactional
+	public Response abort(@PathParam("processId") UUID processId) {
+		var currentUserId = jwt.getSubject();
+		var process = recoverProcessRepo.findByIdOptional(processId)
+				.orElseThrow(NotFoundException::new);
+
+		eventLogger.logEmergencyAccessRecoveryAborted(process.getVaultId(), processId, currentUserId, request.remoteAddress().hostAddress());
+
+		recoverProcessRepo.delete(process);
+		return Response.noContent().build();
+	}
+
+	@GET
+	@Path("/{vaultId}")
+	@RolesAllowed("user")
+	@Produces(MediaType.APPLICATION_JSON)
+	@Operation(summary = "finds an existing recovery process")
+	@APIResponse(responseCode = "200")
+	@Transactional
+	public List<RecoveryProcessDto> findByVaultId(@PathParam("vaultId") UUID vaultId) {
+		return recoverProcessRepo.findByVaultId(vaultId).map(RecoveryProcessDto::fromEntity).toList();
+	}
+
+	@JsonInclude(JsonInclude.Include.NON_NULL)
+	public record RecoveryProcessDto(
+			@JsonProperty("id") @NotNull UUID id,
+			@JsonProperty("vaultId") @NotNull UUID vaultId,
+			@JsonProperty("type") @NotNull EmergencyRecoveryProcess.Type type,
+			@JsonProperty("details") @RawJson String details,
+			@JsonProperty("requiredKeyShares") @Min(2) int requiredKeyShares,
+			@JsonProperty("processPublicKey") @NotNull String processPublicKey,
+			@JsonProperty("recoveredKeyShares") @NotEmpty Map<String, RecoveredKeyShareDto> recoveredKeyShares) {
+
+		public static RecoveryProcessDto fromEntity(EmergencyRecoveryProcess entity) {
+			var keyShareDtos = entity.getRecoveredKeyShares().entrySet().stream().collect(Collectors.toMap(Map.Entry::getKey, e -> RecoveredKeyShareDto.fromEntity(e.getValue())));
+			return new RecoveryProcessDto(
+					entity.getId(),
+					entity.getVaultId(),
+					entity.getType(),
+					entity.getDetails(),
+					entity.getRequiredKeyShares(),
+					entity.getProcessPublicKey(),
+					keyShareDtos
+			);
+		}
+	}
+
+	@JsonInclude(JsonInclude.Include.NON_NULL)
+	public record RecoveredKeyShareDto(@JsonProperty("processPrivateKey") @ValidJWE String processPrivateKey,
+									   @JsonProperty("unrecoveredKeyShare") @ValidJWE String unrecoveredKeyShare,
+									   @JsonProperty("recoveredKeyShare") @ValidJWE String recoveredKeyShare,
+									   @JsonProperty("signedProcessInfo") @ValidJWS String signedProcessInfo) {
+
+		public static RecoveredKeyShareDto fromEntity(RecoveredEmergencyKeyShares entity) {
+			return new RecoveredKeyShareDto(entity.getProcessPrivateKey(), entity.getUnrecoveredKeyShare(), entity.getRecoveredKeyShare(), entity.getSignedProcessInfo());
+		}
+	}
+
+}
\ No newline at end of file
diff --git a/backend/src/main/java/org/cryptomator/hub/api/GroupDto.java b/backend/src/main/java/org/cryptomator/hub/api/GroupDto.java
index 812720b93..9b5d6a686 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/GroupDto.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/GroupDto.java
@@ -1,16 +1,23 @@
 package org.cryptomator.hub.api;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonUnwrapped;
 import org.cryptomator.hub.entities.Group;
 
+import java.util.List;
+
 public final class GroupDto extends AuthorityDto {
 
 	@JsonProperty("memberSize")
 	public final Integer memberSize;
 
-	GroupDto(@JsonProperty("id") String id, @JsonProperty("name") String name, @JsonProperty("memberSize") Integer memberSize) {
-		super(id, Type.GROUP, name, null);
+	@JsonProperty("vaultCount")
+	public final Integer vaultCount;
+
+	GroupDto(@JsonProperty("id") String id, @JsonProperty("name") String name, @JsonProperty("pictureUrl") String pictureUrl, @JsonProperty("memberSize") Integer memberSize, @JsonProperty("vaultCount") Integer vaultCount) {
+		super(id, Type.GROUP, name, pictureUrl);
 		this.memberSize = memberSize;
+		this.vaultCount = vaultCount;
 	}
 
 	public static GroupDto fromEntity(Group group) {
@@ -19,6 +26,21 @@ public static GroupDto fromEntity(Group group) {
 
 	public static GroupDto fromEntity(Group group, boolean withMemberSize) {
 		Integer memberSize = withMemberSize ? group.getMemberSize() : null;
-		return new GroupDto(group.getId(), group.getName(), memberSize);
+		return new GroupDto(group.getId(), group.getName(), group.getPictureUrl(), memberSize, null);
+	}
+
+	public static GroupDto fromEntity(Group group, Integer memberSize, Integer vaultCount) {
+		return new GroupDto(group.getId(), group.getName(), group.getPictureUrl(), memberSize, vaultCount);
+	}
+
+	WithDetails withDetails(List<AuthorityDto> members, List<VaultResource.VaultDtoWithRole> vaults) {
+		return new WithDetails(this, members, vaults);
+	}
+
+	public record WithDetails(
+			@JsonUnwrapped GroupDto group,
+			@JsonProperty("members") List<AuthorityDto> members,
+			@JsonProperty("vaults") List<VaultResource.VaultDtoWithRole> vaults
+	) {
 	}
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/api/GroupsResource.java b/backend/src/main/java/org/cryptomator/hub/api/GroupsResource.java
index 78db054a5..d376c5ccb 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/GroupsResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/GroupsResource.java
@@ -1,17 +1,35 @@
 package org.cryptomator.hub.api;
 
+import com.fasterxml.jackson.annotation.JsonProperty;
 import jakarta.annotation.security.RolesAllowed;
 import jakarta.inject.Inject;
+import jakarta.transaction.Transactional;
+import jakarta.validation.Valid;
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Size;
+import jakarta.ws.rs.ClientErrorException;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.DELETE;
 import jakarta.ws.rs.GET;
+import jakarta.ws.rs.InternalServerErrorException;
+import jakarta.ws.rs.NotFoundException;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.PUT;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.PathParam;
 import jakarta.ws.rs.Produces;
 import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
 import org.cryptomator.hub.entities.Group;
 import org.cryptomator.hub.entities.User;
+import org.cryptomator.hub.entities.VaultAccess;
+import org.cryptomator.hub.keycloak.KeycloakAdminService;
 import org.cryptomator.hub.validation.ValidId;
 import org.eclipse.microprofile.openapi.annotations.Operation;
+import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
+import org.jboss.resteasy.reactive.NoCache;
 
+import java.net.URI;
 import java.util.List;
 
 @Path("/groups")
@@ -21,23 +39,153 @@ public class GroupsResource {
 	User.Repository userRepo;
 	@Inject
 	Group.Repository groupRepo;
+	@Inject
+	VaultAccess.Repository vaultAccessRepo;
+	@Inject
+	KeycloakAdminService keycloakAdminService;
 
 	@GET
 	@Path("/")
-	@RolesAllowed("user")
+	@RolesAllowed("admin")
 	@Produces(MediaType.APPLICATION_JSON)
 	@Operation(summary = "list all groups")
 	public List<GroupDto> getAll() {
-		return groupRepo.findAll().stream().map(GroupDto::fromEntity).toList();
+		var groups = groupRepo.findAll().list();
+		return groups.stream()
+				.map(group -> GroupDto.fromEntity(
+						group,
+						group.getMemberSize(),
+						(int) vaultAccessRepo.countByAuthority(group.getId())
+				))
+				.toList();
 	}
 
 	@GET
 	@Path("/{groupId}/effective-members")
-	@RolesAllowed("user")
+	@RolesAllowed("admin")
 	@Produces(MediaType.APPLICATION_JSON)
 	@Operation(summary = "list all effective group members")
 	public List<UserDto> getEffectiveMembers(@PathParam("groupId") @ValidId String groupId) {
 		return userRepo.getEffectiveGroupUsers(groupId).map(UserDto::justPublicInfo).toList();
 	}
 
+	@POST
+	@Path("/{groupId}/members/{userId}")
+	@RolesAllowed("admin")
+	@Transactional
+	@Operation(summary = "add a user to a group")
+	@APIResponse(responseCode = "204", description = "user added to group")
+	@APIResponse(responseCode = "404", description = "group or user not found")
+	public Response addMember(@PathParam("groupId") @ValidId String groupId, @PathParam("userId") @ValidId String userId) {
+		keycloakAdminService.addUserToGroup(groupId, userId);
+		return Response.noContent().build();
+	}
+
+	@DELETE
+	@Path("/{groupId}/members/{userId}")
+	@RolesAllowed("admin")
+	@Transactional
+	@Operation(summary = "remove a user from a group")
+	@APIResponse(responseCode = "204", description = "user removed from group")
+	@APIResponse(responseCode = "404", description = "group or user not found")
+	public Response removeMember(@PathParam("groupId") @ValidId String groupId, @PathParam("userId") @ValidId String userId) {
+		keycloakAdminService.removeUserFromGroup(groupId, userId);
+		return Response.noContent().build();
+	}
+
+	@POST
+	@Path("/")
+	@RolesAllowed("admin")
+	@Consumes(MediaType.APPLICATION_JSON)
+	@Produces(MediaType.APPLICATION_JSON)
+	@Transactional
+	@Operation(summary = "create a new group in Keycloak")
+	@APIResponse(responseCode = "201", description = "group created")
+	@APIResponse(responseCode = "400", description = "invalid input")
+	@APIResponse(responseCode = "409", description = "group name already exists")
+	public Response createGroup(@Valid @NotNull CreateGroupDto dto) {
+		try {
+			var groupRepresentation = keycloakAdminService.createGroup(dto.name(), dto.pictureUrl());
+
+			Group group = groupRepo.findById(groupRepresentation.getId());
+			if (group == null) {
+				throw new InternalServerErrorException("Group was created in Keycloak but not found in database after sync");
+			}
+
+			return Response.created(URI.create("./" + group.getId()))
+					.entity(GroupDto.fromEntity(group))
+					.build();
+		} catch (ClientErrorException e) {
+			return Response.status(Response.Status.CONFLICT).build();
+		}
+	}
+
+	@GET
+	@Path("/{groupId}")
+	@RolesAllowed("admin")
+	@Produces(MediaType.APPLICATION_JSON)
+	@NoCache
+	@Transactional
+	@Operation(summary = "get a specific group")
+	@APIResponse(responseCode = "200", description = "group found")
+	@APIResponse(responseCode = "404", description = "group not found")
+	public GroupDto.WithDetails getGroup(@PathParam("groupId") @ValidId String groupId) {
+		Group group = groupRepo.findByIdWithEagerDetails(groupId);
+		if (group == null) {
+			throw new NotFoundException("Group not found: " + groupId);
+		}
+
+		List<AuthorityDto> members = group.getMembers().stream().map(AuthorityDto::fromEntity).toList();
+
+		List<VaultResource.VaultDtoWithRole> vaults = group.accessibleVaults.stream()
+				.map(va -> VaultResource.VaultDtoWithRole.from(va.getVault(), va.getRole()))
+				.toList();
+
+		return GroupDto.fromEntity(group).withDetails(members, vaults);
+	}
+
+	@PUT
+	@Path("/{groupId}")
+	@RolesAllowed("admin")
+	@Consumes(MediaType.APPLICATION_JSON)
+	@Produces(MediaType.APPLICATION_JSON)
+	@Transactional
+	@Operation(summary = "update a group in Keycloak")
+	@APIResponse(responseCode = "200", description = "group updated")
+	@APIResponse(responseCode = "404", description = "group not found")
+	public GroupDto updateGroup(@PathParam("groupId") @ValidId String groupId, @Valid @NotNull UpdateGroupDto dto) {
+		keycloakAdminService.updateGroup(groupId, dto.name(), dto.pictureUrl());
+
+		Group group = groupRepo.findById(groupId);
+		if (group == null) {
+			throw new NotFoundException("Group not found after update: " + groupId);
+		}
+
+		return GroupDto.fromEntity(group);
+	}
+
+	@DELETE
+	@Path("/{groupId}")
+	@RolesAllowed("admin")
+	@Transactional
+	@Operation(summary = "delete a group from Keycloak")
+	@APIResponse(responseCode = "204", description = "group deleted")
+	@APIResponse(responseCode = "404", description = "group not found")
+	public Response deleteGroup(@PathParam("groupId") @ValidId String groupId) {
+		keycloakAdminService.deleteGroup(groupId);
+		return Response.noContent().build();
+	}
+
+	public record CreateGroupDto(
+			@JsonProperty("name") @NotNull String name,
+			@JsonProperty("pictureUrl") @Size(max = 255) String pictureUrl
+	) {
+
+	}
+
+	public record UpdateGroupDto(
+			@JsonProperty("name") @NotNull String name,
+			@JsonProperty("pictureUrl") @Size(max = 255) String pictureUrl
+	) {
+	}
 }
\ No newline at end of file
diff --git a/backend/src/main/java/org/cryptomator/hub/api/LicenseResource.java b/backend/src/main/java/org/cryptomator/hub/api/LicenseResource.java
index dfc1efa0c..d4d08b202 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/LicenseResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/LicenseResource.java
@@ -1,20 +1,22 @@
 package org.cryptomator.hub.api;
 
-import com.auth0.jwt.interfaces.DecodedJWT;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import jakarta.annotation.security.RolesAllowed;
 import jakarta.inject.Inject;
 import jakarta.ws.rs.GET;
+import jakarta.ws.rs.InternalServerErrorException;
+import jakarta.ws.rs.POST;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.Produces;
 import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
 import org.cryptomator.hub.entities.EffectiveVaultAccess;
 import org.cryptomator.hub.license.LicenseHolder;
 import org.eclipse.microprofile.openapi.annotations.Operation;
 import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
 
+import java.io.IOException;
 import java.time.Instant;
-import java.util.Optional;
 
 @Path("/license")
 public class LicenseResource {
@@ -41,11 +43,27 @@ public record LicenseUserInfoDto(@JsonProperty("licensedSeats") Integer licensed
 									 @JsonProperty("expiresAt") Instant expiresAt) {
 
 		public static LicenseUserInfoDto create(LicenseHolder licenseHolder, int usedSeats) {
-			var licensedSeats = (int) licenseHolder.getSeats();
-			var expiresAt = Optional.ofNullable(licenseHolder.get()).map(DecodedJWT::getExpiresAtAsInstant).orElse(null);
+			var licensedSeats = (int) licenseHolder.getEntitlements().seats();
+			var expiresAt = licenseHolder.get().getExpiresAtAsInstant();
 			return new LicenseUserInfoDto(licensedSeats, usedSeats, expiresAt);
 		}
 
 	}
 
+	@POST
+	@Path("/refresh")
+	@RolesAllowed("admin")
+	@Operation(summary = "Refresh license information", description = "Refreshes the license information from the license server.")
+	@APIResponse(responseCode = "204", description = "License information refreshed")
+	@APIResponse(responseCode = "500", description = "License refresh failed")
+	public Response refresh() {
+		try {
+			licenseHolder.refreshLicense();
+		} catch (IOException e) {
+			throw new InternalServerErrorException("License refresh failed", e);
+		}
+		return Response.noContent().build();
+	}
+
+
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/api/MemberDto.java b/backend/src/main/java/org/cryptomator/hub/api/MemberDto.java
index 64dcc2b23..04a8eb420 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/MemberDto.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/MemberDto.java
@@ -11,12 +11,12 @@ public final class MemberDto extends AuthorityDto {
 	public final String ecdhPublicKey;
 	@JsonProperty("ecdsaPublicKey")
 	public final String ecdsaPublicKey;
-	@JsonProperty("role")
+	@JsonProperty("vaultRole")
 	public final VaultAccess.Role role;
 	@JsonProperty("memberSize")
 	public final Integer memberSize;
 
-	MemberDto(@JsonProperty("id") String id, @JsonProperty("type") Type type, @JsonProperty("name") String name, @JsonProperty("pictureUrl") String pictureUrl, @JsonProperty("ecdhPublicKey") String ecdhPublicKey, @JsonProperty("ecdsaPublicKey") String ecdsaPublicKey, @JsonProperty("role") VaultAccess.Role role, @JsonProperty("memberSize") Integer memberSize) {
+	MemberDto(@JsonProperty("id") String id, @JsonProperty("type") Type type, @JsonProperty("name") String name, @JsonProperty("pictureUrl") String pictureUrl, @JsonProperty("ecdhPublicKey") String ecdhPublicKey, @JsonProperty("ecdsaPublicKey") String ecdsaPublicKey, @JsonProperty("vaultRole") VaultAccess.Role role, @JsonProperty("memberSize") Integer memberSize) {
 		super(id, type, name, pictureUrl);
 		this.ecdhPublicKey = ecdhPublicKey;
 		this.ecdsaPublicKey = ecdsaPublicKey;
@@ -29,7 +29,7 @@ public static MemberDto fromEntity(User user, VaultAccess.Role role) {
 	}
 
 	public static MemberDto fromEntity(Group group, VaultAccess.Role role) {
-		return new MemberDto(group.getId(), Type.GROUP, group.getName(), null, null, null, role, group.getMemberSize());
+		return new MemberDto(group.getId(), Type.GROUP, group.getName(), group.getPictureUrl(), null, null, role, group.getMemberSize());
 	}
 
 }
\ No newline at end of file
diff --git a/backend/src/main/java/org/cryptomator/hub/api/SettingsResource.java b/backend/src/main/java/org/cryptomator/hub/api/SettingsResource.java
index 4e728180d..32a6af153 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/SettingsResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/SettingsResource.java
@@ -21,6 +21,9 @@
 import org.eclipse.microprofile.openapi.annotations.Operation;
 import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
 
+import java.util.Set;
+import java.util.stream.Collectors;
+
 @Path("/settings")
 public class SettingsResource {
 
@@ -55,19 +58,45 @@ public Response put(@NotNull @Valid SettingsDto dto) {
 		var settings = settingsRepo.get();
 		var oldWotIdVerifyLen = settings.getWotIdVerifyLen();
 		var oldWotMaxDepth = settings.getWotMaxDepth();
+		var oldEmergencyCouncilMemberIds = settings.getEmergencyCouncilMemberIds();
+		var oldRequiredEmergencyKeyShares = settings.getDefaultRequiredEmergencyKeyShares();
+		var oldMinMembers = settings.getDefaultMinMembers();
+		var oldAllowChoosingEmergencyCouncil = settings.isAllowChoosingEmergencyCouncil();
+		var oldEmergencyAccessEnabled = settings.isEmergencyAccessEnabled();
 		settings.setWotMaxDepth(dto.wotMaxDepth);
 		settings.setWotIdVerifyLen(dto.wotIdVerifyLen);
+		settings.setDefaultRequiredEmergencyKeyShares(dto.defaultRequiredEmergencyKeyShares);
+		settings.setDefaultMinMembers(dto.defaultMinMembers);
+		settings.setAllowChoosingEmergencyCouncil(dto.allowChoosingEmergencyCouncil);
+		settings.setEmergencyCouncilMemberIds(dto.emergencyCouncilMemberIds);
+		settings.setEmergencyAccessEnabled(dto.enableEmergencyAccess);
 		settingsRepo.persist(settings);
 		if (oldWotMaxDepth != dto.wotMaxDepth || oldWotIdVerifyLen != dto.wotIdVerifyLen) {
 			eventLogger.logWotSettingUpdated(jwt.getSubject(), dto.wotIdVerifyLen, dto.wotMaxDepth);
 		}
+		if (!oldEmergencyCouncilMemberIds.containsAll(dto.emergencyCouncilMemberIds)
+				|| !dto.emergencyCouncilMemberIds.containsAll(oldEmergencyCouncilMemberIds)
+				|| oldRequiredEmergencyKeyShares != dto.defaultRequiredEmergencyKeyShares
+				|| oldAllowChoosingEmergencyCouncil != dto.allowChoosingEmergencyCouncil
+				|| oldMinMembers != dto.defaultMinMembers
+				|| oldEmergencyAccessEnabled != dto.enableEmergencyAccess) {
+			var councilMemberIds = "[" + dto.emergencyCouncilMemberIds.stream().map(s -> "\"" + s + "\"").collect(Collectors.joining(", ")) + "]";
+			eventLogger.logEmergencyAccessSettingsUpdated(jwt.getSubject(), dto.enableEmergencyAccess, councilMemberIds, dto.defaultRequiredEmergencyKeyShares, dto.defaultMinMembers, dto.allowChoosingEmergencyCouncil);
+		}
 		return Response.status(Response.Status.NO_CONTENT).build();
 	}
 
-	public record SettingsDto(@JsonProperty("hubId") String hubId, @JsonProperty("wotMaxDepth") @Min(0) @Max(9) int wotMaxDepth, @JsonProperty("wotIdVerifyLen") @Min(0) int wotIdVerifyLen) {
+	public record SettingsDto(@JsonProperty("hubId") String hubId,
+							  @JsonProperty("wotMaxDepth") @Min(0) @Max(9) int wotMaxDepth,
+							  @JsonProperty("wotIdVerifyLen") @Min(0) int wotIdVerifyLen,
+							  @JsonProperty("enableEmergencyAccess") boolean enableEmergencyAccess,
+							  @JsonProperty("defaultRequiredEmergencyKeyShares") @Min(0) int defaultRequiredEmergencyKeyShares,
+							  @JsonProperty("defaultMinMembers") @Min(0) int defaultMinMembers,
+							  @JsonProperty("allowChoosingEmergencyCouncil") boolean allowChoosingEmergencyCouncil,
+							  @JsonProperty("emergencyCouncilMemberIds") @NotNull Set<String> emergencyCouncilMemberIds) {
 
 		public static SettingsDto fromEntity(Settings entity) {
-			return new SettingsDto(entity.getHubId(), entity.getWotMaxDepth(), entity.getWotIdVerifyLen());
+			return new SettingsDto(entity.getHubId(), entity.getWotMaxDepth(), entity.getWotIdVerifyLen(), entity.isEmergencyAccessEnabled(), entity.getDefaultRequiredEmergencyKeyShares(), entity.getDefaultMinMembers(), entity.isAllowChoosingEmergencyCouncil(), entity.getEmergencyCouncilMemberIds());
 		}
 
 	}
diff --git a/backend/src/main/java/org/cryptomator/hub/api/UserDto.java b/backend/src/main/java/org/cryptomator/hub/api/UserDto.java
index fe30437ce..0146f918b 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/UserDto.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/UserDto.java
@@ -1,18 +1,27 @@
 package org.cryptomator.hub.api;
 
 import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonUnwrapped;
 import jakarta.annotation.Nullable;
+import jakarta.validation.constraints.NotNull;
 import org.cryptomator.hub.entities.User;
 import org.cryptomator.hub.validation.OnlyBase64Chars;
 import org.cryptomator.hub.validation.ValidJWE;
 
+import java.util.List;
 import java.util.Set;
 
+@JsonInclude(JsonInclude.Include.NON_NULL)
 public final class UserDto extends AuthorityDto {
 
 	private final String email;
+	private final String firstName;
+	private final String lastName;
 	private final String language;
+	private final Set<String> realmRoles;
+	private final boolean enabled;
 	private final Set<DeviceResource.DeviceDto> devices;
 	private final String ecdhPublicKey;
 	private final String ecdsaPublicKey;
@@ -21,11 +30,15 @@ public final class UserDto extends AuthorityDto {
 
 	@JsonCreator
 	public UserDto(
-			@JsonProperty("id") String id,
-			@JsonProperty("name") String name,
+			@JsonProperty("id") @NotNull String id,
+			@JsonProperty("name") @NotNull String name,
 			@JsonProperty("pictureUrl") String pictureUrl,
-			@JsonProperty("email") String email,
+			@JsonProperty("email") @NotNull String email,
+			@JsonProperty("firstName") String firstName,
+			@JsonProperty("lastName") String lastName,
 			@JsonProperty("language") String language,
+			@JsonProperty("realmRoles") @NotNull Set<String> realmRoles,
+			@JsonProperty("enabled") boolean enabled,
 			@JsonProperty("devices") Set<DeviceResource.DeviceDto> devices,
 			// Accept either "ecdhPublicKey" or the legacy "publicKey" on input
 			@Nullable @JsonProperty("ecdhPublicKey") @OnlyBase64Chars String ecdhPublicKey,
@@ -37,7 +50,11 @@ public UserDto(
 			@Nullable @JsonProperty("setupCode") @ValidJWE String setupCode) {
 		super(id, Type.USER, name, pictureUrl);
 		this.email = email;
+		this.firstName = firstName;
+		this.lastName = lastName;
 		this.language = language;
+		this.realmRoles = realmRoles;
+		this.enabled = enabled;
 		this.devices = devices;
 		this.ecdhPublicKey = ecdhPublicKey != null ? ecdhPublicKey : publicKey;
 		this.ecdsaPublicKey = ecdsaPublicKey;
@@ -50,13 +67,17 @@ public UserDto(
 			String name,
 			String pictureUrl,
 			String email,
+			String firstName,
+			String lastName,
 			String language,
+			Set<String> realmRoles,
+			boolean enabled,
 			Set<DeviceResource.DeviceDto> devices,
 			String ecdhPublicKey,
 			String ecdsaPublicKey,
 			String privateKeys,
 			String setupCode) {
-		this(id, name, pictureUrl, email, language, devices, ecdhPublicKey, ecdhPublicKey, ecdsaPublicKey, privateKeys, privateKeys, setupCode);
+		this(id, name, pictureUrl, email, firstName, lastName, language, realmRoles, enabled, devices, ecdhPublicKey, ecdhPublicKey, ecdsaPublicKey, privateKeys, privateKeys, setupCode);
 	}
 
 	@JsonProperty("email")
@@ -64,11 +85,31 @@ public String getEmail() {
 		return email;
 	}
 
+	@JsonProperty("firstName")
+	public String getFirstName() {
+		return firstName;
+	}
+
+	@JsonProperty("lastName")
+	public String getLastName() {
+		return lastName;
+	}
+
 	@JsonProperty("language")
 	public String getLanguage() {
 		return language;
 	}
 
+	@JsonProperty("realmRoles")
+	public Set<String> getRealmRoles() {
+		return realmRoles;
+	}
+
+	@JsonProperty("enabled")
+	public boolean isEnabled() {
+		return enabled;
+	}
+
 	@JsonProperty("devices")
 	public Set<DeviceResource.DeviceDto> getDevices() {
 		return devices;
@@ -81,6 +122,7 @@ public String getEcdhPublicKey() {
 
 	/**
 	 * Same as {@link #ecdhPublicKey}, kept for compatibility purposes
+	 *
 	 * @deprecated to be removed in Hub 2.0.0, tracked in <a href="https://github.com/cryptomator/hub/issues/316">#316</a>
 	 */
 	@Deprecated(forRemoval = true)
@@ -101,6 +143,7 @@ public String getPrivateKeys() {
 
 	/**
 	 * Same as {@link #privateKeys}, kept for compatibility purposes
+	 *
 	 * @deprecated to be removed in Hub 2.0.0, tracked in <a href="https://github.com/cryptomator/hub/issues/316">#316</a>
 	 */
 	@Deprecated(forRemoval = true)
@@ -120,11 +163,49 @@ public static UserDto justPublicInfo(User user) {
 				user.getName(),
 				user.getPictureUrl(),
 				user.getEmail(),
+				user.getFirstName(),
+				user.getLastName(),
 				user.getLanguage(),
+				Set.of(user.getRealmRoles()),
+				user.isEnabled(),
 				Set.of(),
 				user.getEcdhPublicKey(),
 				user.getEcdsaPublicKey(),
 				null,
 				null);
 	}
+
+	public WithCounts withCounts(long groupsCount, long vaultsCount, long devicesCount) {
+		return new WithCounts(
+				this,
+				devicesCount,
+				groupsCount,
+				vaultsCount);
+	}
+
+	public WithDetails withDetails(List<GroupDto> groups, List<VaultResource.VaultDtoWithRole> accessibleVaults, Set<DeviceResource.DeviceDto> devices, Set<DeviceResource.DeviceDto> legacyDevices) {
+		return new WithDetails(
+				this,
+				groups,
+				accessibleVaults,
+				devices,
+				legacyDevices);
+	}
+
+	public record WithCounts(
+			@JsonUnwrapped UserDto user,
+			@JsonProperty("devicesCount") long devicesCount,
+			@JsonProperty("groupsCount") long groupsCount,
+			@JsonProperty("accessibleVaultCount") long accessibleVaultCount
+	) {
+	}
+
+	public record WithDetails(
+			@JsonUnwrapped UserDto user,
+			@JsonProperty("groups") List<GroupDto> groups,
+			@JsonProperty("accessibleVaults") List<VaultResource.VaultDtoWithRole> accessibleVaults,
+			@JsonProperty("devices") Set<DeviceResource.DeviceDto> devices,
+			@JsonProperty("legacyDevices") Set<DeviceResource.DeviceDto> legacyDevices
+	) {
+	}
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/api/UsersResource.java b/backend/src/main/java/org/cryptomator/hub/api/UsersResource.java
index e328b8b38..141dc3933 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/UsersResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/UsersResource.java
@@ -7,8 +7,12 @@
 import jakarta.transaction.Transactional;
 import jakarta.validation.Valid;
 import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Size;
+import jakarta.ws.rs.ClientErrorException;
 import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.DELETE;
 import jakarta.ws.rs.GET;
+import jakarta.ws.rs.InternalServerErrorException;
 import jakarta.ws.rs.NotFoundException;
 import jakarta.ws.rs.POST;
 import jakarta.ws.rs.PUT;
@@ -21,6 +25,7 @@
 import org.cryptomator.hub.entities.AccessToken;
 import org.cryptomator.hub.entities.Device;
 import org.cryptomator.hub.entities.EffectiveWot;
+import org.cryptomator.hub.entities.EmergencyRecoveryProcess;
 import org.cryptomator.hub.entities.LegacyDevice;
 import org.cryptomator.hub.entities.User;
 import org.cryptomator.hub.entities.Vault;
@@ -28,6 +33,8 @@
 import org.cryptomator.hub.entities.events.AuditEvent;
 import org.cryptomator.hub.entities.events.EventLogger;
 import org.cryptomator.hub.entities.events.VaultKeyRetrievedEvent;
+import org.cryptomator.hub.keycloak.KeycloakAdminService;
+import org.cryptomator.hub.keycloak.RealmRole;
 import org.eclipse.microprofile.jwt.JsonWebToken;
 import org.eclipse.microprofile.openapi.annotations.Operation;
 import org.eclipse.microprofile.openapi.annotations.enums.ParameterIn;
@@ -59,6 +66,8 @@ public class UsersResource {
 	@Inject
 	Vault.Repository vaultRepo;
 	@Inject
+	EmergencyRecoveryProcess.Repository emergencyRecovery;
+	@Inject
 	WotEntry.Repository wotRepo;
 	@Inject
 	EffectiveWot.Repository effectiveWotRepo;
@@ -68,6 +77,9 @@ public class UsersResource {
 	@Inject
 	JsonWebToken jwt;
 
+	@Inject
+	KeycloakAdminService keycloakAdminService;
+
 	@PUT
 	@Path("/me")
 	@RolesAllowed("user")
@@ -111,7 +123,7 @@ public Response putMe(@Nullable @Valid UserDto dto) {
 	 */
 	private void updateDevices(User userEntity, UserDto userDto) {
 		if (userDto.getDevices() != null) {
-			var devices = userEntity.devices.stream().collect(Collectors.toUnmodifiableMap(Device::getId, Function.identity()));
+			var devices = userEntity.getDevices().stream().collect(Collectors.toUnmodifiableMap(Device::getId, Function.identity()));
 			var updatedDevices = userDto.getDevices().stream()
 					.filter(d -> devices.containsKey(d.id())) // only look at DTOs for which we find a matching existing entity
 					.map(dto -> {
@@ -167,7 +179,7 @@ public UserDto getMe(@QueryParam("withDevices") boolean withDevices, @QueryParam
 		User user = userRepo.findById(jwt.getSubject());
 		Set<DeviceResource.DeviceDto> deviceDtos;
 		if (withLastAccess) {
-			var devices = user.devices.stream().collect(Collectors.toMap(Device::getId, Function.identity()));
+			var devices = user.getDevices().stream().collect(Collectors.toMap(Device::getId, Function.identity()));
 			var events = auditEventRepo.findLastVaultKeyRetrieve(devices.keySet()).collect(Collectors.toMap(VaultKeyRetrievedEvent::getDeviceId, Function.identity()));
 			deviceDtos = devices.values().stream().map(d -> {
 				var event = events.get(d.getId());
@@ -178,7 +190,7 @@ public UserDto getMe(@QueryParam("withDevices") boolean withDevices, @QueryParam
 		} else {
 			deviceDtos = Set.of();
 		}
-		return new UserDto(user.getId(), user.getName(), user.getPictureUrl(), user.getEmail(), user.getLanguage(), deviceDtos, user.getEcdhPublicKey(), user.getEcdsaPublicKey(), user.getPrivateKeys(), user.getSetupCode());
+		return new UserDto(user.getId(), user.getName(), user.getPictureUrl(), user.getEmail(), user.getFirstName(), user.getLastName(), user.getLanguage(), Set.of(user.getRealmRoles()), user.isEnabled(), deviceDtos, user.getEcdhPublicKey(), user.getEcdsaPublicKey(), user.getPrivateKeys(), user.getSetupCode());
 	}
 
 	/**
@@ -196,13 +208,13 @@ public UserDto getMe(@QueryParam("withDevices") boolean withDevices, @QueryParam
 	@APIResponse(responseCode = "404", description = "no user matching the subject of the JWT passed as Bearer Token")
 	public UserDto getMeWithLegacyDevicesAndAccess() {
 		User user = userRepo.findById(jwt.getSubject());
-		var legacyDevices = user.legacyDevices.stream().collect(Collectors.toMap(LegacyDevice::getId, Function.identity()));
+		var legacyDevices = user.getLegacyDevices().stream().collect(Collectors.toMap(LegacyDevice::getId, Function.identity()));
 		var events = auditEventRepo.findLastVaultKeyRetrieve(legacyDevices.keySet()).collect(Collectors.toMap(VaultKeyRetrievedEvent::getDeviceId, Function.identity()));
 		var deviceDtos = legacyDevices.values().stream().map(d -> {
 			var event = events.get(d.getId());
 			return DeviceResource.DeviceDto.fromEntity(d, event);
 		}).collect(Collectors.toSet());
-		return new UserDto(user.getId(), user.getName(), user.getPictureUrl(), user.getEmail(), user.getLanguage(), deviceDtos, user.getEcdhPublicKey(), user.getEcdsaPublicKey(), user.getPrivateKeys(), user.getSetupCode());
+		return new UserDto(user.getId(), user.getName(), user.getPictureUrl(), user.getEmail(), user.getFirstName(), user.getLastName(), user.getLanguage(), Set.of(user.getRealmRoles()), user.isEnabled(), deviceDtos, user.getEcdhPublicKey(), user.getEcdsaPublicKey(), user.getPrivateKeys(), user.getSetupCode());
 	}
 
 	@POST
@@ -219,6 +231,8 @@ public Response resetMe() {
 		user.setPrivateKeys(null);
 		user.setSetupCode(null);
 		userRepo.persist(user);
+		vaultRepo.deleteEmergencyKeySharesForUser(user.getId());
+		emergencyRecovery.deleteKeySharesForCouncilMember(user.getId());
 		deviceRepo.deleteByOwner(user.getId());
 		accessTokenRepo.deleteByUser(user.getId());
 		eventLogger.logUserAccountReset(jwt.getSubject());
@@ -227,11 +241,14 @@ public Response resetMe() {
 
 	@GET
 	@Path("/")
-	@RolesAllowed("user")
+	@RolesAllowed("admin")
 	@Produces(MediaType.APPLICATION_JSON)
-	@Operation(summary = "list all users")
-	public List<UserDto> getAll() {
-		return userRepo.findAll().stream().map(UserDto::justPublicInfo).toList();
+	@Transactional
+	@Operation(summary = "list all users with counts")
+	public List<UserDto.WithCounts> getAll() {
+		return userRepo.findAllWithMetrics().stream()
+				.map(user -> UserDto.justPublicInfo(user).withCounts(user.metrics.getDirectGroupMembershipCount(), user.metrics.getEffectiveVaultAccessCount(), user.metrics.getDeviceCount()))
+				.toList();
 	}
 
 	@PUT
@@ -243,9 +260,7 @@ public List<UserDto> getAll() {
 	@APIResponse(responseCode = "204", description = "signature stored")
 	public Response putSignature(@PathParam("userId") String userId, @NotNull String signature) {
 		var signer = userRepo.findById(jwt.getSubject());
-		var id = new WotEntry.Id();
-		id.setUserId(userId);
-		id.setSignerId(signer.getId());
+		var id = new WotEntry.Id(userId, signer.getId());
 		var entry = wotRepo.findById(id);
 		if (entry == null) {
 			entry = new WotEntry();
@@ -287,7 +302,173 @@ public List<TrustedUserDto> getTrustedUsers() {
 	public record TrustedUserDto(@JsonProperty("trustedUserId") String trustedUserId, @JsonProperty("signatureChain") List<String> signatureChain) {
 
 		public static TrustedUserDto fromEntity(EffectiveWot entity) {
-			return new TrustedUserDto(entity.getId().getTrustedUserId(), List.of(entity.getSignatureChain()));
+			return new TrustedUserDto(entity.getId().trustedUserId(), List.of(entity.getSignatureChain()));
+		}
+	}
+
+	@POST
+	@Path("/")
+	@RolesAllowed("admin")
+	@Consumes(MediaType.APPLICATION_JSON)
+	@Produces(MediaType.APPLICATION_JSON)
+	@Transactional
+	@Operation(summary = "create a new user in Keycloak")
+	@APIResponse(responseCode = "201", description = "user created")
+	@APIResponse(responseCode = "400", description = "invalid input")
+	@APIResponse(responseCode = "409", description = "user already exists")
+	public Response createUser(@Valid @NotNull CreateUserDto dto) {
+		try {
+			var userRepresentation = keycloakAdminService.createUser(
+					dto.name(),
+					dto.email(),
+					dto.firstName(),
+					dto.lastName(),
+					dto.password(),
+					dto.pictureUrl(),
+					dto.groupIds()
+			);
+
+			if (!dto.realmRoles().isEmpty()) {
+				keycloakAdminService.updateUserRoles(userRepresentation.getId(), dto.realmRoles());
+			}
+
+			User user = userRepo.findById(userRepresentation.getId());
+			if (user == null) {
+				throw new InternalServerErrorException("User was created in Keycloak but not found in database after sync");
+			}
+
+			return Response.created(URI.create("./" + user.getId()))
+					.entity(UserDto.justPublicInfo(user))
+					.build();
+		} catch (ClientErrorException e) {
+			// Return 409 with specific error message (EMAIL_EXISTS or USERNAME_EXISTS)
+			return Response.status(Response.Status.CONFLICT)
+					.entity(e.getMessage())
+					.type(MediaType.TEXT_PLAIN)
+					.build();
 		}
 	}
+
+	@GET
+	@Path("/{id}")
+	@RolesAllowed("admin")
+	@Produces(MediaType.APPLICATION_JSON)
+	@NoCache
+	@Transactional
+	@Operation(summary = "get a specific user")
+	@APIResponse(responseCode = "200", description = "user found")
+	@APIResponse(responseCode = "404", description = "user not found")
+	public UserDto.WithDetails getUser(@PathParam("id") String userId) {
+		User user = userRepo.findByIdWithEagerDetails(userId);
+		if (user == null) {
+			throw new NotFoundException("User not found: " + userId);
+		}
+
+
+		// Fetch groups for the user
+		List<GroupDto> groups = user.getDirectGroupMemberships().stream()
+				.map(GroupDto::fromEntity)
+				.toList();
+
+		// Fetch vaults with roles for the user
+		List<VaultResource.VaultDtoWithRole> vaults = user.getAccessibleVaults().stream()
+				.map(eva -> VaultResource.VaultDtoWithRole.from(eva.getVault(), eva.getRole()))
+				.toList();
+
+		// Fetch devices (modern devices)
+		Set<DeviceResource.DeviceDto> devices = user.getDevices().stream()
+				.map(DeviceResource.DeviceDto::fromEntity)
+				.collect(Collectors.toSet());
+
+		// Fetch legacy devices
+		@SuppressWarnings("removal")
+		Set<DeviceResource.DeviceDto> legacyDevices = user.getLegacyDevices().stream()
+				.map(DeviceResource.DeviceDto::fromEntity)
+				.collect(Collectors.toSet());
+
+		return UserDto.justPublicInfo(user).withDetails(
+				groups,
+				vaults,
+				devices,
+				legacyDevices
+		);
+	}
+
+	@PUT
+	@Path("/{id}")
+	@RolesAllowed("admin")
+	@Consumes(MediaType.APPLICATION_JSON)
+	@Produces(MediaType.APPLICATION_JSON)
+	@Transactional
+	@Operation(summary = "update a user in Keycloak")
+	@APIResponse(responseCode = "200", description = "user updated")
+	@APIResponse(responseCode = "403", description = "user has federated identity and cannot be modified")
+	@APIResponse(responseCode = "404", description = "user not found")
+	public UserDto updateUser(@PathParam("id") String userId, @Valid @NotNull UpdateUserDto dto) {
+		keycloakAdminService.updateUser(
+				userId,
+				dto.email(),
+				dto.firstName(),
+				dto.lastName(),
+				dto.password(),
+				dto.pictureUrl()
+		);
+
+		keycloakAdminService.updateUserRoles(userId, dto.realmRoles());
+
+		User user = userRepo.findById(userId);
+		if (user == null) {
+			throw new NotFoundException("User not found after update: " + userId);
+		}
+
+		return UserDto.justPublicInfo(user);
+	}
+
+	@PUT
+	@Path("/{id}/enabled")
+	@RolesAllowed("admin")
+	@Consumes(MediaType.TEXT_PLAIN)
+	@Transactional
+	@Operation(summary = "enable or disable a user")
+	@APIResponse(responseCode = "204", description = "user updated")
+	public Response setUserEnabled(@PathParam("id") String userId, boolean enabled) {
+		keycloakAdminService.setUserEnabled(userId, enabled);
+		return Response.noContent().build();
+	}
+
+	@DELETE
+	@Path("/{id}")
+	@RolesAllowed("admin")
+	@Transactional
+	@Operation(summary = "delete a user from Keycloak")
+	@APIResponse(responseCode = "204", description = "user deleted")
+	@APIResponse(responseCode = "403", description = "user has federated identity and cannot be deleted")
+	@APIResponse(responseCode = "404", description = "user not found")
+	public Response deleteUser(@PathParam("id") String userId) {
+		keycloakAdminService.deleteUser(userId);
+		return Response.noContent().build();
+	}
+
+	public record CreateUserDto(
+			@JsonProperty("name") @NotNull String name,
+			@JsonProperty("email") @NotNull String email,
+			@JsonProperty("firstName") @NotNull String firstName,
+			@JsonProperty("lastName") @NotNull String lastName,
+			@JsonProperty("password") @NotNull String password,
+			@JsonProperty("pictureUrl") @Size(max = 255) String pictureUrl,
+			@JsonProperty("groupIds") Set<String> groupIds,
+			@JsonProperty("realmRoles") @NotNull Set<RealmRole> realmRoles
+	) {
+	}
+
+	public record UpdateUserDto(
+			@JsonProperty("email") String email,
+			@JsonProperty("firstName") String firstName,
+			@JsonProperty("lastName") String lastName,
+			@JsonProperty("password") String password,
+			@JsonProperty("pictureUrl") @Size(max = 255) String pictureUrl,
+			@JsonProperty("realmRoles") @NotNull Set<RealmRole> realmRoles
+	) {
+	}
+
 }
\ No newline at end of file
diff --git a/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java b/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
index edfb52847..db93a47fd 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/VaultResource.java
@@ -3,6 +3,7 @@
 import com.auth0.jwt.JWT;
 import com.auth0.jwt.algorithms.Algorithm;
 import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import io.quarkus.security.identity.SecurityIdentity;
 import io.vertx.core.http.HttpServerRequest;
@@ -12,6 +13,7 @@
 import jakarta.persistence.NoResultException;
 import jakarta.transaction.Transactional;
 import jakarta.validation.Valid;
+import jakarta.validation.constraints.Min;
 import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.NotEmpty;
 import jakarta.validation.constraints.NotNull;
@@ -33,6 +35,7 @@
 import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.Response;
+import org.cryptomator.hub.api.katta.KattaConfig;
 import org.cryptomator.hub.entities.AccessToken;
 import org.cryptomator.hub.entities.Authority;
 import org.cryptomator.hub.entities.EffectiveVaultAccess;
@@ -45,7 +48,10 @@
 import org.cryptomator.hub.entities.events.VaultKeyRetrievedEvent;
 import org.cryptomator.hub.filters.ActiveLicense;
 import org.cryptomator.hub.filters.VaultRole;
+import org.cryptomator.hub.katta.KeycloakCryptomatorVaultsHelper;
+import org.cryptomator.hub.keycloak.RealmRole;
 import org.cryptomator.hub.license.LicenseHolder;
+import org.cryptomator.hub.metrics.VaultUnlockMetrics;
 import org.cryptomator.hub.validation.NoHtmlOrScriptChars;
 import org.cryptomator.hub.validation.OnlyBase64Chars;
 import org.cryptomator.hub.validation.ValidId;
@@ -61,12 +67,17 @@
 import java.net.URI;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
 import java.util.UUID;
+import java.util.function.Predicate;
+import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
+
 @Path("/vaults")
 public class VaultResource {
 
@@ -75,20 +86,29 @@ public class VaultResource {
 
 	@Inject
 	AccessToken.Repository accessTokenRepo;
+
 	@Inject
 	Group.Repository groupRepo;
+
 	@Inject
 	User.Repository userRepo;
+
+	@Inject
+	Authority.Repository authorityRepo;
+
 	@Inject
 	EffectiveVaultAccess.Repository effectiveVaultAccessRepo;
+
 	/**
 	 * @deprecated to be removed in <a href="https://github.com/cryptomator/hub/issues/333">#333</a>
 	 */
 	@Inject
 	@Deprecated(since = "1.3.0", forRemoval = true)
 	LegacyAccessToken.Repository legacyAccessTokenRepo;
+
 	@Inject
 	Vault.Repository vaultRepo;
+
 	@Inject
 	VaultAccess.Repository vaultAccessRepo;
 
@@ -101,9 +121,20 @@ public class VaultResource {
 	@Inject
 	LicenseHolder license;
 
+	@Inject
+	VaultUnlockMetrics vaultUnlockMetrics;
+
 	@Context
 	HttpServerRequest request;
 
+	// / start katta extension
+	@Inject
+	KattaConfig kattaConfig;
+
+	@Inject
+	KeycloakCryptomatorVaultsHelper keycloakCryptomatorVaultsHelper;
+	// \ end katta extension
+
 	@GET
 	@Path("/accessible")
 	@RolesAllowed("user")
@@ -121,6 +152,18 @@ public List<VaultDto> getAccessible(@Nullable @QueryParam("role") VaultAccess.Ro
 		return resultStream.map(VaultDto::fromEntity).toList();
 	}
 
+	@GET
+	@Path("/recoverable")
+	@RolesAllowed("user")
+	@Produces(MediaType.APPLICATION_JSON)
+	@Transactional
+	@Operation(summary = "list all recoverable vaults", description = "list all vaults that can be recovered by the currently logged in user")
+	public List<VaultDto> getRecoverable() {
+		var currentUserId = jwt.getSubject();
+		final Stream<Vault> resultStream = vaultRepo.findRecoverable(currentUserId);
+		return resultStream.map(VaultDto::fromEntity).toList();
+	}
+
 	@GET
 	@Path("/some")
 	@RolesAllowed("admin")
@@ -145,24 +188,89 @@ public List<VaultDto> getAllVaults() {
 	@GET
 	@Path("/{vaultId}/members")
 	@RolesAllowed("user")
-	@VaultRole(VaultAccess.Role.OWNER) // may throw 403
+	@VaultRole(value = VaultAccess.Role.OWNER, bypassForEmergencyAccess = true) // may throw 403
 	@Transactional
 	@Produces(MediaType.APPLICATION_JSON)
 	@Operation(summary = "list vault members", description = "list all users or groups that this vault has been shared with directly (not inherited via group membership)")
 	@APIResponse(responseCode = "200")
 	@APIResponse(responseCode = "403", description = "not a vault owner")
 	public List<MemberDto> getDirectMembers(@PathParam("vaultId") UUID vaultId) {
-		return vaultAccessRepo.forVault(vaultId).map(access -> switch (access.getAuthority()) {
+		return vaultAccessRepo.forVault(vaultId).filter(access -> !(access.getAuthority() instanceof User u) || u.isEnabled()).map(access -> switch (access.getAuthority()) {
 			case User u -> MemberDto.fromEntity(u, access.getRole());
 			case Group g -> MemberDto.fromEntity(g, access.getRole());
 			default -> throw new IllegalStateException();
 		}).toList();
 	}
 
+	@PUT
+	@Path("/{vaultId}/members")
+	@RolesAllowed("user")
+	@VaultRole(value = VaultAccess.Role.OWNER, bypassForEmergencyAccess = true) // may throw 403
+	@Transactional
+	@Consumes(MediaType.APPLICATION_JSON)
+	@Operation(summary = "set vault members", description = "replaces all direct vault members with the given ones")
+	@APIResponse(responseCode = "204", description = "members updated")
+	@APIResponse(responseCode = "400", description = "invalid members in request body")
+	@APIResponse(responseCode = "403", description = "not a vault owner")
+	@APIResponse(responseCode = "404", description = "vault not found")
+	public Response setDirectMembers(@PathParam("vaultId") UUID vaultId, @NotEmpty Map<String, VaultAccess.Role> memberRoles) {
+		var vault = vaultRepo.findById(vaultId);
+		if (vault == null) {
+			throw new NotFoundException("Vault not found.");
+		}
+		var newVaultAccess = authorityRepo.findAllInList(memberRoles.keySet()).map(authority -> {
+			assert memberRoles.containsKey(authority.getId());
+			return VaultAccess.create(vault, authority, memberRoles.get(authority.getId()));
+		}).toList();
+		if (newVaultAccess.isEmpty()) {
+			throw new BadRequestException("No (valid) members given.");
+		}
+		var oldVaultAccess = vaultAccessRepo.forVault(vaultId).toList();
+
+		// determine diff:
+		Set<VaultAccess.Id> newIds = newVaultAccess.stream().map(VaultAccess::getId).collect(Collectors.toSet());
+		Set<VaultAccess.Id> oldIds = oldVaultAccess.stream().map(VaultAccess::getId).collect(Collectors.toSet());
+		Predicate<VaultAccess> isNew = va -> newIds.contains(va.getId());
+		Predicate<VaultAccess> isOld = va -> oldIds.contains(va.getId());
+		Predicate<VaultAccess> hasChangedRole = va -> memberRoles.get(va.getId().authorityId()) != va.getRole();
+		var addedMembers = newVaultAccess.stream()
+				.filter(isOld.negate()).toList();
+		var removedMembers = oldVaultAccess.stream()
+				.filter(isNew.negate()).toList();
+		var updatedMembers = oldVaultAccess.stream()
+				.filter(isNew)
+				.filter(hasChangedRole)
+				.peek(va -> va.setRole(memberRoles.get(va.getId().authorityId())))
+				.toList();
+
+		// resolve group members and simulate new seat count:
+		var effectiveUsers = new HashSet<User>();
+		effectiveUsers.addAll(userRepo.getEffectiveGroupUsers(memberRoles.keySet()));
+		effectiveUsers.addAll(userRepo.findByIds(memberRoles.keySet()).toList());
+		var newSeatOccupyingUsers = new HashSet<>(effectiveVaultAccessRepo.usersSeatedOnOtherVaults(vaultId).toList()); // initialize with users already having access to other vaults
+		newSeatOccupyingUsers.addAll(effectiveUsers.stream().map(User::getId).toList()); // add all users that will have access to this vault after the operation (avoid double counting by using a set)
+		if (newSeatOccupyingUsers.size() > license.getEntitlements().seats()) {
+			throw new PaymentRequiredException("License seats exceeded. Cannot add more users.");
+		}
+
+		// Audit Log
+		addedMembers.forEach(va -> eventLogger.logVaultMemberAdded(jwt.getSubject(), vaultId, va.getId().authorityId(), va.getRole()));
+		removedMembers.forEach(va -> eventLogger.logVaultMemberRemoved(jwt.getSubject(), vaultId, va.getId().authorityId()));
+		updatedMembers.forEach(va -> eventLogger.logVaultMemberUpdated(jwt.getSubject(), vaultId, va.getId().authorityId(), va.getRole()));
+
+		// replace all:
+		vaultAccessRepo.delete(vaultId, removedMembers.stream().map(VaultAccess::getId).map(VaultAccess.Id::authorityId).toList());
+		vaultAccessRepo.persist(addedMembers);
+		vaultAccessRepo.persist(updatedMembers);
+
+		return Response.noContent().build();
+	}
+
+
 	@PUT
 	@Path("/{vaultId}/users/{userId}")
 	@RolesAllowed("user")
-	@VaultRole(VaultAccess.Role.OWNER) // may throw 403
+	@VaultRole(value = VaultAccess.Role.OWNER, bypassForEmergencyAccess = true) // may throw 403
 	@Transactional
 	@Produces(MediaType.APPLICATION_JSON)
 	@Operation(summary = "adds a user to this vault or updates her role")
@@ -177,8 +285,13 @@ public Response addUser(@PathParam("vaultId") UUID vaultId, @PathParam("userId")
 		var vault = vaultRepo.findById(vaultId); // should always be found, since @VaultRole filter would have triggered
 		var user = userRepo.findByIdOptional(userId).orElseThrow(NotFoundException::new);
 		var usedSeats = effectiveVaultAccessRepo.countSeatOccupyingUsers();
-		if (usedSeats < license.getSeats() // free seats available
+		if (usedSeats < license.getEntitlements().seats() // free seats available
 				|| effectiveVaultAccessRepo.isUserOccupyingSeat(userId)) { // or user already sitting
+
+			// / start katta extension
+			keycloakCryptomatorVaultsHelper.keycloakGrantAccessToVault(vaultId.toString(), userId, kattaConfig.keycloakClientIdCryptomatorVaults(), false);
+			// \ end katta extension
+
 			return addAuthority(vault, user, role);
 		} else {
 			throw new PaymentRequiredException("License seats exceeded. Cannot add more users.");
@@ -204,10 +317,14 @@ public Response addGroup(@PathParam("vaultId") UUID vaultId, @PathParam("groupId
 		var group = groupRepo.findByIdOptional(groupId).orElseThrow(NotFoundException::new);
 
 		//usersInGroup - usersInGroupAndPartOfAtLeastOneVault + usersOfAtLeastOneVault
-		if (userRepo.countEffectiveGroupUsers(groupId) - effectiveVaultAccessRepo.countSeatOccupyingUsersOfGroup(groupId) + effectiveVaultAccessRepo.countSeatOccupyingUsers() > license.getSeats()) {
+		if (userRepo.countEffectiveGroupUsers(groupId) - effectiveVaultAccessRepo.countSeatOccupyingUsersOfGroup(groupId) + effectiveVaultAccessRepo.countSeatOccupyingUsers() > license.getEntitlements().seats()) {
 			throw new PaymentRequiredException("Adding this group would exceed available license seats.");
 		}
 
+		// / start katta extension
+		keycloakCryptomatorVaultsHelper.keycloakGrantAccessToVault(vaultId.toString(), groupId, kattaConfig.keycloakClientIdCryptomatorVaults(), true);
+		// \ end katta extension
+
 		return addAuthority(vault, group, role);
 	}
 
@@ -234,7 +351,7 @@ private Response addAuthority(Vault vault, Authority authority, VaultAccess.Role
 	@DELETE
 	@Path("/{vaultId}/authority/{authorityId}")
 	@RolesAllowed("user")
-	@VaultRole(VaultAccess.Role.OWNER) // may throw 403
+	@VaultRole(value = VaultAccess.Role.OWNER, bypassForEmergencyAccess = true) // may throw 403
 	@Transactional
 	@Produces(MediaType.APPLICATION_JSON)
 	@Operation(summary = "remove a user or group from this vault", description = "revokes the given authority's access rights from this vault. If the given authority is no member, the request is a no-op.")
@@ -243,6 +360,17 @@ private Response addAuthority(Vault vault, Authority authority, VaultAccess.Role
 	public Response removeAuthority(@PathParam("vaultId") UUID vaultId, @PathParam("authorityId") @ValidId String authorityId) {
 		if (vaultAccessRepo.deleteById(new VaultAccess.Id(vaultId, authorityId))) {
 			eventLogger.logVaultMemberRemoved(jwt.getSubject(), vaultId, authorityId);
+
+			// / start katta extension
+			// Decision: when resetting an account or archiving a vault, access to the bucket doesn't need to be revoked.
+			// - Account reset: same situation as for addUser() and addGroup() before being granted access (masterkey): in the STS case, users can technically already gain access to the data at the storage level if they know/guess the STS endpoint etc, however they cannot decrypt yet.
+			// - Archiving: removeAuthority is not called in this case, so users still can renew access (get new temporary S3 credentials) at the storage level in the STS case.
+			//              However, they cannot get the masterkey any more (in all cases) nor the permanent storage credentials (in the non-STS case).
+			var group = groupRepo.findByIdOptional(authorityId);
+			final boolean isGroup = group.isPresent();
+			keycloakCryptomatorVaultsHelper.keycloakRemoveAccessToVault(vaultId.toString(), authorityId, kattaConfig.keycloakClientIdCryptomatorVaults(), isGroup);
+			// \ end katta extension
+
 			return Response.status(Response.Status.NO_CONTENT).build();
 		} else {
 			throw new NotFoundException();
@@ -252,7 +380,7 @@ public Response removeAuthority(@PathParam("vaultId") UUID vaultId, @PathParam("
 	@GET
 	@Path("/{vaultId}/users-requiring-access-grant")
 	@RolesAllowed("user")
-	@VaultRole(VaultAccess.Role.OWNER) // may throw 403
+	@VaultRole(value = VaultAccess.Role.OWNER, bypassForEmergencyAccess = true) // may throw 403
 	@Transactional
 	@Produces(MediaType.APPLICATION_JSON)
 	@Operation(summary = "list members requiring access tokens", description = "lists all members, that have permissions but lack an access token")
@@ -291,16 +419,24 @@ public Response legacyUnlock(@PathParam("vaultId") UUID vaultId, @PathParam("dev
 		}
 
 		var accessTokenSeats = effectiveVaultAccessRepo.countSeatOccupyingUsersWithAccessToken();
-		if (accessTokenSeats > license.getSeats()) {
+		if (accessTokenSeats > license.getEntitlements().seats()) {
 			throw new PaymentRequiredException("Number of effective vault users exceeds available license seats");
 		}
 		var ipAddress = request.remoteAddress().hostAddress();
 		try {
 			var access = legacyAccessTokenRepo.unlock(vaultId, deviceId, jwt.getSubject());
 			eventLogger.logVaultKeyRetrieved(jwt.getSubject(), vaultId, VaultKeyRetrievedEvent.Result.SUCCESS, ipAddress, deviceId);
-			var subscriptionStateHeaderName = "Hub-Subscription-State";
-			var subscriptionStateHeaderValue = license.isSet() ? "ACTIVE" : "INACTIVE"; // license expiration is not checked here, because it is checked in the ActiveLicense filter
-			return Response.ok(access.getJwe()).header(subscriptionStateHeaderName, subscriptionStateHeaderValue).build();
+			var response = Response.ok(access.getJwe());
+			var iosLicense = license.getEntitlements().iosLicense();
+			var androidLicense = license.getEntitlements().androidLicense();
+			if (iosLicense != null) {
+				response = response.header("Hub-Subscription-State", "ACTIVE"); // license expiration is not checked here, because it is checked in the ActiveLicense filter
+				response = response.header("Hub-iOS-License", iosLicense);
+			}
+			if (androidLicense != null) {
+				response = response.header("Hub-Android-License", androidLicense);
+			}
+			return response.build();
 		} catch (NoResultException e) {
 			eventLogger.logVaultKeyRetrieved(jwt.getSubject(), vaultId, VaultKeyRetrievedEvent.Result.UNAUTHORIZED, ipAddress, deviceId);
 			throw new ForbiddenException("Access to this device not granted.");
@@ -321,18 +457,22 @@ public Response legacyUnlock(@PathParam("vaultId") UUID vaultId, @PathParam("dev
 	@APIResponse(responseCode = "449", description = "User account not yet initialized. Retry after setting up user")
 	@ActiveLicense // may throw 402
 	public Response unlock(@PathParam("vaultId") UUID vaultId, @QueryParam("evenIfArchived") @DefaultValue("false") boolean ignoreArchived) {
+		vaultUnlockMetrics.recordUnlock();
 		var vault = vaultRepo.findById(vaultId); // should always be found, since @VaultRole filter would have triggered
 		if (vault.isArchived() && !ignoreArchived) {
+			vaultUnlockMetrics.recordFailure();
 			throw new GoneException("Vault is archived.");
 		}
 
 		var accessTokenSeats = effectiveVaultAccessRepo.countSeatOccupyingUsersWithAccessToken();
-		if (accessTokenSeats > license.getSeats()) {
+		if (accessTokenSeats > license.getEntitlements().seats()) {
+			vaultUnlockMetrics.recordFailure();
 			throw new PaymentRequiredException("Number of effective vault users exceeds available license seats");
 		}
 
 		var user = userRepo.findById(jwt.getSubject());
 		if (user.getEcdhPublicKey() == null) {
+			vaultUnlockMetrics.recordFailure();
 			throw new ActionRequiredException("User account not initialized.");
 		}
 		var ipAddress = request.remoteAddress().hostAddress();
@@ -340,13 +480,21 @@ public Response unlock(@PathParam("vaultId") UUID vaultId, @QueryParam("evenIfAr
 		var access = accessTokenRepo.unlock(vaultId, jwt.getSubject());
 		if (access != null) {
 			eventLogger.logVaultKeyRetrieved(jwt.getSubject(), vaultId, VaultKeyRetrievedEvent.Result.SUCCESS, ipAddress, deviceId);
-			var subscriptionStateHeaderName = "Hub-Subscription-State";
-			var subscriptionStateHeaderValue = license.isSet() ? "ACTIVE" : "INACTIVE"; // license expiration is not checked here, because it is checked in the ActiveLicense filter
-			return Response.ok(access.getVaultKey(), MediaType.TEXT_PLAIN_TYPE).header(subscriptionStateHeaderName, subscriptionStateHeaderValue).build();
-		} else if (vaultRepo.findById(vaultId) == null) {
-			throw new NotFoundException("No such vault.");
+			vaultUnlockMetrics.recordSuccess();
+			var response = Response.ok(access.getVaultKey(), MediaType.TEXT_PLAIN_TYPE);
+			var iosLicense = license.getEntitlements().iosLicense();
+			var androidLicense = license.getEntitlements().androidLicense();
+			if (iosLicense != null) {
+				response = response.header("Hub-Subscription-State", "ACTIVE"); // license expiration is not checked here, because it is checked in the ActiveLicense filter
+				response = response.header("Hub-iOS-License", iosLicense);
+			}
+			if (androidLicense != null) {
+				response = response.header("Hub-Android-License", androidLicense);
+			}
+			return response.build();
 		} else {
 			eventLogger.logVaultKeyRetrieved(jwt.getSubject(), vaultId, VaultKeyRetrievedEvent.Result.UNAUTHORIZED, ipAddress, deviceId);
+			vaultUnlockMetrics.recordFailure();
 			throw new ForbiddenException("Access to this vault not granted.");
 		}
 	}
@@ -386,13 +534,13 @@ public String getUvfKeys(@PathParam("vaultId") UUID vaultId) {
 	@POST
 	@Path("/{vaultId}/access-tokens")
 	@RolesAllowed("user")
-	@VaultRole(VaultAccess.Role.OWNER) // may throw 403
+	@VaultRole(value = VaultAccess.Role.OWNER, bypassForEmergencyAccess = true) // may throw 403
 	@Transactional
 	@Consumes(MediaType.APPLICATION_JSON)
 	@Operation(summary = "adds user-specific vault keys", description = "Stores one or more user-vaultkey-tuples, as defined in the request body ({user1: token1, user2: token2, ...}).")
 	@APIResponse(responseCode = "200", description = "all keys stored")
 	@APIResponse(responseCode = "402", description = "number of users granted access exceeds available license seats")
-	@APIResponse(responseCode = "403", description = "not a vault owner")
+	@APIResponse(responseCode = "403", description = "not a vault owner or emergency access council member")
 	@APIResponse(responseCode = "404", description = "at least one user has not been found")
 	public Response grantAccess(@PathParam("vaultId") UUID vaultId, @NotEmpty Map<String, String> tokens) {
 		var vault = vaultRepo.findById(vaultId); // should always be found, since @VaultRole filter would have triggered
@@ -401,7 +549,7 @@ public Response grantAccess(@PathParam("vaultId") UUID vaultId, @NotEmpty Map<St
 		long occupiedSeats = effectiveVaultAccessRepo.countSeatOccupyingUsers();
 		long usersWithoutSeat = tokens.size() - effectiveVaultAccessRepo.countSeatsOccupiedByUsers(tokens.keySet().stream().toList());
 
-		if (occupiedSeats + usersWithoutSeat > license.getSeats()) {
+		if (occupiedSeats + usersWithoutSeat > license.getEntitlements().seats()) {
 			throw new PaymentRequiredException("Number of effective vault users greater than or equal to the available license seats");
 		}
 
@@ -423,7 +571,7 @@ public Response grantAccess(@PathParam("vaultId") UUID vaultId, @NotEmpty Map<St
 	@GET
 	@Path("/{vaultId}")
 	@RolesAllowed("user")
-	// @VaultRole(VaultAccess.Role.MEMBER) // TODO: members and admin may do this...
+	@VaultRole(value = {VaultAccess.Role.MEMBER, VaultAccess.Role.OWNER}, bypassForRealmRole = true, onMissingVault = VaultRole.OnMissingVault.NOT_FOUND)
 	@Produces(MediaType.APPLICATION_JSON)
 	@Transactional
 	@Operation(summary = "gets a vault")
@@ -431,25 +579,51 @@ public Response grantAccess(@PathParam("vaultId") UUID vaultId, @NotEmpty Map<St
 	@APIResponse(responseCode = "403", description = "requesting user is neither a vault member nor has the admin role")
 	public VaultDto get(@PathParam("vaultId") UUID vaultId) {
 		Vault vault = vaultRepo.findByIdOptional(vaultId).orElseThrow(NotFoundException::new);
-		if (vault.getEffectiveMembers().stream().noneMatch(u -> u.getId().equals(jwt.getSubject())) && !identity.getRoles().contains("admin")) {
-			throw new ForbiddenException("Requesting user is not a member of the vault");
-		}
+		return VaultDto.fromEntity(vault);
+	}
+
+	@PUT
+	@Path("/{vaultId}/archived")
+	@RolesAllowed("user")
+	@VaultRole(value = VaultAccess.Role.OWNER, bypassForRealmRole = true, onMissingVault = VaultRole.OnMissingVault.NOT_FOUND)
+	@Consumes(MediaType.TEXT_PLAIN)
+	@Produces(MediaType.APPLICATION_JSON)
+	@Transactional
+	@Operation(summary = "sets the archived flag of a vault")
+	@APIResponse(responseCode = "200", description = "archived flag updated")
+	@APIResponse(responseCode = "403", description = "requesting user is neither a vault owner nor has the admin role")
+	@APIResponse(responseCode = "404", description = "vault not found")
+	public VaultDto setArchived(@PathParam("vaultId") UUID vaultId, @NotNull Boolean archived) {
+		Vault vault = vaultRepo.findByIdOptional(vaultId).orElseThrow(NotFoundException::new);
+		vault.setArchived(archived);
+		vaultRepo.persistAndFlush(vault);
+		eventLogger.logVaultUpdated(jwt.getSubject(), vault.getId(), vault.getName(), vault.getDescription(), vault.isArchived());
 		return VaultDto.fromEntity(vault);
 	}
 
 	@PUT
 	@Path("/{vaultId}")
 	@RolesAllowed("user") // general authentication. VaultRole filter will check for specific access rights
-	@VaultRole(value = VaultAccess.Role.OWNER, onMissingVault = VaultRole.OnMissingVault.REQUIRE_REALM_ROLE, realmRole = "create-vaults")
+	@VaultRole(value = VaultAccess.Role.OWNER, onMissingVault = VaultRole.OnMissingVault.REQUIRE_REALM_ROLE, realmRole = RealmRole.CREATE_VAULTS, bypassForEmergencyAccess = true)
 	@Consumes(MediaType.APPLICATION_JSON)
 	@Produces(MediaType.APPLICATION_JSON)
 	@Transactional
 	@Operation(summary = "creates or updates a vault",
 			description = "Creates or updates a vault with the given vault id. The creationTime in the vaultDto is always ignored. On creation, the current server time is used and the archived field is ignored. On update, only the name, description, and archived fields are considered.")
+	// / start katta extension
+	@Parameter(name = "minio", in = ParameterIn.QUERY, description = "whether configuration for STS MinIO needs to be synched to Keycloak (defaults to false)")
+	@Parameter(name = "aws", in = ParameterIn.QUERY, description = "whether configuration for STS MinIO needs to be synched to AWS (defaults to false)")
+	// \ end katta extension
 	@APIResponse(responseCode = "200", description = "existing vault updated")
 	@APIResponse(responseCode = "201", description = "new vault created")
 	@APIResponse(responseCode = "402", description = "number of licensed seats is exceeded")
-	public Response createOrUpdate(@PathParam("vaultId") UUID vaultId, @Valid @NotNull VaultDto vaultDto) {
+	public Response createOrUpdate(
+			@PathParam("vaultId") UUID vaultId, @Valid @NotNull VaultDto vaultDto
+			// / start katta extension
+			, @QueryParam("minio") Boolean minio
+			, @QueryParam("aws") Boolean aws
+			// \ end katta extension
+	) {
 		User currentUser = userRepo.findById(jwt.getSubject());
 		Optional<Vault> existingVault = vaultRepo.findByIdOptional(vaultId);
 		final Vault vault;
@@ -459,7 +633,7 @@ public Response createOrUpdate(@PathParam("vaultId") UUID vaultId, @Valid @NotNu
 		} else {
 			//if license is exceeded block vault creation, independent if the user is already sitting
 			var usedSeats = effectiveVaultAccessRepo.countSeatOccupyingUsers();
-			if (usedSeats > license.getSeats()) {
+			if (usedSeats > license.getEntitlements().seats()) {
 				throw new PaymentRequiredException("Number of effective vault users exceeds available license seats");
 			}
 			// create new vault:
@@ -471,10 +645,29 @@ public Response createOrUpdate(@PathParam("vaultId") UUID vaultId, @Valid @NotNu
 		vault.setName(vaultDto.name);
 		vault.setDescription(vaultDto.description);
 		vault.setArchived(existingVault.isPresent() && vaultDto.archived);
+		var oldEmergencyKeyShares = vault.getEmergencyKeyShares().values();
+		vault.setRequiredEmergencyKeyShares(vaultDto.requiredEmergencyKeyShares);
+		vault.setEmergencyKeyShares(vaultDto.emergencyKeyShares);
 		vault.setUvfMetadataFile(vaultDto.uvfMetadataFile);
 		vault.setUvfKeySet(vaultDto.uvfKeySet);
 
+
+		// / start katta extension
+		keycloakCryptomatorVaultsHelper.keycloakPrepareVault(vaultId.toString(), minio, aws);
+		keycloakCryptomatorVaultsHelper.keycloakGrantAccessToVault(vaultId.toString(), jwt.getSubject(), kattaConfig.keycloakClientIdCryptomatorVaults(), false);
+		// \ end katta extension
+
 		vaultRepo.persistAndFlush(vault); // trigger PersistenceException before we continue with
+
+		// does this request update emergency key shares?
+		if (!oldEmergencyKeyShares.containsAll(vaultDto.emergencyKeyShares.values())) {
+			var emergencyAccessCouncilMembers = String.join("\", \"", vaultDto.emergencyKeyShares.keySet());
+			var settings = """
+					{ "requiredEmergencyKeyShares": %d, "emergencyCouncilMemberIds": ["%s"] }
+					""".formatted(vaultDto.requiredEmergencyKeyShares, emergencyAccessCouncilMembers);
+			eventLogger.logEmergencyAccessSetup(vault.getId(), currentUser.getId(), settings, request.remoteAddress().hostAddress());
+		}
+
 		if (existingVault.isEmpty()) {
 			eventLogger.logVaultCreated(currentUser.getId(), vault.getId(), vault.getName(), vault.getDescription());
 			var access = new VaultAccess();
@@ -547,25 +740,50 @@ public Response claimOwnership(@PathParam("vaultId") UUID vaultId, @FormParam("p
 		return Response.ok(VaultDto.fromEntity(vault), MediaType.APPLICATION_JSON).build();
 	}
 
-
-	public record VaultDto(@JsonProperty("id") UUID id,
+	@JsonInclude(JsonInclude.Include.NON_NULL)
+	public record VaultDto(@JsonProperty("id") @NotNull UUID id,
 						   @JsonProperty("name") @NoHtmlOrScriptChars @NotBlank String name,
+						   @JsonProperty("creationTime") Instant creationTime,
 						   @JsonProperty("description") @NoHtmlOrScriptChars String description,
 						   @JsonProperty("archived") boolean archived,
-						   @JsonProperty("creationTime") Instant creationTime,
+						   @JsonProperty("requiredEmergencyKeyShares") @Min(0) int requiredEmergencyKeyShares,
+						   @JsonProperty("emergencyKeyShares") Map<String, String> emergencyKeyShares,
 						   @JsonProperty("uvfMetadataFile") String uvfMetadataFile,
 						   @JsonProperty("uvfKeySet") String uvfKeySet,
 						   // Legacy properties ("Vault Admin Password"):
-						   @JsonProperty("masterkey") @OnlyBase64Chars String masterkey, @JsonProperty("iterations") Integer iterations, @JsonProperty("salt") @OnlyBase64Chars String salt,
+						   @JsonProperty("masterkey") @OnlyBase64Chars String masterkey, @JsonProperty("iterations") Integer iterations,
+						   @JsonProperty("salt") @OnlyBase64Chars String salt,
 						   @JsonProperty("authPublicKey") @OnlyBase64Chars String authPublicKey, @JsonProperty("authPrivateKey") @OnlyBase64Chars String authPrivateKey
 
 	) {
 
 		public static VaultDto fromEntity(Vault entity) {
-			return new VaultDto(entity.getId(), entity.getName(), entity.getDescription(), entity.isArchived(), entity.getCreationTime().truncatedTo(ChronoUnit.MILLIS), entity.getUvfMetadataFile(), entity.getUvfKeySet(),
+			return new VaultDto(entity.getId(), entity.getName(), entity.getCreationTime().truncatedTo(ChronoUnit.MILLIS), entity.getDescription(), entity.isArchived(), entity.getRequiredEmergencyKeyShares(), entity.getEmergencyKeyShares(),
+					// uvf:
+					entity.getUvfMetadataFile(), entity.getUvfKeySet(),
 					// legacy properties:
 					entity.getMasterkey(), entity.getIterations(), entity.getSalt(), entity.getAuthenticationPublicKey(), entity.getAuthenticationPrivateKey());
 		}
 
 	}
+
+	public record VaultDtoWithRole(
+			@JsonProperty("id") UUID id,
+			@JsonProperty("name") String name,
+			@JsonProperty("description") String description,
+			@JsonProperty("archived") boolean archived,
+			@JsonProperty("creationTime") Instant creationTime,
+			@JsonProperty("role") VaultAccess.Role role
+	) {
+		public static VaultDtoWithRole from(Vault vault, VaultAccess.Role role) {
+			return new VaultDtoWithRole(
+					vault.getId(),
+					vault.getName(),
+					vault.getDescription(),
+					vault.isArchived(),
+					vault.getCreationTime().truncatedTo(ChronoUnit.MILLIS),
+					role
+			);
+		}
+	}
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/api/katta/AutomaticAccessGrant.java b/backend/src/main/java/org/cryptomator/hub/api/katta/AutomaticAccessGrant.java
new file mode 100644
index 000000000..057a01cc5
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/api/katta/AutomaticAccessGrant.java
@@ -0,0 +1,13 @@
+package org.cryptomator.hub.api.katta;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public record AutomaticAccessGrant(
+		@JsonProperty(value = "enabled", defaultValue = "true")
+		boolean enabled,
+
+		// where -1 means "grant to anyone", where 0, 1, 2 would be the number of edges between any vault owner and the grantee. Exact algorithm tbd
+		@JsonProperty(value = "maxWotDepth", defaultValue = "-1")
+		int maxWotDepth) {
+
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/api/katta/CreateS3STSBucketDto.java b/backend/src/main/java/org/cryptomator/hub/api/katta/CreateS3STSBucketDto.java
new file mode 100644
index 000000000..6c61fe843
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/api/katta/CreateS3STSBucketDto.java
@@ -0,0 +1,29 @@
+package org.cryptomator.hub.api.katta;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.UUID;
+
+public record CreateS3STSBucketDto(
+		@JsonProperty("vaultId")
+		String vaultId,
+		@JsonProperty("storageConfigId")
+		UUID storageConfigId,
+		@JsonProperty("vaultUvf")
+		String vaultUvf,
+		@JsonProperty("dirUvf")
+		String dirUvf,
+		@JsonProperty("rootDirHash")
+		String rootDirHash,
+		@JsonProperty("awsAccessKey")
+		String awsAccessKey,
+		@JsonProperty("awsSecretKey")
+		String awsSecretKey,
+		@JsonProperty("sessionToken")
+		String sessionToken,
+		@JsonProperty("region")
+		String region
+) {
+
+}
+
diff --git a/backend/src/main/java/org/cryptomator/hub/api/katta/KattaConfig.java b/backend/src/main/java/org/cryptomator/hub/api/katta/KattaConfig.java
new file mode 100644
index 000000000..987132b16
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/api/katta/KattaConfig.java
@@ -0,0 +1,83 @@
+package org.cryptomator.hub.api.katta;
+
+import io.quarkus.oidc.OidcConfigurationMetadata;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+
+// TODO review: backport to ConfigResource.ConfigDto upstream?
+@ApplicationScoped
+public class KattaConfig {
+	@Inject
+	@ConfigProperty(name = "hub.keycloak.public-url", defaultValue = "")
+	String keycloakPublicUrl;
+
+	@Inject
+	@ConfigProperty(name = "hub.keycloak.realm", defaultValue = "")
+	String keycloakRealm;
+
+
+
+	@Inject
+	@ConfigProperty(name = "quarkus.oidc.client-id", defaultValue = "")
+	String keycloakClientIdHub;
+
+	@Inject
+	@ConfigProperty(name = "hub.keycloak.oidc.cryptomator-client-id", defaultValue = "")
+	String keycloakClientIdCryptomator;
+
+	@Inject
+	@ConfigProperty(name = "hub.keycloak.oidc.cryptomator-vaults-client-id", defaultValue = "")
+	String keycloakClientIdCryptomatorVaults;
+
+	@Inject
+	@ConfigProperty(name = "quarkus.oidc.auth-server-url")
+	String internalRealmUrl;
+
+	@Inject
+	OidcConfigurationMetadata oidcConfData;
+
+	String replacePrefix(String str, String prefix, String replacement) {
+		int index = str.indexOf(prefix);
+		if (index == 0) {
+			return replacement + str.substring(prefix.length());
+		} else {
+			return str;
+		}
+	}
+
+	String trimTrailingSlash(String str) {
+		if (str.endsWith("/")) {
+			return str.substring(0, str.length() - 1);
+		} else {
+			return str;
+		}
+
+	}
+
+	public String keycloakClientIdHub() {
+		return keycloakClientIdHub;
+	}
+
+	public String keycloakClientIdCryptomator() {
+		return keycloakClientIdCryptomator;
+	}
+
+	public String keycloakClientIdCryptomatorVaults() {
+		return keycloakClientIdCryptomatorVaults;
+	}
+
+	public String publicRealmUri() {
+		return trimTrailingSlash(keycloakPublicUrl + "/realms/" + keycloakRealm);
+	}
+
+	public String authEndpoint() {
+		return replacePrefix(oidcConfData.getAuthorizationUri(), trimTrailingSlash(internalRealmUrl), publicRealmUri());
+	}
+
+	public String tokenEndpoint() {
+		return replacePrefix(oidcConfData.getTokenUri(), trimTrailingSlash(internalRealmUrl), publicRealmUri());
+	}
+
+
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/api/katta/KeycloakTokenExchangeApi.java b/backend/src/main/java/org/cryptomator/hub/api/katta/KeycloakTokenExchangeApi.java
new file mode 100644
index 000000000..aea3c49ce
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/api/katta/KeycloakTokenExchangeApi.java
@@ -0,0 +1,26 @@
+package org.cryptomator.hub.api.katta;
+
+import io.quarkus.rest.client.reactive.ClientBasicAuth;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.FormParam;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.MediaType;
+import org.cryptomator.hub.entities.katta.AccessTokenResponse;
+import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
+
+@RegisterRestClient(configKey = "keycloak") // quarkus.rest-client.keycloak.url
+@ClientBasicAuth(username = "${hub.keycloak.oidc.cryptomator-vaults-client-id}", password = "${hub.keycloak.oidc.cryptomator-vaults-client-secret}")
+public interface KeycloakTokenExchangeApi {
+
+	@POST
+	@Path("protocol/openid-connect/token")
+	@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+	@Produces(MediaType.APPLICATION_JSON)
+	AccessTokenResponse exchange(@FormParam("grant_type") String grantType,
+								 @FormParam("subject_token") String subjectToken,
+								 @FormParam("subject_token_type") String subjectTokenType,
+								 @FormParam("requested_token_type") String requestedTokenType,
+								 @FormParam("scope") String scope);
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/api/katta/StorageDto.java b/backend/src/main/java/org/cryptomator/hub/api/katta/StorageDto.java
new file mode 100644
index 000000000..8b9e4fb1a
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/api/katta/StorageDto.java
@@ -0,0 +1,28 @@
+package org.cryptomator.hub.api.katta;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.UUID;
+
+public record StorageDto(
+		@JsonProperty("vaultId")
+		String vaultId,
+		@JsonProperty("storageConfigId")
+		UUID storageConfigId,
+		@JsonProperty("vaultUvf")
+		String vaultConfigToken,
+		@JsonProperty("rootDirHash")
+		String rootDirHash,
+		@JsonProperty("awsAccessKey")
+		String awsAccessKey,
+		@JsonProperty("awsSecretKey")
+		String awsSecretKey,
+		@JsonProperty("sessionToken")
+		String sessionToken,
+		@JsonProperty("region")
+		String region
+
+) {
+
+}
+
diff --git a/backend/src/main/java/org/cryptomator/hub/api/katta/StorageProfileDto.java b/backend/src/main/java/org/cryptomator/hub/api/katta/StorageProfileDto.java
new file mode 100644
index 000000000..e44bda77e
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/api/katta/StorageProfileDto.java
@@ -0,0 +1,95 @@
+package org.cryptomator.hub.api.katta;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonValue;
+import jakarta.persistence.Id;
+import org.cryptomator.hub.entities.katta.StorageProfile;
+import org.cryptomator.hub.entities.katta.StorageProfileS3STS;
+import org.cryptomator.hub.entities.katta.StorageProfileS3Static;
+import org.eclipse.microprofile.openapi.annotations.media.DiscriminatorMapping;
+import org.eclipse.microprofile.openapi.annotations.media.Schema;
+
+import java.util.UUID;
+
+
+// pro-memoria @Schema
+// - "required" is taken from @JSONProperty
+// - "defaultValue" needs to be repeated
+@Schema(
+
+		title = "StorageProfile",
+		oneOf = {StorageProfileS3StaticDto.class, StorageProfileS3STSDto.class},
+		discriminatorMapping = {
+
+				@DiscriminatorMapping(value = "S3STATIC", schema = StorageProfileS3StaticDto.class),
+				@DiscriminatorMapping(value = "S3STS", schema = StorageProfileS3STSDto.class),
+		},
+		discriminatorProperty = "protocol"
+)
+// although we have a dto hierarchy (StorageProfileDto <- StorageProfileS3Dto <- StorageProfileS3STSDto), the DB schema keeps the the tables separate (without foreign keys). There is one common GET service for listing and specific endpoints for POSTing profiles. Future profiles should inherit from StorageProfileDto. Serialized dtos are kept apart by a discriminator property, the openapi generators can de-serialized using it.
+public abstract sealed class StorageProfileDto permits StorageProfileS3StaticDto {
+	public enum Protocol {
+		s3static("S3STATIC"),
+		s3sts("S3STS");
+		private final String protocol;
+
+		private Protocol(final String protocol) {
+			this.protocol = protocol;
+		}
+
+		@JsonValue
+		public String getProtocol() {
+			return protocol;
+		}
+	}
+
+	@Id
+	@JsonProperty(value = "id", required = true)
+	@Schema(description = "Technical identifier for a storage profile. Must be unique UUID. Clients will use this as vendor in profile and provider in vault bookmark")
+	UUID id;
+
+	@JsonProperty(value = "name", required = true)
+	@Schema(description = "Displayed when choosing type of a new vault in dropdown.")
+	String name;
+
+	//======================================================================
+	// (3) client profile
+	//======================================================================
+
+	//----------------------------------------------------------------------
+	// (3a) STS and permanent client profile attributes
+	//----------------------------------------------------------------------
+	@JsonProperty(value = "protocol", required = true)
+	@Schema(description = "Storage protocol: S3 (permanent credentials) or S3STS (STS).")
+	Protocol protocol;
+
+	@JsonProperty(value = "archived", required = true, defaultValue = "false")
+	@Schema(description = "For archived storage profiles, no vaults can be created any more.")
+	boolean archived;
+
+	public StorageProfileDto() {
+		// jackson
+	}
+
+	public StorageProfileDto(final UUID id, final String name, final Protocol protocol, final boolean archived) {
+		this.id = id;
+		this.name = name;
+		this.protocol = protocol;
+		this.archived = archived;
+	}
+
+	static StorageProfileDto fromEntity(final StorageProfile storageProfile) {
+		// TODO refactor to JEP 441 in JDK 21
+		if (storageProfile instanceof StorageProfileS3STS storageProfileS3STS) {
+			return StorageProfileS3STSDto.fromEntity(storageProfileS3STS);
+		} else if (storageProfile instanceof StorageProfileS3Static storageProfileS3Static) {
+			return StorageProfileS3StaticDto.fromEntity(storageProfileS3Static);
+		} else {
+			throw new IllegalStateException("StorageProfile is not of type StorageProfileS3 or StorageProfileS3STS");
+		}
+	}
+
+	public UUID id() {
+		return id;
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/api/katta/StorageProfileResource.java b/backend/src/main/java/org/cryptomator/hub/api/katta/StorageProfileResource.java
new file mode 100644
index 000000000..5e2f0af9e
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/api/katta/StorageProfileResource.java
@@ -0,0 +1,126 @@
+package org.cryptomator.hub.api.katta;
+
+import jakarta.annotation.Nullable;
+import jakarta.annotation.security.RolesAllowed;
+import jakarta.inject.Inject;
+import jakarta.transaction.Transactional;
+import jakarta.ws.rs.ClientErrorException;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.FormParam;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.NotFoundException;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.PUT;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
+import org.cryptomator.hub.entities.katta.StorageProfile;
+import org.cryptomator.hub.entities.katta.StorageProfileS3STS;
+import org.cryptomator.hub.entities.katta.StorageProfileS3Static;
+import org.eclipse.microprofile.openapi.annotations.Operation;
+import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
+import org.hibernate.exception.ConstraintViolationException;
+
+import java.net.URI;
+import java.util.List;
+import java.util.UUID;
+import java.util.stream.Collectors;
+
+@Path("/storageprofile")
+public class StorageProfileResource {
+
+	@Inject
+	KattaConfig kattaConfig;
+
+
+	@POST
+	@Path("/s3static")
+	@RolesAllowed("admin")
+	@Transactional
+	@Consumes(MediaType.APPLICATION_JSON)
+	@Produces(MediaType.APPLICATION_JSON)
+	@APIResponse(responseCode = "201", description = "uploaded storage configuration")
+	@APIResponse(responseCode = "400", description = "Constraint violation")
+	@APIResponse(responseCode = "403", description = "not an admin")
+	@APIResponse(responseCode = "409", description = "Storage profile with ID already exists")
+	public Response uploadStorageProfile(final StorageProfileS3StaticDto c) {
+		try {
+			final StorageProfileS3Static entity = c.toEntity();
+			if (StorageProfileS3Static.findByIdOptional(entity.id).isPresent()) {
+				throw new ClientErrorException(Response.Status.CONFLICT);
+			}
+			entity.persistAndFlush();
+			return Response.created(URI.create(".")).contentLocation(URI.create(".")).entity(entity).type(MediaType.APPLICATION_JSON).build();
+		} catch (ConstraintViolationException e) {
+			return Response.status(Response.Status.BAD_REQUEST).entity(e).build();
+		}
+	}
+
+	@POST
+	@Path("/s3sts")
+	@RolesAllowed("admin")
+	@Transactional
+	@Consumes(MediaType.APPLICATION_JSON)
+	@Produces(MediaType.APPLICATION_JSON)
+	@APIResponse(responseCode = "201", description = "uploaded storage configuration")
+	@APIResponse(responseCode = "400", description = "Constraint violation")
+	@APIResponse(responseCode = "403", description = "not an admin")
+	@APIResponse(responseCode = "409", description = "Storage profile with ID already exists")
+	public Response uploadStorageProfile(final StorageProfileS3STSDto c) {
+		try {
+			final StorageProfileS3STS entity = c.toEntity();
+			if (StorageProfileS3STS.findByIdOptional(entity.id).isPresent()) {
+				throw new ClientErrorException(Response.Status.CONFLICT);
+			}
+			entity.persistAndFlush();
+			return Response.created(URI.create(".")).contentLocation(URI.create(".")).entity(entity).type(MediaType.APPLICATION_JSON).build();
+		} catch (ConstraintViolationException e) {
+			return Response.status(Response.Status.BAD_REQUEST).entity(e).build();
+		}
+	}
+
+	@GET
+	@Path("/")
+	@RolesAllowed({"user", "admin"})
+	@Produces(MediaType.APPLICATION_JSON)
+	@Transactional
+	@Operation(summary = "get configs for storage backends", description = "get list of configs for storage backends")
+	@APIResponse(responseCode = "200", description = "list of storage configuration")
+	@APIResponse(responseCode = "403", description = "not a user")
+	public List<StorageProfileDto> getStorageProfiles(@Nullable @QueryParam("archived") Boolean archived) {
+		return StorageProfileS3Static.findAll().<StorageProfile>stream().map(StorageProfileDto::fromEntity).filter(dto -> (archived == null) || archived.equals(dto.archived)).collect(Collectors.toList());
+	}
+
+	@GET
+	@Path("/{profileId}")
+	@RolesAllowed({"user", "admin"})
+	@Produces(MediaType.APPLICATION_JSON)
+	@Transactional
+	@Operation(summary = "gets a storage profile")
+	@APIResponse(responseCode = "200")
+	@APIResponse(responseCode = "403", description = "not a user")
+	public StorageProfileDto get(@PathParam("profileId") UUID profileId) {
+		return StorageProfileS3StaticDto.fromEntity(StorageProfileS3Static.<StorageProfile>findByIdOptional(profileId).orElseThrow(NotFoundException::new));
+	}
+
+	@PUT
+	@Path("/{profileId}")
+	@RolesAllowed("admin")
+	@Transactional
+	@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+	@Produces(MediaType.APPLICATION_JSON)
+	@Operation(summary = "archive a storage profile")
+	@APIResponse(responseCode = "204", description = "storage profile archived")
+	@APIResponse(responseCode = "403", description = "not an admin")
+	public Response archive(@PathParam("profileId") UUID profileId, @FormParam("archived") final Boolean archived) {
+		if (archived == null) {
+			return Response.status(Response.Status.BAD_REQUEST).build();
+		}
+		final StorageProfile entity = StorageProfileS3Static.<StorageProfile>findByIdOptional(profileId).orElseThrow(NotFoundException::new);
+		entity.setArchived(archived).persistAndFlush();
+		return Response.status(Response.Status.NO_CONTENT).build();
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/api/katta/StorageProfileS3STSDto.java b/backend/src/main/java/org/cryptomator/hub/api/katta/StorageProfileS3STSDto.java
new file mode 100644
index 000000000..22efdf508
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/api/katta/StorageProfileS3STSDto.java
@@ -0,0 +1,135 @@
+package org.cryptomator.hub.api.katta;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import org.cryptomator.hub.entities.katta.StorageProfileS3STS;
+import org.eclipse.microprofile.openapi.annotations.media.Schema;
+
+import java.util.List;
+import java.util.Objects;
+import java.util.UUID;
+
+@Schema(title = "StorageProfileS3STSDto")
+public final class StorageProfileS3STSDto extends StorageProfileS3StaticDto {
+
+	//----------------------------------------------------------------------
+	// (3b) STS client profile custom properties
+	//----------------------------------------------------------------------
+	@JsonProperty(value = "stsRoleAccessBucketAssumeRoleWithWebIdentity", required = true)
+	@Schema(description = "roleArn to for STS AssumeRoleWithWebIdentity (AWS and MinIO)", example = "arn:aws:iam::930717317329:role/katta_chain_01")
+	String stsRoleAccessBucketAssumeRoleWithWebIdentity;
+
+	@JsonProperty(value = "stsRoleAccessBucketAssumeRoleTaggedSession")
+	@Schema(description = "roleArn to assume for STS AssumeRole in role chaining (AWS only, not MinIO)", example = "arn:aws:iam::930717317329:role/katta_chain_02", nullable = true)
+	String stsRoleAccessBucketAssumeRoleTaggedSession;
+
+
+	@JsonProperty(value = "stsDurationSeconds", required = false)
+	@Schema(description = "Token lifetime for STS tokens assumed. Defaults to AWS/MinIO defaults", nullable = true)
+	Integer stsDurationSeconds;
+
+	@JsonProperty(value = "stsSessionTag", required = true)
+	@Schema(description = "Session tag to use for role chaining (AWS only, not MinIO). Defaults to \"Vault\"", nullable = false, defaultValue = "Vault")
+	String stsSessionTag;
+
+	public StorageProfileS3STSDto() {
+		// jackson
+	}
+
+	public StorageProfileS3STSDto(final UUID id, final String name, final Protocol protocol, final boolean archived, final String scheme, final String hostname, final Integer port, final boolean withPathStyleAccessEnabled, final S3_STORAGE_CLASSES storageClass, final String region, final List<String> regions, final String bucketPrefix, final String stsRoleCreateBucketClient, final String stsRoleCreateBucketHub, final String stsEndpoint, final boolean bucketVersioning, final Boolean bucketAcceleration, final S3_SERVERSIDE_ENCRYPTION bucketEncryption, final String stsRoleAccessBucketAssumeRoleWithWebIdentity, final String stsRoleAccessBucketAssumeRoleTaggedSession, final Integer stsDurationSeconds, final String stsSessionTag) {
+		super(id, name, protocol, archived, scheme, hostname, port, withPathStyleAccessEnabled, storageClass, region, regions, bucketPrefix, stsRoleCreateBucketClient, stsRoleCreateBucketHub, stsEndpoint, bucketVersioning, bucketAcceleration, bucketEncryption);
+		this.stsRoleAccessBucketAssumeRoleWithWebIdentity = stsRoleAccessBucketAssumeRoleWithWebIdentity;
+		this.stsRoleAccessBucketAssumeRoleTaggedSession = stsRoleAccessBucketAssumeRoleTaggedSession;
+		this.stsDurationSeconds = stsDurationSeconds;
+		this.stsSessionTag = stsSessionTag;
+	}
+
+	static StorageProfileS3STSDto fromEntity(final StorageProfileS3STS storageProfile) {
+		return new StorageProfileS3STSDto(
+				storageProfile.id,
+				storageProfile.name,
+				Protocol.s3sts,
+				storageProfile.archived,
+				storageProfile.scheme,
+				storageProfile.hostname,
+				storageProfile.port,
+				storageProfile.withPathStyleAccessEnabled,
+				S3_STORAGE_CLASSES.valueOf(storageProfile.storageClass),
+				storageProfile.region,
+				storageProfile.regions,
+				storageProfile.bucketPrefix,
+				storageProfile.stsRoleCreateBucketClient,
+				storageProfile.stsRoleCreateBucketHub,
+				storageProfile.stsEndpoint,
+				storageProfile.bucketVersioning,
+				storageProfile.bucketAcceleration,
+				S3_SERVERSIDE_ENCRYPTION.valueOf(storageProfile.bucketEncryption),
+				storageProfile.stsRoleAccessBucketAssumeRoleWithWebIdentity,
+				storageProfile.stsRoleAccessBucketAssumeRoleTaggedSession,
+				storageProfile.stsDurationSeconds,
+				storageProfile.stsSessionTag
+		);
+	}
+
+	public StorageProfileS3STS toEntity() {
+		final StorageProfileS3STS storageProfile = new StorageProfileS3STS();
+		storageProfile.id = this.id;
+		storageProfile.name = this.name;
+		storageProfile.protocol = this.protocol;
+		storageProfile.archived = this.archived;
+		storageProfile.scheme = this.scheme;
+		storageProfile.hostname = this.hostname;
+		storageProfile.port = this.port;
+		storageProfile.withPathStyleAccessEnabled = this.withPathStyleAccessEnabled;
+		storageProfile.storageClass = this.storageClass.toString();
+		storageProfile.region = this.region;
+		storageProfile.regions = this.regions;
+		storageProfile.bucketPrefix = this.bucketPrefix;
+		storageProfile.stsRoleCreateBucketClient = this.stsRoleCreateBucketClient;
+		storageProfile.stsRoleCreateBucketHub = this.stsRoleCreateBucketHub;
+		storageProfile.stsEndpoint = this.stsEndpoint;
+		storageProfile.bucketVersioning = this.bucketVersioning;
+		storageProfile.bucketAcceleration = this.bucketAcceleration;
+		storageProfile.bucketEncryption = this.bucketEncryption.name();
+		storageProfile.stsRoleAccessBucketAssumeRoleWithWebIdentity = this.stsRoleAccessBucketAssumeRoleWithWebIdentity;
+		storageProfile.stsRoleAccessBucketAssumeRoleTaggedSession = this.stsRoleAccessBucketAssumeRoleTaggedSession;
+		storageProfile.stsDurationSeconds = this.stsDurationSeconds;
+		storageProfile.stsSessionTag = this.stsSessionTag;
+		return storageProfile;
+	}
+
+	public String stsRoleAccessBucketAssumeRoleWithWebIdentity() {
+		return stsRoleAccessBucketAssumeRoleWithWebIdentity;
+	}
+
+	public String stsRoleAccessBucketAssumeRoleTaggedSession() {
+		return stsRoleAccessBucketAssumeRoleTaggedSession;
+	}
+
+	public Integer stsDurationSeconds() {
+		return stsDurationSeconds;
+	}
+
+	public String stsSessionTag() {
+		return stsSessionTag;
+	}
+
+	@Override
+	public boolean equals(Object o) {
+		if (this == o) return true;
+		if (o == null || getClass() != o.getClass()) return false;
+		if (!super.equals(o)) return false;
+
+		StorageProfileS3STSDto s3STSDto = (StorageProfileS3STSDto) o;
+		return Objects.equals(stsRoleAccessBucketAssumeRoleWithWebIdentity, s3STSDto.stsRoleAccessBucketAssumeRoleWithWebIdentity) && Objects.equals(stsRoleAccessBucketAssumeRoleTaggedSession, s3STSDto.stsRoleAccessBucketAssumeRoleTaggedSession) && Objects.equals(stsDurationSeconds, s3STSDto.stsDurationSeconds) && Objects.equals(stsSessionTag, s3STSDto.stsSessionTag);
+	}
+
+	@Override
+	public int hashCode() {
+		int result = super.hashCode();
+		result = 31 * result + Objects.hashCode(stsRoleAccessBucketAssumeRoleWithWebIdentity);
+		result = 31 * result + Objects.hashCode(stsRoleAccessBucketAssumeRoleTaggedSession);
+		result = 31 * result + Objects.hashCode(stsDurationSeconds);
+		result = 31 * result + Objects.hashCode(stsSessionTag);
+		return result;
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/api/katta/StorageProfileS3StaticDto.java b/backend/src/main/java/org/cryptomator/hub/api/katta/StorageProfileS3StaticDto.java
new file mode 100644
index 000000000..255c04888
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/api/katta/StorageProfileS3StaticDto.java
@@ -0,0 +1,209 @@
+package org.cryptomator.hub.api.katta;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import org.cryptomator.hub.entities.katta.StorageProfileS3Static;
+import org.eclipse.microprofile.openapi.annotations.media.Schema;
+import software.amazon.awssdk.regions.Region;
+
+import java.util.List;
+import java.util.Objects;
+import java.util.UUID;
+
+@Schema(title = "StorageProfileS3StaticDto")
+public sealed class StorageProfileS3StaticDto extends StorageProfileDto permits StorageProfileS3STSDto {
+
+	public enum S3_STORAGE_CLASSES {
+		STANDARD, INTELLIGENT_TIERING, STANDARD_IA, ONEZONE_IA, REDUCED_REDUNDANCY, GLACIER, GLACIER_IR, DEEP_ARCHIVE
+	}
+
+	//======================================================================
+	// (1) STS and permanent:
+	// - bucket creation frontend/desktop client (STS)
+	// - template upload (STS and permanent)
+	// - client profile (STS and permanent)
+	//======================================================================
+
+	@JsonProperty(value = "scheme", defaultValue = "https")
+	@Schema(description = "Scheme of S3 endpoint for template upload/bucket creation. Defaults to default for protocol, i.e. https in most cases.", example = "https", nullable = true)
+	String scheme;
+
+	@JsonProperty("hostname")
+	@Schema(description = "Hostname S3 endpoint for template upload/bucket creation. Defaults to AWS SDK default.", example = "s3-us-gov-west-1.amazonaws.com", nullable = true)
+	String hostname;
+
+	@JsonProperty("port")
+	@Schema(description = "Port S3 endpoint for template upload/bucket creation. Defaults to default port for scheme.", example = "443", nullable = true)
+	Integer port;
+
+	@JsonProperty(value = "withPathStyleAccessEnabled")
+	@Schema(description = "Whether to use path style for S3 endpoint for template upload/bucket creation.", example = "false", defaultValue = "false")
+	Boolean withPathStyleAccessEnabled = false;
+
+	@JsonProperty(value = "storageClass", defaultValue = "STANDARD")
+	@Schema(description = "Storage class for upload. Defaults to STANDARD", example = "STANDARD", required = true)
+	S3_STORAGE_CLASSES storageClass = S3_STORAGE_CLASSES.STANDARD;
+
+	public enum S3_SERVERSIDE_ENCRYPTION {
+		NONE, SSE_AES256, SSE_KMS_DEFAULT
+	}
+
+	//======================================================================
+	// (2) STS only: bucket creation  (only relevant for Desktop client)
+	//======================================================================
+	@JsonProperty(value = "region", required = true, defaultValue = "us-east-1")
+	@Schema(description = "Default region selected in the frontend/client to create bucket in.", example = "us-east-1", defaultValue = "us-east-1")
+	String region = "us-east-1";
+
+	@JsonProperty(value = "regions", required = true)
+	@Schema(description = "List of selectable regions in the frontend/client to create bucket in. Defaults to full list from AWS SDK.")
+	List<String> regions = Region.regions().stream().map(Region::id).toList();
+
+	@JsonProperty(value = "bucketPrefix", required = true)
+	@Schema(description = "Buckets are created with name <bucket prefix><vault UUID>.", example = "katta")
+	String bucketPrefix;
+
+	@JsonProperty(value = "stsRoleCreateBucketClient", required = true)
+	@Schema(description = "STS role for clients to assume to create buckets. Will be the same as stsRoleCreateBucketHub for AWS, different for MinIO.", example = "arn:aws:iam::<ACCOUNT ID>:role/katta-createbucket")
+	String stsRoleCreateBucketClient;
+
+	@JsonProperty(value = "stsRoleCreateBucketHub", required = true)
+	@Schema(description = "STS role for frontend to assume to create buckets (used with inline policy and passed to hub storage). Will be the same as stsRoleCreateBucketClient for AWS, different for MinIO.", example = "arn:aws:iam::<ACCOUNT ID>:role/katta-createbucket")
+	String stsRoleCreateBucketHub;
+
+	@JsonProperty("stsEndpoint")
+	@Schema(description = "STS endpoint to use for AssumeRoleWithWebIdentity and AssumeRole for getting a temporary access token passed to the storage. Defaults to AWS SDK default.", nullable = true)
+	String stsEndpoint;
+
+	@JsonProperty(value = "bucketVersioning", defaultValue = "true", required = true)
+	@Schema(description = "Enable bucket versioning upon bucket creation", defaultValue = "true", required = true)
+	Boolean bucketVersioning = true;
+
+	@JsonProperty(value = "bucketAcceleration")
+	@Schema(description = "Enable bucket versioning upon bucket creation (null for MinIO)", nullable = true)
+	Boolean bucketAcceleration = null;
+
+	@JsonProperty(value = "bucketEncryption", required = true)
+	@Schema(description = "Enable bucket versioning upon bucket creation", required = true)
+	S3_SERVERSIDE_ENCRYPTION bucketEncryption = S3_SERVERSIDE_ENCRYPTION.NONE;
+
+	public StorageProfileS3StaticDto() {
+		// jackson
+	}
+
+	public StorageProfileS3StaticDto(final UUID id, final String name, final Protocol protocol, final boolean archived, final String scheme, final String hostname, final Integer port, final boolean withPathStyleAccessEnabled, final S3_STORAGE_CLASSES storageClass, final String region, final List<String> regions, final String bucketPrefix, final String stsRoleCreateBucketClient, final String stsRoleCreateBucketHub, final String stsEndpoint, final boolean bucketVersioning, final Boolean bucketAcceleration, final S3_SERVERSIDE_ENCRYPTION bucketEncryption) {
+		super(id, name, protocol, archived);
+		this.scheme = scheme;
+		this.hostname = hostname;
+		this.port = port;
+		this.withPathStyleAccessEnabled = withPathStyleAccessEnabled;
+		this.storageClass = storageClass;
+
+		this.region = region;
+		this.regions = regions;
+		this.bucketPrefix = bucketPrefix;
+		this.stsRoleCreateBucketClient = stsRoleCreateBucketClient;
+		this.stsRoleCreateBucketHub = stsRoleCreateBucketHub;
+		this.stsEndpoint = stsEndpoint;
+		this.bucketVersioning = bucketVersioning;
+		this.bucketAcceleration = bucketAcceleration;
+		this.bucketEncryption = bucketEncryption;
+
+	}
+
+	static StorageProfileS3StaticDto fromEntity(final StorageProfileS3Static storageProfile) {
+		return new StorageProfileS3StaticDto(storageProfile.id, storageProfile.name, Protocol.s3static, storageProfile.archived, storageProfile.scheme, storageProfile.hostname, storageProfile.port, storageProfile.withPathStyleAccessEnabled, S3_STORAGE_CLASSES.valueOf(storageProfile.storageClass), storageProfile.region, storageProfile.regions, storageProfile.bucketPrefix, storageProfile.stsRoleCreateBucketClient, storageProfile.stsRoleCreateBucketHub, storageProfile.stsEndpoint, storageProfile.bucketVersioning, storageProfile.bucketAcceleration, S3_SERVERSIDE_ENCRYPTION.valueOf(storageProfile.bucketEncryption));
+	}
+
+	public StorageProfileS3Static toEntity() {
+		final StorageProfileS3Static storageProfile = new StorageProfileS3Static();
+		storageProfile.id = this.id;
+		storageProfile.name = this.name;
+		storageProfile.protocol = this.protocol;
+		storageProfile.archived = this.archived;
+		storageProfile.scheme = this.scheme;
+		storageProfile.hostname = this.hostname;
+		storageProfile.port = this.port;
+		storageProfile.withPathStyleAccessEnabled = this.withPathStyleAccessEnabled;
+		storageProfile.storageClass = this.storageClass.name();
+		storageProfile.region = this.region;
+		storageProfile.regions = this.regions;
+		storageProfile.bucketPrefix = this.bucketPrefix;
+		storageProfile.stsRoleCreateBucketClient = this.stsRoleCreateBucketClient;
+		storageProfile.stsRoleCreateBucketHub = this.stsRoleCreateBucketHub;
+		storageProfile.stsEndpoint = this.stsEndpoint;
+		storageProfile.bucketVersioning = this.bucketVersioning;
+		storageProfile.bucketAcceleration = this.bucketAcceleration;
+		storageProfile.bucketEncryption = this.bucketEncryption.name();
+		return storageProfile;
+	}
+
+	public String scheme() {
+		return scheme;
+	}
+
+	public String hostname() {
+		return hostname;
+	}
+
+	public Integer port() {
+		return port;
+	}
+
+	public Boolean withPathStyleAccessEnabled() {
+		return withPathStyleAccessEnabled;
+	}
+
+	public S3_STORAGE_CLASSES storageClass() {
+		return storageClass;
+	}
+
+	public String region() {
+		return region;
+	}
+
+	public List<String> regions() {
+		return regions;
+	}
+
+	public String bucketPrefix() {
+		return bucketPrefix;
+	}
+
+	public String stsRoleCreateBucketClient() {
+		return stsRoleCreateBucketClient;
+	}
+
+	public String stsRoleCreateBucketHub() {
+		return stsRoleCreateBucketHub;
+	}
+
+	public String stsEndpoint() {
+		return stsEndpoint;
+	}
+
+	public Boolean bucketVersioning() {
+		return bucketVersioning;
+	}
+
+	public Boolean bucketAcceleration() {
+		return bucketAcceleration;
+	}
+
+	public S3_SERVERSIDE_ENCRYPTION bucketEncryption() {
+		return bucketEncryption;
+	}
+
+	@Override
+	public boolean equals(Object o) {
+		if (this == o) return true;
+		if (o == null || getClass() != o.getClass()) return false;
+
+		StorageProfileS3StaticDto that = (StorageProfileS3StaticDto) o;
+		return Objects.equals(scheme, that.scheme) && Objects.equals(hostname, that.hostname) && Objects.equals(port, that.port) && Objects.equals(withPathStyleAccessEnabled, that.withPathStyleAccessEnabled) && storageClass == that.storageClass && Objects.equals(region, that.region) && Objects.equals(regions, that.regions) && Objects.equals(bucketPrefix, that.bucketPrefix) && Objects.equals(stsRoleCreateBucketClient, that.stsRoleCreateBucketClient) && Objects.equals(stsRoleCreateBucketHub, that.stsRoleCreateBucketHub) && Objects.equals(stsEndpoint, that.stsEndpoint) && Objects.equals(bucketVersioning, that.bucketVersioning) && Objects.equals(bucketAcceleration, that.bucketAcceleration) && bucketEncryption == that.bucketEncryption;
+	}
+
+	@Override
+	public int hashCode() {
+		return Objects.hash(scheme, hostname, port, withPathStyleAccessEnabled, storageClass, region, regions, bucketPrefix, stsRoleCreateBucketClient, stsRoleCreateBucketHub, stsEndpoint, bucketVersioning, bucketAcceleration, bucketEncryption);
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/api/katta/StorageResource.java b/backend/src/main/java/org/cryptomator/hub/api/katta/StorageResource.java
new file mode 100644
index 000000000..369619c73
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/api/katta/StorageResource.java
@@ -0,0 +1,115 @@
+package org.cryptomator.hub.api.katta;
+
+import jakarta.annotation.security.RolesAllowed;
+import jakarta.inject.Inject;
+import jakarta.transaction.Transactional;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.PUT;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.WebApplicationException;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
+import org.cryptomator.hub.api.GoneException;
+import org.cryptomator.hub.api.katta.storage.S3StorageHelper;
+import org.cryptomator.hub.entities.Group;
+import org.cryptomator.hub.entities.User;
+import org.cryptomator.hub.entities.Vault;
+import org.cryptomator.hub.entities.katta.AccessTokenResponse;
+import org.cryptomator.hub.entities.katta.StorageProfile;
+import org.cryptomator.hub.entities.katta.StorageProfileS3Static;
+import org.cryptomator.hub.katta.KeycloakCryptomatorVaultsHelper;
+import org.eclipse.microprofile.jwt.JsonWebToken;
+import org.eclipse.microprofile.openapi.annotations.Operation;
+import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
+import org.eclipse.microprofile.rest.client.inject.RestClient;
+import org.jboss.logging.Logger;
+
+import java.net.URI;
+import java.util.Map;
+import java.util.UUID;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+
+@Path("/storage")
+public class StorageResource {
+
+	private static final Logger log = Logger.getLogger(StorageResource.class);
+
+	@Inject
+	KattaConfig kattaConfig;
+
+	@Inject
+	KeycloakCryptomatorVaultsHelper keycloakCryptomatorVaultsHelper;
+
+	@Inject
+	JsonWebToken jwt;
+
+	@Inject
+	Vault.Repository vaultRepo;
+
+	@Inject
+	User.Repository userRepo;
+
+	@Inject
+	Group.Repository groupRepo;
+
+	@RestClient
+	KeycloakTokenExchangeApi tokenExchangeApi;
+
+	@Inject
+	S3StorageHelper s3StorageHelper;
+
+	@PUT
+	@Path("/{vaultId}")
+	@RolesAllowed("user")
+	@Produces(MediaType.APPLICATION_JSON)
+	@Transactional
+	@Operation(summary = "creates bucket and policy", description = "creates an S3 bucket and uploads policy for it for call from Web Client (CORS).")
+	@APIResponse(responseCode = "200", description = "Bucket and Keycloak config created")
+	@APIResponse(responseCode = "400", description = "Could not create bucket")
+	@APIResponse(responseCode = "409", description = "Bucket with this name already exists")
+	@APIResponse(responseCode = "410", description = "Storage profile is archived")
+	public Response createBucket(@PathParam("vaultId") UUID vaultId, final CreateS3STSBucketDto storage) {
+		final Map<UUID, StorageProfileDto> storageConfigs = StorageProfileS3Static.findAll().<StorageProfile>stream().map(StorageProfileDto::fromEntity).collect(Collectors.toMap(StorageProfileDto::id, Function.identity()));
+		if (!storageConfigs.containsKey(storage.storageConfigId())) {
+			return Response.status(Response.Status.BAD_REQUEST).entity(String.format("Storage profile %s not found on this server", storage.storageConfigId())).build();
+		}
+		final StorageProfileDto storageProfileDto = storageConfigs.get(storage.storageConfigId());
+		if (storageProfileDto.archived) {
+			throw new GoneException("Storage profile is archived.");
+		}
+		if (!(storageProfileDto instanceof StorageProfileS3STSDto)) {
+			return Response.status(Response.Status.BAD_REQUEST).entity(String.format("Storage profile must be StorageProfileS3STSDto. Found %s", storageProfileDto.getClass().getName())).build();
+		}
+
+		// N.B. if the bucket already exists, this will fail, so we do not prevent calling this method several times.
+		s3StorageHelper.makeS3Bucket((StorageProfileS3STSDto) storageProfileDto, storage);
+
+		return Response.created(URI.create(".")).build();
+	}
+
+	@POST
+	@Path("/s3-token")
+	@RolesAllowed("user")
+	@Produces(MediaType.APPLICATION_JSON)
+	@Transactional
+	@Operation(summary = "token exchange", description = "retrieves a downscoped access token for S3.")
+	@APIResponse(responseCode = "200", description = "success")
+	@APIResponse(responseCode = "400", description = "bad request")
+	public AccessTokenResponse exchangeS3Token(@QueryParam("vault") String vault) {
+		try {
+			return tokenExchangeApi.exchange("urn:ietf:params:oauth:grant-type:token-exchange",
+					jwt.getRawToken(),
+					"urn:ietf:params:oauth:token-type:access_token",
+					"urn:ietf:params:oauth:token-type:access_token",
+					vault);
+		} catch (WebApplicationException e) {
+			log.error(e);
+			throw new WebApplicationException(Response.status(e.getResponse().getStatus()).entity(String.format("Received: '%s', status code %s from Keycloak.", e.getResponse().getStatusInfo().getReasonPhrase(), e.getResponse().getStatus())).build());
+		}
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/api/katta/storage/S3StorageHelper.java b/backend/src/main/java/org/cryptomator/hub/api/katta/storage/S3StorageHelper.java
new file mode 100644
index 000000000..5696e6d76
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/api/katta/storage/S3StorageHelper.java
@@ -0,0 +1,203 @@
+package org.cryptomator.hub.api.katta.storage;
+
+
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.ws.rs.ClientErrorException;
+import jakarta.ws.rs.core.Response;
+import org.cryptomator.hub.api.katta.CreateS3STSBucketDto;
+import org.cryptomator.hub.api.katta.StorageProfileS3STSDto;
+import org.jboss.logging.Logger;
+import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
+import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
+import software.amazon.awssdk.core.sync.RequestBody;
+import software.amazon.awssdk.regions.Region;
+import software.amazon.awssdk.services.s3.S3Client;
+import software.amazon.awssdk.services.s3.S3ClientBuilder;
+import software.amazon.awssdk.services.s3.S3Configuration;
+import software.amazon.awssdk.services.s3.model.AccelerateConfiguration;
+import software.amazon.awssdk.services.s3.model.BucketAccelerateStatus;
+import software.amazon.awssdk.services.s3.model.BucketVersioningStatus;
+import software.amazon.awssdk.services.s3.model.CreateBucketConfiguration;
+import software.amazon.awssdk.services.s3.model.CreateBucketRequest;
+import software.amazon.awssdk.services.s3.model.GetBucketAccelerateConfigurationRequest;
+import software.amazon.awssdk.services.s3.model.GetBucketAccelerateConfigurationResponse;
+import software.amazon.awssdk.services.s3.model.GetBucketEncryptionRequest;
+import software.amazon.awssdk.services.s3.model.GetBucketEncryptionResponse;
+import software.amazon.awssdk.services.s3.model.GetBucketVersioningRequest;
+import software.amazon.awssdk.services.s3.model.GetBucketVersioningResponse;
+import software.amazon.awssdk.services.s3.model.HeadBucketRequest;
+import software.amazon.awssdk.services.s3.model.NoSuchBucketException;
+import software.amazon.awssdk.services.s3.model.PutBucketAccelerateConfigurationRequest;
+import software.amazon.awssdk.services.s3.model.PutBucketEncryptionRequest;
+import software.amazon.awssdk.services.s3.model.PutBucketVersioningRequest;
+import software.amazon.awssdk.services.s3.model.PutObjectRequest;
+import software.amazon.awssdk.services.s3.model.S3Exception;
+import software.amazon.awssdk.services.s3.model.ServerSideEncryption;
+import software.amazon.awssdk.services.s3.model.ServerSideEncryptionByDefault;
+import software.amazon.awssdk.services.s3.model.ServerSideEncryptionConfiguration;
+import software.amazon.awssdk.services.s3.model.ServerSideEncryptionRule;
+import software.amazon.awssdk.services.s3.model.VersioningConfiguration;
+
+import java.net.URI;
+import java.util.Base64;
+import java.util.Collections;
+
+@ApplicationScoped
+public class S3StorageHelper {
+	private static final Logger log = Logger.getLogger(S3StorageHelper.class);
+
+	public void makeS3Bucket(
+			final StorageProfileS3STSDto storageConfig,
+			final CreateS3STSBucketDto dto
+	) {
+
+		if (log.isInfoEnabled()) {
+			log.info(String.format("Make S3 bucket %s for profile %s", dto, storageConfig));
+		}
+
+		final String bucketName = storageConfig.bucketPrefix() + dto.vaultId();
+		// https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/java/example_code/s3/src/main/java/aws/example/s3/CreateBucket.java
+		final String region = dto.region();
+
+		S3ClientBuilder s3Builder = S3Client.builder()
+				.credentialsProvider(StaticCredentialsProvider.create(AwsSessionCredentials.create(dto.awsAccessKey(), dto.awsSecretKey(), dto.sessionToken())));
+		if (storageConfig.stsEndpoint() != null) {
+			s3Builder = s3Builder
+					.endpointOverride(URI.create(storageConfig.stsEndpoint()))
+					.serviceConfiguration(S3Configuration.builder()
+							.pathStyleAccessEnabled(storageConfig.withPathStyleAccessEnabled() != null ? storageConfig.withPathStyleAccessEnabled() : false)
+							.build());
+		} else if (region != null) {
+			s3Builder = s3Builder.region(Region.of(region));
+		}
+		try (final S3Client s3 = s3Builder.build()) {
+			boolean okToCreate = true;
+			try {
+				s3.headBucket(HeadBucketRequest.builder().bucket(bucketName).build());
+			} catch (final NoSuchBucketException e) {
+				okToCreate = true;
+			} catch (final S3Exception e) {
+				if (e.statusCode() == 403) {
+					// ignore
+					log.info("Ignoring 403 on bucket head", e);
+					okToCreate = true;
+				}
+			}
+			if (!okToCreate) {
+				throw new ClientErrorException(String.format("Bucket %s already exists or no permission to list.", bucketName), Response.Status.CONFLICT);
+			}
+
+			s3.createBucket(CreateBucketRequest.builder()
+					.bucket(bucketName)
+					.createBucketConfiguration(CreateBucketConfiguration.builder().locationConstraint(region).build())
+					.build());
+			if (log.isInfoEnabled()) {
+				log.info(String.format("Upload vault template to %s (%s, %s)", bucketName, dto, storageConfig));
+			}
+			s3.putObject(PutObjectRequest.builder()
+							.bucket(bucketName)
+							.key("vault.uvf")
+							.build(),
+					RequestBody.fromString(dto.vaultUvf()));
+
+			// See https://github.com/cryptomator/hub/blob/develop/frontend/src/common/vaultconfig.ts
+			//        zip.file('vault.uvf', this.vaultUvf);
+			//        zip.folder('d')?.folder(this.rootDirHash.substring(0, 2))?.folder(this.rootDirHash.substring(2));
+			// create meta-data for your folder and set content-length to 0
+			final PutObjectRequest placeholderPutRequest = PutObjectRequest.builder()
+					.bucket(bucketName)
+					.key(String.format("d/%s/%s/", dto.rootDirHash().substring(0, 2), dto.rootDirHash().substring(2)))
+					.contentLength(0L)
+					.build();
+			s3.putObject(placeholderPutRequest, RequestBody.empty());
+
+			final PutObjectRequest dirUvfPutRequest = PutObjectRequest.builder()
+					.bucket(bucketName)
+					.key(String.format("d/%s/%s/dir.uvf", dto.rootDirHash().substring(0, 2), dto.rootDirHash().substring(2)))
+					.build();
+			s3.putObject(dirUvfPutRequest, RequestBody.fromBytes(Base64.getUrlDecoder().decode(dto.dirUvf())));
+
+
+			// enable versioning on the bucket.
+			{
+				if (log.isInfoEnabled()) {
+					log.info(String.format("Enable/disable bucket versioning on %s (%s, %s)", bucketName, dto, storageConfig));
+				}
+				s3.putBucketVersioning(PutBucketVersioningRequest.builder()
+						.bucket(bucketName)
+						.versioningConfiguration(VersioningConfiguration.builder().status(storageConfig.bucketVersioning() ? BucketVersioningStatus.ENABLED : BucketVersioningStatus.SUSPENDED).build())
+						.build());
+				final GetBucketVersioningResponse conf = s3.getBucketVersioning(GetBucketVersioningRequest.builder().bucket(bucketName).build());
+				if (log.isInfoEnabled()) {
+					log.info(String.format("Enabled/disabled bucket versioning on %s (%s, %s) with status %s", bucketName, dto, storageConfig, conf.statusAsString()));
+				}
+			}
+
+			// enable/disable bucket acceleration on the bucket. Skip if not set (e.g. MinIO which has no bucket acceleration API)
+			if (storageConfig.bucketAcceleration() != null) {
+				if (log.isInfoEnabled()) {
+					log.info(String.format("Enable/disable bucket acceleration on %s (%s, %s)", bucketName, dto, storageConfig));
+				}
+				s3.putBucketAccelerateConfiguration(PutBucketAccelerateConfigurationRequest.builder()
+						.bucket(bucketName)
+						.accelerateConfiguration(AccelerateConfiguration.builder()
+								.status(storageConfig.bucketAcceleration() ? BucketAccelerateStatus.ENABLED : BucketAccelerateStatus.SUSPENDED)
+								.build())
+						.build());
+				final GetBucketAccelerateConfigurationResponse conf = s3.getBucketAccelerateConfiguration(GetBucketAccelerateConfigurationRequest.builder().bucket(bucketName).build());
+				if (log.isInfoEnabled()) {
+					log.info(String.format("Enabled/disabled bucket acceleration on %s (%s, %s) with status %s", bucketName, dto, storageConfig, conf.status()));
+				}
+			}
+
+			// enable/disable bucket encryption on the bucket
+			{
+				if (log.isInfoEnabled()) {
+					log.info(String.format("Enable/disable bucket encryption on %s (%s, %s)", bucketName, dto, storageConfig));
+				}
+				switch (storageConfig.bucketEncryption()) {
+					case NONE -> {
+					}
+					case SSE_AES256 -> s3.putBucketEncryption(
+							PutBucketEncryptionRequest.builder()
+									.bucket(bucketName)
+									.serverSideEncryptionConfiguration(ServerSideEncryptionConfiguration.builder()
+											.rules(Collections.singleton(
+													ServerSideEncryptionRule.builder()
+															.applyServerSideEncryptionByDefault(ServerSideEncryptionByDefault.builder()
+																	.sseAlgorithm(ServerSideEncryption.AES256).build())
+															.build()))
+
+											.build())
+									.build());
+					case SSE_KMS_DEFAULT -> s3.putBucketEncryption(
+							PutBucketEncryptionRequest.builder()
+									.bucket(bucketName)
+									.serverSideEncryptionConfiguration(ServerSideEncryptionConfiguration.builder()
+											.rules(Collections.singleton(
+													ServerSideEncryptionRule.builder()
+															.applyServerSideEncryptionByDefault(ServerSideEncryptionByDefault.builder()
+																	.sseAlgorithm(ServerSideEncryption.AWS_KMS).build())
+															.build()))
+
+											.build())
+									.build());
+				}
+				switch (storageConfig.bucketEncryption()) {
+					case NONE:
+						// MinIO does not support bucket acceleration nor encryption
+						// https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html
+						// https://github.com/minio/minio/blob/master/cmd/api-router.go
+						// https://github.com/minio/minio/issues/14586
+						break;
+					case SSE_AES256:
+					case SSE_KMS_DEFAULT:
+						final GetBucketEncryptionResponse conf = s3.getBucketEncryption(GetBucketEncryptionRequest.builder().bucket(bucketName).build());
+						if (log.isInfoEnabled()) {
+							log.info(String.format("Enabled/disabled bucket encryption on %s (%s, %s) with configuration %s", bucketName, dto, storageConfig, conf.serverSideEncryptionConfiguration()));
+						}
+				}
+			}
+		}
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/AccessToken.java b/backend/src/main/java/org/cryptomator/hub/entities/AccessToken.java
index 0711c8e32..96720bc79 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/AccessToken.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/AccessToken.java
@@ -15,7 +15,6 @@
 import jakarta.persistence.NoResultException;
 import jakarta.persistence.Table;
 
-import java.io.Serializable;
 import java.util.Objects;
 import java.util.UUID;
 
@@ -35,7 +34,7 @@
 public class AccessToken {
 
 	@EmbeddedId
-	private AccessId id = new AccessId();
+	private AccessId id;
 
 	@ManyToOne(optional = false, cascade = {CascadeType.REMOVE})
 	@MapsId("userId")
@@ -109,56 +108,7 @@ public String toString() {
 	}
 
 	@Embeddable
-	public static class AccessId implements Serializable {
-
-		String userId;
-		UUID vaultId;
-
-		public String getUserId() {
-			return userId;
-		}
-
-		public void setUserId(String userId) {
-			this.userId = userId;
-		}
-
-		public UUID getVaultId() {
-			return vaultId;
-		}
-
-		public void setVaultId(UUID vaultId) {
-			this.vaultId = vaultId;
-		}
-
-		public AccessId(String userId, UUID vaultId) {
-			this.userId = userId;
-			this.vaultId = vaultId;
-		}
-
-		public AccessId() {
-		}
-
-		@Override
-		public boolean equals(Object o) {
-			if (this == o) return true;
-			if (o == null || getClass() != o.getClass()) return false;
-			AccessId other = (AccessId) o;
-			return Objects.equals(userId, other.userId) //
-					&& Objects.equals(vaultId, other.vaultId);
-		}
-
-		@Override
-		public int hashCode() {
-			return Objects.hash(userId, vaultId);
-		}
-
-		@Override
-		public String toString() {
-			return "AccessId{" +
-					"userId='" + userId + '\'' +
-					", vaultId='" + vaultId + '\'' +
-					'}';
-		}
+	public record AccessId(String userId, UUID vaultId) {
 	}
 
 	@ApplicationScoped
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/Authority.java b/backend/src/main/java/org/cryptomator/hub/entities/Authority.java
index 60e114abc..4c011afea 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/Authority.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/Authority.java
@@ -12,7 +12,7 @@
 import jakarta.persistence.NamedQuery;
 import jakarta.persistence.Table;
 
-import java.util.List;
+import java.util.Collection;
 import java.util.Objects;
 import java.util.stream.Stream;
 
@@ -26,12 +26,6 @@
 				FROM Authority a
 				WHERE LOWER(a.name) LIKE :name
 				""")
-@NamedQuery(name = "Authority.allInList",
-		query = """
-				SELECT a
-				FROM Authority a
-				WHERE a.id IN :ids
-				""")
 public class Authority {
 
 	@Id
@@ -41,6 +35,9 @@ public class Authority {
 	@Column(name = "name", nullable = false)
 	private String name;
 
+	@Column(name = "picture_url")
+	private String pictureUrl;
+
 	public String getId() {
 		return id;
 	}
@@ -57,12 +54,17 @@ public void setName(String name) {
 		this.name = name;
 	}
 
+	public String getPictureUrl() {
+		return pictureUrl;
+	}
+
+	public void setPictureUrl(String pictureUrl) {
+		this.pictureUrl = pictureUrl;
+	}
+
 	@Override
 	public String toString() {
-		return "Authority{" +
-				"id='" + id + '\'' +
-				", name='" + name + '\'' +
-				'}';
+		return "Authority{id='" + id + "'}";
 	}
 
 	@Override
@@ -70,13 +72,12 @@ public boolean equals(Object o) {
 		if (this == o) return true;
 		if (o == null || getClass() != o.getClass()) return false;
 		Authority authority = (Authority) o;
-		return Objects.equals(id, authority.id)
-				&& Objects.equals(name, authority.name);
+		return Objects.equals(id, authority.id);
 	}
 
 	@Override
 	public int hashCode() {
-		return Objects.hash(id, name);
+		return Objects.hash(id);
 	}
 
 	@ApplicationScoped
@@ -86,8 +87,11 @@ public Stream<Authority> byName(String name) {
 			return find("#Authority.byName", Parameters.with("name", '%' + name.toLowerCase() + '%')).stream();
 		}
 
-		public Stream<Authority> findAllInList(List<String> ids) {
-			return find("#Authority.allInList", Parameters.with("ids", ids)).stream();
+		public Stream<Authority> findAllInList(Collection<String> ids) {
+			return Batch.of(200).run(ids, Stream.empty(), (batch, result) -> {
+				var partial = find("WHERE id IN :ids", Parameters.with("ids", batch));
+				return Stream.concat(result, partial.stream());
+			});
 		}
 	}
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/Batch.java b/backend/src/main/java/org/cryptomator/hub/entities/Batch.java
new file mode 100644
index 000000000..f3661e89f
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/entities/Batch.java
@@ -0,0 +1,48 @@
+package org.cryptomator.hub.entities;
+
+import java.util.Collection;
+import java.util.List;
+import java.util.function.BiFunction;
+import java.util.function.Consumer;
+
+public class Batch {
+
+	private final int size;
+
+	private Batch(int size) {
+		if (size <= 0) {
+			throw new IllegalArgumentException("Batch size must be positive");
+		}
+		this.size = size;
+	}
+
+	public static Batch of(int size) {
+		if (size <= 0) {
+			throw new IllegalArgumentException("Batch size must be positive");
+		}
+		return new Batch(size);
+	}
+
+	// TODO: add jspecify annotations
+	public <T> void run(Collection<T> collection, Consumer<List<T>> job) {
+		run(collection, null, (batch, ignored) -> {
+			job.accept(batch);
+			return null;
+		});
+	}
+
+	// TODO: add jspecify annotations
+	public <T, R> R run(Collection<T> collection, R initialValue, BiFunction<List<T>, R, R> job) {
+		if (collection == null || collection.isEmpty()) {
+			return initialValue;
+		}
+		List<T> list = collection instanceof List<T> l ? l : List.copyOf(collection);
+		R result = initialValue;
+		for (int i = 0; i < list.size(); i += size) {
+			List<T> sublist = list.subList(i, Math.min(i + size, list.size()));
+			result = job.apply(sublist, result);
+		}
+		return result;
+	}
+
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/Device.java b/backend/src/main/java/org/cryptomator/hub/entities/Device.java
index 04ba69e6d..079a914fa 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/Device.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/Device.java
@@ -158,7 +158,10 @@ public Device findByIdAndUser(String deviceId, String userId) throws NoResultExc
 		}
 
 		public Stream<Device> findAllInList(List<String> ids) {
-			return find("#Device.allInList", Parameters.with("ids", ids)).stream();
+			return Batch.of(200).run(ids, Stream.empty(), (batch, result) -> {
+				var partial = find("#Device.allInList", Parameters.with("ids", batch));
+				return Stream.concat(result, partial.stream());
+			});
 		}
 
 		public void deleteByOwner(String userId) {
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/EffectiveGroupMembership.java b/backend/src/main/java/org/cryptomator/hub/entities/EffectiveGroupMembership.java
index 26421c9eb..46be3e3e8 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/EffectiveGroupMembership.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/EffectiveGroupMembership.java
@@ -1,16 +1,70 @@
 package org.cryptomator.hub.entities;
 
+import io.quarkus.hibernate.orm.panache.PanacheRepositoryBase;
+import io.quarkus.panache.common.Parameters;
+import jakarta.enterprise.context.ApplicationScoped;
 import jakarta.persistence.Column;
 import jakarta.persistence.Embeddable;
 import jakarta.persistence.EmbeddedId;
 import jakarta.persistence.Entity;
+import jakarta.persistence.NamedNativeQuery;
 import jakarta.persistence.NamedQuery;
 import jakarta.persistence.Table;
 import org.hibernate.annotations.Immutable;
 
-import java.io.Serializable;
-import java.util.Objects;
+import java.util.Collection;
 
+@NamedNativeQuery(name = "EffectiveGroupMembership.fullUpdate", query = """
+		INSERT INTO "effective_group_membership" ("group_id", "intermediate_group_ids", "member_id")
+		WITH RECURSIVE "members" ("root","intermediate_group_ids","member_id", "depth") AS (
+		    SELECT "group_id", ARRAY["group_id"]::varchar[], "member_id", 0
+		        FROM "group_membership"
+		    UNION
+		    SELECT "parent"."root", array_append("parent"."intermediate_group_ids", "child"."group_id"), "child"."member_id", "parent"."depth" + 1
+		        FROM "group_membership" "child"
+		        INNER JOIN "members" "parent" ON "child"."group_id" = "parent"."member_id"
+		        WHERE "parent"."depth" < 10
+		) SELECT "root", "intermediate_group_ids", "member_id" FROM "members"
+		ON CONFLICT DO NOTHING
+		""")
+@NamedNativeQuery(name = "EffectiveGroupMembership.deleteGroups", query = """
+		DELETE
+		FROM "effective_group_membership"
+		WHERE "intermediate_group_ids" && :groupIds
+		""")
+@NamedNativeQuery(name = "EffectiveGroupMembership.updateGroups", query = """
+		INSERT INTO "effective_group_membership" ("group_id", "intermediate_group_ids", "member_id")
+		WITH RECURSIVE "members" ("root", "intermediate_group_ids", "member_id", "depth") AS (
+		    SELECT "group_id", ARRAY["group_id"]::varchar[], "member_id", 0
+		        FROM "group_membership"
+		        WHERE "group_id" IN :groupIds
+		    UNION
+		    SELECT "parent"."root", array_append("parent"."intermediate_group_ids", "child"."group_id"), "child"."member_id", "parent"."depth" + 1
+		        FROM "group_membership" "child"
+		        INNER JOIN "members" "parent" ON "child"."group_id" = "parent"."member_id"
+		        WHERE "parent"."depth" < 10
+		) SELECT "root", "intermediate_group_ids", "member_id" FROM "members"
+		ON CONFLICT DO NOTHING
+		""")
+@NamedQuery(name = "EffectiveGroupMembership.deleteUsers", query = """
+		DELETE
+		FROM EffectiveGroupMembership egm
+		WHERE egm.id.memberId IN :userIds
+		""")
+@NamedNativeQuery(name = "EffectiveGroupMembership.updateUsers", query = """
+		INSERT INTO "effective_group_membership" ("group_id", "intermediate_group_ids", "member_id")
+		WITH RECURSIVE "members" ("group_id", "intermediate_group_ids", "member_id", "depth") AS (
+		    SELECT "group_id", ARRAY["group_id"]::varchar[], "member_id", 0
+		        FROM "group_membership"
+		        WHERE "member_id" IN :userIds
+		    UNION
+		    SELECT "parent"."group_id", array_prepend("parent"."group_id", "child"."intermediate_group_ids"), "child"."member_id", "child"."depth" + 1
+		        FROM "group_membership" "parent"
+		        INNER JOIN "members" "child" ON "child"."group_id" = "parent"."member_id"
+		        WHERE "child"."depth" < 10
+		) SELECT "group_id", "intermediate_group_ids", "member_id" FROM "members"
+		ON CONFLICT DO NOTHING
+		""")
 @Entity
 @Immutable
 @Table(name = "effective_group_membership")
@@ -19,38 +73,48 @@ public class EffectiveGroupMembership {
 	@EmbeddedId
 	private Id id;
 
-	private String path;
-
 	@Embeddable
-	public static class Id implements Serializable {
-
-		@Column(name = "group_id")
-		private String groupId;
-
-		@Column(name = "member_id")
-		private String memberId;
-
-		@Override
-		public boolean equals(Object o) {
-			if (this == o) return true;
-			if (o instanceof Id egmId) {
-				return Objects.equals(groupId, egmId.groupId) //
-						&& Objects.equals(memberId, egmId.memberId);
-			}
-			return false;
+	public record Id(@Column(name = "group_id") String groupId, @Column(name = "member_id") String memberId) {
+	}
+
+	@ApplicationScoped
+	public static class Repository implements PanacheRepositoryBase<EffectiveGroupMembership, EffectiveGroupMembership.Id> {
+
+		public void fullUpdate() {
+			deleteAll();
+			getEntityManager()
+					.createNamedQuery("EffectiveGroupMembership.fullUpdate")
+					.executeUpdate();
 		}
 
-		@Override
-		public int hashCode() {
-			return Objects.hash(groupId, memberId);
+		public void updateGroups(Collection<String> groupIds) {
+			Batch.of(200).run(groupIds, batch -> {
+				getEntityManager()
+						.createNamedQuery("EffectiveGroupMembership.deleteGroups")
+						.setParameter("groupIds", batch.toArray(new String[0])) // explicit cast to array, so JPA maps to VARCHAR[] instead of VARCHAR
+						.executeUpdate();
+				getEntityManager()
+						.createNamedQuery("EffectiveGroupMembership.updateGroups")
+						.setParameter("groupIds", batch)
+						.executeUpdate();
+			});
 		}
 
-		@Override
-		public String toString() {
-			return "EffectiveGroupMembershipId{" +
-					"groupId='" + groupId + '\'' +
-					", memberId='" + memberId + '\'' +
-					'}';
+		public void updateUsers(Collection<String> userIds) {
+			Batch.of(200).run(userIds, batch -> {
+				delete("#EffectiveGroupMembership.deleteUsers", Parameters.with("userIds", batch));
+				getEntityManager()
+						.createNamedQuery("EffectiveGroupMembership.updateUsers")
+						.setParameter("userIds", batch)
+						.executeUpdate();
+			});
 		}
+
+		// visible for testing
+		boolean isMember(String groupId, String memberId) {
+			var id = new EffectiveGroupMembership.Id(groupId, memberId);
+			return findById(id) != null;
+		}
+
 	}
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/EffectiveVaultAccess.java b/backend/src/main/java/org/cryptomator/hub/entities/EffectiveVaultAccess.java
index bcb69ee3c..ac129e45a 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/EffectiveVaultAccess.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/EffectiveVaultAccess.java
@@ -9,6 +9,7 @@
 import jakarta.persistence.Entity;
 import jakarta.persistence.EnumType;
 import jakarta.persistence.Enumerated;
+import jakarta.persistence.FetchType;
 import jakarta.persistence.JoinColumn;
 import jakarta.persistence.ManyToOne;
 import jakarta.persistence.MapsId;
@@ -16,10 +17,8 @@
 import jakarta.persistence.Table;
 import org.hibernate.annotations.Immutable;
 
-import java.io.Serializable;
 import java.util.Collection;
-import java.util.List;
-import java.util.Objects;
+import java.util.Set;
 import java.util.UUID;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
@@ -27,39 +26,49 @@
 @Entity
 @Immutable
 @Table(name = "effective_vault_access")
-@NamedQuery(name = "EffectiveVaultAccess.countSeatsOccupiedBySingleUser", query = """
-		SELECT count(u)
+@NamedQuery(name = "EffectiveVaultAccess.isUserOccupyingSeat", query = """
+		SELECT 1
 		FROM User u
 		INNER JOIN EffectiveVaultAccess eva ON u.id = eva.id.authorityId
-		WHERE eva.id.authorityId = :userId
+		INNER JOIN Vault v ON eva.id.vaultId = v.id
+		WHERE u.id = :userId AND NOT v.archived AND u.enabled
 		""")
 @NamedQuery(name = "EffectiveVaultAccess.countSeatsOccupiedByUsers", query = """
 		SELECT COUNT(DISTINCT u.id)
 		FROM User u
 		INNER JOIN EffectiveVaultAccess eva ON u.id = eva.id.authorityId
-		INNER JOIN Vault v ON eva.id.vaultId = v.id AND NOT v.archived
-		WHERE u.id IN :userIds
+		INNER JOIN Vault v ON eva.id.vaultId = v.id
+		WHERE u.id IN :userIds AND NOT v.archived AND u.enabled
+		""")
+@NamedQuery(name = "EffectiveVaultAccess.usersSeatedOnOtherVaults", query = """
+		SELECT DISTINCT u.id
+		FROM User u
+		INNER JOIN EffectiveVaultAccess eva ON u.id = eva.id.authorityId
+		INNER JOIN Vault v ON eva.id.vaultId = v.id
+		WHERE NOT v.archived AND v.id <> :vaultId AND u.enabled
 		""")
 @NamedQuery(name = "EffectiveVaultAccess.countSeatOccupyingUsers", query = """
-		SELECT count(DISTINCT u)
+		SELECT COUNT(DISTINCT u.id)
 		FROM User u
 		INNER JOIN EffectiveVaultAccess eva ON u.id = eva.id.authorityId
-		INNER JOIN Vault v ON eva.id.vaultId = v.id AND NOT v.archived
+		INNER JOIN Vault v ON eva.id.vaultId = v.id
+		WHERE NOT v.archived AND u.enabled
 		""")
 @NamedQuery(name = "EffectiveVaultAccess.countSeatOccupyingUsersWithAccessToken", query = """
-		SELECT count(DISTINCT u)
+		SELECT COUNT(DISTINCT u.id)
 		FROM User u
 		INNER JOIN EffectiveVaultAccess eva ON u.id = eva.id.authorityId
-		INNER JOIN Vault v ON eva.id.vaultId = v.id AND NOT v.archived
+		INNER JOIN Vault v ON eva.id.vaultId = v.id
 		INNER JOIN AccessToken at ON eva.id.vaultId = at.id.vaultId AND eva.id.authorityId = at.id.userId
+		WHERE NOT v.archived AND u.enabled
 		""")
 @NamedQuery(name = "EffectiveVaultAccess.countSeatOccupyingUsersOfGroup", query = """
-		SELECT count(DISTINCT u)
+		SELECT COUNT(DISTINCT u.id)
 		FROM User u
 		INNER JOIN EffectiveVaultAccess eva ON u.id = eva.id.authorityId
 		INNER JOIN EffectiveGroupMembership egm ON u.id = egm.id.memberId
-		INNER JOIN Vault v ON eva.id.vaultId = v.id AND NOT v.archived
-		WHERE egm.id.groupId = :groupId
+		INNER JOIN Vault v ON eva.id.vaultId = v.id
+		WHERE egm.id.groupId = :groupId AND NOT v.archived AND u.enabled
 		""")
 @NamedQuery(name = "EffectiveVaultAccess.findByAuthorityAndVault", query = """
 		SELECT eva
@@ -69,8 +78,8 @@ SELECT count(DISTINCT u)
 @NamedQuery(name = "EffectiveVaultAccess.findMembersWithoutAccessTokens", query = """
 		SELECT eva
 		FROM EffectiveVaultAccess eva
-			INNER JOIN User u ON u.id = eva.id.authorityId
-			LEFT JOIN AccessToken token ON token.id.vaultId = eva.id.vaultId AND token.id.userId = eva.id.authorityId
+			INNER JOIN FETCH eva.authority u
+			LEFT JOIN AccessToken token ON token.id.vaultId = eva.id.vaultId AND token.id.userId = u.id
 			WHERE eva.id.vaultId = :vaultId AND token.vault IS NULL AND u.ecdhPublicKey IS NOT NULL
 		"""
 )
@@ -79,12 +88,12 @@ public class EffectiveVaultAccess {
 	@EmbeddedId
 	private EffectiveVaultAccess.Id id;
 
-	@ManyToOne
+	@ManyToOne(fetch = FetchType.LAZY)
 	@MapsId("vaultId")
 	@JoinColumn(name = "vault_id")
 	private Vault vault;
 
-	@ManyToOne
+	@ManyToOne(fetch = FetchType.LAZY)
 	@MapsId("authorityId")
 	@JoinColumn(name = "authority_id")
 	private Authority authority;
@@ -93,113 +102,37 @@ public Id getId() {
 		return id;
 	}
 
-	public void setId(Id id) {
-		this.id = id;
-	}
-
 	public Vault getVault() {
 		return vault;
 	}
 
-	public void setVault(Vault vault) {
-		this.vault = vault;
-	}
-
 	public Authority getAuthority() {
 		return authority;
 	}
 
-	public void setAuthority(Authority authority) {
-		this.authority = authority;
-	}
-
 	public VaultAccess.Role getRole() {
-		return id.role;
-	}
-
-	public void setRole(VaultAccess.Role role) {
-		this.id.role = role;
+		return id.role();
 	}
 
 	@Embeddable
-	public static class Id implements Serializable {
-
-		@Column(name = "vault_id")
-		private UUID vaultId;
-
-		@Column(name = "authority_id")
-		private String authorityId;
-
-		@Column(name = "role", nullable = false)
-		@Enumerated(EnumType.STRING)
-		private VaultAccess.Role role;
-
-		public UUID getVaultId() {
-			return vaultId;
-		}
-
-		public void setVaultId(UUID vaultId) {
-			this.vaultId = vaultId;
-		}
-
-		public String getAuthorityId() {
-			return authorityId;
-		}
-
-		public void setAuthorityId(String authorityId) {
-			this.authorityId = authorityId;
-		}
-
-		public VaultAccess.Role getRole() {
-			return role;
-		}
-
-		public void setRole(VaultAccess.Role role) {
-			this.role = role;
-		}
-
-		public Id(UUID vaultId, String authorityId, VaultAccess.Role role) {
-			this.vaultId = vaultId;
-			this.authorityId = authorityId;
-			this.role = role;
-		}
-
-		public Id() {
-		}
-
-		@Override
-		public boolean equals(Object o) {
-			if (this == o) return true;
-			if (o instanceof EffectiveVaultAccess.Id other) {
-				return Objects.equals(this.vaultId, other.vaultId) && Objects.equals(this.authorityId, other.authorityId) && Objects.equals(this.role, other.role);
-			}
-			return false;
-		}
-
-		@Override
-		public int hashCode() {
-			return Objects.hash(vaultId, authorityId, role);
-		}
-
-		@Override
-		public String toString() {
-			return "EffectiveVaultAccess.Id{" +
-					"vaultId='" + vaultId + '\'' +
-					", authorityId='" + authorityId + '\'' +
-					", role='" + role + '\'' +
-					'}';
-		}
+	public record Id(
+			@Column(name = "vault_id") UUID vaultId,
+			@Column(name = "authority_id") String authorityId,
+			@Column(name = "role", nullable = false) @Enumerated(EnumType.STRING) VaultAccess.Role role) {
 	}
 
 	@ApplicationScoped
 	public static class Repository implements PanacheRepositoryBase<EffectiveVaultAccess, Id> {
 
 		public boolean isUserOccupyingSeat(String userId) {
-			return count("#EffectiveVaultAccess.countSeatsOccupiedBySingleUser", Parameters.with("userId", userId)) > 0;
+			return find("#EffectiveVaultAccess.isUserOccupyingSeat", Parameters.with("userId", userId)).page(0, 1).firstResult() != null;
 		}
 
-		public long countSeatsOccupiedByUsers(List<String> userIds) {
-			return count("#EffectiveVaultAccess.countSeatsOccupiedByUsers", Parameters.with("userIds", userIds));
+		public long countSeatsOccupiedByUsers(Collection<String> userIds) {
+			return Batch.of(200).run(Set.copyOf(userIds), 0L, (batch, result) -> {
+				long partialCount = count("#EffectiveVaultAccess.countSeatsOccupiedByUsers", Parameters.with("userIds", batch));
+				return result + partialCount;
+			});
 		}
 
 		public long countSeatOccupyingUsers() {
@@ -223,5 +156,9 @@ public Collection<VaultAccess.Role> listRoles(UUID vaultId, String authorityId)
 		public Stream<EffectiveVaultAccess> findMembersWithoutAccessTokens(UUID vaultId) {
 			return find("#EffectiveVaultAccess.findMembersWithoutAccessTokens", Parameters.with("vaultId", vaultId)).stream();
 		}
+
+		public Stream<String> usersSeatedOnOtherVaults(UUID vaultId) {
+			return find("#EffectiveVaultAccess.usersSeatedOnOtherVaults", Parameters.with("vaultId", vaultId)).project(String.class).stream();
+		}
 	}
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/EffectiveWot.java b/backend/src/main/java/org/cryptomator/hub/entities/EffectiveWot.java
index 977e21a7a..7a70632bd 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/EffectiveWot.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/EffectiveWot.java
@@ -13,9 +13,6 @@
 import org.hibernate.annotations.Immutable;
 import org.hibernate.annotations.Type;
 
-import java.io.Serializable;
-import java.util.Objects;
-
 @Entity
 @Immutable
 @Table(name = "effective_wot")
@@ -55,44 +52,9 @@ public void setSignatureChain(String[] signatureChain) {
 	}
 
 	@Embeddable
-	public static class Id implements Serializable {
-
-		@Column(name = "trusting_user_id")
-		private String trustingUserId;
-
-		@Column(name = "trusted_user_id")
-		private String trustedUserId;
-
-		public String getTrustingUserId() {
-			return trustingUserId;
-		}
-
-		public String getTrustedUserId() {
-			return trustedUserId;
-		}
-
-		@Override
-		public boolean equals(Object o) {
-			if (this == o) return true;
-			if (o instanceof Id other) {
-				return Objects.equals(trustingUserId, other.trustingUserId) //
-						&& Objects.equals(trustedUserId, other.trustedUserId);
-			}
-			return false;
-		}
-
-		@Override
-		public int hashCode() {
-			return Objects.hash(trustingUserId, trustedUserId);
-		}
-
-		@Override
-		public String toString() {
-			return "EffectiveWotId{" +
-					"trustingUserId='" + trustingUserId + '\'' +
-					", trustedUserId='" + trustedUserId + '\'' +
-					'}';
-		}
+	public record Id(
+			@Column(name = "trusting_user_id") String trustingUserId,
+			@Column(name = "trusted_user_id") String trustedUserId) {
 	}
 
 	@ApplicationScoped
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/EmergencyRecoveryProcess.java b/backend/src/main/java/org/cryptomator/hub/entities/EmergencyRecoveryProcess.java
new file mode 100644
index 000000000..548b9e23b
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/entities/EmergencyRecoveryProcess.java
@@ -0,0 +1,158 @@
+package org.cryptomator.hub.entities;
+
+import io.quarkus.hibernate.orm.panache.PanacheRepositoryBase;
+import io.quarkus.panache.common.Parameters;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.persistence.CascadeType;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.EnumType;
+import jakarta.persistence.Enumerated;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.Id;
+import jakarta.persistence.MapKey;
+import jakarta.persistence.NamedQuery;
+import jakarta.persistence.OneToMany;
+import jakarta.persistence.Table;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+import java.util.UUID;
+import java.util.stream.Stream;
+
+@Entity
+@Table(name = "emergency_recovery_processes")
+@NamedQuery(name = "EmergencyRecoveryProcess.findByVaultId", query = """
+		SELECT process
+		FROM EmergencyRecoveryProcess process
+		WHERE process.vaultId = :vaultId
+		""")
+@NamedQuery(
+		name = "EmergencyRecoveryProcess.byCouncilMember", query = """
+		SELECT process
+		FROM EmergencyRecoveryProcess process
+		WHERE KEY(process.recoveredKeyShares) = :councilMemberId
+		"""
+)
+public class EmergencyRecoveryProcess {
+
+	public enum Type {
+		CHANGE_PERMISSIONS,
+		COUNCIL_CHANGE
+	}
+
+	@Id
+	@Column(name = "id", nullable = false)
+	private UUID id;
+
+	@Column(name = "vault_id", nullable = false)
+	private UUID vaultId;
+
+	@Column(name = "type", nullable = false)
+	@Enumerated(EnumType.STRING)
+	private Type type;
+
+	@Column(name = "details")
+	private String details;
+
+	@Column(name = "required_key_shares", nullable = false)
+	private int requiredKeyShares;
+
+	@Column(name = "process_public_key", nullable = false)
+	private String processPublicKey;
+
+	@OneToMany(mappedBy = "id.recoveryId", fetch = FetchType.EAGER, cascade = CascadeType.ALL, orphanRemoval = true)
+	@MapKey(name = "id.councilMemberId")
+	private Map<String, RecoveredEmergencyKeyShares> recoveredKeyShares = new HashMap<>();
+
+	public UUID getId() {
+		return id;
+	}
+
+	public void setId(UUID id) {
+		this.id = id;
+	}
+
+	public UUID getVaultId() {
+		return vaultId;
+	}
+
+	public void setVaultId(UUID vaultId) {
+		this.vaultId = vaultId;
+	}
+
+	public Type getType() {
+		return type;
+	}
+
+	public void setType(Type type) {
+		this.type = type;
+	}
+
+	public String getDetails() {
+		return details;
+	}
+
+	public void setDetails(String details) {
+		this.details = details;
+	}
+
+	public int getRequiredKeyShares() {
+		return requiredKeyShares;
+	}
+
+	public void setRequiredKeyShares(int requiredKeyShares) {
+		this.requiredKeyShares = requiredKeyShares;
+	}
+
+	public String getProcessPublicKey() {
+		return processPublicKey;
+	}
+
+	public void setProcessPublicKey(String processPublicKey) {
+		this.processPublicKey = processPublicKey;
+	}
+
+	public Map<String, RecoveredEmergencyKeyShares> getRecoveredKeyShares() {
+		return Map.copyOf(recoveredKeyShares);
+	}
+
+	public void setRecoveredKeyShares(Map<String, RecoveredEmergencyKeyShares> recoveredKeyShares) {
+		this.recoveredKeyShares.clear();
+		this.recoveredKeyShares.putAll(recoveredKeyShares);
+	}
+
+	@Override
+	public boolean equals(Object o) {
+		if (o == null || getClass() != o.getClass()) return false;
+		EmergencyRecoveryProcess that = (EmergencyRecoveryProcess) o;
+		return requiredKeyShares == that.requiredKeyShares && Objects.equals(id, that.id) && Objects.equals(vaultId, that.vaultId) && Objects.equals(type, that.type) && Objects.equals(details, that.details) && Objects.equals(processPublicKey, that.processPublicKey);
+	}
+
+	@Override
+	public int hashCode() {
+		return Objects.hash(id, vaultId, type, details, requiredKeyShares, processPublicKey);
+	}
+
+	@ApplicationScoped
+	public static class Repository implements PanacheRepositoryBase<EmergencyRecoveryProcess, UUID> {
+
+		public Stream<EmergencyRecoveryProcess> findByVaultId(UUID vaultId) {
+			return find("#EmergencyRecoveryProcess.findByVaultId", Parameters.with("vaultId", vaultId)).stream();
+		}
+
+		public Stream<EmergencyRecoveryProcess> findByCouncilMember(String councilMemberId) {
+			return find("#EmergencyRecoveryProcess.byCouncilMember", Parameters.with("councilMemberId", councilMemberId)).stream();
+		}
+
+		public void deleteKeySharesForCouncilMember(String councilMemberId) {
+			var adjustedProcesses = findByCouncilMember(councilMemberId).map(p -> {
+				p.recoveredKeyShares.remove(councilMemberId);
+				return p;
+			});
+			persist(adjustedProcesses);
+		}
+	}
+
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/Group.java b/backend/src/main/java/org/cryptomator/hub/entities/Group.java
index 88a310370..398ae4877 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/Group.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/Group.java
@@ -1,39 +1,54 @@
 package org.cryptomator.hub.entities;
 
 import io.quarkus.hibernate.orm.panache.PanacheRepositoryBase;
+import io.quarkus.panache.common.Parameters;
 import jakarta.enterprise.context.ApplicationScoped;
-import jakarta.persistence.CascadeType;
 import jakarta.persistence.DiscriminatorValue;
 import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
 import jakarta.persistence.JoinColumn;
 import jakarta.persistence.JoinTable;
 import jakarta.persistence.ManyToMany;
+import jakarta.persistence.NamedNativeQuery;
+import jakarta.persistence.OneToMany;
 import jakarta.persistence.Table;
 import jakarta.persistence.Transient;
+import org.hibernate.Hibernate;
+import org.hibernate.annotations.Immutable;
 
+import java.util.Collection;
 import java.util.HashSet;
 import java.util.Set;
 
+@NamedNativeQuery(name = "Group.addMember", query = """
+		INSERT INTO "group_membership" ("group_id", "member_id")
+		VALUES (:groupId, :memberId)
+		ON CONFLICT DO NOTHING
+		""")
+@NamedNativeQuery(name = "Group.removeMember", query = """
+		DELETE FROM "group_membership"
+		WHERE "group_id" = :groupId AND "member_id" = :memberId
+		""")
 @Entity
 @Table(name = "group_details")
 @DiscriminatorValue("GROUP")
 public class Group extends Authority {
 
-	@ManyToMany(cascade = {CascadeType.MERGE, CascadeType.PERSIST})
+	@ManyToMany
 	@JoinTable(name = "group_membership",
 			joinColumns = @JoinColumn(name = "group_id", referencedColumnName = "id"),
 			inverseJoinColumns = @JoinColumn(name = "member_id", referencedColumnName = "id")
 	)
 	private Set<Authority> members = new HashSet<>();
 
+	@Immutable
+	@OneToMany(mappedBy = "authority", fetch = FetchType.LAZY)
+	public Set<VaultAccess> accessibleVaults = new HashSet<>();
+
 	public Set<Authority> getMembers() {
 		return members;
 	}
 
-	public void setMembers(Set<Authority> members) {
-		this.members = members;
-	}
-
 	@Transient
 	public int getMemberSize() {
 		return members.size();
@@ -41,5 +56,57 @@ public int getMemberSize() {
 
 	@ApplicationScoped
 	public static class Repository implements PanacheRepositoryBase<Group, String> {
+
+		public Group findByIdWithEagerDetails(String id) {
+			// 1. fetch group with members:
+			var group = find("""
+					FROM Group g
+					LEFT JOIN FETCH g.members
+					WHERE g.id = :id
+					""", Parameters.with("id", id)).singleResultOptional().orElse(null);
+			if (group == null) {
+				return null;
+			}
+			// 2. fetch accessible vaults separately to avoid cartesian product explosion:
+			Hibernate.initialize(group.accessibleVaults);
+			return group;
+		}
+
+		public long deleteByIds(Collection<String> ids) {
+			return Batch.of(200).run(ids, 0L, (batch, result) -> result + delete("id IN :ids", Parameters.with("ids", batch)));
+		}
+
+		/**
+		 * Adds the group membership mapping without loading the entities.
+		 * <p>
+		 * This is a lightweight alternative to calling {@link Group#getMembers() group.getMembers().add(...)} but should be avoided if the group is already present in the persistence context.
+		 *
+		 * @param groupId  group ID
+		 * @param memberId memnber ID
+		 */
+		public void addMember(String groupId, String memberId) {
+			getEntityManager()
+					.createNamedQuery("Group.addMember")
+					.setParameter("groupId", groupId)
+					.setParameter("memberId", memberId)
+					.executeUpdate();
+		}
+
+		/**
+		 * Removes the group membership mapping without loading the entities.
+		 * <p>
+		 * This is a lightweight alternative to calling {@link Group#getMembers() group.getMembers().remove(...)} but should be avoided if the group is already present in the persistence context.
+		 *
+		 * @param groupId  group ID
+		 * @param memberId memnber ID
+		 */
+		public void removeMember(String groupId, String memberId) {
+			getEntityManager()
+					.createNamedQuery("Group.removeMember")
+					.setParameter("groupId", groupId)
+					.setParameter("memberId", memberId)
+					.executeUpdate();
+		}
+
 	}
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/LegacyAccessToken.java b/backend/src/main/java/org/cryptomator/hub/entities/LegacyAccessToken.java
index ce0cf0519..56f34f683 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/LegacyAccessToken.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/LegacyAccessToken.java
@@ -9,7 +9,6 @@
 import jakarta.persistence.NamedQuery;
 import jakarta.persistence.Table;
 
-import java.io.Serializable;
 import java.util.Map;
 import java.util.Objects;
 import java.util.UUID;
@@ -38,7 +37,7 @@
 public class LegacyAccessToken {
 
 	@EmbeddedId
-	private AccessId id = new AccessId();
+	private AccessId id;
 
 	@Column(name = "jwe", nullable = false)
 	private String jwe;
@@ -82,59 +81,9 @@ public String toString() {
 	}
 
 	@Embeddable
-	public static class AccessId implements Serializable {
-
-		@Column(name = "device_id", nullable = false)
-		private String deviceId;
-
-		@Column(name = "vault_id", nullable = false)
-		private UUID vaultId;
-
-		public String getDeviceId() {
-			return deviceId;
-		}
-
-		public void setDeviceId(String deviceId) {
-			this.deviceId = deviceId;
-		}
-
-		public UUID getVaultId() {
-			return vaultId;
-		}
-
-		public void setVaultId(UUID vaultId) {
-			this.vaultId = vaultId;
-		}
-
-		public AccessId(String deviceId, UUID vaultId) {
-			this.deviceId = deviceId;
-			this.vaultId = vaultId;
-		}
-
-		public AccessId() {
-		}
-
-		@Override
-		public boolean equals(Object o) {
-			if (this == o) return true;
-			if (o == null || getClass() != o.getClass()) return false;
-			AccessId other = (AccessId) o;
-			return Objects.equals(deviceId, other.deviceId) //
-					&& Objects.equals(vaultId, other.vaultId);
-		}
-
-		@Override
-		public int hashCode() {
-			return Objects.hash(deviceId, vaultId);
-		}
-
-		@Override
-		public String toString() {
-			return "LegacyAccessTokenId{" +
-					"deviceId='" + deviceId + '\'' +
-					", vaultId='" + vaultId + '\'' +
-					'}';
-		}
+	public record AccessId(
+			@Column(name = "device_id", nullable = false) String deviceId,
+			@Column(name = "vault_id", nullable = false) UUID vaultId) {
 	}
 
 	/**
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/LegacyDevice.java b/backend/src/main/java/org/cryptomator/hub/entities/LegacyDevice.java
index 95d69f769..7f8c00f8f 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/LegacyDevice.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/LegacyDevice.java
@@ -98,6 +98,10 @@ public Stream<LegacyDevice> findAllInList(List<String> ids) {
 			return find("#LegacyDevice.allInList", Parameters.with("ids", ids)).stream();
 		}
 
+		public boolean existsAny() {
+			return findAll().firstResultOptional().isPresent();
+		}
+
 		public void deleteByOwner(String userId) {
 			delete("#LegacyDevice.deleteByOwner", Parameters.with("userId", userId));
 		}
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/RecoveredEmergencyKeyShares.java b/backend/src/main/java/org/cryptomator/hub/entities/RecoveredEmergencyKeyShares.java
new file mode 100644
index 000000000..a7866a884
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/entities/RecoveredEmergencyKeyShares.java
@@ -0,0 +1,98 @@
+package org.cryptomator.hub.entities;
+
+import io.quarkus.hibernate.orm.panache.PanacheRepositoryBase;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.persistence.Column;
+import jakarta.persistence.Embeddable;
+import jakarta.persistence.EmbeddedId;
+import jakarta.persistence.Entity;
+import jakarta.persistence.Table;
+
+import java.util.Objects;
+import java.util.UUID;
+
+@Entity
+@Table(name = "recovered_emergency_key_shares")
+public class RecoveredEmergencyKeyShares {
+
+	@EmbeddedId
+	private Id id;
+
+	@Column(name = "process_private_key", nullable = false)
+	private String processPrivateKey;
+
+	@Column(name = "unrecovered_key_share", nullable = false)
+	private String unrecoveredKeyShare;
+
+	@Column(name = "recovered_key_share")
+	private String recoveredKeyShare;
+
+	@Column(name = "signed_process_info")
+	private String signedProcessInfo;
+
+	public Id getId() {
+		return id;
+	}
+
+	public void setId(Id id) {
+		this.id = id;
+	}
+
+	public String getProcessPrivateKey() {
+		return processPrivateKey;
+	}
+
+	public void setProcessPrivateKey(String processPrivateKey) {
+		this.processPrivateKey = processPrivateKey;
+	}
+
+	public String getUnrecoveredKeyShare() {
+		return unrecoveredKeyShare;
+	}
+
+	public void setUnrecoveredKeyShare(String unrecoveredKeyShare) {
+		this.unrecoveredKeyShare = unrecoveredKeyShare;
+	}
+
+	public String getRecoveredKeyShare() {
+		return recoveredKeyShare;
+	}
+
+	public void setRecoveredKeyShare(String recoveredKeyShare) {
+		this.recoveredKeyShare = recoveredKeyShare;
+	}
+
+	public String getSignedProcessInfo() {
+		return signedProcessInfo;
+	}
+
+	public void setSignedProcessInfo(String signedProcessInfo) {
+		this.signedProcessInfo = signedProcessInfo;
+	}
+
+	@Override
+	public boolean equals(Object o) {
+		if (o == null || getClass() != o.getClass()) return false;
+		RecoveredEmergencyKeyShares other = (RecoveredEmergencyKeyShares) o;
+		return Objects.equals(id, other.id)
+				&& Objects.equals(processPrivateKey, other.processPrivateKey)
+				&& Objects.equals(unrecoveredKeyShare, other.unrecoveredKeyShare)
+				&& Objects.equals(recoveredKeyShare, other.recoveredKeyShare)
+				&& Objects.equals(signedProcessInfo, other.signedProcessInfo);
+	}
+
+	@Override
+	public int hashCode() {
+		return Objects.hash(id, processPrivateKey, unrecoveredKeyShare, recoveredKeyShare, signedProcessInfo);
+	}
+
+	@Embeddable
+	public record Id(
+			@Column(name = "council_member_id") String councilMemberId,
+			@Column(name = "recovery_process_id") UUID recoveryId) {
+	}
+
+	@ApplicationScoped
+	public static class Repository implements PanacheRepositoryBase<RecoveredEmergencyKeyShares, Id> {
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/Settings.java b/backend/src/main/java/org/cryptomator/hub/entities/Settings.java
index 48f8373dc..056868e70 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/Settings.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/Settings.java
@@ -2,12 +2,18 @@
 
 import io.quarkus.hibernate.orm.panache.PanacheRepository;
 import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.persistence.CollectionTable;
 import jakarta.persistence.Column;
+import jakarta.persistence.ElementCollection;
 import jakarta.persistence.Entity;
 import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
 import jakarta.persistence.Table;
 
+import java.util.Collection;
+import java.util.HashSet;
 import java.util.Objects;
+import java.util.Set;
 
 @Entity
 @Table(name = "settings")
@@ -31,6 +37,26 @@ public class Settings {
 	@Column(name = "wot_id_verify_len", nullable = false)
 	private int wotIdVerifyLen;
 
+	@Column(name = "enable_emergency_access", nullable = false)
+	private boolean enableEmergencyAccess;
+
+	@Column(name = "default_required_emergency_key_shares", nullable = false)
+	private int defaultRequiredEmergencyKeyShares;
+
+	@Column(name = "default_min_members", nullable = false)
+	private int defaultMinMembers;
+
+	@Column(name = "allow_choosing_emergency_council", nullable = false)
+	private boolean allowChoosingEmergencyCouncil;
+
+	@ElementCollection
+	@CollectionTable(
+			name = "default_emergency_council",
+			joinColumns = @JoinColumn(name = "settings_id")
+	)
+	@Column(name = "member_id")
+	private Set<String> emergencyCouncilMemberIds = new HashSet<>();
+
 	public int getId() {
 		return id;
 	}
@@ -71,6 +97,47 @@ public void setWotIdVerifyLen(int wotIdVerifyLen) {
 		this.wotIdVerifyLen = wotIdVerifyLen;
 	}
 
+	public boolean isEmergencyAccessEnabled() {
+		return enableEmergencyAccess;
+	}
+
+	public void setEmergencyAccessEnabled(boolean enableEmergencyAccess) {
+		this.enableEmergencyAccess = enableEmergencyAccess;
+	}
+
+	public int getDefaultRequiredEmergencyKeyShares() {
+		return defaultRequiredEmergencyKeyShares;
+	}
+
+	public int getDefaultMinMembers() {
+		return defaultMinMembers;
+	}
+
+	public void setDefaultRequiredEmergencyKeyShares(int defaultRequiredEmergencyKeyShares) {
+		this.defaultRequiredEmergencyKeyShares = defaultRequiredEmergencyKeyShares;
+	}
+
+	public void setDefaultMinMembers(int defaultMinMembers) {
+		this.defaultMinMembers = defaultMinMembers;
+	}
+
+	public boolean isAllowChoosingEmergencyCouncil() {
+		return allowChoosingEmergencyCouncil;
+	}
+
+	public void setAllowChoosingEmergencyCouncil(boolean allowChoosingEmergencyCouncil) {
+		this.allowChoosingEmergencyCouncil = allowChoosingEmergencyCouncil;
+	}
+
+	public Set<String> getEmergencyCouncilMemberIds() {
+		return Set.copyOf(emergencyCouncilMemberIds);
+	}
+
+	public void setEmergencyCouncilMemberIds(Collection<String> emergencyCouncilMemberIds) {
+		this.emergencyCouncilMemberIds.clear();
+		this.emergencyCouncilMemberIds.addAll(emergencyCouncilMemberIds);
+	}
+
 	@Override
 	public String toString() {
 		return "Settings{" +
@@ -79,6 +146,11 @@ public String toString() {
 				", licenseKey='" + licenseKey + '\'' +
 				", wotMaxDepth='" + wotMaxDepth + '\'' +
 				", wotIdVerifyLen='" + wotIdVerifyLen + '\'' +
+				", enableEmergencyAccess=" + enableEmergencyAccess +
+				", defaultRequiredEmergencyKeyShares=" + defaultRequiredEmergencyKeyShares +
+				", defaultMinMembers=" + defaultMinMembers +
+				", allowChoosingEmergencyCouncil=" + allowChoosingEmergencyCouncil +
+				", emergencyCouncilMemberIds= [" + String.join(", ", emergencyCouncilMemberIds) + "]" +
 				'}';
 	}
 
@@ -91,12 +163,17 @@ public boolean equals(Object o) {
 				&& Objects.equals(hubId, settings.hubId)
 				&& Objects.equals(licenseKey, settings.licenseKey)
 				&& Objects.equals(wotMaxDepth, settings.wotMaxDepth)
-				&& Objects.equals(wotIdVerifyLen, settings.wotIdVerifyLen);
+				&& Objects.equals(wotIdVerifyLen, settings.wotIdVerifyLen)
+				&& enableEmergencyAccess == settings.enableEmergencyAccess
+				&& defaultRequiredEmergencyKeyShares == settings.defaultRequiredEmergencyKeyShares
+				&& defaultMinMembers == settings.defaultMinMembers
+				&& allowChoosingEmergencyCouncil == settings.allowChoosingEmergencyCouncil
+				&& Objects.equals(emergencyCouncilMemberIds, settings.emergencyCouncilMemberIds);
 	}
 
 	@Override
 	public int hashCode() {
-		return Objects.hash(id, hubId, licenseKey, wotMaxDepth, wotIdVerifyLen);
+		return Objects.hash(id, hubId, licenseKey, wotMaxDepth, wotIdVerifyLen, enableEmergencyAccess, defaultRequiredEmergencyKeyShares, defaultMinMembers, allowChoosingEmergencyCouncil, emergencyCouncilMemberIds);
 	}
 
 	@ApplicationScoped
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/StringArrayType.java b/backend/src/main/java/org/cryptomator/hub/entities/StringArrayType.java
index 07e635524..b6c61d1b3 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/StringArrayType.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/StringArrayType.java
@@ -1,6 +1,6 @@
 package org.cryptomator.hub.entities;
 
-import org.hibernate.engine.spi.SharedSessionContractImplementor;
+import org.hibernate.type.descriptor.WrapperOptions;
 import org.hibernate.usertype.UserType;
 
 import java.io.Serializable;
@@ -34,33 +34,40 @@ public int hashCode(String[] x) {
 	}
 
 	@Override
-	public String[] nullSafeGet(ResultSet rs, int position, SharedSessionContractImplementor session, Object owner) throws SQLException {
+	public String[] nullSafeGet(ResultSet rs, int position, WrapperOptions options) throws SQLException {
 		Array array = rs.getArray(position);
-		return array != null ? (String[]) array.getArray() : null;
+		return array != null ? (String[]) array.getArray() : new String[0];
 	}
 
 	@Override
-	public void nullSafeSet(PreparedStatement st, String[] value, int index, SharedSessionContractImplementor session) {
-		throw new UnsupportedOperationException("Read Only");
+	public void nullSafeSet(PreparedStatement st, String[] value, int index, WrapperOptions options) {
+		options.getSession().doWork(connection -> {
+			var jdbcArray = connection.createArrayOf("VARCHAR", value == null ? new String[0] : value);
+			st.setArray(index, jdbcArray);
+		});
 	}
 
 	@Override
 	public boolean isMutable() {
-		return false;
+		return true;
 	}
 
 	@Override
 	public String[] deepCopy(String[] value) {
-		return value; // value is immutable
+		return value == null ? null : value.clone();
 	}
 
 	@Override
 	public Serializable disassemble(String[] value) {
-		return value; // value is immutable
+		return deepCopy(value);
 	}
 
 	@Override
 	public String[] assemble(Serializable cached, Object owner) {
-		return (String[]) cached; // value is immutable
+		if (cached instanceof String[] s) {
+			return s.clone();
+		} else {
+			throw new IllegalArgumentException("Cached value is not of type String[]");
+		}
 	}
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/User.java b/backend/src/main/java/org/cryptomator/hub/entities/User.java
index 50e9d2d0c..dbd8d53a7 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/User.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/User.java
@@ -1,5 +1,6 @@
 package org.cryptomator.hub.entities;
 
+import io.quarkus.hibernate.orm.panache.PanacheQuery;
 import io.quarkus.hibernate.orm.panache.PanacheRepositoryBase;
 import io.quarkus.panache.common.Parameters;
 import jakarta.enterprise.context.ApplicationScoped;
@@ -7,42 +8,67 @@
 import jakarta.persistence.DiscriminatorValue;
 import jakarta.persistence.Entity;
 import jakarta.persistence.FetchType;
+import jakarta.persistence.ManyToMany;
 import jakarta.persistence.NamedQuery;
 import jakarta.persistence.OneToMany;
+import jakarta.persistence.OneToOne;
 import jakarta.persistence.Table;
+import org.hibernate.annotations.Immutable;
+import org.hibernate.annotations.Type;
 
+import java.util.Collection;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Objects;
 import java.util.Set;
 import java.util.UUID;
+import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 @Entity
 @Table(name = "user_details")
 @DiscriminatorValue("USER")
+@NamedQuery(name = "User.requiringAccessGrant",
+		query = """
+				SELECT u
+				FROM User u
+					INNER JOIN EffectiveVaultAccess perm ON u.id = perm.id.authorityId
+					LEFT JOIN u.accessTokens token ON token.id.vaultId = :vaultId AND token.id.userId = u.id
+					WHERE perm.id.vaultId = :vaultId AND token.vault IS NULL AND u.ecdhPublicKey IS NOT NULL AND u.enabled
+				""")
 @NamedQuery(name = "User.getEffectiveGroupUsers", query = """
 				SELECT DISTINCT u
 				FROM User u
 				INNER JOIN EffectiveGroupMembership egm ON u.id = egm.id.memberId
-				WHERE egm.id.groupId = :groupId
+				WHERE egm.id.groupId IN :groupIds AND u.enabled
 		""")
 @NamedQuery(name = "User.countEffectiveGroupUsers", query = """
 				SELECT count( DISTINCT u)
 				FROM User u
 				INNER JOIN EffectiveGroupMembership egm	ON u.id = egm.id.memberId
-				WHERE egm.id.groupId = :groupId
+				WHERE egm.id.groupId = :groupId AND u.enabled
 		""")
 public class User extends Authority {
 
-	@Column(name = "picture_url")
-	private String pictureUrl;
-
 	@Column(name = "email")
 	private String email;
 
+	@Column(name = "firstname")
+	private String firstName;
+
+	@Column(name = "lastname")
+	private String lastName;
+
 	@Column(name = "language")
 	private String language;
 
+	@Column(name = "realm_roles")
+	@Type(StringArrayType.class)
+	private String[] realmRoles = new String[0];
+
+	@Column(name = "enabled", nullable = false)
+	private boolean enabled = true;
+
 	@Column(name = "ecdh_publickey")
 	private String ecdhPublicKey;
 
@@ -55,13 +81,28 @@ public class User extends Authority {
 	@Column(name = "setupcode")
 	private String setupCode;
 
-	public String getPictureUrl() {
-		return pictureUrl;
-	}
+	@OneToOne(mappedBy = "user", fetch = FetchType.LAZY)
+	public UserMetrics metrics;
 
-	public void setPictureUrl(String pictureUrl) {
-		this.pictureUrl = pictureUrl;
-	}
+	@OneToMany(mappedBy = "user", fetch = FetchType.LAZY)
+	private Set<AccessToken> accessTokens = new HashSet<>();
+
+	@OneToMany(mappedBy = "owner", orphanRemoval = true, fetch = FetchType.LAZY)
+	private Set<Device> devices = new HashSet<>();
+
+	@ManyToMany(mappedBy = "members", cascade = {})
+	private Set<Group> directGroupMemberships = new HashSet<>();
+
+	@Immutable
+	@OneToMany(mappedBy = "authority", fetch = FetchType.LAZY)
+	private Set<EffectiveVaultAccess> accessibleVaults = new HashSet<>();
+
+	/**
+	 * @deprecated to be removed in <a href="https://github.com/cryptomator/hub/issues/333">#333</a>
+	 */
+	@Deprecated(since = "1.3.0", forRemoval = true)
+	@OneToMany(mappedBy = "owner", orphanRemoval = true, fetch = FetchType.LAZY)
+	private Set<LegacyDevice> legacyDevices = new HashSet<>();
 
 	public String getEmail() {
 		return email;
@@ -71,6 +112,22 @@ public void setEmail(String email) {
 		this.email = email;
 	}
 
+	public String getFirstName() {
+		return firstName;
+	}
+
+	public void setFirstName(String firstName) {
+		this.firstName = firstName;
+	}
+
+	public String getLastName() {
+		return lastName;
+	}
+
+	public void setLastName(String lastName) {
+		this.lastName = lastName;
+	}
+
 	public String getLanguage() {
 		return language;
 	}
@@ -79,6 +136,22 @@ public void setLanguage(String language) {
 		this.language = language;
 	}
 
+	public String[] getRealmRoles() {
+		return realmRoles;
+	}
+
+	public void setRealmRoles(String[] realmRoles) {
+		this.realmRoles = realmRoles;
+	}
+
+	public boolean isEnabled() {
+		return enabled;
+	}
+
+	public void setEnabled(boolean enabled) {
+		this.enabled = enabled;
+	}
+
 	public String getEcdhPublicKey() {
 		return ecdhPublicKey;
 	}
@@ -127,26 +200,25 @@ public void setDevices(Set<Device> devices) {
 		this.devices = devices;
 	}
 
-	/**
-	 * @deprecated to be removed in <a href="https://github.com/cryptomator/hub/issues/333">#333</a>
-	 */
-	@Deprecated(since = "1.3.0", forRemoval = true)
-	public Set<LegacyDevice> getLegacyDevices() {
-		return legacyDevices;
+	public UserMetrics getMetrics() {
+		return metrics;
 	}
 
-	@OneToMany(mappedBy = "user", fetch = FetchType.LAZY)
-	public Set<AccessToken> accessTokens = new HashSet<>();
+	public Set<Group> getDirectGroupMemberships() {
+		return directGroupMemberships;
+	}
 
-	@OneToMany(mappedBy = "owner", orphanRemoval = true, fetch = FetchType.LAZY)
-	public Set<Device> devices = new HashSet<>();
+	public Set<EffectiveVaultAccess> getAccessibleVaults() {
+		return accessibleVaults;
+	}
 
 	/**
 	 * @deprecated to be removed in <a href="https://github.com/cryptomator/hub/issues/333">#333</a>
 	 */
 	@Deprecated(since = "1.3.0", forRemoval = true)
-	@OneToMany(mappedBy = "owner", orphanRemoval = true, fetch = FetchType.LAZY)
-	public Set<LegacyDevice> legacyDevices = new HashSet<>();
+	public Set<LegacyDevice> getLegacyDevices() {
+		return legacyDevices;
+	}
 
 	@Override
 	public boolean equals(Object o) {
@@ -154,24 +226,81 @@ public boolean equals(Object o) {
 		if (o == null || getClass() != o.getClass()) return false;
 		User that = (User) o;
 		return super.equals(that) //
-				&& Objects.equals(pictureUrl, that.pictureUrl) //
 				&& Objects.equals(email, that.email);
 	}
 
 	@Override
 	public int hashCode() {
-		return Objects.hash(super.getId(), pictureUrl, email);
+		return Objects.hash(super.hashCode(), email);
 	}
 
 	@ApplicationScoped
 	public static class Repository implements PanacheRepositoryBase<User, String> {
 
+		public PanacheQuery<User> findAllWithMetrics() {
+			return find("""
+					FROM User u
+					LEFT JOIN FETCH u.metrics m
+					""");
+		}
+
+		public User findByIdWithEagerDetails(String id) {
+			// 1. fetch user with groups, devices, legacy devices:
+			// we can do this in a single query since we don't expect a large number of groups/devices per user,
+			// e.g. 1 user x 5 groups x 5 devices = 25 rows, which is acceptable
+			var user = find("""
+					FROM User u
+					LEFT JOIN FETCH u.directGroupMemberships dgm
+					LEFT JOIN FETCH u.devices d
+					LEFT JOIN FETCH u.legacyDevices ld
+					WHERE u.id = :id
+					""", Parameters.with("id", id)).singleResultOptional().orElse(null);
+			if (user == null) {
+				return null;
+			}
+			// 2. fetch accessible vaults separately to avoid cartesian product explosion:
+			// we replace the persistent set with our own set (allowed because it's marked as @Immutable)
+			user.accessibleVaults = getEntityManager().createQuery("""
+							SELECT DISTINCT eva
+							FROM EffectiveVaultAccess eva
+							INNER JOIN FETCH eva.vault v
+							WHERE eva.authority.id = :userId
+							""", EffectiveVaultAccess.class)
+					.setParameter("userId", id)
+					.getResultStream().collect(Collectors.toSet());
+			return user;
+		}
+
+		public Stream<User> findByIds(Collection<String> ids) {
+			return Batch.of(200).run(ids, Stream.empty(), (batch, result) -> {
+				var partial = find("id IN :ids", Parameters.with("ids", batch));
+				return Stream.concat(result, partial.stream());
+			});
+		}
+
+		public long deleteByIds(Collection<String> ids) {
+			return Batch.of(200).run(ids, 0L, (batch, result) -> result + delete("id IN :ids", Parameters.with("ids", batch)));
+		}
+
+		public Stream<User> findRequiringAccessGrant(UUID vaultId) {
+			return find("#User.requiringAccessGrant", Parameters.with("vaultId", vaultId)).stream();
+		}
+
 		public long countEffectiveGroupUsers(String groupdId) {
 			return count("#User.countEffectiveGroupUsers", Parameters.with("groupId", groupdId));
 		}
 
 		public Stream<User> getEffectiveGroupUsers(String groupdId) {
-			return find("#User.getEffectiveGroupUsers", Parameters.with("groupId", groupdId)).stream();
+			return getEffectiveGroupUsers(List.of(groupdId)).stream();
 		}
+
+		public Set<User> getEffectiveGroupUsers(Collection<String> groupIds) {
+			return Batch.of(200).run(groupIds, new HashSet<>(), (batch, result) -> {
+				var partial = find("#User.getEffectiveGroupUsers", Parameters.with("groupIds", batch)).project(User.class);
+				result.addAll(partial.list());
+				return result;
+			});
+		}
+
 	}
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/UserMetrics.java b/backend/src/main/java/org/cryptomator/hub/entities/UserMetrics.java
new file mode 100644
index 000000000..a7ec61b30
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/entities/UserMetrics.java
@@ -0,0 +1,57 @@
+package org.cryptomator.hub.entities;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.OneToOne;
+import org.hibernate.annotations.Immutable;
+import org.hibernate.annotations.Subselect;
+
+@Entity
+@Immutable
+@Subselect("""
+		SELECT
+			u.id AS user_id,
+			COUNT(DISTINCT g.group_id) AS direct_group_count,
+			COUNT(DISTINCT eva.vault_id) AS effective_vault_count,
+			COUNT(DISTINCT d.id) AS device_count
+		FROM
+			user_details u
+		LEFT JOIN group_membership g ON g.member_id = u.id
+		LEFT JOIN effective_vault_access eva ON eva.authority_id = u.id
+		LEFT JOIN device d ON d.owner_id = u.id
+		GROUP BY
+			u.id
+		""")
+public class UserMetrics {
+
+	@Id
+	@Column(name = "user_id")
+	private String userId;
+
+	@OneToOne
+	@JoinColumn(name = "user_id", referencedColumnName = "id", insertable = false, updatable = false)
+	private User user;
+
+	@Column(name = "direct_group_count")
+	private long directGroupMembershipCount;
+
+	@Column(name = "effective_vault_count")
+	private long effectiveVaultAccessCount;
+
+	@Column(name = "device_count")
+	private long deviceCount;
+
+	public long getDirectGroupMembershipCount() {
+		return directGroupMembershipCount;
+	}
+
+	public long getEffectiveVaultAccessCount() {
+		return effectiveVaultAccessCount;
+	}
+
+	public long getDeviceCount() {
+		return deviceCount;
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/Vault.java b/backend/src/main/java/org/cryptomator/hub/entities/Vault.java
index e8acd432f..ffed73f93 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/Vault.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/Vault.java
@@ -3,16 +3,20 @@
 import io.quarkus.hibernate.orm.panache.PanacheRepositoryBase;
 import io.quarkus.panache.common.Parameters;
 import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.persistence.CollectionTable;
 import jakarta.persistence.Column;
+import jakarta.persistence.ElementCollection;
 import jakarta.persistence.Entity;
 import jakarta.persistence.FetchType;
 import jakarta.persistence.Id;
 import jakarta.persistence.JoinColumn;
 import jakarta.persistence.JoinTable;
 import jakarta.persistence.ManyToMany;
+import jakarta.persistence.MapKeyColumn;
 import jakarta.persistence.NamedQuery;
 import jakarta.persistence.OneToMany;
 import jakarta.persistence.Table;
+import jakarta.transaction.Transactional;
 import org.hibernate.annotations.Immutable;
 
 import java.security.KeyFactory;
@@ -22,8 +26,10 @@
 import java.security.spec.X509EncodedKeySpec;
 import java.time.Instant;
 import java.util.Base64;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
@@ -46,6 +52,18 @@
 				INNER JOIN EffectiveVaultAccess a ON a.id.vaultId = v.id AND a.id.authorityId = :userId
 				WHERE a.id.role = :role
 				""")
+@NamedQuery(name = "Vault.recoverableByUser",
+		query = """
+				SELECT DISTINCT v
+				FROM Vault v
+				INNER JOIN v.emergencyKeyShares keyShares WHERE KEY(keyShares) = :councilMemberId
+				UNION
+				SELECT DISTINCT v
+				FROM EmergencyRecoveryProcess process
+				INNER JOIN RecoveredEmergencyKeyShares share ON share.id.recoveryId = process.id
+				INNER JOIN Vault v ON v.id = process.vaultId
+				WHERE share.id.councilMemberId = :councilMemberId
+				""")
 @NamedQuery(name = "Vault.allInList",
 		query = """
 				SELECT v
@@ -67,14 +85,6 @@ public class Vault {
 	)
 	private Set<Authority> directMembers = new HashSet<>();
 
-	@ManyToMany
-	@Immutable
-	@JoinTable(name = "effective_vault_access",
-			joinColumns = @JoinColumn(name = "vault_id", referencedColumnName = "id"),
-			inverseJoinColumns = @JoinColumn(name = "authority_id", referencedColumnName = "id")
-	)
-	private Set<Authority> effectiveMembers = new HashSet<>();
-
 	@OneToMany(mappedBy = "vault", fetch = FetchType.LAZY)
 	private Set<AccessToken> accessTokens = new HashSet<>();
 
@@ -105,6 +115,18 @@ public class Vault {
 	@Column(name = "archived", nullable = false)
 	private boolean archived;
 
+	@Column(name = "required_emergency_key_shares", nullable = false)
+	private int requiredEmergencyKeyShares;
+
+	@ElementCollection(fetch = FetchType.EAGER)
+	@CollectionTable(
+			name = "emergency_key_shares",
+			joinColumns = @JoinColumn(name = "vault_id")
+	)
+	@MapKeyColumn(name = "council_member_id")
+	@Column(name = "emergency_key_share")
+	private Map<String, String> emergencyKeyShares = new HashMap<>();
+
 	@Column(name = "uvf_metadata_file")
 	private String uvfMetadataFile;
 
@@ -144,18 +166,6 @@ public Set<Authority> getDirectMembers() {
 		return directMembers;
 	}
 
-	public void setDirectMembers(Set<Authority> directMembers) {
-		this.directMembers = directMembers;
-	}
-
-	public Set<Authority> getEffectiveMembers() {
-		return effectiveMembers;
-	}
-
-	public void setEffectiveMembers(Set<Authority> effectiveMembers) {
-		this.effectiveMembers = effectiveMembers;
-	}
-
 	public Set<AccessToken> getAccessTokens() {
 		return accessTokens;
 	}
@@ -236,6 +246,23 @@ public void setArchived(boolean archived) {
 		this.archived = archived;
 	}
 
+	public int getRequiredEmergencyKeyShares() {
+		return requiredEmergencyKeyShares;
+	}
+
+	public void setRequiredEmergencyKeyShares(int requiredEmergencyKeyShares) {
+		this.requiredEmergencyKeyShares = requiredEmergencyKeyShares;
+	}
+
+	public Map<String, String> getEmergencyKeyShares() {
+		return Map.copyOf(emergencyKeyShares);
+	}
+
+	public void setEmergencyKeyShares(Map<String, String> emergencyKeyShares) {
+		this.emergencyKeyShares.clear();
+		this.emergencyKeyShares.putAll(emergencyKeyShares);
+	}
+
 	public String getUvfMetadataFile() {
 		return uvfMetadataFile;
 	}
@@ -257,19 +284,12 @@ public boolean equals(Object o) {
 		if (this == o) return true;
 		if (o == null || getClass() != o.getClass()) return false;
 		Vault vault = (Vault) o;
-		return Objects.equals(id, vault.id)
-				&& Objects.equals(name, vault.name)
-				&& Objects.equals(salt, vault.salt)
-				&& Objects.equals(iterations, vault.iterations)
-				&& Objects.equals(masterkey, vault.masterkey)
-				&& Objects.equals(archived, vault.archived)
-				&& Objects.equals(uvfMetadataFile, vault.uvfMetadataFile)
-				&& Objects.equals(uvfKeySet, vault.uvfKeySet);
+		return Objects.equals(id, vault.id);
 	}
 
 	@Override
 	public int hashCode() {
-		return Objects.hash(id, name, salt, iterations, masterkey, archived, uvfMetadataFile, uvfKeySet);
+		return Objects.hash(id);
 	}
 
 	@Override
@@ -282,6 +302,10 @@ public String toString() {
 				", salt='" + salt + '\'' +
 				", iterations='" + iterations + '\'' +
 				", masterkey='" + masterkey + '\'' +
+				", authenticationPublicKey='" + authenticationPublicKey + '\'' +
+				", authenticationPrivateKey='" + authenticationPrivateKey + '\'' +
+				", requiredEmergencyKeyShares='" + requiredEmergencyKeyShares + '\'' +
+				", emergencyKeyShares=" + emergencyKeyShares.keySet().stream().collect(Collectors.joining(", ")) +
 				", archived='" + archived + '\'' +
 				", uvfMetadataFile='" + uvfMetadataFile + '\'' +
 				", uvfKeySet='" + uvfKeySet + '\'' +
@@ -295,12 +319,28 @@ public Stream<Vault> findAccessibleByUser(String userId) {
 			return find("#Vault.accessibleByUser", Parameters.with("userId", userId)).stream();
 		}
 
+		public Stream<Vault> findRecoverable(String userId) {
+			return find("#Vault.recoverableByUser", Parameters.with("councilMemberId", userId)).stream();
+		}
+
 		public Stream<Vault> findAccessibleByUser(String userId, VaultAccess.Role role) {
 			return find("#Vault.accessibleByUserAndRole", Parameters.with("userId", userId).and("role", role)).stream();
 		}
 
 		public Stream<Vault> findAllInList(List<UUID> ids) {
-			return find("#Vault.allInList", Parameters.with("ids", ids)).stream();
+			return Batch.of(200).run(ids, Stream.of(), (batch, result) -> {
+				Stream<Vault> partialResult = find("#Vault.allInList", Parameters.with("ids", batch)).stream();
+				return Stream.concat(result, partialResult);
+			});
+		}
+
+		@Transactional(Transactional.TxType.REQUIRED)
+		public void deleteEmergencyKeySharesForUser(String userId) {
+			var adjustedVaults = findRecoverable(userId).map(v -> {
+				v.emergencyKeyShares.remove(userId);
+				return v;
+			});
+			persist(adjustedVaults);
 		}
 	}
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/VaultAccess.java b/backend/src/main/java/org/cryptomator/hub/entities/VaultAccess.java
index 3cf477e56..64ce7e6e9 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/VaultAccess.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/VaultAccess.java
@@ -15,8 +15,6 @@
 import jakarta.persistence.NamedQuery;
 import jakarta.persistence.Table;
 
-import java.io.Serializable;
-import java.util.Objects;
 import java.util.UUID;
 import java.util.stream.Stream;
 
@@ -30,10 +28,29 @@
 				INNER JOIN FETCH va.authority
 				WHERE va.id.vaultId = :vaultId
 				""")
+@NamedQuery(name = "VaultAccess.countByAuthority",
+		query = """
+				SELECT COUNT(va)
+				FROM VaultAccess va
+				WHERE va.id.authorityId = :authorityId
+				""")
+@NamedQuery(name = "VaultAccess.findByAuthority",
+		query = """
+				SELECT va
+				FROM VaultAccess va
+				INNER JOIN FETCH va.vault
+				WHERE va.id.authorityId = :authorityId
+				""")
+@NamedQuery(name = "VaultAccess.deleteSpecific",
+		query = """
+				DELETE FROM VaultAccess va
+				WHERE va.id.vaultId = :vaultId
+				AND va.id.authorityId IN :authorityIds
+				""")
 public class VaultAccess {
 
 	@EmbeddedId
-	private VaultAccess.Id id = new VaultAccess.Id();
+	private VaultAccess.Id id;
 
 	@ManyToOne
 	@MapsId("vaultId")
@@ -93,67 +110,36 @@ public void setRole(Role role) {
 		this.role = role;
 	}
 
-	@Embeddable
-	public static class Id implements Serializable {
-
-		@Column(name = "vault_id")
-		UUID vaultId;
-
-		@Column(name = "authority_id")
-		String authorityId;
-
-		public Id(UUID vaultId, String authorityId) {
-			this.vaultId = vaultId;
-			this.authorityId = authorityId;
-		}
-
-		public Id() {
-		}
-
-		public UUID getVaultId() {
-			return vaultId;
-		}
-
-		public void setVaultId(UUID vaultId) {
-			this.vaultId = vaultId;
-		}
+	public static VaultAccess create(Vault vault, Authority authority, Role role) {
+		VaultAccess entity = new VaultAccess();
+		entity.setId(new Id(vault.getId(), authority.getId()));
+		entity.setVault(vault);
+		entity.setAuthority(authority);
+		entity.setRole(role);
+		return entity;
+	}
 
-		public String getAuthorityId() {
-			return authorityId;
-		}
+	@Embeddable
+	public record Id(@Column(name = "vault_id") UUID vaultId, @Column(name = "authority_id") String authorityId) {
+	}
 
-		public void setAuthorityId(String authorityId) {
-			this.authorityId = authorityId;
-		}
+	@ApplicationScoped
+	public static class Repository implements PanacheRepositoryBase<VaultAccess, Id> {
 
-		@Override
-		public boolean equals(Object o) {
-			if (this == o) return true;
-			if (o instanceof Id other) {
-				return Objects.equals(this.vaultId, other.vaultId) && Objects.equals(this.authorityId, other.authorityId);
-			}
-			return false;
+		public Stream<VaultAccess> forVault(UUID vaultId) {
+			return find("#VaultAccess.forVault", Parameters.with("vaultId", vaultId)).stream();
 		}
 
-		@Override
-		public int hashCode() {
-			return Objects.hash(vaultId, authorityId);
+		public long countByAuthority(String authorityId) {
+			return count("#VaultAccess.countByAuthority", Parameters.with("authorityId", authorityId));
 		}
 
-		@Override
-		public String toString() {
-			return "VaultAccess.Id{" +
-					"vaultId='" + vaultId + '\'' +
-					", authorityId='" + authorityId + '\'' +
-					'}';
+		public Stream<VaultAccess> findByAuthority(String authorityId) {
+			return find("#VaultAccess.findByAuthority", Parameters.with("authorityId", authorityId)).stream();
 		}
-	}
 
-	@ApplicationScoped
-	public static class Repository implements PanacheRepositoryBase<VaultAccess, Id> {
-
-		public Stream<VaultAccess> forVault(UUID vaultId) {
-			return find("#VaultAccess.forVault", Parameters.with("vaultId", vaultId)).stream();
+		public long delete(UUID vaultId, Iterable<String> authorityIds) {
+			return delete("#VaultAccess.deleteSpecific", Parameters.with("vaultId", vaultId).and("authorityIds", authorityIds));
 		}
 	}
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/WotEntry.java b/backend/src/main/java/org/cryptomator/hub/entities/WotEntry.java
index e451831b3..d490b8506 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/WotEntry.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/WotEntry.java
@@ -8,9 +8,6 @@
 import jakarta.persistence.Entity;
 import jakarta.persistence.Table;
 
-import java.io.Serializable;
-import java.util.Objects;
-
 @Entity
 @Table(name = "wot")
 public class WotEntry {
@@ -38,52 +35,7 @@ public void setSignature(String signature) {
 	}
 
 	@Embeddable
-	public static class Id implements Serializable {
-
-		@Column(name = "user_id")
-		private String userId;
-
-		@Column(name = "signer_id")
-		private String signerId;
-
-		public String getUserId() {
-			return userId;
-		}
-
-		public void setUserId(String userId) {
-			this.userId = userId;
-		}
-
-		public String getSignerId() {
-			return signerId;
-		}
-
-		public void setSignerId(String signerId) {
-			this.signerId = signerId;
-		}
-
-		@Override
-		public boolean equals(Object o) {
-			if (this == o) return true;
-			if (o instanceof Id other) {
-				return Objects.equals(userId, other.userId) //
-						&& Objects.equals(signerId, other.signerId);
-			}
-			return false;
-		}
-
-		@Override
-		public int hashCode() {
-			return Objects.hash(userId, signerId);
-		}
-
-		@Override
-		public String toString() {
-			return "WotEntryId{" +
-					"userId='" + userId + '\'' +
-					", signerId='" + signerId + '\'' +
-					'}';
-		}
+	public record Id(@Column(name = "user_id") String userId, @Column(name = "signer_id") String signerId) {
 	}
 
 	@ApplicationScoped
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/events/EmergencyAccessRecoveryAbortedEvent.java b/backend/src/main/java/org/cryptomator/hub/entities/events/EmergencyAccessRecoveryAbortedEvent.java
new file mode 100644
index 000000000..87be806fb
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/entities/events/EmergencyAccessRecoveryAbortedEvent.java
@@ -0,0 +1,77 @@
+package org.cryptomator.hub.entities.events;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.DiscriminatorValue;
+import jakarta.persistence.Entity;
+import jakarta.persistence.Table;
+
+import java.util.Objects;
+import java.util.UUID;
+
+@Entity
+@Table(name = "audit_event_emergaccess_recovery_aborted")
+@DiscriminatorValue(EmergencyAccessRecoveryAbortedEvent.TYPE)
+public class EmergencyAccessRecoveryAbortedEvent extends AuditEvent {
+
+	public static final String TYPE = "EMERGENCY_ACCESS_RECOVERY_ABORTED";
+
+	@Column(name = "vault_id", nullable = false)
+	private UUID vaultId;
+
+	@Column(name = "process_id", nullable = false)
+	private UUID processId;
+
+	@Column(name = "council_member_id", nullable = false)
+	private String councilMemberId;
+
+	@Column(name = "ip_address")
+	private String ipAddress;
+
+	public UUID getVaultId() {
+		return vaultId;
+	}
+
+	public void setVaultId(UUID vaultId) {
+		this.vaultId = vaultId;
+	}
+
+	public UUID getProcessId() {
+		return processId;
+	}
+
+	public void setProcessId(UUID processId) {
+		this.processId = processId;
+	}
+
+	public String getCouncilMemberId() {
+		return councilMemberId;
+	}
+
+	public void setCouncilMemberId(String councilMemberId) {
+		this.councilMemberId = councilMemberId;
+	}
+
+	public String getIpAddress() {
+		return ipAddress;
+	}
+
+	public void setIpAddress(String ipAddress) {
+		this.ipAddress = ipAddress;
+	}
+
+	@Override
+	public boolean equals(Object o) {
+		if (o == null || getClass() != o.getClass()) return false;
+		if (!super.equals(o)) return false;
+		EmergencyAccessRecoveryAbortedEvent other = (EmergencyAccessRecoveryAbortedEvent) o;
+		return Objects.equals(vaultId, other.vaultId)
+				&& Objects.equals(processId, other.processId)
+				&& Objects.equals(councilMemberId, other.councilMemberId)
+				&& Objects.equals(ipAddress, other.ipAddress);
+	}
+
+	@Override
+	public int hashCode() {
+		return Objects.hash(super.hashCode(), vaultId, processId, councilMemberId, ipAddress);
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/events/EmergencyAccessRecoveryApprovedEvent.java b/backend/src/main/java/org/cryptomator/hub/entities/events/EmergencyAccessRecoveryApprovedEvent.java
new file mode 100644
index 000000000..beb72e1d4
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/entities/events/EmergencyAccessRecoveryApprovedEvent.java
@@ -0,0 +1,66 @@
+package org.cryptomator.hub.entities.events;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.DiscriminatorValue;
+import jakarta.persistence.Entity;
+import jakarta.persistence.Table;
+
+import java.util.Objects;
+import java.util.UUID;
+
+@Entity
+@Table(name = "audit_event_emergaccess_recovery_approved")
+@DiscriminatorValue(EmergencyAccessRecoveryApprovedEvent.TYPE)
+public class EmergencyAccessRecoveryApprovedEvent extends AuditEvent {
+
+	public static final String TYPE = "EMERGENCY_ACCESS_RECOVERY_APPROVED";
+
+	@Column(name = "process_id", nullable = false)
+	private UUID processId;
+
+	@Column(name = "council_member_id", nullable = false)
+	private String councilMemberId;
+
+	@Column(name = "ip_address", nullable = false)
+	private String ipAddress;
+
+	public UUID getProcessId() {
+		return processId;
+	}
+
+	public void setProcessId(UUID processId) {
+		this.processId = processId;
+	}
+
+	public String getCouncilMemberId() {
+		return councilMemberId;
+	}
+
+	public void setCouncilMemberId(String councilMemberId) {
+		this.councilMemberId = councilMemberId;
+	}
+
+	public String getIpAddress() {
+		return ipAddress;
+	}
+
+	public void setIpAddress(String ipAddress) {
+		this.ipAddress = ipAddress;
+	}
+
+	@Override
+	public boolean equals(Object o) {
+		if (o == null || getClass() != o.getClass()) return false;
+		if (!super.equals(o)) return false;
+		EmergencyAccessRecoveryApprovedEvent other = (EmergencyAccessRecoveryApprovedEvent) o;
+		return Objects.equals(processId, other.processId)
+				&& Objects.equals(councilMemberId, other.councilMemberId)
+				&& Objects.equals(ipAddress, other.ipAddress);
+	}
+
+	@Override
+	public int hashCode() {
+		return Objects.hash(super.hashCode(), processId, councilMemberId, ipAddress);
+	}
+}
+
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/events/EmergencyAccessRecoveryCompletedEvent.java b/backend/src/main/java/org/cryptomator/hub/entities/events/EmergencyAccessRecoveryCompletedEvent.java
new file mode 100644
index 000000000..0c5ec4c7c
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/entities/events/EmergencyAccessRecoveryCompletedEvent.java
@@ -0,0 +1,66 @@
+package org.cryptomator.hub.entities.events;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.DiscriminatorValue;
+import jakarta.persistence.Entity;
+import jakarta.persistence.Table;
+
+import java.util.Objects;
+import java.util.UUID;
+
+@Entity
+@Table(name = "audit_event_emergaccess_recovery_completed")
+@DiscriminatorValue(EmergencyAccessRecoveryCompletedEvent.TYPE)
+public class EmergencyAccessRecoveryCompletedEvent extends AuditEvent {
+
+	public static final String TYPE = "EMERGENCY_ACCESS_RECOVERY_COMPLETED";
+
+	@Column(name = "process_id", nullable = false)
+	private UUID processId;
+
+	@Column(name = "council_member_id", nullable = false)
+	private String councilMemberId;
+
+	@Column(name = "ip_address")
+	private String ipAddress;
+
+	public UUID getProcessId() {
+		return processId;
+	}
+
+	public void setProcessId(UUID processId) {
+		this.processId = processId;
+	}
+
+	public String getCouncilMemberId() {
+		return councilMemberId;
+	}
+
+	public void setCouncilMemberId(String councilMemberId) {
+		this.councilMemberId = councilMemberId;
+	}
+
+	public String getIpAddress() {
+		return ipAddress;
+	}
+
+	public void setIpAddress(String ipAddress) {
+		this.ipAddress = ipAddress;
+	}
+
+	@Override
+	public boolean equals(Object o) {
+		if (o == null || getClass() != o.getClass()) return false;
+		if (!super.equals(o)) return false;
+		EmergencyAccessRecoveryCompletedEvent other = (EmergencyAccessRecoveryCompletedEvent) o;
+		return Objects.equals(processId, other.processId)
+				&& Objects.equals(councilMemberId, other.councilMemberId)
+				&& Objects.equals(ipAddress, other.ipAddress);
+	}
+
+	@Override
+	public int hashCode() {
+		return Objects.hash(super.hashCode(), processId, councilMemberId, ipAddress);
+	}
+}
+
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/events/EmergencyAccessRecoveryStartedEvent.java b/backend/src/main/java/org/cryptomator/hub/entities/events/EmergencyAccessRecoveryStartedEvent.java
new file mode 100644
index 000000000..857fa528a
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/entities/events/EmergencyAccessRecoveryStartedEvent.java
@@ -0,0 +1,89 @@
+package org.cryptomator.hub.entities.events;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.DiscriminatorValue;
+import jakarta.persistence.Entity;
+import jakarta.persistence.Table;
+
+import java.util.Objects;
+import java.util.UUID;
+
+@Entity
+@Table(name = "audit_event_emergaccess_recovery_started")
+@DiscriminatorValue(EmergencyAccessRecoveryStartedEvent.TYPE)
+public class EmergencyAccessRecoveryStartedEvent extends AuditEvent {
+
+	public static final String TYPE = "EMERGENCY_ACCESS_RECOVERY_STARTED";
+
+	@Column(name = "vault_id", nullable = false)
+	private UUID vaultId;
+
+	@Column(name = "process_id", nullable = false)
+	private UUID processId;
+
+	@Column(name = "council_member_id", nullable = false)
+	private String councilMemberId;
+
+	@Column(name = "process_type", nullable = false)
+	private String processType;
+
+	@Column(name = "details", nullable = false)
+	private String details;
+
+	public UUID getVaultId() {
+		return vaultId;
+	}
+
+	public void setVaultId(UUID vaultId) {
+		this.vaultId = vaultId;
+	}
+
+	public UUID getProcessId() {
+		return processId;
+	}
+
+	public void setProcessId(UUID processId) {
+		this.processId = processId;
+	}
+
+	public String getCouncilMemberId() {
+		return councilMemberId;
+	}
+
+	public void setCouncilMemberId(String councilMemberId) {
+		this.councilMemberId = councilMemberId;
+	}
+
+	public String getProcessType() {
+		return processType;
+	}
+
+	public void setProcessType(String processType) {
+		this.processType = processType;
+	}
+
+	public String getDetails() {
+		return details;
+	}
+
+	public void setDetails(String details) {
+		this.details = details;
+	}
+
+	@Override
+	public boolean equals(Object o) {
+		if (o == null || getClass() != o.getClass()) return false;
+		if (!super.equals(o)) return false;
+		EmergencyAccessRecoveryStartedEvent other = (EmergencyAccessRecoveryStartedEvent) o;
+		return Objects.equals(vaultId, other.vaultId)
+				&& Objects.equals(processId, other.processId)
+				&& Objects.equals(councilMemberId, other.councilMemberId)
+				&& Objects.equals(processType, other.processType)
+				&& Objects.equals(details, other.details);
+	}
+
+	@Override
+	public int hashCode() {
+		return Objects.hash(super.hashCode(), vaultId, processId, councilMemberId, processType, details);
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/events/EmergencyAccessSettingsUpdatedEvent.java b/backend/src/main/java/org/cryptomator/hub/entities/events/EmergencyAccessSettingsUpdatedEvent.java
new file mode 100644
index 000000000..fcada3846
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/entities/events/EmergencyAccessSettingsUpdatedEvent.java
@@ -0,0 +1,101 @@
+package org.cryptomator.hub.entities.events;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.DiscriminatorValue;
+import jakarta.persistence.Entity;
+import jakarta.persistence.Table;
+
+import java.util.Objects;
+
+@Entity
+@Table(name = "audit_event_emergaccess_settings_updated")
+@DiscriminatorValue(EmergencyAccessSettingsUpdatedEvent.TYPE)
+public class EmergencyAccessSettingsUpdatedEvent extends AuditEvent {
+
+	public static final String TYPE = "EMERGENCY_ACCESS_SETTINGS_UPDATED";
+
+	@Column(name = "admin_id", nullable = false)
+	private String adminId;
+
+	@Column(name = "enable_emergency_access", nullable = false)
+	private boolean enableEmergencyAccess;
+
+	@Column(name = "council_member_ids", nullable = false)
+	private String councilMemberIds;
+
+	@Column(name = "required_key_shares", nullable = false)
+	private int requiredKeyShares;
+
+	@Column(name = "min_members", nullable = false)
+	private int minMembers;
+
+	@Column(name = "allow_choosing_council", nullable = false)
+	private boolean allowChoosingCouncil;
+
+	public String getAdminId() {
+		return adminId;
+	}
+
+	public void setAdminId(String adminId) {
+		this.adminId = adminId;
+	}
+
+	public boolean isEmergencyAccessEnabled() {
+		return enableEmergencyAccess;
+	}
+
+	public void setEmergencyAccessEnabled(boolean enableEmergencyAccess) {
+		this.enableEmergencyAccess = enableEmergencyAccess;
+	}
+
+	public String getCouncilMemberIds() {
+		return councilMemberIds;
+	}
+
+	public void setCouncilMemberIds(String councilMemberIds) {
+		this.councilMemberIds = councilMemberIds;
+	}
+
+	public int getRequiredKeyShares() {
+		return requiredKeyShares;
+	}
+
+	public void setRequiredKeyShares(int requiredKeyShares) {
+		this.requiredKeyShares = requiredKeyShares;
+	}
+
+	public int getMinMembers() {
+		return minMembers;
+	}
+
+	public void setMinMembers(int minMembers) {
+		this.minMembers = minMembers;
+	}
+
+	public boolean isAllowChoosingCouncil() {
+		return allowChoosingCouncil;
+	}
+
+	public void setAllowChoosingCouncil(boolean allowChoosingCouncil) {
+		this.allowChoosingCouncil = allowChoosingCouncil;
+	}
+
+	@Override
+	public boolean equals(Object o) {
+		if (o == null || getClass() != o.getClass()) return false;
+		if (!super.equals(o)) return false;
+		EmergencyAccessSettingsUpdatedEvent other = (EmergencyAccessSettingsUpdatedEvent) o;
+		return enableEmergencyAccess == other.enableEmergencyAccess
+				&& requiredKeyShares == other.requiredKeyShares
+				&& minMembers == other.minMembers
+				&& allowChoosingCouncil == other.allowChoosingCouncil
+				&& Objects.equals(adminId, other.adminId)
+				&& Objects.equals(councilMemberIds, other.councilMemberIds);
+	}
+
+	@Override
+	public int hashCode() {
+		return Objects.hash(super.hashCode(), adminId, enableEmergencyAccess, councilMemberIds, requiredKeyShares, minMembers, allowChoosingCouncil);
+	}
+}
+
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/events/EmergencyAccessSetupEvent.java b/backend/src/main/java/org/cryptomator/hub/entities/events/EmergencyAccessSetupEvent.java
new file mode 100644
index 000000000..a219dce9a
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/entities/events/EmergencyAccessSetupEvent.java
@@ -0,0 +1,77 @@
+package org.cryptomator.hub.entities.events;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.DiscriminatorValue;
+import jakarta.persistence.Entity;
+import jakarta.persistence.Table;
+
+import java.util.Objects;
+import java.util.UUID;
+
+@Entity
+@Table(name = "audit_event_emergaccess_setup")
+@DiscriminatorValue(EmergencyAccessSetupEvent.TYPE)
+public class EmergencyAccessSetupEvent extends AuditEvent {
+
+	public static final String TYPE = "EMERGENCY_ACCESS_SETUP";
+
+	@Column(name = "vault_id", nullable = false)
+	private UUID vaultId;
+
+	@Column(name = "owner_id", nullable = false)
+	private String ownerId;
+
+	@Column(name = "settings", nullable = false)
+	private String settings;
+
+	@Column(name = "ip_address", nullable = false)
+	private String ipAddress;
+
+	public UUID getVaultId() {
+		return vaultId;
+	}
+
+	public void setVaultId(UUID vaultId) {
+		this.vaultId = vaultId;
+	}
+
+	public String getOwnerId() {
+		return ownerId;
+	}
+
+	public void setOwnerId(String ownerId) {
+		this.ownerId = ownerId;
+	}
+
+	public String getSettings() {
+		return settings;
+	}
+
+	public void setSettings(String settings) {
+		this.settings = settings;
+	}
+
+	public String getIpAddress() {
+		return ipAddress;
+	}
+
+	public void setIpAddress(String ipAddress) {
+		this.ipAddress = ipAddress;
+	}
+
+	@Override
+	public boolean equals(Object o) {
+		if (o == null || getClass() != o.getClass()) return false;
+		if (!super.equals(o)) return false;
+		EmergencyAccessSetupEvent other = (EmergencyAccessSetupEvent) o;
+		return Objects.equals(vaultId, other.vaultId)
+				&& Objects.equals(ownerId, other.ownerId)
+				&& Objects.equals(settings, other.settings)
+				&& Objects.equals(ipAddress, other.ipAddress);
+	}
+
+	@Override
+	public int hashCode() {
+		return Objects.hash(super.hashCode(), vaultId, ownerId, settings, ipAddress);
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/events/EventLogger.java b/backend/src/main/java/org/cryptomator/hub/entities/events/EventLogger.java
index 54880c854..50586b4be 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/events/EventLogger.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/events/EventLogger.java
@@ -143,6 +143,71 @@ public void logWotIdSigned(String userId, String signerId, String signerKey, Str
 		auditEventRepository.persist(event);
 	}
 
+	//region Emergency Access
+
+	public void logEmergencyAccessSetup(UUID vaultId, String ownerId, String settings, String ipAddress) {
+		var event = new EmergencyAccessSetupEvent();
+		event.setTimestamp(Instant.now());
+		event.setVaultId(vaultId);
+		event.setOwnerId(ownerId);
+		event.setSettings(settings);
+		event.setIpAddress(ipAddress);
+		auditEventRepository.persist(event);
+	}
+
+	public void logEmergencyAccessSettingsUpdated(String adminId, boolean enableEmergencyAccess, String councilMemberIds, int requiredKeyShares, int minMembers, boolean allowChoosingCouncil) {
+		var event = new EmergencyAccessSettingsUpdatedEvent();
+		event.setTimestamp(Instant.now());
+		event.setAdminId(adminId);
+		event.setCouncilMemberIds(councilMemberIds);
+		event.setRequiredKeyShares(requiredKeyShares);
+		event.setMinMembers(minMembers);
+		event.setAllowChoosingCouncil(allowChoosingCouncil);
+		event.setEmergencyAccessEnabled(enableEmergencyAccess);
+		auditEventRepository.persist(event);
+	}
+
+	public void logEmergencyAccessRecoveryStarted(UUID vaultId, UUID processId, String councilMemberId, String type, String details) {
+		var event = new EmergencyAccessRecoveryStartedEvent();
+		event.setTimestamp(Instant.now());
+		event.setVaultId(vaultId);
+		event.setProcessId(processId);
+		event.setCouncilMemberId(councilMemberId);
+		event.setProcessType(type);
+		event.setDetails(details);
+		auditEventRepository.persist(event);
+	}
+
+	public void logEmergencyAccessRecoveryApproved(UUID processId, String councilMemberId, String ipAddress) {
+		var event = new EmergencyAccessRecoveryApprovedEvent();
+		event.setTimestamp(Instant.now());
+		event.setProcessId(processId);
+		event.setCouncilMemberId(councilMemberId);
+		event.setIpAddress(ipAddress);
+		auditEventRepository.persist(event);
+	}
+
+	public void logEmergencyAccessRecoveryCompleted(UUID processId, String councilMemberId, String ipAddress) {
+		var event = new EmergencyAccessRecoveryCompletedEvent();
+		event.setTimestamp(Instant.now());
+		event.setProcessId(processId);
+		event.setCouncilMemberId(councilMemberId);
+		event.setIpAddress(ipAddress);
+		auditEventRepository.persist(event);
+	}
+
+	public void logEmergencyAccessRecoveryAborted(UUID vaultId, UUID processId, String councilMemberId, String ipAddress) {
+		var event = new EmergencyAccessRecoveryAbortedEvent();
+		event.setTimestamp(Instant.now());
+		event.setVaultId(vaultId);
+		event.setProcessId(processId);
+		event.setCouncilMemberId(councilMemberId);
+		event.setIpAddress(ipAddress);
+		auditEventRepository.persist(event);
+	}
+
+	//endregion
+
 	//legacy
 	public void logVaultOwnershipClaimed(String claimedBy, UUID vaultId) {
 		var event = new VaultOwnershipClaimedEvent();
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/events/SettingWotUpdateEvent.java b/backend/src/main/java/org/cryptomator/hub/entities/events/SettingWotUpdateEvent.java
index 545fbf88d..dd336c190 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/events/SettingWotUpdateEvent.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/events/SettingWotUpdateEvent.java
@@ -5,7 +5,6 @@
 import jakarta.persistence.Entity;
 import jakarta.persistence.Table;
 
-import java.time.Instant;
 import java.util.Objects;
 
 @Entity
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/events/SignedWotIdEvent.java b/backend/src/main/java/org/cryptomator/hub/entities/events/SignedWotIdEvent.java
index e87a41610..4566619f9 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/events/SignedWotIdEvent.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/events/SignedWotIdEvent.java
@@ -3,12 +3,9 @@
 import jakarta.persistence.Column;
 import jakarta.persistence.DiscriminatorValue;
 import jakarta.persistence.Entity;
-import jakarta.persistence.EnumType;
-import jakarta.persistence.Enumerated;
 import jakarta.persistence.Table;
 
 import java.util.Objects;
-import java.util.UUID;
 
 @Entity
 @Table(name = "audit_event_sign_wot_id")
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/katta/AccessTokenResponse.java b/backend/src/main/java/org/cryptomator/hub/entities/katta/AccessTokenResponse.java
new file mode 100644
index 000000000..c542d6976
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/entities/katta/AccessTokenResponse.java
@@ -0,0 +1,26 @@
+package org.cryptomator.hub.entities.katta;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * <a href="https://datatracker.ietf.org/doc/html/rfc8693#name-successful-response">RFC 8693 Token Exchange Response</a>.
+ */
+public class AccessTokenResponse {
+	@JsonProperty("access_token")
+	protected String token;
+
+	@JsonProperty("issued_token_type")
+	protected String issued_token_type;
+
+	@JsonProperty("token_type")
+	protected String token_type;
+
+	@JsonProperty("expires_in")
+	protected long expiresIn;
+
+	@JsonProperty("scope")
+	protected String scope;
+
+	@JsonProperty("refresh_token")
+	protected String refreshToken;
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/katta/StorageProfile.java b/backend/src/main/java/org/cryptomator/hub/entities/katta/StorageProfile.java
new file mode 100644
index 000000000..6139541a1
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/entities/katta/StorageProfile.java
@@ -0,0 +1,33 @@
+package org.cryptomator.hub.entities.katta;
+
+import io.quarkus.hibernate.orm.panache.PanacheEntityBase;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.Id;
+import jakarta.persistence.Inheritance;
+import jakarta.persistence.InheritanceType;
+import org.cryptomator.hub.api.katta.StorageProfileDto;
+
+import java.util.UUID;
+
+@Entity
+@Inheritance(strategy = InheritanceType.TABLE_PER_CLASS)
+public class StorageProfile extends PanacheEntityBase { // TODO make sealed?
+	@Id
+	@Column(name = "id", nullable = false)
+	public UUID id;
+
+	@Column(name = "name", nullable = false)
+	public String name;
+
+	@Column(name = "archived", nullable = false)
+	public boolean archived;
+
+	@Column(name = "protocol", nullable = false)
+	public StorageProfileDto.Protocol protocol;
+
+	public StorageProfile setArchived(boolean archived) {
+		this.archived = archived;
+		return this;
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/katta/StorageProfileS3STS.java b/backend/src/main/java/org/cryptomator/hub/entities/katta/StorageProfileS3STS.java
new file mode 100644
index 000000000..feefaf356
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/entities/katta/StorageProfileS3STS.java
@@ -0,0 +1,25 @@
+package org.cryptomator.hub.entities.katta;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.Table;
+
+@Entity
+@Table(name = "storage_profile_s3_sts")
+public class StorageProfileS3STS extends StorageProfileS3Static { // TODO make sealed/final?
+
+	//----------------------------------------------------------------------
+	// (3b) STS client profile custom properties
+	//----------------------------------------------------------------------
+	@Column
+	public String stsRoleAccessBucketAssumeRoleWithWebIdentity;
+
+	@Column
+	public String stsRoleAccessBucketAssumeRoleTaggedSession;
+
+	@Column
+	public Integer stsDurationSeconds = null;
+
+	@Column
+	public String stsSessionTag;
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/katta/StorageProfileS3Static.java b/backend/src/main/java/org/cryptomator/hub/entities/katta/StorageProfileS3Static.java
new file mode 100644
index 000000000..13e7c822d
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/entities/katta/StorageProfileS3Static.java
@@ -0,0 +1,63 @@
+package org.cryptomator.hub.entities.katta;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.Table;
+
+import java.util.List;
+
+@Entity
+@Table(name = "storage_profile_s3_static")
+public class StorageProfileS3Static extends StorageProfile {// TODO make sealed?
+
+	//======================================================================
+	// (1) STS and permanent:
+	// - bucket creation frontend/desktop client (STS)
+	// - template upload (STS and permanent)
+	// - client profile (STS and permanent)
+	//======================================================================
+	@Column
+	public String scheme;
+
+	@Column
+	public String hostname;
+
+	@Column
+	public Integer port;
+
+	@Column
+	public Boolean withPathStyleAccessEnabled = false;
+
+	@Column
+	public String storageClass = "STANDARD";
+
+	//======================================================================
+	// (2) STS only: bucket creation (only relevant for Desktop client)
+	//======================================================================
+	@Column
+	public String region;
+
+	@Column
+	public List<String> regions;
+
+	@Column
+	public String bucketPrefix;
+
+	@Column
+	public String stsRoleCreateBucketClient;
+
+	@Column
+	public String stsRoleCreateBucketHub;
+
+	@Column
+	public String stsEndpoint = null;
+
+	@Column
+	public Boolean bucketVersioning = true;
+
+	@Column
+	public Boolean bucketAcceleration = true;
+
+	@Column
+	public String bucketEncryption;
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/filters/VaultRole.java b/backend/src/main/java/org/cryptomator/hub/filters/VaultRole.java
index 39e4098ad..b33cecdfc 100644
--- a/backend/src/main/java/org/cryptomator/hub/filters/VaultRole.java
+++ b/backend/src/main/java/org/cryptomator/hub/filters/VaultRole.java
@@ -2,6 +2,7 @@
 
 import jakarta.ws.rs.NameBinding;
 import org.cryptomator.hub.entities.VaultAccess;
+import org.cryptomator.hub.keycloak.RealmRole;
 
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
@@ -20,7 +21,7 @@
 	/**
 	 * @return Roles required to access the annotated resource. Access is granted if _any_ role is present.
 	 */
-	VaultAccess.Role[] value() default { VaultAccess.Role.MEMBER };
+	VaultAccess.Role[] value() default {VaultAccess.Role.MEMBER};
 
 	/**
 	 * @return Name of the path parameter containing the {@link org.cryptomator.hub.entities.Vault#id vault id}.
@@ -31,13 +32,40 @@
 	 * @return How to treat the case when a vault does not exist.
 	 */
 	OnMissingVault onMissingVault() default OnMissingVault.FORBIDDEN;
-	enum OnMissingVault { FORBIDDEN, NOT_FOUND, PASS, REQUIRE_REALM_ROLE }
+
+	enum OnMissingVault {FORBIDDEN, NOT_FOUND, PASS, REQUIRE_REALM_ROLE}
 
 	/**
-	 * Which additional realm role is required to access the annotated resource.
+	 * If set to true, skip the role check if the current user has the role {@link #bypassRealmRole()}.
+	 * <p>
+	 * Only applies when the vault exists. For non-existing vaults, use {@link #onMissingVault()} instead.
+	 *
+	 * @return whether the given realm role allows bypassing the vault role check.
+	 */
+	boolean bypassForRealmRole() default false;
+
+	/**
+	 * Which realm role bypasses the vault role check when {@link #bypassForRealmRole()} is true.
+	 * <p>
+	 * Separate from {@link #realmRole()}, which is only used for {@link OnMissingVault#REQUIRE_REALM_ROLE}.
 	 *
+	 * @return realm role that bypasses the vault role check.
+	 */
+	RealmRole bypassRealmRole() default RealmRole.ADMIN;
+
+	/**
+	 * Which additional realm role is required to access the annotated resource.
+	 * <p>
 	 * Only relevant if {@link #onMissingVault()} is set to {@link OnMissingVault#REQUIRE_REALM_ROLE}.
+	 *
 	 * @return realm role required to access the annotated resource.
 	 */
-	String realmRole() default "";
+	RealmRole realmRole() default RealmRole.ADMIN;
+
+	/**
+	 * If set to true, skip the role check if the current user is a member of this vault's emergency access council.
+	 *
+	 * @return whether emergency access council members should bypass the role check.
+	 */
+	boolean bypassForEmergencyAccess() default false;
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/filters/VaultRoleFilter.java b/backend/src/main/java/org/cryptomator/hub/filters/VaultRoleFilter.java
index ca94d360b..4f36b6c8a 100644
--- a/backend/src/main/java/org/cryptomator/hub/filters/VaultRoleFilter.java
+++ b/backend/src/main/java/org/cryptomator/hub/filters/VaultRoleFilter.java
@@ -10,11 +10,14 @@
 import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.ext.Provider;
 import org.cryptomator.hub.entities.EffectiveVaultAccess;
+import org.cryptomator.hub.entities.EmergencyRecoveryProcess;
 import org.cryptomator.hub.entities.Vault;
 import org.cryptomator.hub.entities.VaultAccess;
 import org.eclipse.microprofile.jwt.JsonWebToken;
 
 import java.util.Arrays;
+import java.util.Map;
+import java.util.Set;
 import java.util.UUID;
 import java.util.stream.Collectors;
 
@@ -33,6 +36,9 @@ public class VaultRoleFilter implements ContainerRequestFilter {
 	@Inject
 	EffectiveVaultAccess.Repository effectiveVaultAccessRepo;
 
+	@Inject
+	EmergencyRecoveryProcess.Repository recoveryRepo;
+
 	@Inject
 	Vault.Repository vaultRepo;
 
@@ -47,7 +53,7 @@ public void filter(ContainerRequestContext requestContext) throws NotFoundExcept
 		try {
 			vaultId = UUID.fromString(vaultIdStr);
 		} catch (NullPointerException | IllegalArgumentException e) {
-			throw new ForbiddenException("@VaultRole not set up correctly (unknown vault id)", e);
+			throw new NotFoundException("@VaultRole not set up correctly (unknown vault id)", e);
 		}
 
 		var userId = jwt.getSubject();
@@ -55,25 +61,49 @@ public void filter(ContainerRequestContext requestContext) throws NotFoundExcept
 			throw new NotAuthorizedException("No JWT supplied in request header");
 		}
 
-		var forbiddenMsg = "Vault role required: " + Arrays.stream(annotation.value()).map(VaultAccess.Role::name).collect(Collectors.joining(", "));
-		if (vaultRepo.findByIdOptional(vaultId).isPresent()) {
+		var vault = vaultRepo.findById(vaultId);
+		if (vault != null) {
+			if (annotation.bypassForRealmRole() && requestContext.getSecurityContext().isUserInRole(annotation.bypassRealmRole().kcName())) {
+				// user has required realm role, so we skip the vault role check:
+				return;
+			}
+			if (annotation.bypassForEmergencyAccess() && isEmergencyAccessCouncilMember(userId, vault)) {
+				// user is a member of the emergency access council, so we skip the role check:
+				return;
+			}
 			// check permissions for existing vault:
 			var effectiveRoles = effectiveVaultAccessRepo.listRoles(vaultId, userId);
-			if (Arrays.stream(annotation.value()).noneMatch(effectiveRoles::contains)) {
-				throw new ForbiddenException(forbiddenMsg);
+			var requiredRoles = annotation.value();
+			if (Arrays.stream(requiredRoles).noneMatch(effectiveRoles::contains)) {
+				throw new ForbiddenException("Vault role required: " + Arrays.stream(requiredRoles).map(VaultAccess.Role::name).collect(Collectors.joining(", ")));
 			}
 		} else {
 			// how to treat non-existing vault:
 			switch (annotation.onMissingVault()) {
-				case FORBIDDEN -> throw new ForbiddenException(forbiddenMsg);
+				case FORBIDDEN -> throw new ForbiddenException("Vault role required: " + Arrays.stream(annotation.value()).map(VaultAccess.Role::name).collect(Collectors.joining(", ")));
 				case NOT_FOUND -> throw new NotFoundException("Vault not found");
-				case PASS -> {}
+				case PASS -> {
+				}
 				case REQUIRE_REALM_ROLE -> {
-					if (!requestContext.getSecurityContext().isUserInRole(annotation.realmRole())) {
+					if (!requestContext.getSecurityContext().isUserInRole(annotation.realmRole().kcName())) {
 						throw new ForbiddenException("Missing role " + annotation.realmRole());
 					}
 				}
 			}
 		}
 	}
+
+	private boolean isEmergencyAccessCouncilMember(String userId, Vault vault) {
+		if (vault.getEmergencyKeyShares().containsKey(userId)) {
+			// member of current emergency access council:
+			return true;
+		} else {
+			// check if member of an ongoing recovery process:
+			return recoveryRepo.findByVaultId(vault.getId()) // processes
+					.map(EmergencyRecoveryProcess::getRecoveredKeyShares) // map of member IDs to key shares
+					.map(Map::keySet) // set of process member IDs
+					.flatMap(Set::stream) // steam of process member IDs
+					.anyMatch(userId::equals);
+		}
+	}
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/flyway/V2__Initialize_Settings.java b/backend/src/main/java/org/cryptomator/hub/flyway/V2__Initialize_Settings.java
index 9e8ee6c4e..008850293 100644
--- a/backend/src/main/java/org/cryptomator/hub/flyway/V2__Initialize_Settings.java
+++ b/backend/src/main/java/org/cryptomator/hub/flyway/V2__Initialize_Settings.java
@@ -4,14 +4,13 @@
 import org.flywaydb.core.api.migration.Context;
 
 /**
+ * @see <a href="https://github.com/cryptomator/hub/issues/183">Issue 183</a>
+ * @see <a href="https://github.com/cryptomator/hub/pull/184">PR 184</a>
+ * @see <a href="https://github.com/cryptomator/hub/issues/212">Issue 212</a>
  * @deprecated This used to generated the hub id. It got replaced by <code>V3__Initialize_Settings.sql</code>, though. Despite being dead code,
  * this class must remain present in order for Flyway to work correctly on existing installations. May be removed when we start with a new <a href="https://flywaydb.org/documentation/concepts/baselinemigrations">baseline migration</a>
  * <p>
  * Note: Quarkus seems to fail to detect this file during hot reloading (see issue 212).
- *
- * @see <a href="https://github.com/cryptomator/hub/issues/183">Issue 183</a>
- * @see <a href="https://github.com/cryptomator/hub/pull/184">PR 184</a>
- * @see <a href="https://github.com/cryptomator/hub/issues/212">Issue 212</a>
  */
 @Deprecated
 public class V2__Initialize_Settings extends BaseJavaMigration {
diff --git a/backend/src/main/java/org/cryptomator/hub/katta/KeycloakCryptomatorVaultsHelper.java b/backend/src/main/java/org/cryptomator/hub/katta/KeycloakCryptomatorVaultsHelper.java
new file mode 100644
index 000000000..e35e8b0e4
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/katta/KeycloakCryptomatorVaultsHelper.java
@@ -0,0 +1,252 @@
+package org.cryptomator.hub.katta;
+
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+import jakarta.ws.rs.core.Response;
+import org.cryptomator.hub.api.VaultResource;
+import org.cryptomator.hub.entities.Vault;
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+import org.jboss.logging.Logger;
+import org.jboss.resteasy.reactive.ClientWebApplicationException;
+import org.keycloak.admin.client.Keycloak;
+import org.keycloak.admin.client.resource.ClientResource;
+import org.keycloak.admin.client.resource.ClientScopeResource;
+import org.keycloak.admin.client.resource.RealmResource;
+import org.keycloak.representations.idm.ClientRepresentation;
+import org.keycloak.representations.idm.ClientScopeRepresentation;
+import org.keycloak.representations.idm.ProtocolMapperRepresentation;
+import org.keycloak.representations.idm.RoleRepresentation;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+@ApplicationScoped
+public class KeycloakCryptomatorVaultsHelper {
+
+	private static final Logger LOG = Logger.getLogger(KeycloakCryptomatorVaultsHelper.class);
+
+	@Inject
+	Keycloak keycloak;
+
+	@ConfigProperty(name = "hub.keycloak.realm")
+	protected String keycloakRealm;
+
+	public void keycloakPrepareVault(final String vaultId, final Boolean minio, final Boolean aws) {
+		keycloakPrepareVault(vaultId, getKeycloak(), keycloakRealm, minio, aws);
+	}
+
+	public void keycloakGrantAccessToVault(final String vaultId, final String userOrGroupId, final String clientId, final boolean isGroup) {
+		keycloakGrantAccessToVault(vaultId, userOrGroupId, clientId, getKeycloak(), keycloakRealm, isGroup);
+	}
+
+	public void keycloakRemoveAccessToVault(final String vaultId, final String userOrGroupId, final String clientId, final boolean isGroup) {
+		keycloakRemoveAccessToVault(vaultId, userOrGroupId, clientId, getKeycloak(), keycloakRealm, isGroup);
+	}
+
+	// TODO review: this loop might not be safe enough to run in production - should we just disable this feature or remove from code entirely?
+	// Deleting the cryptomatorvaults client also deletes the client roles under the client, however, the client scopes are at the realm level and will not be removed by this procedure.
+	// Although safe, this can quickly become a mess in developing scenarios.
+	public void keycloakCleanupDanglingCryptomatorVaultsRoles(final String clientId, final Vault.Repository vaultRepo) {
+		Set<String> existingVaultIds = vaultRepo.findAll().stream().map(VaultResource.VaultDto::fromEntity).map(vdto -> vdto.id().toString()).collect(Collectors.toSet());
+		// https://www.keycloak.org/docs-api/21.1.1/rest-api
+		final RealmResource realm = getKeycloak().realm(keycloakRealm);
+
+		List<ClientRepresentation> byClientId = realm.clients().findByClientId(clientId);
+		if (byClientId.size() != 1) {
+			throw new RuntimeException(String.format("There are %s clients with clientId %s, expected to found exactly one.", byClientId.size(), clientId));
+		}
+		final ClientRepresentation cryptomatorVaultsClientRepresentation = byClientId.getFirst();
+		final ClientResource cryptomatorVaultsClientResource = realm.clients().get(cryptomatorVaultsClientRepresentation.getId());
+
+		for (final RoleRepresentation roleRepresentation : cryptomatorVaultsClientResource.roles().list()) {
+			final String vaultId = roleRepresentation.getName();
+			if (!existingVaultIds.contains(vaultId)) {
+				cryptomatorVaultsClientResource.roles().deleteRole(vaultId);
+				try {
+					realm.clientScopes().get(vaultId).remove();
+				} catch (ClientWebApplicationException e) {
+					if (LOG.isInfoEnabled()) {
+						LOG.info(String.format("Could not delete client scope %s", vaultId), e);
+					}
+				}
+			}
+		}
+	}
+
+	protected static void keycloakPrepareVault(final String vaultId, final Keycloak keycloak, final String keycloakRealm, final Boolean minio, final Boolean aws) {
+		// https://www.keycloak.org/docs-api/21.1.1/rest-api
+		final RealmResource realm = keycloak.realm(keycloakRealm);
+
+		// create client scope <vaultId> (if necessary)
+		ensureClientScopeForVaultExists(vaultId, realm);
+
+		final ClientScopeResource clientScopeResource = realm.clientScopes().get(vaultId);
+		if (minio != null) {
+			final ProtocolMapperRepresentation minioProtocolMapper = minioProtocolMapper(vaultId);
+			final Optional<ProtocolMapperRepresentation> mapper = clientScopeResource.getProtocolMappers().getMappers().stream().filter(m -> m.getName().contains("MinIO")).findFirst();
+			if (mapper.isEmpty()) {
+				if (minio) {
+					clientScopeResource.getProtocolMappers().createMapper(List.of(minioProtocolMapper));
+				}
+			} else {
+				final String mapperId = mapper.get().getId();
+				if (minio) {
+					minioProtocolMapper.setId(mapperId);
+					clientScopeResource.getProtocolMappers().update(mapperId, minioProtocolMapper);
+				} else {
+					clientScopeResource.getProtocolMappers().delete(mapperId);
+				}
+			}
+		}
+		if (aws != null) {
+			final ProtocolMapperRepresentation awsProtocolMapper = awsProtocolMapper(vaultId);
+			final Optional<ProtocolMapperRepresentation> mapper = clientScopeResource.getProtocolMappers().getMappers().stream().filter(m -> m.getName().contains("AWS")).findFirst();
+			if (mapper.isEmpty()) {
+				if (aws) {
+					clientScopeResource.getProtocolMappers().createMapper(List.of(awsProtocolMapper));
+				}
+			} else {
+				final String mapperId = mapper.get().getId();
+				if (aws) {
+					awsProtocolMapper.setId(mapperId);
+					clientScopeResource.getProtocolMappers().update(mapperId, awsProtocolMapper);
+				} else {
+					clientScopeResource.getProtocolMappers().delete(mapperId);
+				}
+			}
+		}
+	}
+
+	protected static ProtocolMapperRepresentation awsProtocolMapper(final String vaultId) {
+		final ProtocolMapperRepresentation awsProtocolMapper = new ProtocolMapperRepresentation();
+		awsProtocolMapper.setName(String.format("Hard-coded mapper for vault %s (AWS)", vaultId));
+		awsProtocolMapper.setProtocolMapper("oidc-hardcoded-claim-mapper");
+		awsProtocolMapper.setProtocol("openid-connect");
+
+		Map<String, String> awsConfig = new HashMap<>();
+		awsConfig.put("jsonType.label", "JSON");
+
+		awsConfig.put("userinfo.token.claim", "false");
+		awsConfig.put("id.token.claim", "false");
+		awsConfig.put("access.token.claim", "true");
+		awsConfig.put("access.tokenResponse.claim", "false");
+
+		awsConfig.put("claim.name", "https://aws\\.amazon\\.com/tags");
+		awsConfig.put("claim.value", String.format("{\"principal_tags\":{\"%s\":[\"\"]},\"transitive_tag_keys\":[\"%s\"]}", vaultId, vaultId));
+
+		awsProtocolMapper.setConfig(awsConfig);
+		return awsProtocolMapper;
+	}
+
+	protected static ProtocolMapperRepresentation minioProtocolMapper(final String vaultId) {
+		final ProtocolMapperRepresentation minioProtocolMapper = new ProtocolMapperRepresentation();
+		minioProtocolMapper.setName(String.format("Hard-coded mapper for vault %s (MinIO)", vaultId));
+		minioProtocolMapper.setProtocolMapper("oidc-hardcoded-claim-mapper");
+		minioProtocolMapper.setProtocol("openid-connect");
+
+		Map<String, String> minioConfig = new HashMap<>();
+		minioConfig.put("jsonType.label", "String");
+
+		minioConfig.put("userinfo.token.claim", "false");
+		minioConfig.put("id.token.claim", "false");
+		minioConfig.put("access.token.claim", "true");
+		minioConfig.put("access.tokenResponse.claim", "false");
+
+		// exhaustive list of jwt claims evaluated in MinIO: https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html#policy-variables
+		// let's use client_id, as aud etc. are already use by standard mappers
+		minioConfig.put("claim.name", "client_id");
+		minioConfig.put("claim.value", vaultId);
+
+		minioProtocolMapper.setConfig(minioConfig);
+		return minioProtocolMapper;
+	}
+
+	protected static void keycloakGrantAccessToVault(final String vaultId, final String userOrGroupId, final String clientId, final Keycloak keycloak, final String keycloakRealm, final boolean isGroup) {
+		// https://www.keycloak.org/docs-api/21.1.1/rest-api
+		final RealmResource realm = keycloak.realm(keycloakRealm);
+
+		final List<ClientRepresentation> byClientId = realm.clients().findByClientId(clientId);
+		if (byClientId.size() != 1) {
+			throw new RuntimeException(String.format("There are %s clients with clientId %s, expected to found exactly one.", byClientId.size(), clientId));
+		}
+		final ClientRepresentation cryptomatorVaultsClientRepresentation = byClientId.getFirst();
+		final ClientResource cryptomatorVaultsClientResource = realm.clients().get(cryptomatorVaultsClientRepresentation.getId());
+
+		// create client scope <vaultId> (if necessary)
+		ensureClientScopeForVaultExists(vaultId, realm);
+
+		// add client scope to "cryptomatorvaults" client
+		// -> requires role_manage-clients
+		cryptomatorVaultsClientResource.addOptionalClientScope(vaultId);
+
+		// create client role <vaultId> (if necessary)
+		// -> requires role_manage-clients
+		if (cryptomatorVaultsClientResource.roles().list().stream().map(RoleRepresentation::getName).noneMatch(vaultId::equals)) {
+			RoleRepresentation vaultRole = new RoleRepresentation();
+			vaultRole.setName(vaultId);
+			vaultRole.setDescription(String.format("Role for vault %s", vaultId));
+			vaultRole.setClientRole(true);
+
+			cryptomatorVaultsClientResource.roles().create(vaultRole);
+		}
+
+		// scope the client scope to the client role for the vault
+		realm.clientScopes().get(vaultId).getScopeMappings().clientLevel(cryptomatorVaultsClientRepresentation.getId()).add(List.of(cryptomatorVaultsClientResource.roles().get(vaultId).toRepresentation()));
+
+		// add client role to user/group
+		// -> requires role_manage-users
+		if (!isGroup) {
+			realm.users().get(userOrGroupId).roles().clientLevel(cryptomatorVaultsClientRepresentation.getId()).add(List.of(cryptomatorVaultsClientResource.roles().get(vaultId).toRepresentation()));
+		} else {
+			realm.groups().group(userOrGroupId).roles().clientLevel(cryptomatorVaultsClientRepresentation.getId()).add(List.of(cryptomatorVaultsClientResource.roles().get(vaultId).toRepresentation()));
+		}
+	}
+
+	private static void ensureClientScopeForVaultExists(String vaultId, RealmResource realm) {
+		if (realm.clientScopes().findAll().stream().map(ClientScopeRepresentation::getId).noneMatch(vaultId::equals)) {
+			ClientScopeRepresentation vaultClientScope = new ClientScopeRepresentation();
+			vaultClientScope.setId(vaultId);
+			vaultClientScope.setName(vaultId);
+			vaultClientScope.setDescription(String.format("Client scope for vault %s", vaultId));
+			vaultClientScope.setAttributes(new HashMap<>());
+			vaultClientScope.setProtocol("openid-connect");
+
+			try (Response response = realm.clientScopes().create(vaultClientScope)) {
+				if (response.getStatus() != 201) {
+					throw new RuntimeException(String.format("Failed to create client for vault %s. %s", vaultId, response.getStatusInfo().getReasonPhrase()));
+				}
+			}
+		}
+	}
+
+	protected static void keycloakRemoveAccessToVault(final String vaultId, final String userOrGroupId, final String clientId, final Keycloak keycloak, final String keycloakRealm, boolean isGroup) {
+		// https://www.keycloak.org/docs-api/21.1.1/rest-api
+		final RealmResource realm = keycloak.realm(keycloakRealm);
+
+		// add client scope to "cryptomatorvaults" client
+		// -> requires role_manage-clients
+		final List<ClientRepresentation> byClientId = realm.clients().findByClientId(clientId);
+		if (byClientId.size() != 1) {
+			throw new RuntimeException(String.format("There are %s clients with clientId %s, expected to found exactly one.", byClientId.size(), clientId));
+		}
+		final ClientRepresentation cryptomatorVaultsClientRepresentation = byClientId.getFirst();
+		final ClientResource cryptomatorVaultsClientResource = realm.clients().get(cryptomatorVaultsClientRepresentation.getId());
+		cryptomatorVaultsClientResource.addOptionalClientScope(vaultId);
+
+		// remove client role from user/group
+		// -> requires role_manage-users
+		if (!isGroup) {
+			realm.users().get(userOrGroupId).roles().clientLevel(cryptomatorVaultsClientRepresentation.getId()).remove(List.of(cryptomatorVaultsClientResource.roles().get(vaultId).toRepresentation()));
+		} else {
+			realm.groups().group(userOrGroupId).roles().clientLevel(cryptomatorVaultsClientRepresentation.getId()).remove(List.of(cryptomatorVaultsClientResource.roles().get(vaultId).toRepresentation()));
+		}
+	}
+
+	protected Keycloak getKeycloak() {
+		return keycloak;
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/katta/KeycloakCryptomatorVaultsSyncer.java b/backend/src/main/java/org/cryptomator/hub/katta/KeycloakCryptomatorVaultsSyncer.java
new file mode 100644
index 000000000..3466629b2
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/katta/KeycloakCryptomatorVaultsSyncer.java
@@ -0,0 +1,28 @@
+package org.cryptomator.hub.katta;
+
+
+import io.quarkus.scheduler.Scheduled;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+import org.cryptomator.hub.api.katta.KattaConfig;
+import org.cryptomator.hub.entities.Vault;
+
+@ApplicationScoped
+public class KeycloakCryptomatorVaultsSyncer {
+
+
+	@Inject
+	KattaConfig kattaConfig;
+
+	@Inject
+	KeycloakCryptomatorVaultsHelper keycloakCryptomatorVaultsHelper;
+
+	@Inject
+	Vault.Repository vaultRepo;
+
+	@Scheduled(every = "{hub.keycloak.syncer-period}")
+	void sync() {
+		keycloakCryptomatorVaultsHelper.keycloakCleanupDanglingCryptomatorVaultsRoles(kattaConfig.keycloakClientIdCryptomatorVaults(), vaultRepo);
+	}
+
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakAdminService.java b/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakAdminService.java
new file mode 100644
index 000000000..5481b27a7
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakAdminService.java
@@ -0,0 +1,375 @@
+package org.cryptomator.hub.keycloak;
+
+import jakarta.annotation.PostConstruct;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+import jakarta.persistence.PersistenceException;
+import jakarta.transaction.Transactional;
+import jakarta.ws.rs.ClientErrorException;
+import jakarta.ws.rs.ForbiddenException;
+import jakarta.ws.rs.InternalServerErrorException;
+import jakarta.ws.rs.NotFoundException;
+import jakarta.ws.rs.WebApplicationException;
+import jakarta.ws.rs.core.Response;
+import org.cryptomator.hub.entities.EffectiveGroupMembership;
+import org.cryptomator.hub.entities.Group;
+import org.cryptomator.hub.entities.User;
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+import org.keycloak.admin.client.Keycloak;
+import org.keycloak.admin.client.resource.GroupResource;
+import org.keycloak.admin.client.resource.RealmResource;
+import org.keycloak.admin.client.resource.UserResource;
+import org.keycloak.representations.idm.CredentialRepresentation;
+import org.keycloak.representations.idm.GroupRepresentation;
+import org.keycloak.representations.idm.UserRepresentation;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.EnumSet;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+@ApplicationScoped
+public class KeycloakAdminService {
+
+	private static final Logger LOG = LoggerFactory.getLogger(KeycloakAdminService.class);
+
+	@Inject
+	Keycloak keycloak;
+
+	@Inject
+	User.Repository userRepo;
+
+	@Inject
+	Group.Repository groupRepo;
+
+	@Inject
+	EffectiveGroupMembership.Repository effectiveGroupMembershipRepo;
+
+	@Inject
+	KeycloakRealmRoles realmRoles;
+
+	@ConfigProperty(name = "hub.keycloak.realm")
+	String keycloakRealm;
+
+	RealmResource realm;
+
+	@PostConstruct
+	public void setup() {
+		this.realm = keycloak.realm(keycloakRealm);
+	}
+
+	public UserRepresentation createUser(String username, String email, String firstName, String lastName, String password, String pictureUrl, Set<String> groupIds) {
+		UserRepresentation user = new UserRepresentation();
+		user.setUsername(username);
+		user.setEmail(email);
+		user.setFirstName(firstName);
+		user.setLastName(lastName);
+		user.setEnabled(true);
+
+		if (pictureUrl != null && !pictureUrl.isBlank()) {
+			user.setAttributes(Map.of("picture", List.of(pictureUrl)));
+		}
+
+		CredentialRepresentation credential = new CredentialRepresentation();
+		credential.setType(CredentialRepresentation.PASSWORD);
+		credential.setValue(password);
+		credential.setTemporary(false);
+		user.setCredentials(List.of(credential));
+
+		final String userId;
+		try (var response = realm.users().create(user)) {
+			userId = switch (response.getStatus()) {
+				case 201 -> {
+					var location = response.getHeaderString("Location");
+					yield location.substring(location.lastIndexOf('/') + 1);
+				}
+				case 409 -> {
+					String body = response.readEntity(String.class);
+					String errorMessage;
+					if (body != null && body.contains("same email")) {
+						errorMessage = "EMAIL_EXISTS";
+					} else if (body != null && body.contains("same username")) {
+						errorMessage = "USERNAME_EXISTS";
+					} else {
+						errorMessage = "User already exists";
+					}
+					throw new ClientErrorException(errorMessage, Response.Status.CONFLICT);
+				}
+				default -> throw new InternalServerErrorException("Failed to create user in Keycloak. Status: " + response.getStatus());
+			};
+		}
+
+		UserResource userResource = realm.users().get(userId);
+
+		// groups need to be set after creation, see https://github.com/keycloak/keycloak/discussions/8552
+		if (groupIds != null && !groupIds.isEmpty()) {
+			for (String groupId : groupIds) {
+				try {
+					userResource.joinGroup(groupId);
+				} catch (WebApplicationException e) {
+					LOG.warn("Failed to add user {} to group {}", userId, groupId, e);
+					// TODO: shall we fail the whole user creation here? undo previous steps?
+				}
+			}
+		}
+
+		// sync to db:
+		syncUser(userId);
+
+		// update effective group membership as soon as the DB contains all membership data
+		// (we can assume that the groups already exist, otherwise the caller wouldn't have been able to provide their IDs):
+		effectiveGroupMembershipRepo.updateGroups(groupIds);
+
+		return realm.users().get(userId).toRepresentation();
+	}
+
+	public UserRepresentation updateUser(String userId, String email, String firstName, String lastName, String password, String pictureUrl) {
+		if (isUserReadOnly(userId)) {
+			throw new ForbiddenException("User has a federated identity and cannot be modified");
+		}
+
+		UserResource userResource = realm.users().get(userId);
+		UserRepresentation user = userResource.toRepresentation();
+
+		if (email != null && !email.isBlank()) {
+			user.setEmail(email);
+		}
+		if (firstName != null && !firstName.isBlank()) {
+			user.setFirstName(firstName);
+		}
+		if (lastName != null && !lastName.isBlank()) {
+			user.setLastName(lastName);
+		}
+		var attrs = setPicture(user.getAttributes(), pictureUrl);
+		user.setAttributes(attrs);
+
+		userResource.update(user);
+
+		if (password != null && !password.isBlank()) {
+			CredentialRepresentation credential = new CredentialRepresentation();
+			credential.setType(CredentialRepresentation.PASSWORD);
+			credential.setValue(password);
+			credential.setTemporary(false);
+			userResource.resetPassword(credential);
+		}
+
+		syncUser(userId);
+		return userResource.toRepresentation();
+	}
+
+	@Transactional
+	public void deleteUser(String userId) {
+		if (isUserReadOnly(userId)) {
+			throw new ForbiddenException("User has a federated identity and cannot be deleted");
+		}
+
+		// 1. delete from db (roll back if kc deletion fails):
+		userRepo.deleteById(userId);
+
+		// 2. delete from kc:
+		try (var response = realm.users().delete(userId)) {
+			if (response.getStatus() != 204) {
+				throw new InternalServerErrorException("Failed to delete user in Keycloak. Status: " + response.getStatus());
+			}
+		}
+	}
+
+	@Transactional
+	public void setUserEnabled(String userId, boolean enabled) {
+		UserResource userResource = realm.users().get(userId);
+		UserRepresentation user = userResource.toRepresentation();
+		user.setEnabled(enabled);
+		userResource.update(user);
+		syncUser(userId);
+	}
+
+	public boolean isUserReadOnly(String userId) {
+		try {
+			UserResource userResource = realm.users().get(userId);
+			var federatedIdentities = userResource.getFederatedIdentity();
+			return !federatedIdentities.isEmpty();
+		} catch (WebApplicationException e) {
+			LOG.warn("Failed to check federated identity for user {}. Keycloak responded with status {}", userId, e.getResponse().getStatus(), e);
+			throw new InternalServerErrorException("Failed to check federated identity", e);
+		}
+	}
+
+	// TODO deduplicate with KeycloakAuthorityPuller
+	@Transactional
+	public User syncUser(String userId) {
+		UserResource userResource = realm.users().get(userId);
+		UserRepresentation keycloakUser = userResource.toRepresentation();
+
+		User dbUser = userRepo.findById(userId);
+		if (dbUser == null) {
+			dbUser = new User();
+			dbUser.setId(keycloakUser.getId());
+		}
+
+		dbUser.setName(keycloakUser.getUsername());
+		dbUser.setEmail(keycloakUser.getEmail());
+		dbUser.setFirstName(keycloakUser.getFirstName());
+		dbUser.setLastName(keycloakUser.getLastName());
+
+		dbUser.setEnabled(keycloakUser.isEnabled());
+
+		var attrs = keycloakUser.getAttributes();
+		if (attrs != null && attrs.containsKey("picture")) {
+			var pictureAttr = attrs.get("picture");
+			dbUser.setPictureUrl(pictureAttr.isEmpty() ? null : pictureAttr.getFirst());
+		} else {
+			dbUser.setPictureUrl(null);
+		}
+
+		userRepo.persist(dbUser);
+		return dbUser;
+	}
+
+	// TODO deduplicate with KeycloakAuthorityPuller
+	@Transactional
+	public Group syncGroup(String groupId) {
+		GroupResource groupResource = realm.groups().group(groupId);
+		GroupRepresentation keycloakGroup = groupResource.toRepresentation();
+
+		Group dbGroup = groupRepo.findById(groupId);
+		if (dbGroup == null) {
+			dbGroup = new Group();
+			dbGroup.setId(keycloakGroup.getId());
+		}
+
+		dbGroup.setName(keycloakGroup.getName());
+
+		var attrs = keycloakGroup.getAttributes();
+		if (attrs != null && attrs.containsKey("picture")) {
+			var pictureAttr = attrs.get("picture");
+			dbGroup.setPictureUrl(pictureAttr.isEmpty() ? null : pictureAttr.getFirst());
+		} else {
+			dbGroup.setPictureUrl(null);
+		}
+
+		// Sync members
+		var keycloakMembers = groupResource.members().stream().map(UserRepresentation::getId).toList();
+		var dbMembers = userRepo.findByIds(keycloakMembers).toList();
+		dbGroup.getMembers().clear();
+		dbGroup.getMembers().addAll(dbMembers);
+		groupRepo.persist(dbGroup);
+		effectiveGroupMembershipRepo.updateGroups(List.of(dbGroup.getId()));
+		return dbGroup;
+	}
+
+	@Transactional
+	public void addUserToGroup(String groupId, String userId) {
+		// 1. sync to db (roll back if kc update fails):
+		try {
+			groupRepo.addMember(groupId, userId);
+			effectiveGroupMembershipRepo.updateGroups(List.of(groupId));
+		} catch (PersistenceException e) { // caused by foreign key constraint violation
+			throw new NotFoundException("Failed to add member " + userId + " to group " + groupId);
+		}
+
+		// 2. sync to kc:
+		realm.users().get(userId).joinGroup(groupId);
+	}
+
+	@Transactional
+	public void removeUserFromGroup(String groupId, String userId) {
+		// 1. sync to db (roll back if kc update fails):
+		groupRepo.removeMember(groupId, userId);
+		effectiveGroupMembershipRepo.updateGroups(List.of(groupId));
+
+		// 2. sync to kc:
+		realm.users().get(userId).leaveGroup(groupId);
+	}
+
+	@Transactional
+	public void updateUserRoles(String userId, Set<RealmRole> roles) {
+		// remove roles that are not in the provided set:
+		var rolesToRemove = EnumSet.allOf(RealmRole.class);
+		rolesToRemove.removeAll(roles);
+
+		// set roles that are in the provided set:
+		var rolesToSet = EnumSet.noneOf(RealmRole.class);
+		rolesToSet.addAll(roles);
+
+		// 1. sync to db (roll back if kc update fails):
+		User dbUser = userRepo.findByIdOptional(userId).orElseThrow(NotFoundException::new);
+		dbUser.setRealmRoles(rolesToSet.stream().map(RealmRole::kcName).toArray(String[]::new));
+		userRepo.persist(dbUser);
+
+		// 2. sync to kc:
+		UserResource userResource = realm.users().get(userId);
+		var roleMappings = userResource.roles().realmLevel();
+		if (!rolesToRemove.isEmpty()) {
+			roleMappings.remove(rolesToRemove.stream().map(realmRoles::getRealmRole).toList());
+		}
+		if (!rolesToSet.isEmpty()) {
+			roleMappings.add(rolesToSet.stream().map(realmRoles::getRealmRole).toList());
+		}
+	}
+
+	// Group management methods
+
+	public GroupRepresentation createGroup(String name, String pictureUrl) {
+		GroupRepresentation group = new GroupRepresentation();
+		group.setName(name);
+
+		if (pictureUrl != null && !pictureUrl.isBlank()) {
+			group.setAttributes(Map.of("picture", List.of(pictureUrl)));
+		}
+
+		final String groupId;
+		try (var response = realm.groups().add(group)) {
+			groupId = switch (response.getStatus()) {
+				case 201 -> {
+					var location = response.getHeaderString("Location");
+					yield location.substring(location.lastIndexOf('/') + 1);
+				}
+				case 409 -> throw new ClientErrorException("GROUP_NAME_EXISTS", Response.Status.CONFLICT);
+				default -> throw new InternalServerErrorException("Failed to create group in Keycloak. Status: " + response.getStatus());
+			};
+		}
+
+		syncGroup(groupId);
+		return realm.groups().group(groupId).toRepresentation();
+	}
+
+	public GroupRepresentation updateGroup(String groupId, String name, String pictureUrl) {
+		GroupResource groupResource = realm.groups().group(groupId);
+		GroupRepresentation group = groupResource.toRepresentation();
+
+		if (!name.isBlank()) {
+			group.setName(name);
+		}
+
+		var attrs = setPicture(group.getAttributes(), pictureUrl);
+		group.setAttributes(attrs);
+
+		groupResource.update(group);
+		syncGroup(groupId);
+		return groupResource.toRepresentation();
+	}
+
+	@Transactional
+	public void deleteGroup(String groupId) {
+		// 1. delete from db (roll back if kc deletion fails):
+		groupRepo.deleteById(groupId);
+
+		// 2. delete from kc:
+		realm.groups().group(groupId).remove();
+	}
+
+	private static Map<String, List<String>> setPicture(Map<String, List<String>> attributes, String pictureUrl) {
+		Map<String, List<String>> attrs = attributes == null ? new HashMap<>() : new HashMap<>(attributes);
+		if (pictureUrl == null || pictureUrl.isBlank()) {
+			attrs.remove("picture");
+		} else {
+			attrs.put("picture", List.of(pictureUrl));
+		}
+		return attrs;
+	}
+
+}
+
diff --git a/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakAuthorityProvider.java b/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakAuthorityProvider.java
index 9711ddbb8..571760670 100644
--- a/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakAuthorityProvider.java
+++ b/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakAuthorityProvider.java
@@ -61,13 +61,21 @@ Optional<KeycloakUserDto> cryptomatorCliUser(RealmResource realm) {
 
 	private KeycloakUserDto mapToUser(UserRepresentation userRepresentation) {
 		var pictureUrl = parsePictureUrl(userRepresentation.getAttributes());
-		return new KeycloakUserDto(userRepresentation.getId(), userRepresentation.getUsername(), userRepresentation.getEmail(), pictureUrl);
+		return new KeycloakUserDto(userRepresentation.getId(),
+				userRepresentation.getUsername(),
+				userRepresentation.getEmail(),
+				userRepresentation.getFirstName(),
+				userRepresentation.getLastName(),
+				pictureUrl,
+				userRepresentation.isEnabled(),
+				RealmRole.fromKcNames(userRepresentation.getRealmRoles()));
 	}
 
 	private String parsePictureUrl(Map<String, List<String>> attributes) {
-		try {
-			return attributes.get("picture").get(0);
-		} catch (NullPointerException e) {
+		if (attributes != null && attributes.containsKey("picture")) {
+			var pictures = attributes.get("picture");
+			return pictures.stream().findFirst().orElse(null);
+		} else {
 			return null;
 		}
 	}
@@ -79,9 +87,10 @@ public List<KeycloakGroupDto> groups() {
 	//visible for testing
 	List<KeycloakGroupDto> groups(RealmResource realm) {
 		return deepCollectGroups(realm).stream().map(group -> {
+			var pictureUrl = parsePictureUrl(group.getAttributes());
 			// TODO add sub groups and the members of the sub group to it too using `group.getSubGroups()` recursively
 			var members = deepCollectMembers(realm, group.getId());
-			return new KeycloakGroupDto(group.getId(), group.getName(), members);
+			return new KeycloakGroupDto(group.getId(), group.getName(), pictureUrl, members);
 		}).toList();
 	}
 
@@ -92,7 +101,7 @@ private List<GroupRepresentation> deepCollectGroups(RealmResource realm) {
 		List<GroupRepresentation> currentRequestedGroups;
 
 		do {
-			currentRequestedGroups = group.groups(groups.size(), MAX_COUNT_PER_REQUEST);
+			currentRequestedGroups = group.groups(null, groups.size(), MAX_COUNT_PER_REQUEST, false);
 			groups.addAll(currentRequestedGroups);
 		} while (currentRequestedGroups.size() == MAX_COUNT_PER_REQUEST);
 
@@ -112,4 +121,23 @@ private Set<KeycloakUserDto> deepCollectMembers(RealmResource realm, String grou
 
 		return members.stream().map(this::mapToUser).collect(Collectors.toSet());
 	}
+
+	public List<UserRepresentation> usersInRole(RealmRole role) {
+		return usersInRole(keycloak.realm(keycloakRealm), role.kcName());
+	}
+
+	//visible for testing
+	List<UserRepresentation> usersInRole(RealmResource realm, String roleName) {
+		var roles = realm.roles();
+
+		List<UserRepresentation> users = new ArrayList<>();
+		List<UserRepresentation> currentBatch;
+
+		do {
+			currentBatch = roles.get(roleName).getUserMembers(true, users.size(), MAX_COUNT_PER_REQUEST);
+			users.addAll(currentBatch);
+		} while (currentBatch.size() == MAX_COUNT_PER_REQUEST);
+
+		return users;
+	}
 }
\ No newline at end of file
diff --git a/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakAuthorityPuller.java b/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakAuthorityPuller.java
index 7472b4d67..a76ffd4a6 100644
--- a/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakAuthorityPuller.java
+++ b/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakAuthorityPuller.java
@@ -5,9 +5,12 @@
 import jakarta.inject.Inject;
 import jakarta.transaction.Transactional;
 import org.cryptomator.hub.entities.Authority;
+import org.cryptomator.hub.entities.EffectiveGroupMembership;
 import org.cryptomator.hub.entities.Group;
 import org.cryptomator.hub.entities.User;
 
+import java.util.Arrays;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
@@ -23,46 +26,73 @@ public class KeycloakAuthorityPuller {
 	Group.Repository groupRepo;
 	@Inject
 	KeycloakAuthorityProvider remoteUserProvider;
+	@Inject
+	EffectiveGroupMembership.Repository effectiveGroupMembershipRepo;
 
 	@Scheduled(every = "{hub.keycloak.syncer-period}")
 	void sync() {
 		var keycloakGroups = remoteUserProvider.groups().stream().collect(Collectors.toMap(KeycloakGroupDto::id, Function.identity()));
 		var keycloakUsers = remoteUserProvider.users().stream().collect(Collectors.toMap(KeycloakUserDto::id, Function.identity()));
+		var keycloakRealmRoles = Arrays.stream(RealmRole.values()).collect(Collectors.toMap(Function.identity(), remoteUserProvider::usersInRole));
+		for (var role : RealmRole.values()) {
+			var usersInRole = keycloakRealmRoles.get(role);
+			for (var user : usersInRole) {
+				var keycloakUser = keycloakUsers.get(user.getId());
+				if (keycloakUser != null) {
+					keycloakUser.roles().add(role);
+				}
+			}
+		}
 		sync(keycloakGroups, keycloakUsers);
 	}
 
 	@Transactional
 	void sync(Map<String, KeycloakGroupDto> keycloakGroups, Map<String, KeycloakUserDto> keycloakUsers) {
+		// get current state from database:
 		var databaseUsers = userRepo.findAll().stream().collect(Collectors.toMap(User::getId, Function.identity()));
 		var databaseGroups = groupRepo.findAll().stream().collect(Collectors.toMap(Group::getId, Function.identity()));
-		syncAddedUsers(keycloakUsers, databaseUsers);
+
+		// sync users:
+		var addedUsers = syncAddedUsers(keycloakUsers, databaseUsers);
 		var deletedUserIds = syncDeletedUsers(keycloakUsers, databaseUsers);
 		syncUpdatedUsers(keycloakUsers, databaseUsers, deletedUserIds);
-		syncAddedGroups(keycloakGroups, databaseGroups, databaseUsers);
+
+		// all users after additions and deletions:
+		Map<String, Authority> allAuthorities = merge(databaseUsers, addedUsers);
+		deletedUserIds.forEach(allAuthorities::remove);
+
+		// sync groups:
+		var addedGroups = syncAddedGroups(keycloakGroups, databaseGroups, allAuthorities);
 		var deletedGroupIds = syncDeletedGroups(keycloakGroups, databaseGroups);
-		syncUpdatedGroups(keycloakGroups, databaseGroups, deletedGroupIds, databaseUsers);
+		syncUpdatedGroups(keycloakGroups, databaseGroups, deletedGroupIds, allAuthorities);
 	}
 
 	//visible for testing
-	void syncAddedUsers(Map<String, KeycloakUserDto> keycloakUsers, Map<String, User> databaseUsers) {
+	Map<String, User> syncAddedUsers(Map<String, KeycloakUserDto> keycloakUsers, Map<String, User> databaseUsers) {
 		var addedIds = diff(keycloakUsers.keySet(), databaseUsers.keySet());
-		for (var id : addedIds) {
+		var added = addedIds.stream().map(id -> {
 			var keycloakUser = keycloakUsers.get(id);
 			var databaseUser = new User();
 			databaseUser.setId(keycloakUser.id());
 			databaseUser.setName(keycloakUser.name());
 			databaseUser.setEmail(keycloakUser.email());
+			databaseUser.setFirstName(keycloakUser.firstName());
+			databaseUser.setLastName(keycloakUser.lastName());
 			databaseUser.setPictureUrl(keycloakUser.pictureUrl());
-			userRepo.persist(databaseUser);
-		}
+			databaseUser.setEnabled(keycloakUser.enabled());
+			databaseUser.setRealmRoles(keycloakUser.roles().stream().map(RealmRole::kcName).toArray(String[]::new));
+			return databaseUser;
+		}).collect(Collectors.toMap(User::getId, Function.identity()));
+		userRepo.persist(added.values());
+		effectiveGroupMembershipRepo.updateUsers(addedIds);
+		return added;
 	}
 
 	//visible for testing
 	Set<String> syncDeletedUsers(Map<String, KeycloakUserDto> keycloakUsers, Map<String, User> databaseUsers) {
 		var deletedIds = diff(databaseUsers.keySet(), keycloakUsers.keySet());
-		for (var id : deletedIds) {
-			userRepo.delete(databaseUsers.get(id));
-		}
+		userRepo.deleteByIds(deletedIds);
+		effectiveGroupMembershipRepo.updateUsers(deletedIds);
 		return deletedIds;
 	}
 
@@ -74,68 +104,73 @@ void syncUpdatedUsers(Map<String, KeycloakUserDto> keycloakUsers, Map<String, Us
 			var keycloakUser = keycloakUsers.get(id);
 			databaseUser.setName(keycloakUser.name());
 			databaseUser.setEmail(keycloakUser.email());
+			databaseUser.setFirstName(keycloakUser.firstName());
+			databaseUser.setLastName(keycloakUser.lastName());
 			databaseUser.setPictureUrl(keycloakUser.pictureUrl());
+			databaseUser.setEnabled(keycloakUser.enabled());
+			databaseUser.setRealmRoles(keycloakUser.roles().stream().map(RealmRole::kcName).toArray(String[]::new));
 		}
 	}
 
 	//visible for testing
-	void syncAddedGroups(Map<String, KeycloakGroupDto> keycloakGroups, Map<String, Group> databaseGroups, Map<String, User> databaseUsers) {
+	Map<String, Group> syncAddedGroups(Map<String, KeycloakGroupDto> keycloakGroups, Map<String, Group> databaseGroups, Map<String, Authority> allAuthorities) {
 		var addedIds = diff(keycloakGroups.keySet(), databaseGroups.keySet());
-		for (var id : addedIds) {
+		var added = addedIds.stream().map(id -> {
 			var keycloakGroup = keycloakGroups.get(id);
 			var databaseGroup = new Group();
 			databaseGroup.setId(keycloakGroup.id());
 			databaseGroup.setName(keycloakGroup.name());
-			Set<Authority> members = new HashSet<>();
-			for (var keycloakMember : keycloakGroup.members()) {
-				var databaseUser = databaseUsers.get(keycloakMember.id());
-				if (databaseUser == null) {
-					// User might have been just added, fetch from database
-					databaseUser = userRepo.findById(keycloakMember.id());
-				}
-				members.add(databaseUser);
-			}
-			databaseGroup.setMembers(members);
-			groupRepo.persist(databaseGroup);
-		}
+			databaseGroup.setPictureUrl(keycloakGroup.pictureUrl());
+			databaseGroup.getMembers().addAll(keycloakGroup.members().stream().map(KeycloakUserDto::id).map(allAuthorities::get).collect(Collectors.toSet()));
+			return databaseGroup;
+		}).collect(Collectors.toMap(Group::getId, Function.identity()));
+		groupRepo.persist(added.values());
+		effectiveGroupMembershipRepo.updateGroups(addedIds);
+		return added;
 	}
 
 	//visible for testing
 	Set<String> syncDeletedGroups(Map<String, KeycloakGroupDto> keycloakGroups, Map<String, Group> databaseGroups) {
 		var deletedIds = diff(databaseGroups.keySet(), keycloakGroups.keySet());
-		for (var id : deletedIds) {
-			var databaseGroup = databaseGroups.get(id);
-			groupRepo.delete(databaseGroup);
-		}
+		groupRepo.deleteByIds(deletedIds);
+		effectiveGroupMembershipRepo.updateGroups(deletedIds);
 		return deletedIds;
 	}
 
 	//visible for testing
-	void syncUpdatedGroups(Map<String, KeycloakGroupDto> keycloakGroups, Map<String, Group> databaseGroups, Set<String> deletedGroupIds, Map<String, User> databaseUsers) {
+	void syncUpdatedGroups(Map<String, KeycloakGroupDto> keycloakGroups, Map<String, Group> databaseGroups, Set<String> deletedGroupIds, Map<String, Authority> allAuthorities) {
 		var toUpdateIds = diff(databaseGroups.keySet(), deletedGroupIds);
+		var idsOfGroupsWithChangedMembers = new HashSet<String>();
 		for (var id : toUpdateIds) {
 			var databaseGroup = databaseGroups.get(id);
 			var keycloakGroup = keycloakGroups.get(id);
-			var wantIds = keycloakGroup.members().stream().map(KeycloakUserDto::id).collect(Collectors.toSet());
-			var haveIds = databaseGroup.getMembers().stream().map(Authority::getId).collect(Collectors.toSet());
 			databaseGroup.setName(keycloakGroup.name());
-			for (var addId : diff(wantIds, haveIds)) {
-				var databaseUser = databaseUsers.get(addId);
-				if (databaseUser == null) {
-					// User might have been just added, fetch from database
-					databaseUser = userRepo.findById(addId);
-				}
-				databaseGroup.getMembers().add(databaseUser);
-			}
-			for (var removeId : diff(haveIds, wantIds)) {
-				databaseGroup.getMembers().removeIf(u -> u.getId().equals(removeId));
+			databaseGroup.setPictureUrl(keycloakGroup.pictureUrl());
+
+			// update members:
+			var kcMemberIds = keycloakGroup.members().stream().map(KeycloakUserDto::id).collect(Collectors.toSet());
+			var dbMemberIds = databaseGroup.getMembers().stream().map(Authority::getId).collect(Collectors.toSet());
+			var addedMemberIds = diff(kcMemberIds, dbMemberIds);
+			var addedMembers = addedMemberIds.stream().map(allAuthorities::get).collect(Collectors.toSet());
+			databaseGroup.getMembers().addAll(addedMembers);
+			var removedMemberIds = diff(dbMemberIds, kcMemberIds);
+			databaseGroup.getMembers().removeIf(u -> removedMemberIds.contains(u.getId()));
+			if (!addedMemberIds.isEmpty() || !removedMemberIds.isEmpty()) {
+				idsOfGroupsWithChangedMembers.add(id);
 			}
 		}
+		effectiveGroupMembershipRepo.updateGroups(idsOfGroupsWithChangedMembers);
 	}
 
-	private <T> Set<T> diff(Set<T> base, Set<T> difference) {
+	private static <T> Set<T> diff(Set<T> base, Set<T> difference) {
 		var result = new HashSet<>(base);
 		result.removeAll(difference);
 		return result;
 	}
+
+	private static <K, V> Map<K, V> merge(Map<K, ? extends V> first, Map<K, ? extends V> second) {
+		Map<K, V> result = new HashMap<>(first);
+		result.putAll(second);
+		return result;
+	}
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakGroupDto.java b/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakGroupDto.java
index a45fa466b..3a849a890 100644
--- a/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakGroupDto.java
+++ b/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakGroupDto.java
@@ -2,4 +2,5 @@
 
 import java.util.Set;
 
-public record KeycloakGroupDto(String id, String name, Set<KeycloakUserDto> members) { }
+public record KeycloakGroupDto(String id, String name, String pictureUrl, Set<KeycloakUserDto> members) {
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakRealmRoles.java b/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakRealmRoles.java
new file mode 100644
index 000000000..259a3fc06
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakRealmRoles.java
@@ -0,0 +1,29 @@
+package org.cryptomator.hub.keycloak;
+
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+import org.keycloak.admin.client.Keycloak;
+import org.keycloak.representations.idm.RoleRepresentation;
+
+import java.util.EnumMap;
+
+@ApplicationScoped
+public class KeycloakRealmRoles {
+
+	@Inject
+	Keycloak keycloak;
+
+	@ConfigProperty(name = "hub.keycloak.realm")
+	String keycloakRealm;
+
+	private final EnumMap<RealmRole, RoleRepresentation> cachedRoles = new EnumMap<>(RealmRole.class);
+
+	public RoleRepresentation getRealmRole(RealmRole realmRole) {
+		return cachedRoles.computeIfAbsent(realmRole, this::fetchRealmRole);
+	}
+
+	private RoleRepresentation fetchRealmRole(RealmRole realmRole) {
+		return keycloak.realm(keycloakRealm).roles().get(realmRole.kcName()).toRepresentation();
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakUserDto.java b/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakUserDto.java
index 2eac18210..b9b18a98d 100644
--- a/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakUserDto.java
+++ b/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakUserDto.java
@@ -1,3 +1,6 @@
 package org.cryptomator.hub.keycloak;
 
-public record KeycloakUserDto(String id, String name, String email, String pictureUrl) { }
+import java.util.Set;
+
+public record KeycloakUserDto(String id, String name, String email, String firstName, String lastName, String pictureUrl, boolean enabled, Set<RealmRole> roles) {
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/keycloak/RealmRole.java b/backend/src/main/java/org/cryptomator/hub/keycloak/RealmRole.java
new file mode 100644
index 000000000..e8614923d
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/keycloak/RealmRole.java
@@ -0,0 +1,47 @@
+package org.cryptomator.hub.keycloak;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.Collection;
+import java.util.EnumSet;
+import java.util.Set;
+
+public enum RealmRole {
+	@JsonProperty("user") USER("user"),
+	@JsonProperty("admin") ADMIN("admin"),
+	@JsonProperty("create-vaults") CREATE_VAULTS("create-vaults");
+
+	private final String kcName;
+
+	RealmRole(String kcName) {
+		this.kcName = kcName;
+	}
+
+	public String kcName() {
+		return kcName;
+	}
+
+	public static RealmRole fromKcName(String kcName) {
+		for (RealmRole role : values()) {
+			if (role.kcName.equals(kcName)) {
+				return role;
+			}
+		}
+		throw new IllegalArgumentException("No matching RealmRole for Keycloak name: " + kcName);
+	}
+
+	public static Set<RealmRole> fromKcNames(Collection<String> kcNames) {
+		if (kcNames == null || kcNames.isEmpty()) {
+			return EnumSet.noneOf(RealmRole.class);
+		}
+		Set<RealmRole> roles = EnumSet.noneOf(RealmRole.class);
+		for (String kcName : kcNames) {
+			for (RealmRole role : values()) {
+				if (role.kcName.equals(kcName)) {
+					roles.add(role);
+				}
+			}
+		}
+		return roles;
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/license/HubLicenseEntitlements.java b/backend/src/main/java/org/cryptomator/hub/license/HubLicenseEntitlements.java
new file mode 100644
index 000000000..5a4f88b64
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/license/HubLicenseEntitlements.java
@@ -0,0 +1,73 @@
+package org.cryptomator.hub.license;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import io.quarkus.runtime.annotations.RegisterForReflection;
+
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+
+@RegisterForReflection
+@JsonIgnoreProperties(ignoreUnknown = true)
+public record HubLicenseEntitlements(@JsonProperty("seats") long seats,
+									 @JsonProperty("showTrialHint") boolean showTrialHint,
+									 @JsonProperty("auditLogRetentionDays") long auditLogRetentionDays,
+									 @JsonProperty("emergencyAccessEnabled") boolean emergencyAccessEnabled,
+									 @JsonProperty("keycloakAccessEnabled") boolean keycloakAccessEnabled,
+									 @JsonProperty("iosLicense") String iosLicense,
+									 @JsonProperty("androidLicense") String androidLicense,
+									 @JsonProperty("desktopLicense") String desktopLicense) {
+
+	/**
+	 * Calculates the earliest point of time for audit log entries to still be retained.
+	 *
+	 * @return {@link #auditLogRetentionDays} days in the past from now
+	 */
+	public Instant auditLogRetentionThreshold() {
+		try {
+			return Instant.now().minus(auditLogRetentionDays(), ChronoUnit.DAYS).truncatedTo(ChronoUnit.DAYS);
+		} catch (ArithmeticException e) {
+			return Instant.MIN;
+		}
+	}
+
+	// region Factory + Withers
+
+	public static HubLicenseEntitlements create() {
+		return new HubLicenseEntitlements(0, false, 0, false, true, null, null, null);
+	}
+
+	public HubLicenseEntitlements withSeats(long seats) {
+		return new HubLicenseEntitlements(seats, this.showTrialHint, this.auditLogRetentionDays, this.emergencyAccessEnabled, this.keycloakAccessEnabled, this.iosLicense, this.androidLicense, this.desktopLicense);
+	}
+
+	public HubLicenseEntitlements withShowTrialHint(boolean showTrialHint) {
+		return new HubLicenseEntitlements(this.seats, showTrialHint, this.auditLogRetentionDays, this.emergencyAccessEnabled, this.keycloakAccessEnabled, this.iosLicense, this.androidLicense, this.desktopLicense);
+	}
+
+	public HubLicenseEntitlements withAuditLogRetentionDays(long auditLogRetentionDays) {
+		return new HubLicenseEntitlements(this.seats, this.showTrialHint, auditLogRetentionDays, this.emergencyAccessEnabled, this.keycloakAccessEnabled, this.iosLicense, this.androidLicense, this.desktopLicense);
+	}
+
+	public HubLicenseEntitlements withEmergencyAccessEnabled(boolean emergencyAccessEnabled) {
+		return new HubLicenseEntitlements(this.seats, this.showTrialHint, this.auditLogRetentionDays, emergencyAccessEnabled, this.keycloakAccessEnabled, this.iosLicense, this.androidLicense, this.desktopLicense);
+	}
+
+	public HubLicenseEntitlements withKeycloakAccessEnabled(boolean keycloakAccessEnabled) {
+		return new HubLicenseEntitlements(this.seats, this.showTrialHint, this.auditLogRetentionDays, this.emergencyAccessEnabled, keycloakAccessEnabled, this.iosLicense, this.androidLicense, this.desktopLicense);
+	}
+
+	public HubLicenseEntitlements withIosLicense(String iosLicense) {
+		return new HubLicenseEntitlements(this.seats, this.showTrialHint, this.auditLogRetentionDays, this.emergencyAccessEnabled, this.keycloakAccessEnabled, iosLicense, this.androidLicense, this.desktopLicense);
+	}
+
+	public HubLicenseEntitlements withAndroidLicense(String androidLicense) {
+		return new HubLicenseEntitlements(this.seats, this.showTrialHint, this.auditLogRetentionDays, this.emergencyAccessEnabled, this.keycloakAccessEnabled, this.iosLicense, androidLicense, this.desktopLicense);
+	}
+
+	public HubLicenseEntitlements withDesktopLicense(String desktopLicense) {
+		return new HubLicenseEntitlements(this.seats, this.showTrialHint, this.auditLogRetentionDays, this.emergencyAccessEnabled, this.keycloakAccessEnabled, this.iosLicense, this.androidLicense, desktopLicense);
+	}
+
+	// endregion
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/license/LicenseApi.java b/backend/src/main/java/org/cryptomator/hub/license/LicenseApi.java
new file mode 100644
index 000000000..3e098de0c
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/license/LicenseApi.java
@@ -0,0 +1,77 @@
+package org.cryptomator.hub.license;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.FormParam;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.HeaderParam;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.MediaType;
+import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
+
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.util.Base64;
+
+@RegisterRestClient(configKey = "license-api")
+public interface LicenseApi {
+
+	@GET
+	@Path("/hub/challenge")
+	@Produces(MediaType.APPLICATION_JSON)
+	Challenge generateChallenge();
+
+	@GET
+	@Path("/hub/no-challenge")
+	@Produces(MediaType.APPLICATION_JSON)
+	Solution generatePresolvedChallenge(@HeaderParam("Authorization") String authHeader);
+
+	@POST
+	@Path("/hub/trial")
+	@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+	@Produces(MediaType.APPLICATION_JSON)
+	TrialLicenseResponse generateTrialLicense(@FormParam("captcha") String captcha);
+
+	@POST
+	@Path("/hub/refresh")
+	@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+	@Produces(MediaType.TEXT_PLAIN)
+	String refreshLicense(@FormParam("token") String licenseKey, @FormParam("captcha") String captcha);
+
+	record Challenge(@JsonProperty("algorithm") String algorithm,
+					 @JsonProperty("challenge") String challenge,
+					 @JsonProperty("maxnumber") int maxnumber,
+					 @JsonProperty("salt") String salt,
+					 @JsonProperty("signature") String signature) {
+		public Solution solve(int number, long took) {
+			return new Solution(algorithm, challenge, number, salt, signature, took);
+		}
+	}
+
+	record Solution(@JsonProperty("algorithm") String algorithm,
+					@JsonProperty("challenge") String challenge,
+					@JsonProperty("number") int number,
+					@JsonProperty("salt") String salt,
+					@JsonProperty("signature") String signature,
+					@JsonProperty("took") long took) {
+		private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
+
+		public String toCaptcha() {
+			try {
+				var serialized = OBJECT_MAPPER.writer().writeValueAsBytes(this);
+				return Base64.getEncoder().encodeToString(serialized);
+			} catch (IOException e) {
+				throw new UncheckedIOException("Failed to encode captcha", e);
+			}
+		}
+	}
+
+	record TrialLicenseResponse(@JsonProperty("hubId") String hubId,
+								@JsonProperty("licenseKey") String licenseKey) {
+	}
+
+
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/license/LicenseHolder.java b/backend/src/main/java/org/cryptomator/hub/license/LicenseHolder.java
index faf95471a..a29f9ba96 100644
--- a/backend/src/main/java/org/cryptomator/hub/license/LicenseHolder.java
+++ b/backend/src/main/java/org/cryptomator/hub/license/LicenseHolder.java
@@ -1,33 +1,42 @@
 package org.cryptomator.hub.license;
 
 import com.auth0.jwt.exceptions.JWTVerificationException;
-import com.auth0.jwt.interfaces.Claim;
 import com.auth0.jwt.interfaces.DecodedJWT;
 import io.quarkus.scheduler.Scheduled;
-import io.quarkus.scheduler.ScheduledExecution;
+import io.smallrye.common.annotation.RunOnVirtualThread;
 import jakarta.annotation.PostConstruct;
 import jakarta.enterprise.context.ApplicationScoped;
 import jakarta.inject.Inject;
 import jakarta.transaction.Transactional;
+import jakarta.validation.constraints.NotNull;
+import jakarta.ws.rs.WebApplicationException;
+import jakarta.ws.rs.core.MediaType;
 import org.cryptomator.hub.entities.Settings;
 import org.eclipse.microprofile.config.inject.ConfigProperty;
+import org.eclipse.microprofile.rest.client.inject.RestClient;
 import org.jboss.logging.Logger;
 
 import java.io.IOException;
+import java.io.InterruptedIOException;
 import java.net.URI;
+import java.net.URISyntaxException;
 import java.net.URLEncoder;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
 import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Base64;
+import java.util.HexFormat;
 import java.util.Optional;
 
 @ApplicationScoped
 public class LicenseHolder {
 
-	private static final int SELFHOSTED_NOLICENSE_SEATS = 5;
-	private static final int MANAGED_NOLICENSE_SEATS = 0;
+	private static final Logger LOG = Logger.getLogger(LicenseHolder.class);
 
 	@Inject
 	@ConfigProperty(name = "hub.managed-instance", defaultValue = "false")
@@ -41,52 +50,139 @@ public class LicenseHolder {
 	@ConfigProperty(name = "hub.initial-license")
 	Optional<String> initialLicenseToken;
 
+	@Inject
+	@ConfigProperty(name = "hub.managed-api-username")
+	Optional<String> managedApiUsername;
+
+	@Inject
+	@ConfigProperty(name = "hub.managed-api-password")
+	Optional<String> managedApiPassword;
+
 	@Inject
 	LicenseValidator licenseValidator;
 
 	@Inject
-	RandomMinuteSleeper randomMinuteSleeper;
+	RandomSleeper randomSleeper;
+
 	@Inject
 	Settings.Repository settingsRepo;
 
-	private static final Logger LOG = Logger.getLogger(LicenseHolder.class);
+	@RestClient
+	LicenseApi licenseApi;
+
 	private DecodedJWT license;
 
-	/**
-	 * Loads the license from the database or from init props, if present
-	 */
 	@PostConstruct
 	void init() {
+		this.license = this.ensureLicenseExists();
+		// refresh upon startup:
+		// except for trial licenses and recently issued licenses (to avoid restart-loop spam)
+		var hasNotBeenIssuedRecently = license.getIssuedAtAsInstant().isBefore(Instant.now().minus(5, ChronoUnit.MINUTES));
+		var isTrialLicense = getEntitlements().showTrialHint();
+		if (hasNotBeenIssuedRecently && !isTrialLicense) {
+			LOG.debug("License was issued more than 5 minutes ago. Attempting a refresh to ensure we have the latest license information from the license server.");
+			try {
+				refreshLicense();
+			} catch (IOException e) {
+				LOG.error("Failed to refresh license during startup.", e);
+			}
+		}
+	}
+
+	/**
+	 * Makes sure a valid (but possibly expired) license exists.
+	 * <p>
+	 * Called during {@link org.cryptomator.hub.Main application startup}.
+	 *
+	 * @throws JWTVerificationException if the license is invalid
+	 */
+	@Transactional
+	DecodedJWT ensureLicenseExists() throws JWTVerificationException, WebApplicationException {
 		var settings = settingsRepo.get();
 		if (settings.getLicenseKey() != null && settings.getHubId() != null) {
-			validateOrResetExistingLicense(settings);
+			return validateExistingLicense(settings);
 		} else if (initialLicenseToken.isPresent() && initialId.isPresent()) {
-			validateAndApplyInitLicense(settings, initialLicenseToken.get(), initialId.get());
+			return validateAndApplyInitLicense(settings, initialLicenseToken.get(), initialId.get());
+		} else {
+			return requestAnonTrialLicense(settings);
 		}
 	}
 
-	@Transactional
-	void validateOrResetExistingLicense(Settings settings) {
+	@Transactional(Transactional.TxType.MANDATORY)
+	DecodedJWT validateExistingLicense(Settings settings) throws JWTVerificationException {
 		try {
-			this.license = licenseValidator.validate(settings.getLicenseKey(), settings.getHubId());
+			var validated = licenseValidator.validate(settings.getLicenseKey(), settings.getHubId());
+			LOG.info("Verified existing license.");
+			return validated;
 		} catch (JWTVerificationException e) {
 			LOG.warn("License in database is invalid or does not match hubId", e);
-			LOG.warn("Deleting license entry. Please add the license over the REST API again.");
-			settings.setLicenseKey(null);
-			settingsRepo.persistAndFlush(settings);
+			throw e;
 		}
 	}
 
-	@Transactional
-	void validateAndApplyInitLicense(Settings settings, String initialLicenseToken, String initialHubId) {
+	@Transactional(Transactional.TxType.MANDATORY)
+	DecodedJWT validateAndApplyInitLicense(Settings settings, String initialLicenseToken, String initialHubId) throws JWTVerificationException {
 		try {
-			this.license = licenseValidator.validate(initialLicenseToken, initialHubId);
+			var validated = licenseValidator.validate(initialLicenseToken, initialHubId);
 			settings.setLicenseKey(initialLicenseToken);
 			settings.setHubId(initialHubId);
 			settingsRepo.persistAndFlush(settings);
+			LOG.info("Successfully imported license from property hub.initial-license.");
+			return validated;
 		} catch (JWTVerificationException e) {
-			LOG.warn("Provided initial license is invalid or does not match inital hubId.", e);
+			LOG.warn("Provided initial license is invalid or does not match initial hubId.", e);
+			throw e;
+		}
+	}
+
+	@Transactional(Transactional.TxType.MANDATORY)
+	DecodedJWT requestAnonTrialLicense(Settings settings) throws WebApplicationException {
+		LOG.info("No license found. Requesting trial license...");
+		var solution = solveChallenge();
+		var trialResponse = licenseApi.generateTrialLicense(solution.toCaptcha());
+		var validated = licenseValidator.validate(trialResponse.licenseKey(), trialResponse.hubId());
+		settings.setLicenseKey(trialResponse.licenseKey());
+		settings.setHubId(trialResponse.hubId());
+		settingsRepo.persistAndFlush(settings);
+		LOG.info("Successfully retrieved trial license.");
+		return validated;
+	}
+
+	LicenseApi.Solution solveChallenge() {
+		if (managedApiUsername.isPresent() && managedApiPassword.isPresent()) {
+			var authHeader = "Basic " + Base64.getEncoder().encodeToString((managedApiUsername.get() + ":" + managedApiPassword.get()).getBytes(StandardCharsets.UTF_8));
+			try {
+				return licenseApi.generatePresolvedChallenge(authHeader);
+			} catch (WebApplicationException e) {
+				LOG.warn("Failed to retrieve presolved challenge for license refresh. Falling back to solving a regular challenge.", e);
+			}
 		}
+		var challenge = licenseApi.generateChallenge();
+		return solveChallenge(challenge);
+	}
+
+	// visible for testing
+	LicenseApi.Solution solveChallenge(LicenseApi.Challenge challenge) {
+		HexFormat hex = HexFormat.of();
+		MessageDigest sha256;
+		try {
+			sha256 = MessageDigest.getInstance("SHA-256");
+		} catch (NoSuchAlgorithmException e) {
+			throw new AssertionError("Every implementation of the Java platform is required to support [...] SHA-256", e);
+		}
+		LOG.debug("Solving challenge...");
+		long start = System.nanoTime();
+		for (int i = 0; i < challenge.maxnumber(); i++) {
+			var saltedSecret = challenge.salt() + i;
+			sha256.update(saltedSecret.getBytes(StandardCharsets.US_ASCII));
+			var attempt = hex.formatHex(sha256.digest());
+			if (challenge.challenge().equals(attempt)) {
+				long took = System.nanoTime() - start;
+				LOG.debugv("Solved challenge in {1,number,integer} ms", took / 1_000_000);
+				return challenge.solve(i, took / 1_000_000);
+			}
+		}
+		throw new IllegalArgumentException("Unsolvable challenge");
 	}
 
 	/**
@@ -104,36 +200,63 @@ public void set(String token) throws JWTVerificationException {
 	}
 
 	/**
-	 * Attempts to refresh the Hub licence every day between 01:00:00 and 02:00:00 AM UTC if claim refreshURL is present.
+	 * Attempts to refresh the Hub license every day between 01:00:00 and 02:00:00 AM UTC if claim refreshURL is present.
 	 */
 	@Scheduled(cron = "0 0 1 * * ?", timeZone = "UTC", concurrentExecution = Scheduled.ConcurrentExecution.SKIP)
-	void refreshLicense() throws InterruptedException {
-		if (get() != null) {
-			randomMinuteSleeper.sleep(); // add random sleep between [0,59]min to reduce infrastructure load
-			var refreshUrlClaim = get().getClaim("refreshUrl");
-			if (refreshUrlClaim != null) {
-				try {
-					var refreshUrl = URI.create(refreshUrlClaim.asString());
-					var refreshedLicense = requestLicenseRefresh(refreshUrl, get().getToken());
-					set(refreshedLicense);
-				} catch (LicenseRefreshFailedException lrfe) {
-					LOG.errorv("Failed to refresh license token. Request to {0} was answerd with response code {1,number,integer}", refreshUrlClaim, lrfe.statusCode);
-				} catch (IllegalArgumentException | IOException e) {
-					LOG.error("Failed to refresh license token", e);
-				} catch (JWTVerificationException jve) {
-					LOG.error("Failed to refresh license token. Refreshed token is invalid.", jve);
-				}
-			}
+	@RunOnVirtualThread
+	void scheduleLicenseRefresh() {
+		try {
+			randomSleeper.sleep(0, 59, ChronoUnit.MINUTES); // add random sleep to reduce infrastructure load
+			refreshLicense();
+		} catch (IOException e) {
+			LOG.error("Scheduled license refresh failed.", e);
+		} catch (InterruptedException e) {
+			Thread.currentThread().interrupt();
+			LOG.warn("Scheduled license refresh was interrupted.", e);
+		}
+	}
+
+	public void refreshLicense() throws IOException {
+		var refreshUrl = getLicenseRefreshUri();
+		final String refreshedLicense;
+		try {
+			refreshedLicense = requestLicenseRefresh(refreshUrl, get().getToken());
+		} catch (LicenseRefreshFailedException e) {
+			LOG.errorv("Failed to refresh license token. Request to {0} was answered with response code {1,number,integer}", refreshUrl, e.statusCode);
+			throw new IOException("Failed to refresh license token.", e);
+		} catch (InterruptedException e) {
+			Thread.currentThread().interrupt();
+			throw new InterruptedIOException("License refresh was interrupted");
+		}
+		try {
+			set(refreshedLicense);
+		} catch (JWTVerificationException e) {
+			LOG.errorv(e, "Failed to refresh license token. Refreshed token is invalid: {0}", refreshedLicense);
+			throw new IOException("Invalid new license token.", e);
+		}
+	}
+
+	private URI getLicenseRefreshUri() {
+		var refreshUrlClaim = get().getClaim("refreshUrl");
+		if (refreshUrlClaim.isMissing()) {
+			throw new IllegalStateException("Missing refreshUrl claim.");
+		}
+		try {
+			return new URI(refreshUrlClaim.asString());
+		} catch (NullPointerException | URISyntaxException e) {
+			throw new IllegalStateException("Invalid value for refreshUrl claim", e);
 		}
 	}
 
 	//visible for testing
 	String requestLicenseRefresh(URI refreshUrl, String licenseToken) throws InterruptedException, IOException, LicenseRefreshFailedException {
+		var solution = solveChallenge();
 		try (var client = HttpClient.newBuilder().followRedirects(HttpClient.Redirect.NORMAL).build()) {
-			var body = "token=" + URLEncoder.encode(licenseToken, StandardCharsets.UTF_8);
+			var body = "token=" + URLEncoder.encode(licenseToken, StandardCharsets.UTF_8)
+					+ "&captcha=" + URLEncoder.encode(solution.toCaptcha(), StandardCharsets.UTF_8);
 			var request = HttpRequest.newBuilder() //
 					.uri(refreshUrl) //
-					.headers("Content-Type", "application/x-www-form-urlencoded") //
+					.header("Content-Type", MediaType.APPLICATION_FORM_URLENCODED) //
 					.POST(HttpRequest.BodyPublishers.ofString(body)) //
 					.version(HttpClient.Version.HTTP_1_1) //
 					.build();
@@ -146,49 +269,35 @@ String requestLicenseRefresh(URI refreshUrl, String licenseToken) throws Interru
 		}
 	}
 
+	@NotNull
 	public DecodedJWT get() {
+		if (license == null) {
+			throw new IllegalStateException();
+		}
 		return license;
 	}
 
-	/**
-	 * Checks if the license is set.
-	 *
-	 * @return {@code true}, if the license _is not null_. Otherwise false.
-	 */
-	public boolean isSet() {
-		return license != null;
+	public HubLicenseEntitlements getEntitlements() {
+		var entitlements = license.getClaim("org.cryptomator.hub.entitlements").as(HubLicenseEntitlements.class);
+		// TODO: eventually "entitlements" claim will be mandatory and this fallback can be removed, see https://github.com/cryptomator/hub/issues/391
+		if (entitlements == null) { // legacy (pre 1.5.0) license without "org.cryptomator.hub.entitlements" claim:
+			return HubLicenseEntitlements.create().withSeats(license.getClaim("seats").asLong());
+		} else {
+			return entitlements;
+		}
 	}
 
 	/**
 	 * Checks if the license is expired.
 	 *
-	 * @return {@code true}, if the license _is not nul and expired_. Otherwise false.
+	 * @return {@code true}, if the license expired, {@code false} otherwise.
 	 */
 	public boolean isExpired() {
-		return Optional.ofNullable(license) //
-				.map(l -> l.getExpiresAt().toInstant().isBefore(Instant.now())) //
-				.orElse(false);
-	}
-
-	/**
-	 * Gets the number of seats in the license
-	 *
-	 * @return Number of seats of the license, if license is not null. Otherwise {@value SELFHOSTED_NOLICENSE_SEATS}.
-	 */
-	public long getSeats() {
-		return Optional.ofNullable(license) //
-				.map(l -> l.getClaim("seats")) //
-				.map(Claim::asLong) //
-				.orElseGet(this::seatsOnNotExisingLicense);
-	}
-
-	//visible for testing
-	public long seatsOnNotExisingLicense() {
-		if (!managedInstance) {
-			return SELFHOSTED_NOLICENSE_SEATS;
-		} else {
-			return MANAGED_NOLICENSE_SEATS;
+		var license = get();
+		if (license == null) {
+			throw new IllegalStateException();
 		}
+		return license.getExpiresAt().toInstant().isBefore(Instant.now());
 	}
 
 	public boolean isManagedInstance() {
@@ -204,4 +313,5 @@ static class LicenseRefreshFailedException extends RuntimeException {
 			this.body = body;
 		}
 	}
+
 }
diff --git a/backend/src/main/java/org/cryptomator/hub/license/LicenseValidator.java b/backend/src/main/java/org/cryptomator/hub/license/LicenseValidator.java
index 1813251c1..f78e862e9 100644
--- a/backend/src/main/java/org/cryptomator/hub/license/LicenseValidator.java
+++ b/backend/src/main/java/org/cryptomator/hub/license/LicenseValidator.java
@@ -1,67 +1,37 @@
 package org.cryptomator.hub.license;
 
-import com.auth0.jwt.JWT;
-import com.auth0.jwt.algorithms.Algorithm;
 import com.auth0.jwt.exceptions.InvalidClaimException;
 import com.auth0.jwt.exceptions.JWTVerificationException;
 import com.auth0.jwt.interfaces.DecodedJWT;
 import com.auth0.jwt.interfaces.JWTVerifier;
 import jakarta.enterprise.context.ApplicationScoped;
-import org.jose4j.base64url.Base64;
-
-import java.security.KeyFactory;
-import java.security.NoSuchAlgorithmException;
-import java.security.interfaces.ECPublicKey;
-import java.security.spec.InvalidKeySpecException;
-import java.security.spec.X509EncodedKeySpec;
-import java.time.Instant;
-import java.util.Objects;
-import java.util.Optional;
+import jakarta.inject.Inject;
+import jakarta.inject.Named;
 
 @ApplicationScoped
 public class LicenseValidator {
 
-	private static final String[] REQUIRED_CLAIMS = {"seats"};
-
-	private static final String LICENSE_PUBLIC_KEY = """
-			MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBjvVwj5K4/v6yq23luaEEYYG9ru6z\
-			BuXeQLtZNy49FlGA5rbeumoruFVQfVPuV8R9mofxyJBpU4ixi8KGkYl+eEQBTGvN\
-			EQ9Z36gBX2uZOCOfHM4x50lpwtTZ0QA3B07WPhmvupy9gZk18NHuysOd8KZFEPpG\
-			YGmYBhMZXAL30qweiBQ=
-			""";
-
-	private final JWTVerifier verifier;
-
-	public LicenseValidator() {
-		var algorithm = Algorithm.ECDSA512(decodePublicKey(LICENSE_PUBLIC_KEY), null);
-		var expiresleeway = Instant.now().getEpochSecond(); // this will make sure to accept tokens that expired in the past (beginning from 1970)
-		// ignoring issued at will make sure to accept tokens that are issued "in the future" e.g. when the hub time is behind the store time
-		this.verifier = JWT.require(algorithm).acceptExpiresAt(expiresleeway).ignoreIssuedAt().build();
-	}
+	private static final String[] REQUIRED_CLAIMS = {"jti", "sub", "iat", "exp", "seats"}; // TODO: eventually phase out "seats" claim in favor of "org.cryptomator.hub.entitlements"."seats", see https://github.com/cryptomator/hub/issues/391
 
-	private static ECPublicKey decodePublicKey(String pemEncodedPublicKey) {
-		try {
-			var keyBytes = Base64.decode(pemEncodedPublicKey);
-			var key = KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(keyBytes));
-			if (key instanceof ECPublicKey k) {
-				return k;
-			} else {
-				throw new IllegalStateException("Key not an EC public key.");
-			}
-		} catch (InvalidKeySpecException e) {
-			throw new IllegalArgumentException("Invalid license public key", e);
-		} catch (NoSuchAlgorithmException e) {
-			throw new IllegalStateException(e);
-		}
-	}
+	@Inject
+	@Named("licenseVerifier")
+	JWTVerifier verifier;
 
+	/**
+	 * Validates the token signature and whether it matches the Hub ID. It does NOT check the expiration date, though.
+	 *
+	 * @param token         JWT
+	 * @param expectedHubId the ID of this Hub instance
+	 * @return the verified token.
+	 * @throws JWTVerificationException If validation fails.
+	 */
 	public DecodedJWT validate(String token, String expectedHubId) throws JWTVerificationException {
 		var jwt = verifier.verify(token);
 		if (!jwt.getId().equals(expectedHubId)) {
 			throw new InvalidClaimException("Token ID " + jwt.getId() + " does not match your Hub ID " + expectedHubId);
 		}
 		for (var claim : REQUIRED_CLAIMS) {
-			if (Objects.isNull(jwt.getClaim(claim))) {
+			if (jwt.getClaim(claim).isMissing()) {
 				throw new InvalidClaimException("The claim " + claim + " is required, but not present.");
 			}
 		}
diff --git a/backend/src/main/java/org/cryptomator/hub/license/LicenseVerifierProducer.java b/backend/src/main/java/org/cryptomator/hub/license/LicenseVerifierProducer.java
new file mode 100644
index 000000000..cb8a22720
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/license/LicenseVerifierProducer.java
@@ -0,0 +1,85 @@
+package org.cryptomator.hub.license;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.JWTVerifier;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.enterprise.inject.Produces;
+import jakarta.inject.Named;
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+
+import java.security.GeneralSecurityException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.ECPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.time.Instant;
+import java.util.Base64;
+import java.util.Objects;
+
+@ApplicationScoped
+public class LicenseVerifierProducer {
+
+	@Deprecated // TODO: once all issued tokens contain the x5c claim, we can remove the legacy verification method
+	private static final String LICENSE_PUBLIC_KEY = "MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBjvVwj5K4/v6yq23luaEEYYG9ru6zBuXeQLtZNy49FlGA5rbeumoruFVQfVPuV8R9mofxyJBpU4ixi8KGkYl+eEQBTGvNEQ9Z36gBX2uZOCOfHM4x50lpwtTZ0QA3B07WPhmvupy9gZk18NHuysOd8KZFEPpGYGmYBhMZXAL30qweiBQ=";
+	private static final String LICENSE_ROOT_CERTIFICATE = """
+			-----BEGIN CERTIFICATE-----
+			MIIBqDCCAVqgAwIBAgIUKNImuR2JD+NyAWaYzb8V8w8SdFwwBQYDK2VwMD8xCzAJ
+			BgNVBAYTAkRFMRYwFAYDVQQKDA1Ta3ltYXRpYyBHbWJIMRgwFgYDVQQDDA9MaWNl
+			bnNlIFJvb3QgQ0EwIBcNMjYwMjI2MTMzMTQxWhgPMjA3NjAyMTQxMzMxNDFaMD8x
+			CzAJBgNVBAYTAkRFMRYwFAYDVQQKDA1Ta3ltYXRpYyBHbWJIMRgwFgYDVQQDDA9M
+			aWNlbnNlIFJvb3QgQ0EwKjAFBgMrZXADIQCOyUIv+3Ust66VWJ8yH5ruJGxyZC1u
+			LK2Yxb+ZtPGAQKNmMGQwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMC
+			AQYwHQYDVR0OBBYEFGhKUh0jCta2wXzxrUldIBqB4Bz3MB8GA1UdIwQYMBaAFGhK
+			Uh0jCta2wXzxrUldIBqB4Bz3MAUGAytlcANBAOERjFKpGnjxH1nh2u5lsCjX65zz
+			XisC7XFaZQikVLKzHK+YTIusi3x7dGCFBjO/m3ieQpt7BsaPo0lLL719pQ8=
+			-----END CERTIFICATE-----
+			""";
+
+	@ConfigProperty(name = "hub.license.chain.required-cn")
+	String licenseChainRequiredCn;
+
+	@Produces
+	@ApplicationScoped
+	@Named("licenseVerifier")
+	public JWTVerifier produceLicenseVerifier() {
+		return produceLicenseVerifier(LICENSE_ROOT_CERTIFICATE, Objects.requireNonNull(licenseChainRequiredCn));
+	}
+
+	// visible for testing
+	JWTVerifier produceLicenseVerifier(String rootCert, String licenseChainRequiredCn) throws JWTVerificationException {
+		var fallback = produceLegacyVerifier();
+		try {
+			var trustedRoot = X509Helper.parseCertificate(rootCert);
+			return new X5cCheckingJWTVerifier(trustedRoot, fallback, licenseChainRequiredCn);
+		} catch (GeneralSecurityException e) {
+			throw new IllegalStateException("Invalid trusted root certificate", e);
+		}
+	}
+
+	@Deprecated // TODO: once all issued tokens contain the x5c claim, we can remove the legacy verification method
+	private JWTVerifier produceLegacyVerifier() {
+		var algorithm = Algorithm.ECDSA512(decodePublicKey(LICENSE_PUBLIC_KEY), null);
+		var expiresleeway = Instant.now().getEpochSecond(); // this will make sure to accept tokens that expired in the past (beginning from 1970)
+		return JWT.require(algorithm).acceptExpiresAt(expiresleeway).ignoreIssuedAt().build(); // ignoring issued at will make sure to accept tokens that are issued "in the future" e.g. when the hub time is behind the store time
+	}
+
+	private static ECPublicKey decodePublicKey(String pemEncodedPublicKey) {
+		try {
+			var keyBytes = Base64.getDecoder().decode(pemEncodedPublicKey);
+			var key = KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(keyBytes));
+			if (key instanceof ECPublicKey k) {
+				return k;
+			} else {
+				throw new IllegalStateException("Key not an EC public key.");
+			}
+		} catch (InvalidKeySpecException e) {
+			throw new IllegalArgumentException("Invalid license public key", e);
+		} catch (NoSuchAlgorithmException e) {
+			throw new IllegalStateException(e);
+		}
+	}
+
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/license/RandomMinuteSleeper.java b/backend/src/main/java/org/cryptomator/hub/license/RandomMinuteSleeper.java
deleted file mode 100644
index f5b005e75..000000000
--- a/backend/src/main/java/org/cryptomator/hub/license/RandomMinuteSleeper.java
+++ /dev/null
@@ -1,21 +0,0 @@
-package org.cryptomator.hub.license;
-
-import jakarta.enterprise.context.ApplicationScoped;
-
-import java.util.Random;
-
-@ApplicationScoped
-public class RandomMinuteSleeper {
-
-	private static final long MINUTE_IN_MILLIS = 60 * 1000L;
-	private final Random rng;
-
-	public RandomMinuteSleeper() {
-		this.rng = new Random();
-	}
-
-	void sleep() throws InterruptedException {
-		Thread.sleep(rng.nextInt(0, 60) * MINUTE_IN_MILLIS);
-	}
-
-}
diff --git a/backend/src/main/java/org/cryptomator/hub/license/RandomSleeper.java b/backend/src/main/java/org/cryptomator/hub/license/RandomSleeper.java
new file mode 100644
index 000000000..4738a2506
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/license/RandomSleeper.java
@@ -0,0 +1,23 @@
+package org.cryptomator.hub.license;
+
+import jakarta.enterprise.context.ApplicationScoped;
+
+import java.time.Duration;
+import java.time.temporal.TemporalUnit;
+import java.util.random.RandomGenerator;
+
+@ApplicationScoped
+public class RandomSleeper {
+
+	private final RandomGenerator rng;
+
+	public RandomSleeper() {
+		this.rng = RandomGenerator.getDefault();
+	}
+
+	void sleep(int min, int max, TemporalUnit unit) throws InterruptedException {
+		var delay = Duration.of(rng.nextInt(min, max), unit);
+		Thread.sleep(delay.toMillis());
+	}
+
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/license/X509Helper.java b/backend/src/main/java/org/cryptomator/hub/license/X509Helper.java
new file mode 100644
index 000000000..9bc61b024
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/license/X509Helper.java
@@ -0,0 +1,103 @@
+package org.cryptomator.hub.license;
+
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.security.auth.x500.X500Principal;
+import java.io.ByteArrayInputStream;
+import java.security.GeneralSecurityException;
+import java.security.cert.CertPathValidator;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateParsingException;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Base64;
+import java.util.List;
+import java.util.Set;
+
+final class X509Helper {
+
+	private X509Helper() {}
+
+	public static X509Certificate validateX5cChain(List<String> x5c, X509Certificate trustedRootCertificate) throws GeneralSecurityException {
+		if (x5c == null || x5c.isEmpty()) {
+			throw new CertPathValidatorException("null or empty x5c chain");
+		}
+		var chain = new ArrayList<>(decodeCertificates(x5c));
+		for (var cert : chain) {
+			cert.checkValidity();
+		}
+
+		// JWS x5c is leaf-first. Remove trust anchor if present at the end.
+		if (!chain.isEmpty() && chain.getLast().equals(trustedRootCertificate)) {
+			chain.removeLast();
+		}
+		if (chain.isEmpty()) {
+			throw new CertPathValidatorException("x5c chain does not contain a leaf certificate.");
+		}
+
+		var certPath = CertificateFactory.getInstance("X.509").generateCertPath(chain);
+		var pkixParams = new PKIXParameters(Set.of(new TrustAnchor(trustedRootCertificate, null)));
+		pkixParams.setRevocationEnabled(false);
+		CertPathValidator.getInstance("PKIX").validate(certPath, pkixParams);
+
+		return chain.getFirst();
+	}
+
+	private static List<X509Certificate> decodeCertificates(List<String> encodedCertificates) throws GeneralSecurityException {
+		var certs = new ArrayList<X509Certificate>(encodedCertificates.size());
+		for (var encodedCert : encodedCertificates) {
+			certs.add(parseCertificate(encodedCert));
+		}
+		return certs;
+	}
+
+	/**
+	 * Imports an X.509 certificate from the given string.
+	 *
+	 * @param encoded The encoded certificate (PEM or base64 DER)
+	 * @return The decoded X.509 certificate
+	 * @throws CertificateException In case of invalid input
+	 */
+	public static X509Certificate parseCertificate(String encoded) throws CertificateException {
+		if (encoded == null || encoded.isBlank()) {
+			throw new CertificateParsingException("Certificate string is null or empty.");
+		}
+		var certBytes = decodeBase64PemOrDer(encoded);
+		var certFactory = CertificateFactory.getInstance("X.509");
+		var cert = certFactory.generateCertificate(new ByteArrayInputStream(certBytes));
+		if (cert instanceof X509Certificate x509Cert) {
+			return x509Cert;
+		}
+		throw new CertificateException("X.509 certificate could not be decoded");
+	}
+
+	private static byte[] decodeBase64PemOrDer(String value) throws CertificateParsingException {
+		var normalized = value
+				.replace("-----BEGIN CERTIFICATE-----", "")
+				.replace("-----END CERTIFICATE-----", "")
+				.replaceAll("\\s", "");
+		try {
+			return Base64.getDecoder().decode(normalized);
+		} catch (IllegalArgumentException e) {
+			throw new CertificateParsingException(e);
+		}
+	}
+
+	public static String getCommonName(X509Certificate cert) throws CertificateException {
+		try {
+			var dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
+			for (var rdn : new LdapName(dn).getRdns()) {
+				if ("CN".equals(rdn.getType())) {
+					return String.valueOf(rdn.getValue());
+				}
+			}
+			throw new CertificateException("Certificate subject does not contain CN.");
+		} catch (InvalidNameException e) {
+			throw new CertificateException("Invalid certificate subject.", e);
+		}
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/license/X5cCheckingJWTVerifier.java b/backend/src/main/java/org/cryptomator/hub/license/X5cCheckingJWTVerifier.java
new file mode 100644
index 000000000..1ad4ba31e
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/license/X5cCheckingJWTVerifier.java
@@ -0,0 +1,80 @@
+package org.cryptomator.hub.license;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.Claim;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.auth0.jwt.interfaces.JWTVerifier;
+
+import java.security.GeneralSecurityException;
+import java.security.cert.CertPathValidatorException;
+import java.security.interfaces.ECPublicKey;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.util.List;
+import java.util.Objects;
+
+class X5cCheckingJWTVerifier implements JWTVerifier {
+
+	private final X509Certificate trustedRootCertificate;
+	private final JWTVerifier fallback;
+	private final String licenseChainRequiredCn;
+
+	X5cCheckingJWTVerifier(X509Certificate trustedRootCertificate, JWTVerifier fallback, String licenseChainRequiredCn) {
+		this.trustedRootCertificate = Objects.requireNonNull(trustedRootCertificate);
+		this.fallback = Objects.requireNonNull(fallback);
+		this.licenseChainRequiredCn = Objects.requireNonNull(licenseChainRequiredCn);
+	}
+
+	@Override
+	public DecodedJWT verify(String token) throws JWTVerificationException {
+		return verify(JWT.decode(token));
+	}
+
+	@Override
+	public DecodedJWT verify(DecodedJWT decodedJWT) throws JWTVerificationException {
+		var x5cChain = decodedJWT.getHeaderClaim("x5c").asList(String.class);
+		if (x5cChain == null || x5cChain.isEmpty()) {
+			// if present, the x5c claim must contain leaf and intermediate certificate.
+			// If not present or invalid, we fall back to the old verification method (e.g., for tokens that are signed with the old private key and thus do not contain the x5c claim).
+			return fallback.verify(decodedJWT);
+		}
+
+		var leafPublicKey = verifyCertChain(x5cChain);
+		var expiresLeeway = Instant.now().getEpochSecond();
+		var x5cVerifier = JWT.require(Algorithm.ECDSA512(leafPublicKey, null))
+				.acceptExpiresAt(expiresLeeway) // this will make sure to accept tokens that expired in the past (beginning from 1970)
+				.ignoreIssuedAt() // ignoring issued at will make sure to accept tokens that are issued "in the future" e.g. when the hub time is behind the store time
+				.build();
+		return x5cVerifier.verify(decodedJWT);
+	}
+
+	private ECPublicKey verifyCertChain(List<String> x5cChain) throws JWTVerificationException {
+		try {
+			var leafCertificate = X509Helper.validateX5cChain(x5cChain, trustedRootCertificate);
+			if (!licenseChainRequiredCn.isEmpty()) {
+				verifyCNIsPartOfChain(licenseChainRequiredCn, x5cChain);
+			}
+			if (leafCertificate.getPublicKey() instanceof ECPublicKey leafPublicKey) {
+				return leafPublicKey;
+			} else {
+				throw new JWTVerificationException("Unsupported key algorithm in x5c leaf certificate. Expected EC.");
+			}
+		} catch (GeneralSecurityException e) {
+			throw new JWTVerificationException("Invalid x5c certificate chain.", e);
+		}
+	}
+
+	private void verifyCNIsPartOfChain(String expectedCN, List<String> x5cChain) throws GeneralSecurityException {
+		for (var encodedCert : x5cChain) {
+			var cert = X509Helper.parseCertificate(encodedCert);
+			var actualCn = X509Helper.getCommonName(cert);
+			if (expectedCN.equals(actualCn)) {
+				return;
+			}
+		}
+		throw new JWTVerificationException("Expected certificate CN not found in x5c chain.");
+	}
+
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/metrics/SystemUsageMetrics.java b/backend/src/main/java/org/cryptomator/hub/metrics/SystemUsageMetrics.java
new file mode 100644
index 000000000..b1fd0c8ee
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/metrics/SystemUsageMetrics.java
@@ -0,0 +1,71 @@
+package org.cryptomator.hub.metrics;
+
+import io.micrometer.core.instrument.Gauge;
+import io.micrometer.core.instrument.MeterRegistry;
+import io.quarkus.scheduler.Scheduled;
+import jakarta.annotation.PostConstruct;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+import jakarta.transaction.Transactional;
+import org.cryptomator.hub.entities.Device;
+import org.cryptomator.hub.entities.EffectiveVaultAccess;
+import org.cryptomator.hub.entities.Vault;
+
+import java.util.EnumMap;
+import java.util.Map;
+import java.util.concurrent.atomic.AtomicLong;
+
+@ApplicationScoped
+public class SystemUsageMetrics {
+
+	private static final String VAULTS_TOTAL_METRIC = "hub_vaults_total";
+	private static final String ACTIVE_USERS_TOTAL_METRIC = "hub_active_users_total";
+	private static final String DEVICES_TOTAL_METRIC = "hub_devices_total";
+
+	@Inject
+	MeterRegistry meterRegistry;
+
+	@Inject
+	Vault.Repository vaultRepo;
+
+	@Inject
+	EffectiveVaultAccess.Repository effectiveVaultAccessRepo;
+
+	@Inject
+	Device.Repository deviceRepo;
+
+	private final AtomicLong vaultsTotal = new AtomicLong(0);
+	private final AtomicLong activeUsersTotal = new AtomicLong(0);
+	private final Map<Device.Type, AtomicLong> devicesPerType = new EnumMap<>(Device.Type.class);
+
+	@PostConstruct
+	void registerMetrics() {
+		Gauge.builder(VAULTS_TOTAL_METRIC, vaultsTotal, AtomicLong::get)
+				.description("Number of vaults")
+				.register(meterRegistry);
+
+		Gauge.builder(ACTIVE_USERS_TOTAL_METRIC, activeUsersTotal, AtomicLong::get)
+				.description("Number of unique users with access to any non-archived vault")
+				.register(meterRegistry);
+
+		for (var deviceType : Device.Type.values()) {
+			var value = new AtomicLong(0);
+			devicesPerType.put(deviceType, value);
+			Gauge.builder(DEVICES_TOTAL_METRIC, value, AtomicLong::get)
+					.description("Number of devices grouped by type")
+					.tag("type", deviceType.name())
+					.register(meterRegistry);
+		}
+	}
+
+	@Scheduled(every = "24h", delayed = "10s")
+	@Transactional
+	void collect() {
+		vaultsTotal.set(vaultRepo.count());
+		activeUsersTotal.set(effectiveVaultAccessRepo.countSeatOccupyingUsers());
+		for (var deviceType : Device.Type.values()) {
+			var count = deviceRepo.count("type", deviceType);
+			devicesPerType.get(deviceType).set(count);
+		}
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/metrics/VaultUnlockMetrics.java b/backend/src/main/java/org/cryptomator/hub/metrics/VaultUnlockMetrics.java
new file mode 100644
index 000000000..206016972
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/metrics/VaultUnlockMetrics.java
@@ -0,0 +1,54 @@
+package org.cryptomator.hub.metrics;
+
+import io.micrometer.core.instrument.Counter;
+import io.micrometer.core.instrument.Gauge;
+import io.micrometer.core.instrument.MeterRegistry;
+import jakarta.annotation.PostConstruct;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+
+import java.util.concurrent.atomic.AtomicLong;
+
+@ApplicationScoped
+public class VaultUnlockMetrics {
+
+	private static final String UNLOCKS_TOTAL_METRIC = "hub_vault_unlocks_total";
+	private static final String LAST_SUCCESS_METRIC = "hub_vault_unlock_last_success_epoch_seconds";
+	private static final String LAST_FAILURE_METRIC = "hub_vault_unlock_last_failure_epoch_seconds";
+
+	@Inject
+	MeterRegistry meterRegistry;
+
+	private final AtomicLong lastSuccessEpochSeconds = new AtomicLong(0);
+	private final AtomicLong lastFailureEpochSeconds = new AtomicLong(0);
+	private Counter unlockCounter;
+
+	@PostConstruct
+	void registerGauges() {
+		unlockCounter = Counter.builder(UNLOCKS_TOTAL_METRIC)
+				.description("Total number of vault unlock attempts")
+				.register(meterRegistry);
+		Gauge.builder(LAST_SUCCESS_METRIC, lastSuccessEpochSeconds, AtomicLong::get)
+				.description("Epoch timestamp in seconds of the last successful vault unlock")
+				.register(meterRegistry);
+		Gauge.builder(LAST_FAILURE_METRIC, lastFailureEpochSeconds, AtomicLong::get)
+				.description("Epoch timestamp in seconds of the last failed vault unlock")
+				.register(meterRegistry);
+	}
+
+	public void recordUnlock() {
+		unlockCounter.increment();
+	}
+
+	public void recordSuccess() {
+		lastSuccessEpochSeconds.set(currentEpochSeconds());
+	}
+
+	public void recordFailure() {
+		lastFailureEpochSeconds.set(currentEpochSeconds());
+	}
+
+	private long currentEpochSeconds() {
+		return System.currentTimeMillis() / 1000;
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/util/RawJson.java b/backend/src/main/java/org/cryptomator/hub/util/RawJson.java
new file mode 100644
index 000000000..1976cfbe7
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/util/RawJson.java
@@ -0,0 +1,59 @@
+package org.cryptomator.hub.util;
+
+import com.fasterxml.jackson.annotation.JacksonAnnotationsInside;
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JsonDeserializer;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.JsonSerializer;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+
+import java.io.IOException;
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * During serialization, this annotation will convert a JSON string into a JSON object.
+ * During deserialization, it will convert a JSON object back into a JSON string.
+ * <p>
+ * This is useful for fields that need to store raw JSON data as a string in the database,
+ *
+ * @see com.fasterxml.jackson.annotation.JsonRawValue @JsonRawValue has similar functionality, but does not support deserialization.
+ */
+@JacksonAnnotationsInside
+@Target({ElementType.FIELD, ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+@JsonSerialize(using = RawJson.Serializer.class)
+@JsonDeserialize(using = RawJson.Deserializer.class)
+public @interface RawJson {
+
+	class Serializer extends JsonSerializer<String> {
+		private static final ObjectMapper mapper = new ObjectMapper();
+
+		@Override
+		public void serialize(String value, JsonGenerator gen, SerializerProvider serializers) throws IOException {
+			if (value == null) {
+				gen.writeNull();
+			} else {
+				JsonNode node = mapper.readTree(value);
+				gen.writeObject(node);
+			}
+		}
+	}
+
+	class Deserializer extends JsonDeserializer<String> {
+		@Override
+		public String deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
+			JsonNode node = p.readValueAsTree();
+			return node.toString();
+		}
+	}
+}
diff --git a/backend/src/main/resources/application.properties b/backend/src/main/resources/application.properties
index fe58990b2..096bce7c4 100644
--- a/backend/src/main/resources/application.properties
+++ b/backend/src/main/resources/application.properties
@@ -16,27 +16,59 @@ hub.keycloak.local-url=http://localhost:8180
 hub.keycloak.realm=cryptomator
 
 hub.managed-instance=false
+hub.billing-url=https://cryptomator.org/hub/billing
+%dev.hub.billing-url=https://staging.cryptomator.org/hub/billing
 
 quarkus.rest.path=/api
 %test.quarkus.rest.path=/
 
 quarkus.http.port=8080
+quarkus.http.access-log.enabled=true
+%dev.quarkus.log.level=DEBUG
 
 quarkus.oidc.application-type=service
 quarkus.oidc.client-id=cryptomatorhub
 hub.keycloak.oidc.cryptomator-client-id=cryptomator
-
+hub.keycloak.oidc.cryptomator-vaults-client-id=cryptomatorvaults
+hub.keycloak.oidc.cryptomator-vaults-client-secret=top-secret
+quarkus.rest-client.keycloak.url=${quarkus.oidc.auth-server-url}
+
+# License Stuff
+quarkus.rest-client.license-api.url=https://api.cryptomator.org/licenses
+%dev.quarkus.rest-client.license-api.url=https://api.staging.cryptomator.org/licenses
+%test.quarkus.rest-client.license-api.url=https://api.staging.cryptomator.org/licenses
+hub.license.chain.required-cn=License Intermediate CA (Prod)
+%dev.hub.license.chain.required-cn=License Intermediate CA (Staging)
+%test.hub.license.chain.required-cn=License Intermediate CA (Staging)
+# Alternatively, when using api locally (docker compose up --build):
+#%dev.quarkus.rest-client.license-api.url=http://localhost:3300/licenses
+#%test.quarkus.rest-client.license-api.url=http://localhost:3300/licenses
 # Keycloak dev service
+#quarkus.devservices.timeout=2m
 %dev.quarkus.keycloak.devservices.realm-path=cryptomator-realm.json
 # TODO: realm-path needs to be in class path, i.e. under src/main/resources -> we might not want to include it in production jar though, so make use of maven profiles and specify optional resources https://github.com/quarkusio/quarkus-quickstarts/blob/f3f4939df30bcff062be126faaaeb58cb7c79fb6/security-keycloak-authorization-quickstart/pom.xml#L68-L75
 %dev.quarkus.keycloak.devservices.realm-name=cryptomator
-%dev.quarkus.keycloak.devservices.start-command=start-dev
 %dev.quarkus.keycloak.devservices.port=8180
 %dev.quarkus.keycloak.devservices.service-name=quarkus-cryptomator-hub
-%dev.quarkus.keycloak.devservices.image-name=ghcr.io/cryptomator/keycloak:26.4.5
+%dev.quarkus.keycloak.devservices.image-name=ghcr.io/shift7-ch/keycloak:26.5.6
 %dev.quarkus.oidc.devui.grant.type=code
-# OIDC will be mocked during unit tests. Use fake auth url to prevent dev services to start:
+# OIDC will be mocked during unit tests or setup with (custom) TestResourceLifecycleManager. Use fake auth url to prevent dev services to start by default:
 %test.quarkus.oidc.auth-server-url=http://localhost:43210/dev/null
+# use trust store from dasniko Keycloak testcontainers for OIDC discovery in REST services during tests.
+# copied from https://github.com/dasniko/testcontainers-keycloa
+# k/tree/main/src/main/resources
+# https://quarkus.io/guides/security-oidc-configuration-properties-reference
+# https://quarkus.io/guides/security-oidc-bearer-token-authentication#jwt-token-certificate-chain
+%test.quarkus.oidc.tls.tls-configuration-name=oidc-client-tls
+%test.quarkus.tls.oidc-client-tls.trust-store.jks.path=/dasniko.jks
+%test.quarkus.tls.oidc-client-tls.trust-store.jks.password=changeit
+# disable TLS verification for "keycloak" rest client (used in /storage/s3-token) during tests as configuring SSLContext not possible: https://quarkus.io/guides/rest-client#known-limitations
+# https://quarkus.io/guides/rest-client#trusting-all-certificates-and-disabling-ssl-hostname-verification
+%test.quarkus.tls.tls-disabled.trust-all=true
+%test.quarkus.tls.tls-disabled.hostname-verification-algorithm=NONE
+%test.quarkus.rest-client.keycloak.tls-configuration-name=tls-disabled
+# disable all TLS verification for all rest clients when using keycloak-testcontainers' keycloakAadminClient:
+%test.quarkus.tls.trust-all=true
 
 %dev.hub.keycloak.system-client-id=cryptomatorhub-system
 %dev.hub.keycloak.system-client-secret=top-secret
@@ -44,13 +76,20 @@ hub.keycloak.oidc.cryptomator-client-id=cryptomator
 %test.hub.keycloak.system-client-secret=top-secret
 %dev.hub.keycloak.syncer-period=1m
 %test.hub.keycloak.syncer-period=off
+# S3 Dev Service
+quarkus.s3.devservices.enabled=false
+quarkus.iam.devservices.enabled=false
 
 # Expose OpenAPI and SwaggerUI
-quarkus.swagger-ui.enable=false
-%dev.quarkus.swagger-ui.enable=true
+# https://quarkus.io/guides/openapi-swaggerui: This is a build time property, it cannot be changed at runtime after your application is built.
+quarkus.swagger-ui.always-include=true
+quarkus.swagger-ui.enabled=false
+%dev.quarkus.swagger-ui.enabled=true
 %dev.quarkus.swagger-ui.title=Hub API
 %dev.quarkus.swagger-ui.oauth-use-pkce-with-authorization-code-grant=true
-
+# Metrics endpoint
+quarkus.micrometer.export.prometheus.enabled=false
+%dev.quarkus.micrometer.export.prometheus.enabled=true
 # Database
 quarkus.datasource.db-kind=postgresql
 quarkus.datasource.jdbc.driver=org.postgresql.Driver
@@ -60,35 +99,36 @@ quarkus.hibernate-orm.database.globally-quoted-identifiers=true
 quarkus.flyway.migrate-at-start=true
 quarkus.flyway.locations=classpath:org/cryptomator/hub/flyway
 %dev.quarkus.flyway.ignore-missing-migrations=true
+%dev.quarkus.flyway.validate-migration-naming=true
+# https://quarkus.io/guides/databases-dev-services
+# https://stackoverflow.com/questions/44654216/correct-way-to-install-psql-without-full-postgres-on-macos
+#  psql -h localhost -p 54082 -U quarkus -d quarkus
 
 # log Hibernate SQL statements including values, for dev-purpose only
 %dev.quarkus.log.min-level=TRACE
 %dev.quarkus.hibernate-orm.log.sql=true
 %dev.quarkus.hibernate-orm.log.bind-parameters=true
-
 # Allow cross-origin requests in DEV profile
 %dev.quarkus.http.cors=true
 %dev.quarkus.http.cors.origins=http://localhost:3000,http//localhost:8080
-
 %test.quarkus.application.version=TEST_VERSION_3000
-
 # HTTP Security Headers see e.g. https://owasp.org/www-project-secure-headers/#div-bestpractices
 quarkus.http.header."Content-Security-Policy".value=default-src 'self'; connect-src 'self' api.cryptomator.org; object-src 'none'; child-src 'self'; img-src * data:; frame-ancestors 'none'
-%dev.quarkus.http.header."Content-Security-Policy".value=default-src 'self'; connect-src 'self' api.cryptomator.org localhost:8180; object-src 'none'; child-src 'self'; img-src * data:; frame-ancestors 'none'
+#%dev.quarkus.http.header."Content-Security-Policy".value=default-src 'self'; connect-src 'self' api.cryptomator.org api.katta.cloud localhost:8180; object-src 'none'; child-src 'self'; img-src * data:; frame-ancestors 'none'
 # dev-ui needs very permissive CSP:
-# %dev.quarkus.http.header."Content-Security-Policy".value=default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data:; connect-src 'self' api.cryptomator.org localhost:8180;
+%dev.quarkus.http.header."Content-Security-Policy".value=default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data:; connect-src 'self' api.cryptomator.org api.katta.cloud localhost:8180 *.amazonaws.com; object-src 'none'; child-src 'self'; img-src * data:; frame-ancestors 'none'
 quarkus.http.header."Referrer-Policy".value=no-referrer
 quarkus.http.header."Strict-Transport-Security".value=max-age=31536000; includeSubDomains
 quarkus.http.header."X-Content-Type-Options".value=nosniff
 quarkus.http.header."X-Frame-Options".value=deny
+# dev-ui needs very permissive xfo:
+#%dev.quarkus.http.header."X-Frame-Options".value=sameorigin
 quarkus.http.header."X-Permitted-Cross-Domain-Policies".value=none
 quarkus.http.header."Cross-Origin-Embedder-Policy".value=credentialless
 quarkus.http.header."Cross-Origin-Opener-Policy".value=same-origin
 quarkus.http.header."Cross-Origin-Resource-Policy".value=same-origin
 quarkus.http.header."Content-Type".value=text/html
-
 %test.quarkus.http.proxy.proxy-address-forwarding=true
-
 # Cache
 # /app, /index.html and / for 1min in case hub gets updated
 # /api never because the backend content can change at any time
@@ -97,27 +137,23 @@ quarkus.http.header."Content-Type".value=text/html
 quarkus.http.filter.app.header."Cache-Control"=private, max-age=60
 quarkus.http.filter.app.methods=GET,HEAD
 quarkus.http.filter.app.matches=/app/.*|/index.html|/
-
 quarkus.http.filter.api.header."Cache-Control"=no-cache, no-store, must-revalidate
 quarkus.http.filter.api.methods=GET,HEAD
 quarkus.http.filter.api.matches=/api/.*
-
 quarkus.http.filter.assets.header."Cache-Control"=max-age=31536000, immutable
 quarkus.http.filter.assets.methods=GET,HEAD
 quarkus.http.filter.assets.matches=/assets/.*
-
 quarkus.http.filter.static.header."Cache-Control"=public, max-age=86400
 quarkus.http.filter.static.methods=GET,HEAD
 quarkus.http.filter.static.matches=/(favicon.ico|logo.svg)
-
 # Container Image Adjustments
 quarkus.container-image.registry=ghcr.io
-quarkus.container-image.group=cryptomator
-quarkus.container-image.name=hub
+quarkus.container-image.group=shift7-ch
+quarkus.container-image.name=katta-server
 quarkus.container-image.tag=latest
-quarkus.container-image.labels."org.opencontainers.image.title"=Cryptomator Hub
+quarkus.container-image.labels."org.opencontainers.image.title"=Katta Server
 quarkus.container-image.labels."org.opencontainers.image.description"=Centralized Zero-Knowledge Key Management for using Cryptomator in Teams and Organizations
-quarkus.container-image.labels."org.opencontainers.image.vendor"=Skymatic GmbH
-quarkus.container-image.labels."org.opencontainers.image.url"=https://cryptomator.org/hub
-quarkus.container-image.labels."org.opencontainers.image.source"=https://github.com/cryptomator/hub
+quarkus.container-image.labels."org.opencontainers.image.vendor"=Shift7 GmbH
+quarkus.container-image.labels."org.opencontainers.image.url"=https://github.com/shift7-ch/katta-server
+quarkus.container-image.labels."org.opencontainers.image.source"=https://github.com/shift7-ch/katta-server
 quarkus.container-image.labels."org.opencontainers.image.licenses"=AGPL-3.0-or-later
diff --git a/backend/src/main/resources/cryptomator-realm.json b/backend/src/main/resources/cryptomator-realm.json
index 57bfd2a1c..2194d821a 100644
--- a/backend/src/main/resources/cryptomator-realm.json
+++ b/backend/src/main/resources/cryptomator-realm.json
@@ -1,8 +1,8 @@
 {
   "id": "cryptomator",
   "realm": "cryptomator",
-  "displayName": "Cryptomator Hub",
-  "loginTheme": "cryptomator",
+  "displayName": "Katta",
+  "loginTheme": "katta",
   "enabled": true,
   "sslRequired": "external",
   "defaultRole": {
@@ -41,13 +41,14 @@
   },
   "users": [
     {
+      "id": "admin",
       "username": "admin",
       "firstName": "admin",
       "lastName": "admin",
       "email": "admin@localhost",
       "enabled": true,
       "attributes": {
-        "picture": "https://cryptomator.org/img/logo.svg"
+        "picture": "/logo.png"
       },
       "credentials": [
         {
@@ -60,6 +61,7 @@
       ]
     },
     {
+      "id": "alice",
       "username": "alice",
       "firstName": "alice",
       "lastName": "alice",
@@ -77,6 +79,7 @@
       ]
     },
     {
+      "id": "bob",
       "username": "bob",
       "firstName": "bob",
       "lastName": "bob",
@@ -94,6 +97,7 @@
       ]
     },
     {
+      "id": "carol",
       "username": "carol",
       "firstName": "carol",
       "lastName": "carol",
@@ -113,6 +117,7 @@
       ]
     },
     {
+      "id": "dave",
       "username": "dave",
       "firstName": "dave",
       "lastName": "dave",
@@ -132,6 +137,7 @@
       ]
     },
     {
+      "id": "erin",
       "username": "erin",
       "firstName": "erin",
       "lastName": "erin",
@@ -151,12 +157,13 @@
       ]
     },
     {
+      "id": "system",
       "username": "system",
       "email": "system@localhost",
       "enabled": true,
       "serviceAccountClientId": "cryptomatorhub-system",
       "attributes": {
-        "picture": "data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGZpbGw9IiMwMDAiIHZpZXdCb3g9IjAgMCAxMDAgMTAwIj4KCTxtYXNrIGlkPSJjbGlwIj4KCQk8Y2lyY2xlIGZpbGw9IiNGRkYiIHI9IjUwIiBjeD0iNTAiIGN5PSI1MCIvPgoJCTxnIGZpbGw9IiMwMDAiPgoJCTxjaXJjbGUgcj0iMjUiIGN4PSI1MCIgY3k9IjUwIiAvPgoJCTxjaXJjbGUgcj0iMTIiIGN4PSIwIiBjeT0iNTAiIC8+CgkJPGNpcmNsZSByPSIxMiIgY3g9IjUwIiBjeT0iMCIgLz4KCQk8Y2lyY2xlIHI9IjEyIiBjeD0iODUiIGN5PSIxNSIgLz4KCQk8Y2lyY2xlIHI9IjEyIiBjeD0iMTAwIiBjeT0iNTAiIC8+CgkJPGNpcmNsZSByPSIxMiIgY3g9Ijg1IiBjeT0iODUiIC8+CgkJPGNpcmNsZSByPSIxMiIgY3g9IjUwIiBjeT0iMTAwIiAvPgoJCTxjaXJjbGUgcj0iMTIiIGN4PSIxNSIgY3k9Ijg1IiAvPgoJCTxjaXJjbGUgcj0iMTIiIGN4PSIwIiBjeT0iNTAiIC8+CgkJPGNpcmNsZSByPSIxMiIgY3g9IjE1IiBjeT0iMTUiIC8+CgkJPC9nPgoJPC9tYXNrPgoJPGNpcmNsZSByPSI1MCIgY3g9IjUwIiBjeT0iNTAiIG1hc2s9InVybCgjY2xpcCkiIC8+Cjwvc3ZnPg=="
+        "picture": "/logo.png"
       },
       "clientRoles": {
         "realm-management": [
@@ -166,6 +173,7 @@
       }
     },
     {
+      "id": "cli",
       "username": "cli",
       "email": "cli@localhost",
       "enabled": true,
@@ -190,7 +198,11 @@
       "name": "groupies",
       "path": "/groupies",
       "subGroups": [],
-      "attributes": {},
+      "attributes": {
+        "picture": [
+          "https://cryptomator.org/img/logo.svg"
+        ]
+      },
       "realmRoles": [],
       "clientRoles": {}
     }
@@ -226,30 +238,44 @@
       },
       "protocolMappers": [
         {
-          "name": "realm roles",
+          "name": "aud",
           "protocol": "openid-connect",
-          "protocolMapper": "oidc-usermodel-realm-role-mapper",
+          "protocolMapper": "oidc-audience-mapper",
           "consentRequired": false,
           "config": {
+            "included.client.audience": "cryptomator",
+            "id.token.claim": "false",
             "access.token.claim": "true",
-            "claim.name": "realm_access.roles",
-            "jsonType.label": "String",
+            "userinfo.token.claim": "false",
             "multivalued": "true"
           }
         },
         {
-          "name": "client roles",
+          "name": "realm roles",
           "protocol": "openid-connect",
-          "protocolMapper": "oidc-usermodel-client-role-mapper",
+          "protocolMapper": "oidc-usermodel-realm-role-mapper",
           "consentRequired": false,
           "config": {
             "access.token.claim": "true",
-            "claim.name": "resource_access.${client_id}.roles",
+            "claim.name": "realm_access.roles",
             "jsonType.label": "String",
-            "multivalued": "true",
-            "usermodel.clientRoleMapping.clientId": "cryptomatorhub"
+            "multivalued": "true"
           }
         }
+      ],
+      "defaultClientScopes": [
+        "web-origins",
+        "phone",
+        "profile",
+        "basic",
+        "email"
+      ],
+      "optionalClientScopes": [
+        "acr",
+        "address",
+        "roles",
+        "offline_access",
+        "microprofile-jwt"
       ]
     },
     {
@@ -269,7 +295,100 @@
       "protocol": "openid-connect",
       "attributes": {
         "pkce.code.challenge.method": "S256"
-      }
+      },
+      "protocolMappers": [
+        {
+          "name": "aud",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-audience-mapper",
+          "consentRequired": false,
+          "config": {
+            "included.client.audience": "cryptomator",
+            "id.token.claim": "false",
+            "access.token.claim": "true",
+            "userinfo.token.claim": "false",
+            "multivalued": "true"
+          }
+        },
+        {
+          "name": "aud-cryptomatorvaults",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-audience-mapper",
+          "consentRequired": false,
+          "config": {
+            "included.client.audience": "cryptomatorvaults",
+            "id.token.claim": "false",
+            "access.token.claim": "true",
+            "userinfo.token.claim": "false",
+            "multivalued": "true"
+          }
+        },
+        {
+          "name": "realm roles",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-realm-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "access.token.claim": "true",
+            "claim.name": "realm_access.roles",
+            "jsonType.label": "String",
+            "multivalued": "true"
+          }
+        }
+      ],
+      "defaultClientScopes": [
+        "basic",
+        "web-origins",
+        "phone",
+        "profile",
+        "email"
+      ],
+      "optionalClientScopes": [
+        "acr",
+        "address",
+        "offline_access",
+        "microprofile-jwt",
+        "roles"
+      ]
+    },
+    {
+      "clientId": "cryptomatorvaults",
+      "name": "Cryptomator S3 Access",
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "enabled": true,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "top-secret",
+      "bearerOnly": false,
+      "frontchannelLogout": false,
+      "standardFlowEnabled": false,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "protocol": "openid-connect",
+      "attributes": {
+        "standard.token.exchange.enabled": "true"
+      },
+      "protocolMappers": [
+        {
+          "name": "aud",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-audience-mapper",
+          "consentRequired": false,
+          "config": {
+            "included.client.audience": "cryptomatorvaults",
+            "id.token.claim": "false",
+            "access.token.claim": "true",
+            "userinfo.token.claim": "false",
+            "multivalued": "true"
+          }
+        }
+      ],
+      "defaultClientScopes": [
+        "basic"
+      ],
+      "optionalClientScopes": [
+        "address"
+      ]
     },
     {
       "clientId": "cryptomatorhub-system",
@@ -294,5 +413,18 @@
   ],
   "browserSecurityHeaders": {
     "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self' http://localhost:*; object-src 'none';"
+  },
+  "components": {
+    "org.keycloak.userprofile.UserProfileProvider": [
+      {
+        "providerId": "declarative-user-profile",
+        "subComponents": {},
+        "config": {
+          "kc.user.profile.config": [
+            "{\"attributes\":[{\"name\":\"username\",\"displayName\":\"${username}\",\"validations\":{\"length\":{\"min\":3,\"max\":255},\"username-prohibited-characters\":{},\"up-username-not-idn-homograph\":{}},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"email\",\"displayName\":\"${email}\",\"validations\":{\"email\":{},\"length\":{\"max\":255}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"firstName\",\"displayName\":\"${firstName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"lastName\",\"displayName\":\"${lastName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"required\":{\"roles\":[\"user\"]},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"picture\",\"displayName\":\"\",\"validations\":{},\"annotations\":{},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false}],\"groups\":[{\"name\":\"user-metadata\",\"displayHeader\":\"User metadata\",\"displayDescription\":\"Attributes, which refer to user metadata\"}]}"
+          ]
+        }
+      }
+    ]
   }
 }
diff --git a/backend/src/main/resources/dasniko.jks b/backend/src/main/resources/dasniko.jks
new file mode 100644
index 000000000..2233b0315
Binary files /dev/null and b/backend/src/main/resources/dasniko.jks differ
diff --git a/backend/src/main/resources/org/cryptomator/hub/flyway/ERM.png b/backend/src/main/resources/org/cryptomator/hub/flyway/ERM.png
index cd2460e62..07694753a 100644
Binary files a/backend/src/main/resources/org/cryptomator/hub/flyway/ERM.png and b/backend/src/main/resources/org/cryptomator/hub/flyway/ERM.png differ
diff --git a/backend/src/main/resources/org/cryptomator/hub/flyway/V19.1__StorageProfile.sql b/backend/src/main/resources/org/cryptomator/hub/flyway/V19.1__StorageProfile.sql
new file mode 100644
index 000000000..6df0a658a
--- /dev/null
+++ b/backend/src/main/resources/org/cryptomator/hub/flyway/V19.1__StorageProfile.sql
@@ -0,0 +1,73 @@
+CREATE TABLE "storage_profile_s3_static"
+(
+	"id"                UUID NOT NULL,
+   "name"              VARCHAR,
+
+	-- (1) bucket creation, template upload and client profile
+    "scheme"            VARCHAR,
+    "hostname"          VARCHAR,
+    "port"              INT4,
+    "withPathStyleAccessEnabled"
+                        bool NOT NULL,
+    "storageClass" VARCHAR NOT NULL,
+
+  -- (2) bucket creation only (only relevant for Desktop client)
+    "region"            VARCHAR,
+    "regions"           text[],
+    "bucketPrefix"      VARCHAR NOT NULL,
+    "stsRoleCreateBucketClient"  VARCHAR NOT NULL,
+    "stsRoleCreateBucketHub"     VARCHAR NOT NULL,
+    "stsEndpoint"       VARCHAR,
+    "bucketVersioning"  bool NOT NULL,
+    "bucketAcceleration" bool,
+    "bucketEncryption" VARCHAR NOT NULL,
+
+  -- (3) client profile
+  -- (3a) client profile attributes
+    "protocol"           VARCHAR NOT NULL,
+    "archived"           bool NOT NULL,
+
+
+	CONSTRAINT "STORAGE_PROFILE_S3_PK" PRIMARY KEY ("id"),
+	CONSTRAINT "STORAGE_PROFILE_S3_CHK_STORAGE_CLASS" CHECK ("storageClass" = 'STANDARD' OR "storageClass" = 'INTELLIGENT_TIERING' OR "storageClass" = 'STANDARD_IA' OR "storageClass" = 'ONEZONE_IA' OR "storageClass" = 'GLACIER' OR "storageClass" = 'GLACIER_IR' OR "storageClass" = 'DEEP_ARCHIVE'),
+	CONSTRAINT "STORAGE_PROFILE_S3_CHK_BUCKET_ENCRYPTION" CHECK ("bucketEncryption" = 'NONE' OR "bucketEncryption" = 'SSE_AES256' OR "bucketEncryption" = 'SSE_KMS_DEFAULT')
+);
+
+CREATE TABLE "storage_profile_s3_sts"
+(
+    "id"                UUID NOT NULL,
+    "name"              VARCHAR,
+
+  -- (1) bucket creation, template upload and client profile
+    "scheme"            VARCHAR,
+    "hostname"          VARCHAR,
+    "port"              INT4,
+    "withPathStyleAccessEnabled"
+                        bool NOT NULL,
+    "storageClass" VARCHAR NOT NULL,
+
+  -- (2) bucket creation only (only relevant for Desktop client)
+    "region"            VARCHAR,
+    "regions"           text[],
+    "bucketPrefix"      VARCHAR NOT NULL,
+    "stsRoleCreateBucketClient"  VARCHAR NOT NULL,
+    "stsRoleCreateBucketHub"     VARCHAR NOT NULL,
+    "stsEndpoint"       VARCHAR,
+    "bucketVersioning"  bool NOT NULL,
+    "bucketAcceleration" bool,
+    "bucketEncryption" VARCHAR NOT NULL,
+
+  -- (3) client profile
+  -- (3a) client profile attributes
+    "protocol"           VARCHAR NOT NULL,
+    "archived"           bool NOT NULL,
+  -- (3b) client profile custom properties
+    "stsRoleAccessBucketAssumeRoleWithWebIdentity"  VARCHAR NOT NULL,
+    "stsRoleAccessBucketAssumeRoleTaggedSession"    VARCHAR,
+    "stsDurationSeconds" INT4,
+    "stsSessionTag"      VARCHAR,
+
+  CONSTRAINT "STORAGE_PROFILE_S3_STS_PK" PRIMARY KEY ("id"),
+  CONSTRAINT "STORAGE_PROFILE_S3_STS_CHK_STORAGE_CLASS" CHECK ("storageClass" = 'STANDARD' OR "storageClass" = 'INTELLIGENT_TIERING' OR "storageClass" = 'STANDARD_IA' OR "storageClass" = 'ONEZONE_IA' OR "storageClass" = 'GLACIER' OR "storageClass" = 'GLACIER_IR' OR "storageClass" = 'DEEP_ARCHIVE'),
+  CONSTRAINT "STORAGE_PROFILE_S3_STS_CHK_BUCKET_ENCRYPTION" CHECK ("bucketEncryption" = 'NONE' OR "bucketEncryption" = 'SSE_AES256' OR "bucketEncryption" = 'SSE_KMS_DEFAULT')
+);
\ No newline at end of file
diff --git a/backend/src/main/resources/org/cryptomator/hub/flyway/V21__Move_Picture_URL_to_Authority.sql b/backend/src/main/resources/org/cryptomator/hub/flyway/V21__Move_Picture_URL_to_Authority.sql
new file mode 100644
index 000000000..29ad2250c
--- /dev/null
+++ b/backend/src/main/resources/org/cryptomator/hub/flyway/V21__Move_Picture_URL_to_Authority.sql
@@ -0,0 +1,3 @@
+-- noinspection SqlNoDataSourceInspectionForFile
+ALTER TABLE "user_details" DROP COLUMN "picture_url";
+ALTER TABLE "authority" ADD "picture_url" VARCHAR;
\ No newline at end of file
diff --git a/backend/src/main/resources/org/cryptomator/hub/flyway/V22__Optimize_Group_Membership.sql b/backend/src/main/resources/org/cryptomator/hub/flyway/V22__Optimize_Group_Membership.sql
new file mode 100644
index 000000000..c6b768828
--- /dev/null
+++ b/backend/src/main/resources/org/cryptomator/hub/flyway/V22__Optimize_Group_Membership.sql
@@ -0,0 +1,47 @@
+-- noinspection SqlNoDataSourceInspectionForFile
+
+-- top down lookups ("get members of a group") is already efficient due to PK
+-- bottom up lookups ("get groups of a member") need an additional index:
+CREATE INDEX GROUP_MEMBERSHIP_IDX_MEMBER ON "group_membership" ("member_id");
+
+-- temporarily drop views
+DROP VIEW "effective_vault_access";
+DROP VIEW "effective_group_membership";
+
+-- replace effective_group_membership with a table to optimize lookups
+CREATE TABLE "effective_group_membership" (
+    "group_id" VARCHAR(255) NOT NULL,
+    "intermediate_group_ids" VARCHAR[] NOT NULL,
+    "member_id" VARCHAR(255) NOT NULL,
+    PRIMARY KEY ("group_id", "member_id"),
+	CONSTRAINT "EFFECTIVE_GROUP_MEMBERSHIP_FK_GROUP" FOREIGN KEY ("group_id") REFERENCES "authority" ("id") ON DELETE CASCADE,
+	CONSTRAINT "EFFECTIVE_GROUP_MEMBERSHIP_FK_MEMBER" FOREIGN KEY ("member_id") REFERENCES "authority" ("id") ON DELETE CASCADE,
+	CONSTRAINT "EFFECTIVE_GROUP_MEMBERSHIP_CHK_NOTSAME" CHECK ("group_id" <> "member_id")
+);
+
+-- top down lookups ("get members of a group") is already efficient due to PK
+-- bottom up lookups ("get groups of a member") need an additional index:
+CREATE INDEX EFFECTIVE_GROUP_MEMBERSHIP_IDX_MEMBER ON "effective_group_membership" ("member_id");
+
+-- index to speed up queries filtering by intermediate groups
+CREATE INDEX EFFECTIVE_GROUP_MEMBERSHIP_IDX_INTERMEDIATE on "effective_group_membership" USING GIN("intermediate_group_ids");
+
+-- @formatter:off
+INSERT INTO "effective_group_membership" ("group_id", "intermediate_group_ids", "member_id")
+WITH RECURSIVE "members" ("root","intermediate_group_ids","member_id", "depth") AS (
+    SELECT "group_id", ARRAY["group_id"]::varchar[], "member_id", 0
+        FROM "group_membership"
+    UNION
+    SELECT "parent"."root", array_append("parent"."intermediate_group_ids", "child"."group_id"), "child"."member_id", "parent"."depth" + 1
+        FROM "group_membership" "child"
+        INNER JOIN "members" "parent" ON "child"."group_id" = "parent"."member_id"
+        WHERE "parent"."depth" < 10
+) SELECT "root", "intermediate_group_ids", "member_id" FROM "members"
+ON CONFLICT DO NOTHING;
+
+CREATE VIEW "effective_vault_access" ("vault_id", "authority_id", "role") AS
+	SELECT "va"."vault_id", "va"."authority_id", "va"."role" FROM "vault_access" "va"
+	UNION
+	SELECT "va"."vault_id", "gm"."member_id", "va"."role" FROM "vault_access" "va"
+		INNER JOIN "effective_group_membership" "gm" ON "va"."authority_id" = "gm"."group_id";
+-- @formatter:on
\ No newline at end of file
diff --git a/backend/src/main/resources/org/cryptomator/hub/flyway/V23__User_Firstname_Lastname.sql b/backend/src/main/resources/org/cryptomator/hub/flyway/V23__User_Firstname_Lastname.sql
new file mode 100644
index 000000000..420d005bf
--- /dev/null
+++ b/backend/src/main/resources/org/cryptomator/hub/flyway/V23__User_Firstname_Lastname.sql
@@ -0,0 +1,4 @@
+ALTER TABLE "user_details"
+ADD COLUMN "firstname" VARCHAR,
+ADD COLUMN "lastname" VARCHAR,
+ADD COLUMN "realm_roles" VARCHAR[] NOT NULL DEFAULT ARRAY['user'];
\ No newline at end of file
diff --git a/backend/src/main/resources/org/cryptomator/hub/flyway/V24__Emergency_Access.sql b/backend/src/main/resources/org/cryptomator/hub/flyway/V24__Emergency_Access.sql
new file mode 100644
index 000000000..577c6fa26
--- /dev/null
+++ b/backend/src/main/resources/org/cryptomator/hub/flyway/V24__Emergency_Access.sql
@@ -0,0 +1,123 @@
+ALTER TABLE "settings" ADD "default_required_emergency_key_shares" INTEGER NOT NULL DEFAULT 2;
+ALTER TABLE "settings" ADD "default_min_members" INTEGER NOT NULL DEFAULT 3;
+ALTER TABLE "settings" ADD "allow_choosing_emergency_council" BOOLEAN NOT NULL DEFAULT FALSE;
+ALTER TABLE "settings" ADD "enable_emergency_access" BOOLEAN NOT NULL DEFAULT FALSE;
+
+ALTER TABLE "vault" ADD "required_emergency_key_shares" INTEGER NOT NULL DEFAULT 0;
+
+CREATE TABLE "default_emergency_council"
+(
+	"settings_id" INT4 DEFAULT 0 NOT NULL,
+	"member_id" VARCHAR(255) COLLATE "C" NOT NULL,
+	CONSTRAINT "DEFAULT_EMERGENCY_COUNCIL_PK" PRIMARY KEY ("member_id"),
+	CONSTRAINT "DEFAULT_EMERGENCY_COUNCIL_FK_SETTINGS" FOREIGN KEY ("settings_id") REFERENCES "settings" ("id") ON DELETE CASCADE,
+	CONSTRAINT "DEFAULT_EMERGENCY_COUNCIL_FK_USER" FOREIGN KEY ("member_id") REFERENCES "user_details" ("id") ON DELETE CASCADE
+);
+
+CREATE TABLE "emergency_key_shares"
+(
+	"vault_id" UUID NOT NULL,
+	"council_member_id" VARCHAR(255) COLLATE "C" NOT NULL,
+	"emergency_key_share" TEXT NOT NULL,
+	CONSTRAINT "EMERGENCY_KEYS_PK" PRIMARY KEY ("vault_id", "council_member_id"),
+	CONSTRAINT "EMERGENCY_KEYS_FK_VAULT" FOREIGN KEY ("vault_id") REFERENCES "vault" ("id") ON DELETE CASCADE,
+	CONSTRAINT "EMERGENCY_KEYS_FK_USER" FOREIGN KEY ("council_member_id") REFERENCES "user_details" ("id") ON DELETE CASCADE
+);
+
+CREATE TABLE "emergency_recovery_processes"
+(
+    "id" UUID NOT NULL,
+    "vault_id" UUID NOT NULL,
+    "type" VARCHAR(50) NOT NULL,
+    "details" TEXT,
+    "required_key_shares" INTEGER NOT NULL,
+    "process_public_key" TEXT NOT NULL,
+    CONSTRAINT "EMERGENCY_RECOVERY_PROCESSES_PK" PRIMARY KEY ("id"),
+    CONSTRAINT "EMERGENCY_RECOVERY_PROCESSES_FK_VAULT" FOREIGN KEY ("vault_id") REFERENCES "vault" ("id") ON DELETE CASCADE,
+    CONSTRAINT "EMERGENCY_RECOVERY_PROCESSES_TYPE" CHECK ("type" = 'CHANGE_PERMISSIONS' OR "type" = 'COUNCIL_CHANGE'),
+    CONSTRAINT "EMERGENCY_RECOVERY_PROCESSES_UNIQUE_VAULT_AND_TYPE" UNIQUE ("vault_id", "type")
+);
+
+CREATE TABLE "recovered_emergency_key_shares"
+(
+    "recovery_process_id" UUID NOT NULL,
+	"council_member_id" VARCHAR(255) COLLATE "C" NOT NULL,
+    "process_private_key" TEXT NOT NULL,
+    "unrecovered_key_share" TEXT NOT NULL,
+    "recovered_key_share" TEXT,
+    "signed_process_info" TEXT,
+    CONSTRAINT "RECOVERED_EMERGENCY_KEY_SHARES_PK" PRIMARY KEY ("recovery_process_id", "council_member_id"),
+    CONSTRAINT "RECOVERED_EMERGENCY_KEY_SHARES_FK_PROCESS" FOREIGN KEY ("recovery_process_id") REFERENCES "emergency_recovery_processes" ("id") ON DELETE CASCADE,
+	CONSTRAINT "RECOVERED_EMERGENCY_KEY_SHARES_FK_USER" FOREIGN KEY ("council_member_id") REFERENCES "user_details" ("id") ON DELETE CASCADE
+);
+
+-- Events
+
+CREATE TABLE "audit_event_emergaccess_settings_updated"
+(
+	"id"                     BIGINT NOT NULL,
+	"admin_id"               VARCHAR(255) COLLATE "C" NOT NULL,
+	"enable_emergency_access" 	BOOLEAN NOT NULL,
+	"council_member_ids"     TEXT NOT NULL,
+	"required_key_shares"    INTEGER NOT NULL,
+	"min_members"			 INTEGER NOT NULL,
+	"allow_choosing_council" BOOLEAN NOT NULL,
+	CONSTRAINT "AUDIT_EVENT_EMERGACCESS_SETTINGS_UPDATED_PK" PRIMARY KEY ("id"),
+	CONSTRAINT "AUDIT_EVENT_EMERGACCESS_SETTINGS_UPDATED_FK_AUDIT_EVENT" FOREIGN KEY ("id") REFERENCES "audit_event" ("id") ON DELETE CASCADE
+);
+
+CREATE TABLE "audit_event_emergaccess_setup"
+(
+	"id"           BIGINT NOT NULL,
+	"vault_id"     UUID NOT NULL,
+	"owner_id"     VARCHAR(255) COLLATE "C" NOT NULL,
+	"settings"     TEXT NOT NULL,
+	"ip_address"   VARCHAR(46) NOT NULL,
+	CONSTRAINT "AUDIT_EVENT_EMERGACCESS_SETUP_PK" PRIMARY KEY ("id"),
+	CONSTRAINT "AUDIT_EVENT_EMERGACCESS_SETUP_FK_AUDIT_EVENT" FOREIGN KEY ("id") REFERENCES "audit_event" ("id") ON DELETE CASCADE
+);
+
+CREATE TABLE "audit_event_emergaccess_recovery_started"
+(
+	"id"                BIGINT NOT NULL,
+	"vault_id"          UUID NOT NULL,
+	"process_id"        UUID NOT NULL,
+	"council_member_id" VARCHAR(255) COLLATE "C" NOT NULL,
+	"process_type"      VARCHAR(50) NOT NULL,
+	"details"           TEXT NOT NULL,
+	CONSTRAINT "AUDIT_EVENT_EMERGACCESS_RECOVERY_STARTED_PK" PRIMARY KEY ("id"),
+	CONSTRAINT "AUDIT_EVENT_EMERGACCESS_RECOVERY_STARTED_FK_AUDIT_EVENT" FOREIGN KEY ("id") REFERENCES "audit_event" ("id") ON DELETE CASCADE
+);
+
+CREATE TABLE "audit_event_emergaccess_recovery_approved"
+(
+	"id"                BIGINT NOT NULL,
+	"process_id"        UUID NOT NULL,
+	"council_member_id" VARCHAR(255) COLLATE "C" NOT NULL,
+	"ip_address"        VARCHAR(46) NOT NULL,
+	CONSTRAINT "AUDIT_EVENT_EMERGACCESS_RECOVERY_APPROVED_PK" PRIMARY KEY ("id"),
+	CONSTRAINT "AUDIT_EVENT_EMERGACCESS_RECOVERY_APPROVED_FK_AUDIT_EVENT" FOREIGN KEY ("id") REFERENCES "audit_event" ("id") ON DELETE CASCADE
+);
+
+CREATE TABLE "audit_event_emergaccess_recovery_completed"
+(
+	"id"                BIGINT NOT NULL,
+	"process_id"        UUID NOT NULL,
+	"council_member_id" VARCHAR(255) COLLATE "C" NOT NULL,
+    "ip_address"        VARCHAR(46) NOT NULL,
+	CONSTRAINT "AUDIT_EVENT_EMERGACCESS_RECOVERY_COMPLETED_PK" PRIMARY KEY ("id"),
+	CONSTRAINT "AUDIT_EVENT_EMERGACCESS_RECOVERY_COMPLETED_FK_AUDIT_EVENT" FOREIGN KEY ("id") REFERENCES "audit_event" ("id") ON DELETE CASCADE
+);
+
+CREATE TABLE "audit_event_emergaccess_recovery_aborted"
+(
+    "id"                BIGINT      NOT NULL,
+    "vault_id"          UUID        NOT NULL,
+    "process_id"        UUID        NOT NULL,
+    "council_member_id" VARCHAR(255) COLLATE "C" NOT NULL,
+    "ip_address"        VARCHAR(46) NOT NULL,
+    CONSTRAINT "AUDIT_EVENT_EMERGACCESS_RECOVERY_ABORTED_PK"
+        PRIMARY KEY ("id"),
+    CONSTRAINT "AUDIT_EVENT_EMERGACCESS_RECOVERY_ABORTED_FK_AUDIT_EVENT"
+        FOREIGN KEY ("id") REFERENCES "audit_event" ("id") ON DELETE CASCADE
+);
diff --git a/backend/src/main/resources/org/cryptomator/hub/flyway/V25__User_Enabled.sql b/backend/src/main/resources/org/cryptomator/hub/flyway/V25__User_Enabled.sql
new file mode 100644
index 000000000..2b29c09b1
--- /dev/null
+++ b/backend/src/main/resources/org/cryptomator/hub/flyway/V25__User_Enabled.sql
@@ -0,0 +1 @@
+ALTER TABLE "user_details" ADD COLUMN "enabled" BOOLEAN NOT NULL DEFAULT TRUE;
diff --git a/backend/src/main/resources/org/cryptomator/hub/flyway/V21__UVF_Support.sql b/backend/src/main/resources/org/cryptomator/hub/flyway/V26__UVF_Support.sql
similarity index 100%
rename from backend/src/main/resources/org/cryptomator/hub/flyway/V21__UVF_Support.sql
rename to backend/src/main/resources/org/cryptomator/hub/flyway/V26__UVF_Support.sql
diff --git a/backend/src/test/java/org/cryptomator/hub/RollbackTestIT.java b/backend/src/test/java/org/cryptomator/hub/RollbackTestIT.java
index e2fc8733d..aeb51dfef 100644
--- a/backend/src/test/java/org/cryptomator/hub/RollbackTestIT.java
+++ b/backend/src/test/java/org/cryptomator/hub/RollbackTestIT.java
@@ -29,7 +29,7 @@ class WithFlywayCleanup {
 		@Test
 		@Order(1)
 		@DBRollbackAfter
-		public void changeDB() throws SQLException {
+		void changeDB() throws SQLException {
 			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
 				s.execute("""
 						UPDATE "settings"
@@ -41,7 +41,7 @@ public void changeDB() throws SQLException {
 
 		@Test
 		@Order(2)
-		public void testDB() throws SQLException {
+		void testDB() throws SQLException {
 			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
 				var result = s.executeQuery("""
 						SELECT *
@@ -60,7 +60,7 @@ class NoCleanup {
 
 		@Test
 		@Order(1)
-		public void changeDB() throws SQLException {
+		void changeDB() throws SQLException {
 			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
 				s.execute("""
 						UPDATE "settings"
@@ -72,7 +72,7 @@ public void changeDB() throws SQLException {
 
 		@Test
 		@Order(2)
-		public void testDB() throws SQLException {
+		void testDB() throws SQLException {
 			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
 				var result = s.executeQuery("""
 						SELECT *
diff --git a/backend/src/test/java/org/cryptomator/hub/api/AuditLogResourceIT.java b/backend/src/test/java/org/cryptomator/hub/api/AuditLogResourceIT.java
index 4a75e9a4b..5b7428944 100644
--- a/backend/src/test/java/org/cryptomator/hub/api/AuditLogResourceIT.java
+++ b/backend/src/test/java/org/cryptomator/hub/api/AuditLogResourceIT.java
@@ -4,6 +4,7 @@
 import io.quarkus.test.junit.QuarkusTest;
 import io.quarkus.test.security.TestSecurity;
 import io.restassured.RestAssured;
+import org.cryptomator.hub.license.HubLicenseEntitlements;
 import org.cryptomator.hub.license.LicenseHolder;
 import org.hamcrest.Matchers;
 import org.junit.jupiter.api.BeforeAll;
@@ -24,20 +25,21 @@ public class AuditLogResourceIT {
 	LicenseHolder licenseHolder;
 
 	@BeforeAll
-	public static void beforeAll() {
+	static void beforeAll() {
 		RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
 	}
 
 	@BeforeEach
-	public void beforeEach() {
-		Mockito.doReturn(true).when(licenseHolder).isSet();
+	void beforeEach() {
+		var entitlements = HubLicenseEntitlements.create().withAuditLogRetentionDays(Long.MAX_VALUE); // unlimited retention for tests
+		Mockito.doReturn(entitlements).when(licenseHolder).getEntitlements();
 		Mockito.doReturn(false).when(licenseHolder).isExpired();
 	}
 
 	@Test
 	@TestSecurity(user = "Admin", roles = {"admin"})
 	@DisplayName("As admin, GET /auditlog?startDate=2020-02-20T00:00:00.000Z&endDate=2020-02-20T23:59:59.999Z&paginationId=9999 returns 200 with 20 entries")
-	public void testGetAuditLogEntries() {
+	void testGetAuditLogEntries() {
 		given().param("startDate", "2020-02-20T00:00:00.000Z")
 				.param("endDate", "2020-02-20T23:59:59.999Z")
 				.param("paginationId", 9999L)
@@ -49,7 +51,7 @@ public void testGetAuditLogEntries() {
 	@Test
 	@TestSecurity(user = "Admin", roles = {"admin"})
 	@DisplayName("As admin, GET /auditlog?startDate=2020-02-20T00:00:00.000Z&endDate=2020-02-20T23:59:59.999Z&pageSize=10&paginationId=1000&order=asc returns 200 with 3 entries")
-	public void testGetAuditLogEntriesPageSizeAsc() {
+	void testGetAuditLogEntriesPageSizeAsc() {
 		given().param("startDate", "2020-02-20T00:00:00.000Z")
 				.param("endDate", "2020-02-20T23:59:59.999Z")
 				.param("pageSize", 3)
@@ -63,7 +65,7 @@ public void testGetAuditLogEntriesPageSizeAsc() {
 	@Test
 	@TestSecurity(user = "User", roles = {"user"})
 	@DisplayName("As user, GET /auditlog?startDate=2020-02-20T00:00:00.000Z&endDate=2020-02-20T23:59:59.999Z&pageSize=10 returns 403")
-	public void testGetAuditLogEntriesAsUser() {
+	void testGetAuditLogEntriesAsUser() {
 		when().get("/auditlog?startDate=2020-02-20T00:00:00.000Z&endDate=2020-02-20T23:59:59.999ZZ&pageSize=10")
 				.then().statusCode(403);
 	}
diff --git a/backend/src/test/java/org/cryptomator/hub/api/AuthorityResourceIT.java b/backend/src/test/java/org/cryptomator/hub/api/AuthorityResourceIT.java
index bc8889e8a..590d661e7 100644
--- a/backend/src/test/java/org/cryptomator/hub/api/AuthorityResourceIT.java
+++ b/backend/src/test/java/org/cryptomator/hub/api/AuthorityResourceIT.java
@@ -5,7 +5,6 @@
 import io.quarkus.test.security.oidc.Claim;
 import io.quarkus.test.security.oidc.OidcSecurity;
 import io.restassured.RestAssured;
-import org.hamcrest.Matchers;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Nested;
@@ -14,14 +13,18 @@
 import static io.restassured.RestAssured.given;
 import static io.restassured.RestAssured.when;
 import static org.hamcrest.CoreMatchers.hasItems;
-import static org.hamcrest.Matchers.*;
+import static org.hamcrest.Matchers.containsInAnyOrder;
+import static org.hamcrest.Matchers.empty;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasSize;
+import static org.hamcrest.Matchers.nullValue;
 
 @QuarkusTest
 @DisplayName("Resource /authorities")
 public class AuthorityResourceIT {
 
 	@BeforeAll
-	public static void beforeAll() {
+	static void beforeAll() {
 		RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
 	}
 
@@ -35,7 +38,7 @@ public class Search {
 
 		@Test
 		@DisplayName("GET /search?query=U returns 200 with \"user1\", \"user2\", \"group1\"")
-		public void testGetAll() {
+		void testGetAll() {
 			when().get("/authorities/search?query=U")
 					.then().statusCode(200)
 					.body("id", hasItems("user1", "user2", "group1"));
@@ -43,7 +46,7 @@ public void testGetAll() {
 
 		@Test
 		@DisplayName("GET /search?query=u returns 200 with \"user1\", \"user2\", \"group1\"")
-		public void testGetAllIgnoreCase() {
+		void testGetAllIgnoreCase() {
 			when().get("/authorities/search?query=u")
 					.then().statusCode(200)
 					.body("id", hasItems("user1", "user2", "group1"));
@@ -51,7 +54,7 @@ public void testGetAllIgnoreCase() {
 
 		@Test
 		@DisplayName("GET /search?query=User returns 200 with \"user1\", \"user2\"")
-		public void testGetUser() {
+		void testGetUser() {
 			when().get("/authorities/search?query=User")
 					.then().statusCode(200)
 					.body("id", hasItems("user1", "user2"));
@@ -59,7 +62,7 @@ public void testGetUser() {
 
 		@Test
 		@DisplayName("GET /search?query=Group Name 1 returns 200 with \"group1\"")
-		public void testGetExactMatch() {
+		void testGetExactMatch() {
 			when().get("/authorities/search?query=Group Name 1")
 					.then().statusCode(200)
 					.body("id", hasItems("group1"));
@@ -67,7 +70,7 @@ public void testGetExactMatch() {
 
 		@Test
 		@DisplayName("GET /search?query=User Name 3000 returns 200 with empty body")
-		public void testGetEmpty() {
+		void testGetEmpty() {
 			when().get("/authorities/search?query=User Name 3000")
 					.then().statusCode(200)
 					.body("id", empty());
@@ -75,7 +78,7 @@ public void testGetEmpty() {
 
 		@Test
 		@DisplayName("GET /search?query=1 returns 200 with \"user1\", \"group1\"")
-		public void testGetSameUserGroupName() {
+		void testGetSameUserGroupName() {
 			when().get("/authorities/search?query=1")
 					.then().statusCode(200)
 					.body("find { it.id == 'user1' }.memberSize", nullValue())
@@ -84,7 +87,7 @@ public void testGetSameUserGroupName() {
 
 		@Test
 		@DisplayName("GET /search?query=1&withMemberSize=true returns 200 with \"group1\" and \"memberSize\"=true")
-		public void testGetSameUserGroupNameWithMemberSize() {
+		void testGetSameUserGroupNameWithMemberSize() {
 			when().get("/authorities/search?query=1&withMemberSize=true")
 					.then().statusCode(200)
 					.body("find { it.id == 'user1' }.memberSize", nullValue())
@@ -102,7 +105,7 @@ public class GetSome {
 
 		@Test
 		@DisplayName("GET /authorities returns 200 with empty body")
-		public void testGetSomeEmpty() {
+		void testGetSomeEmpty() {
 			when().get("/authorities")
 					.then().statusCode(200)
 					.body("", hasSize(0));
@@ -110,7 +113,7 @@ public void testGetSomeEmpty() {
 
 		@Test
 		@DisplayName("GET /authorities?ids=iDoNotExist returns 200 with empty body")
-		public void testGetSomeNotExisting() {
+		void testGetSomeNotExisting() {
 			given().param("ids", "iDoNotExist")
 					.when().get("/authorities")
 					.then().statusCode(200)
@@ -119,7 +122,7 @@ public void testGetSomeNotExisting() {
 
 		@Test
 		@DisplayName("GET /authorities?ids=user1&ids=group2 returns 200 with body containing user1 and group2")
-		public void testGetSome() {
+		void testGetSome() {
 			given().param("ids", "user1", "group2")
 					.when().get("/authorities")
 					.then().statusCode(200)
diff --git a/backend/src/test/java/org/cryptomator/hub/api/BillingResourceIT.java b/backend/src/test/java/org/cryptomator/hub/api/BillingResourceIT.java
index da47f9ffe..80fd98ee6 100644
--- a/backend/src/test/java/org/cryptomator/hub/api/BillingResourceIT.java
+++ b/backend/src/test/java/org/cryptomator/hub/api/BillingResourceIT.java
@@ -2,8 +2,8 @@
 
 import com.auth0.jwt.JWT;
 import com.auth0.jwt.exceptions.JWTVerificationException;
-import io.quarkus.test.junit.QuarkusTest;
 import io.quarkus.test.InjectMock;
+import io.quarkus.test.junit.QuarkusTest;
 import io.quarkus.test.security.TestSecurity;
 import io.quarkus.test.security.oidc.Claim;
 import io.quarkus.test.security.oidc.OidcSecurity;
@@ -22,7 +22,6 @@
 import static io.restassured.RestAssured.given;
 import static io.restassured.RestAssured.when;
 import static org.hamcrest.CoreMatchers.is;
-import static org.hamcrest.CoreMatchers.nullValue;
 
 @QuarkusTest
 @DisplayName("Resource /billing")
@@ -32,7 +31,7 @@ public class BillingResourceIT {
 	LicenseHolder licenseHolder;
 
 	@BeforeAll
-	public static void beforeAll() {
+	static void beforeAll() {
 		RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
 	}
 
@@ -52,24 +51,9 @@ public class AsAdmin {
 		private static final String MALFORMED_TOKEN = "hello world";
 
 		@Test
-		@DisplayName("GET /billing returns 200 with empty license self-hosted")
-		public void testGetEmptySelfHosted() {
-			Mockito.when(licenseHolder.get()).thenReturn(null);
-			Mockito.when(licenseHolder.getSeats()).thenReturn(5L);
-			when().get("/billing")
-					.then().statusCode(200)
-					.body("hubId", is("42"))
-					.body("hasLicense", is(false))
-					.body("email", nullValue())
-					.body("licensedSeats", is(5)) //community license
-					.body("usedSeats", is(2)) //depends on the flyway test data migration
-					.body("issuedAt", nullValue())
-					.body("expiresAt", nullValue());
-		}
-
-		@Test
+		@Order(2)
 		@DisplayName("PUT /billing/token returns 204 for initial token")
-		public void testPutInitialToken() {
+		void testPutInitialToken() {
 			given().contentType(ContentType.TEXT).body(INITIAL_TOKEN)
 					.when().put("/billing/token")
 					.then().statusCode(204);
@@ -78,12 +62,11 @@ public void testPutInitialToken() {
 		@Test
 		@Order(3)
 		@DisplayName("GET /billing returns 200 with initial license")
-		public void testGetInitial() {
+		void testGetInitial() {
 			Mockito.when(licenseHolder.get()).thenReturn(JWT.decode(INITIAL_TOKEN));
 			when().get("/billing")
 					.then().statusCode(200)
 					.body("hubId", is("42"))
-					.body("hasLicense", is(true))
 					.body("email", is("hub@cryptomator.org"))
 					.body("licensedSeats", is(5))
 					.body("usedSeats", is(2))
@@ -93,7 +76,7 @@ public void testGetInitial() {
 
 		@Test
 		@DisplayName("PUT /billing/token returns 204 for updated token")
-		public void testPutUpdatedToken() {
+		void testPutUpdatedToken() {
 			given().contentType(ContentType.TEXT).body(UPDATED_TOKEN)
 					.when().put("/billing/token")
 					.then().statusCode(204);
@@ -101,12 +84,11 @@ public void testPutUpdatedToken() {
 
 		@Test
 		@DisplayName("GET /billing returns 200 with updated license")
-		public void testGetUpdated() {
+		void testGetUpdated() {
 			Mockito.when(licenseHolder.get()).thenReturn(JWT.decode(UPDATED_TOKEN));
 			when().get("/billing")
 					.then().statusCode(200)
 					.body("hubId", is("42"))
-					.body("hasLicense", is(true))
 					.body("email", is("hub@cryptomator.org"))
 					.body("licensedSeats", is(5))
 					.body("usedSeats", is(2))
@@ -116,7 +98,7 @@ public void testGetUpdated() {
 
 		@Test
 		@DisplayName("PUT /billing/token returns 400 due to expired token")
-		public void testPutExpiredToken() {
+		void testPutExpiredToken() {
 			Mockito.doThrow(JWTVerificationException.class).when(licenseHolder).set(EXPIRED_TOKEN);
 			given().contentType(ContentType.TEXT).body(EXPIRED_TOKEN)
 					.when().put("/billing/token")
@@ -125,7 +107,7 @@ public void testPutExpiredToken() {
 
 		@Test
 		@DisplayName("PUT /billing/token returns 400 due to invalid signature")
-		public void testPutTokenWithInvalidSignature() {
+		void testPutTokenWithInvalidSignature() {
 			Mockito.doThrow(JWTVerificationException.class).when(licenseHolder).set(TOKEN_WITH_INVALID_SIGNATURE);
 			given().contentType(ContentType.TEXT).body(TOKEN_WITH_INVALID_SIGNATURE)
 					.when().put("/billing/token")
@@ -135,7 +117,7 @@ public void testPutTokenWithInvalidSignature() {
 		@Test
 		@Order(8)
 		@DisplayName("PUT /billing/token returns 400 due to malformed token")
-		public void testPutMalformedToken() {
+		void testPutMalformedToken() {
 			given().contentType(ContentType.TEXT).body(MALFORMED_TOKEN)
 					.when().put("/billing/token")
 					.then().statusCode(400);
@@ -153,14 +135,14 @@ public class AsAnyOtherRole {
 
 		@Test
 		@DisplayName("GET /billing returns 403 Forbidden")
-		public void testGet() {
+		void testGet() {
 			when().get("/billing")
 					.then().statusCode(403);
 		}
 
 		@Test
 		@DisplayName("PUT /billing/token returns 403 Forbidden")
-		public void testPut() {
+		void testPut() {
 			given().contentType(ContentType.TEXT).body("")
 					.when().put("/billing/token")
 					.then().statusCode(403);
@@ -174,14 +156,14 @@ public class AsAnonymous {
 
 		@Test
 		@DisplayName("GET /billing returns 401 Unauthorized")
-		public void testGet() {
+		void testGet() {
 			when().get("/billing")
 					.then().statusCode(401);
 		}
 
 		@Test
 		@DisplayName("PUT /billing/token returns 401 Unauthorized")
-		public void testPut() {
+		void testPut() {
 			given().contentType(ContentType.TEXT).body("")
 					.when().put("/billing/token")
 					.then().statusCode(401);
diff --git a/backend/src/test/java/org/cryptomator/hub/api/BillingResourceManagedInstanceIT.java b/backend/src/test/java/org/cryptomator/hub/api/BillingResourceManagedInstanceIT.java
index 53d3b8483..47419588e 100644
--- a/backend/src/test/java/org/cryptomator/hub/api/BillingResourceManagedInstanceIT.java
+++ b/backend/src/test/java/org/cryptomator/hub/api/BillingResourceManagedInstanceIT.java
@@ -1,7 +1,8 @@
 package org.cryptomator.hub.api;
 
-import io.agroal.api.AgroalDataSource;
-import io.quarkus.arc.Arc;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import io.quarkus.test.InjectMock;
+import io.quarkus.test.Mock;
 import io.quarkus.test.junit.QuarkusTest;
 import io.quarkus.test.junit.QuarkusTestProfile;
 import io.quarkus.test.junit.TestProfile;
@@ -9,18 +10,19 @@
 import io.quarkus.test.security.oidc.Claim;
 import io.quarkus.test.security.oidc.OidcSecurity;
 import io.restassured.RestAssured;
-import jakarta.inject.Inject;
 import org.cryptomator.hub.license.LicenseHolder;
 import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
+import org.mockito.Mockito;
 
-import java.sql.SQLException;
+import java.time.Instant;
+import java.util.Date;
 import java.util.Map;
 
 import static io.restassured.RestAssured.when;
 import static org.hamcrest.CoreMatchers.is;
-import static org.hamcrest.CoreMatchers.nullValue;
 
 @QuarkusTest
 @DisplayName("Resource /billing managed instance")
@@ -31,13 +33,27 @@
 @TestProfile(BillingResourceManagedInstanceIT.ManagedInstanceTestProfile.class)
 public class BillingResourceManagedInstanceIT {
 
-	@Inject
-	AgroalDataSource dataSource;
+	@InjectMock
+	LicenseHolder licenseHolder;
 
 	@BeforeAll
-	public static void beforeAll() {
+	static void beforeAll() {
 		RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
-		Arc.container().instance(LicenseHolder.class).destroy();
+	}
+
+	@BeforeEach
+	public void setup() {
+		var licenseToken = Mockito.mock(DecodedJWT.class);
+		Mockito.doReturn(true).when(licenseHolder).isManagedInstance();
+		Mockito.doReturn(licenseToken).when(licenseHolder).get();
+		Mockito.doReturn("42").when(licenseToken).getId();
+		Mockito.doReturn("hub@cryptomator.org").when(licenseToken).getSubject();
+		var seatsClaim = Mockito.mock(com.auth0.jwt.interfaces.Claim.class);
+		Mockito.doReturn(seatsClaim).when(licenseToken).getClaim("seats");
+		Mockito.doReturn(5).when(seatsClaim).asInt();
+		Mockito.doReturn(Date.from(Instant.parse("2022-03-23T15:29:20Z"))).when(licenseToken).getIssuedAt();
+		Mockito.doReturn(Date.from(Instant.parse("9999-12-31T00:00:00Z"))).when(licenseToken).getExpiresAt();
+		Mockito.doReturn("foo").when(licenseToken).getToken();
 	}
 
 	public static class ManagedInstanceTestProfile implements QuarkusTestProfile {
@@ -48,24 +64,16 @@ public Map<String, String> getConfigOverrides() {
 	}
 
 	@Test
-	@DisplayName("GET /billing returns 401 with empty license managed instance")
-	public void testGetEmptyManagedInstance() throws SQLException {
-		try (var c = dataSource.getConnection(); var s = c.createStatement()) {
-			s.execute("""
-					UPDATE "settings"
-					SET "hub_id" = '42', "license_key" = null
-					WHERE "id" = 0;
-					""");
-		}
-
+	@DisplayName("GET /billing returns 200 billing data with managedInstance=true")
+	public void testGetInitial() {
 		when().get("/billing")
 				.then().statusCode(200)
 				.body("hubId", is("42"))
-				.body("hasLicense", is(false))
-				.body("email", nullValue())
-				.body("licensedSeats", is(0))
+				.body("email", is("hub@cryptomator.org"))
+				.body("licensedSeats", is(5))
 				.body("usedSeats", is(2))
-				.body("issuedAt", nullValue())
-				.body("expiresAt", nullValue());
+				.body("issuedAt", is("2022-03-23T15:29:20Z"))
+				.body("expiresAt", is("9999-12-31T00:00:00Z"))
+				.body("managedInstance", is(true));
 	}
 }
\ No newline at end of file
diff --git a/backend/src/test/java/org/cryptomator/hub/api/ConfigResourceTest.java b/backend/src/test/java/org/cryptomator/hub/api/ConfigResourceTest.java
index 80b9280cd..700a0e264 100644
--- a/backend/src/test/java/org/cryptomator/hub/api/ConfigResourceTest.java
+++ b/backend/src/test/java/org/cryptomator/hub/api/ConfigResourceTest.java
@@ -10,7 +10,7 @@ public class ConfigResourceTest {
 	ConfigResource configResource;
 
 	@BeforeEach
-	public void init() {
+	void init() {
 		this.configResource = new ConfigResource();
 	}
 
@@ -19,7 +19,8 @@ public void init() {
 			"foobar,baz,bar,foobar",
 			"foo,foo,bar,bar",
 			"foo,'',bar,barfoo",
-			"'',baz,bar,''"})
+			"'',baz,bar,''"
+	})
 	void testReplacePrefix(String str, String prefix, String replacement, String expected) {
 		String out = configResource.replacePrefix(str, prefix, replacement);
 
@@ -31,7 +32,8 @@ void testReplacePrefix(String str, String prefix, String replacement, String exp
 			"foo/,foo",
 			"foo//,foo/",
 			"'',''",
-			"/,''"})
+			"/,''"
+	})
 	void testTrimTrailingSlash(String in, String expected) {
 		String out = configResource.trimTrailingSlash(in);
 
diff --git a/backend/src/test/java/org/cryptomator/hub/api/DeviceResourceIT.java b/backend/src/test/java/org/cryptomator/hub/api/DeviceResourceIT.java
index 259a55aef..33a3b37a2 100644
--- a/backend/src/test/java/org/cryptomator/hub/api/DeviceResourceIT.java
+++ b/backend/src/test/java/org/cryptomator/hub/api/DeviceResourceIT.java
@@ -35,7 +35,7 @@ public class DeviceResourceIT {
 	AgroalDataSource dataSource;
 
 	@BeforeAll
-	public static void beforeAll() {
+	static void beforeAll() {
 		RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
 	}
 
@@ -51,7 +51,7 @@ public class AsAuthorzedUser1 {
 		@Test
 		@Order(1)
 		@DisplayName("PUT /devices/device1 without DTO returns 400")
-		public void testCreateNoDeviceDto() {
+		void testCreateNoDeviceDto() {
 			given().contentType(ContentType.JSON).body("")
 					.when().put("/devices/{deviceId}", "device1")
 					.then().statusCode(400);
@@ -60,7 +60,7 @@ public void testCreateNoDeviceDto() {
 		@Test
 		@Order(1)
 		@DisplayName("PUT /devices/  with DTO returns 400")
-		public void testCreateNoDeviceId() {
+		void testCreateNoDeviceId() {
 			var deviceDto = new DeviceResource.DeviceDto("device1", "Computer 1", Device.Type.DESKTOP, "publickey1", "jwe.jwe.jwe.user1.device1", "user1", Instant.parse("2020-02-20T20:20:20Z"), null, null, false);
 			given().contentType(ContentType.JSON).body(deviceDto)
 					.when().put("/devices/{deviceId}", " ") //a whitespace
@@ -70,7 +70,7 @@ public void testCreateNoDeviceId() {
 		@Test
 		@Order(1)
 		@DisplayName("GET /devices/device1 returns 200")
-		public void testGet1() {
+		void testGet1() {
 			given().when().get("/devices/{deviceId}", "device1")
 					.then().statusCode(200)
 					.body("id", is("device1"))
@@ -81,7 +81,7 @@ public void testGet1() {
 		@Test
 		@Order(1)
 		@DisplayName("GET /devices/legacyDevice1/legacy-access-tokens returns 200")
-		public void testGetLegacyAccessTokens1() {
+		void testGetLegacyAccessTokens1() {
 			given().when().get("/devices/{deviceId}/legacy-access-tokens", "legacyDevice1")
 					.then().statusCode(200)
 					.body("7e57c0de-0000-4000-8000-000100001111", is("legacy.jwe.jwe.vault1.device1"));
@@ -90,7 +90,7 @@ public void testGetLegacyAccessTokens1() {
 		@Test
 		@Order(1)
 		@DisplayName("GET /devices/legacyDevice2/legacy-access-tokens returns empty list (owned by different user)")
-		public void testGetLegacyAccessTokens2() {
+		void testGetLegacyAccessTokens2() {
 			given().when().get("/devices/{deviceId}/legacy-access-tokens", "legacyDevice2")
 					.then().statusCode(200)
 					.body(is("{}"));
@@ -99,7 +99,7 @@ public void testGetLegacyAccessTokens2() {
 		@Test
 		@Order(1)
 		@DisplayName("GET /devices/legacyDevice3/legacy-access-tokens returns 200")
-		public void testGetLegacyAccessTokens3() {
+		void testGetLegacyAccessTokens3() {
 			given().when().get("/devices/{deviceId}/legacy-access-tokens", "legacyDevice3")
 					.then().statusCode(200)
 					.body("7e57c0de-0000-4000-8000-000100002222", is("legacy.jwe.jwe.vault2.device3"));
@@ -108,7 +108,7 @@ public void testGetLegacyAccessTokens3() {
 		@Test
 		@Order(1)
 		@DisplayName("GET /devices/noSuchDevice/legacy-access-tokens returns empty list (no such device)")
-		public void testGetLegacyAccessTokens4() {
+		void testGetLegacyAccessTokens4() {
 			given().when().get("/devices/{deviceId}/legacy-access-tokens", "noSuchDevice")
 					.then().statusCode(200)
 					.body(is("{}"));
@@ -117,7 +117,7 @@ public void testGetLegacyAccessTokens4() {
 		@Test
 		@Order(1)
 		@DisplayName("GET /devices/device2 returns 404 (owned by other user)")
-		public void testGet2() {
+		void testGet2() {
 			given().when().get("/devices/{deviceId}", "device2")
 					.then().statusCode(404);
 		}
@@ -125,7 +125,7 @@ public void testGet2() {
 		@Test
 		@Order(1)
 		@DisplayName("GET /devices/noSuchDevice returns 404 (no such device)")
-		public void testGetNonExistingDeviceToken() {
+		void testGetNonExistingDeviceToken() {
 			when().get("/devices/{deviceId}", "noSuchDevice")
 					.then().statusCode(404);
 		}
@@ -133,7 +133,7 @@ public void testGetNonExistingDeviceToken() {
 		@Test
 		@Order(2)
 		@DisplayName("PUT /devices/device999 returns 201 (creating new device)")
-		public void testCreate999() throws SQLException {
+		void testCreate999() throws SQLException {
 			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
 				s.execute("""
 						INSERT INTO "device_legacy" ("id", "owner_id", "name", "type", "publickey", "creation_time")
@@ -159,7 +159,7 @@ public void testCreate999() throws SQLException {
 		@Test
 		@Order(2)
 		@DisplayName("PUT /devices/deviceX returns 201 (creating new device with same name as device1)")
-		public void testCreateX() {
+		void testCreateX() {
 			var deviceDto = new DeviceResource.DeviceDto("deviceX", "Computer 1", Device.Type.DESKTOP, "publickey1", "jwe.jwe.jwe.user1.deviceX", "user1", Instant.parse("2020-02-20T20:20:20Z"), null, null, false);
 
 			given().contentType(ContentType.JSON).body(deviceDto)
@@ -170,7 +170,7 @@ public void testCreateX() {
 		@Test
 		@Order(3)
 		@DisplayName("PUT /devices/deviceY returns 409 (creating new device with the key of deviceX conflicts)")
-		public void testCreateYWithKeyOfDeviceX() {
+		void testCreateYWithKeyOfDeviceX() {
 			var deviceDto = new DeviceResource.DeviceDto("deviceY", "Computer 2", Device.Type.DESKTOP, "publickey1", "jwe.jwe.jwe.user1.deviceX", "user1", Instant.parse("2020-02-20T20:20:20Z"), null, null, false);
 
 			given().contentType(ContentType.JSON).body(deviceDto)
@@ -181,7 +181,7 @@ public void testCreateYWithKeyOfDeviceX() {
 		@Test
 		@Order(4)
 		@DisplayName("GET /devices/device999 returns 200")
-		public void testGet999AfterCreate() {
+		void testGet999AfterCreate() {
 			given().when().get("/devices/{deviceId}", "device999")
 					.then().statusCode(200)
 					.body("id", is("device999"))
@@ -191,7 +191,7 @@ public void testGet999AfterCreate() {
 		@Test
 		@Order(5)
 		@DisplayName("PUT /devices/device999 returns 201 (updating existing device)")
-		public void testUpdate1() {
+		void testUpdate1() {
 			var deviceDto = new DeviceResource.DeviceDto("device999", "Computer 999 got a new name", Device.Type.DESKTOP, "publickey999", "jwe.jwe.jwe.user1.device999", "user1", Instant.parse("2020-02-20T20:20:20Z"), null, null, false);
 
 			given().contentType(ContentType.JSON).body(deviceDto)
@@ -202,7 +202,7 @@ public void testUpdate1() {
 		@Test
 		@Order(6)
 		@DisplayName("GET /devices/device999 returns 200 (with updated name)")
-		public void testGet999AfterUpdate() {
+		void testGet999AfterUpdate() {
 			given().when().get("/devices/{deviceId}", "device999")
 					.then().statusCode(200)
 					.body("id", is("device999"))
@@ -212,7 +212,7 @@ public void testGet999AfterUpdate() {
 		@Test
 		@Order(7)
 		@DisplayName("DELETE /devices/  returns 400")
-		public void testDeleteNoDeviceId() {
+		void testDeleteNoDeviceId() {
 			when().delete("/devices/{deviceId}", " ") //a whitespace
 					.then().statusCode(400);
 		}
@@ -220,7 +220,7 @@ public void testDeleteNoDeviceId() {
 		@Test
 		@Order(7)
 		@DisplayName("DELETE /devices/device0 returns 404")
-		public void testDeleteNotExisting() {
+		void testDeleteNotExisting() {
 			when().delete("/devices/{deviceId}", "device0") //
 					.then().statusCode(404);
 		}
@@ -228,7 +228,7 @@ public void testDeleteNotExisting() {
 		@Test
 		@Order(7)
 		@DisplayName("DELETE /devices/device2 returns 404")
-		public void testDeleteNotOwner() {
+		void testDeleteNotOwner() {
 			when().delete("/devices/{deviceId}", "device2") //
 					.then().statusCode(404);
 		}
@@ -236,7 +236,7 @@ public void testDeleteNotOwner() {
 		@Test
 		@Order(7)
 		@DisplayName("DELETE /devices/device999/legacy-device as legacy device returns 404")
-		public void testDeleteExistingDeviceAsLegacyDevice() {
+		void testDeleteExistingDeviceAsLegacyDevice() {
 			when().delete("/devices/{deviceId}/legacy-device", "device999") //
 					.then().statusCode(404);
 		}
@@ -244,7 +244,7 @@ public void testDeleteExistingDeviceAsLegacyDevice() {
 		@Test
 		@Order(7)
 		@DisplayName("DELETE /devices/device15000 as non legacy device returns 404")
-		public void testDeleteExistingLegacyDeviceAsDevice() throws SQLException {
+		void testDeleteExistingLegacyDeviceAsDevice() throws SQLException {
 			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
 				s.execute("""
 						INSERT INTO "device_legacy" ("id", "owner_id", "name", "type", "publickey", "creation_time")
@@ -271,7 +271,7 @@ public void testDeleteExistingLegacyDeviceAsDevice() throws SQLException {
 		@Test
 		@Order(7)
 		@DisplayName("DELETE /devices/device999 returns 204")
-		public void testDeleteValid() {
+		void testDeleteValid() {
 			when().delete("/devices/{deviceId}", "device999") //
 					.then().statusCode(204);
 		}
@@ -279,7 +279,7 @@ public void testDeleteValid() {
 		@Test
 		@Order(7)
 		@DisplayName("DELETE /devices/device15000 returns 204")
-		public void testDeleteValidLegacyDevice() throws SQLException {
+		void testDeleteValidLegacyDevice() throws SQLException {
 			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
 				s.execute("""
 						INSERT INTO "device_legacy" ("id", "owner_id", "name", "type", "publickey", "creation_time")
@@ -307,7 +307,7 @@ public class AsAnonymous {
 
 		@Test
 		@DisplayName("PUT /devices/device1 returns 401")
-		public void testCreate1() {
+		void testCreate1() {
 			var deviceDto = new DeviceResource.DeviceDto("device1", "Device 1", Device.Type.BROWSER, "publickey1", "jwe.jwe.jwe.user1.device1", "user1", Instant.parse("2020-02-20T20:20:20Z"), null, null, false);
 
 			given().contentType(ContentType.JSON).body(deviceDto)
@@ -317,7 +317,7 @@ public void testCreate1() {
 
 		@Test
 		@DisplayName("DELETE /devices/device1 returns 401")
-		public void testDelete() {
+		void testDelete() {
 			when().delete("/devices/{deviceId}", "device1") //
 					.then().statusCode(401);
 		}
@@ -334,7 +334,7 @@ public class GetSome {
 
 		@Test
 		@DisplayName("GET /devices returns 200 with empty body")
-		public void testGetSomeEmpty() {
+		void testGetSomeEmpty() {
 			when().get("/devices")
 					.then().statusCode(200)
 					.body("", hasSize(0));
@@ -342,7 +342,7 @@ public void testGetSomeEmpty() {
 
 		@Test
 		@DisplayName("GET /devices?ids=iDoNotExist returns 200 with empty body")
-		public void testGetSomeNotExisting() {
+		void testGetSomeNotExisting() {
 			given().param("ids", "iDoNotExist")
 					.when().get("/devices")
 					.then().statusCode(200)
@@ -351,7 +351,7 @@ public void testGetSomeNotExisting() {
 
 		@Test
 		@DisplayName("GET /devices?ids=device2&ids=device3&ids=legacyDevice1 returns 200 with body containing device2 and device3")
-		public void testGetSome() {
+		void testGetSome() {
 			given().param("ids", "device2", "device3", "legacyDevice1")
 					.when().get("/devices")
 					.then().statusCode(200)
@@ -362,7 +362,7 @@ public void testGetSome() {
 
 		@Test
 		@DisplayName("GET /devices/legacy-devices?ids=legacyDevice1&ids=device2&ids=device3 returns 200 with body containing device2, device3 and legacyDevice1")
-		public void testGetSomeLegacyDevices() {
+		void testGetSomeLegacyDevices() {
 			given().param("ids", "device2", "device3", "legacyDevice1")
 					.when().get("/devices/legacy-devices")
 					.then().statusCode(200)
@@ -376,7 +376,7 @@ public void testGetSomeLegacyDevices() {
 		@OidcSecurity(claims = {
 				@Claim(key = "sub", value = "user1")
 		})
-		public void testGetSomeAsUser() {
+		void testGetSomeAsUser() {
 			given().param("ids", "device2", "device3")
 					.when().get("/devices")
 					.then().statusCode(403);
diff --git a/backend/src/test/java/org/cryptomator/hub/api/ExceedingLicenseLimitsIT.java b/backend/src/test/java/org/cryptomator/hub/api/ExceedingLicenseLimitsIT.java
new file mode 100644
index 000000000..e6d252530
--- /dev/null
+++ b/backend/src/test/java/org/cryptomator/hub/api/ExceedingLicenseLimitsIT.java
@@ -0,0 +1,264 @@
+package org.cryptomator.hub.api;
+
+import io.quarkus.test.InjectMock;
+import io.quarkus.test.junit.QuarkusMock;
+import io.quarkus.test.junit.QuarkusTest;
+import io.quarkus.test.security.TestSecurity;
+import io.quarkus.test.security.oidc.Claim;
+import io.quarkus.test.security.oidc.OidcSecurity;
+import io.restassured.RestAssured;
+import io.restassured.http.ContentType;
+import jakarta.inject.Inject;
+import jakarta.transaction.Transactional;
+import org.cryptomator.hub.entities.EffectiveGroupMembership;
+import org.cryptomator.hub.entities.Group;
+import org.cryptomator.hub.entities.User;
+import org.cryptomator.hub.entities.Vault;
+import org.cryptomator.hub.entities.VaultAccess;
+import org.cryptomator.hub.katta.KeycloakCryptomatorVaultsHelper;
+import org.cryptomator.hub.license.HubLicenseEntitlements;
+import org.cryptomator.hub.license.LicenseHolder;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.Assumptions;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.MethodOrderer;
+import org.junit.jupiter.api.Order;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.TestInstance;
+import org.junit.jupiter.api.TestMethodOrder;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
+import org.mockito.Mockito;
+
+import java.sql.SQLException;
+import java.time.Instant;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+
+import static io.restassured.RestAssured.given;
+import static io.restassured.RestAssured.when;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.text.IsEqualIgnoringCase.equalToIgnoringCase;
+
+@QuarkusTest
+@TestSecurity(user = "User Name 1", roles = {"user", "create-vaults"})
+@OidcSecurity(claims = {
+		@Claim(key = "sub", value = "user1")
+})
+@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
+class ExceedingLicenseLimitsIT {
+
+	@Inject
+	Group.Repository groupRepo;
+	@Inject
+	User.Repository userRepo;
+	@Inject
+	EffectiveGroupMembership.Repository effectiveGroupMembershipRepo;
+	@Inject
+	Vault.Repository vaultRepo;
+	@Inject
+	VaultAccess.Repository vaultAccessRepo;
+	@InjectMock
+	LicenseHolder licenseHolder;
+
+	private final VaultResourceIT vaultResourceIT;
+
+	public ExceedingLicenseLimitsIT(VaultResourceIT vaultResourceIT) {
+		this.vaultResourceIT = vaultResourceIT;
+	}
+
+	@BeforeAll
+	static void beforeAll() {
+		RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
+		// https://quarkus.io/guides/getting-started-testing#quarkus_mock
+		VaultResourceIT.KeycloakCryptomatorVaultsHelperMock mock = Mockito.mock(VaultResourceIT.KeycloakCryptomatorVaultsHelperMock.class);
+		QuarkusMock.installMockForType(mock, KeycloakCryptomatorVaultsHelper.class);
+	}
+
+	@BeforeAll
+	@Transactional
+	void setupTestData() {
+		var user91 = new User();
+		user91.setId("user91");
+		user91.setName("user name 91");
+
+		var user92 = new User();
+		user92.setId("user92");
+		user92.setName("user name 92");
+
+		var user93 = new User();
+		user93.setId("user93");
+		user93.setName("user name 93");
+
+		var user94 = new User();
+		user94.setId("user94");
+		user94.setName("user name 94");
+
+		var user95A = new User();
+		user95A.setId("user95_A");
+		user95A.setName("user name Archived");
+
+		userRepo.persist(user91, user92, user93, user94, user95A);
+
+		var group91 = new Group();
+		group91.setId("group91");
+		group91.setName("Group 91");
+		group91.getMembers().add(user91);
+		group91.getMembers().add(user92);
+		group91.getMembers().add(user93);
+		group91.getMembers().add(user94);
+		groupRepo.persist(group91);
+
+		effectiveGroupMembershipRepo.updateGroups(List.of("group91"));
+
+		var access = new VaultAccess();
+		access.setVault(vaultRepo.findById(UUID.fromString("7E57C0DE-0000-4000-8000-00010000AAAA")));
+		access.setAuthority(user95A);
+		access.setRole(VaultAccess.Role.MEMBER);
+		vaultAccessRepo.persist(access);
+	}
+
+	@AfterAll
+	@Transactional
+	void cleanupTestData() {
+		groupRepo.deleteById("group91");
+		userRepo.deleteByIds(List.of("user91", "user92", "user93", "user94", "user95_A"));
+	}
+
+	@BeforeEach
+	void setup() {
+		var entitlements = HubLicenseEntitlements.create().withSeats(5L);
+		Mockito.doReturn(entitlements).when(licenseHolder).getEntitlements();
+		Mockito.doReturn(false).when(licenseHolder).isExpired();
+	}
+
+	@Test
+	@Order(0)
+	@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100001111/access-tokens returns 402 for [user91, user92, user93, user94]")
+	void grantAccessExceedingSeats() {
+		Assumptions.assumeTrue(vaultResourceIT.effectiveVaultAccessRepo.countSeatOccupyingUsers() == 2);
+		var body = Map.of(
+				"user91", "jwe.jwe.jwe.vault1.user91", //
+				"user92", "jwe.jwe.jwe.vault1.user92", //
+				"user93", "jwe.jwe.jwe.vault1.user93", //
+				"user94", "jwe.jwe.jwe.vault1.user94" //
+		);
+
+		given().contentType(ContentType.JSON).body(body)
+				.when().post("/vaults/{vaultId}/access-tokens/", "7E57C0DE-0000-4000-8000-000100001111")
+				.then().statusCode(402);
+	}
+
+	@Test
+	@Order(1)
+	@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100001111/groups/group91 returns 402")
+	void addGroupToVaultExceedingSeats() {
+		Assumptions.assumeTrue(vaultResourceIT.effectiveVaultAccessRepo.countSeatOccupyingUsers() == 2);
+
+		given().when().put("/vaults/{vaultId}/groups/{groupId}", "7E57C0DE-0000-4000-8000-000100001111", "group91")
+				.then().statusCode(402);
+	}
+
+	@Order(2)
+	@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100001111/users/userXX returns 201")
+	@ParameterizedTest(name = "Adding user {0} succeeds")
+	@CsvSource(value = {"0,user91", "1,user92", "2,user93"})
+	void addUserToVaultNotExceedingSeats(String run, String userId) {
+		Assumptions.assumeTrue(vaultResourceIT.effectiveVaultAccessRepo.countSeatOccupyingUsers() == 2 + Integer.parseInt(run));
+
+		given().when().put("/vaults/{vaultId}/users/{usersId}", "7E57C0DE-0000-4000-8000-000100001111", userId)
+				.then().statusCode(201);
+	}
+
+	@Test
+	@Order(3)
+	@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100001111/users/user94 returns 402")
+	void addUserToVaultExceedingSeats() {
+		Assumptions.assumeTrue(vaultResourceIT.effectiveVaultAccessRepo.countSeatOccupyingUsers() == 5);
+
+		given().when().put("/vaults/{vaultId}/users/{usersId}", "7E57C0DE-0000-4000-8000-000100001111", "user94")
+				.then().statusCode(402);
+	}
+
+	@Test
+	@Order(4)
+	@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100001111 (as user1) returns 200 with only updated name, description and archive flag, despite exceeding license")
+	void testUpdateVaultDespiteLicenseExceeded() {
+		Assumptions.assumeTrue(vaultResourceIT.effectiveVaultAccessRepo.countSeatOccupyingUsers() == 5);
+		var vaultId = "7E57C0DE-0000-4000-8000-000100001111";
+
+		var vaultDto = new VaultResource.VaultDto(UUID.fromString(vaultId), "Vault 1", Instant.parse("2222-11-11T11:11:11Z"), "This is a testvault.", false, 0, Map.of(), "doNotUpdate", "doNotUpdate", "someVaule", -1, "doNotUpdate", "doNotUpdate", "doNotUpdate");
+		given().contentType(ContentType.JSON)
+				.body(vaultDto)
+				.when().put("/vaults/{vaultId}", vaultId)
+				.then().statusCode(200)
+				.body("id", equalToIgnoringCase(vaultId))
+				.body("name", equalTo("Vault 1"))
+				.body("description", equalTo("This is a testvault."))
+				.body("archived", equalTo(false));
+	}
+
+	@Test
+	@Order(5)
+	@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-0001FFFF3333 (as user1) exceeding the license returns 402")
+	void testCreateVaultExceedingSeats() throws SQLException {
+		try (var c = vaultResourceIT.dataSource.getConnection(); var s = c.createStatement()) {
+			s.execute("""
+					INSERT INTO "vault_access" ("vault_id", "authority_id")
+					VALUES
+						('7E57C0DE-0000-4000-8000-000100001111', 'group91');
+					""");
+		}
+
+		Assumptions.assumeTrue(vaultResourceIT.effectiveVaultAccessRepo.countSeatOccupyingUsers() > 5);
+
+		var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-0001FFFF3333");
+		var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", Instant.parse("2112-12-21T21:12:21Z"), "Test vault 4", false, 0, Map.of(), "uvfMetadata3", "uvfKeySet3", "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3");
+		given().contentType(ContentType.JSON).body(vaultDto)
+				.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-0001FFFF3333")
+				.then().statusCode(402);
+	}
+
+	@Test
+	@Order(7)
+	@DisplayName("unlock/legacyUnlock is granted, if (effective vault user) > license seats but (effective vault user with access token) <= license seat")
+	void testUnlockAllowedExceedingLicenseSoftLimit() {
+		Assumptions.assumeTrue(vaultResourceIT.effectiveVaultAccessRepo.countSeatOccupyingUsersWithAccessToken() <= 5);
+
+		when().get("/vaults/{vaultId}/access-token", "7E57C0DE-0000-4000-8000-000100001111")
+				.then().statusCode(200);
+		when().get("/vaults/{vaultId}/keys/{deviceId}", "7E57C0DE-0000-4000-8000-000100002222", "legacyDevice3")
+				.then().statusCode(200)
+				.body(is("legacy.jwe.jwe.vault2.device3"));
+	}
+
+	@Test
+	@Order(8)
+	@DisplayName("Unlock/legacyUnlock is blocked if (effective vault users with token) > license seats")
+	void testUnlockBlockedExceedingLicenseHardLimit() throws SQLException {
+		try (var c = vaultResourceIT.dataSource.getConnection(); var s = c.createStatement()) {
+			s.execute("""
+					INSERT INTO "access_token" ("user_id", "vault_id", "vault_masterkey")
+						VALUES ('user91', '7E57C0DE-0000-4000-8000-000100001111', 'jwe.jwe.jwe.vault1.user91');
+					INSERT INTO "access_token" ("user_id", "vault_id", "vault_masterkey")
+						VALUES ('user92', '7E57C0DE-0000-4000-8000-000100001111', 'jwe.jwe.jwe.vault1.user92');
+					INSERT INTO "access_token" ("user_id", "vault_id", "vault_masterkey")
+						VALUES ('user93', '7E57C0DE-0000-4000-8000-000100001111', 'jwe.jwe.jwe.vault1.user93');
+					INSERT INTO "access_token" ("user_id", "vault_id", "vault_masterkey")
+						VALUES ('user94', '7E57C0DE-0000-4000-8000-000100001111', 'jwe.jwe.jwe.vault1.user94');
+					""");
+		}
+		Assumptions.assumeTrue(vaultResourceIT.effectiveVaultAccessRepo.countSeatOccupyingUsersWithAccessToken() > 5);
+
+		when().get("/vaults/{vaultId}/access-token", "7E57C0DE-0000-4000-8000-000100001111")
+				.then().statusCode(402);
+		when().get("/vaults/{vaultId}/keys/{deviceId}", "7E57C0DE-0000-4000-8000-000100002222", "legacyDevice3")
+				.then().statusCode(402);
+	}
+
+}
diff --git a/backend/src/test/java/org/cryptomator/hub/api/GroupsResourceIT.java b/backend/src/test/java/org/cryptomator/hub/api/GroupsResourceIT.java
index 41325d7d5..547ca3a40 100644
--- a/backend/src/test/java/org/cryptomator/hub/api/GroupsResourceIT.java
+++ b/backend/src/test/java/org/cryptomator/hub/api/GroupsResourceIT.java
@@ -1,20 +1,35 @@
 package org.cryptomator.hub.api;
 
 import io.agroal.api.AgroalDataSource;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
 import io.quarkus.test.security.TestSecurity;
 import io.quarkus.test.security.oidc.Claim;
 import io.quarkus.test.security.oidc.OidcSecurity;
 import io.restassured.RestAssured;
+import io.restassured.http.ContentType;
 import jakarta.inject.Inject;
+import jakarta.transaction.Transactional;
+import jakarta.ws.rs.NotFoundException;
+import org.cryptomator.hub.entities.EffectiveGroupMembership;
+import org.cryptomator.hub.entities.Group;
+import org.cryptomator.hub.entities.User;
+import org.cryptomator.hub.keycloak.KeycloakAdminService;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.TestInstance;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.CsvSource;
+import org.keycloak.representations.idm.GroupRepresentation;
+import org.mockito.Mockito;
 
 import java.sql.SQLException;
+import java.util.List;
 
 import static io.restassured.RestAssured.given;
 import static io.restassured.RestAssured.when;
@@ -23,27 +38,67 @@
 
 @QuarkusTest
 @DisplayName("Resource /groups")
-public class GroupsResourceIT {
+class GroupsResourceIT {
 
 	@Inject
 	AgroalDataSource dataSource;
 
+	@Inject
+	Group.Repository groupRepo;
+
+	@Inject
+	User.Repository userRepo;
+
+	@Inject
+	EffectiveGroupMembership.Repository effectiveGroupMembershipRepo;
+
+	@InjectMock
+	KeycloakAdminService keycloakAdminService;
+
 	@BeforeAll
-	public static void beforeAll() {
+	static void beforeAll() {
 		RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
 	}
 
+	@BeforeEach
+	@Transactional
+	void setupTestData() {
+		var user999 = new User();
+		user999.setId("user999");
+		user999.setName("User 999");
+		userRepo.persist(user999);
+
+		var group999 = new Group();
+		group999.setId("group999");
+		group999.setName("Group 999");
+		group999.getMembers().add(user999);
+		groupRepo.persist(group999);
+
+		var group1 = groupRepo.findById("group1");
+		group1.getMembers().add(group999);
+		groupRepo.persist(group1);
+
+		effectiveGroupMembershipRepo.updateGroups(List.of("group1", "group999"));
+	}
+
+	@AfterEach
+	@Transactional
+	void cleanupTestData() {
+		groupRepo.deleteById("group999");
+		userRepo.deleteById("user999");
+	}
+
 	@Nested
-	@DisplayName("As user1")
-	@TestSecurity(user = "User Name 1", roles = {"user"})
+	@DisplayName("As admin")
+	@TestSecurity(user = "Admin User", roles = {"admin"})
 	@OidcSecurity(claims = {
-			@Claim(key = "sub", value = "user1")
+			@Claim(key = "sub", value = "admin")
 	})
-	public class AsAuthorzedUser1 {
+	class AsAdmin {
 
 		@Test
 		@DisplayName("GET /groups returns 200")
-		public void testGetAll() {
+		void testGetAll() {
 			when().get("/groups")
 					.then().statusCode(200)
 					.body("id", hasItems("group1", "group2"));
@@ -51,33 +106,10 @@ public void testGetAll() {
 
 		@Test
 		@DisplayName("GET /groups/group1/effective-members contains direct and subgroup members")
-		public void testGetEffectiveUsers() throws SQLException {
-			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
-				s.execute("""
-						INSERT INTO "authority" ("id", "type", "name")
-						VALUES
-							('user999', 'USER', 'User 999'),
-							('group999', 'GROUP', 'Group 999');
-
-						INSERT INTO "user_details" ("id") VALUES ('user999');
-						INSERT INTO "group_details" ("id") VALUES ('group999');
-
-						INSERT INTO "group_membership" ("group_id", "member_id")
-						VALUES
-							('group999', 'user999'),
-							('group1', 'group999');
-						""");
-			}
-
+		void testGetEffectiveUsers() throws SQLException {
 			when().get("/groups/{groupId}/effective-members", "group1")
 					.then().statusCode(200)
 					.body("id", hasItems("user1", "user999"));
-
-			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
-				s.execute("""
-						DELETE FROM "authority" WHERE "id" = 'user999' OR "id" = 'group999';
-						""");
-			}
 		}
 
 	}
@@ -89,13 +121,241 @@ public class AsAnonymous {
 		@DisplayName("401 Unauthorized")
 		@ParameterizedTest(name = "{0} {1}")
 		@CsvSource(value = {
-				"GET, /users"
+				"GET, /groups"
 		})
-		public void testGet(String method, String path) {
+		void testGet(String method, String path) {
 			when().request(method, path)
 					.then().statusCode(401);
 		}
 
 	}
 
+	@Nested
+	@DisplayName("Group CRUD Operations")
+	@TestSecurity(user = "Admin User", roles = {"admin"})
+	@OidcSecurity(claims = {
+			@Claim(key = "sub", value = "admin")
+	})
+	@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+	public class GroupCrudOperations {
+
+		@BeforeEach
+		void resetMocks() {
+			Mockito.reset(keycloakAdminService);
+		}
+
+		@BeforeAll
+		void setup() throws SQLException {
+			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
+				s.execute("""
+						INSERT INTO "authority" ("id", "type", "name") VALUES ('newGroupId123', 'GROUP', 'New Group');
+						INSERT INTO "group_details" ("id") VALUES ('newGroupId123');
+						""");
+			}
+		}
+
+		@AfterAll
+		void tearDown() throws SQLException {
+			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
+				s.execute("""
+						DELETE FROM "authority" WHERE "id" = 'newGroupId123';
+						""");
+			}
+		}
+
+		@Test
+		@DisplayName("POST /groups returns 201 when group created successfully")
+		void testCreateGroupSuccess() {
+			var groupRep = new GroupRepresentation();
+			groupRep.setId("newGroupId123");
+			groupRep.setName("New Group");
+
+			Mockito.when(keycloakAdminService.createGroup(
+					Mockito.eq("New Group"),
+					Mockito.isNull()
+			)).thenReturn(groupRep);
+
+			var body = """
+					{
+						"name": "New Group"
+					}
+					""";
+			given().contentType(ContentType.JSON).body(body)
+					.when().post("/groups")
+					.then().statusCode(201);
+		}
+
+		@Test
+		@DisplayName("POST /groups returns 409 when group name already exists")
+		void testCreateGroupConflict() {
+			Mockito.when(keycloakAdminService.createGroup(
+					Mockito.anyString(),
+					Mockito.any()
+			)).thenThrow(new jakarta.ws.rs.ClientErrorException("GROUP_NAME_EXISTS", jakarta.ws.rs.core.Response.Status.CONFLICT));
+
+			var body = """
+					{
+						"name": "Existing Group"
+					}
+					""";
+			given().contentType(ContentType.JSON).body(body)
+					.when().post("/groups")
+					.then().statusCode(409);
+		}
+
+		@Test
+		@DisplayName("POST /groups returns 400 for invalid body")
+		void testCreateGroupInvalidBody() {
+			var body = """
+					{
+						"pictureUrl": "http://example.com/pic.jpg"
+					}
+					""";
+			given().contentType(ContentType.JSON).body(body)
+					.when().post("/groups")
+					.then().statusCode(400);
+		}
+
+		@Test
+		@DisplayName("GET /groups/{id} returns 200 for existing group")
+		void testGetGroupSuccess() {
+			when().get("/groups/group1")
+					.then().statusCode(200)
+					.body("id", is("group1"));
+		}
+
+		@Test
+		@DisplayName("GET /groups/{id} returns 404 for non-existing group")
+		void testGetGroupNotFound() {
+			when().get("/groups/nonexistent")
+					.then().statusCode(404);
+		}
+
+		@Test
+		@DisplayName("PUT /groups/{id} returns 200 when update successful")
+		void testUpdateGroupSuccess() {
+			var groupRep = new GroupRepresentation();
+			groupRep.setId("group1");
+			groupRep.setName("Updated Group");
+
+			Mockito.when(keycloakAdminService.updateGroup(
+					Mockito.eq("group1"),
+					Mockito.eq("Updated Group"),
+					Mockito.isNull()
+			)).thenReturn(groupRep);
+
+			var body = """
+					{
+						"name": "Updated Group"
+					}
+					""";
+			given().contentType(ContentType.JSON).body(body)
+					.when().put("/groups/group1")
+					.then().statusCode(200);
+		}
+
+		@Test
+		@DisplayName("PUT /groups/{id} returns 404 for non-existing group")
+		void testUpdateGroupNotFound() {
+			Mockito.when(keycloakAdminService.updateGroup(
+					Mockito.eq("nonexistent"),
+					Mockito.any(),
+					Mockito.any()
+			)).thenThrow(new NotFoundException("Group not found"));
+
+			var body = """
+					{
+						"name": "Updated Group"
+					}
+					""";
+			given().contentType(ContentType.JSON).body(body)
+					.when().put("/groups/nonexistent")
+					.then().statusCode(404);
+		}
+
+		@Test
+		@DisplayName("DELETE /groups/{id} returns 204 when deleted successfully")
+		void testDeleteGroupSuccess() {
+			Mockito.doNothing().when(keycloakAdminService).deleteGroup("mockedGroupId");
+
+			when().delete("/groups/mockedGroupId")
+					.then().statusCode(204);
+
+			Mockito.verify(keycloakAdminService).deleteGroup("mockedGroupId");
+		}
+
+		@Test
+		@DisplayName("DELETE /groups/{id} returns 404 for non-existing group")
+		void testDeleteGroupNotFound() {
+			Mockito.doThrow(new NotFoundException("Group not found"))
+					.when(keycloakAdminService).deleteGroup("nonexistent");
+
+			when().delete("/groups/nonexistent")
+					.then().statusCode(404);
+		}
+
+		@Test
+		@DisplayName("POST /groups/{groupId}/members/{userId} returns 204 when member added")
+		void testAddMemberSuccess() {
+			Mockito.doNothing().when(keycloakAdminService).addUserToGroup("group1", "user2");
+
+			when().post("/groups/group1/members/user2")
+					.then().statusCode(204);
+
+			Mockito.verify(keycloakAdminService).addUserToGroup("group1", "user2");
+		}
+
+		@Test
+		@DisplayName("POST /groups/{groupId}/members/{userId} returns 404 for non-existing group")
+		void testAddMemberGroupNotFound() {
+			Mockito.doThrow(new NotFoundException("Group not found"))
+					.when(keycloakAdminService).addUserToGroup("nonexistent", "user1");
+
+			when().post("/groups/nonexistent/members/user1")
+					.then().statusCode(404);
+		}
+
+		@Test
+		@DisplayName("POST /groups/{groupId}/members/{userId} returns 404 for non-existing user")
+		void testAddMemberUserNotFound() {
+			Mockito.doThrow(new NotFoundException("User not found"))
+					.when(keycloakAdminService).addUserToGroup("group1", "nonexistent");
+
+			when().post("/groups/group1/members/nonexistent")
+					.then().statusCode(404);
+		}
+
+		@Test
+		@DisplayName("DELETE /groups/{groupId}/members/{userId} returns 204 when member removed")
+		void testRemoveMemberSuccess() {
+			Mockito.doNothing().when(keycloakAdminService).removeUserFromGroup("group1", "user1");
+
+			when().delete("/groups/group1/members/user1")
+					.then().statusCode(204);
+
+			Mockito.verify(keycloakAdminService).removeUserFromGroup("group1", "user1");
+		}
+
+		@Test
+		@DisplayName("DELETE /groups/{groupId}/members/{userId} returns 404 for non-existing group")
+		void testRemoveMemberGroupNotFound() {
+			Mockito.doThrow(new NotFoundException("Group not found"))
+					.when(keycloakAdminService).removeUserFromGroup("nonexistent", "user1");
+
+			when().delete("/groups/nonexistent/members/user1")
+					.then().statusCode(404);
+		}
+
+		@Test
+		@DisplayName("DELETE /groups/{groupId}/members/{userId} returns 404 for non-existing user")
+		void testRemoveMemberUserNotFound() {
+			Mockito.doThrow(new NotFoundException("User not found"))
+					.when(keycloakAdminService).removeUserFromGroup("group1", "nonexistent");
+
+			when().delete("/groups/group1/members/nonexistent")
+					.then().statusCode(404);
+		}
+
+	}
+
 }
\ No newline at end of file
diff --git a/backend/src/test/java/org/cryptomator/hub/api/SettingsResourceIT.java b/backend/src/test/java/org/cryptomator/hub/api/SettingsResourceIT.java
index cdb7243e3..6cec13f54 100644
--- a/backend/src/test/java/org/cryptomator/hub/api/SettingsResourceIT.java
+++ b/backend/src/test/java/org/cryptomator/hub/api/SettingsResourceIT.java
@@ -14,6 +14,8 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.TestMethodOrder;
 
+import java.util.Set;
+
 import static io.restassured.RestAssured.given;
 import static io.restassured.RestAssured.when;
 import static org.hamcrest.CoreMatchers.is;
@@ -23,7 +25,7 @@
 public class SettingsResourceIT {
 
 	@BeforeAll
-	public static void beforeAll() {
+	static void beforeAll() {
 		RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
 	}
 
@@ -39,18 +41,20 @@ public class AsAdmin {
 		@Test
 		@Order(1)
 		@DisplayName("GET /settings returns 200")
-		public void testGetInitial() {
+		void testGetInitial() {
 			when().get("/settings")
 					.then().statusCode(200)
 					.body("wotMaxDepth", is(3))
-					.body("wotIdVerifyLen", is(2));
+					.body("wotIdVerifyLen", is(2))
+					.body("defaultRequiredEmergencyKeyShares", is(2))
+					.body("allowChoosingEmergencyCouncil", is(false));
 		}
 
 		@Test
 		@Order(2)
 		@DisplayName("PUT /settings returns 204 No Content")
-		public void testPut() {
-			var dto = new SettingsResource.SettingsDto("42", 5, 8);
+		void testPut() {
+			var dto = new SettingsResource.SettingsDto("42", 5, 8, true, 2, 3, false, Set.of());
 			given().contentType(ContentType.JSON).body(dto)
 					.when().put("/settings")
 					.then().statusCode(204);
@@ -59,7 +63,7 @@ public void testPut() {
 		@Test
 		@Order(3)
 		@DisplayName("GET /settings returns 200")
-		public void testGetModify() {
+		void testGetModify() {
 			when().get("/settings")
 					.then().statusCode(200)
 					.body("wotMaxDepth", is(5))
@@ -69,8 +73,8 @@ public void testGetModify() {
 		@Test
 		@Order(4)
 		@DisplayName("PUT /settings returns 204 No Content")
-		public void testPutBackToDefault() {
-			var dto = new SettingsResource.SettingsDto("42", 3, 2);
+		void testPutBackToDefault() {
+			var dto = new SettingsResource.SettingsDto("42", 3, 2, true, 2, 3, false, Set.of());
 			given().contentType(ContentType.JSON).body(dto)
 					.when().put("/settings")
 					.then().statusCode(204);
@@ -89,14 +93,14 @@ public class AsNormalUser {
 
 		@Test
 		@DisplayName("GET /settings returns 200")
-		public void testGet() {
+		void testGet() {
 			when().get("/settings")
 					.then().statusCode(200);
 		}
 
 		@Test
 		@DisplayName("PUT /settings returns 403 Forbidden")
-		public void testPut() {
+		void testPut() {
 			given().contentType(ContentType.JSON).body("")
 					.when().put("/settings")
 					.then().statusCode(403);
@@ -110,14 +114,14 @@ public class AsAnonymous {
 
 		@Test
 		@DisplayName("GET /billing returns 401 Unauthorized")
-		public void testGet() {
+		void testGet() {
 			when().get("/settings")
 					.then().statusCode(401);
 		}
 
 		@Test
 		@DisplayName("PUT /settings returns 401 Unauthorized")
-		public void testPut() {
+		void testPut() {
 			given().contentType(ContentType.JSON).body("")
 					.when().put("/settings")
 					.then().statusCode(401);
diff --git a/backend/src/test/java/org/cryptomator/hub/api/UsersResourceIT.java b/backend/src/test/java/org/cryptomator/hub/api/UsersResourceIT.java
index cd905e36c..329ada865 100644
--- a/backend/src/test/java/org/cryptomator/hub/api/UsersResourceIT.java
+++ b/backend/src/test/java/org/cryptomator/hub/api/UsersResourceIT.java
@@ -9,9 +9,16 @@
 import io.restassured.RestAssured;
 import io.restassured.http.ContentType;
 import jakarta.inject.Inject;
+import jakarta.ws.rs.ClientErrorException;
+import jakarta.ws.rs.ForbiddenException;
+import jakarta.ws.rs.NotFoundException;
+import jakarta.ws.rs.core.Response;
+import org.cryptomator.hub.keycloak.KeycloakAdminService;
+import org.cryptomator.hub.license.HubLicenseEntitlements;
 import org.cryptomator.hub.license.LicenseHolder;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.MethodOrderer;
 import org.junit.jupiter.api.Nested;
@@ -21,6 +28,7 @@
 import org.junit.jupiter.api.TestMethodOrder;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.CsvSource;
+import org.keycloak.representations.idm.UserRepresentation;
 import org.mockito.Mockito;
 
 import java.sql.SQLException;
@@ -39,7 +47,7 @@
 
 @QuarkusTest
 @DisplayName("Resource /users")
-public class UsersResourceIT {
+class UsersResourceIT {
 
 	@Inject
 	AgroalDataSource dataSource;
@@ -47,8 +55,11 @@ public class UsersResourceIT {
 	@InjectMock
 	LicenseHolder licenseHolder;
 
+	@InjectMock
+	KeycloakAdminService keycloakAdminService;
+
 	@BeforeAll
-	public static void beforeAll() {
+	static void beforeAll() {
 		RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
 	}
 
@@ -58,18 +69,18 @@ public static void beforeAll() {
 	@OidcSecurity(claims = {
 			@Claim(key = "sub", value = "user1")
 	})
-	public class AsAuthorzedUser1 {
+	class AsAuthorzedUser1 {
 
 		@Test
 		@DisplayName("PUT /users/me returns 201")
-		public void testSyncMe() {
+		void testSyncMe() {
 			when().put("/users/me")
 					.then().statusCode(201);
 		}
 
 		@Test
 		@DisplayName("GET /users/me returns 200")
-		public void testGetMe1() {
+		void testGetMe1() {
 			when().get("/users/me")
 					.then().statusCode(200)
 					.body("id", is("user1"))
@@ -78,7 +89,7 @@ public void testGetMe1() {
 
 		@Test
 		@DisplayName("GET /users/me?withDevices=true returns 200")
-		public void testGetMe2() throws SQLException {
+		void testGetMe2() throws SQLException {
 			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
 				s.execute("""
 						INSERT INTO "audit_event" (id, timestamp, type) VALUES (30000, '2020-02-20T20:20:24.242Z', 'VAULT_KEY_RETRIEVE');
@@ -106,7 +117,7 @@ public void testGetMe2() throws SQLException {
 
 		@Test
 		@DisplayName("GET /users/me-with-legacy-devices-and-access returns 200")
-		public void testGetMe3() throws SQLException {
+		void testGetMe3() throws SQLException {
 			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
 				s.execute("""
 						INSERT INTO "audit_event" (id, timestamp, type) VALUES (30000, '2020-02-20T20:20:24.242Z', 'VAULT_KEY_RETRIEVE');
@@ -131,17 +142,9 @@ public void testGetMe3() throws SQLException {
 			}
 		}
 
-		@Test
-		@DisplayName("GET /users returns 200")
-		public void testGetAll() {
-			when().get("/users")
-					.then().statusCode(200)
-					.body("id", hasItems("user1", "user2"));
-		}
-
 		@Test
 		@DisplayName("POST /users/me/access-tokens returns 200")
-		public void testPostAccessTokens1() {
+		void testPostAccessTokens1() {
 			var body = """
 					{
 						"7E57C0DE-0000-4000-8000-000100001111": "jwe.jwe.jwe.vault1.user1",
@@ -155,7 +158,7 @@ public void testPostAccessTokens1() {
 
 		@Test
 		@DisplayName("POST /users/me/access-tokens returns 200 for empty list")
-		public void testPostAccessTokens2() {
+		void testPostAccessTokens2() {
 			given().contentType(ContentType.JSON).body("{}")
 					.when().post("/users/me/access-tokens")
 					.then().statusCode(200);
@@ -163,7 +166,7 @@ public void testPostAccessTokens2() {
 
 		@Test
 		@DisplayName("POST /users/me/access-tokens returns 400 for malformed body")
-		public void testPostAccessTokens3() {
+		void testPostAccessTokens3() {
 			given().contentType(ContentType.JSON).body("")
 					.when().post("/users/me/access-tokens")
 					.then().statusCode(400);
@@ -173,7 +176,7 @@ public void testPostAccessTokens3() {
 
 	@Nested
 	@DisplayName("As unauthenticated user")
-	public class AsAnonymous {
+	class AsAnonymous {
 
 		@DisplayName("401 Unauthorized")
 		@ParameterizedTest(name = "{0} {1}")
@@ -182,7 +185,7 @@ public class AsAnonymous {
 				"PUT, /users/me",
 				"GET, /users"
 		})
-		public void testGet(String method, String path) {
+		void testGet(String method, String path) {
 			when().request(method, path)
 					.then().statusCode(401);
 		}
@@ -193,12 +196,12 @@ public void testGet(String method, String path) {
 	@DisplayName("Test Web of Trust")
 	@TestInstance(TestInstance.Lifecycle.PER_CLASS)
 	@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
-	public class WebOfTrust {
+	class WebOfTrust {
 
 		private Instant testStart;
 
 		@BeforeAll
-		public void setup() throws SQLException {
+		void setup() throws SQLException {
 			testStart = Instant.now();
 			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
 				s.execute("""
@@ -219,7 +222,7 @@ public void setup() throws SQLException {
 		@OidcSecurity(claims = {
 				@Claim(key = "sub", value = "user997")
 		})
-		public void test997Trusts998() {
+		void test997Trusts998() {
 			given().contentType(ContentType.TEXT).body("997 trusts 998")
 					.when().put("/users/trusted/user998")
 					.then().statusCode(204);
@@ -232,7 +235,7 @@ public void test997Trusts998() {
 		@OidcSecurity(claims = {
 				@Claim(key = "sub", value = "user998")
 		})
-		public void test998Trusts999() {
+		void test998Trusts999() {
 			given().contentType(ContentType.TEXT).body("998 trusts 999")
 					.when().put("/users/trusted/user999")
 					.then().statusCode(204);
@@ -245,7 +248,7 @@ public void test998Trusts999() {
 		@OidcSecurity(claims = {
 				@Claim(key = "sub", value = "user998")
 		})
-		public void test998Trusts997() {
+		void test998Trusts997() {
 			given().contentType(ContentType.TEXT).body("998 trusts 997")
 					.when().put("/users/trusted/user997")
 					.then().statusCode(204);
@@ -258,7 +261,7 @@ public void test998Trusts997() {
 		@OidcSecurity(claims = {
 				@Claim(key = "sub", value = "user997")
 		})
-		public void testGetTrustedBy997() {
+		void testGetTrustedBy997() {
 			given().when().get("/users/trusted")
 					.then().statusCode(200)
 					.body("$", hasSize(2))
@@ -274,7 +277,7 @@ public void testGetTrustedBy997() {
 		@OidcSecurity(claims = {
 				@Claim(key = "sub", value = "user998")
 		})
-		public void testGetTrustedBy998() {
+		void testGetTrustedBy998() {
 			given().when().get("/users/trusted")
 					.then().statusCode(200)
 					.body("$", hasSize(2))
@@ -290,7 +293,7 @@ public void testGetTrustedBy998() {
 		@OidcSecurity(claims = {
 				@Claim(key = "sub", value = "user999")
 		})
-		public void testGetTrustedBy999() {
+		void testGetTrustedBy999() {
 			given().when().get("/users/trusted")
 					.then().statusCode(200)
 					.body("$", hasSize(0));
@@ -303,7 +306,7 @@ public void testGetTrustedBy999() {
 		@OidcSecurity(claims = {
 				@Claim(key = "sub", value = "user997")
 		})
-		public void test997Gets998() {
+		void test997Gets998() {
 			given().when().get("/users/trusted/user998")
 					.then().statusCode(200)
 					.body("signatureChain", hasItems("997 trusts 998"));
@@ -316,7 +319,7 @@ public void test997Gets998() {
 		@OidcSecurity(claims = {
 				@Claim(key = "sub", value = "user997")
 		})
-		public void test997Gets999() {
+		void test997Gets999() {
 			given().when().get("/users/trusted/user999")
 					.then().statusCode(200)
 					.body("signatureChain", hasItems("997 trusts 998", "998 trusts 999"));
@@ -329,7 +332,7 @@ public void test997Gets999() {
 		@OidcSecurity(claims = {
 				@Claim(key = "sub", value = "user999")
 		})
-		public void test999Gets998() {
+		void test999Gets998() {
 			given().when().get("/users/trusted/user998")
 					.then().statusCode(404);
 		}
@@ -338,8 +341,9 @@ public void test999Gets998() {
 		@Order(4)
 		@TestSecurity(user = "Admin", roles = {"admin"})
 		@DisplayName("As admin, GET /auditlog contains signature events")
-		public void testGetAuditLogEntries() {
-			Mockito.doReturn(true).when(licenseHolder).isSet();
+		void testGetAuditLogEntries() {
+			var entitlements = HubLicenseEntitlements.create().withAuditLogRetentionDays(7L);
+			Mockito.doReturn(entitlements).when(licenseHolder).getEntitlements();
 			Mockito.doReturn(false).when(licenseHolder).isExpired();
 
 			given().param("startDate", DateTimeFormatter.ISO_INSTANT.format(testStart))
@@ -352,7 +356,7 @@ public void testGetAuditLogEntries() {
 
 
 		@AfterAll
-		public void tearDown() throws SQLException {
+		void tearDown() throws SQLException {
 			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
 				s.execute("""
 						DELETE FROM "authority" WHERE "id" IN ('user997', 'user998', 'user999');
@@ -362,4 +366,286 @@ public void tearDown() throws SQLException {
 
 	}
 
+	@Nested
+	@DisplayName("User CRUD Operations")
+	@TestSecurity(user = "Admin User", roles = {"admin"})
+	@OidcSecurity(claims = {
+			@Claim(key = "sub", value = "admin")
+	})
+	@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+	class UserCrudOperations {
+
+		@BeforeEach
+		void resetMocks() {
+			Mockito.reset(keycloakAdminService);
+		}
+
+		@BeforeAll
+		void setup() throws SQLException {
+			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
+				s.execute("""
+						INSERT INTO "authority" ("id", "type", "name") VALUES ('newUserId123', 'USER', 'newuser');
+						INSERT INTO "user_details" ("id") VALUES ('newUserId123');
+						""");
+			}
+		}
+
+		@AfterAll
+		void tearDown() throws SQLException {
+			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
+				s.execute("""
+						DELETE FROM "authority" WHERE "id" = 'newUserId123';
+						""");
+			}
+		}
+
+		@Test
+		@DisplayName("GET /users returns 200")
+		void testGetAll() {
+			when().get("/users")
+					.then().statusCode(200)
+					.body("id", hasItems("user1", "user2"));
+		}
+
+		@Test
+		@DisplayName("POST /users returns 201 when user created successfully")
+		void testCreateUserSuccess() {
+			var userRep = new UserRepresentation();
+			userRep.setId("newUserId123");
+			userRep.setUsername("newuser");
+			userRep.setEmail("newuser@example.com");
+
+			Mockito.when(keycloakAdminService.createUser(
+					Mockito.eq("newuser"),
+					Mockito.eq("newuser@example.com"),
+					Mockito.eq("New"),
+					Mockito.eq("User"),
+					Mockito.eq("password123"),
+					Mockito.isNull(),
+					Mockito.isNull()
+			)).thenReturn(userRep);
+
+			var body = """
+					{
+						"name": "newuser",
+						"email": "newuser@example.com",
+						"firstName": "New",
+						"lastName": "User",
+						"password": "password123",
+						"realmRoles": []
+					}
+					""";
+			given().contentType(ContentType.JSON).body(body)
+					.when().post("/users")
+					.then().statusCode(201);
+		}
+
+		@Test
+		@DisplayName("POST /users returns 409 when username already exists")
+		void testCreateUserConflictUsername() {
+			Mockito.when(keycloakAdminService.createUser(
+					Mockito.anyString(),
+					Mockito.anyString(),
+					Mockito.anyString(),
+					Mockito.anyString(),
+					Mockito.anyString(),
+					Mockito.any(),
+					Mockito.any()
+			)).thenThrow(new ClientErrorException("USERNAME_EXISTS", Response.Status.CONFLICT));
+
+			var body = """
+					{
+						"name": "existinguser",
+						"email": "new@example.com",
+						"firstName": "Test",
+						"lastName": "User",
+						"password": "password123",
+						"realmRoles": []
+					}
+					""";
+			given().contentType(ContentType.JSON).body(body)
+					.when().post("/users")
+					.then().statusCode(409);
+		}
+
+		@Test
+		@DisplayName("POST /users returns 409 when email already exists")
+		void testCreateUserConflictEmail() {
+			Mockito.when(keycloakAdminService.createUser(
+					Mockito.anyString(),
+					Mockito.anyString(),
+					Mockito.anyString(),
+					Mockito.anyString(),
+					Mockito.anyString(),
+					Mockito.any(),
+					Mockito.any()
+			)).thenThrow(new ClientErrorException("EMAIL_EXISTS", Response.Status.CONFLICT));
+
+			var body = """
+					{
+						"name": "newuser",
+						"email": "existing@example.com",
+						"firstName": "Test",
+						"lastName": "User",
+						"password": "password123",
+						"realmRoles": []
+					}
+					""";
+			given().contentType(ContentType.JSON).body(body)
+					.when().post("/users")
+					.then().statusCode(409);
+		}
+
+		@Test
+		@DisplayName("POST /users returns 400 for invalid body")
+		void testCreateUserInvalidBody() {
+			var body = """
+					{
+						"username": "newuser"
+					}
+					""";
+			given().contentType(ContentType.JSON).body(body)
+					.when().post("/users")
+					.then().statusCode(400);
+		}
+
+		@Test
+		@DisplayName("GET /users/{id} returns 200 for existing user")
+		void testGetUserSuccess() {
+			when().get("/users/user1")
+					.then().statusCode(200)
+					.body("id", is("user1"));
+		}
+
+		@Test
+		@DisplayName("GET /users/{id} returns 404 for non-existing user")
+		void testGetUserNotFound() {
+			when().get("/users/nonexistent")
+					.then().statusCode(404);
+		}
+
+		@Test
+		@DisplayName("PUT /users/{id} returns 200 when update successful")
+		void testUpdateUserSuccess() {
+			var userRep = new UserRepresentation();
+			userRep.setId("user1");
+			userRep.setEmail("email1");
+			userRep.setUsername("User Name 1");
+			userRep.setFirstName("Updated");
+			userRep.setLastName("Name");
+
+			Mockito.when(keycloakAdminService.updateUser(
+					Mockito.eq("user1"),
+					Mockito.isNull(),
+					Mockito.eq("Updated"),
+					Mockito.eq("Name"),
+					Mockito.isNull(),
+					Mockito.isNull()
+			)).thenReturn(userRep);
+
+			var body = """
+					{
+						"firstName": "Updated",
+						"lastName": "Name",
+						"realmRoles": []
+					}
+					""";
+			given().contentType(ContentType.JSON).body(body)
+					.when().put("/users/user1")
+					.then().statusCode(200);
+		}
+
+		@Test
+		@DisplayName("PUT /users/{id} returns 404 for non-existing user")
+		void testUpdateUserNotFound() {
+			Mockito.when(keycloakAdminService.updateUser(
+					Mockito.eq("nonexistent"),
+					Mockito.any(),
+					Mockito.any(),
+					Mockito.any(),
+					Mockito.any(),
+					Mockito.any()
+			)).thenThrow(new NotFoundException("User not found"));
+
+			var body = """
+					{
+						"firstName": "Updated",
+						"lastName": "Name",
+						"realmRoles": []
+					}
+					""";
+			given().contentType(ContentType.JSON).body(body)
+					.when().put("/users/nonexistent")
+					.then().statusCode(404);
+		}
+
+		@Test
+		@DisplayName("PUT /users/{id} returns 403 for federated user")
+		void testUpdateUserForbidden() {
+			Mockito.when(keycloakAdminService.updateUser(
+					Mockito.eq("federatedUser"),
+					Mockito.any(),
+					Mockito.any(),
+					Mockito.any(),
+					Mockito.any(),
+					Mockito.any()
+			)).thenThrow(new ForbiddenException("User has a federated identity"));
+
+			var body = """
+					{
+						"firstName": "Updated",
+						"lastName": "Name",
+						"realmRoles": []
+					}
+					""";
+			given().contentType(ContentType.JSON).body(body)
+					.when().put("/users/federatedUser")
+					.then().statusCode(403);
+		}
+
+		@Test
+		@DisplayName("PUT /users/{id}/enabled returns 204 when disabled successfully")
+		void testSetUserEnabledSuccess() {
+			Mockito.doNothing().when(keycloakAdminService).setUserEnabled("user1", false);
+
+			given().contentType(ContentType.TEXT).body("false")
+					.when().put("/users/user1/enabled")
+					.then().statusCode(204);
+
+			Mockito.verify(keycloakAdminService).setUserEnabled("user1", false);
+		}
+
+		@Test
+		@DisplayName("DELETE /users/{id} returns 204 when deleted successfully")
+		void testDeleteUserSuccess() {
+			Mockito.doNothing().when(keycloakAdminService).deleteUser("mockedUserId");
+
+			when().delete("/users/mockedUserId")
+					.then().statusCode(204);
+
+			Mockito.verify(keycloakAdminService).deleteUser("mockedUserId");
+		}
+
+		@Test
+		@DisplayName("DELETE /users/{id} returns 404 for non-existing user")
+		void testDeleteUserNotFound() {
+			Mockito.doThrow(new NotFoundException("User not found"))
+					.when(keycloakAdminService).deleteUser("nonexistent");
+
+			when().delete("/users/nonexistent")
+					.then().statusCode(404);
+		}
+
+		@Test
+		@DisplayName("DELETE /users/{id} returns 403 for federated user")
+		void testDeleteUserForbidden() {
+			Mockito.doThrow(new ForbiddenException("User has a federated identity"))
+					.when(keycloakAdminService).deleteUser("federatedUser");
+
+			when().delete("/users/federatedUser")
+					.then().statusCode(403);
+		}
+
+	}
+
 }
\ No newline at end of file
diff --git a/backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java b/backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java
index 34f7d776c..c6205548f 100644
--- a/backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java
+++ b/backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java
@@ -4,6 +4,8 @@
 import com.auth0.jwt.algorithms.Algorithm;
 import io.agroal.api.AgroalDataSource;
 import io.quarkus.narayana.jta.QuarkusTransaction;
+import io.quarkus.test.InjectMock;
+import io.quarkus.test.junit.QuarkusMock;
 import io.quarkus.test.junit.QuarkusTest;
 import io.quarkus.test.security.TestSecurity;
 import io.quarkus.test.security.oidc.Claim;
@@ -11,18 +13,30 @@
 import io.restassured.RestAssured;
 import io.restassured.http.ContentType;
 import jakarta.inject.Inject;
+import jakarta.transaction.Transactional;
 import jakarta.validation.Validator;
+import jakarta.ws.rs.core.Response;
+import org.cryptomator.hub.katta.KeycloakCryptomatorVaultsHelper;
+import org.cryptomator.hub.entities.EffectiveGroupMembership;
 import org.cryptomator.hub.entities.EffectiveVaultAccess;
+import org.cryptomator.hub.entities.Group;
+import org.cryptomator.hub.entities.User;
 import org.cryptomator.hub.entities.Vault;
+import org.cryptomator.hub.entities.VaultAccess;
+import org.cryptomator.hub.entities.events.EventLogger;
+import org.cryptomator.hub.entities.events.VaultKeyRetrievedEvent;
+import org.cryptomator.hub.license.HubLicenseEntitlements;
+import org.cryptomator.hub.license.LicenseHolder;
+import org.cryptomator.hub.metrics.VaultUnlockMetrics;
 import org.cryptomator.hub.rollback.DBRollbackAfter;
 import org.cryptomator.hub.rollback.DBRollbackBefore;
 import org.flywaydb.core.Flyway;
 import org.hamcrest.MatcherAssert;
 import org.hamcrest.Matchers;
 import org.junit.jupiter.api.AfterAll;
-import org.junit.jupiter.api.Assertions;
-import org.junit.jupiter.api.Assumptions;
+import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.MethodOrderer;
 import org.junit.jupiter.api.Nested;
@@ -32,19 +46,32 @@
 import org.junit.jupiter.api.TestMethodOrder;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.CsvSource;
+import org.keycloak.admin.client.Keycloak;
+import org.keycloak.admin.client.resource.ClientResource;
+import org.keycloak.admin.client.resource.ClientScopeResource;
+import org.keycloak.admin.client.resource.ClientScopesResource;
+import org.keycloak.admin.client.resource.ClientsResource;
+import org.keycloak.admin.client.resource.GroupResource;
+import org.keycloak.admin.client.resource.GroupsResource;
+import org.keycloak.admin.client.resource.RealmResource;
+import org.keycloak.admin.client.resource.RoleMappingResource;
+import org.keycloak.admin.client.resource.RoleResource;
+import org.keycloak.admin.client.resource.RoleScopeResource;
+import org.keycloak.admin.client.resource.RolesResource;
+import org.keycloak.admin.client.resource.UserResource;
+import org.keycloak.admin.client.resource.UsersResource;
+import org.keycloak.representations.idm.ClientRepresentation;
+import org.keycloak.representations.idm.RoleRepresentation;
+import org.mockito.Mockito;
 
 import java.security.GeneralSecurityException;
-import java.security.KeyFactory;
 import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
 import java.security.interfaces.ECPrivateKey;
 import java.security.spec.ECGenParameterSpec;
-import java.security.spec.InvalidKeySpecException;
-import java.security.spec.PKCS8EncodedKeySpec;
 import java.sql.SQLException;
 import java.time.Instant;
 import java.util.Base64;
+import java.util.List;
 import java.util.Map;
 import java.util.UUID;
 
@@ -62,6 +89,9 @@
 @DisplayName("Resource /vaults")
 public class VaultResourceIT {
 
+	@InjectMock
+	EventLogger eventLogger;
+
 	@Inject
 	AgroalDataSource dataSource;
 	@Inject
@@ -69,22 +99,72 @@ public class VaultResourceIT {
 	@Inject
 	Vault.Repository vaultRepo;
 	@Inject
+	Group.Repository groupRepo;
+	@Inject
+	User.Repository userRepo;
+	@Inject
+	EffectiveGroupMembership.Repository effectiveGroupMembershipRepo;
+	@Inject
 	Validator validator;
+	@InjectMock
+	LicenseHolder licenseHolder;
+	@InjectMock
+	VaultUnlockMetrics vaultUnlockMetrics;
+
 	@Inject
+	@SuppressWarnings("unused") // needed for @DBRollbackBefore, @DBRollbackAfter
 	public Flyway flyway;
 
+	@InjectMock
+	KeycloakCryptomatorVaultsHelper keycloakCryptomatorVaultsHelper;
+
 	@BeforeAll
-	public static void beforeAll() {
+	static void beforeAll() {
 		RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
+		// https://quarkus.io/guides/getting-started-testing#quarkus_mock
+		KeycloakCryptomatorVaultsHelperMock mock = Mockito.mock(KeycloakCryptomatorVaultsHelperMock.class);
+		QuarkusMock.installMockForType(mock, KeycloakCryptomatorVaultsHelper.class);
 	}
 
-	private static PrivateKey getPrivateKey(String keyBytes) throws NoSuchAlgorithmException, InvalidKeySpecException {
-		return KeyFactory.getInstance("EC").generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(keyBytes)));
+	@BeforeEach
+	@Transactional
+	void setupTestData() {
+		var user998 = new User();
+		user998.setId("user998");
+		user998.setName("User 998");
+
+		var user999 = new User();
+		user999.setId("user999");
+		user999.setName("User 999");
+		user999.setEcdhPublicKey("ecdh_public999");
+		user999.setEcdsaPublicKey("ecdsa_public999");
+		user999.setPrivateKeys("private999");
+		user999.setSetupCode("setup999");
+
+		userRepo.persist(user998, user999);
+
+		var group2 = groupRepo.findById("group2");
+		group2.getMembers().add(user998);
+		group2.getMembers().add(user999);
+		groupRepo.persist(group2);
+
+		effectiveGroupMembershipRepo.updateUsers(List.of("user998", "user999"));
+		effectiveGroupMembershipRepo.updateGroups(List.of("group2"));
+
+		var entitlements = HubLicenseEntitlements.create().withSeats(5L);
+		Mockito.doReturn(entitlements).when(licenseHolder).getEntitlements();
+		Mockito.doReturn(false).when(licenseHolder).isExpired();
+	}
+
+	@AfterEach
+	@Transactional
+	void cleanupTestData() {
+		userRepo.deleteByIds(List.of("user998", "user999"));
 	}
 
 	@Nested
 	@DisplayName("Test VaultDto validation")
-	public class TestVaultDtoValidation {
+	class TestVaultDtoValidation {
 
 		private static final UUID VALID_ID = UUID.fromString("7E57C0DE-0000-4000-8000-000100001111");
 		private static final String VALID_NAME = "foobar";
@@ -96,8 +176,8 @@ public class TestVaultDtoValidation {
 		private static final String VALID_UVF_RECOVERY_KEY = "base64";
 
 		@Test
-		public void testValidDto() {
-			var dto = new VaultResource.VaultDto(VALID_ID, VALID_NAME, "foobarbaz", false, Instant.parse("2020-02-20T20:20:20Z"), VALID_UVF_METADATA_FILE, VALID_UVF_RECOVERY_KEY, VALID_MASTERKEY, 8, VALID_SALT, VALID_AUTH_PUB, VALID_AUTH_PRI);
+		void testValidDto() {
+			var dto = new VaultResource.VaultDto(VALID_ID, VALID_NAME, Instant.parse("2020-02-20T20:20:20Z"), "foobarbaz", false, 0, Map.of(), VALID_UVF_METADATA_FILE, VALID_UVF_RECOVERY_KEY, VALID_MASTERKEY, 8, VALID_SALT, VALID_AUTH_PUB, VALID_AUTH_PRI);
 			var violations = validator.validate(dto);
 			MatcherAssert.assertThat(violations, Matchers.empty());
 		}
@@ -110,11 +190,11 @@ public void testValidDto() {
 	@OidcSecurity(claims = {
 			@Claim(key = "sub", value = "user1")
 	})
-	public class AsAuthorizedUser1 {
+	class AsAuthorizedUser1 {
 
 		@Test
 		@DisplayName("GET /vaults/accessible returns 200")
-		public void testGetSharedOrOwnedNotArchived() {
+		void testGetSharedOrOwnedNotArchived() {
 			when().get("/vaults/accessible")
 					.then().statusCode(200)
 					.body("id", hasItems(equalToIgnoringCase("7E57C0DE-0000-4000-8000-000100001111"), equalToIgnoringCase("7E57C0DE-0000-4000-8000-000100002222")));
@@ -122,7 +202,7 @@ public void testGetSharedOrOwnedNotArchived() {
 
 		@Test
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100001111 returns 200")
-		public void testGetVault1() {
+		void testGetVault1() {
 			when().get("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100001111")
 					.then().statusCode(200)
 					.body("id", equalToIgnoringCase("7E57C0DE-0000-4000-8000-000100001111"));
@@ -130,71 +210,84 @@ public void testGetVault1() {
 
 		@Test
 		@DisplayName("GET /vaults/nonExistingVault returns 404")
-		public void testGetVault2() {
-			when().get("/vaults/{vaultId}", "nonExistingVault")
+		void testGetVault2() {
+			when().get("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-BADBADBADBAD")
 					.then().statusCode(404);
 		}
 
 		@Test
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100001111/access-token returns 200 using user access")
-		public void testUnlock1() {
+		void testUnlock1() {
 			when().get("/vaults/{vaultId}/access-token", "7E57C0DE-0000-4000-8000-000100001111")
 					.then().statusCode(200)
 					.body(is("jwe.jwe.jwe.vault1.user1"));
+			Mockito.verify(vaultUnlockMetrics).recordUnlock();
+			Mockito.verify(vaultUnlockMetrics).recordSuccess();
 		}
 
 		@Test
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100002222/access-token returns 200 using group access")
-		public void testUnlock2() {
+		void testUnlock2() {
 			when().get("/vaults/{vaultId}/access-token", "7E57C0DE-0000-4000-8000-000100002222")
 					.then().statusCode(200)
 					.body(is("jwe.jwe.jwe.vault2.user1"));
+			Mockito.verify(vaultUnlockMetrics).recordUnlock();
+			Mockito.verify(vaultUnlockMetrics).recordSuccess();
 		}
 
 		@Test
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100001111/access-token returns 200 using user access with evenIfArchived set")
-		public void testUnlock3() {
+		void testUnlock3() {
 			when().get("/vaults/{vaultId}/access-token?evenIfArchived=true", "7E57C0DE-0000-4000-8000-000100001111")
 					.then().statusCode(200)
 					.body(is("jwe.jwe.jwe.vault1.user1"));
+			Mockito.verify(vaultUnlockMetrics).recordUnlock();
+			Mockito.verify(vaultUnlockMetrics).recordSuccess();
 		}
 
 		@Test
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100001111/access-token with remote IP and device ID stores it in audit log")
-		public void testUnlock4() throws SQLException {
+		void testUnlock4() {
 			given().header("HUB-DEVICE-ID", "123456789123456789")
 					.header("X-Forwarded-For", "1.2.3.4")
 					.when().get("/vaults/{vaultId}/access-token", "7E57C0DE-0000-4000-8000-000100001111")
 					.then().statusCode(200)
 					.body(is("jwe.jwe.jwe.vault1.user1"));
 
-			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
-				var rs = s.executeQuery("""
-						SELECT * FROM "audit_event_vault_key_retrieve" WHERE "device_id" = '123456789123456789' AND "ip_address" = '1.2.3.4';
-						""");
-				Assertions.assertTrue(rs.next());
-			}
+			Mockito.verify(eventLogger).logVaultKeyRetrieved(
+					"user1",
+					UUID.fromString("7E57C0DE-0000-4000-8000-000100001111"),
+					VaultKeyRetrievedEvent.Result.SUCCESS,
+					"1.2.3.4",
+					"123456789123456789"
+			);
 		}
 
 		@Test
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-00010000AAAA/access-token returns 410 for archived vaults")
-		public void testUnlockArchived1() {
+		void testUnlockArchived1() {
 			when().get("/vaults/{vaultId}/access-token", "7E57C0DE-0000-4000-8000-00010000AAAA")
 					.then().statusCode(410);
+			Mockito.verify(vaultUnlockMetrics).recordUnlock();
+			Mockito.verify(vaultUnlockMetrics).recordFailure();
 		}
 
 		@Test
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-00010000AAAA/access-token returns 410 for archived vaults with evenIfArchived set to false")
-		public void testUnlockArchived2() {
+		void testUnlockArchived2() {
 			when().get("/vaults/{vaultId}/access-token?evenIfArchived=false", "7E57C0DE-0000-4000-8000-00010000AAAA")
 					.then().statusCode(410);
+			Mockito.verify(vaultUnlockMetrics).recordUnlock();
+			Mockito.verify(vaultUnlockMetrics).recordFailure();
 		}
 
 		@Test
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-00010000AAAA/access-token returns 200 for archived vaults with evenIfArchived set to true")
-		public void testUnlockArchived3() throws SQLException {
+		void testUnlockArchived3() throws SQLException {
 			when().get("/vaults/{vaultId}/access-token?evenIfArchived=true", "7E57C0DE-0000-4000-8000-00010000AAAA")
 					.then().statusCode(200);
+			Mockito.verify(vaultUnlockMetrics).recordUnlock();
+			Mockito.verify(vaultUnlockMetrics).recordSuccess();
 		}
 
 		@Nested
@@ -203,11 +296,11 @@ public void testUnlockArchived3() throws SQLException {
 		@OidcSecurity(claims = {
 				@Claim(key = "sub", value = "user1")
 		})
-		public class LegacyUnlock {
+		class LegacyUnlock {
 
 			@Test
 			@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100001111/keys/legacyDevice1 returns 200 using user access")
-			public void testUnlock1() {
+			void testUnlock1() {
 				when().get("/vaults/{vaultId}/keys/{deviceId}", "7E57C0DE-0000-4000-8000-000100001111", "legacyDevice1")
 						.then().statusCode(200)
 						.body(is("legacy.jwe.jwe.vault1.device1"));
@@ -215,29 +308,30 @@ public void testUnlock1() {
 
 			@Test
 			@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100002222/keys/legacyDevice3 returns 200 using group access")
-			public void testUnlock2() {
+			void testUnlock2() {
 				when().get("/vaults/{vaultId}/keys/{deviceId}", "7E57C0DE-0000-4000-8000-000100002222", "legacyDevice3")
 						.then().statusCode(200)
 						.body(is("legacy.jwe.jwe.vault2.device3"));
 			}
 
 			@Test
-			@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100001111/keys/noSuchDevice returns 403") // legacy unlock must not encourage to register a legacy device by responding with 404 here
-			public void testUnlock3() {
+			@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100001111/keys/noSuchDevice returns 403")
+				// legacy unlock must not encourage to register a legacy device by responding with 404 here
+			void testUnlock3() {
 				when().get("/vaults/{vaultId}/keys/{deviceId}", "7E57C0DE-0000-4000-8000-000100001111", "noSuchDevice")
 						.then().statusCode(403);
 			}
 
 			@Test
 			@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100001111/keys/legacyDevice2 returns 403")
-			public void testUnlock4() {
+			void testUnlock4() {
 				when().get("/vaults/{vaultId}/keys/{deviceId}", "7E57C0DE-0000-4000-8000-000100001111", "legacyDevice2")
 						.then().statusCode(403);
 			}
 
 			@Test
 			@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-00010000AAAA/keys/someDevice returns 410 for archived vaults")
-			public void testUnlockArchived() {
+			void testUnlockArchived() {
 				when().get("/vaults/{vaultId}/keys/{deviceId}", "7E57C0DE-0000-4000-8000-00010000AAAA", "legacyDevice1")
 						.then().statusCode(410);
 			}
@@ -252,25 +346,26 @@ public void testUnlockArchived() {
 	@OidcSecurity(claims = {
 			@Claim(key = "sub", value = "user2")
 	})
-	public class AsAuthorizedUser2 {
+	class AsAuthorizedUser2 {
 
 		@Test
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100001111/access-token returns 449, because user2 is not initialized")
 		@DBRollbackBefore
-		public void testUnlock() {
+		void testUnlock() {
 			when().get("/vaults/{vaultId}/access-token", "7E57C0DE-0000-4000-8000-000100001111")
 					.then().statusCode(449);
 		}
 
 		@Test
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100003333 returns 403 for missing role")
-		public void testCreateVaultWithMissingRole() {
+		void testCreateVaultWithMissingRole() {
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100003333");
-			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 3", false, Instant.parse("2112-12-21T21:12:21Z"), "uvfMetadata3", "uvfKeySet3", "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3");
+			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", Instant.parse("2112-12-21T21:12:21Z"), "Test vault 3", false, 0, Map.of(), "uvfMetadata3", "uvfKeySet3", "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3");
 
 			given().contentType(ContentType.JSON).body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100003333")
 					.then().statusCode(403);
+
 		}
 
 	}
@@ -282,14 +377,14 @@ public void testCreateVaultWithMissingRole() {
 			@Claim(key = "sub", value = "user1")
 	})
 	@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
-	public class CreateVaults {
+	class CreateVaults {
 
 		@Test
 		@Order(1)
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100003333 returns 201")
-		public void testCreateVault1() {
+		void testCreateVault1() {
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100003333");
-			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 3", false, Instant.parse("2112-12-21T21:12:21Z"), "uvfMetadata3", "uvfKeySet3", "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3");
+			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", Instant.parse("2112-12-21T21:12:21Z"), "Test vault 3", false, 0, Map.of(), "uvfMetadata3", "uvfKeySet3", "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3");
 
 			given().contentType(ContentType.JSON).body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100003333")
@@ -303,7 +398,7 @@ public void testCreateVault1() {
 		@Test
 		@Order(1)
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-BADBADBADBAD returns 400 due to malformed request body")
-		public void testCreateVault2() {
+		void testCreateVault2() {
 			given().contentType(ContentType.JSON)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-BADBADBADBAD") // invalid body (expected json)
 					.then().statusCode(400);
@@ -312,9 +407,9 @@ public void testCreateVault2() {
 		@Test
 		@Order(1)
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100004444 returns 201 ignoring archived flag")
-		public void testCreateVault3() {
+		void testCreateVault3() {
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100004444");
-			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 4", true, Instant.parse("2112-12-21T21:12:21Z"), "uvfMetadata4", "uvfKeySet4","masterkey4", 42, "NaCl", "authPubKey4", "authPrvKey4");
+			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", Instant.parse("2112-12-21T21:12:21Z"), "Test vault 4", true, 0, Map.of(), "uvfMetadata4", "uvfKeySet4", "masterkey4", 42, "NaCl", "authPubKey4", "authPrvKey4");
 
 			given().contentType(ContentType.JSON).body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100004444")
@@ -328,9 +423,9 @@ public void testCreateVault3() {
 		@Test
 		@Order(2)
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100003333 returns 200, updating only name, description and archive flag")
-		public void testUpdateVault() {
+		void testUpdateVault() {
 			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100003333");
-			var vaultDto = new VaultResource.VaultDto(uuid, "VaultUpdated", "Vault updated.", true, Instant.parse("2222-11-11T11:11:11Z"), "doNotUpdate", "doNotUpdate", "doNotUpdate", 27, "doNotUpdate", "doNotUpdate", "doNotUpdate");
+			var vaultDto = new VaultResource.VaultDto(uuid, "VaultUpdated", Instant.parse("2222-11-11T11:11:11Z"), "Vault updated.", true, 0, Map.of(), "doNotUpdate", "doNotUpdate", "doNotUpdate", 27, "doNotUpdate", "doNotUpdate", "doNotUpdate");
 			given().contentType(ContentType.JSON)
 					.body(vaultDto)
 					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100003333")
@@ -345,17 +440,17 @@ public void testUpdateVault() {
 	}
 
 	@Nested
-	@DisplayName("As vault admin user1")
+	@DisplayName("As vault owner user1")
 	@TestSecurity(user = "User Name 1", roles = {"user"})
 	@OidcSecurity(claims = {
 			@Claim(key = "sub", value = "user1")
 	})
 	@TestInstance(TestInstance.Lifecycle.PER_CLASS)
-	public class GrantAccess {
+	class GrantAccess {
 
 		@Test
 		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100001111/access-tokens returns 404 for [user1, user666]")
-		public void testGrantAccess0() {
+		void testGrantAccess0() {
 			given().contentType(ContentType.JSON).body(Map.of("user1", "jwe.jwe.jwe.vault1.user1", "user666", "jwe.jwe.jwe.vault1.user666"))
 					.when().post("/vaults/{vaultId}/access-tokens/", "7E57C0DE-0000-4000-8000-000100001111")
 					.then().statusCode(404);
@@ -363,33 +458,18 @@ public void testGrantAccess0() {
 
 		@Test
 		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100001111/access-tokens returns 200 for [user998, user999]")
-		public void testGrantAccess1() throws SQLException {
-			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
-				s.execute("""
-						INSERT INTO "authority" ("id", "type", "name") VALUES ('user998', 'USER', 'User 998');
-						INSERT INTO "authority" ("id", "type", "name") VALUES ('user999', 'USER', 'User 999');
-						INSERT INTO "user_details" ("id") VALUES ('user998');
-						INSERT INTO "user_details" ("id") VALUES ('user999');
-						INSERT INTO "group_membership" ("group_id", "member_id") VALUES ('group2', 'user998');
-						INSERT INTO "group_membership" ("group_id", "member_id") VALUES ('group2', 'user999');
-						""");
-			}
+		void testGrantAccess1() {
 
 			given().contentType(ContentType.JSON).body(Map.of("user998", "jwe.jwe.jwe.vault1.user998", "user999", "jwe.jwe.jwe.vault1.user999"))
 					.when().post("/vaults/{vaultId}/access-tokens/", "7E57C0DE-0000-4000-8000-000100001111")
 					.then().statusCode(200);
 
-			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
-				s.execute("""
-						DELETE FROM "authority" WHERE "id" = 'user998';
-						DELETE FROM "authority" WHERE "id" = 'user999';
-						""");
-			}
+
 		}
 
 		@Test
 		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100001111/access-tokens returns 200 for user1")
-		public void testGrantAccess2() {
+		void testGrantAccess2() {
 			given().contentType(ContentType.JSON).body(Map.of("user1", "jwe.jwe.jwe.vault1.user1"))
 					.when().post("/vaults/{vaultId}/access-tokens/", "7E57C0DE-0000-4000-8000-000100001111")
 					.then().statusCode(200);
@@ -397,7 +477,7 @@ public void testGrantAccess2() {
 
 		@Test
 		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-BADBADBADBAD/access-tokens returns 403 (not owning this vault)")
-		public void testGrantAccess3() {
+		void testGrantAccess3() {
 			given().contentType(ContentType.JSON).body(Map.of("user1", "jwe.jwe.jwe.vault666.user1"))
 					.when().post("/vaults/{vaultId}/access-tokens/", "7E57C0DE-0000-4000-8000-BADBADBADBAD")
 					.then().statusCode(403);
@@ -405,7 +485,7 @@ public void testGrantAccess3() {
 
 		@Test
 		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100001111/access-tokens returns 404 for nonExistingUser")
-		public void testGrantAccess4() {
+		void testGrantAccess4() {
 			given().contentType(ContentType.JSON).body(Map.of("user666", "jwe.jwe.jwe.vault1.user666"))
 					.when().post("/vaults/{vaultId}/access-tokens/", "7E57C0DE-0000-4000-8000-000100001111")
 					.then().statusCode(404);
@@ -413,7 +493,7 @@ public void testGrantAccess4() {
 
 		@Test
 		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100001111/access-tokens returns 400 for empty body")
-		public void testGrantAccess5() {
+		void testGrantAccess5() {
 			given().contentType(ContentType.JSON).body(Map.of())
 					.when().post("/vaults/{vaultId}/access-tokens/", "7E57C0DE-0000-4000-8000-000100001111")
 					.then().statusCode(400);
@@ -421,7 +501,7 @@ public void testGrantAccess5() {
 
 		@Test
 		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-00010000AAAA/access-tokens returns 200 for user1 and vault archived")
-		public void testGrantAccessArchived() {
+		void testGrantAccessArchived() {
 			given().contentType(ContentType.JSON).body(Map.of("user1", "jwe.jwe.jwe.vaultAAA.user1"))
 					.when().post("/vaults/{vaultId}/access-tokens/", "7E57C0DE-0000-4000-8000-00010000AAAA")
 					.then().statusCode(200);
@@ -429,6 +509,33 @@ public void testGrantAccessArchived() {
 
 	}
 
+
+	@Nested
+	@DisplayName("Keycloak sync")
+	@TestSecurity(user = "User Name 1", roles = {"user", "create-vaults"})
+	@OidcSecurity(claims = {
+			@Claim(key = "sub", value = "user1")
+	})
+	public class KeycloakVaultsHelper {
+		@ParameterizedTest
+		@CsvSource(nullValues = "null", value = {"true,true", "true,false", "false,true", "false,false", "true,null", "null,true", "null,null"})
+		public void test(final Boolean minio, final Boolean aws) {
+			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100008888");
+			var vaultDto = new VaultResource.VaultDto(uuid, "VaultUpdated", Instant.parse("2222-11-11T11:11:11Z"), "Vault updated.", true, 0, Map.of(), "Rainbow", "Rainbow", "Rainbow", 27, "Rainbow", "Rainbow", "Rainbow");
+			given().contentType(ContentType.JSON)
+					.body(vaultDto)
+					.queryParam("minio", minio)
+					.queryParam("aws", aws)
+					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100008888")
+					.then()
+					.body("id", equalToIgnoringCase("7E57C0DE-0000-4000-8000-000100008888"))
+					.body("name", equalTo("VaultUpdated"))
+					.body("description", equalTo("Vault updated."))
+					.body("creationTime", not("2222-11-11T11:11:11Z"));
+			Mockito.verify(keycloakCryptomatorVaultsHelper, Mockito.times(1)).keycloakPrepareVault("7e57c0de-0000-4000-8000-000100008888", minio, aws);
+		}
+	}
+
 	@Nested
 	@DisplayName("Managing members as user2")
 	@TestSecurity(user = "User Name 2", roles = {"user"})
@@ -436,12 +543,12 @@ public void testGrantAccessArchived() {
 			@Claim(key = "sub", value = "user2")
 	})
 	@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
-	public class ManageAccessAsUser2 {
+	class ManageAccessAsUser2 {
 
 		@Test
 		@Order(1)
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100002222/users/user9999 returns 404 - no such user")
-		public void addNonExistingUser() {
+		void addNonExistingUser() {
 			given().when().put("/vaults/{vaultId}/users/{userId}", "7E57C0DE-0000-4000-8000-000100002222", "user9999")
 					.then().statusCode(404);
 		}
@@ -449,7 +556,7 @@ public void addNonExistingUser() {
 		@Test
 		@Order(2)
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-BADBADBADBAD/users/user2 returns 403 - not owning a nonexisting vault")
-		public void addUserToNonExistingVault() {
+		void addUserToNonExistingVault() {
 			given().when().put("/vaults/{vaultId}/users/{userId}", "7E57C0DE-0000-4000-8000-BADBADBADBAD", "user2")
 					.then().statusCode(403);
 		}
@@ -457,7 +564,7 @@ public void addUserToNonExistingVault() {
 		@Test
 		@Order(4)
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100002222/members does not contain user2")
-		public void getMembersOfVault2a() {
+		void getMembersOfVault2a() {
 			given().when().get("/vaults/{vaultId}/members", "7E57C0DE-0000-4000-8000-000100002222")
 					.then().statusCode(200)
 					.body("users.id", not(hasItems("user2")));
@@ -466,7 +573,7 @@ public void getMembersOfVault2a() {
 		@Test
 		@Order(4)
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100001111/members returns 403")
-		public void getMembersOfVault1() {
+		void getMembersOfVault1() {
 			when().get("/vaults/{vaultId}/members", "7E57C0DE-0000-4000-8000-000100001111")
 					.then().statusCode(403);
 		}
@@ -474,7 +581,7 @@ public void getMembersOfVault1() {
 		@Test
 		@Order(5)
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100002222/users-requiring-access-grant contains user2 via group membership")
-		public void testGetUsersRequiringAccess1() throws SQLException {
+		void testGetUsersRequiringAccess1() throws SQLException {
 			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
 				s.execute("""
 						UPDATE "user_details"
@@ -499,7 +606,7 @@ public void testGetUsersRequiringAccess1() throws SQLException {
 		@Test
 		@Order(6)
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100002222/members/user2 returns 201")
-		public void testGrantDirectAccessToSelf() {
+		void testGrantDirectAccessToSelf() {
 			given().when().put("/vaults/{vaultId}/users/{userId}", "7E57C0DE-0000-4000-8000-000100002222", "user2")
 					.then().statusCode(201);
 		}
@@ -507,7 +614,7 @@ public void testGrantDirectAccessToSelf() {
 		@Test
 		@Order(7)
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100002222/members does contain user2 directly")
-		public void getMembersOfVault2b() {
+		void getMembersOfVault2b() {
 			given().when().get("/vaults/{vaultId}/members", "7E57C0DE-0000-4000-8000-000100002222")
 					.then().statusCode(200)
 					.body("id", hasItems("user2"));
@@ -516,7 +623,7 @@ public void getMembersOfVault2b() {
 		@Test
 		@Order(10)
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100002222/users-requiring-access-grant contains user2")
-		public void testGetUsersRequiringAccess2() throws SQLException {
+		void testGetUsersRequiringAccess2() throws SQLException {
 			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
 				s.execute("""
 						UPDATE
@@ -541,7 +648,7 @@ public void testGetUsersRequiringAccess2() throws SQLException {
 		@Test
 		@Order(11)
 		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100002222/access-tokens for user2 returns 200")
-		public void testGrantAccess() {
+		void testGrantAccess() {
 			given().contentType(ContentType.JSON).body(Map.of("user2", "jwe.jwe.jwe.vault2.user2"))
 					.when().post("/vaults/{vaultId}/access-tokens/", "7E57C0DE-0000-4000-8000-000100002222")
 					.then().statusCode(200);
@@ -550,7 +657,7 @@ public void testGrantAccess() {
 		@Test
 		@Order(12)
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100002222/users-requiring-access-grant contains not user2")
-		public void testGetUsersRequiringAccess3() {
+		void testGetUsersRequiringAccess3() {
 			given().when().get("/vaults/{vaultId}/users-requiring-access-grant", "7E57C0DE-0000-4000-8000-000100002222")
 					.then().statusCode(200)
 					.body("id", not(hasItems("user2")));
@@ -559,19 +666,57 @@ public void testGetUsersRequiringAccess3() {
 		@Test
 		@Order(13)
 		@DisplayName("DELETE /vaults/7E57C0DE-0000-4000-8000-000100002222/members/user2 returns 204")
-		public void testRevokeAccess() { // previously added in testGrantAccess()
+		void testRevokeAccess() { // previously added in testGrantAccess()
 			given().when().delete("/vaults/{vaultId}/authority/{userId}", "7E57C0DE-0000-4000-8000-000100002222", "user2")
 					.then().statusCode(204);
 		}
 
 		@Test
 		@Order(14)
+		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100002222/members adds, removes and updates members")
+		void setMembersOfVault2() {
+			given().when().contentType(ContentType.JSON).body("""
+							{
+								"user1": "MEMBER",
+								"user2": "OWNER",
+								"group2": "MEMBER"
+							}
+							""").put("/vaults/{vaultId}/members", "7E57C0DE-0000-4000-8000-000100002222")
+					.then().statusCode(204);
+			var vaultId = UUID.fromString("7E57C0DE-0000-4000-8000-000100002222");
+			Mockito.verify(eventLogger).logVaultMemberAdded("user2", vaultId, "user1", VaultAccess.Role.MEMBER);
+			Mockito.verify(eventLogger).logVaultMemberAdded("user2", vaultId, "user2", VaultAccess.Role.OWNER);
+			Mockito.verify(eventLogger).logVaultMemberRemoved("user2", vaultId, "group1");
+			Mockito.verify(eventLogger).logVaultMemberUpdated("user2", vaultId, "group2", VaultAccess.Role.MEMBER);
+		}
+
+		@Test
+		@Order(15)
+		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100002222/members restores original members")
+		void restoreOriginalMembersOfVault2() { // as defined in V9999__Tst_Data.sql
+			given().when().contentType(ContentType.JSON).body("""
+							{
+								"group1": "MEMBER",
+								"group2": "OWNER"
+							}
+							""").put("/vaults/{vaultId}/members", "7E57C0DE-0000-4000-8000-000100002222")
+					.then().statusCode(204);
+			var vaultId = UUID.fromString("7E57C0DE-0000-4000-8000-000100002222");
+			Mockito.verify(eventLogger).logVaultMemberRemoved("user2", vaultId, "user1");
+			Mockito.verify(eventLogger).logVaultMemberRemoved("user2", vaultId, "user2");
+			Mockito.verify(eventLogger).logVaultMemberAdded("user2", vaultId, "group1", VaultAccess.Role.MEMBER);
+			Mockito.verify(eventLogger).logVaultMemberUpdated("user2", vaultId, "group2", VaultAccess.Role.OWNER);
+
+		}
+
+		@Test
+		@Order(16)
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100002222/members does not contain user2")
 		@DBRollbackAfter
-		public void getMembersOfVault2c() {
+		void getMembersOfVault2c() {
 			given().when().get("/vaults/{vaultId}/members", "7E57C0DE-0000-4000-8000-000100002222")
 					.then().statusCode(200)
-					.body("id", not(hasItems("user2")));
+					.body("id", not(hasItems("user2"))).body("id", hasItems("group1", "group2"));
 		}
 	}
 
@@ -583,24 +728,13 @@ public void getMembersOfVault2c() {
 	})
 	@TestInstance(TestInstance.Lifecycle.PER_CLASS)
 	@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
-	public class ManageAccessAsUser1 {
+	class ManageAccessAsUser1 {
 
-		@BeforeAll
-		public void setup() throws SQLException {
-			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
-				// user999 will be deleted in #cleanup()
-				s.execute("""
-						INSERT INTO "authority" ("id", "type", "name") VALUES ('user999', 'USER', 'User 999');
-						INSERT INTO "user_details" ("id", "ecdh_publickey", "ecdsa_publickey", "privatekeys", "setupcode") VALUES ('user999', 'ecdh_public999', 'ecdsa_public999', 'private999', 'setup999');
-						INSERT INTO "group_membership" ("group_id", "member_id") VALUES ('group2', 'user999')
-						""");
-			}
-		}
 
 		@Test
 		@Order(1)
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100001111/groups/group3000 returns 404")
-		public void addNonExistingGroup() {
+		void addNonExistingGroup() {
 			given().when().put("/vaults/{vaultId}/groups/{groupId}", "7E57C0DE-0000-4000-8000-000100001111", "group3000")
 					.then().statusCode(404);
 		}
@@ -608,24 +742,24 @@ public void addNonExistingGroup() {
 		@Test
 		@Order(2)
 		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100001111/groups/group2 returns 201")
-		public void addGroupToVault() {
+		void addGroupToVault() {
 			given().when().put("/vaults/{vaultId}/groups/{groupId}", "7E57C0DE-0000-4000-8000-000100001111", "group2")
 					.then().statusCode(201);
 		}
 
 		@Test
 		@Order(3)
-		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100001111/members does contain group2")
-		public void getMembersOfVault1a() {
+		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100001111/members does contain group2with memberSize=3")
+		void getMembersOfVault1a() {
 			given().when().get("/vaults/{vaultId}/members", "7E57C0DE-0000-4000-8000-000100001111")
 					.then().statusCode(200)
-					.body("id", hasItems("group2"));
+					.body("find { it.id == 'group2' }.memberSize", equalTo(3));
 		}
 
 		@Test
 		@Order(3)
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100002222/members returns 403")
-		public void getMembersOfVault2() {
+		void getMembersOfVault2() {
 			given().when().get("/vaults/{vaultId}/members", "7E57C0DE-0000-4000-8000-000100002222")
 					.then().statusCode(403);
 		}
@@ -633,7 +767,7 @@ public void getMembersOfVault2() {
 		@Test
 		@Order(4)
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100001111/users-requiring-access-grant contains user999")
-		public void testGetUsersRequiringAccess3() {
+		void testGetUsersRequiringAccess3() {
 			given().when().get("/vaults/{vaultId}/users-requiring-access-grant", "7E57C0DE-0000-4000-8000-000100001111")
 					.then().statusCode(200)
 					.body("id", hasItems("user999"));
@@ -642,16 +776,12 @@ public void testGetUsersRequiringAccess3() {
 		@Test
 		@Order(5)
 		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100001111/access-tokens for user999 returns 200")
-		public void testGrantAccess2() {
+		void testGrantAccess2() {
 			given().contentType(ContentType.JSON).body(Map.of("user999", "jwe.jwe.jwe.vault2.user999"))
 					.when().post("/vaults/{vaultId}/access-tokens/", "7E57C0DE-0000-4000-8000-000100001111")
 					.then().statusCode(200);
-		}
 
-		@Test
-		@Order(6)
-		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100001111/users-requiring-access-grant does no longer contain user999")
-		public void testGetUsersRequiringAccess4() {
+
 			given().when().get("/vaults/{vaultId}/users-requiring-access-grant", "7E57C0DE-0000-4000-8000-000100001111")
 					.then().statusCode(200)
 					.body("id", not(hasItems("user999")));
@@ -660,7 +790,7 @@ public void testGetUsersRequiringAccess4() {
 		@Test
 		@Order(7)
 		@DisplayName("DELETE /vaults/7E57C0DE-0000-4000-8000-000100001111/groups/group2 returns 204")
-		public void removeGroup2() {
+		void removeGroup2() {
 			given().when().delete("/vaults/{vaultId}/authority/{groupId}", "7E57C0DE-0000-4000-8000-000100001111", "group2")
 					.then().statusCode(204);
 		}
@@ -669,7 +799,7 @@ public void removeGroup2() {
 		@Order(8)
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100001111/members does not contain group2")
 		@DBRollbackAfter
-		public void getMembersOfVault1b() {
+		void getMembersOfVault1b() {
 			given().when().get("/vaults/{vaultId}/members", "7E57C0DE-0000-4000-8000-000100001111")
 					.then().statusCode(200)
 					.body("id", not(hasItems("group2")));
@@ -677,191 +807,6 @@ public void getMembersOfVault1b() {
 
 	}
 
-	@Nested
-	@DisplayName("When exceeding 5 seats in license")
-	@TestSecurity(user = "User Name 1", roles = {"user", "create-vaults"})
-	@OidcSecurity(claims = {
-			@Claim(key = "sub", value = "user1")
-	})
-	@TestInstance(TestInstance.Lifecycle.PER_CLASS)
-	@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
-	public class ExceedingLicenseLimits {
-
-		@BeforeAll
-		public void setup() throws SQLException {
-			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
-				s.execute("""
-						INSERT INTO "authority" ("id", "type", "name")
-						VALUES
-							('user91', 'USER', 'user name 91'),
-							('user92', 'USER', 'user name 92'),
-							('user93', 'USER', 'user name 93'),
-							('user94', 'USER', 'user name 94'),
-							('user95_A', 'USER', 'user name Archived'),
-							('group91', 'GROUP', 'group name 91');
-							
-						INSERT INTO "group_details" ("id")
-						VALUES
-							('group91');
-							
-						INSERT INTO "user_details" ("id")
-						VALUES
-							('user91'),
-							('user92'),
-							('user93'),
-							('user94'),
-							('user95_A');
-							
-						INSERT INTO "group_membership" ("group_id", "member_id")
-						VALUES
-							('group91', 'user91'),
-							('group91', 'user92'),
-							('group91', 'user93'),
-							('group91', 'user94');
-							
-						INSERT INTO "vault_access" ("vault_id", "authority_id")
-						VALUES
-							('7E57C0DE-0000-4000-8000-00010000AAAA', 'user95_A');
-						""");
-			}
-		}
-
-		@Test
-		@Order(0)
-		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100001111/access-tokens returns 402 for [user91, user92, user93, user94]")
-		public void grantAccessExceedingSeats() {
-			Assumptions.assumeTrue(effectiveVaultAccessRepo.countSeatOccupyingUsers() == 2);
-			var body = Map.of(
-					"user91", "jwe.jwe.jwe.vault1.user91", //
-					"user92", "jwe.jwe.jwe.vault1.user92", //
-					"user93", "jwe.jwe.jwe.vault1.user93", //
-					"user94", "jwe.jwe.jwe.vault1.user94" //
-			);
-
-			given().contentType(ContentType.JSON).body(body)
-					.when().post("/vaults/{vaultId}/access-tokens/", "7E57C0DE-0000-4000-8000-000100001111")
-					.then().statusCode(402);
-		}
-
-		@Test
-		@Order(1)
-		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100001111/groups/group91 returns 402")
-		public void addGroupToVaultExceedingSeats() {
-			Assumptions.assumeTrue(effectiveVaultAccessRepo.countSeatOccupyingUsers() == 2);
-
-			given().when().put("/vaults/{vaultId}/groups/{groupId}", "7E57C0DE-0000-4000-8000-000100001111", "group91")
-					.then().statusCode(402);
-		}
-
-		@Order(2)
-		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100001111/users/userXX returns 201")
-		@ParameterizedTest(name = "Adding user {0} succeeds")
-		@CsvSource(value = {"0,user91", "1,user92", "2,user93"})
-		public void addUserToVaultNotExceedingSeats(String run, String userId) {
-			Assumptions.assumeTrue(effectiveVaultAccessRepo.countSeatOccupyingUsers() == 2 + Integer.parseInt(run));
-
-			given().when().put("/vaults/{vaultId}/users/{usersId}", "7E57C0DE-0000-4000-8000-000100001111", userId)
-					.then().statusCode(201);
-		}
-
-		@Test
-		@Order(3)
-		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100001111/users/user94 returns 402")
-		public void addUserToVaultExceedingSeats() {
-			Assumptions.assumeTrue(effectiveVaultAccessRepo.countSeatOccupyingUsers() == 5);
-
-			given().when().put("/vaults/{vaultId}/users/{usersId}", "7E57C0DE-0000-4000-8000-000100001111", "user94")
-					.then().statusCode(402);
-		}
-
-		@Test
-		@Order(4)
-		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100001111 (as user1) returns 200 with only updated name, description and archive flag, despite exceeding license")
-		public void testUpdateVaultDespiteLicenseExceeded() {
-			Assumptions.assumeTrue(effectiveVaultAccessRepo.countSeatOccupyingUsers() == 5);
-			var vaultId = "7E57C0DE-0000-4000-8000-000100001111";
-
-			var vaultDto = new VaultResource.VaultDto(UUID.fromString(vaultId), "Vault 1", "This is a testvault.", false, Instant.parse("2222-11-11T11:11:11Z"), "doNotUpdate", "doNotUpdate", "someVaule", -1, "doNotUpdate", "doNotUpdate", "doNotUpdate");
-			given().contentType(ContentType.JSON)
-					.body(vaultDto)
-					.when().put("/vaults/{vaultId}", vaultId)
-					.then().statusCode(200)
-					.body("id", equalToIgnoringCase(vaultId))
-					.body("name", equalTo("Vault 1"))
-					.body("description", equalTo("This is a testvault."))
-					.body("archived", equalTo(false));
-		}
-
-		@Test
-		@Order(5)
-		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-0001FFFF3333 (as user1) exceeding the license returns 402")
-		public void testCreateVaultExceedingSeats() throws SQLException {
-			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
-				s.execute("""
-						INSERT INTO "vault_access" ("vault_id", "authority_id")
-						VALUES
-							('7E57C0DE-0000-4000-8000-000100001111', 'group91');
-						""");
-			}
-
-			Assumptions.assumeTrue(effectiveVaultAccessRepo.countSeatOccupyingUsers() > 5);
-
-			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-0001FFFF3333");
-			var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", "Test vault 4", false, Instant.parse("2112-12-21T21:12:21Z"), "uvfMetadata3", "uvfKeySet3", "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3");
-			given().contentType(ContentType.JSON).body(vaultDto)
-					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-0001FFFF3333")
-					.then().statusCode(402);
-		}
-
-		@Test
-		@Order(7)
-		@DisplayName("unlock/legacyUnlock is granted, if (effective vault user) > license seats but (effective vault user with access token) <= license seat")
-		public void testUnlockAllowedExceedingLicenseSoftLimit() {
-			Assumptions.assumeTrue(effectiveVaultAccessRepo.countSeatOccupyingUsersWithAccessToken() <= 5);
-
-			when().get("/vaults/{vaultId}/access-token", "7E57C0DE-0000-4000-8000-000100001111")
-					.then().statusCode(200);
-			when().get("/vaults/{vaultId}/keys/{deviceId}", "7E57C0DE-0000-4000-8000-000100002222", "legacyDevice3")
-					.then().statusCode(200)
-					.body(is("legacy.jwe.jwe.vault2.device3"));
-		}
-
-		@Test
-		@Order(8)
-		@DisplayName("Unlock/legacyUnlock is blocked if (effective vault users with toke) > license seats")
-		public void testUnockBlockedExceedingLicenseHardLimit() throws SQLException {
-			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
-				s.execute("""
-						INSERT INTO "access_token" ("user_id", "vault_id", "vault_masterkey")
-							VALUES ('user91', '7E57C0DE-0000-4000-8000-000100001111', 'jwe.jwe.jwe.vault1.user91');
-						INSERT INTO "access_token" ("user_id", "vault_id", "vault_masterkey")
-							VALUES ('user92', '7E57C0DE-0000-4000-8000-000100001111', 'jwe.jwe.jwe.vault1.user92');
-						INSERT INTO "access_token" ("user_id", "vault_id", "vault_masterkey")
-							VALUES ('user93', '7E57C0DE-0000-4000-8000-000100001111', 'jwe.jwe.jwe.vault1.user93');
-						INSERT INTO "access_token" ("user_id", "vault_id", "vault_masterkey")
-							VALUES ('user94', '7E57C0DE-0000-4000-8000-000100001111', 'jwe.jwe.jwe.vault1.user94');
-						""");
-			}
-			Assumptions.assumeTrue(effectiveVaultAccessRepo.countSeatOccupyingUsersWithAccessToken() > 5);
-
-			when().get("/vaults/{vaultId}/access-token", "7E57C0DE-0000-4000-8000-000100001111")
-					.then().statusCode(402);
-			when().get("/vaults/{vaultId}/keys/{deviceId}", "7E57C0DE-0000-4000-8000-000100002222", "legacyDevice3")
-					.then().statusCode(402);
-		}
-
-		@AfterAll
-		public void reset() throws SQLException {
-			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
-				s.execute("""
-						DELETE FROM "authority"
-						WHERE "id" IN ('user91', 'user92', 'user93', 'user94', 'user95_A', 'group91');
-						""");
-			}
-		}
-
-	}
-
 	@Nested
 	@DisplayName("Claim Ownership")
 	@TestSecurity(user = "User Name 1", roles = {"user"})
@@ -870,12 +815,12 @@ public void reset() throws SQLException {
 	})
 	@TestInstance(TestInstance.Lifecycle.PER_CLASS)
 	@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
-	public class ClaimOwnership {
+	class ClaimOwnership {
 
 		private static Algorithm JWT_ALG;
 
 		@BeforeAll
-		public void setup() throws GeneralSecurityException {
+		void setup() throws GeneralSecurityException {
 			var keyPairGen = KeyPairGenerator.getInstance("EC");
 			keyPairGen.initialize(new ECGenParameterSpec("secp384r1"));
 			var keyPair = keyPairGen.generateKeyPair();
@@ -898,7 +843,7 @@ public void setup() throws GeneralSecurityException {
 		@Test
 		@Order(1)
 		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100009999/claim-ownership returns 400 - JWT has wrong SUB")
-		public void testClaimOwnershipIncorrectJWT1() {
+		void testClaimOwnershipIncorrectJWT1() {
 			var proof = JWT.create()
 					.withNotBefore(Instant.now().minusSeconds(10))
 					.withExpiresAt(Instant.now().plusSeconds(10))
@@ -914,7 +859,7 @@ public void testClaimOwnershipIncorrectJWT1() {
 		@Test
 		@Order(1)
 		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100009999/claim-ownership returns 400 - JWT missing NBF")
-		public void testClaimOwnershipIncorrectJWT2() {
+		void testClaimOwnershipIncorrectJWT2() {
 			var proof = JWT.create()
 					.withExpiresAt(Instant.now().plusSeconds(10))
 					.withSubject("user1")
@@ -929,7 +874,7 @@ public void testClaimOwnershipIncorrectJWT2() {
 		@Test
 		@Order(1)
 		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100009999/claim-ownership returns 400 - JWT not yet valid")
-		public void testClaimOwnershipIncorrectJWT3() {
+		void testClaimOwnershipIncorrectJWT3() {
 			var proof = JWT.create()
 					.withNotBefore(Instant.now().plusSeconds(60))
 					.withExpiresAt(Instant.now().plusSeconds(10))
@@ -945,7 +890,7 @@ public void testClaimOwnershipIncorrectJWT3() {
 		@Test
 		@Order(1)
 		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100009999/claim-ownership returns 400 - JWT missing EXP")
-		public void testClaimOwnershipIncorrectJWT4() {
+		void testClaimOwnershipIncorrectJWT4() {
 			var proof = JWT.create()
 					.withNotBefore(Instant.now().minusSeconds(10))
 					.withSubject("user1")
@@ -960,7 +905,7 @@ public void testClaimOwnershipIncorrectJWT4() {
 		@Test
 		@Order(1)
 		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100009999/claim-ownership returns 400 - JWT expired")
-		public void testClaimOwnershipIncorrectJWT5() {
+		void testClaimOwnershipIncorrectJWT5() {
 			var proof = JWT.create()
 					.withNotBefore(Instant.now().minusSeconds(10))
 					.withExpiresAt(Instant.now().minusSeconds(60))
@@ -976,7 +921,7 @@ public void testClaimOwnershipIncorrectJWT5() {
 		@Test
 		@Order(1)
 		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100009999/claim-ownership returns 400 - JWT wrong vaultId")
-		public void testClaimOwnershipIncorrectJWT6() {
+		void testClaimOwnershipIncorrectJWT6() {
 			var proof = JWT.create()
 					.withNotBefore(Instant.now().minusSeconds(10))
 					.withExpiresAt(Instant.now().plusSeconds(10))
@@ -992,7 +937,7 @@ public void testClaimOwnershipIncorrectJWT6() {
 		@Test
 		@Order(1)
 		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100009999/claim-ownership returns 400 - JWT wrong signature")
-		public void testClaimOwnershipIncorrectJWT7() throws GeneralSecurityException {
+		void testClaimOwnershipIncorrectJWT7() throws GeneralSecurityException {
 			var keyPairGen = KeyPairGenerator.getInstance("EC");
 			keyPairGen.initialize(new ECGenParameterSpec("secp384r1"));
 			var differentKey = keyPairGen.generateKeyPair();
@@ -1013,7 +958,7 @@ public void testClaimOwnershipIncorrectJWT7() throws GeneralSecurityException {
 		@Test
 		@Order(1)
 		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-BADBADBADBAD/claim-ownership returns 404")
-		public void testClaimOwnershipNoSuchVault() {
+		void testClaimOwnershipNoSuchVault() {
 			var proof = JWT.create()
 					.withJWTId(UUID.randomUUID().toString())
 					.withSubject("user1")
@@ -1029,7 +974,7 @@ public void testClaimOwnershipNoSuchVault() {
 		@Test
 		@Order(2)
 		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100009999/claim-ownership returns 200")
-		public void testClaimOwnershipSuccess() {
+		void testClaimOwnershipSuccess() {
 			var proof = JWT.create()
 					.withNotBefore(Instant.now().minusSeconds(10))
 					.withExpiresAt(Instant.now().plusSeconds(10))
@@ -1045,7 +990,7 @@ public void testClaimOwnershipSuccess() {
 		@Test
 		@Order(3)
 		@DisplayName("POST /vaults/7E57C0DE-0000-4000-8000-000100009999/claim-ownership returns 409")
-		public void testClaimOwnershipAlreadyClaimed() {
+		void testClaimOwnershipAlreadyClaimed() {
 			var proof = JWT.create()
 					.withNotBefore(Instant.now().minusSeconds(10))
 					.withExpiresAt(Instant.now().plusSeconds(10))
@@ -1059,7 +1004,7 @@ public void testClaimOwnershipAlreadyClaimed() {
 		}
 
 		@AfterAll
-		public void cleanup() throws SQLException {
+		void cleanup() throws SQLException {
 			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
 				s.execute("""
 						DELETE FROM "vault" WHERE "id" = '7E57C0DE-0000-4000-8000-000100009999';
@@ -1069,9 +1014,70 @@ public void cleanup() throws SQLException {
 
 	}
 
+	@Nested
+	@DisplayName("As admin user2 (non-owner)")
+	@TestSecurity(user = "User Name 2", roles = {"user", "admin"})
+	@OidcSecurity(claims = {
+			@Claim(key = "sub", value = "user2")
+	})
+	@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
+	class AdminArchiveVault {
+
+		@Test
+		@Order(1)
+		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100001111/archived returns 200 for admin archiving vault")
+		@DBRollbackAfter
+		void testAdminArchiveVault() {
+			given().contentType(ContentType.TEXT).body("true")
+					.when().put("/vaults/{vaultId}/archived", "7E57C0DE-0000-4000-8000-000100001111")
+					.then().statusCode(200)
+					.body("id", equalToIgnoringCase("7E57C0DE-0000-4000-8000-000100001111"))
+					.body("name", equalTo("Vault 1"))
+					.body("archived", equalTo(true));
+		}
+
+		@Test
+		@Order(2)
+		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-00010000AAAA/archived returns 200 for admin unarchiving vault")
+		@DBRollbackAfter
+		void testAdminUnarchiveVault() {
+			given().contentType(ContentType.TEXT).body("false")
+					.when().put("/vaults/{vaultId}/archived", "7E57C0DE-0000-4000-8000-00010000AAAA")
+					.then().statusCode(200)
+					.body("id", equalToIgnoringCase("7E57C0DE-0000-4000-8000-00010000AAAA"))
+					.body("name", equalTo("Vault Archived"))
+					.body("archived", equalTo(false));
+		}
+
+		@Test
+		@Order(3)
+		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100001111 returns 403 for admin updating vault they don't own")
+		void testAdminCannotUpdateVaultTheyDontOwn() {
+			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100001111");
+			var vaultDto = new VaultResource.VaultDto(uuid, "Vault 1", Instant.parse("2020-02-20T20:20:20Z"), "This is a testvault.", true, 0, Map.of(), "uvfMetadata1", "uvfKeySet1", "masterkey1", 42, "salt1", "authPubKey1", "authPrvKey1");
+
+			given().contentType(ContentType.JSON).body(vaultDto)
+					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100001111")
+					.then().statusCode(403);
+		}
+
+		@Test
+		@Order(4)
+		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100005555 returns 403 for admin creating vault without create-vaults role")
+		void testAdminCannotCreateVaultWithoutCreateVaultsRole() {
+			var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100005555");
+			var vaultDto = new VaultResource.VaultDto(uuid, "New Vault", Instant.parse("2112-12-21T21:12:21Z"), "Should not be created", false, 0, Map.of(), "uvfMetadata5", "uvfKeySet5", "masterkey5", 42, "NaCl", "authPubKey5", "authPrvKey5");
+
+			given().contentType(ContentType.JSON).body(vaultDto)
+					.when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100005555")
+					.then().statusCode(403);
+		}
+
+	}
+
 	@Nested
 	@DisplayName("As unauthenticated user")
-	public class AsAnonymous {
+	class AsAnonymous {
 
 		@DisplayName("401 Unauthorized")
 		@ParameterizedTest(name = "{0} {1}")
@@ -1079,12 +1085,14 @@ public class AsAnonymous {
 				"GET, /vaults/accessible",
 				"GET, /vaults/7E57C0DE-0000-4000-8000-000100001111",
 				"GET, /vaults/7E57C0DE-0000-4000-8000-000100001111/members",
+				"PUT, /vaults/7E57C0DE-0000-4000-8000-000100001111/members",
 				"PUT, /vaults/7E57C0DE-0000-4000-8000-000100001111/users/user1",
 				"DELETE, /vaults/7E57C0DE-0000-4000-8000-000100001111/authority/user1",
 				"GET, /vaults/7E57C0DE-0000-4000-8000-000100001111/users-requiring-access-grant",
-				"GET, /vaults/7E57C0DE-0000-4000-8000-000100001111/access-token"
+				"GET, /vaults/7E57C0DE-0000-4000-8000-000100001111/access-token",
+				"PUT, /vaults/7E57C0DE-0000-4000-8000-000100001111/archived"
 		})
-		public void testGet(String method, String path) {
+		void testGet(String method, String path) {
 			when().request(method, path)
 					.then().statusCode(401);
 		}
@@ -1093,7 +1101,7 @@ public void testGet(String method, String path) {
 
 	@Nested
 	@DisplayName("/vaults/all")
-	public class GetAllVaults {
+	class GetAllVaults {
 
 		@Test
 		@DisplayName("GET /vaults/all returns 403 as user")
@@ -1101,7 +1109,7 @@ public class GetAllVaults {
 		@OidcSecurity(claims = {
 				@Claim(key = "sub", value = "user1")
 		})
-		public void testGetAllVaultsAsUser() {
+		void testGetAllVaultsAsUser() {
 			when().get("/vaults/all")
 					.then().statusCode(403);
 		}
@@ -1112,7 +1120,7 @@ public void testGetAllVaultsAsUser() {
 		@OidcSecurity(claims = {
 				@Claim(key = "sub", value = "user1")
 		})
-		public void testGetAllVaultsAsAdmin() {
+		void testGetAllVaultsAsAdmin() {
 			when().get("/vaults/all")
 					.then().statusCode(200)
 					.body("id", hasItems(equalToIgnoringCase("7E57C0DE-0000-4000-8000-000100001111"), equalToIgnoringCase("7E57C0DE-0000-4000-8000-000100002222"), equalToIgnoringCase("7E57C0DE-0000-4000-8000-00010000AAAA")));
@@ -1121,7 +1129,7 @@ public void testGetAllVaultsAsAdmin() {
 
 	@Nested
 	@DisplayName("/vaults/some")
-	public class GetSomeVaults {
+	class GetSomeVaults {
 
 		@Nested
 		@DisplayName("as admin")
@@ -1129,11 +1137,11 @@ public class GetSomeVaults {
 		@OidcSecurity(claims = {
 				@Claim(key = "sub", value = "user1")
 		})
-		public class AsAdmin {
+		class AsAdmin {
 
 			@Test
 			@DisplayName("GET /vaults/some?ids=7e57c0de-0000-4000-8000-000100001111&ids=7e57c0de-0000-4000-8000-000100002222")
-			public void testListSomeVaults() {
+			void testListSomeVaults() {
 				given().param("ids", "7e57c0de-0000-4000-8000-000100001111", "7e57c0de-0000-4000-8000-000100002222")
 						.when().get("/vaults/some")
 						.then().statusCode(200)
@@ -1142,7 +1150,7 @@ public void testListSomeVaults() {
 
 			@Test
 			@DisplayName("GET /vaults/some?ids=7e57c0de-0000-4000-8000-BADBADBADBAD")
-			public void testListSomeVaultsNotExistingId() {
+			void testListSomeVaultsNotExistingId() {
 				given().param("ids", "7e57c0de-0000-4000-8000-BADBADBADBAD")
 						.when().get("/vaults/some")
 						.then().statusCode(200)
@@ -1151,7 +1159,7 @@ public void testListSomeVaultsNotExistingId() {
 
 			@Test
 			@DisplayName("GET /vaults/some")
-			public void testListSomeVaultsNoParams() {
+			void testListSomeVaultsNoParams() {
 				given().when().get("/vaults/some")
 						.then().statusCode(200)
 						.body("", hasSize(0));
@@ -1164,10 +1172,56 @@ public void testListSomeVaultsNoParams() {
 		@OidcSecurity(claims = {
 				@Claim(key = "sub", value = "user1")
 		})
-		public void testListSomeVaultsAsUser() {
+		void testListSomeVaultsAsUser() {
 			given().param("ids", "7e57c0de-0000-4000-8000-000100001111")
 					.when().get("/vaults/some")
 					.then().statusCode(403);
 		}
 	}
-}
+
+
+	public static class KeycloakCryptomatorVaultsHelperMock extends KeycloakCryptomatorVaultsHelper {
+		@Override
+		public Keycloak getKeycloak() {
+			final Keycloak keycloakMock = Mockito.mock(Keycloak.class);
+			final RealmResource realmResourceMock = Mockito.mock(RealmResource.class);
+			final ClientsResource clientsResourceMock = Mockito.mock(ClientsResource.class);
+			final ClientResource clientResourceMock = Mockito.mock(ClientResource.class);
+			final ClientRepresentation clientRepresentationMock = Mockito.mock(ClientRepresentation.class);
+			final ClientScopesResource clientScopesResourceMock = Mockito.mock(ClientScopesResource.class);
+			final ClientScopeResource clientScopeResourceMock = Mockito.mock(ClientScopeResource.class);
+			final RoleMappingResource roleMappingResourceMock = Mockito.mock(RoleMappingResource.class);
+			final RoleScopeResource roleScopeResourceMock = Mockito.mock(RoleScopeResource.class);
+			final Response responseMock = Mockito.mock(Response.class);
+			final RolesResource rolesResourceMock = Mockito.mock(RolesResource.class);
+			final RoleResource roleResourceMock = Mockito.mock(RoleResource.class);
+			final RoleRepresentation roleRepresentationMock = Mockito.mock(RoleRepresentation.class);
+			final org.keycloak.admin.client.resource.UsersResource usersResourceMock = Mockito.mock(UsersResource.class);
+			final UserResource userResourceMock = Mockito.mock(UserResource.class);
+			final org.keycloak.admin.client.resource.GroupsResource groupsResourceMock = Mockito.mock(GroupsResource.class);
+			final GroupResource groupResourceMock = Mockito.mock(GroupResource.class);
+			Mockito.when(keycloakMock.realm(Mockito.anyString())).thenReturn(realmResourceMock);
+			Mockito.when(realmResourceMock.clients()).thenReturn(clientsResourceMock);
+			Mockito.when(realmResourceMock.clientScopes()).thenReturn(clientScopesResourceMock);
+			Mockito.when(clientScopesResourceMock.findAll()).thenReturn(List.of());
+			Mockito.when(clientScopesResourceMock.create(Mockito.any())).thenReturn(responseMock);
+			Mockito.when(clientScopesResourceMock.get(Mockito.anyString())).thenReturn(clientScopeResourceMock);
+			Mockito.when(responseMock.getStatus()).thenReturn(201);
+			Mockito.when(clientsResourceMock.findByClientId(Mockito.anyString())).thenReturn(List.of(clientRepresentationMock));
+			Mockito.when(clientsResourceMock.get(Mockito.anyString())).thenReturn(clientResourceMock);
+			Mockito.when(clientScopeResourceMock.getScopeMappings()).thenReturn(roleMappingResourceMock);
+			Mockito.when(clientRepresentationMock.getId()).thenReturn("");
+			Mockito.when(clientResourceMock.roles()).thenReturn(rolesResourceMock);
+			Mockito.when(roleMappingResourceMock.clientLevel(Mockito.anyString())).thenReturn(roleScopeResourceMock);
+			Mockito.when(rolesResourceMock.get(Mockito.anyString())).thenReturn(roleResourceMock);
+			Mockito.when(roleResourceMock.toRepresentation()).thenReturn(roleRepresentationMock);
+			Mockito.when(realmResourceMock.users()).thenReturn(usersResourceMock);
+			Mockito.when(usersResourceMock.get(Mockito.anyString())).thenReturn(userResourceMock);
+			Mockito.when(userResourceMock.roles()).thenReturn(roleMappingResourceMock);
+			Mockito.when(realmResourceMock.groups()).thenReturn(groupsResourceMock);
+			Mockito.when(groupsResourceMock.group(Mockito.anyString())).thenReturn(groupResourceMock);
+			Mockito.when(groupResourceMock.roles()).thenReturn(roleMappingResourceMock);
+			return keycloakMock;
+		}
+	}
+}
\ No newline at end of file
diff --git a/backend/src/test/java/org/cryptomator/hub/api/VaultResourceTest.java b/backend/src/test/java/org/cryptomator/hub/api/VaultResourceTest.java
new file mode 100644
index 000000000..bc1c80526
--- /dev/null
+++ b/backend/src/test/java/org/cryptomator/hub/api/VaultResourceTest.java
@@ -0,0 +1,139 @@
+package org.cryptomator.hub.api;
+
+import io.quarkus.security.identity.SecurityIdentity;
+import jakarta.ws.rs.NotFoundException;
+import org.cryptomator.hub.api.katta.KattaConfig;
+import org.cryptomator.hub.entities.EffectiveVaultAccess;
+import org.cryptomator.hub.entities.Group;
+import org.cryptomator.hub.entities.User;
+import org.cryptomator.hub.entities.Vault;
+import org.cryptomator.hub.entities.VaultAccess;
+import org.cryptomator.hub.entities.events.EventLogger;
+import org.cryptomator.hub.katta.KeycloakCryptomatorVaultsHelper;
+import org.cryptomator.hub.license.HubLicenseEntitlements;
+import org.cryptomator.hub.license.LicenseHolder;
+import org.eclipse.microprofile.jwt.JsonWebToken;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
+import org.mockito.Mockito;
+
+import java.time.Instant;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+import java.util.UUID;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+class VaultResourceTest {
+	private VaultResource vaultResource;
+
+	private final UUID vaultId = UUID.randomUUID();
+
+	private final EventLogger eventLogger = Mockito.mock(EventLogger.class);
+	private final User.Repository userRepo = Mockito.mock(User.Repository.class);
+	private final Group.Repository groupRepo = Mockito.mock(Group.Repository.class);
+	private final EffectiveVaultAccess.Repository effectiveVaultAccessRepo = Mockito.mock(EffectiveVaultAccess.Repository.class);
+	private final Vault.Repository vaultRepo = Mockito.mock(Vault.Repository.class);
+	private final VaultAccess.Repository vaultAccessRepo = Mockito.mock(VaultAccess.Repository.class);
+
+	private final SecurityIdentity identity = Mockito.mock(SecurityIdentity.class);
+	private final LicenseHolder license = Mockito.mock(LicenseHolder.class);
+	private final KeycloakCryptomatorVaultsHelper keycloakCryptomatorVaultsHelper = Mockito.mock(KeycloakCryptomatorVaultsHelper.class);
+	private final KattaConfig kattaConfig = Mockito.mock(KattaConfig.class);
+
+
+	@BeforeEach
+	void setUp() {
+		vaultResource = new VaultResource();
+		vaultResource.eventLogger = eventLogger;
+		vaultResource.userRepo = userRepo;
+		vaultResource.groupRepo = groupRepo;
+		vaultResource.effectiveVaultAccessRepo = effectiveVaultAccessRepo;
+		vaultResource.vaultRepo = vaultRepo;
+		vaultResource.vaultAccessRepo = vaultAccessRepo;
+		vaultResource.jwt = new JsonWebToken() {
+			@Override
+			public String getName() {
+				return "";
+			}
+
+			@Override
+			public Set<String> getClaimNames() {
+				return Set.of("sub");
+			}
+
+			@Override
+			public String getClaim(String claimName) {
+				switch (claimName) {
+					case "sub":
+						return "alice";
+				}
+				return null;
+			}
+		};
+		vaultResource.identity = identity;
+		vaultResource.license = license;
+		vaultResource.keycloakCryptomatorVaultsHelper = keycloakCryptomatorVaultsHelper;
+		vaultResource.kattaConfig = kattaConfig;
+
+		final User user = Mockito.mock(User.class);
+		Mockito.when(userRepo.findById("alice")).thenReturn(user);
+		Mockito.when(userRepo.findByIdOptional("alice")).thenReturn(Optional.of(user));
+		Mockito.when(kattaConfig.keycloakClientIdCryptomatorVaults()).thenReturn("pesto");
+		Mockito.when(license.getEntitlements()).thenReturn(HubLicenseEntitlements.create().withSeats(1L));
+		Mockito.when(vaultRepo.findById(vaultId)).thenReturn(new Vault());
+		Mockito.when(groupRepo.findByIdOptional("good cops")).thenReturn(Optional.of(new Group()));
+		Mockito.when(vaultAccessRepo.deleteById(new VaultAccess.Id(vaultId, "good cops"))).thenReturn(true);
+	}
+
+	@ParameterizedTest
+	@CsvSource({"false,false", "false,true", "true,false", "true,true"})
+	public void testCreateOrUpdate(final boolean minio, final boolean aws) {
+		final UUID vaultId = UUID.randomUUID();
+		var vaultDto = new VaultResource.VaultDto(vaultId, "My Vault", Instant.parse("2112-12-21T21:12:21Z"), "Test vault 4", false, 0, Map.of(), "uvfMetadata3", "uvfKeySet3", "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3");
+
+		vaultResource.createOrUpdate(vaultId, vaultDto, minio, aws);
+
+		Mockito.verify(keycloakCryptomatorVaultsHelper, Mockito.times(1)).keycloakPrepareVault(vaultId.toString(), minio, aws);
+		Mockito.verify(keycloakCryptomatorVaultsHelper, Mockito.times(1)).keycloakGrantAccessToVault(vaultId.toString(), "alice", "pesto", false);
+	}
+
+	@Test
+	public void testAddUser() {
+		vaultResource.addUser(vaultId, "alice", VaultAccess.Role.MEMBER);
+		Mockito.verify(keycloakCryptomatorVaultsHelper, Mockito.times(1)).keycloakGrantAccessToVault(vaultId.toString(), "alice", "pesto", false);
+	}
+
+	@Test
+	public void testAddUserFailing() {
+		assertThrows(NotFoundException.class, () -> vaultResource.addUser(vaultId, "bob", VaultAccess.Role.MEMBER));
+		Mockito.verify(keycloakCryptomatorVaultsHelper, Mockito.times(0)).keycloakGrantAccessToVault(vaultId.toString(), "bob", "pesto", false);
+	}
+
+	@Test
+	public void testAddGroup() {
+		vaultResource.addGroup(vaultId, "good cops", VaultAccess.Role.MEMBER);
+		Mockito.verify(keycloakCryptomatorVaultsHelper, Mockito.times(1)).keycloakGrantAccessToVault(vaultId.toString(), "good cops", "pesto", true);
+	}
+
+	@Test
+	public void testAddGroupFailing() {
+		assertThrows(NotFoundException.class, () -> vaultResource.addGroup(vaultId, "bad cops", VaultAccess.Role.MEMBER));
+		Mockito.verify(keycloakCryptomatorVaultsHelper, Mockito.times(0)).keycloakGrantAccessToVault(vaultId.toString(), "bad cops", "pesto", true);
+	}
+
+	@Test
+	public void testRemoveAuthority() {
+		vaultResource.removeAuthority(vaultId, "good cops");
+		Mockito.verify(keycloakCryptomatorVaultsHelper, Mockito.times(1)).keycloakRemoveAccessToVault(vaultId.toString(), "good cops", "pesto", true);
+	}
+
+	@Test
+	public void testRemoveAuthorityFailing() {
+		assertThrows(NotFoundException.class, () -> vaultResource.removeAuthority(vaultId, "bad cops"));
+		Mockito.verify(keycloakCryptomatorVaultsHelper, Mockito.times(0)).keycloakRemoveAccessToVault(vaultId.toString(), "bad cops", "pesto", true);
+	}
+}
\ No newline at end of file
diff --git a/backend/src/test/java/org/cryptomator/hub/api/katta/StorageProfileResourceIT.java b/backend/src/test/java/org/cryptomator/hub/api/katta/StorageProfileResourceIT.java
new file mode 100644
index 000000000..5c03412a5
--- /dev/null
+++ b/backend/src/test/java/org/cryptomator/hub/api/katta/StorageProfileResourceIT.java
@@ -0,0 +1,362 @@
+package org.cryptomator.hub.api.katta;
+
+import io.quarkus.test.InjectMock;
+import io.quarkus.test.junit.QuarkusTest;
+import io.quarkus.test.security.TestSecurity;
+import io.quarkus.test.security.oidc.Claim;
+import io.quarkus.test.security.oidc.OidcSecurity;
+import io.restassured.common.mapper.TypeRef;
+import io.restassured.http.ContentType;
+import org.cryptomator.hub.api.katta.storage.S3StorageHelper;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.MethodOrderer;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Order;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.TestMethodOrder;
+import org.mockito.Mockito;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.UUID;
+
+import static io.restassured.RestAssured.given;
+import static org.hamcrest.text.IsEqualIgnoringCase.equalToIgnoringCase;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.Mockito.*;
+@QuarkusTest
+@DisplayName("Resource /storageprofile")
+public class StorageProfileResourceIT {
+	@InjectMock
+	S3StorageHelper s3StorageHelper;
+
+	@Nested
+	@DisplayName("As admin user1")
+	@TestSecurity(user = "User Name 1", roles = {"admin", "user"})
+	@OidcSecurity(claims = {
+			@Claim(key = "sub", value = "user1")
+	})
+	@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
+	public class CreateStorageProfile {
+		@Test
+		@Order(1)
+		@DisplayName("POST /storageprofile/s3static returns 201")
+		public void testPostS3StorageProfile() {
+			var vaultDto = new StorageProfileS3StaticDto(
+					UUID.fromString("72736c19-283c-49d3-80a5-ab74b5202543"),
+					"AWS S3 static",
+					StorageProfileDto.Protocol.s3static,
+					false,
+					"https",
+					null,
+					443,
+					false,
+					StorageProfileS3StaticDto.S3_STORAGE_CLASSES.STANDARD,
+					"eu-central-1",
+					Arrays.
+							asList("eu-central-1"),
+					"katta-test-",
+					"arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-createbucket",
+					"arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-createbucket",
+					null,
+					true,
+					null,
+					StorageProfileS3StaticDto.S3_SERVERSIDE_ENCRYPTION.NONE
+			);
+			given().contentType(ContentType.JSON).body(vaultDto)
+					.when().post("/storageprofile/s3static")
+					.then().statusCode(201)
+					.body("id", equalToIgnoringCase("72736c19-283c-49d3-80a5-ab74b5202543"))
+					.body("name", equalToIgnoringCase("AWS S3 static"));
+		}
+
+		@Test
+		@Order(1)
+		@DisplayName("POST /storageprofile/s3sts returns 201")
+		public void testPostS3STSStorageProfile() {
+			var vaultDto = new StorageProfileS3STSDto(
+					UUID.fromString("844bd517-96d4-4787-bcfa-238e103149f6"),
+					"AWS S3 STS",
+					StorageProfileDto.Protocol.valueOf("s3static"),
+					false,
+					null,
+					null,
+					null,
+					false,
+					StorageProfileS3StaticDto.S3_STORAGE_CLASSES.STANDARD,
+					"eu-west-1",
+					Arrays.asList("eu-west-1", "eu-west-2", "eu-west-3"),
+					"katta-test-",
+					"arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-createbucket",
+					"arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-createbucket",
+					null,
+					true,
+					null,
+					StorageProfileS3StaticDto.S3_SERVERSIDE_ENCRYPTION.NONE,
+					"arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-sts-chain-01",
+					"JsonNullable[arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-sts-chain-02]",
+					null,
+					"Vault"
+			);
+
+			given().contentType(ContentType.JSON).body(vaultDto)
+					.when().post("/storageprofile/s3sts")
+					.then().statusCode(201)
+					.body("id", equalToIgnoringCase("844bd517-96d4-4787-bcfa-238e103149f6"))
+					.body("name", equalToIgnoringCase("AWS S3 STS"));
+		}
+
+		@Test
+		@Order(2)
+		@DisplayName("GET /storageprofile returns 200")
+		public void testGetStorageProfiles() {
+			final List<StorageProfileS3STSDto> dtos = given()
+					.when().get("/storageprofile/")
+					.then().statusCode(200)
+					.extract()
+					.as(new TypeRef<List<StorageProfileS3STSDto>>() {
+					});
+			assertEquals(2, dtos.size());
+			assertEquals(1, dtos.stream().filter(dto -> dto.protocol.equals(StorageProfileS3StaticDto.Protocol.s3static)).count());
+			assertEquals(1, dtos.stream().filter(dto -> dto.protocol.equals(StorageProfileS3StaticDto.Protocol.s3sts)).count());
+			final StorageProfileS3STSDto s3STSDto = dtos.stream().filter(dto -> dto.protocol.equals(StorageProfileS3StaticDto.Protocol.s3sts)).map(StorageProfileS3STSDto.class::cast).findFirst().get();
+			assertEquals("arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-sts-chain-01", s3STSDto.stsRoleAccessBucketAssumeRoleWithWebIdentity);
+			assertFalse(s3STSDto.archived);
+		}
+
+		@Test
+		@Order(2)
+		@DisplayName("GET /storageprofile/{profileId} returns 200")
+		public void testGetS3StorageProfile() {
+			final StorageProfileS3STSDto dto = given()
+					.when().get("/storageprofile/{profileId}", "72736c19-283c-49d3-80a5-ab74b5202543")
+					.then().statusCode(200)
+					.extract()
+					.as(StorageProfileS3STSDto.class);
+
+			assertEquals(UUID.fromString("72736c19-283c-49d3-80a5-ab74b5202543"), dto.id);
+			assertNull(dto.stsRoleAccessBucketAssumeRoleWithWebIdentity);
+			assertFalse(dto.archived);
+		}
+
+		@Test
+		@Order(2)
+		@DisplayName("GET /storageprofile/{profileId} returns 200")
+		public void testGetS3STSStorageProfile() {
+			final StorageProfileS3STSDto dto = given()
+					.when().get("/storageprofile/{profileId}", "844bd517-96d4-4787-bcfa-238e103149f6")
+					.then().statusCode(200)
+					.extract()
+					.as(StorageProfileS3STSDto.class);
+
+			assertEquals(UUID.fromString("844bd517-96d4-4787-bcfa-238e103149f6"), dto.id);
+			assertEquals("arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-sts-chain-01", dto.stsRoleAccessBucketAssumeRoleWithWebIdentity);
+			assertFalse(dto.archived);
+		}
+
+		@Test
+		@Order(3)
+		@DisplayName("POST /storageprofile/s3static again returns 409")
+		public void testPostS3StorageProfileAgain() {
+			var vaultDto = new StorageProfileS3StaticDto(
+					UUID.fromString("72736c19-283c-49d3-80a5-ab74b5202543"),
+					"AWS S3 static",
+					StorageProfileDto.Protocol.s3static,
+					false,
+					"https",
+					null,
+					443,
+					false,
+					StorageProfileS3StaticDto.S3_STORAGE_CLASSES.STANDARD,
+					"eu-central-1",
+					Arrays.asList("eu-central-1"),
+					"katta-test-",
+					"arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-createbucket",
+					"arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-createbucket",
+					null,
+					true,
+					null,
+					StorageProfileS3StaticDto.S3_SERVERSIDE_ENCRYPTION.NONE
+			);
+			given().contentType(ContentType.JSON).body(vaultDto)
+					.when().post("/storageprofile/s3static")
+					.then().statusCode(409);
+		}
+
+		@Test
+		@Order(3)
+		@DisplayName("POST /storageprofile/s3sts again returns 409")
+		public void testPostS3STSStorageProfileAgain() {
+			var vaultDto = new StorageProfileS3STSDto(
+					UUID.fromString("844bd517-96d4-4787-bcfa-238e103149f6"),
+					"AWS S3 STS",
+					StorageProfileDto.Protocol.valueOf("s3static"),
+					false,
+					null,
+					null,
+					null,
+					false,
+					StorageProfileS3StaticDto.S3_STORAGE_CLASSES.STANDARD,
+					"eu-west-1",
+					Arrays.asList("eu-west-1", "eu-west-2", "eu-west-3"),
+					"katta-test-",
+					"arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-createbucket",
+					"arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-createbucket",
+					null,
+					true,
+					null,
+					StorageProfileS3StaticDto.S3_SERVERSIDE_ENCRYPTION.NONE,
+					"arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-sts-chain-01",
+					"JsonNullable[arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-sts-chain-02]",
+					null,
+					"Vault"
+			);
+
+			given().contentType(ContentType.JSON).body(vaultDto)
+					.when().post("/storageprofile/s3sts")
+					.then().statusCode(409);
+		}
+
+		@Test
+		@Order(4)
+		@DisplayName("PUT /storage/{vaultId} returns 201")
+		public void testCreateStorage() {
+			final String vaultId = UUID.randomUUID().toString();
+			var createS3STSBucketDto = new CreateS3STSBucketDto(
+					vaultId,
+					UUID.fromString("844bd517-96d4-4787-bcfa-238e103149f6"),
+					"",
+					"",
+					"",
+					"",
+					"",
+					"",
+					""
+			);
+			var vaultDto = new StorageProfileS3STSDto(
+					UUID.fromString("844bd517-96d4-4787-bcfa-238e103149f6"),
+					"AWS S3 STS",
+					StorageProfileDto.Protocol.valueOf("s3static"),
+					false,
+					null,
+					null,
+					null,
+					false,
+					StorageProfileS3StaticDto.S3_STORAGE_CLASSES.STANDARD,
+					"eu-west-1",
+					Arrays.asList("eu-west-1", "eu-west-2", "eu-west-3"),
+					"katta-test-",
+					"arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-createbucket",
+					"arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-createbucket",
+					null,
+					true,
+					null,
+					StorageProfileS3StaticDto.S3_SERVERSIDE_ENCRYPTION.NONE,
+					"arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-sts-chain-01",
+					"JsonNullable[arn:aws:iam::430118840017:role/testing.katta.cloud-kc-realms-chipotle-sts-chain-02]",
+					null,
+					"Vault"
+			);
+			given().contentType(ContentType.JSON).body(createS3STSBucketDto)
+					.when().put("/storage/{vaultId}", vaultId)
+					.then().statusCode(201);
+			Mockito.verify(s3StorageHelper, times(1)).makeS3Bucket(vaultDto, createS3STSBucketDto);
+		}
+
+		@Test
+		@Order(4)
+		@DisplayName("PUT /storageprofile/{profileId} archiving returns 204")
+		public void testArchiveS3StorageProfile() {
+			given().formParam("archived", true)
+					.when().put("/storageprofile/{profileId}", "72736c19-283c-49d3-80a5-ab74b5202543")
+					.then().statusCode(204);
+
+		}
+
+		@Test
+		@Order(4)
+		@DisplayName("PUT /storageprofile/{profileId} archiving returns 204")
+		public void testArchiveS3STSStorageProfile() {
+			given().formParam("archived", true)
+					.when().put("/storageprofile/{profileId}", "844bd517-96d4-4787-bcfa-238e103149f6")
+					.then().statusCode(204);
+		}
+
+		@Test
+		@Order(5)
+		@DisplayName("GET /storageprofile/{profileId} returns 200 with vault archived")
+		public void testGetArchivedS3StorageProfile() {
+			final StorageProfileS3STSDto dto = given()
+					.when().get("/storageprofile/{profileId}", "72736c19-283c-49d3-80a5-ab74b5202543")
+					.then().statusCode(200)
+					.extract()
+					.as(StorageProfileS3STSDto.class);
+			assertTrue(dto.archived);
+		}
+
+		@Test
+		@Order(5)
+		@DisplayName("GET /storageprofile/{profileId} returns 200 with vault archived")
+		public void testGetArchivedS3STSStorageProfile() {
+			final StorageProfileS3STSDto dto = given()
+					.when().get("/storageprofile/{profileId}", "844bd517-96d4-4787-bcfa-238e103149f6")
+					.then().statusCode(200)
+					.extract()
+					.as(StorageProfileS3STSDto.class);
+			assertTrue(dto.archived);
+		}
+
+		@Test
+		@Order(4)
+		@DisplayName("PUT /storage/{vaultId} returns 410")
+		public void testCreateStorageArchived() {
+			final String vaultId = UUID.randomUUID().toString();
+			var createS3STSBucketDto = new CreateS3STSBucketDto(
+					vaultId,
+					UUID.fromString("844bd517-96d4-4787-bcfa-238e103149f6"),
+					"",
+					"",
+					"",
+					"",
+					"",
+					"",
+					""
+			);
+			given().contentType(ContentType.JSON).body(createS3STSBucketDto)
+					.when().put("/storage/{vaultId}", vaultId)
+					.then().statusCode(410);
+		}
+
+		@Test
+		@Order(6)
+		@DisplayName("GET /storageprofile returns 200")
+		public void testGetArchivedStorageProfiles() {
+			final List<StorageProfileS3STSDto> dtos = given()
+					.queryParam("archived", true)
+					.when().get("/storageprofile/")
+					.then().statusCode(200)
+					.extract()
+					.as(new TypeRef<List<StorageProfileS3STSDto>>() {
+					});
+			assertEquals(2, dtos.size());
+		}
+
+		@Test
+		@Order(6)
+		@DisplayName("GET /storageprofile returns 200")
+		public void testGetNonArchivedStorageProfiles() {
+			final List<StorageProfileS3STSDto> dtos = given()
+					.queryParam("archived", false)
+					.when().get("/storageprofile/")
+					.then().statusCode(200)
+					.extract()
+					.as(new TypeRef<List<StorageProfileS3STSDto>>() {
+					});
+			assertEquals(0, dtos.size());
+		}
+
+	}
+}
diff --git a/backend/src/test/java/org/cryptomator/hub/entities/BatchTest.java b/backend/src/test/java/org/cryptomator/hub/entities/BatchTest.java
new file mode 100644
index 000000000..859872d39
--- /dev/null
+++ b/backend/src/test/java/org/cryptomator/hub/entities/BatchTest.java
@@ -0,0 +1,73 @@
+package org.cryptomator.hub.entities;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+import org.mockito.Mockito;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.function.BiFunction;
+import java.util.function.Consumer;
+
+class BatchTest {
+
+	@ParameterizedTest
+	@ValueSource(ints = {-1, 0})
+	void testInvalidBatchSize(int batchSize) {
+		Assertions.assertThrows(IllegalArgumentException.class, () -> {
+			Batch.of(batchSize);
+		});
+	}
+
+	@ParameterizedTest
+	@ValueSource(ints = {1, 2, 3, 5, 10})
+	void testBatchSizes(int batchSize) {
+		List<Integer> result = new ArrayList<>();
+		Batch.of(batchSize).run(List.of(1, 2, 3, 4, 5, 6, 7), result::addAll);
+
+		Assertions.assertEquals(List.of(1, 2, 3, 4, 5, 6, 7), result);
+	}
+
+	@Test
+	void testNoopIfInputIsEmpty() {
+		Consumer<List<String>> job = Mockito.mock();
+
+		Batch.of(10).run(List.of(), job);
+
+		Mockito.verifyNoInteractions(job);
+	}
+
+	@Test
+	void testNoopIfInputIsNull() {
+		Consumer<List<String>> job = Mockito.mock();
+
+		Batch.of(10).run(null, job);
+
+		Mockito.verifyNoInteractions(job);
+	}
+
+	@ParameterizedTest
+	@ValueSource(ints = {1, 2, 3, 5, 10})
+	void testBatchSizesReduce(int batchSize) {
+		int result = Batch.of(batchSize).run(List.of(1, 2, 3, 4, 5, 6, 7), 0, (sublist, r) -> {
+			for (int i : sublist) {
+				r += i;
+			}
+			return r;
+		});
+
+		Assertions.assertEquals(1 + 2 + 3 + 4 + 5 + 6 + 7, result);
+	}
+
+	@Test
+	void testNoopIfReduceInputIsEmpty() {
+		BiFunction<List<Integer>, Integer, Integer> job = Mockito.mock();
+
+		Batch.of(10).run(List.of(), 0, job);
+
+		Mockito.verifyNoInteractions(job);
+	}
+
+}
\ No newline at end of file
diff --git a/backend/src/test/java/org/cryptomator/hub/entities/EffectiveGroupMembershipIT.java b/backend/src/test/java/org/cryptomator/hub/entities/EffectiveGroupMembershipIT.java
new file mode 100644
index 000000000..b28db4de7
--- /dev/null
+++ b/backend/src/test/java/org/cryptomator/hub/entities/EffectiveGroupMembershipIT.java
@@ -0,0 +1,196 @@
+package org.cryptomator.hub.entities;
+
+import io.quarkus.test.junit.QuarkusTest;
+import jakarta.inject.Inject;
+import jakarta.transaction.Transactional;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+
+import java.util.List;
+
+@QuarkusTest
+class EffectiveGroupMembershipIT {
+
+	@Inject
+	User.Repository userRepo;
+
+	@Inject
+	Group.Repository groupRepo;
+
+	@Inject
+	Authority.Repository authorityRepo;
+
+	@Inject
+	EffectiveGroupMembership.Repository effectiveGroupMembershipRepo;
+
+	@BeforeEach
+	@Transactional
+	void setup() {
+		for (int i = 1; i <= 5; i++) {
+			User u = new User();
+			u.setId("u" + i);
+			u.setName("User " + i);
+			userRepo.persist(u);
+		}
+
+		for (int i = 1; i <= 5; i++) {
+			Group g = new Group();
+			g.setId("g" + i);
+			g.setName("Group " + i);
+			groupRepo.persist(g);
+		}
+
+		/**
+		 *
+		 * g1/
+		 * ├─ u1/
+		 * ├─ g2/
+		 *    ├─ u2
+		 *    ├─ u4
+		 *    ├─ g3/
+		 *       ├─ u3
+		 *       ├─ u4
+		 */
+		addMembers("g1", "u1", "g2");
+		addMembers("g2", "u2", "u4", "g3");
+		addMembers("g3", "u3", "u4");
+		effectiveGroupMembershipRepo.fullUpdate();
+	}
+
+	@AfterEach
+	@Transactional
+	void teardown() {
+		userRepo.deleteByIds(List.of("u1", "u2", "u3", "u4", "u5"));
+		groupRepo.deleteByIds(List.of("g1", "g2", "g3", "g4", "g5"));
+	}
+
+	@Test
+	@DisplayName("validate data after full update")
+	@Transactional
+	void testDataAfterFullUpdate() {
+		Assertions.assertTrue(effectiveGroupMembershipRepo.isMember("g1", "u1"));
+		Assertions.assertTrue(effectiveGroupMembershipRepo.isMember("g1", "u2"));
+		Assertions.assertTrue(effectiveGroupMembershipRepo.isMember("g1", "u3"));
+		Assertions.assertTrue(effectiveGroupMembershipRepo.isMember("g2", "u2"));
+		Assertions.assertTrue(effectiveGroupMembershipRepo.isMember("g2", "u3"));
+		Assertions.assertTrue(effectiveGroupMembershipRepo.isMember("g2", "u4"));
+		Assertions.assertTrue(effectiveGroupMembershipRepo.isMember("g3", "u3"));
+		Assertions.assertTrue(effectiveGroupMembershipRepo.isMember("g3", "u4"));
+
+		Assertions.assertFalse(effectiveGroupMembershipRepo.isMember("g2", "u1"));
+		Assertions.assertFalse(effectiveGroupMembershipRepo.isMember("g3", "u1"));
+		Assertions.assertFalse(effectiveGroupMembershipRepo.isMember("g1", "u5"));
+		Assertions.assertFalse(effectiveGroupMembershipRepo.isMember("g2", "u5"));
+		Assertions.assertFalse(effectiveGroupMembershipRepo.isMember("g3", "u5"));
+
+	}
+
+	/* update groups */
+
+	@Test
+	@DisplayName("updateGroups after adding g5/u5")
+	@Transactional
+	void updateGroupAfterAddingG5U5() {
+		addMembers("g5", "u5");
+		effectiveGroupMembershipRepo.updateGroups(List.of("g5"));
+		Assertions.assertTrue(effectiveGroupMembershipRepo.isMember("g5", "u5"));
+	}
+
+	@Test
+	@DisplayName("updateGroups after removing g2/g3")
+	@Transactional
+	void updateGroupAfterRemovingG2G3() {
+		removeMembers("g2", "g3");
+		effectiveGroupMembershipRepo.updateGroups(List.of("g2"));
+		Assertions.assertTrue(effectiveGroupMembershipRepo.isMember("g2", "u2"));
+		Assertions.assertFalse(effectiveGroupMembershipRepo.isMember("g2", "g3"));
+		Assertions.assertFalse(effectiveGroupMembershipRepo.isMember("g2", "u3"));
+		Assertions.assertFalse(effectiveGroupMembershipRepo.isMember("g1", "g3"));
+		Assertions.assertFalse(effectiveGroupMembershipRepo.isMember("g1", "u3"));
+	}
+
+	/* update users */
+
+	@Test
+	@DisplayName("updateUsers after adding g5/u5")
+	@Transactional
+	void updateUsersAfterAddingG5U5() {
+		addMembers("g5", "u5");
+		effectiveGroupMembershipRepo.updateUsers(List.of("u5"));
+		Assertions.assertTrue(effectiveGroupMembershipRepo.isMember("g5", "u5"));
+	}
+
+	@Test
+	@DisplayName("updateUsers after adding g3/u5")
+	@Transactional
+	void updateUsersAfterAddingG3U5() {
+		addMembers("g3", "u5");
+		effectiveGroupMembershipRepo.updateUsers(List.of("u5"));
+		Assertions.assertTrue(effectiveGroupMembershipRepo.isMember("g3", "u5"));
+		Assertions.assertTrue(effectiveGroupMembershipRepo.isMember("g2", "u5"));
+		Assertions.assertTrue(effectiveGroupMembershipRepo.isMember("g1", "u5"));
+	}
+
+	@Test
+	@DisplayName("updateUsers after removing g2/u2")
+	@Transactional
+	void updateUsersAfterRemovingG2U2() {
+		removeMembers("g2", "u2");
+		effectiveGroupMembershipRepo.updateUsers(List.of("u2"));
+		Assertions.assertFalse(effectiveGroupMembershipRepo.isMember("g2", "u2"));
+		Assertions.assertFalse(effectiveGroupMembershipRepo.isMember("g1", "u2"));
+	}
+
+	@Test
+	@DisplayName("updateUsers after removing g2/u4")
+	@Transactional
+	void updateUsersAfterRemovingG2U4() {
+		removeMembers("g2", "u4");
+		effectiveGroupMembershipRepo.updateUsers(List.of("u4"));
+		Assertions.assertTrue(effectiveGroupMembershipRepo.isMember("g3", "u4"));
+		Assertions.assertTrue(effectiveGroupMembershipRepo.isMember("g2", "u4"));
+		Assertions.assertTrue(effectiveGroupMembershipRepo.isMember("g1", "u4"));
+	}
+
+	/* helpers */
+
+	private void addMembers(String groupId, String... memberIds) {
+		if (memberIds.length == 0) {
+			throw new IllegalArgumentException("At least one memberId must be provided");
+		}
+		Group group = groupRepo.findById(groupId);
+		if (group == null) {
+			throw new IllegalArgumentException("Group " + groupId + " does not exist");
+		}
+		for (String memberId : memberIds) {
+			Authority member = authorityRepo.findById(memberId);
+			if (member == null) {
+				throw new IllegalArgumentException("Member " + memberId + " does not exist");
+			}
+			group.getMembers().add(member);
+		}
+		groupRepo.persist(group);
+	}
+
+	private void removeMembers(String groupId, String... memberIds) {
+		if (memberIds.length == 0) {
+			throw new IllegalArgumentException("At least one memberId must be provided");
+		}
+		Group group = groupRepo.findById(groupId);
+		if (group == null) {
+			throw new IllegalArgumentException("Group " + groupId + " does not exist");
+		}
+		for (String memberId : memberIds) {
+			Authority member = authorityRepo.findById(memberId);
+			if (member == null) {
+				throw new IllegalArgumentException("Member " + memberId + " does not exist");
+			}
+			group.getMembers().remove(member);
+		}
+		groupRepo.persist(group);
+	}
+
+}
\ No newline at end of file
diff --git a/backend/src/test/java/org/cryptomator/hub/entities/EntityIT.java b/backend/src/test/java/org/cryptomator/hub/entities/EntityIT.java
index cf590c65e..08ed41013 100644
--- a/backend/src/test/java/org/cryptomator/hub/entities/EntityIT.java
+++ b/backend/src/test/java/org/cryptomator/hub/entities/EntityIT.java
@@ -25,7 +25,7 @@ public class EntityIT {
 	@Test
 	@TestTransaction
 	@DisplayName("Removing a User cascades to Access")
-	public void removingUserCascadesToAccess() throws SQLException {
+	void removingUserCascadesToAccess() throws SQLException {
 		try (var c = dataSource.getConnection(); var s = c.createStatement()) {
 			// test data will be removed via @TestTransaction
 			s.execute("""
@@ -44,7 +44,7 @@ public void removingUserCascadesToAccess() throws SQLException {
 	@Test
 	@TestTransaction
 	@DisplayName("Retrieve the correct token when a user has access to multiple vaults")
-	public void testGetCorrectTokenForDeviceWithAcessToMultipleVaults() {
+	void testGetCorrectTokenForDeviceWithAccessToMultipleVaults() {
 		var token = accessTokenRepo.unlock(UUID.fromString("7E57C0DE-0000-4000-8000-000100001111"), "user1");
 		Assertions.assertEquals(UUID.fromString("7E57C0DE-0000-4000-8000-000100001111"), token.getVault().getId());
 		Assertions.assertEquals("user1", token.getUser().getId());
diff --git a/backend/src/test/java/org/cryptomator/hub/filters/ActiveLicenseFilterTest.java b/backend/src/test/java/org/cryptomator/hub/filters/ActiveLicenseFilterTest.java
index cc952481b..001a90f84 100644
--- a/backend/src/test/java/org/cryptomator/hub/filters/ActiveLicenseFilterTest.java
+++ b/backend/src/test/java/org/cryptomator/hub/filters/ActiveLicenseFilterTest.java
@@ -15,13 +15,13 @@ public class ActiveLicenseFilterTest {
 	ActiveLicenseFilter filter = new ActiveLicenseFilter();
 
 	@BeforeEach
-	public void setup() {
+	void setup() {
 		filter.license = Mockito.mock(LicenseHolder.class);
 	}
 
 	@Test
 	@DisplayName("abort when providing expired license")
-	public void testFilterWithExpiredLicense() {
+	void testFilterWithExpiredLicense() {
 		Mockito.doReturn(true).when(filter.license).isExpired();
 
 		filter.filter(context);
@@ -31,7 +31,7 @@ public void testFilterWithExpiredLicense() {
 
 	@Test
 	@DisplayName("continue when seats are still available")
-	public void testDontFilterWhenLicenseIsNotExpired() {
+	void testDontFilterWhenLicenseIsNotExpired() {
 		Mockito.doReturn(false).when(filter.license).isExpired();
 
 		filter.filter(context);
diff --git a/backend/src/test/java/org/cryptomator/hub/filters/VaultRoleFilterTest.java b/backend/src/test/java/org/cryptomator/hub/filters/VaultRoleFilterTest.java
index 34049a816..a748ab063 100644
--- a/backend/src/test/java/org/cryptomator/hub/filters/VaultRoleFilterTest.java
+++ b/backend/src/test/java/org/cryptomator/hub/filters/VaultRoleFilterTest.java
@@ -9,22 +9,24 @@
 import jakarta.ws.rs.core.SecurityContext;
 import jakarta.ws.rs.core.UriInfo;
 import org.cryptomator.hub.entities.EffectiveVaultAccess;
+import org.cryptomator.hub.entities.EmergencyRecoveryProcess;
 import org.cryptomator.hub.entities.Vault;
 import org.cryptomator.hub.entities.VaultAccess;
+import org.cryptomator.hub.keycloak.RealmRole;
 import org.eclipse.microprofile.jwt.JsonWebToken;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
-import org.mockito.ArgumentMatchers;
 import org.mockito.Mockito;
 
 import java.util.Map;
-import java.util.Optional;
 import java.util.Set;
+import java.util.UUID;
+import java.util.stream.Stream;
 
-public class VaultRoleFilterTest {
+class VaultRoleFilterTest {
 
 	private final ResourceInfo resourceInfo = Mockito.mock(ResourceInfo.class);
 	private final UriInfo uriInfo = Mockito.mock(UriInfo.class);
@@ -32,14 +34,16 @@ public class VaultRoleFilterTest {
 	private final SecurityContext securityContext = Mockito.mock(SecurityContext.class);
 	private final JsonWebToken jwt = Mockito.mock(JsonWebToken.class);
 	private final EffectiveVaultAccess.Repository effectiveVaultAccessRepo = Mockito.mock(EffectiveVaultAccess.Repository.class);
+	private final EmergencyRecoveryProcess.Repository recoveryRepo = Mockito.mock(EmergencyRecoveryProcess.Repository.class);
 	private final Vault.Repository vaultRepo = Mockito.mock(Vault.Repository.class);
 	private final VaultRoleFilter filter = new VaultRoleFilter();
 
 	@BeforeEach
-	public void setup() {
+	void setup() {
 		filter.resourceInfo = resourceInfo;
 		filter.jwt = jwt;
 		filter.effectiveVaultAccessRepo = effectiveVaultAccessRepo;
+		filter.recoveryRepo = recoveryRepo;
 		filter.vaultRepo = vaultRepo;
 
 		Mockito.doReturn(uriInfo).when(context).getUriInfo();
@@ -47,17 +51,17 @@ public void setup() {
 	}
 
 	@Test
-	@DisplayName("error 403 if annotated resource has no vaultId path param")
-	public void testFilterWithMissingVaultId() throws NoSuchMethodException {
+	@DisplayName("error 404 if annotated resource has no vaultId path param")
+	void testFilterWithMissingVaultId() throws NoSuchMethodException {
 		Mockito.doReturn(VaultRoleFilterTest.class.getMethod("allowMember")).when(resourceInfo).getResourceMethod();
 		Mockito.doReturn(new MultivaluedHashMap<>()).when(uriInfo).getPathParameters();
 
-		Assertions.assertThrows(ForbiddenException.class, () -> filter.filter(context));
+		Assertions.assertThrows(NotFoundException.class, () -> filter.filter(context));
 	}
 
 	@Test
 	@DisplayName("error 401 if JWT is missing")
-	public void testFilterWithMissingJWT() throws NoSuchMethodException {
+	void testFilterWithMissingJWT() throws NoSuchMethodException {
 		Mockito.doReturn(VaultRoleFilterTest.class.getMethod("allowMember")).when(resourceInfo).getResourceMethod();
 		Mockito.doReturn(new MultivaluedHashMap<>(Map.of(VaultRole.DEFAULT_VAULT_ID_PARAM, "7E57C0DE-0000-4000-8000-000100001111"))).when(uriInfo).getPathParameters();
 
@@ -66,13 +70,12 @@ public void testFilterWithMissingJWT() throws NoSuchMethodException {
 
 	@Test
 	@DisplayName("error 403 if user2 tries to access 7E57C0DE-0000-4000-8000-000100001111")
-	public void testFilterWithInsufficientPrivileges() throws NoSuchMethodException {
+	void testFilterWithInsufficientPrivileges() throws NoSuchMethodException {
 		Mockito.doReturn(VaultRoleFilterTest.class.getMethod("allowOwner")).when(resourceInfo).getResourceMethod();
 		Mockito.doReturn(new MultivaluedHashMap<>(Map.of(VaultRole.DEFAULT_VAULT_ID_PARAM, "7E57C0DE-0000-4000-8000-000100001111"))).when(uriInfo).getPathParameters();
 		Mockito.doReturn("user2").when(jwt).getSubject();
-
-		Mockito.when(vaultRepo.findByIdOptional(ArgumentMatchers.argThat(uuid -> uuid.toString().equalsIgnoreCase("7E57C0DE-0000-4000-8000-000100001111")))).thenReturn(Optional.of(Mockito.mock(Vault.class)));
-		Mockito.when(effectiveVaultAccessRepo.listRoles(Mockito.argThat(uuid -> uuid.toString().equalsIgnoreCase("7E57C0DE-0000-4000-8000-000100001111")), Mockito.eq("user2"))).thenReturn(Set.of());
+		Mockito.when(vaultRepo.findById(uuid("7E57C0DE-0000-4000-8000-000100001111"))).thenReturn(Mockito.mock(Vault.class));
+		Mockito.when(effectiveVaultAccessRepo.listRoles(uuid("7E57C0DE-0000-4000-8000-000100001111"), Mockito.eq("user2"))).thenReturn(Set.of());
 
 		var e = Assertions.assertThrows(ForbiddenException.class, () -> filter.filter(context));
 
@@ -81,53 +84,114 @@ public void testFilterWithInsufficientPrivileges() throws NoSuchMethodException
 
 	@Test
 	@DisplayName("pass if user1 tries to access 7E57C0DE-0000-4000-8000-000100001111 (user1 is OWNER of vault)")
-	public void testFilterSuccess1() throws NoSuchMethodException {
+	void testFilterSuccess1() throws NoSuchMethodException {
 		Mockito.doReturn(VaultRoleFilterTest.class.getMethod("allowOwner")).when(resourceInfo).getResourceMethod();
 		Mockito.doReturn(new MultivaluedHashMap<>(Map.of(VaultRole.DEFAULT_VAULT_ID_PARAM, "7E57C0DE-0000-4000-8000-000100001111"))).when(uriInfo).getPathParameters();
 		Mockito.doReturn("user1").when(jwt).getSubject();
-
-		Mockito.when(vaultRepo.findByIdOptional(ArgumentMatchers.argThat(uuid -> uuid.toString().equalsIgnoreCase("7E57C0DE-0000-4000-8000-000100001111")))).thenReturn(Optional.of(Mockito.mock(Vault.class)));
-		Mockito.when(effectiveVaultAccessRepo.listRoles(Mockito.argThat(uuid -> uuid.toString().equalsIgnoreCase("7E57C0DE-0000-4000-8000-000100001111")), Mockito.eq("user1"))).thenReturn(Set.of(VaultAccess.Role.OWNER));
+		Mockito.when(vaultRepo.findById(uuid("7E57C0DE-0000-4000-8000-000100001111"))).thenReturn(Mockito.mock(Vault.class));
+		Mockito.when(effectiveVaultAccessRepo.listRoles(uuid("7E57C0DE-0000-4000-8000-000100001111"), Mockito.eq("user1"))).thenReturn(Set.of(VaultAccess.Role.OWNER));
 
 		Assertions.assertDoesNotThrow(() -> filter.filter(context));
 	}
 
 	@Test
 	@DisplayName("pass if user2 tries to access 7E57C0DE-0000-4000-8000-000100002222 (user2 is member of group2, which is OWNER of the vault)")
-	public void testFilterSuccess2() throws NoSuchMethodException {
+	void testFilterSuccess2() throws NoSuchMethodException {
 		Mockito.doReturn(VaultRoleFilterTest.class.getMethod("allowOwner")).when(resourceInfo).getResourceMethod();
 		Mockito.doReturn(new MultivaluedHashMap<>(Map.of(VaultRole.DEFAULT_VAULT_ID_PARAM, "7E57C0DE-0000-4000-8000-000100002222"))).when(uriInfo).getPathParameters();
 		Mockito.doReturn("user2").when(jwt).getSubject();
+		Mockito.when(vaultRepo.findById(uuid("7E57C0DE-0000-4000-8000-000100002222"))).thenReturn(Mockito.mock(Vault.class));
+		Mockito.when(effectiveVaultAccessRepo.listRoles(uuid("7E57C0DE-0000-4000-8000-000100002222"), Mockito.eq("user2"))).thenReturn(Set.of(VaultAccess.Role.OWNER));
 
-		Mockito.when(vaultRepo.findByIdOptional(ArgumentMatchers.argThat(uuid -> uuid.toString().equalsIgnoreCase("7E57C0DE-0000-4000-8000-000100002222")))).thenReturn(Optional.of(Mockito.mock(Vault.class)));
-		Mockito.when(effectiveVaultAccessRepo.listRoles(Mockito.argThat(uuid -> uuid.toString().equalsIgnoreCase("7E57C0DE-0000-4000-8000-000100002222")), Mockito.eq("user2"))).thenReturn(Set.of(VaultAccess.Role.OWNER));
+		Assertions.assertDoesNotThrow(() -> filter.filter(context));
+	}
+
+	@Test
+	@DisplayName("pass if user3 tries to access 7E57C0DE-0000-4000-8000-000100001111 (user3 is recovery council member)")
+	void testFilterSuccess3() throws NoSuchMethodException {
+		Mockito.doReturn(VaultRoleFilterTest.class.getMethod("byPassRecoveryCouncilMembers")).when(resourceInfo).getResourceMethod();
+		Mockito.doReturn(new MultivaluedHashMap<>(Map.of(VaultRole.DEFAULT_VAULT_ID_PARAM, "7E57C0DE-0000-4000-8000-000100001111"))).when(uriInfo).getPathParameters();
+		Mockito.doReturn("user3").when(jwt).getSubject();
+		var vault = Mockito.mock(Vault.class);
+		Mockito.doReturn(Map.of("user3", "recovery-key-share-3000")).when(vault).getEmergencyKeyShares();
+		Mockito.doReturn(vault).when(vaultRepo).findById(uuid("7E57C0DE-0000-4000-8000-000100001111"));
 
 		Assertions.assertDoesNotThrow(() -> filter.filter(context));
+
+		Mockito.verify(effectiveVaultAccessRepo, Mockito.never()).listRoles(Mockito.any(), Mockito.any());
+	}
+
+	@Test
+	@DisplayName("pass if user4 tries to access 7E57C0DE-0000-4000-8000-000100001111 (user4 is member of started recovery process)")
+	void testFilterSuccess4() throws NoSuchMethodException {
+		Mockito.doReturn(VaultRoleFilterTest.class.getMethod("byPassRecoveryCouncilMembers")).when(resourceInfo).getResourceMethod();
+		Mockito.doReturn(new MultivaluedHashMap<>(Map.of(VaultRole.DEFAULT_VAULT_ID_PARAM, "7E57C0DE-0000-4000-8000-000100001111"))).when(uriInfo).getPathParameters();
+		Mockito.doReturn("user4").when(jwt).getSubject();
+		var vault = Mockito.mock(Vault.class);
+		Mockito.doReturn(UUID.fromString("7E57C0DE-0000-4000-8000-000100001111")).when(vault).getId();
+		Mockito.doReturn(Map.of()).when(vault).getEmergencyKeyShares();
+		var process = Mockito.mock(EmergencyRecoveryProcess.class);
+		Mockito.doReturn(Map.of("user4", "recovery-key-share-3000")).when(process).getRecoveredKeyShares();
+		Mockito.doReturn(Stream.of(process)).when(recoveryRepo).findByVaultId(uuid("7E57C0DE-0000-4000-8000-000100001111"));
+		Mockito.doReturn(vault).when(vaultRepo).findById(uuid("7E57C0DE-0000-4000-8000-000100001111"));
+
+		Assertions.assertDoesNotThrow(() -> filter.filter(context));
+
+		Mockito.verify(effectiveVaultAccessRepo, Mockito.never()).listRoles(Mockito.any(), Mockito.any());
+	}
+
+	@Test
+	@DisplayName("pass if admin user tries to access 7E57C0DE-0000-4000-8000-000100001111 (admin bypasses vault role check)")
+	void testFilterBypassForAdmin() throws NoSuchMethodException {
+		Mockito.doReturn(VaultRoleFilterTest.class.getMethod("byPassForRealmRole")).when(resourceInfo).getResourceMethod();
+		Mockito.doReturn(new MultivaluedHashMap<>(Map.of(VaultRole.DEFAULT_VAULT_ID_PARAM, "7E57C0DE-0000-4000-8000-000100001111"))).when(uriInfo).getPathParameters();
+		Mockito.doReturn("user2").when(jwt).getSubject();
+		Mockito.when(vaultRepo.findById(uuid("7E57C0DE-0000-4000-8000-000100001111"))).thenReturn(Mockito.mock(Vault.class));
+		Mockito.doReturn(true).when(securityContext).isUserInRole("admin");
+
+		Assertions.assertDoesNotThrow(() -> filter.filter(context));
+
+		Mockito.verify(effectiveVaultAccessRepo, Mockito.never()).listRoles(Mockito.any(), Mockito.any());
+	}
+
+	@Test
+	@DisplayName("error 403 if non-admin user tries to access 7E57C0DE-0000-4000-8000-000100001111 (bypassForRealmRole has no effect)")
+	void testFilterNoBypassForNonAdmin() throws NoSuchMethodException {
+		Mockito.doReturn(VaultRoleFilterTest.class.getMethod("byPassForRealmRole")).when(resourceInfo).getResourceMethod();
+		Mockito.doReturn(new MultivaluedHashMap<>(Map.of(VaultRole.DEFAULT_VAULT_ID_PARAM, "7E57C0DE-0000-4000-8000-000100001111"))).when(uriInfo).getPathParameters();
+		Mockito.doReturn("user2").when(jwt).getSubject();
+		Mockito.when(vaultRepo.findById(uuid("7E57C0DE-0000-4000-8000-000100001111"))).thenReturn(Mockito.mock(Vault.class));
+		Mockito.when(effectiveVaultAccessRepo.listRoles(uuid("7E57C0DE-0000-4000-8000-000100001111"), Mockito.eq("user2"))).thenReturn(Set.of());
+		Mockito.doReturn(false).when(securityContext).isUserInRole("admin");
+
+		var e = Assertions.assertThrows(ForbiddenException.class, () -> filter.filter(context));
+
+		Assertions.assertEquals("Vault role required: OWNER", e.getMessage());
 	}
 
 	@Nested
 	@DisplayName("when attempting to access archived vault")
-	public class OnArchivedVault {
+	class OnArchivedVault {
 
 		@BeforeEach
-		public void setup() {
+		void setup() {
 			Mockito.doReturn(new MultivaluedHashMap<>(Map.of(VaultRole.DEFAULT_VAULT_ID_PARAM, "7E57C0DE-0000-4000-8000-00010000AAAA"))).when(uriInfo).getPathParameters();
 		}
 
 		@Test
 		@DisplayName("pass if user1 tries to access 7E57C0DE-0000-4000-8000-00010000AAAA (user1 is OWNER of vault)")
-		public void testFilterSuccess() throws NoSuchMethodException {
+		void testFilterSuccess() throws NoSuchMethodException {
 			Mockito.doReturn(VaultRoleFilterTest.class.getMethod("allowOwner")).when(resourceInfo).getResourceMethod();
 			Mockito.doReturn("user1").when(jwt).getSubject();
-			Mockito.when(vaultRepo.findByIdOptional(ArgumentMatchers.argThat(uuid -> uuid.toString().equalsIgnoreCase("7E57C0DE-0000-4000-8000-00010000AAAA")))).thenReturn(Optional.of(Mockito.mock(Vault.class)));
-			Mockito.when(effectiveVaultAccessRepo.listRoles(Mockito.argThat(uuid -> uuid.toString().equalsIgnoreCase("7E57C0DE-0000-4000-8000-00010000AAAA")), Mockito.eq("user1"))).thenReturn(Set.of(VaultAccess.Role.OWNER));
+			Mockito.when(vaultRepo.findById(uuid("7E57C0DE-0000-4000-8000-00010000AAAA"))).thenReturn(Mockito.mock(Vault.class));
+			Mockito.when(effectiveVaultAccessRepo.listRoles(uuid("7E57C0DE-0000-4000-8000-00010000AAAA"), Mockito.eq("user1"))).thenReturn(Set.of(VaultAccess.Role.OWNER));
 
 			Assertions.assertDoesNotThrow(() -> filter.filter(context));
 		}
 
 		@Test
 		@DisplayName("error 403 if user2 tries to access 7E57C0DE-0000-4000-8000-00010000AAAA")
-		public void testFilterWithInsufficientPrivileges() throws NoSuchMethodException {
+		void testFilterWithInsufficientPrivileges() throws NoSuchMethodException {
 			Mockito.doReturn(VaultRoleFilterTest.class.getMethod("allowOwner")).when(resourceInfo).getResourceMethod();
 			Mockito.doReturn("user2").when(jwt).getSubject();
 
@@ -140,17 +204,17 @@ public void testFilterWithInsufficientPrivileges() throws NoSuchMethodException
 
 	@Nested
 	@DisplayName("when attempting to access non-existing vault")
-	public class OnMissingVault {
+	class OnMissingVault {
 
 		@BeforeEach
-		public void setup() {
+		void setup() {
 			Mockito.doReturn(new MultivaluedHashMap<>(Map.of(VaultRole.DEFAULT_VAULT_ID_PARAM, "7E57C0DE-0000-4000-8000-BADBADBADBAD"))).when(uriInfo).getPathParameters();
 			Mockito.doReturn("user1").when(jwt).getSubject();
 		}
 
 		@Test
 		@DisplayName("error 403 if annotated with @VaultRole(onMissingVault = OnMissingVault.FORBIDDEN)")
-		public void testForbidden() throws NoSuchMethodException {
+		void testForbidden() throws NoSuchMethodException {
 			Mockito.doReturn(NonExistingVault.class.getMethod("forbidden")).when(resourceInfo).getResourceMethod();
 
 			var e = Assertions.assertThrows(ForbiddenException.class, () -> filter.filter(context));
@@ -160,7 +224,7 @@ public void testForbidden() throws NoSuchMethodException {
 
 		@Test
 		@DisplayName("error 404 if annotated with @VaultRole(onMissingVault = OnMissingVault.NOT_FOUND)")
-		public void testNotFound() throws NoSuchMethodException {
+		void testNotFound() throws NoSuchMethodException {
 			Mockito.doReturn(NonExistingVault.class.getMethod("notFound")).when(resourceInfo).getResourceMethod();
 
 			var e = Assertions.assertThrows(NotFoundException.class, () -> filter.filter(context));
@@ -170,7 +234,7 @@ public void testNotFound() throws NoSuchMethodException {
 
 		@Test
 		@DisplayName("pass if annotated with @VaultRole(onMissingVault = OnMissingVault.PASS)")
-		public void testPass() throws NoSuchMethodException {
+		void testPass() throws NoSuchMethodException {
 			Mockito.doReturn(NonExistingVault.class.getMethod("pass")).when(resourceInfo).getResourceMethod();
 
 			Assertions.assertDoesNotThrow(() -> filter.filter(context));
@@ -178,26 +242,55 @@ public void testPass() throws NoSuchMethodException {
 
 		@Nested
 		@DisplayName("if @VaultRole(onMissingVault = OnMissingVault.REQUIRE_REALM_ROLE)")
-		public class RequireRealmRole {
+		class RequireRealmRole {
 
 			@BeforeEach
-			public void setup() throws NoSuchMethodException {
+			void setup() throws NoSuchMethodException {
 				Mockito.doReturn(NonExistingVault.class.getMethod("requireRealmRole")).when(resourceInfo).getResourceMethod();
 			}
 
 			@Test
-			@DisplayName("error 403 if user lacks realm role required by @VaultRole(realmRole = \"foobar\")")
-			public void testMissesRole() {
-				Mockito.doReturn(false).when(securityContext).isUserInRole("foobar");
+			@DisplayName("error 403 if user lacks realm role required by @VaultRole(realmRole = RealmRole.ADMIN)")
+			void testMissesRole() {
+				Mockito.doReturn(false).when(securityContext).isUserInRole("admin");
 
 				Assertions.assertThrows(ForbiddenException.class, () -> filter.filter(context));
 			}
 
 
 			@Test
-			@DisplayName("pass if user has realm role required by @VaultRole(realmRole = \"foobar\")")
-			public void testHasRole() {
-				Mockito.doReturn(true).when(securityContext).isUserInRole("foobar");
+			@DisplayName("pass if user has realm role required by @VaultRole(realmRole = RealmRole.ADMIN)")
+			void testHasRole() {
+				Mockito.doReturn(true).when(securityContext).isUserInRole("admin");
+
+				Assertions.assertDoesNotThrow(() -> filter.filter(context));
+			}
+
+		}
+
+		@Nested
+		@DisplayName("if @VaultRole(bypassForRealmRole = true, onMissingVault = REQUIRE_REALM_ROLE, realmRole = CREATE_VAULTS)")
+		class BypassRealmRoleWithRequireRealmRole {
+
+			@BeforeEach
+			void setup() throws NoSuchMethodException {
+				Mockito.doReturn(NonExistingVault.class.getMethod("bypassRealmRoleWithRequireRealmRole")).when(resourceInfo).getResourceMethod();
+			}
+
+			@Test
+			@DisplayName("error 403 if admin lacks create-vaults role (bypass does not apply for non-existing vault)")
+			void testAdminWithoutCreateVaultsRole() {
+				Mockito.doReturn(true).when(securityContext).isUserInRole("admin");
+				Mockito.doReturn(false).when(securityContext).isUserInRole("create-vaults");
+
+				Assertions.assertThrows(ForbiddenException.class, () -> filter.filter(context));
+			}
+
+			@Test
+			@DisplayName("pass if user has create-vaults role (onMissingVault checks realmRole, not bypassRealmRole)")
+			void testUserWithCreateVaultsRole() {
+				Mockito.doReturn(false).when(securityContext).isUserInRole("admin");
+				Mockito.doReturn(true).when(securityContext).isUserInRole("create-vaults");
 
 				Assertions.assertDoesNotThrow(() -> filter.filter(context));
 			}
@@ -210,24 +303,50 @@ public void testHasRole() {
 	 * "real" methods for testing below, as we can not mock Method.class without breaking Mockito
 	 */
 
+	@VaultRole(value = {VaultAccess.Role.OWNER}, bypassForEmergencyAccess = true)
+	public void byPassRecoveryCouncilMembers() {
+	}
+
+	@VaultRole(value = {VaultAccess.Role.OWNER}, bypassForRealmRole = true)
+	public void byPassForRealmRole() {
+	}
+
 	@VaultRole({VaultAccess.Role.MEMBER})
-	public void allowMember() {}
+	public void allowMember() {
+	}
 
 	@VaultRole({VaultAccess.Role.OWNER})
-	public void allowOwner() {}
+	public void allowOwner() {
+	}
 
 	public static class NonExistingVault {
 		@VaultRole(value = {VaultAccess.Role.OWNER}, onMissingVault = VaultRole.OnMissingVault.FORBIDDEN)
-		public void forbidden() {}
+		public void forbidden() {
+		}
 
 		@VaultRole(value = {VaultAccess.Role.OWNER}, onMissingVault = VaultRole.OnMissingVault.NOT_FOUND)
-		public void notFound() {}
+		public void notFound() {
+		}
 
 		@VaultRole(value = {VaultAccess.Role.OWNER}, onMissingVault = VaultRole.OnMissingVault.PASS)
-		public void pass() {}
+		public void pass() {
+		}
+
+		@VaultRole(value = {VaultAccess.Role.OWNER}, bypassForRealmRole = true, onMissingVault = VaultRole.OnMissingVault.REQUIRE_REALM_ROLE, realmRole = RealmRole.CREATE_VAULTS)
+		public void bypassRealmRoleWithRequireRealmRole() {
+		}
+
+		@VaultRole(value = {VaultAccess.Role.OWNER}, onMissingVault = VaultRole.OnMissingVault.REQUIRE_REALM_ROLE, realmRole = RealmRole.ADMIN)
+		public void requireRealmRole() {
+		}
+	}
+
+	/*
+	 * utils
+	 */
 
-		@VaultRole(value = {VaultAccess.Role.OWNER}, onMissingVault = VaultRole.OnMissingVault.REQUIRE_REALM_ROLE, realmRole = "foobar")
-		public void requireRealmRole() {}
+	private static UUID uuid(String uuid) {
+		return Mockito.argThat(arg -> arg.toString().equalsIgnoreCase(uuid));
 	}
 
 
diff --git a/backend/src/test/java/org/cryptomator/hub/filters/VueHistoryModeFilterTest.java b/backend/src/test/java/org/cryptomator/hub/filters/VueHistoryModeFilterTest.java
index ba2674ae1..8c6b32016 100644
--- a/backend/src/test/java/org/cryptomator/hub/filters/VueHistoryModeFilterTest.java
+++ b/backend/src/test/java/org/cryptomator/hub/filters/VueHistoryModeFilterTest.java
@@ -20,7 +20,7 @@ public class VueHistoryModeFilterTest {
 
 	@Test
 	@DisplayName("redirect /app/* subresources to index.html")
-	public void testFilter() throws ServletException, IOException {
+	void testFilter() throws ServletException, IOException {
 		var dispatcher = Mockito.mock(RequestDispatcher.class);
 		Mockito.doReturn(dispatcher).when(req).getRequestDispatcher("/index.html");
 
diff --git a/backend/src/test/java/org/cryptomator/hub/katta/KeycloakCryptomatorVaultsHelperIT.java b/backend/src/test/java/org/cryptomator/hub/katta/KeycloakCryptomatorVaultsHelperIT.java
new file mode 100644
index 000000000..38dd50414
--- /dev/null
+++ b/backend/src/test/java/org/cryptomator/hub/katta/KeycloakCryptomatorVaultsHelperIT.java
@@ -0,0 +1,89 @@
+package org.cryptomator.hub.katta;
+
+import dasniko.testcontainers.keycloak.KeycloakContainer;
+import io.quarkus.test.common.QuarkusTestResource;
+import io.quarkus.test.junit.QuarkusTest;
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+import org.jboss.resteasy.reactive.ClientWebApplicationException;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
+import org.keycloak.admin.client.Keycloak;
+import org.keycloak.admin.client.resource.ClientScopeResource;
+import org.keycloak.admin.client.resource.RealmResource;
+import org.keycloak.admin.client.resource.ServerInfoResource;
+
+import java.util.UUID;
+
+import static org.cryptomator.hub.katta.KeycloakCryptomatorVaultsHelper.keycloakGrantAccessToVault;
+import static org.cryptomator.hub.katta.KeycloakCryptomatorVaultsHelper.keycloakPrepareVault;
+import static org.cryptomator.hub.katta.KeycloakCryptomatorVaultsHelper.keycloakRemoveAccessToVault;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+@QuarkusTest
+@QuarkusTestResource(value = KeycloakTestResourceLifecycleManager.class, restrictToAnnotatedClass = true)// alice must be clean.
+class KeycloakCryptomatorVaultsHelperIT {
+    @ConfigProperty(name = "hub.keycloak.realm")
+    String keycloakRealm;
+
+    @ConfigProperty(name = "hub.keycloak.oidc.cryptomator-vaults-client-id", defaultValue = "")
+    String keycloakClientIdCryptomatorVaults;
+
+    @KeycloakTestResourceLifecycleManager.InjectKeycloakContainer
+    KeycloakContainer container;
+
+
+    @ParameterizedTest
+    @CsvSource(nullValues = "null", value = {"true,true,2", "true,false,1", "false,true,1", "false,false,0", "true,null,1", "null,true,1", "null,null,0"})
+    public void testKeycloakPrepareVault(final Boolean minio, final Boolean aws, final int expected) {
+        final Keycloak keycloak = container.getKeycloakAdminClient();
+
+        Keycloak admin = container.getKeycloakAdminClient();
+        ServerInfoResource serverInfoResource = admin.serverInfo();
+        assertNotNull(serverInfoResource.getInfo());
+
+        final RealmResource realm = keycloak.realm(keycloakRealm);
+        final String vaultId = UUID.randomUUID().toString();
+
+        final ClientScopeResource clientScopeResource = realm.clientScopes().get(vaultId);
+        final ClientWebApplicationException exc = assertThrows(ClientWebApplicationException.class, () -> clientScopeResource.getProtocolMappers().getMappers());
+        assertEquals(404, exc.getResponse().getStatus());
+        keycloakPrepareVault(vaultId, keycloak, keycloakRealm, minio, aws);
+        assertEquals(expected, clientScopeResource.getProtocolMappers().getMappers().size());
+        // must not change:
+        keycloakPrepareVault(vaultId, keycloak, keycloakRealm, null, null);
+        assertEquals(expected, clientScopeResource.getProtocolMappers().getMappers().size());
+        // must not change:
+        keycloakPrepareVault(vaultId, keycloak, keycloakRealm, minio, null);
+        assertEquals(expected, clientScopeResource.getProtocolMappers().getMappers().size());
+        // must not change:
+        keycloakPrepareVault(vaultId, keycloak, keycloakRealm, null, aws);
+        assertEquals(expected, clientScopeResource.getProtocolMappers().getMappers().size());
+        // must not change:
+        keycloakPrepareVault(vaultId, keycloak, keycloakRealm, true, true);
+        assertEquals(2, clientScopeResource.getProtocolMappers().getMappers().size());
+
+        keycloakPrepareVault(vaultId, keycloak, keycloakRealm, false, null);
+        assertEquals(1, clientScopeResource.getProtocolMappers().getMappers().size());
+        keycloakPrepareVault(vaultId, keycloak, keycloakRealm, null, false);
+        assertEquals(0, clientScopeResource.getProtocolMappers().getMappers().size());
+    }
+
+    @Test
+    public void testKeycloakGrantRemoveAccessToVault() {
+        final Keycloak keycloak = container.getKeycloakAdminClient();
+        final RealmResource realm = keycloak.realm(keycloakRealm);
+
+        final String vaultId = UUID.randomUUID().toString();
+        final String alice = realm.users().searchByFirstName("alice", true).getFirst().getId();
+        assertNull(realm.users().get(alice).roles().getAll().getClientMappings());
+        keycloakGrantAccessToVault(vaultId, alice, keycloakClientIdCryptomatorVaults, keycloak, keycloakRealm, false);
+        assertTrue(realm.users().get(alice).roles().getAll().getClientMappings().get(keycloakClientIdCryptomatorVaults).getMappings().stream().anyMatch(r -> r.getName().equals(vaultId)));
+        keycloakRemoveAccessToVault(vaultId, alice, keycloakClientIdCryptomatorVaults, keycloak, keycloakRealm, false);
+        assertNull(realm.users().get(alice).roles().getAll().getClientMappings());
+    }
+}
\ No newline at end of file
diff --git a/backend/src/test/java/org/cryptomator/hub/katta/KeycloakTestResourceLifecycleManager.java b/backend/src/test/java/org/cryptomator/hub/katta/KeycloakTestResourceLifecycleManager.java
new file mode 100644
index 000000000..95d3d33b4
--- /dev/null
+++ b/backend/src/test/java/org/cryptomator/hub/katta/KeycloakTestResourceLifecycleManager.java
@@ -0,0 +1,70 @@
+package org.cryptomator.hub.katta;
+
+import dasniko.testcontainers.keycloak.KeycloakContainer;
+import io.quarkus.test.common.QuarkusTestResourceLifecycleManager;
+import io.restassured.RestAssured;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import java.util.Map;
+
+// We need to use TLS to circumvent to nasty unresolved bug in Docker Desktop not allowing for HTTPS-only, see e.g. https://github.com/dasniko/testcontainers-keycloak/issues/208.
+// N.B. we do not use @QuarkusTest+keycloak-devservices:
+// - to configure TLS easily (see e.g. https://www.orpiske.net/2025/08/programmatic-keycloak-configuration-for-quarkus-integration-tests/, https://quarkus.io/guides/security-openid-connect-dev-services#configuration-reference)
+// - not to start Keycloak for all tests (too heavy - however, this might be achieved using a profile for tests requiring Keycloak: https://quarkus.io/guides/getting-started-testing#writing-a-profile).
+// Alternatively, instead of dasniko.testcontainers.keycloak, custom io.quarkus.test.keycloak.server.KeycloakTestResourceLifecycleManager might be used.
+public class KeycloakTestResourceLifecycleManager implements QuarkusTestResourceLifecycleManager {
+    private static final String currentKeycloakImage = "quay.io/keycloak/keycloak:26.5.5";
+    private static KeycloakContainer container;
+
+    @Override
+    public Map<String, String> start() {
+        try {
+            RestAssured.useRelaxedHTTPSValidation();
+            container = new KeycloakContainer(currentKeycloakImage)
+                    // comment in for local debugging:
+                    //				.withDebugFixedPort(5005, false)
+                    //				.withCustomCommand("--log-level=DEBUG")
+                    .withRealmImportFile("/cryptomator-realm.json")
+                    .useTls();
+            container.start();
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+
+        System.out.println(container.getAuthServerUrl());
+        return Map.of("quarkus.oidc.auth-server-url", container.getAuthServerUrl() + "/realms/cryptomator");
+    }
+
+    @Override
+    public void inject(TestInjector testInjector) {
+        testInjector.injectIntoFields(container, new TestInjector.AnnotatedAndMatchesType(InjectKeycloakContainer.class, KeycloakContainer.class));
+    }
+
+    @Override
+    public void stop() {
+        container.stop();
+    }
+
+
+    @Documented
+    @Retention(RetentionPolicy.RUNTIME)
+    @Target({ElementType.FIELD})
+    public @interface InjectKeycloakContainer {
+    }
+
+    public static void main(String[] args) throws InterruptedException {
+        container = new KeycloakContainer(currentKeycloakImage)
+                // comment in for local debugging:
+                //				.withDebugFixedPort(5005, false)
+                //				.withCustomCommand("--log-level=DEBUG")
+                .withRealmImportFile("/cryptomator-realm.json")
+                .useTls();
+        container.start();
+        System.out.println(container.getAuthServerUrl());
+        Thread.sleep(5000000);
+    }
+}
diff --git a/backend/src/test/java/org/cryptomator/hub/katta/TokenExchangeIT.java b/backend/src/test/java/org/cryptomator/hub/katta/TokenExchangeIT.java
new file mode 100644
index 000000000..9bc9b1ed2
--- /dev/null
+++ b/backend/src/test/java/org/cryptomator/hub/katta/TokenExchangeIT.java
@@ -0,0 +1,124 @@
+package org.cryptomator.hub.katta;
+
+import com.auth0.jwt.JWT;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import io.github.coffeelibs.tinyoauth2client.TinyOAuth2;
+import io.quarkus.test.common.QuarkusTestResource;
+import io.quarkus.test.junit.QuarkusTest;
+import jakarta.inject.Inject;
+import org.apache.http.ssl.SSLContextBuilder;
+import org.apache.http.ssl.TrustStrategy;
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+import org.hamcrest.MatcherAssert;
+import org.hamcrest.Matchers;
+import org.htmlunit.SilentCssErrorHandler;
+import org.htmlunit.WebClient;
+import org.htmlunit.html.HtmlForm;
+import org.htmlunit.html.HtmlPage;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.security.GeneralSecurityException;
+import java.security.KeyManagementException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+import static io.restassured.RestAssured.given;
+
+@QuarkusTest
+@QuarkusTestResource(value = KeycloakTestResourceLifecycleManager.class, restrictToAnnotatedClass = true)
+public class TokenExchangeIT {
+
+    @Inject
+    @ConfigProperty(name = "quarkus.oidc.auth-server-url")
+    String authServerUrl;
+
+    @Test
+    @DisplayName("authenticate as public client 'cryptomator' and exchange token for 'cryptomatorvaults'")
+    public void testTokenExchange() throws GeneralSecurityException, IOException, InterruptedException {
+        // 1. Authenticate as public client using Authorization Code Flow with PKCE
+        var authResponse = TinyOAuth2.client("cryptomator") //
+                .withTokenEndpoint(URI.create(authServerUrl + "/protocol/openid-connect/token")) //
+                .authorizationCodeGrant(URI.create(authServerUrl + "/protocol/openid-connect/auth")) //
+                .authorize(newTrustingHttpClient(), uri -> {
+                    try (var webClient = new WebClient()) {
+                        webClient.setCssErrorHandler(new SilentCssErrorHandler());
+                        webClient.getOptions().setUseInsecureSSL(true);
+                        HtmlPage page = webClient.getPage(uri.toASCIIString());
+                        HtmlForm form = page.getForms().getFirst();
+                        form.getInputByName("username").type("alice");
+                        form.getInputByName("password").type("asd");
+                        form.getButtonByName("login").click();
+                    } catch (IOException e) {
+                        throw new UncheckedIOException(e);
+                    }
+                }, "openid", "profile", "email"); // scopes of initial token
+        Assertions.assertEquals(200, authResponse.statusCode());
+        var initialAccessToken = new ObjectMapper().reader().readTree(authResponse.body()).get("access_token").asText();
+
+        // 2. Call the token exchange endpoint
+        var tokenExchangeResponse = given()
+                .auth().oauth2(initialAccessToken)
+                .queryParam("vault", "address") // "address" is one of cryptomatorvaults' optional client scope. In production there will be scopes for each vault
+                .post("/storage/s3-token");
+        Assertions.assertEquals(200, tokenExchangeResponse.statusCode());
+
+        var exchangedAccessToken = new ObjectMapper().reader().readTree(tokenExchangeResponse.body().asString()).get("access_token").asText();
+        var jwt = JWT.decode(exchangedAccessToken);
+        Assertions.assertEquals(1, jwt.getAudience().size());
+        Assertions.assertEquals("cryptomatorvaults", jwt.getAudience().getFirst());
+        Assertions.assertEquals("cryptomatorvaults", jwt.getClaim("azp").asString());
+        MatcherAssert.assertThat(jwt.getClaim("scope").asString(), Matchers.containsStringIgnoringCase("address"));
+    }
+
+    @Test
+    @DisplayName("Ensure 400 from Keycloak is mapped to 400 and exception is logged")
+    public void testFailingTokenExchange() throws IOException, InterruptedException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
+        // 1. Authenticate as public client using Authorization Code Flow with PKCE
+        var authResponse = TinyOAuth2.client("cryptomator") //
+                .withTokenEndpoint(URI.create(authServerUrl + "/protocol/openid-connect/token")) //
+                .authorizationCodeGrant(URI.create(authServerUrl + "/protocol/openid-connect/auth")) //
+                .authorize(newTrustingHttpClient(), uri -> {
+                    try (var webClient = new WebClient()) {
+                        webClient.setCssErrorHandler(new SilentCssErrorHandler());
+                        webClient.getOptions().setUseInsecureSSL(true);
+                        HtmlPage page = webClient.getPage(uri.toASCIIString());
+                        HtmlForm form = page.getForms().getFirst();
+                        form.getInputByName("username").type("alice");
+                        form.getInputByName("password").type("asd");
+                        form.getButtonByName("login").click();
+                    } catch (IOException e) {
+                        throw new UncheckedIOException(e);
+                    }
+                }, "openid", "profile", "email"); // scopes of initial token
+        Assertions.assertEquals(200, authResponse.statusCode());
+        var initialAccessToken = new ObjectMapper().reader().readTree(authResponse.body()).get("access_token").asText();
+
+        // 2. Call the token exchange endpoint
+        var tokenExchangeResponse = given()
+                .auth().oauth2(initialAccessToken)
+                .queryParam("vault", "666") // "666" is none of cryptomatorvaults' optional client scopes.
+                .post("/storage/s3-token");
+        Assertions.assertEquals(400, tokenExchangeResponse.statusCode());
+        Assertions.assertEquals("Received: 'Bad Request', status code 400 from Keycloak.", tokenExchangeResponse.body().asString());
+    }
+
+    private static HttpClient newTrustingHttpClient() throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException {
+        return HttpClient.newBuilder()
+                .sslContext(
+                        new SSLContextBuilder().loadTrustMaterial(null, new TrustStrategy() {
+                            public boolean isTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
+                                return true;
+                            }
+                        }).build()
+                )
+                .build();
+    }
+}
diff --git a/backend/src/test/java/org/cryptomator/hub/katta/VaultResourceKeycloakIT.java b/backend/src/test/java/org/cryptomator/hub/katta/VaultResourceKeycloakIT.java
new file mode 100644
index 000000000..b1e398929
--- /dev/null
+++ b/backend/src/test/java/org/cryptomator/hub/katta/VaultResourceKeycloakIT.java
@@ -0,0 +1,119 @@
+package org.cryptomator.hub.katta;
+
+import dasniko.testcontainers.keycloak.KeycloakContainer;
+import io.quarkus.test.InjectMock;
+import io.quarkus.test.common.QuarkusTestResource;
+import io.quarkus.test.junit.QuarkusMock;
+import io.quarkus.test.junit.QuarkusTest;
+import io.quarkus.test.security.TestSecurity;
+import io.quarkus.test.security.oidc.Claim;
+import io.quarkus.test.security.oidc.OidcSecurity;
+import io.restassured.RestAssured;
+import io.restassured.http.ContentType;
+import org.cryptomator.hub.api.VaultResource;
+import org.cryptomator.hub.license.HubLicenseEntitlements;
+import org.cryptomator.hub.license.LicenseHolder;
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.MethodOrderer;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Order;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.TestMethodOrder;
+import org.keycloak.admin.client.Keycloak;
+import org.mockito.Mockito;
+
+import java.time.Instant;
+import java.util.Map;
+import java.util.UUID;
+
+import static io.restassured.RestAssured.given;
+import static org.hamcrest.CoreMatchers.not;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.text.IsEqualIgnoringCase.equalToIgnoringCase;
+
+
+
+@QuarkusTest
+@DisplayName("Resource /vaults")
+@QuarkusTestResource(value = KeycloakTestResourceLifecycleManager.class, restrictToAnnotatedClass = true)
+public class VaultResourceKeycloakIT {
+    @ConfigProperty(name = "hub.keycloak.realm")
+    String keycloakRealm;
+
+    @KeycloakTestResourceLifecycleManager.InjectKeycloakContainer
+    KeycloakContainer container;
+
+    @InjectMock
+    LicenseHolder licenseHolder;
+
+    @BeforeEach
+    public void setup() {
+        RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
+        // https://quarkus.io/guides/getting-started-testing#quarkus_mock
+        KeycloakCryptomatorVaultsHelperFromContainer mock = new KeycloakCryptomatorVaultsHelperFromContainer();
+
+        QuarkusMock.installMockForType(mock, KeycloakCryptomatorVaultsHelper.class);
+
+        var entitlements = HubLicenseEntitlements.create().withSeats(5L);
+        Mockito.doReturn(entitlements).when(licenseHolder).getEntitlements();
+        Mockito.doReturn(false).when(licenseHolder).isExpired();
+    }
+
+    public class KeycloakCryptomatorVaultsHelperFromContainer extends KeycloakCryptomatorVaultsHelper {
+        KeycloakCryptomatorVaultsHelperFromContainer() {
+            super.keycloakRealm = VaultResourceKeycloakIT.this.keycloakRealm;
+        }
+
+        @Override
+        public Keycloak getKeycloak() {
+            return container.getKeycloakAdminClient();
+        }
+    }
+
+    @Nested
+    @DisplayName("As vault admin user1")
+    @TestSecurity(user = "alice", roles = {"user", "create-vaults"})
+    @OidcSecurity(claims = {
+            // needs to be user ID and not the user name
+            @Claim(key = "sub", value = "alice")
+    })
+    @TestMethodOrder(MethodOrderer.OrderAnnotation.class)
+    public class CreateVaults {
+
+        @Test
+        @Order(1)
+        @DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100007777 returns 201")
+        public void testCreateVault1() {
+            var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100007777");
+            var vaultDto = new VaultResource.VaultDto(uuid, "My Vault", Instant.parse("2112-12-21T21:12:21Z"), "Test vault 3", false, 0, Map.of(), "uvfMetadata3", "uvfKeySet3", "masterkey3", 42, "NaCl", "authPubKey3", "authPrvKey3");
+            given().contentType(ContentType.JSON).body(vaultDto)
+                    .queryParam("minio", true)
+                    .queryParam("aws", true)
+                    .when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100007777")
+                    .then().statusCode(201)
+                    .body("id", equalToIgnoringCase("7E57C0DE-0000-4000-8000-000100007777"))
+                    .body("name", equalTo("My Vault"))
+                    .body("description", equalTo("Test vault 3"))
+                    .body("archived", equalTo(false));
+        }
+
+        @Test
+        @Order(2)
+        @DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100007777 returns 200, updating only name, description and archive flag")
+        public void testUpdateVault() {
+            var uuid = UUID.fromString("7E57C0DE-0000-4000-8000-000100007777");
+            var vaultDto = new VaultResource.VaultDto(uuid, "VaultUpdated", Instant.parse("2222-11-11T11:11:11Z"), "Vault updated.", true, 0, Map.of(), "doNotUpdateEither", "doNotUpdateEither", "doNotUpdateEither", 27, "doNotUpdateEither", "doNotUpdateEither", "doNotUpdateEither");
+            given().contentType(ContentType.JSON)
+                    .body(vaultDto)
+                    .when().put("/vaults/{vaultId}", "7E57C0DE-0000-4000-8000-000100007777")
+                    .then().statusCode(200)
+                    .body("id", equalToIgnoringCase("7E57C0DE-0000-4000-8000-000100007777"))
+                    .body("name", equalTo("VaultUpdated"))
+                    .body("description", equalTo("Vault updated."))
+                    .body("archived", equalTo(true))
+                    .body("creationTime", not("2222-11-11T11:11:11Z"));
+        }
+    }
+}
diff --git a/backend/src/test/java/org/cryptomator/hub/keycloak/KeycloakUserProviderTest.java b/backend/src/test/java/org/cryptomator/hub/keycloak/KeycloakAuthorityProviderTest.java
similarity index 75%
rename from backend/src/test/java/org/cryptomator/hub/keycloak/KeycloakUserProviderTest.java
rename to backend/src/test/java/org/cryptomator/hub/keycloak/KeycloakAuthorityProviderTest.java
index dc79de88d..de266bdd1 100644
--- a/backend/src/test/java/org/cryptomator/hub/keycloak/KeycloakUserProviderTest.java
+++ b/backend/src/test/java/org/cryptomator/hub/keycloak/KeycloakAuthorityProviderTest.java
@@ -1,5 +1,7 @@
 package org.cryptomator.hub.keycloak;
 
+import org.hamcrest.MatcherAssert;
+import org.hamcrest.Matchers;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DisplayName;
@@ -10,6 +12,8 @@
 import org.keycloak.admin.client.resource.GroupResource;
 import org.keycloak.admin.client.resource.GroupsResource;
 import org.keycloak.admin.client.resource.RealmResource;
+import org.keycloak.admin.client.resource.RoleResource;
+import org.keycloak.admin.client.resource.RolesResource;
 import org.keycloak.admin.client.resource.UsersResource;
 import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.GroupRepresentation;
@@ -20,7 +24,7 @@
 import java.util.List;
 import java.util.Map;
 
-class KeycloakUserProviderTest {
+class KeycloakAuthorityProviderTest {
 
 	private RealmResource realm = Mockito.mock(RealmResource.class);
 	private UsersResource usersResource = Mockito.mock(UsersResource.class);
@@ -47,11 +51,13 @@ void setUp() {
 		Mockito.when(user1.getId()).thenReturn("id3000");
 		Mockito.when(user1.getUsername()).thenReturn("username3000");
 		Mockito.when(user1.getEmail()).thenReturn("email3000");
+		Mockito.when(user1.isEnabled()).thenReturn(true);
 		Mockito.when(user1.getAttributes()).thenReturn(Map.of("picture", List.of("picture3000")));
 
 		Mockito.when(user2.getId()).thenReturn("id3001");
 		Mockito.when(user2.getUsername()).thenReturn("username3001");
 		Mockito.when(user2.getEmail()).thenReturn("email3001");
+		Mockito.when(user2.isEnabled()).thenReturn(false);
 
 		keycloakRemoteUserProvider = new KeycloakAuthorityProvider();
 	}
@@ -72,11 +78,13 @@ void testListUser() {
 		Assertions.assertEquals("username3000", resultUser1.name());
 		Assertions.assertEquals("email3000", resultUser1.email());
 		Assertions.assertEquals("picture3000", resultUser1.pictureUrl());
+		Assertions.assertTrue(resultUser1.enabled());
 
 		Assertions.assertEquals("id3001", resultUser2.id());
 		Assertions.assertEquals("username3001", resultUser2.name());
 		Assertions.assertEquals("email3001", resultUser2.email());
 		Assertions.assertNull(resultUser2.pictureUrl());
+		Assertions.assertFalse(resultUser2.enabled());
 	}
 
 	@Test
@@ -110,11 +118,13 @@ void testListUserIncludingHubCliUser() {
 		Assertions.assertEquals("username3000", resultUser1.name());
 		Assertions.assertEquals("email3000", resultUser1.email());
 		Assertions.assertEquals("picture3000", resultUser1.pictureUrl());
+		Assertions.assertTrue(resultUser1.enabled());
 
 		Assertions.assertEquals("id3001", resultUser2.id());
 		Assertions.assertEquals("username3001", resultUser2.name());
 		Assertions.assertEquals("email3001", resultUser2.email());
 		Assertions.assertNull(resultUser2.pictureUrl());
+		Assertions.assertFalse(resultUser2.enabled());
 
 		Assertions.assertEquals("cryptomatorHubCliUserId", resultUser3.id());
 		Assertions.assertEquals("cryptomatorHubCliUserUsername", resultUser3.name());
@@ -136,9 +146,11 @@ class Groups {
 		public Groups() {
 			Mockito.when(group1.getId()).thenReturn("grpId3000");
 			Mockito.when(group1.getName()).thenReturn("grpName3000");
+			Mockito.when(group1.getAttributes()).thenReturn(Map.of("picture", List.of("grpPicture3000")));
 
 			Mockito.when(group2.getId()).thenReturn("grpId3001");
 			Mockito.when(group2.getName()).thenReturn("grpName3001");
+			Mockito.when(group2.getAttributes()).thenReturn(Map.of("picture", List.of("grpPicture3001")));
 
 			Mockito.when(realm.groups()).thenReturn(groupsResource);
 			Mockito.when(realm.groups().group("grpId3000")).thenReturn(groupResource1);
@@ -150,8 +162,8 @@ public Groups() {
 
 		@Test
 		@DisplayName("test groups listing contains two groups with members in group2")
-		public void testListGroups() {
-			Mockito.when(groupsResource.groups(0, KeycloakAuthorityProvider.MAX_COUNT_PER_REQUEST)).thenReturn(List.of(group1, group2));
+		void testListGroups() {
+			Mockito.when(groupsResource.groups(null, 0, KeycloakAuthorityProvider.MAX_COUNT_PER_REQUEST, false)).thenReturn(List.of(group1, group2));
 
 			var result = keycloakRemoteUserProvider.groups(realm);
 
@@ -162,10 +174,12 @@ public void testListGroups() {
 
 			Assertions.assertEquals("grpId3000", resultGroup1.id());
 			Assertions.assertEquals("grpName3000", resultGroup1.name());
+			Assertions.assertEquals("grpPicture3000", resultGroup1.pictureUrl());
 			Assertions.assertEquals(0, resultGroup1.members().size());
 
 			Assertions.assertEquals("grpId3001", resultGroup2.id());
 			Assertions.assertEquals("grpName3001", resultGroup2.name());
+			Assertions.assertEquals("grpPicture3001", resultGroup2.pictureUrl());
 			Assertions.assertEquals(2, resultGroup2.members().size());
 
 			var membersGroup2 = resultGroup2.members().stream().sorted(Comparator.comparing(KeycloakUserDto::id)).toList();
@@ -176,11 +190,49 @@ public void testListGroups() {
 			Assertions.assertEquals("username3000", member1Group2.name());
 			Assertions.assertEquals("email3000", member1Group2.email());
 			Assertions.assertEquals("picture3000", member1Group2.pictureUrl());
+			Assertions.assertTrue(member1Group2.enabled());
 
 			Assertions.assertEquals("id3001", member2Group2.id());
 			Assertions.assertEquals("username3001", member2Group2.name());
 			Assertions.assertEquals("email3001", member2Group2.email());
 			Assertions.assertNull(member2Group2.pictureUrl());
+			Assertions.assertFalse(member2Group2.enabled());
+		}
+	}
+
+	@Nested
+	@DisplayName("Test roles")
+	class Roles {
+
+		private RolesResource rolesResource = Mockito.mock(RolesResource.class);
+		private RoleResource roleResource1 = Mockito.mock(RoleResource.class);
+		private RoleResource roleResource2 = Mockito.mock(RoleResource.class);
+
+		@BeforeEach
+		void setup() {
+			Mockito.doReturn(rolesResource).when(realm).roles();
+			Mockito.doReturn(roleResource1).when(rolesResource).get("role1");
+			Mockito.doReturn(roleResource2).when(rolesResource).get("role2");
+
+			Mockito.doReturn(List.of(user1, user2)).when(roleResource1).getUserMembers(true, 0, KeycloakAuthorityProvider.MAX_COUNT_PER_REQUEST);
+			Mockito.doReturn(List.of()).when(roleResource2).getUserMembers(true, 0, KeycloakAuthorityProvider.MAX_COUNT_PER_REQUEST);
+		}
+
+		@Test
+		@DisplayName("users having role1: user1, user2")
+		void testListUsersInRole1() {
+			var result = keycloakRemoteUserProvider.usersInRole(realm, "role1");
+
+			Assertions.assertEquals(2, result.size());
+			MatcherAssert.assertThat(result, Matchers.containsInAnyOrder(user1, user2));
+		}
+
+		@Test
+		@DisplayName("users having role2: <none>")
+		void testListUsersInRole2() {
+			var result = keycloakRemoteUserProvider.usersInRole(realm, "role2");
+
+			Assertions.assertEquals(0, result.size());
 		}
 	}
 
diff --git a/backend/src/test/java/org/cryptomator/hub/keycloak/KeycloakAuthorityPullerTest.java b/backend/src/test/java/org/cryptomator/hub/keycloak/KeycloakAuthorityPullerTest.java
index a6f989d02..0842abcfb 100644
--- a/backend/src/test/java/org/cryptomator/hub/keycloak/KeycloakAuthorityPullerTest.java
+++ b/backend/src/test/java/org/cryptomator/hub/keycloak/KeycloakAuthorityPullerTest.java
@@ -1,10 +1,12 @@
 package org.cryptomator.hub.keycloak;
 
 import org.cryptomator.hub.entities.Authority;
+import org.cryptomator.hub.entities.EffectiveGroupMembership;
 import org.cryptomator.hub.entities.Group;
 import org.cryptomator.hub.entities.User;
 import org.hamcrest.MatcherAssert;
 import org.hamcrest.Matchers;
+import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Nested;
@@ -15,22 +17,27 @@
 import org.junit.jupiter.params.provider.CsvSource;
 import org.mockito.Mockito;
 
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.function.Function;
 import java.util.stream.Collectors;
 
 import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.argThat;
 
 class KeycloakAuthorityPullerTest {
 
 	private final KeycloakAuthorityProvider remoteUserProvider = Mockito.mock(KeycloakAuthorityProvider.class);
 	private final User.Repository userRepo = Mockito.mock(User.Repository.class);
 	private final Group.Repository groupRepo = Mockito.mock(Group.Repository.class);
+	private final EffectiveGroupMembership.Repository effectiveGroupMembershipRepo = Mockito.mock(EffectiveGroupMembership.Repository.class);
+
+	private final List<User> persistedUsers = new ArrayList<>();
+	private final List<Group> persistedGroups = new ArrayList<>();
 
 	private KeycloakAuthorityPuller remoteUserPuller;
 
@@ -40,13 +47,24 @@ void setUp() {
 		remoteUserPuller.remoteUserProvider = remoteUserProvider;
 		remoteUserPuller.userRepo = userRepo;
 		remoteUserPuller.groupRepo = groupRepo;
-		Mockito.doNothing().when(userRepo).persist((User) Mockito.any());
-		Mockito.doNothing().when(groupRepo).persist((Group) Mockito.any());
+		remoteUserPuller.effectiveGroupMembershipRepo = effectiveGroupMembershipRepo;
+		persistedUsers.clear();
+		Mockito.doAnswer(invocation -> {
+			Iterable<User> iterable = invocation.getArgument(0);
+			iterable.forEach(persistedUsers::add);
+			return null;
+		}).when(userRepo).persist(Mockito.<Iterable<User>>any());
+		persistedGroups.clear();
+		Mockito.doAnswer(invocation -> {
+			Iterable<Group> iterable = invocation.getArgument(0);
+			iterable.forEach(persistedGroups::add);
+			return null;
+		}).when(groupRepo).persist(Mockito.<Iterable<Group>>any());
 	}
 
 	@Nested
 	@DisplayName("Test add/delete Users")
-	public class AddDeleteUsers {
+	class AddDeleteUsers {
 
 		@DisplayName("test add users")
 		@ParameterizedTest(name = "KCUser: {0} DBUser: {1} AddedUser: {2}")
@@ -58,30 +76,38 @@ public class AddDeleteUsers {
 				",;foo,bar,baz;,",
 				",;,;,"
 		}, delimiterString = ";")
-		public void testAddUsers(@ConvertWith(StringArrayConverter.class) String[] keycloakUserIdString, @ConvertWith(StringArrayConverter.class) String[] databaseUserIdString, @ConvertWith(StringArrayConverter.class) String[] addedUserIdString) {
-			Map<String, KeycloakUserDto> keycloakUsers = Mockito.mock(Map.class);
-			Map<String, User> databaseUsers = Mockito.mock(Map.class);
+		void testAddUsers(@ConvertWith(StringArrayConverter.class) String[] keycloakUserIdString, @ConvertWith(StringArrayConverter.class) String[] databaseUserIdString, @ConvertWith(StringArrayConverter.class) String[] addedUserIdString) {
+			Map<String, KeycloakUserDto> keycloakUsers = Mockito.mock();
+			Map<String, User> databaseUsers = Mockito.mock();
 
-			var keycloakUserIds = Arrays.stream(keycloakUserIdString).collect(Collectors.toSet());
-			var databaseUserIds = Arrays.stream(databaseUserIdString).collect(Collectors.toSet());
-			var addedUserIds = Arrays.stream(addedUserIdString).collect(Collectors.toSet());
+			var keycloakUserIds = Set.of(keycloakUserIdString);
+			var databaseUserIds = Set.of(databaseUserIdString);
+			var addedUserIds = Set.of(addedUserIdString);
 
 			Mockito.when(keycloakUsers.keySet()).thenReturn(keycloakUserIds);
 			Mockito.when(databaseUsers.keySet()).thenReturn(databaseUserIds);
 
 			for (var userId : addedUserIds) {
-				var keycloakUser = new KeycloakUserDto(userId, "name " + userId, "email " + userId, "pic " + userId);
+				var keycloakUser = new KeycloakUserDto(userId, "name " + userId, "email " + userId, "first " + userId, "last " + userId, "pic " + userId, true, Set.of());
 				Mockito.when(keycloakUsers.get(userId)).thenReturn(keycloakUser);
 			}
 
-			remoteUserPuller.syncAddedUsers(keycloakUsers, databaseUsers);
+			var added = remoteUserPuller.syncAddedUsers(keycloakUsers, databaseUsers);
 
+			Assertions.assertEquals(addedUserIds, added.keySet());
+			Mockito.verify(userRepo).persist(Mockito.<Iterable<User>>any());
+			Mockito.verify(effectiveGroupMembershipRepo).updateUsers(Mockito.argThat(addedUserIds::containsAll));
 			for (var userId : addedUserIds) {
-				Mockito.verify(userRepo).persist(argThat((User u) ->
-						u.getId().equals(userId)
-								&& u.getName().equals("name " + userId)
-								&& u.getEmail().equals("email " + userId)
-								&& u.getPictureUrl().equals("pic " + userId)
+				MatcherAssert.assertThat(persistedUsers, Matchers.hasItem(
+						Matchers.allOf(
+								Matchers.hasProperty("id", Matchers.equalTo(userId)),
+								Matchers.hasProperty("name", Matchers.equalTo("name " + userId)),
+								Matchers.hasProperty("email", Matchers.equalTo("email " + userId)),
+								Matchers.hasProperty("firstName", Matchers.equalTo("first " + userId)),
+								Matchers.hasProperty("lastName", Matchers.equalTo("last " + userId)),
+								Matchers.hasProperty("pictureUrl", Matchers.equalTo("pic " + userId)),
+								Matchers.hasProperty("enabled", Matchers.equalTo(true))
+						)
 				));
 			}
 		}
@@ -96,9 +122,9 @@ public void testAddUsers(@ConvertWith(StringArrayConverter.class) String[] keycl
 				",;foo,bar,baz;foo,bar,baz",
 				",;,;,"
 		}, delimiterString = ";")
-		public void testDeleteUsers(@ConvertWith(StringArrayConverter.class) String[] keycloakUserIdString, @ConvertWith(StringArrayConverter.class) String[] databaseUserIdString, @ConvertWith(StringArrayConverter.class) String[] deletedUserIdString) {
-			Map<String, KeycloakUserDto> keycloakUsers = Mockito.mock(Map.class);
-			Map<String, User> databaseUsers = Mockito.mock(Map.class);
+		void testDeleteUsers(@ConvertWith(StringArrayConverter.class) String[] keycloakUserIdString, @ConvertWith(StringArrayConverter.class) String[] databaseUserIdString, @ConvertWith(StringArrayConverter.class) String[] deletedUserIdString) {
+			Map<String, KeycloakUserDto> keycloakUsers = Mockito.mock();
+			Map<String, User> databaseUsers = Mockito.mock();
 
 			var keycloakUserIds = Arrays.stream(keycloakUserIdString).collect(Collectors.toSet());
 			var databaseUserIds = Arrays.stream(databaseUserIdString).collect(Collectors.toSet());
@@ -112,18 +138,16 @@ public void testDeleteUsers(@ConvertWith(StringArrayConverter.class) String[] ke
 
 			var result = remoteUserPuller.syncDeletedUsers(keycloakUsers, databaseUsers);
 
-			for (var id : deletedUserIdString) {
-				Mockito.verify(userRepo).delete(deletedMap.get(id));
-			}
-
 			var expected = Arrays.stream(deletedUserIdString).collect(Collectors.toSet());
 			MatcherAssert.assertThat(result, Matchers.equalTo(expected));
+			Mockito.verify(userRepo).deleteByIds(expected);
+			Mockito.verify(effectiveGroupMembershipRepo).updateUsers(Mockito.argThat(expected::containsAll));
 		}
 	}
 
 	@Nested
 	@DisplayName("Test update Users")
-	public class UpdateUsers {
+	class UpdateUsers {
 
 		@DisplayName("test update users")
 		@ParameterizedTest(name = "KCUser: {0} DBUser: {1} Deleted: {2} Updated: {3}")
@@ -134,9 +158,9 @@ public class UpdateUsers {
 				"foo,bar,baz;,;,;,", // all new
 				",;,;,;," // all empty
 		}, delimiterString = ";")
-		public void testUpdateUsers(@ConvertWith(StringArrayConverter.class) String[] keycloakUserIdString, @ConvertWith(StringArrayConverter.class) String[] databaseUserIdString, @ConvertWith(StringArrayConverter.class) String[] deletedUserIdString, @ConvertWith(StringArrayConverter.class) String[] updatedUserIdString) {
-			Map<String, KeycloakUserDto> keycloakUsers = Mockito.mock(Map.class);
-			Map<String, User> databaseUsers = Mockito.mock(Map.class);
+		void testUpdateUsers(@ConvertWith(StringArrayConverter.class) String[] keycloakUserIdString, @ConvertWith(StringArrayConverter.class) String[] databaseUserIdString, @ConvertWith(StringArrayConverter.class) String[] deletedUserIdString, @ConvertWith(StringArrayConverter.class) String[] updatedUserIdString) {
+			Map<String, KeycloakUserDto> keycloakUsers = Mockito.mock();
+			Map<String, User> databaseUsers = Mockito.mock();
 
 			var keycloakUserIds = Arrays.stream(keycloakUserIdString).collect(Collectors.toSet());
 			var databaseUserIds = Arrays.stream(databaseUserIdString).collect(Collectors.toSet());
@@ -147,7 +171,7 @@ public void testUpdateUsers(@ConvertWith(StringArrayConverter.class) String[] ke
 			Mockito.when(databaseUsers.keySet()).thenReturn(databaseUserIds);
 
 			for (var userId : updatedUserIds) {
-				var keycloakUser = new KeycloakUserDto(userId, "name " + userId, "email " + userId, "pic " + userId);
+				var keycloakUser = new KeycloakUserDto(userId, "name " + userId, "email " + userId, "first " + userId, "last " + userId, "pic " + userId, true, Set.of());
 				Mockito.when(keycloakUsers.get(userId)).thenReturn(keycloakUser);
 
 				var databaseUser = Mockito.mock(User.class);
@@ -161,7 +185,10 @@ public void testUpdateUsers(@ConvertWith(StringArrayConverter.class) String[] ke
 				var databaseUser = databaseUsers.get(userId);
 				Mockito.verify(databaseUser).setName("name " + userId);
 				Mockito.verify(databaseUser).setEmail("email " + userId);
+				Mockito.verify(databaseUser).setFirstName("first " + userId);
+				Mockito.verify(databaseUser).setLastName("last " + userId);
 				Mockito.verify(databaseUser).setPictureUrl("pic " + userId);
+				Mockito.verify(databaseUser).setEnabled(true);
 			}
 			Mockito.verify(userRepo, Mockito.never()).persist(any(User.class));
 		}
@@ -169,7 +196,7 @@ public void testUpdateUsers(@ConvertWith(StringArrayConverter.class) String[] ke
 
 	@Nested
 	@DisplayName("Test add/delete Groups")
-	public class AddDeleteGroups {
+	class AddDeleteGroups {
 
 		@DisplayName("test add groups")
 		@ParameterizedTest(name = "KCGroup: {0} DBGroup: {1} AddedGroup: {2}")
@@ -181,19 +208,19 @@ public class AddDeleteGroups {
 				",;foo,bar,baz;,",
 				",;,;,"
 		}, delimiterString = ";")
-		public void testAddGroups(@ConvertWith(StringArrayConverter.class) String[] keycloakGroupIdString, @ConvertWith(StringArrayConverter.class) String[] databaseGroupIdString, @ConvertWith(StringArrayConverter.class) String[] addedGroupIdString) {
+		void testAddGroups(@ConvertWith(StringArrayConverter.class) String[] keycloakGroupIdString, @ConvertWith(StringArrayConverter.class) String[] databaseGroupIdString, @ConvertWith(StringArrayConverter.class) String[] addedGroupIdString) {
 			Map<String, KeycloakUserDto> kcUsers = new HashMap<>();
 			for (var gid : keycloakGroupIdString) {
-				kcUsers.put(gid, new KeycloakUserDto(gid, "name " + gid, "email " + gid, "pic " + gid));
+				kcUsers.put(gid, new KeycloakUserDto(gid, "username", "email", "first", "last", "pic", true, Set.of()));
 			}
 
 			Map<String, KeycloakGroupDto> keycloakGroups = new HashMap<>();
 			for (var gid : keycloakGroupIdString) {
-				var dto = new KeycloakGroupDto(gid, "Name " + gid, Set.of(kcUsers.get(gid)));
+				var dto = new KeycloakGroupDto(gid, "name " + gid, "pic " + gid, Set.of(kcUsers.get(gid)));
 				keycloakGroups.put(gid, dto);
 			}
 
-			Map<String, User> databaseUsers = new HashMap<>();
+			Map<String, Authority> databaseUsers = new HashMap<>();
 			for (var keycloakUser : kcUsers.values()) {
 				var databaseUser = Mockito.mock(User.class);
 				Mockito.when(databaseUser.getId()).thenReturn(keycloakUser.id());
@@ -207,16 +234,21 @@ public void testAddGroups(@ConvertWith(StringArrayConverter.class) String[] keyc
 				databaseGroups.put(gid, databaseGroup);
 			}
 
-			remoteUserPuller.syncAddedGroups(keycloakGroups, databaseGroups, databaseUsers);
-
-			for (var newGid : addedGroupIdString) {
-				Mockito.verify(groupRepo).persist(argThat((Group created) -> {
-					if (!created.getId().equals(newGid)) {
-						return false;
-					}
-					var members = created.getMembers();
-					return members.stream().anyMatch(m -> m.getId().equals(newGid));
-				}));
+			var added = remoteUserPuller.syncAddedGroups(keycloakGroups, databaseGroups, databaseUsers);
+
+			var addedGroupIds = Set.of(addedGroupIdString);
+			Assertions.assertEquals(addedGroupIds, added.keySet());
+			Mockito.verify(groupRepo).persist(Mockito.<Iterable<Group>>any());
+			Mockito.verify(effectiveGroupMembershipRepo).updateGroups(Mockito.argThat(addedGroupIds::containsAll));
+			for (var groupId : addedGroupIds) {
+				MatcherAssert.assertThat(persistedGroups, Matchers.hasItem(
+						Matchers.allOf(
+								Matchers.hasProperty("id", Matchers.equalTo(groupId)),
+								Matchers.hasProperty("pictureUrl", Matchers.equalTo("pic " + groupId)),
+								Matchers.hasProperty("name", Matchers.equalTo("name " + groupId)),
+								Matchers.hasProperty("members", Matchers.contains(Matchers.hasProperty("id", Matchers.equalTo(groupId))))
+						)
+				));
 			}
 		}
 
@@ -230,9 +262,9 @@ public void testAddGroups(@ConvertWith(StringArrayConverter.class) String[] keyc
 				",;foo,bar,baz;foo,bar,baz",
 				",;,;,"
 		}, delimiterString = ";")
-		public void testDeleteGroups(@ConvertWith(StringArrayConverter.class) String[] keycloakGroupIdString, @ConvertWith(StringArrayConverter.class) String[] databaseGroupIdString, @ConvertWith(StringArrayConverter.class) String[] deletedGroupIdString) {
-			Map<String, KeycloakGroupDto> keycloakGroups = Mockito.mock(Map.class);
-			Map<String, Group> databaseGroups = Mockito.mock(Map.class);
+		void testDeleteGroups(@ConvertWith(StringArrayConverter.class) String[] keycloakGroupIdString, @ConvertWith(StringArrayConverter.class) String[] databaseGroupIdString, @ConvertWith(StringArrayConverter.class) String[] deletedGroupIdString) {
+			Map<String, KeycloakGroupDto> keycloakGroups = Mockito.mock();
+			Map<String, Group> databaseGroups = Mockito.mock();
 
 			var kcGroupIds = Arrays.stream(keycloakGroupIdString).collect(Collectors.toSet());
 			var dbGroupIds = Arrays.stream(databaseGroupIdString).collect(Collectors.toSet());
@@ -245,11 +277,10 @@ public void testDeleteGroups(@ConvertWith(StringArrayConverter.class) String[] k
 
 			var result = remoteUserPuller.syncDeletedGroups(keycloakGroups, databaseGroups);
 
-			for (var id : deletedGroupIdString) {
-				Mockito.verify(groupRepo).delete(deletedMap.get(id));
-			}
 			var expected = Arrays.stream(deletedGroupIdString).collect(Collectors.toSet());
 			MatcherAssert.assertThat(result, Matchers.equalTo(expected));
+			Mockito.verify(groupRepo).deleteByIds(expected);
+			Mockito.verify(effectiveGroupMembershipRepo).updateGroups(Mockito.argThat(expected::containsAll));
 		}
 	}
 
@@ -262,14 +293,14 @@ public void testDeleteGroups(@ConvertWith(StringArrayConverter.class) String[] k
 			"foo,bar,baz;,;,;,",
 			",;,;,;,"
 	}, delimiterString = ";")
-	public void testUpdateGroups(@ConvertWith(StringArrayConverter.class) String[] keycloakGroupIdString, @ConvertWith(StringArrayConverter.class) String[] databaseGroupIdString, @ConvertWith(StringArrayConverter.class) String[] deletedGroupIdString, @ConvertWith(StringArrayConverter.class) String[] updatedGroupIdString) {
+	void testUpdateGroups(@ConvertWith(StringArrayConverter.class) String[] keycloakGroupIdString, @ConvertWith(StringArrayConverter.class) String[] databaseGroupIdString, @ConvertWith(StringArrayConverter.class) String[] deletedGroupIdString, @ConvertWith(StringArrayConverter.class) String[] updatedGroupIdString) {
 		var dbOnlyUser = Mockito.mock(User.class);
 		Mockito.when(dbOnlyUser.getId()).thenReturn("U_dbOnly");
 		var otherKCUser = Mockito.mock(User.class);
 		Mockito.when(otherKCUser.getId()).thenReturn("U_otherKC");
 
-		Map<String, KeycloakGroupDto> keycloakGroups = Mockito.mock(Map.class);
-		Map<String, Group> databaseGroups = Mockito.mock(Map.class);
+		Map<String, KeycloakGroupDto> keycloakGroups = Mockito.mock();
+		Map<String, Group> databaseGroups = Mockito.mock();
 
 		var keycloakGroupIds = Arrays.stream(keycloakGroupIdString).collect(Collectors.toSet());
 		var databaseGroupIds = Arrays.stream(databaseGroupIdString).collect(Collectors.toSet());
@@ -282,9 +313,10 @@ public void testUpdateGroups(@ConvertWith(StringArrayConverter.class) String[] k
 		for (var groupId : updatedGroupIds) {
 			var kcDto = Mockito.mock(KeycloakGroupDto.class);
 			Mockito.when(kcDto.name()).thenReturn(String.format("name %s", groupId));
+			Mockito.when(kcDto.pictureUrl()).thenReturn(String.format("pic %s", groupId));
 			Mockito.when(kcDto.members()).thenReturn(Set.of(
-					new KeycloakUserDto("U_user", "n", "e", "p"),
-					new KeycloakUserDto("U_otherKC", "n", "e", "p")
+					new KeycloakUserDto("U_user", "n", "e", "f", "l", "p", true, Set.of()),
+					new KeycloakUserDto("U_otherKC", "n", "e", "f", "l", "p", true, Set.of())
 			));
 
 			var dbGroup = Mockito.mock(Group.class);
@@ -295,7 +327,7 @@ public void testUpdateGroups(@ConvertWith(StringArrayConverter.class) String[] k
 			Mockito.when(databaseGroups.get(groupId)).thenReturn(dbGroup);
 		}
 
-		Map<String, User> databaseUsers = new HashMap<>();
+		Map<String, Authority> databaseUsers = new HashMap<>();
 		var userMock = Mockito.mock(User.class);
 		Mockito.when(userMock.getId()).thenReturn("U_user");
 		databaseUsers.put("U_user", userMock);
@@ -306,6 +338,7 @@ public void testUpdateGroups(@ConvertWith(StringArrayConverter.class) String[] k
 		for (var groupId : updatedGroupIdString) {
 			var dbGroup = databaseGroups.get(groupId);
 			Mockito.verify(dbGroup).setName(String.format("name %s", groupId));
+			Mockito.verify(dbGroup).setPictureUrl(String.format("pic %s", groupId));
 			MatcherAssert.assertThat(dbGroupMembers, Matchers.containsInAnyOrder(userMock, otherKCUser));
 		}
 	}
diff --git a/backend/src/test/java/org/cryptomator/hub/license/LicenseHolderTest.java b/backend/src/test/java/org/cryptomator/hub/license/LicenseHolderTest.java
index 2e2e7db6e..d8210de77 100644
--- a/backend/src/test/java/org/cryptomator/hub/license/LicenseHolderTest.java
+++ b/backend/src/test/java/org/cryptomator/hub/license/LicenseHolderTest.java
@@ -3,6 +3,7 @@
 import com.auth0.jwt.exceptions.JWTVerificationException;
 import com.auth0.jwt.interfaces.Claim;
 import com.auth0.jwt.interfaces.DecodedJWT;
+import jakarta.ws.rs.InternalServerErrorException;
 import org.cryptomator.hub.entities.Settings;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeEach;
@@ -10,7 +11,7 @@
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
-import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.CsvSource;
 import org.junit.jupiter.params.provider.MethodSource;
 import org.mockito.Mockito;
 
@@ -24,16 +25,14 @@
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.argThat;
 import static org.mockito.ArgumentMatchers.eq;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.never;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
+import static org.mockito.Mockito.*;
 
 public class LicenseHolderTest {
 
 	Settings.Repository settingsRepo = mock(Settings.Repository.class);
-	RandomMinuteSleeper randomMinuteSleeper = mock(RandomMinuteSleeper.class);
+	RandomSleeper randomSleeper = mock(RandomSleeper.class);
 	LicenseValidator validator = mock(LicenseValidator.class);
+	LicenseApi licenseApi = mock(LicenseApi.class);
 
 	LicenseHolder licenseHolder;
 
@@ -42,122 +41,141 @@ public void resetTestclass() {
 		licenseHolder = new LicenseHolder();
 		licenseHolder.licenseValidator = validator;
 		licenseHolder.settingsRepo = settingsRepo;
-		licenseHolder.randomMinuteSleeper = randomMinuteSleeper;
+		licenseHolder.randomSleeper = randomSleeper;
+		licenseHolder.licenseApi = licenseApi;
+		licenseHolder.managedApiUsername = Optional.empty();
+		licenseHolder.managedApiPassword = Optional.empty();
 	}
 
 	@Nested
-	@DisplayName("Testing Init Method")
-	class TestInit {
+	@DisplayName("Testing ensureLicenseExists()")
+	class TestEnsureLicenseExists {
+
+		private Settings settings;
+		private LicenseHolder licenseHolderSpy;
+
+		@BeforeEach
+		void setup() {
+			settings = mock(Settings.class);
+			licenseHolderSpy = Mockito.spy(licenseHolder);
+			Mockito.doReturn(settings).when(settingsRepo).get();
+		}
 
 		@Test
-		@DisplayName("If db token and hubId is set, call validateExisting")
-		public void testTokenAndIdPresentInDatabase() {
+		@DisplayName("call validateExistingLicense(), if DB contains existing token")
+		void testValidateExistingLicense() {
 			//to show check, that db has higher precedence
-			licenseHolder.initialId = Optional.of("43");
-			licenseHolder.initialLicenseToken = Optional.of("initToken");
-
-			Settings settings = mock(Settings.class);
+			licenseHolderSpy.initialId = Optional.of("43");
+			licenseHolderSpy.initialLicenseToken = Optional.of("initToken");
 			when(settings.getLicenseKey()).thenReturn("token");
 			when(settings.getHubId()).thenReturn("42");
-			when(settingsRepo.get()).thenReturn(settings);
+			var license = Mockito.mock(DecodedJWT.class);
+			Mockito.doReturn(license).when(licenseHolderSpy).validateExistingLicense(any());
 
-			var licenseHolderSpy = Mockito.spy(licenseHolder);
-			licenseHolderSpy.init();
-			verify(licenseHolderSpy).validateOrResetExistingLicense(settings);
+			licenseHolderSpy.ensureLicenseExists();
+
+			verify(licenseHolderSpy).validateExistingLicense(settings);
+			verify(licenseHolderSpy, never()).validateAndApplyInitLicense(any(), any(), any());
+			verify(licenseHolderSpy, never()).requestAnonTrialLicense(settings);
 		}
 
-		@DisplayName("If dbToken or dbHubId is null, use set init config values")
+		@DisplayName("call validateAndApplyInitLicense(), if DB doesn't contain token but init config does")
 		@ParameterizedTest
-		@MethodSource("provideInitValuesCases")
-		public void testInitValues(String dbToken, String dbHubId) {
-			Settings settings = mock(Settings.class);
+		@CsvSource(value = {
+				"dbToken, null",
+				"null, null",
+				"null, 42"
+		}, nullValues = {"null"})
+		void testApplyInitLicense(String dbToken, String dbHubId) {
+			licenseHolderSpy.initialLicenseToken = Optional.of("token");
+			licenseHolderSpy.initialId = Optional.of("43");
 			when(settings.getLicenseKey()).thenReturn(dbToken);
 			when(settings.getHubId()).thenReturn(dbHubId);
-			when(settingsRepo.get()).thenReturn(settings);
+			var license = Mockito.mock(DecodedJWT.class);
+			Mockito.doReturn(license).when(licenseHolderSpy).validateAndApplyInitLicense(any(), any(), any());
 
-			licenseHolder.initialLicenseToken = Optional.of("token");
-			licenseHolder.initialId = Optional.of("43");
+			licenseHolderSpy.ensureLicenseExists();
 
-			var licenseHolderSpy = Mockito.spy(licenseHolder);
-			licenseHolderSpy.init();
+			verify(licenseHolderSpy, never()).validateExistingLicense(any());
 			verify(licenseHolderSpy).validateAndApplyInitLicense(settings, "token", "43");
+			verify(licenseHolderSpy, never()).requestAnonTrialLicense(settings);
 		}
 
-		public static Stream<Arguments> provideInitValuesCases() {
-			return Stream.of(
-					Arguments.of("dbToken", null),
-					Arguments.of(null, null),
-					Arguments.of(null, "42")
-			);
-		}
-
-		@DisplayName("Do nothing, if db and init have a null value")
+		@DisplayName("call requestAnonTrialLicense(), if neither DB nor init config contains token")
 		@ParameterizedTest
-		@MethodSource("provideDoNothingCases")
-		public void testDoNothingCases(String dbToken, String dbHubId, String initToken, String initId) {
-			Settings settings = mock(Settings.class);
+		@CsvSource(value = {
+				"dbToken, null, null, 43",
+				"null, 42, null, 43",
+				"dbToken, null, initToken, null"
+		}, nullValues = {"null"})
+		void testRequestTrialLicense(String dbToken, String dbHubId, String initToken, String initId) {
+			licenseHolderSpy.initialLicenseToken = Optional.ofNullable(initToken);
+			licenseHolderSpy.initialId = Optional.ofNullable(initId);
 			when(settings.getLicenseKey()).thenReturn(dbToken);
 			when(settings.getHubId()).thenReturn(dbHubId);
-			when(settingsRepo.get()).thenReturn(settings);
+			var license = Mockito.mock(DecodedJWT.class);
+			Mockito.doReturn(license).when(licenseHolderSpy).requestAnonTrialLicense(settings);
 
-			licenseHolder.initialLicenseToken = Optional.ofNullable(initToken);
-			licenseHolder.initialId = Optional.ofNullable(initId);
+			licenseHolderSpy.ensureLicenseExists();
 
-			var licenseHolderSpy = Mockito.spy(licenseHolder);
-			licenseHolderSpy.init();
-			verify(licenseHolderSpy, never()).validateOrResetExistingLicense(settings);
+			verify(licenseHolderSpy, never()).validateExistingLicense(settings);
 			verify(licenseHolderSpy, never()).validateAndApplyInitLicense(Mockito.eq(settings), any(), any());
+			verify(licenseHolderSpy).requestAnonTrialLicense(settings);
 		}
 
-		public static Stream<Arguments> provideDoNothingCases() {
-			return Stream.of(
-					Arguments.of("dbToken", null, null, "43"),
-					Arguments.of(null, "42", null, "43"),
-					Arguments.of(null, "42", "initToken", null),
-					Arguments.of("dbToken", null, "initToken", null)
-			);
+		@DisplayName("requestAnonTrialLicense() fails when server doesn't respond as expected")
+		@Test
+		void testFailingRequestTrialLicense() {
+			licenseHolderSpy.initialLicenseToken = Optional.empty();
+			licenseHolderSpy.initialId = Optional.empty();
+			doReturn(null).when(settings).getLicenseKey();
+			doReturn(null).when(settings).getHubId();
+			doCallRealMethod().when(licenseHolderSpy).requestAnonTrialLicense(Mockito.any());
+			doThrow(new InternalServerErrorException()).when(licenseApi).generateChallenge();
+
+			Assertions.assertThrows(InternalServerErrorException.class, licenseHolderSpy::ensureLicenseExists);
+
+			verify(validator, never()).validate(any(), any());
+			verify(settings, never()).setLicenseKey(any());
+			verify(settings, never()).setHubId(any());
 		}
 	}
 
 	@Test
 	@DisplayName("Valid db token does not change settings")
-	public void testValidateExistingSuccess() {
+	void testValidateExistingSuccess() {
 		Settings settings = mock(Settings.class);
 		when(settings.getLicenseKey()).thenReturn("token");
 		when(settings.getHubId()).thenReturn("42");
 		when(settingsRepo.get()).thenReturn(settings);
-
 		when(validator.validate("token", "42")).thenReturn(Mockito.mock(DecodedJWT.class));
 
-		licenseHolder.validateOrResetExistingLicense(settings);
+		licenseHolder.validateExistingLicense(settings);
+
 		verify(settings, never()).setHubId(any());
 		verify(settings, never()).setLicenseKey(any());
 	}
 
 	@Test
-	@DisplayName("Invalid db token is set to null and persisted")
-	public void testValidateExistingFailure() {
+	@DisplayName("Invalid db token fails validation")
+	void testValidateExistingFailure() {
 		Settings settings = mock(Settings.class);
 		when(settings.getLicenseKey()).thenReturn("token");
 		when(settings.getHubId()).thenReturn("42");
 		when(settingsRepo.get()).thenReturn(settings);
-
 		when(validator.validate("token", "42")).thenThrow(JWTVerificationException.class);
 
-		licenseHolder.validateOrResetExistingLicense(settings);
-		verify(settings, never()).setHubId(any());
-		verify(settings).setLicenseKey(Mockito.isNull());
-		verify(settingsRepo).persistAndFlush(settings);
+		Assertions.assertThrows(JWTVerificationException.class, () -> licenseHolder.validateExistingLicense(settings));
 	}
 
 	@Test
 	@DisplayName("Valid init token is persisted with hubID to db")
-	public void testApplyInitSuccess() {
+	void testApplyInitSuccess() {
 		Settings settings = mock(Settings.class);
-
 		when(validator.validate("token", "42")).thenReturn(Mockito.mock(DecodedJWT.class));
 
 		licenseHolder.validateAndApplyInitLicense(settings, "token", "42");
+
 		verify(settings).setHubId("42");
 		verify(settings).setLicenseKey("token");
 		verify(settingsRepo).persistAndFlush(settings);
@@ -165,31 +183,55 @@ public void testApplyInitSuccess() {
 
 	@Test
 	@DisplayName("Invalid init token does not change settings")
-	public void testApplyInitFailure() {
+	void testApplyInitFailure() {
 		Settings settings = mock(Settings.class);
 		when(settings.getLicenseKey()).thenReturn("token");
 		when(settings.getHubId()).thenReturn("42");
 		when(settingsRepo.get()).thenReturn(settings);
-
 		when(validator.validate("token", "42")).thenThrow(JWTVerificationException.class);
 
-		licenseHolder.validateAndApplyInitLicense(settings, "token", "42");
+		Assertions.assertThrows(JWTVerificationException.class, () -> licenseHolder.validateAndApplyInitLicense(settings, "token", "42"));
+
 		verify(settings, never()).setHubId(any());
 		verify(settings, never()).setLicenseKey(any());
 	}
 
+	@Test
+	@DisplayName("Requesting a trial license contacts the license server")
+	void testRequestAnonTrialLicense() {
+		LicenseHolder licenseHolderSpy = Mockito.spy(licenseHolder);
+		Settings settings = mock(Settings.class);
+		LicenseApi.Challenge challenge = mock(LicenseApi.Challenge.class);
+		LicenseApi.Solution solution = mock(LicenseApi.Solution.class);
+		LicenseApi.TrialLicenseResponse trialLicenseResponse = mock(LicenseApi.TrialLicenseResponse.class);
+		doReturn(challenge).when(licenseApi).generateChallenge();
+		doReturn("captcha").when(solution).toCaptcha();
+		doReturn(solution).when(licenseHolderSpy).solveChallenge(challenge);
+		doReturn(trialLicenseResponse).when(licenseApi).generateTrialLicense("captcha");
+		doReturn("token").when(trialLicenseResponse).licenseKey();
+		doReturn(mock(DecodedJWT.class)).when(validator).validate(Mockito.eq("token"), Mockito.any());
+
+		licenseHolderSpy.requestAnonTrialLicense(settings);
+
+		verify(licenseApi).generateChallenge();
+		verify(licenseApi).generateTrialLicense("captcha");
+		verify(settings).setHubId(Mockito.any());
+		verify(settings).setLicenseKey("token");
+		verify(settingsRepo).persistAndFlush(settings);
+	}
+
 	@Nested
 	@DisplayName("Testing  set() method")
 	class TestSetter {
 
 		@BeforeEach
-		public void setup() throws InterruptedException {
-			Mockito.doNothing().when(randomMinuteSleeper).sleep();
+		void setup() throws InterruptedException {
+			Mockito.doNothing().when(randomSleeper).sleep(Mockito.anyInt(), Mockito.anyInt(), Mockito.any());
 		}
 
 		@Test
 		@DisplayName("Setting a valid token validates and persists it to db")
-		public void testSetValidToken() {
+		void testSetValidToken() {
 			var decodedJWT = mock(DecodedJWT.class);
 			when(validator.validate("token", "42")).thenReturn(decodedJWT);
 
@@ -207,19 +249,16 @@ public void testSetValidToken() {
 
 		@Test
 		@DisplayName("Setting an invalid token fails with exception")
-		public void testSetInvalidToken() {
-			when(validator.validate("token", "42")).thenAnswer(invocationOnMock -> {
-				throw new JWTVerificationException("");
-			});
+		void testSetInvalidToken() {
 			Settings settings = mock(Settings.class);
-			when(settings.getHubId()).thenReturn("42");
-			when(settingsRepo.get()).thenReturn(settings);
+			Mockito.doReturn(settings).when(settingsRepo).get();
+			Mockito.doReturn("42").when(settings).getHubId();
+			Mockito.doThrow(new JWTVerificationException("")).when(validator).validate("token", "42");
 
 			Assertions.assertThrows(JWTVerificationException.class, () -> licenseHolder.set("token"));
 
 			verify(validator).validate("token", "42");
 			verify(settingsRepo, never()).persist((Settings) any());
-			Assertions.assertNull(licenseHolder.get()); //TODO: not very unit test like
 		}
 	}
 
@@ -227,16 +266,30 @@ public void testSetInvalidToken() {
 	@DisplayName("Testing refreshLicense()")
 	class RefreshLicense {
 
+		private LicenseHolder licenseHolderSpy;
+		private Claim refreshClaim;
+		private DecodedJWT licenseJwt;
+
+		@BeforeEach
+		void setup() {
+			licenseHolderSpy = Mockito.spy(licenseHolder);
+			refreshClaim = mock(Claim.class);
+			licenseJwt = mock(DecodedJWT.class);
+
+			Mockito.doReturn("http://localhost:3000").when(refreshClaim).asString();
+			Mockito.doReturn(refreshClaim).when(licenseJwt).getClaim("refreshUrl");
+			Mockito.doReturn("token").when(licenseJwt).getToken();
+			Mockito.doReturn(licenseJwt).when(licenseHolderSpy).get();
+		}
+
 		@Test
 		@DisplayName("If license does not have a refreshUrl, skip refresh")
-		public void testRefreshLicenseNoRefreshURL() throws InterruptedException, IOException {
-			var licenseHolderSpy = Mockito.spy(licenseHolder);
-
-			var licenseJwt = mock(DecodedJWT.class);
-			when(licenseJwt.getClaim("refreshUrl")).thenReturn(null);
-			when(licenseHolderSpy.get()).thenReturn(licenseJwt);
+		void testRefreshLicenseNoRefreshURL() throws InterruptedException, IOException {
+			var missingClaim = mock(Claim.class);
+			Mockito.doReturn(true).when(missingClaim).isMissing();
+			Mockito.doReturn(missingClaim).when(licenseJwt).getClaim("refreshUrl");
 
-			licenseHolderSpy.refreshLicense();
+			Assertions.assertThrows(IllegalStateException.class, licenseHolderSpy::refreshLicense);
 
 			verify(licenseHolderSpy, never()).requestLicenseRefresh(any(), any());
 			verify(licenseHolderSpy, never()).set(any());
@@ -246,17 +299,11 @@ public void testRefreshLicenseNoRefreshURL() throws InterruptedException, IOExce
 
 
 		@Test
-		@DisplayName("If license does not have a valid refreshUrl, skip refresh")
-		public void testRefreshLicenseBadURL() throws InterruptedException, IOException {
-			var licenseHolderSpy = Mockito.spy(licenseHolder);
+		@DisplayName("If license does not have a valid refreshUrl, throw ISE")
+		void testRefreshLicenseBadURL() throws InterruptedException, IOException {
+			Mockito.doReturn("*:not:an::uri").when(refreshClaim).asString();
 
-			var refreshClaim = mock(Claim.class);
-			when(refreshClaim.asString()).thenReturn("*:not:an::uri");
-			var licenseJwt = mock(DecodedJWT.class);
-			when(licenseJwt.getClaim("refreshUrl")).thenReturn(refreshClaim);
-			when(licenseHolderSpy.get()).thenReturn(licenseJwt);
-
-			licenseHolderSpy.refreshLicense();
+			Assertions.assertThrows(IllegalStateException.class, licenseHolderSpy::refreshLicense);
 
 			verify(licenseHolderSpy, never()).requestLicenseRefresh(any(), any());
 			verify(licenseHolderSpy, never()).set(any());
@@ -267,18 +314,10 @@ public void testRefreshLicenseBadURL() throws InterruptedException, IOException
 		@DisplayName("If license request throws, do not set license")
 		@ParameterizedTest
 		@MethodSource("provideRefreshLicenseFailingRequestCases")
-		public void testRefreshLicenseFailingRequest(Throwable t) throws InterruptedException, IOException {
-			var licenseHolderSpy = Mockito.spy(licenseHolder);
-
-			var refreshClaim = mock(Claim.class);
-			when(refreshClaim.asString()).thenReturn("http://localhost:3000");
-			var licenseJwt = mock(DecodedJWT.class);
-			when(licenseJwt.getClaim("refreshUrl")).thenReturn(refreshClaim);
-			when(licenseJwt.getToken()).thenReturn("token");
-			when(licenseHolderSpy.get()).thenReturn(licenseJwt);
+		void testRefreshLicenseFailingRequest(Throwable t) throws InterruptedException, IOException {
 			Mockito.doThrow(t).when(licenseHolderSpy).requestLicenseRefresh(any(), eq("token"));
 
-			licenseHolderSpy.refreshLicense();
+			Assertions.assertThrows(IOException.class, licenseHolderSpy::refreshLicense);
 
 			verify(licenseHolderSpy).requestLicenseRefresh(any(), eq("token"));
 			verify(licenseHolderSpy, never()).set(any());
@@ -292,19 +331,11 @@ static Stream<Throwable> provideRefreshLicenseFailingRequestCases() {
 
 		@Test
 		@DisplayName("Successful refresh request, but failing validation")
-		public void testRefreshLicenseFailedValidation() throws InterruptedException, IOException {
-			var licenseHolderSpy = Mockito.spy(licenseHolder);
-
-			var refreshClaim = mock(Claim.class);
-			when(refreshClaim.asString()).thenReturn("http://localhost:3000");
-			var licenseJwt = mock(DecodedJWT.class);
-			when(licenseJwt.getClaim("refreshUrl")).thenReturn(refreshClaim);
-			when(licenseJwt.getToken()).thenReturn("token");
-			when(licenseHolderSpy.get()).thenReturn(licenseJwt);
+		void testRefreshLicenseFailedValidation() throws InterruptedException, IOException {
 			Mockito.doReturn("newToken").when(licenseHolderSpy).requestLicenseRefresh(any(), eq("token"));
 			Mockito.doThrow(JWTVerificationException.class).when(licenseHolderSpy).set("newToken");
 
-			licenseHolderSpy.refreshLicense();
+			Assertions.assertThrows(IOException.class, licenseHolderSpy::refreshLicense);
 
 			verify(licenseHolderSpy).requestLicenseRefresh(any(), eq("token"));
 			verify(licenseHolderSpy).set("newToken");
@@ -313,25 +344,20 @@ public void testRefreshLicenseFailedValidation() throws InterruptedException, IO
 		}
 
 		@Test
-		@DisplayName("Successful refresh request, but failing validation")
-		public void testRefreshLicenseSuccess() throws InterruptedException, IOException {
-			var licenseHolderSpy = Mockito.spy(licenseHolder);
-
-			var refreshClaim = mock(Claim.class);
-			when(refreshClaim.asString()).thenReturn("http://localhost:3000");
-			var licenseJwt = mock(DecodedJWT.class);
-			when(licenseJwt.getClaim("refreshUrl")).thenReturn(refreshClaim);
-			when(licenseJwt.getToken()).thenReturn("token");
-			when(licenseHolderSpy.get()).thenReturn(licenseJwt);
+		@DisplayName("Successful refresh")
+		void testRefreshLicenseSuccess() throws InterruptedException, IOException {
+			var settings = Mockito.mock(Settings.class);
+			Mockito.doReturn("42").when(settings).getHubId();
+			Mockito.doReturn(settings).when(settingsRepo).get();
 			Mockito.doReturn("newToken").when(licenseHolderSpy).requestLicenseRefresh(any(), eq("token"));
-			Mockito.doThrow(JWTVerificationException.class).when(licenseHolderSpy).set("newToken");
 
 			licenseHolderSpy.refreshLicense();
 
 			verify(licenseHolderSpy).requestLicenseRefresh(any(), eq("token"));
 			verify(licenseHolderSpy).set("newToken");
-			verify(settingsRepo, never()).get();
-			verify(settingsRepo, never()).persistAndFlush(any());
+			verify(validator).validate("newToken", "42");
+			verify(settings).setLicenseKey("newToken");
+			verify(settingsRepo).persistAndFlush(settings);
 		}
 
 	}
@@ -340,8 +366,19 @@ public void testRefreshLicenseSuccess() throws InterruptedException, IOException
 	@DisplayName("Testing requestLicenseRefresh()")
 	class RequestLicenseRefresh {
 
+		private LicenseHolder licenseHolderSpy;
+		private LicenseApi.Solution solvedChallenge;
+
+		@BeforeEach
+		void setup() {
+			licenseHolderSpy = Mockito.spy(licenseHolder);
+			solvedChallenge = Mockito.mock(LicenseApi.Solution.class);
+			Mockito.doReturn(solvedChallenge).when(licenseHolderSpy).solveChallenge();
+			Mockito.doReturn("fooBar123").when(solvedChallenge).toCaptcha();
+		}
+
 		@Test
-		public void testSucess() throws IOException, InterruptedException {
+		void testSucess() throws IOException, InterruptedException {
 			URI refreshUrl = URI.create("https://localhost:3000");
 			try (var httpClientMock = Mockito.mockStatic(HttpClient.class)) {
 				var httpClient = mock(HttpClient.class);
@@ -355,13 +392,13 @@ public void testSucess() throws IOException, InterruptedException {
 				when(response.body()).thenReturn("newToken");
 				when(httpClient.send(argThat(request -> request.uri().equals(refreshUrl)), any())).thenReturn(response);
 
-				var result = licenseHolder.requestLicenseRefresh(refreshUrl, "token");
+				var result = licenseHolderSpy.requestLicenseRefresh(refreshUrl, "token");
 				Assertions.assertEquals("newToken", result);
 			}
 		}
 
 		@Test
-		public void test500Response() throws IOException, InterruptedException {
+		void test500Response() throws IOException, InterruptedException {
 			URI refreshUrl = URI.create("https://localhost:3000");
 			try (var httpClientMock = Mockito.mockStatic(HttpClient.class)) {
 				var httpClient = mock(HttpClient.class);
@@ -375,12 +412,12 @@ public void test500Response() throws IOException, InterruptedException {
 				when(response.body()).thenReturn("newToken");
 				when(httpClient.send(argThat(request -> request.uri().equals(refreshUrl)), any())).thenReturn(response);
 
-				Assertions.assertThrows(LicenseHolder.LicenseRefreshFailedException.class, () -> licenseHolder.requestLicenseRefresh(refreshUrl, "token"));
+				Assertions.assertThrows(LicenseHolder.LicenseRefreshFailedException.class, () -> licenseHolderSpy.requestLicenseRefresh(refreshUrl, "token"));
 			}
 		}
 
 		@Test
-		public void testEmtyBody() throws IOException, InterruptedException {
+		void testEmtyBody() throws IOException, InterruptedException {
 			URI refreshUrl = URI.create("https://localhost:3000");
 			try (var httpClientMock = Mockito.mockStatic(HttpClient.class)) {
 				var httpClient = mock(HttpClient.class);
@@ -394,7 +431,7 @@ public void testEmtyBody() throws IOException, InterruptedException {
 				when(response.body()).thenReturn("");
 				when(httpClient.send(argThat(request -> request.uri().equals(refreshUrl)), any())).thenReturn(response);
 
-				Assertions.assertThrows(LicenseHolder.LicenseRefreshFailedException.class, () -> licenseHolder.requestLicenseRefresh(refreshUrl, "token"));
+				Assertions.assertThrows(LicenseHolder.LicenseRefreshFailedException.class, () -> licenseHolderSpy.requestLicenseRefresh(refreshUrl, "token"));
 			}
 		}
 	}
diff --git a/backend/src/test/java/org/cryptomator/hub/license/LicenseValidatorTest.java b/backend/src/test/java/org/cryptomator/hub/license/LicenseValidatorTest.java
index e0c63ac29..aa9ad6350 100644
--- a/backend/src/test/java/org/cryptomator/hub/license/LicenseValidatorTest.java
+++ b/backend/src/test/java/org/cryptomator/hub/license/LicenseValidatorTest.java
@@ -1,28 +1,51 @@
 package org.cryptomator.hub.license;
 
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.algorithms.Algorithm;
 import com.auth0.jwt.exceptions.InvalidClaimException;
 import com.auth0.jwt.exceptions.JWTDecodeException;
+import com.auth0.jwt.exceptions.JWTVerificationException;
 import com.auth0.jwt.exceptions.SignatureVerificationException;
 import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
 
-import java.util.Optional;
+import java.security.KeyFactory;
+import java.security.interfaces.ECPrivateKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.Base64;
+import java.util.List;
+import java.util.Map;
 
-public class LicenseValidatorTest {
+class LicenseValidatorTest {
 
-	private static final String VALID_TOKEN = "eyJhbGciOiJFUzUxMiJ9.eyJqdGkiOiI0MiIsImlhdCI6MTY0ODA0OTM2MCwiaXNzIjoiU2t5bWF0aWMiLCJhdWQiOiJDcnlwdG9tYXRvciBIdWIiLCJzdWIiOiJodWJAY3J5cHRvbWF0b3Iub3JnIiwic2VhdHMiOjUsImV4cCI6MjUzNDAyMjE0NDAwLCJyZWZyZXNoVXJsIjoiaHR0cDovL2xvY2FsaG9zdDo4Nzg3L2h1Yi9zdWJzY3JpcHRpb24_aHViX2lkPTQyIn0.AKyoZ0WQ8xhs8vPymWPHCsc6ch6pZpfxBcrF5QjVLSQVnYz2s5QF3nnkwn4AGR7V14TuhkJMZLUZxMdQAYLyL95sAV2Fu0E4-e1v3IVKlNKtze89eqYvEs6Ak9jWjtecOgPWNWjz2itI4MfJBDmbFtTnehOtqRqUdsDoC9NFik2C7tHm";
-	private static final String EXPIRED_TOKEN = "eyJhbGciOiJFUzUxMiJ9.eyJqdGkiOiI0MiIsImlhdCI6MTY3NzA4MzI1OSwiaXNzIjoiU2t5bWF0aWMiLCJhdWQiOiJDcnlwdG9tYXRvciBIdWIiLCJzdWIiOiJodWJAY3J5cHRvbWF0b3Iub3JnIiwic2VhdHMiOjUsImV4cCI6OTQ2Njg0ODAwLCJyZWZyZXNoVXJsIjoiaHR0cDovL2xvY2FsaG9zdDo4Nzg3L2h1Yi9zdWJzY3JpcHRpb24_aHViX2lkPTQyIn0.APQnWig9ZyT6_xRviPVs3YPTaP1w_YXTpWULgvsUpCGmGQwEmT6nl0x2jNB_jkQi93E7tr9WvipvX5DkXUOYJP3OAJjzPdN7rTX2tnXTKO8irshkcqmvt79v1E4k50YLkwP-1NIwiO_ltp5sezhLbzOVPXRag6mQfc0KvS6PiZTYGYQh";
-	private static final String FUTURE_TOKEN = "eyJhbGciOiJFUzUxMiJ9.eyJqdGkiOjQyLCJpYXQiOjE3MDEyNDkzMzEzMSwiaXNzIjoiU2t5bWF0aWMiLCJhdWQiOiJDcnlwdG9tYXRvciBIdWIiLCJzdWIiOiJ0b2JpYXMuaGFnZW1hbm5Ac2t5bWF0aWMuZGUiLCJzZWF0cyI6NSwiZXhwIjoxNzIyMzg0MDAwLCJyZWZyZXNoVXJsIjoiaHR0cDovL2xvY2FsaG9zdDo4Nzg3L2h1Yi9zdWJzY3JpcHRpb24_aHViX2lkPTQyIn0.ALd0oyPR3kgntysXp8TZ1LvmHYDiDIGlbmaq52d5wAE1V8MZ1asWvufXgL9YExXvJhFbGCnLu66XgA387rxjrxKeASL_q43ZZUEDxtm8aa7uH2VMOvdM3gXEibSHUzNwO0MRWFbeYWOc8daRNWdxgOcrpX6NcMV7vPZH7yZSEct_cqf5";
+	private static final String VALID_LEGACY_TOKEN = "eyJhbGciOiJFUzUxMiJ9.eyJqdGkiOiI0MiIsImlhdCI6MTY0ODA0OTM2MCwiaXNzIjoiU2t5bWF0aWMiLCJhdWQiOiJDcnlwdG9tYXRvciBIdWIiLCJzdWIiOiJodWJAY3J5cHRvbWF0b3Iub3JnIiwic2VhdHMiOjUsImV4cCI6MjUzNDAyMjE0NDAwLCJyZWZyZXNoVXJsIjoiaHR0cDovL2xvY2FsaG9zdDo4Nzg3L2h1Yi9zdWJzY3JpcHRpb24_aHViX2lkPTQyIn0.AKyoZ0WQ8xhs8vPymWPHCsc6ch6pZpfxBcrF5QjVLSQVnYz2s5QF3nnkwn4AGR7V14TuhkJMZLUZxMdQAYLyL95sAV2Fu0E4-e1v3IVKlNKtze89eqYvEs6Ak9jWjtecOgPWNWjz2itI4MfJBDmbFtTnehOtqRqUdsDoC9NFik2C7tHm";
+	private static final String EXPIRED_TOKEN = "eyJ4NWMiOlsiTUlJQ0REQ0NBYjZnQXdJQkFnSVVETU96eEpZMzgxSmpkTjgyY1c3cWQrQjN2aDB3QlFZREsyVndNRTR4Q3pBSkJnTlZCQVlUQWtSRk1SWXdGQVlEVlFRS0RBMVRhM2x0WVhScFl5QkhiV0pJTVNjd0pRWURWUVFEREI1TWFXTmxibk5sSUVsdWRHVnliV1ZrYVdGMFpTQkRRU0FvVkdWemRDa3dIaGNOTWpZd01qSTJNVFUwTURNMldoY05Nell3TWpJME1UVTBNRE0yV2pCSU1Rc3dDUVlEVlFRR0V3SkVSVEVXTUJRR0ExVUVDZ3dOVTJ0NWJXRjBhV01nUjIxaVNERWhNQjhHQTFVRUF3d1lUR2xqWlc1elpTQkpjM04xWlhJZ1EwRWdLRlJsYzNRcE1JR2JNQkFHQnlxR1NNNDlBZ0VHQlN1QkJBQWpBNEdHQUFRQmlVVlEwSGhaTXVBT3FpTzJsUElUK01NU0g0YmNsNkJPV25GbjIwNWJ6VGNSSTlSdVJkdHJYVk53cFwvSVB0ak1WWFRqXC9vVzByMTJIY3JFZExtaTlRSTZRQVNURUJ5V0xOVFNcL2Q5NElvWG1SWVFUbkMrUnRIK0hcLzRJMVRXWXc5MGFpaWcyeVYwRzFzMHFDZ0FpeUtzd2orU1Q2cjcxTk1cL2dlcG1sVzMrcWl2OVwvUFdqUWpCQU1CMEdBMVVkRGdRV0JCU05qQnd2K1wvaVlRdnBPT3F6MDJ1N3hhQVNTSVRBZkJnTlZIU01FR0RBV2dCUk1BU3NwMWtpYXdKbThZb0o2KzhcL3NxMjFYNHpBRkJnTXJaWEFEUVFBNE9rXC8reTBiZHptMlJVbWtIZDZRRlM2V2JCS2Y5TzR6ejNVYzdpQk1wS0lxMWtCbHErN1RiYmdNSEp1K2FZYk9EY1JXVCsrNXN4NGkyT3Nwa2dPc0oiLCJNSUlCdFRDQ0FXZWdBd0lCQWdJVUpteDhVcXRnbktjYXVRYnFiMDRUYVVCRytVSXdCUVlESzJWd01EOHhDekFKQmdOVkJBWVRBa1JGTVJZd0ZBWURWUVFLREExVGEzbHRZWFJwWXlCSGJXSklNUmd3RmdZRFZRUUREQTlNYVdObGJuTmxJRlJsYzNRZ1EwRXdIaGNOTWpZd01qSTJNVFV6TmpNMldoY05Nell3TWpJME1UVXpOak0yV2pCT01Rc3dDUVlEVlFRR0V3SkVSVEVXTUJRR0ExVUVDZ3dOVTJ0NWJXRjBhV01nUjIxaVNERW5NQ1VHQTFVRUF3d2VUR2xqWlc1elpTQkpiblJsY20xbFpHbGhkR1VnUTBFZ0tGUmxjM1FwTUNvd0JRWURLMlZ3QXlFQUczdnI4Tks3WVpzMXE2cFF0SmhIRGJUMnhNRDNDMnlzbXNuZW13MUZRbGFqWmpCa01CSUdBMVVkRXdFQlwvd1FJTUFZQkFmOENBUUF3RGdZRFZSMFBBUUhcL0JBUURBZ0VHTUIwR0ExVWREZ1FXQkJSTUFTc3Axa2lhd0ptOFlvSjYrOFwvc3EyMVg0ekFmQmdOVkhTTUVHREFXZ0JRQmlPK3lxTVRhZzU5ZUg4ZmdjRjlnTXNYZUV6QUZCZ01yWlhBRFFRQktkR0cybmpWa3JqMEwxbWVXVTROcGxaZHlHUTJxYUNxNFBSenk1OUg5WW1EUzc5M1JsTWE0TU9ad0FtVGtVUTV2YWt1dnR6MTM0SWl6NmpKa0RCZ0YiXSwiYWxnIjoiRVM1MTIifQ.eyJhdWQiOiJDcnlwdG9tYXRvciBIdWIiLCJzdWIiOiJodWJAZXhhbXBsZS5jb20iLCJyZWZyZXNoVXJsIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODFcL1wvaHViXC9yZWZyZXNoIiwia2lkIjoiWUVWMUVJdjl2WUxHWV9HVGhDRU9Ma2V5bXFQMGVlWFVVN01tbEpocWdHQSIsIm9yZy5jcnlwdG9tYXRvci5odWIuZW50aXRsZW1lbnRzIjp7InNlYXRzIjo1LCJzaG93VHJpYWxIaW50IjpmYWxzZSwiYXVkaXRMb2dSZXRlbnRpb25EYXlzIjo3LCJlbWVyZ2VuY3lBY2Nlc3NFbmFibGVkIjpmYWxzZSwia2V5Y2xvYWtBY2Nlc3NFbmFibGVkIjp0cnVlfSwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODFcLyIsImV4cCI6OTQ2Njg0ODAwLCJpYXQiOjE3NzIxMjE1ODIsInNlYXRzIjo1LCJqdGkiOiI0MiJ9.AGYclI1IqLqBhh0_giYH3B83Ffmga5_Lr7YuE1S_upyBXedI70cYJTyMAWQcakFdIKF9k9exWHjldCdnF3QoyhHfANgmnnb4bAkSlX59WFXePMbks97SvVvMXExaCIvKAQWbGJ0jNw4aid-6plrNYP855jATfEZh800Fcsbp81eChysO";
+	private static final String FUTURE_TOKEN = "eyJ4NWMiOlsiTUlJQ0REQ0NBYjZnQXdJQkFnSVVETU96eEpZMzgxSmpkTjgyY1c3cWQrQjN2aDB3QlFZREsyVndNRTR4Q3pBSkJnTlZCQVlUQWtSRk1SWXdGQVlEVlFRS0RBMVRhM2x0WVhScFl5QkhiV0pJTVNjd0pRWURWUVFEREI1TWFXTmxibk5sSUVsdWRHVnliV1ZrYVdGMFpTQkRRU0FvVkdWemRDa3dIaGNOTWpZd01qSTJNVFUwTURNMldoY05Nell3TWpJME1UVTBNRE0yV2pCSU1Rc3dDUVlEVlFRR0V3SkVSVEVXTUJRR0ExVUVDZ3dOVTJ0NWJXRjBhV01nUjIxaVNERWhNQjhHQTFVRUF3d1lUR2xqWlc1elpTQkpjM04xWlhJZ1EwRWdLRlJsYzNRcE1JR2JNQkFHQnlxR1NNNDlBZ0VHQlN1QkJBQWpBNEdHQUFRQmlVVlEwSGhaTXVBT3FpTzJsUElUK01NU0g0YmNsNkJPV25GbjIwNWJ6VGNSSTlSdVJkdHJYVk53cFwvSVB0ak1WWFRqXC9vVzByMTJIY3JFZExtaTlRSTZRQVNURUJ5V0xOVFNcL2Q5NElvWG1SWVFUbkMrUnRIK0hcLzRJMVRXWXc5MGFpaWcyeVYwRzFzMHFDZ0FpeUtzd2orU1Q2cjcxTk1cL2dlcG1sVzMrcWl2OVwvUFdqUWpCQU1CMEdBMVVkRGdRV0JCU05qQnd2K1wvaVlRdnBPT3F6MDJ1N3hhQVNTSVRBZkJnTlZIU01FR0RBV2dCUk1BU3NwMWtpYXdKbThZb0o2KzhcL3NxMjFYNHpBRkJnTXJaWEFEUVFBNE9rXC8reTBiZHptMlJVbWtIZDZRRlM2V2JCS2Y5TzR6ejNVYzdpQk1wS0lxMWtCbHErN1RiYmdNSEp1K2FZYk9EY1JXVCsrNXN4NGkyT3Nwa2dPc0oiLCJNSUlCdFRDQ0FXZWdBd0lCQWdJVUpteDhVcXRnbktjYXVRYnFiMDRUYVVCRytVSXdCUVlESzJWd01EOHhDekFKQmdOVkJBWVRBa1JGTVJZd0ZBWURWUVFLREExVGEzbHRZWFJwWXlCSGJXSklNUmd3RmdZRFZRUUREQTlNYVdObGJuTmxJRlJsYzNRZ1EwRXdIaGNOTWpZd01qSTJNVFV6TmpNMldoY05Nell3TWpJME1UVXpOak0yV2pCT01Rc3dDUVlEVlFRR0V3SkVSVEVXTUJRR0ExVUVDZ3dOVTJ0NWJXRjBhV01nUjIxaVNERW5NQ1VHQTFVRUF3d2VUR2xqWlc1elpTQkpiblJsY20xbFpHbGhkR1VnUTBFZ0tGUmxjM1FwTUNvd0JRWURLMlZ3QXlFQUczdnI4Tks3WVpzMXE2cFF0SmhIRGJUMnhNRDNDMnlzbXNuZW13MUZRbGFqWmpCa01CSUdBMVVkRXdFQlwvd1FJTUFZQkFmOENBUUF3RGdZRFZSMFBBUUhcL0JBUURBZ0VHTUIwR0ExVWREZ1FXQkJSTUFTc3Axa2lhd0ptOFlvSjYrOFwvc3EyMVg0ekFmQmdOVkhTTUVHREFXZ0JRQmlPK3lxTVRhZzU5ZUg4ZmdjRjlnTXNYZUV6QUZCZ01yWlhBRFFRQktkR0cybmpWa3JqMEwxbWVXVTROcGxaZHlHUTJxYUNxNFBSenk1OUg5WW1EUzc5M1JsTWE0TU9ad0FtVGtVUTV2YWt1dnR6MTM0SWl6NmpKa0RCZ0YiXSwiYWxnIjoiRVM1MTIifQ.eyJhdWQiOiJDcnlwdG9tYXRvciBIdWIiLCJzdWIiOiJodWJAZXhhbXBsZS5jb20iLCJyZWZyZXNoVXJsIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODFcL1wvaHViXC9yZWZyZXNoIiwia2lkIjoiWUVWMUVJdjl2WUxHWV9HVGhDRU9Ma2V5bXFQMGVlWFVVN01tbEpocWdHQSIsIm9yZy5jcnlwdG9tYXRvci5odWIuZW50aXRsZW1lbnRzIjp7InNlYXRzIjo1LCJzaG93VHJpYWxIaW50IjpmYWxzZSwiYXVkaXRMb2dSZXRlbnRpb25EYXlzIjo3LCJlbWVyZ2VuY3lBY2Nlc3NFbmFibGVkIjpmYWxzZSwia2V5Y2xvYWtBY2Nlc3NFbmFibGVkIjp0cnVlfSwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODFcLyIsImV4cCI6MTc3MjEyMTg5OCwiaWF0IjozMjUwMzY4MDAwMCwic2VhdHMiOjUsImp0aSI6IjQyIn0.AZB8nxX0_x319_6ZIzLV2nol18k5BzBtujiF5BCqUfXkBzaKbNzhGGmVOvr1w_0LS2Yb8sJjlgDRw_bO3fIiAX8jAaWdo_M4yXFLxJrejvB1mi1oOujE1kecTXPuayrkLAOi99VYdcXqJB7pptqJcXC374QorZRQKFK-PnZ6YT6hNv5Z";
 	private static final String TOKEN_WITH_INVALID_SIGNATURE = "eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.AbVUinMiT3J_03je8WTOIl-VdggzvoFgnOsdouAs-DLOtQzau9valrq-S6pETyi9Q18HH-EuwX49Q7m3KC0GuNBJAc9Tksulgsdq8GqwIqZqDKmG7hNmDzaQG1Dpdezn2qzv-otf3ZZe-qNOXUMRImGekfQFIuH_MjD2e8RZyww6lbZk";
 	private static final String MALFORMED_TOKEN = "hello world";
+	private static final String ROOT_CERTIFICATE = "MIIBpjCCAVigAwIBAgIUJWMTr10U1lkxgPhxjed4kPqSu4EwBQYDK2VwMD8xCzAJBgNVBAYTAkRFMRYwFAYDVQQKDA1Ta3ltYXRpYyBHbWJIMRgwFgYDVQQDDA9MaWNlbnNlIFRlc3QgQ0EwHhcNMjYwMjI2MTUzMzIwWhcNMzYwMjI0MTUzMzIwWjA/MQswCQYDVQQGEwJERTEWMBQGA1UECgwNU2t5bWF0aWMgR21iSDEYMBYGA1UEAwwPTGljZW5zZSBUZXN0IENBMCowBQYDK2VwAyEAVi5WsfyHgHiL0vr4d2Lt1g7kPgC5m8u0DIKLalKJqHSjZjBkMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQBiO+yqMTag59eH8fgcF9gMsXeEzAfBgNVHSMEGDAWgBQBiO+yqMTag59eH8fgcF9gMsXeEzAFBgMrZXADQQD1I6bFKdHW+MaSpNVl/seCJny0Tp5L3+v6IyybvV0e66ks8BhsRWbqoSSBEaF4zlX7gAPzNuOIEFadM4s1fVMC";
+	private static final String INTERMEDIATE_CERTIFICATE = "MIIBtTCCAWegAwIBAgIUJmx8UqtgnKcauQbqb04TaUBG+UIwBQYDK2VwMD8xCzAJBgNVBAYTAkRFMRYwFAYDVQQKDA1Ta3ltYXRpYyBHbWJIMRgwFgYDVQQDDA9MaWNlbnNlIFRlc3QgQ0EwHhcNMjYwMjI2MTUzNjM2WhcNMzYwMjI0MTUzNjM2WjBOMQswCQYDVQQGEwJERTEWMBQGA1UECgwNU2t5bWF0aWMgR21iSDEnMCUGA1UEAwweTGljZW5zZSBJbnRlcm1lZGlhdGUgQ0EgKFRlc3QpMCowBQYDK2VwAyEAG3vr8NK7YZs1q6pQtJhHDbT2xMD3C2ysmsnemw1FQlajZjBkMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRMASsp1kiawJm8YoJ6+8/sq21X4zAfBgNVHSMEGDAWgBQBiO+yqMTag59eH8fgcF9gMsXeEzAFBgMrZXADQQBKdGG2njVkrj0L1meWU4NplZdyGQ2qaCq4PRzy59H9YmDS793RlMa4MOZwAmTkUQ5vakuvtz134Iiz6jJkDBgF";
+	private static final String INTERMEDIATE_CN = "License Intermediate CA (Test)";
+	private static final String LEAF_CERTIFICATE = "MIICDDCCAb6gAwIBAgIUDMOzxJY381JjdN82cW7qd+B3vh0wBQYDK2VwME4xCzAJBgNVBAYTAkRFMRYwFAYDVQQKDA1Ta3ltYXRpYyBHbWJIMScwJQYDVQQDDB5MaWNlbnNlIEludGVybWVkaWF0ZSBDQSAoVGVzdCkwHhcNMjYwMjI2MTU0MDM2WhcNMzYwMjI0MTU0MDM2WjBIMQswCQYDVQQGEwJERTEWMBQGA1UECgwNU2t5bWF0aWMgR21iSDEhMB8GA1UEAwwYTGljZW5zZSBJc3N1ZXIgQ0EgKFRlc3QpMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBiUVQ0HhZMuAOqiO2lPIT+MMSH4bcl6BOWnFn205bzTcRI9RuRdtrXVNwp/IPtjMVXTj/oW0r12HcrEdLmi9QI6QASTEByWLNTS/d94IoXmRYQTnC+RtH+H/4I1TWYw90aiig2yV0G1s0qCgAiyKswj+ST6r71NM/gepmlW3+qiv9/PWjQjBAMB0GA1UdDgQWBBSNjBwv+/iYQvpOOqz02u7xaASSITAfBgNVHSMEGDAWgBRMASsp1kiawJm8YoJ6+8/sq21X4zAFBgMrZXADQQA4Ok/+y0bdzm2RUmkHd6QFS6WbBKf9O4zz3Uc7iBMpKIq1kBlq+7TbbgMHJu+aYbODcRWT++5sx4i2OspkgOsJ";
+	private static final String LEAF_PRIVATE_KEY = "MGACAQAwEAYHKoZIzj0CAQYFK4EEACMESTBHAgEBBEIA+tBtqmK6OyXS+0ATPadXIF3mf1uwAY/ujIbhtox+dcqolusy8fR8cIVYNqbRb8wUZvbY++xn24nsDAiw6Za4NTg=";
 
 	LicenseValidator validator = new LicenseValidator();
 
+	@BeforeEach
+	void setup() {
+		var verifierProducer = new LicenseVerifierProducer();
+		verifierProducer.licenseChainRequiredCn = "";
+		validator.verifier = verifierProducer.produceLicenseVerifier(ROOT_CERTIFICATE, INTERMEDIATE_CN);
+	}
+
 	@Test
-	@DisplayName("validate valid token")
-	public void testValidateValidToken() {
-		var jwt = validator.validate(VALID_TOKEN, "42");
+	@DisplayName("validate valid legacy token (pre org.cryptomator.hub.entitlements)")
+		// TODO: eventually remove this test when legacy tokens are no longer supported, see https://github.com/cryptomator/hub/issues/391
+	void testValidateValidToken() {
+		var jwt = validator.validate(VALID_LEGACY_TOKEN, "42");
 		Assertions.assertEquals("ES512", jwt.getAlgorithm());
 		Assertions.assertEquals("42", jwt.getId());
 		Assertions.assertEquals("Skymatic", jwt.getIssuer());
@@ -35,29 +58,29 @@ public void testValidateValidToken() {
 
 	@Test
 	@DisplayName("validate valid token with mismatching hub id")
-	public void testValidateValidTokenWithMismatchingHubId() {
+	void testValidateValidTokenWithMismatchingHubId() {
 		Assertions.assertThrows(InvalidClaimException.class, () -> {
-			validator.validate(VALID_TOKEN, "123");
+			validator.validate(VALID_LEGACY_TOKEN, "123");
 		});
 	}
 
 	@Test
 	@DisplayName("validate expired token")
-	public void testValidateExpiredToken() {
+	void testValidateExpiredToken() {
 		// this should not throw an exception and return a JWT with an expired date
 		validator.validate(EXPIRED_TOKEN, "42");
 	}
 
 	@Test
 	@DisplayName("validate future token")
-	public void testValidateFutureToken() {
+	void testValidateFutureToken() {
 		// this should not throw an exception and return a JWT with an issued at in the future
 		validator.validate(FUTURE_TOKEN, "42");
 	}
 
 	@Test
 	@DisplayName("validate token with invalid signature")
-	public void testValidateTokenWithInvalidSignature() {
+	void testValidateTokenWithInvalidSignature() {
 		Assertions.assertThrows(SignatureVerificationException.class, () -> {
 			validator.validate(TOKEN_WITH_INVALID_SIGNATURE, "42");
 		});
@@ -65,10 +88,82 @@ public void testValidateTokenWithInvalidSignature() {
 
 	@Test
 	@DisplayName("validate malformed token")
-	public void testValidateMalformedToken() {
+	void testValidateMalformedToken() {
 		Assertions.assertThrows(JWTDecodeException.class, () -> {
 			validator.validate(MALFORMED_TOKEN, "42");
 		});
 	}
 
+	@Test
+	@DisplayName("validate token with x5c certificate chain")
+	void testValidateTokenWithX5cCertificateChain() {
+		var token = JWT.create()
+				.withHeader(Map.of("x5c", List.of(LEAF_CERTIFICATE, INTERMEDIATE_CERTIFICATE)))
+				.withJWTId("42")
+				.withSubject("hub@cryptomator.org")
+				.withIssuedAt(new java.util.Date())
+				.withExpiresAt(new java.util.Date(System.currentTimeMillis() + 60_000))
+				.withClaim("seats", 5)
+				.sign(Algorithm.ECDSA512(null, decodePrivateKey(LEAF_PRIVATE_KEY)));
+		var jwt = validator.validate(token, "42");
+		Assertions.assertEquals("42", jwt.getId());
+	}
+
+	@Test
+	@DisplayName("reject token with invalid x5c certificate chain")
+	void testRejectTokenWithInvalidX5cCertificateChain() {
+		var verifierProducer = new LicenseVerifierProducer();
+		validator.verifier = verifierProducer.produceLicenseVerifier(ROOT_CERTIFICATE, INTERMEDIATE_CN);
+		var token = JWT.create()
+				.withHeader(Map.of("x5c", List.of(LEAF_CERTIFICATE)))
+				.withJWTId("42")
+				.withSubject("hub@cryptomator.org")
+				.withIssuedAt(new java.util.Date())
+				.withExpiresAt(new java.util.Date(System.currentTimeMillis() + 60_000))
+				.withClaim("seats", 5)
+				.sign(Algorithm.ECDSA512(null, decodePrivateKey(LEAF_PRIVATE_KEY)));
+		Assertions.assertThrows(JWTVerificationException.class, () -> {
+			validator.validate(token, "42");
+		});
+	}
+
+	@Test
+	@DisplayName("validate token with matching intermediate cert cn")
+	void testValidateTokenWithMatchingIntermediateCn() {
+		var token = JWT.create()
+				.withHeader(Map.of("x5c", List.of(LEAF_CERTIFICATE, INTERMEDIATE_CERTIFICATE)))
+				.withJWTId("42")
+				.withSubject("hub@cryptomator.org")
+				.withIssuedAt(new java.util.Date())
+				.withExpiresAt(new java.util.Date(System.currentTimeMillis() + 60_000))
+				.withClaim("seats", 5)
+				.sign(Algorithm.ECDSA512(null, decodePrivateKey(LEAF_PRIVATE_KEY)));
+		var jwt = validator.validate(token, "42");
+		Assertions.assertEquals("42", jwt.getId());
+	}
+
+	@Test
+	@DisplayName("reject token with mismatching intermediate cert cn")
+	void testRejectTokenWithMismatchingIntermediateCn() {
+		var verifierProducer = new LicenseVerifierProducer();
+		validator.verifier = verifierProducer.produceLicenseVerifier(ROOT_CERTIFICATE, "some other CN");
+		var token = JWT.create()
+				.withHeader(Map.of("x5c", List.of(LEAF_CERTIFICATE, INTERMEDIATE_CERTIFICATE)))
+				.withJWTId("42")
+				.withSubject("hub@cryptomator.org")
+				.withIssuedAt(new java.util.Date())
+				.withExpiresAt(new java.util.Date(System.currentTimeMillis() + 60_000))
+				.withClaim("seats", 5)
+				.sign(Algorithm.ECDSA512(null, decodePrivateKey(LEAF_PRIVATE_KEY)));
+		Assertions.assertThrows(JWTVerificationException.class, () -> validator.validate(token, "42"));
+	}
+
+	private static ECPrivateKey decodePrivateKey(String encodedPkcs8PrivateKey) {
+		try {
+			var keyBytes = Base64.getDecoder().decode(encodedPkcs8PrivateKey);
+			return (ECPrivateKey) KeyFactory.getInstance("EC").generatePrivate(new PKCS8EncodedKeySpec(keyBytes));
+		} catch (InvalidKeySpecException | java.security.NoSuchAlgorithmException e) {
+			throw new IllegalStateException("Cannot decode test private key", e);
+		}
+	}
 }
diff --git a/backend/src/test/java/org/cryptomator/hub/rollback/DBRollbackAfterExtension.java b/backend/src/test/java/org/cryptomator/hub/rollback/DBRollbackAfterExtension.java
index 671637f51..8957b7960 100644
--- a/backend/src/test/java/org/cryptomator/hub/rollback/DBRollbackAfterExtension.java
+++ b/backend/src/test/java/org/cryptomator/hub/rollback/DBRollbackAfterExtension.java
@@ -18,10 +18,10 @@ public class DBRollbackAfterExtension implements QuarkusTestAfterConstructCallba
 	@Override
 	public void afterTestExecution(QuarkusTestMethodContext context) {
 		var isAnnotationPresent = context.getTestMethod().getAnnotation(DBRollbackAfter.class) != null;
-		if(isAnnotationPresent) {
+		if (isAnnotationPresent) {
 			var flyway = INSTANCE.get();
-			if(flyway == null) {
-				throw new IllegalStateException("Flyway instance was not set. Please ensure that test class (or enclosing class) have a public non-null, Flyway field.");
+			if (flyway == null) {
+				throw new IllegalStateException("Flyway instance was not set. Please ensure that test class (or enclosing class) are public and have a public non-null, Flyway field.");
 			}
 
 			flyway.clean();
@@ -44,7 +44,7 @@ private Object getTopLevelTestInstance(Object testInstance) throws NoSuchFieldEx
 		var hasEnclosingClass = testClazz.getEnclosingClass() != null;
 		var isNotStatic = !Modifier.isStatic(testClazz.getModifiers());
 		var isNested = testClazz.getAnnotation(Nested.class) != null;
-		if(hasEnclosingClass && isNotStatic && isNested) {
+		if (hasEnclosingClass && isNotStatic && isNested) {
 			Field field = testClazz.getDeclaredField("this$0");
 			field.setAccessible(true);
 			return getTopLevelTestInstance(field.get(testInstance));
diff --git a/backend/src/test/java/org/cryptomator/hub/rollback/DBRollbackBeforeExtension.java b/backend/src/test/java/org/cryptomator/hub/rollback/DBRollbackBeforeExtension.java
index 47d8c3885..4d834a2ee 100644
--- a/backend/src/test/java/org/cryptomator/hub/rollback/DBRollbackBeforeExtension.java
+++ b/backend/src/test/java/org/cryptomator/hub/rollback/DBRollbackBeforeExtension.java
@@ -1,7 +1,6 @@
 package org.cryptomator.hub.rollback;
 
 import io.quarkus.test.junit.callback.QuarkusTestAfterConstructCallback;
-import io.quarkus.test.junit.callback.QuarkusTestAfterTestExecutionCallback;
 import io.quarkus.test.junit.callback.QuarkusTestBeforeTestExecutionCallback;
 import io.quarkus.test.junit.callback.QuarkusTestMethodContext;
 import org.flywaydb.core.Flyway;
@@ -19,10 +18,10 @@ public class DBRollbackBeforeExtension implements QuarkusTestAfterConstructCallb
 	@Override
 	public void beforeTestExecution(QuarkusTestMethodContext context) {
 		var isAnnotationPresent = context.getTestMethod().getAnnotation(DBRollbackAfter.class) != null;
-		if(isAnnotationPresent) {
+		if (isAnnotationPresent) {
 			var flyway = INSTANCE.get();
-			if(flyway == null) {
-				throw new IllegalStateException("Flyway instance was not set. Please ensure that test class (or enclosing class) have a public non-null, Flyway field.");
+			if (flyway == null) {
+				throw new IllegalStateException("Flyway instance was not set. Please ensure that test class (or enclosing class) are public and have a public non-null, Flyway field.");
 			}
 
 			flyway.clean();
@@ -45,7 +44,7 @@ private Object getTopLevelTestInstance(Object testInstance) throws NoSuchFieldEx
 		var hasEnclosingClass = testClazz.getEnclosingClass() != null;
 		var isNotStatic = !Modifier.isStatic(testClazz.getModifiers());
 		var isNested = testClazz.getAnnotation(Nested.class) != null;
-		if(hasEnclosingClass && isNotStatic && isNested) {
+		if (hasEnclosingClass && isNotStatic && isNested) {
 			Field field = testClazz.getDeclaredField("this$0");
 			field.setAccessible(true);
 			return getTopLevelTestInstance(field.get(testInstance));
diff --git a/backend/src/test/java/org/cryptomator/hub/util/RawJsonTest.java b/backend/src/test/java/org/cryptomator/hub/util/RawJsonTest.java
new file mode 100644
index 000000000..504d810de
--- /dev/null
+++ b/backend/src/test/java/org/cryptomator/hub/util/RawJsonTest.java
@@ -0,0 +1,110 @@
+package org.cryptomator.hub.util;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.JsonMappingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.hamcrest.MatcherAssert;
+import org.hamcrest.Matchers;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+
+class RawJsonTest {
+
+	record TestEntity(@JsonProperty("str") String str, @JsonProperty("raw") @RawJson String raw) {
+	}
+
+	@Test
+	@DisplayName("serialize entity with @RawJson field containing JSON string")
+	void testSerialization() throws Exception {
+		TestEntity entity = new TestEntity("test", "{\"key\":\"value\"}");
+		ObjectMapper objectMapper = new ObjectMapper();
+
+		String json = objectMapper.writeValueAsString(entity);
+
+		MatcherAssert.assertThat(json, Matchers.containsString("""
+				"raw":{"key":"value"}\
+				"""));
+		MatcherAssert.assertThat(json, Matchers.containsString("""
+				"str":"test"\
+				"""));
+	}
+
+	@Test
+	@DisplayName("serialize entity with @RawJson field containing null")
+	void testNullSerialization() throws Exception {
+		TestEntity entity = new TestEntity("test", null);
+		ObjectMapper objectMapper = new ObjectMapper();
+
+		String json = objectMapper.writeValueAsString(entity);
+
+		MatcherAssert.assertThat(json, Matchers.containsString("""
+				"raw":null\
+				"""));
+		MatcherAssert.assertThat(json, Matchers.containsString("""
+				"str":"test"\
+				"""));
+	}
+
+	@Test
+	@DisplayName("fail serialization if @RawJson field contains non-JSON string")
+	void testBrokenSerialization() throws Exception {
+		TestEntity entity = new TestEntity("test", "NOT JSON");
+		ObjectMapper objectMapper = new ObjectMapper();
+
+		Assertions.assertThrows(JsonMappingException.class, () -> {
+			objectMapper.writeValueAsString(entity);
+		});
+	}
+
+	@Test
+	@DisplayName("deserialize json with arbitrary data in @RawJson field")
+	void testDeserialization() throws Exception {
+		String json = """
+				{
+					"str": "test",
+					"raw": {"key": 42}
+				}
+				""";
+		ObjectMapper objectMapper = new ObjectMapper();
+
+		TestEntity entity = objectMapper.readValue(json, TestEntity.class);
+
+		Assertions.assertEquals("test", entity.str);
+		Assertions.assertEquals("{\"key\":42}", entity.raw);
+	}
+
+	@Test
+	@DisplayName("deserialize json with null in @RawJson field")
+	void testNullDeserialization() throws Exception {
+		String json = """
+				{
+					"str": "test",
+					"raw": null
+				}
+				""";
+		ObjectMapper objectMapper = new ObjectMapper();
+
+		TestEntity entity = objectMapper.readValue(json, TestEntity.class);
+
+		Assertions.assertEquals("test", entity.str);
+		Assertions.assertNull(entity.raw);
+	}
+
+	@Test
+	@DisplayName("deserialize json with missing @RawJson field")
+	void testUndefinedDeserialization() throws Exception {
+		String json = """
+				{
+					"str": "test"
+				}
+				""";
+		ObjectMapper objectMapper = new ObjectMapper();
+
+		TestEntity entity = objectMapper.readValue(json, TestEntity.class);
+
+		Assertions.assertEquals("test", entity.str);
+		Assertions.assertNull(entity.raw);
+	}
+
+}
\ No newline at end of file
diff --git a/backend/src/test/java/org/cryptomator/hub/validation/ValidationIT.java b/backend/src/test/java/org/cryptomator/hub/validation/ValidationIT.java
index 1597c84d0..a43d35aa3 100644
--- a/backend/src/test/java/org/cryptomator/hub/validation/ValidationIT.java
+++ b/backend/src/test/java/org/cryptomator/hub/validation/ValidationIT.java
@@ -29,7 +29,7 @@ public class ValidationIT {
 	Validator validator;
 
 	@Test
-	public void testOk() {
+	void testOk() {
 		when().get("/test/nothing")
 				.then().statusCode(200);
 	}
@@ -41,7 +41,7 @@ public class IdTest {
 		@DisplayName("Valid ids are accepted")
 		@ParameterizedTest
 		@ValueSource(strings = {"2fa854c2-e289-4a4d-9cf5-8dd81e6ae710", "myPersonalId", "_-.-_"})
-		public void testIdValid(String toTest) {
+		void testIdValid(String toTest) {
 			when().get("/test/validid/{id}", toTest)
 					.then().statusCode(200);
 		}
@@ -50,7 +50,7 @@ public void testIdValid(String toTest) {
 		@ParameterizedTest
 		@ValueSource(strings = {"WHITE SPACE", "\u5207ä="})
 		@ArgumentsSource(MalicousStringsProvider.class)
-		public void testIdInvalid(String toTest) {
+		void testIdInvalid(String toTest) {
 			when().get("/test/validid/{id}", toTest)
 					.then().statusCode(400);
 		}
@@ -62,7 +62,7 @@ public class HtmlOrScriptCharsTest {
 
 		@DisplayName("Valid input is accepted")
 		@Test
-		public void testNoHtmlOrScriptCharsInvalid() {
+		void testNoHtmlOrScriptCharsInvalid() {
 			var dto = new ValidationTestResource.NoHtmlOrScriptCharsDto("Collin 老子 O´Connor");
 			var violations = validator.validate(dto);
 			MatcherAssert.assertThat(violations, Matchers.empty());
@@ -71,7 +71,7 @@ public void testNoHtmlOrScriptCharsInvalid() {
 		@DisplayName("Invalid input is rejected")
 		@ParameterizedTest
 		@ArgumentsSource(MalicousStringsProvider.class)
-		public void testNoHtmlOrScriptCharsInvalid(String data) {
+		void testNoHtmlOrScriptCharsInvalid(String data) {
 			var dto = new ValidationTestResource.NoHtmlOrScriptCharsDto(data);
 			var violations = validator.validate(dto);
 			MatcherAssert.assertThat(violations, Matchers.not(Matchers.empty()));
@@ -85,7 +85,7 @@ public class Base64CharsTest {
 		@DisplayName("Strings only containing base64-chars are accepted")
 		@ParameterizedTest
 		@ValueSource(strings = {"abcdefghijklmnopqrstuvwxyz0123456789+/", "bGlnaHQgd29yaw==", "x======"})
-		public void testOnlyBase64CharsValid(String toTest) {
+		void testOnlyBase64CharsValid(String toTest) {
 			when().get("/test/onlybase64chars/{b64String}", toTest)
 					.then().statusCode(200);
 		}
@@ -94,7 +94,7 @@ public void testOnlyBase64CharsValid(String toTest) {
 		@ParameterizedTest
 		@ValueSource(strings = {"\u5207ä=", "foo_-", "abc==abc", "==="})
 		@ArgumentsSource(MalicousStringsProvider.class)
-		public void testOnlyBase64CharsInvalid(String toTest) {
+		void testOnlyBase64CharsInvalid(String toTest) {
 			when().get("/test/onlybase64chars/{b64String}", toTest)
 					.then().statusCode(400);
 		}
@@ -107,7 +107,7 @@ public class JWETest {
 		@DisplayName("Valid JWE compact serializations strings are accepted")
 		@ParameterizedTest
 		@ValueSource(strings = {"foo=.b4r.baz==.bas.asd=", "fo0=...bar.", "foo.=.=.bar.===="})
-		public void testJWEValid(String toTest) {
+		void testJWEValid(String toTest) {
 			when().get("/test/validjwe/{jwe}", toTest)
 					.then().statusCode(200);
 		}
@@ -116,7 +116,7 @@ public void testJWEValid(String toTest) {
 		@ParameterizedTest
 		@ValueSource(strings = {"foo=.bar.baz.bas", ".bar=.baz.bas.asd=", "föö=.bar.baz.bas.asd", "foo=bar.baz.bas.asd.qwe"})
 		@ArgumentsSource(MalicousStringsProvider.class)
-		public void testJWEInvalid(String toTest) {
+		void testJWEInvalid(String toTest) {
 			when().get("/test/validjwe/{jwe}", toTest)
 					.then().statusCode(400);
 		}
@@ -129,7 +129,7 @@ public class JWSTest {
 		@DisplayName("Valid JWS compact serializations strings are accepted")
 		@ParameterizedTest
 		@ValueSource(strings = {"fo0.b4r.baz", "f0o..", "fo0.=.bar="})
-		public void testJWSValid(String toTest) {
+		void testJWSValid(String toTest) {
 			when().get("/test/validjws/{jws}", toTest)
 					.then().statusCode(200);
 		}
@@ -138,7 +138,7 @@ public void testJWSValid(String toTest) {
 		@ParameterizedTest
 		@ValueSource(strings = {"foo=.bar", ".bar=.baz", "föö=.bar.baz", "foo=bar.baz.bas"})
 		@ArgumentsSource(MalicousStringsProvider.class)
-		public void testJWSInvalid(String toTest) {
+		void testJWSInvalid(String toTest) {
 			when().get("/test/validjws/{jws}", toTest)
 					.then().statusCode(400);
 		}
diff --git a/backend/src/test/resources/org/cryptomator/hub/flyway/V9999__Test_Data.sql b/backend/src/test/resources/org/cryptomator/hub/flyway/V9999__Test_Data.sql
index 1aa04f42b..de425e38f 100644
--- a/backend/src/test/resources/org/cryptomator/hub/flyway/V9999__Test_Data.sql
+++ b/backend/src/test/resources/org/cryptomator/hub/flyway/V9999__Test_Data.sql
@@ -4,12 +4,19 @@
 
 UPDATE "settings"
 SET "hub_id" = '42',
-	"license_key"  = 'eyJhbGciOiJFUzUxMiJ9.eyJqdGkiOiI0MiIsImlhdCI6MTY0ODA0OTM2MCwiaXNzIjoiU2t5bWF0aWMiLCJhdWQiOiJDcnlwdG9tYXRvciBIdWIiLCJzdWIiOiJodWJAY3J5cHRvbWF0b3Iub3JnIiwic2VhdHMiOjUsImV4cCI6MjUzNDAyMjE0NDAwLCJyZWZyZXNoVXJsIjoiaHR0cDovL2xvY2FsaG9zdDo4Nzg3L2h1Yi9zdWJzY3JpcHRpb24_aHViX2lkPTQyIn0.AKyoZ0WQ8xhs8vPymWPHCsc6ch6pZpfxBcrF5QjVLSQVnYz2s5QF3nnkwn4AGR7V14TuhkJMZLUZxMdQAYLyL95sAV2Fu0E4-e1v3IVKlNKtze89eqYvEs6Ak9jWjtecOgPWNWjz2itI4MfJBDmbFtTnehOtqRqUdsDoC9NFik2C7tHm'
+	"license_key"  = 'eyJhbGciOiJFUzUxMiJ9.eyJqdGkiOiI0MiIsImlhdCI6MTY0ODA0OTM2MCwiaXNzIjoiU2t5bWF0aWMiLCJhdWQiOiJDcnlwdG9tYXRvciBIdWIiLCJzdWIiOiJodWJAY3J5cHRvbWF0b3Iub3JnIiwic2VhdHMiOjUsImV4cCI6MjUzNDAyMjE0NDAwLCJyZWZyZXNoVXJsIjoiaHR0cDovL2xvY2FsaG9zdDo4Nzg3L2h1Yi9zdWJzY3JpcHRpb24_aHViX2lkPTQyIn0.AHPY1r-KmULaNTFTYrGUZrFZny2zouW9BcICBhs_bD_juv_evnOpbwbZAYZC7k8dx0s_94eBF82stgjW9HbBj4wnAHQohMCMK8Gq4b8TyJqBWPnk36KIK40V7qMv9hyrJG5aTfI3Q2D7fAnKCUxwO2v8t6lA4g89acJBbGipHh_2HhD7',
+	"default_required_emergency_key_shares" = 2,
+    "default_min_members" = 3,
+	"allow_choosing_emergency_council" = FALSE,
+    "enable_emergency_access" = FALSE
 WHERE "id" = 0;
 
 INSERT INTO "authority" ("id", "type", "name")
 VALUES
 	('user1', 'USER', 'User Name 1'),
+	-- / katta start addition (ITs going through to Keycloak as well use alice user; user repo must contain the currentUser, alice in this in this case)
+	('alice', 'USER', 'Alice for ITs accessing Keycloak'),
+	-- \ katta end addition
 	('user2', 'USER', 'User Name 2'),
 	('group1', 'GROUP', 'Group Name 1'),
     ('group2', 'GROUP', 'Group Name 2');
@@ -17,6 +24,9 @@ VALUES
 INSERT INTO "user_details" ("id", "ecdh_publickey", "ecdsa_publickey", "privatekeys", "setupcode")
 VALUES
 	('user1', 'ecdh_public1', 'ecdsa_public1', 'private1', 'setup1'),
+	-- / katta start addition
+	('alice', NULL, NULL, NULL, NULL),
+	-- \ katta end addition
 	('user2', NULL, NULL, NULL, NULL);
 
 INSERT INTO "group_details" ("id")
@@ -29,6 +39,11 @@ VALUES
 	('group1', 'user1'),
 	('group2', 'user2');
 
+INSERT INTO "effective_group_membership" ("group_id", "intermediate_group_ids", "member_id")
+VALUES
+    ('group1', ARRAY['group1'], 'user1'),
+    ('group2', ARRAY['group2'], 'user2');
+
 INSERT INTO "vault" ("id", "name", "description", "creation_time", "salt", "iterations", "masterkey", "auth_pubkey", "auth_prvkey", "archived")
 VALUES
 	('7E57C0DE-0000-4000-8000-000100001111', 'Vault 1', 'This is a testvault.', '2020-02-20 20:20:20', 'salt1', 42, 'masterkey1',
diff --git a/charts/cryptomator-hub/.helmignore b/charts/cryptomator-hub/.helmignore
new file mode 100644
index 000000000..26a165ea6
--- /dev/null
+++ b/charts/cryptomator-hub/.helmignore
@@ -0,0 +1,5 @@
+.DS_Store
+.git/
+.github/
+*.swp
+*.tmp
diff --git a/charts/cryptomator-hub/Chart.yaml b/charts/cryptomator-hub/Chart.yaml
new file mode 100644
index 000000000..f1fb1f6fe
--- /dev/null
+++ b/charts/cryptomator-hub/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: cryptomator-hub
+home: https://cryptomator.org/hub/
+icon: https://cryptomator.org/img/logo.png
+description: Helm chart for deploying Cryptomator Hub with optional Keycloak and PostgreSQL
+type: application
+version: 0.1.3
+appVersion: "1.5.0-alpha3"
+kubeVersion: ">=1.27.0-0"
+sources:
+  - https://github.com/cryptomator/hub
+keywords:
+  - cryptomator
+  - cryptomator hub
diff --git a/charts/cryptomator-hub/README.md b/charts/cryptomator-hub/README.md
new file mode 100644
index 000000000..f12627f05
--- /dev/null
+++ b/charts/cryptomator-hub/README.md
@@ -0,0 +1,105 @@
+# Cryptomator Hub Helm Chart
+
+This chart deploys:
+
+- Cryptomator Hub (required)
+- Keycloak (optional, enabled by default)
+- PostgreSQL (optional, enabled by default)
+
+Image repositories/tags are fixed in templates:
+- Hub: `ghcr.io/cryptomator/hub:<appVersion from Chart.yaml>`
+- Keycloak: `ghcr.io/cryptomator/keycloak:26.5.3`
+- PostgreSQL: `postgres:17-alpine`
+
+TLS termination is currently expected to be done by ingress controller.
+Supported ingress controller templates:
+- `ingress.controller=nginx`
+- `ingress.controller=traefik`
+- `ingress.controller=contour`
+
+
+## Quick Start (Full Internal Stack)
+
+Assuming you have a local KIND cluster, e.g. via [Podman Desktop](https://podman-desktop.io/) with contour ingress on port 9090:
+
+```bash
+helm install hub charts/cryptomator-hub \
+  --namespace cryptomator \
+  --create-namespace \
+  --wait --timeout 5m \
+  --set urls.hub.public=http://localhost:9090/hub \
+  --set urls.kc.public=http://localhost:9090/kc \
+  --set ingress.controller=contour \
+  --set hub.admin.password=password
+```
+
+Passwords are optional by default. If unset, the chart generates random values and
+prints commands in `helm` notes to retrieve them from Kubernetes Secrets.
+
+The Keycloak realm import is rendered from a dedicated template using:
+
+- `keycloak.realmBootstrap.realmId`
+- `hub.secrets.systemClientSecret` (optional; auto-generated when chart-managed Hub secret is used)
+- `hub.admin.*` (realm-level Hub admin user; separate from `keycloak.admin.*` bootstrap user)
+
+## Metrics Endpoint
+
+Hub metrics are configured via:
+
+- `hub.metrics.enabled`
+- `hub.metrics.username`
+- `hub.metrics.password` (optional; auto-generated if unset)
+
+When metrics are enabled, the chart creates:
+
+- Secret `<release>-secrets-hub-metrics` of type `kubernetes.io/basic-auth`
+- Metrics ingress route on Hub management endpoint path `/q/metrics`
+- Basic-auth protection for metrics ingress on `nginx` and `traefik` controllers
+
+## Hub with External PostgreSQL and Keycloak
+
+```bash
+helm install hub charts/cryptomator-hub \
+  --namespace cryptomator \
+  --create-namespace \
+  --wait --timeout 5m \
+  --set keycloak.enabled=false \
+  --set postgres.enabled=false \
+  --set hub.database.jdbcUrl='jdbc:postgresql://db.example:5432/hub' \
+  --set hub.database.username='hub' \
+  --set hub.config.keycloakPublicUrl='https://sso.example/kc' \
+  --set hub.config.keycloakLocalUrl='http://keycloak.svc.cluster.local:8080/kc' \
+  --set hub.oidc.authServerUrl='http://keycloak.svc.cluster.local:8080/kc/realms/cryptomator' \
+  --set hub.oidc.tokenIssuer='https://sso.example/kc/realms/cryptomator'
+```
+
+### Importing `realm.json`
+
+Even with `keycloak.enabled=false`, the chart still renders `realm.json` in Secret `<release>-keycloak` so you can manually export/import it for your existing Keycloak.
+
+Assuming namespace `cryptomator` and name `hub`:
+
+```bash
+kubectl get secret -n cryptomator hub-secrets-kc -o jsonpath='{.data.realm\.json}' | base64 -d | ...
+```
+
+## Verify Published Chart (Signature + Provenance)
+
+This chart contains a OCI chart signature, which can be verified as follows (assuming chart version `0.1.0`):
+
+```bash
+cosign verify \
+  --certificate-identity-regexp 'https://github.com/cryptomator/hub/.github/workflows/helm-chart.yml@refs/(heads|tags)/.+' \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  ghcr.io/cryptomator/charts/cryptomator-hub:0.1.1
+```
+
+You can additionally inspect provenance attestations:
+
+```bash
+cosign verify-attestation \
+  --type https://slsa.dev/provenance/v1 \
+  --certificate-identity-regexp 'https://github.com/cryptomator/hub/.github/workflows/helm-chart.yml@refs/(heads|tags)/.+' \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  ghcr.io/cryptomator/charts/cryptomator-hub:0.1.1
+```
diff --git a/charts/cryptomator-hub/templates/NOTES.txt b/charts/cryptomator-hub/templates/NOTES.txt
new file mode 100644
index 000000000..7ded7ad39
--- /dev/null
+++ b/charts/cryptomator-hub/templates/NOTES.txt
@@ -0,0 +1,62 @@
+{{- $useColor := .Values.notes.useColor }}
+{{- $ns := .Release.Namespace }}
+{{- $hubSvc := printf "%s-service-hub" (include "cryptomator-hub.fullname" .) }}
+{{- $kcSvc := printf "%s-service-kc" (include "cryptomator-hub.fullname" .) }}
+{{- $pgSvc := printf "%s-service-pg" (include "cryptomator-hub.fullname" .) }}
+{{- $hubSecret := printf "%s-secrets-hub" (include "cryptomator-hub.fullname" .) }}
+{{- $hubMetricsSecret := printf "%s-secrets-hub-metrics" (include "cryptomator-hub.fullname" .) }}
+{{- $kcSecret := printf "%s-secrets-kc" (include "cryptomator-hub.fullname" .) }}
+{{- $pgSecret := printf "%s-secrets-pg" (include "cryptomator-hub.fullname" .) }}
+{{- $cTitle := ternary "\033[1;36m" "" $useColor }}
+{{- $cSection := ternary "\033[1;34m" "" $useColor }}
+{{- $cReset := ternary "\033[0m" "" $useColor }}
+{{ printf "%s✅ Cryptomator Hub Installed%s\n" $cTitle $cReset }}
+
+{{ printf "%s📦 Services%s" $cSection $cReset }}
+- Namespace: `{{ $ns }}`
+- Hub: `{{ $hubSvc }}:{{ .Values.hub.service.port }}`
+{{- if .Values.keycloak.enabled }}
+- Keycloak: `{{ $kcSvc }}:{{ .Values.keycloak.service.httpPort }}`
+{{- end }}
+{{- if .Values.postgres.enabled }}
+- PostgreSQL: `{{ $pgSvc }}:{{ .Values.postgres.service.port }}`
+{{- end }}
+
+{{ printf "%s🌐 Ingress%s" $cSection $cReset }}
+{{- if .Values.ingress.controller }}
+- Hub: {{ .Values.urls.hub.public }}
+{{- if .Values.hub.metrics.enabled }}
+- Hub metrics: {{ .Values.urls.hub.public }}/q/metrics
+{{- end }}
+{{- if .Values.keycloak.enabled }}
+- Keycloak: {{ .Values.urls.kc.public }}
+{{- end }}
+{{- else }}
+Ingress is disabled. Configure ingress manually to the services above.
+{{- end }}
+
+{{ printf "%s🔐 Credentials%s" $cSection $cReset }}
+{{- if .Values.hub.secrets.create }}
+- Hub admin password (realm user): `kubectl get secret -n {{ $ns }} {{ $hubSecret }} -o jsonpath='{.data.hub_admin_password}' | base64 -d && echo`
+- Hub DB password: `kubectl get secret -n {{ $ns }} {{ $hubSecret }} -o jsonpath='{.data.hub_db_password}' | base64 -d && echo`
+{{- end }}
+{{- if .Values.hub.metrics.enabled }}
+- Hub metrics username: `kubectl get secret -n {{ $ns }} {{ $hubMetricsSecret }} -o jsonpath='{.data.username}' | base64 -d && echo`
+- Hub metrics password: `kubectl get secret -n {{ $ns }} {{ $hubMetricsSecret }} -o jsonpath='{.data.password}' | base64 -d && echo`
+{{- end }}
+{{- if .Values.keycloak.enabled }}
+- Keycloak admin password: `kubectl get secret -n {{ $ns }} {{ $kcSecret }} -o jsonpath='{.data.kc_admin_password}' | base64 -d && echo`
+- Keycloak DB password: `kubectl get secret -n {{ $ns }} {{ $kcSecret }} -o jsonpath='{.data.kc_db_password}' | base64 -d && echo`
+{{- end }}
+{{- if .Values.postgres.enabled }}
+- PostgreSQL admin password: `kubectl get secret -n {{ $ns }} {{ $pgSecret }} -o jsonpath='{.data.pg_admin_password}' | base64 -d && echo`
+{{- end }}
+
+{{ if and .Values.hub.metrics.enabled (eq .Values.ingress.controller "contour") }}
+⚠️ Contour doesn't support authentication, so the metrics endpoint isn't protected. Please secure it manually or set `hub.metrics.enabled` to `false` to avoid exposing it.
+{{ end }}
+
+{{ if not .Values.keycloak.enabled }}
+{{ printf "%s📥 Manual Realm Import%s" $cSection $cReset }}
+- `kubectl get secret -n {{ $ns }} {{ $kcSecret }} -o jsonpath='{.data.realm\.json}' | base64 -d`
+{{ end }}
diff --git a/charts/cryptomator-hub/templates/_helpers.tpl b/charts/cryptomator-hub/templates/_helpers.tpl
new file mode 100644
index 000000000..1390a29a4
--- /dev/null
+++ b/charts/cryptomator-hub/templates/_helpers.tpl
@@ -0,0 +1,216 @@
+{{- define "cryptomator-hub.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "cryptomator-hub.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "cryptomator-hub.labels" -}}
+app.kubernetes.io/name: {{ include "cryptomator-hub.name" . }}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{- define "cryptomator-hub.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cryptomator-hub.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/* 
+
+Compute relative URLs for hub and keycloak based on their public URLs and whether ingress is enabled.
+This allows users to set the public URLs to the actual external URLs of the services, and we can derive the relative paths required for configuring the services to work correctly both with and without ingress.
+
+*/}}
+
+{{- define "cryptomator-hub.hubRelativePath" -}}
+{{- $path := regexReplaceAll "^https?://[^/]+" (required "urls.hub.public must be set" .Values.urls.hub.public) "" -}}
+{{- $trimmed := trimAll "/" $path -}}
+{{- printf "/%s" $trimmed -}}
+{{- end -}}
+
+{{- define "cryptomator-hub.keycloakRelativePath" -}}
+{{- $path := regexReplaceAll "^https?://[^/]+" (required "urls.kc.public must be set" .Values.urls.kc.public) "" -}}
+{{- $trimmed := trimAll "/" $path -}}
+{{- printf "/%s" $trimmed -}}
+{{- end -}}
+
+{{- define "cryptomator-hub.keycloakLocalUrl" -}}
+{{- if .Values.urls.kc.clusterInternal -}}
+{{- trimSuffix "/" .Values.urls.kc.clusterInternal -}}
+{{- else if .Values.keycloak.enabled -}}
+{{- printf "http://%s:%v%s" (print (include "cryptomator-hub.fullname" .) "-service-kc") .Values.keycloak.service.httpPort (include "cryptomator-hub.keycloakRelativePath" .) -}}
+{{- else -}}
+{{/* if keycloak isn't part of the deployment, use public url: */}}
+{{- trimSuffix "/" (required "urls.kc.public must be set" .Values.urls.kc.public) -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "cryptomator-hub.hubJdbcUrl" -}}
+{{- if .Values.hub.database.jdbcUrl -}}
+{{- .Values.hub.database.jdbcUrl -}}
+{{- else if .Values.postgres.enabled -}}
+{{- printf "jdbc:postgresql://%s:%v/%s" (print (include "cryptomator-hub.fullname" .) "-service-pg") .Values.postgres.service.port .Values.hub.database.name -}}
+{{- else -}}
+{{- required "hub.database.jdbcUrl must be set when postgres.enabled=false" .Values.hub.database.jdbcUrl -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "cryptomator-hub.oidcAuthServerUrl" -}}
+{{- if .Values.urls.kc.authServerUrl -}}
+{{- .Values.urls.kc.authServerUrl -}}
+{{- else -}}
+{{- printf "%s/realms/%s" (trimSuffix "/" (include "cryptomator-hub.keycloakLocalUrl" .)) .Values.hub.config.keycloakRealm -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "cryptomator-hub.oidcTokenIssuer" -}}
+{{- if .Values.urls.kc.tokenIssuer -}}
+{{- .Values.urls.kc.tokenIssuer -}}
+{{- else -}}
+{{- printf "%s/realms/%s" (trimSuffix "/" .Values.urls.kc.public) .Values.hub.config.keycloakRealm -}}
+{{- end -}}
+{{- end -}}
+
+{{/* 
+
+Auto-generated secrets below:
+
+1. try to use cached value (required so we don't generate a new random value on every template rendering)
+2. try to use value from values.yaml (if user has set it, e.g. `hub.secrets.systemClientSecret`)
+3. try to look up existing secret in cluster and use it if it exists (this allows users to upgrade from older versions of the chart without losing their secrets)
+4. if all else fails, generate a new random value
+
+*/}}
+
+{{- define "cryptomator-hub.resolvedSystemClientSecret" -}}
+{{- if hasKey .Values "_resolvedSystemClientSecret" -}}
+{{- index .Values "_resolvedSystemClientSecret" -}}
+{{- else if .Values.hub.secrets.systemClientSecret -}}
+{{- $_ := set .Values "_resolvedSystemClientSecret" .Values.hub.secrets.systemClientSecret -}}
+{{- index .Values "_resolvedSystemClientSecret" -}}
+{{- else -}}
+{{- $secretName := print (include "cryptomator-hub.fullname" .) "-secrets-hub" -}}
+{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName -}}
+{{- if and $existing (hasKey $existing.data "hub_system_client_secret") -}}
+{{- $_ := set .Values "_resolvedSystemClientSecret" (index $existing.data "hub_system_client_secret" | b64dec) -}}
+{{- else -}}
+{{- $_ := set .Values "_resolvedSystemClientSecret" (randAlphaNum 32) -}}
+{{- end -}}
+{{- index .Values "_resolvedSystemClientSecret" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "cryptomator-hub.resolvedHubDbPassword" -}}
+{{- if hasKey .Values "_resolvedHubDbPassword" -}}
+{{- index .Values "_resolvedHubDbPassword" -}}
+{{- else if .Values.hub.database.password -}}
+{{- $_ := set .Values "_resolvedHubDbPassword" .Values.hub.database.password -}}
+{{- index .Values "_resolvedHubDbPassword" -}}
+{{- else -}}
+{{- $secretName := print (include "cryptomator-hub.fullname" .) "-secrets-hub" -}}
+{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName -}}
+{{- if and $existing (hasKey $existing.data "hub_db_password") -}}
+{{- $_ := set .Values "_resolvedHubDbPassword" (index $existing.data "hub_db_password" | b64dec) -}}
+{{- else -}}
+{{- $_ := set .Values "_resolvedHubDbPassword" (randAlphaNum 32) -}}
+{{- end -}}
+{{- index .Values "_resolvedHubDbPassword" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "cryptomator-hub.resolvedHubAdminPassword" -}}
+{{- if hasKey .Values "_resolvedHubAdminPassword" -}}
+{{- index .Values "_resolvedHubAdminPassword" -}}
+{{- else if .Values.hub.admin.password -}}
+{{- $_ := set .Values "_resolvedHubAdminPassword" .Values.hub.admin.password -}}
+{{- index .Values "_resolvedHubAdminPassword" -}}
+{{- else -}}
+{{- $secretName := print (include "cryptomator-hub.fullname" .) "-secrets-hub" -}}
+{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName -}}
+{{- if and $existing (hasKey $existing.data "hub_admin_password") -}}
+{{- $_ := set .Values "_resolvedHubAdminPassword" (index $existing.data "hub_admin_password" | b64dec) -}}
+{{- else -}}
+{{- $_ := set .Values "_resolvedHubAdminPassword" (randAlphaNum 32) -}}
+{{- end -}}
+{{- index .Values "_resolvedHubAdminPassword" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "cryptomator-hub.resolvedHubMetricsPassword" -}}
+{{- if hasKey .Values "_resolvedHubMetricsPassword" -}}
+{{- index .Values "_resolvedHubMetricsPassword" -}}
+{{- else if .Values.hub.metrics.password -}}
+{{- $_ := set .Values "_resolvedHubMetricsPassword" .Values.hub.metrics.password -}}
+{{- index .Values "_resolvedHubMetricsPassword" -}}
+{{- else -}}
+{{- $secretName := print (include "cryptomator-hub.fullname" .) "-secrets-hub-metrics" -}}
+{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName -}}
+{{- if and $existing (hasKey $existing.data "password") -}}
+{{- $_ := set .Values "_resolvedHubMetricsPassword" (index $existing.data "password" | b64dec) -}}
+{{- else -}}
+{{- $_ := set .Values "_resolvedHubMetricsPassword" (randAlphaNum 32) -}}
+{{- end -}}
+{{- index .Values "_resolvedHubMetricsPassword" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "cryptomator-hub.resolvedKeycloakDbPassword" -}}
+{{- if hasKey .Values "_resolvedKeycloakDbPassword" -}}
+{{- index .Values "_resolvedKeycloakDbPassword" -}}
+{{- else if .Values.keycloak.database.password -}}
+{{- $_ := set .Values "_resolvedKeycloakDbPassword" .Values.keycloak.database.password -}}
+{{- index .Values "_resolvedKeycloakDbPassword" -}}
+{{- else -}}
+{{- $secretName := print (include "cryptomator-hub.fullname" .) "-secrets-kc" -}}
+{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName -}}
+{{- if and $existing (hasKey $existing.data "kc_db_password") -}}
+{{- $_ := set .Values "_resolvedKeycloakDbPassword" (index $existing.data "kc_db_password" | b64dec) -}}
+{{- else -}}
+{{- $_ := set .Values "_resolvedKeycloakDbPassword" (randAlphaNum 32) -}}
+{{- end -}}
+{{- index .Values "_resolvedKeycloakDbPassword" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "cryptomator-hub.resolvedKeycloakAdminPassword" -}}
+{{- if hasKey .Values "_resolvedKeycloakAdminPassword" -}}
+{{- index .Values "_resolvedKeycloakAdminPassword" -}}
+{{- else if .Values.keycloak.admin.password -}}
+{{- $_ := set .Values "_resolvedKeycloakAdminPassword" .Values.keycloak.admin.password -}}
+{{- index .Values "_resolvedKeycloakAdminPassword" -}}
+{{- else -}}
+{{- $secretName := print (include "cryptomator-hub.fullname" .) "-secrets-kc" -}}
+{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName -}}
+{{- if and $existing (hasKey $existing.data "kc_admin_password") -}}
+{{- $_ := set .Values "_resolvedKeycloakAdminPassword" (index $existing.data "kc_admin_password" | b64dec) -}}
+{{- else -}}
+{{- $_ := set .Values "_resolvedKeycloakAdminPassword" (randAlphaNum 32) -}}
+{{- end -}}
+{{- index .Values "_resolvedKeycloakAdminPassword" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "cryptomator-hub.resolvedPostgresAdminPassword" -}}
+{{- if hasKey .Values "_resolvedPostgresAdminPassword" -}}
+{{- index .Values "_resolvedPostgresAdminPassword" -}}
+{{- else if .Values.postgres.auth.adminPassword -}}
+{{- $_ := set .Values "_resolvedPostgresAdminPassword" .Values.postgres.auth.adminPassword -}}
+{{- index .Values "_resolvedPostgresAdminPassword" -}}
+{{- else -}}
+{{- $secretName := print (include "cryptomator-hub.fullname" .) "-secrets-pg" -}}
+{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName -}}
+{{- if and $existing (hasKey $existing.data "pg_admin_password") -}}
+{{- $_ := set .Values "_resolvedPostgresAdminPassword" (index $existing.data "pg_admin_password" | b64dec) -}}
+{{- else -}}
+{{- $_ := set .Values "_resolvedPostgresAdminPassword" (randAlphaNum 32) -}}
+{{- end -}}
+{{- index .Values "_resolvedPostgresAdminPassword" -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/cryptomator-hub/templates/_realm.tpl b/charts/cryptomator-hub/templates/_realm.tpl
new file mode 100644
index 000000000..a55bb9338
--- /dev/null
+++ b/charts/cryptomator-hub/templates/_realm.tpl
@@ -0,0 +1,170 @@
+{{- define "cryptomator-hub.realmJson" -}}
+{
+  {{- if .Values.keycloak.realmBootstrap.realmId }}
+  "id": {{ .Values.keycloak.realmBootstrap.realmId | quote }},
+  {{- end }}
+  "realm": {{ .Values.hub.config.keycloakRealm | quote }},
+  "displayName": "Cryptomator Hub",
+  "loginTheme": "cryptomator",
+  "enabled": true,
+  "sslRequired": "external",
+  "defaultRole": {
+    "name": "user",
+    "description": "User"
+  },
+  "roles": {
+    "realm": [
+      {
+        "name": "user",
+        "description": "User",
+        "composite": false
+      },
+      {
+        "name": "create-vaults",
+        "description": "Can create vaults",
+        "composite": false
+      },
+      {
+        "name": "admin",
+        "description": "Administrator",
+        "composite": true,
+        "composites": {
+          "realm": [
+            "user",
+            "create-vaults"
+          ],
+          "client": {
+            "realm-management": [
+              "realm-admin"
+            ]
+          }
+        }
+      }
+    ]
+  },
+  "users": [
+    {
+      "username": {{ .Values.hub.admin.username | quote }},
+      "enabled": true,
+      "credentials": [
+        {
+          "type": "password",
+          "value": {{ include "cryptomator-hub.resolvedHubAdminPassword" . | quote }},
+          "temporary": {{ .Values.hub.admin.passwordTemporary }}
+        }
+      ],
+      {{- if .Values.hub.admin.passwordTemporary }}
+      "requiredActions": [
+        "UPDATE_PASSWORD"
+      ],
+      {{- end }}
+      "realmRoles": [
+        "admin"
+      ]
+    },
+    {
+      "username": "system",
+      "email": "system@localhost",
+      "enabled": true,
+      "serviceAccountClientId": "cryptomatorhub-system",
+      "clientRoles": {
+        "realm-management": [
+          "realm-admin",
+          "view-system"
+        ]
+      }
+    }
+  ],
+  "scopeMappings": [
+    {
+      "client": "cryptomatorhub",
+      "roles": [
+        "user",
+        "admin"
+      ]
+    }
+  ],
+  "clients": [
+    {{- $hubPublicUrl := trimSuffix "/" .Values.urls.hub.public -}}
+    {
+      "clientId": "cryptomatorhub",
+      "serviceAccountsEnabled": false,
+      "publicClient": true,
+      "name": "Cryptomator Hub",
+      "enabled": true,
+      "redirectUris": [
+        {{ printf "%s/*" $hubPublicUrl | quote }}
+      ],
+      "webOrigins": [
+        "+"
+      ],
+      "bearerOnly": false,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {
+        "pkce.code.challenge.method": "S256"
+      },
+      "protocolMappers": [
+        {
+          "name": "realm roles",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-realm-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "access.token.claim": "true",
+            "claim.name": "realm_access.roles",
+            "jsonType.label": "String",
+            "multivalued": "true"
+          }
+        },
+        {
+          "name": "client roles",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-client-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "access.token.claim": "true",
+            "claim.name": "resource_access.${client_id}.roles",
+            "jsonType.label": "String",
+            "multivalued": "true"
+          }
+        }
+      ]
+    },
+    {
+      "clientId": "cryptomator",
+      "serviceAccountsEnabled": false,
+      "publicClient": true,
+      "name": "Cryptomator App",
+      "enabled": true,
+      "redirectUris": [
+        "http://127.0.0.1/*",
+        "org.cryptomator.ios:/hub/auth",
+        "org.cryptomator.android:/hub/auth"
+      ],
+      "webOrigins": [
+        "+"
+      ],
+      "bearerOnly": false,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {
+        "pkce.code.challenge.method": "S256"
+      }
+    },
+    {
+      "clientId": "cryptomatorhub-system",
+      "serviceAccountsEnabled": true,
+      "publicClient": false,
+      "name": "Cryptomator Hub System",
+      "enabled": true,
+      "clientAuthenticatorType": "client-secret",
+      "secret": {{ include "cryptomator-hub.resolvedSystemClientSecret" . | quote }},
+      "standardFlowEnabled": false
+    }
+  ],
+  "browserSecurityHeaders": {
+    "contentSecurityPolicy": {{ printf "frame-src 'self'; frame-ancestors 'self' %s; object-src 'none';" $hubPublicUrl | quote }}
+  }
+}
+{{- end -}}
diff --git a/charts/cryptomator-hub/templates/hub-configmap.yaml b/charts/cryptomator-hub/templates/hub-configmap.yaml
new file mode 100644
index 000000000..b6f720938
--- /dev/null
+++ b/charts/cryptomator-hub/templates/hub-configmap.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-config-hub
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+data:
+  HUB_PUBLIC_ROOT_PATH: {{ include "cryptomator-hub.hubRelativePath" . | trimSuffix "/" | printf "%s/" | quote }}
+  HUB_KEYCLOAK_PUBLIC_URL: {{ .Values.urls.kc.public | quote }}
+  HUB_KEYCLOAK_LOCAL_URL: {{ include "cryptomator-hub.keycloakLocalUrl" . | quote }}
+  HUB_KEYCLOAK_REALM: {{ .Values.hub.config.keycloakRealm | quote }}
+  HUB_KEYCLOAK_SYSTEM_CLIENT_ID: "cryptomatorhub-system"
+  HUB_KEYCLOAK_SYNCER_PERIOD: {{ .Values.hub.config.keycloakSyncerPeriod | quote }}
+  HUB_KEYCLOAK_OIDC_CRYPTOMATOR_CLIENT_ID: "cryptomator"
+  {{- if .Values.hub.license.chain.requiredCn }}
+  HUB_LICENSE_CHAIN_REQUIRED_CN: {{ .Values.hub.license.chain.requiredCn | quote }}
+  {{- end }}
+  {{- if and .Values.hub.license.managedApi.username .Values.hub.license.managedApi.password }}
+  HUB_MANAGED_API_USERNAME: {{ .Values.hub.license.managedApi.username | quote }}
+  HUB_MANAGED_API_PASSWORD: {{ .Values.hub.license.managedApi.password | quote }}
+  {{- end }}
+  QUARKUS_OIDC_AUTH_SERVER_URL: {{ include "cryptomator-hub.oidcAuthServerUrl" . | quote }}
+  QUARKUS_OIDC_TOKEN_ISSUER: {{ include "cryptomator-hub.oidcTokenIssuer" . | quote }}
+  QUARKUS_OIDC_CLIENT_ID: {{ .Values.hub.oidc.clientId | quote }}
+  QUARKUS_DATASOURCE_JDBC_URL: {{ include "cryptomator-hub.hubJdbcUrl" . | quote }}
+  QUARKUS_DATASOURCE_USERNAME: {{ .Values.hub.database.username | quote }}
+  QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING: "true"
+  QUARKUS_MANAGEMENT_ENABLED: "true"
+  QUARKUS_MANAGEMENT_HOST: "0.0.0.0"
+  QUARKUS_MANAGEMENT_PORT: "9000"
+  QUARKUS_SMALLRYE_HEALTH_MANAGEMENT_ENABLED: "true"
+  QUARKUS_MICROMETER_EXPORT_PROMETHEUS_ENABLED: {{ .Values.hub.metrics.enabled | quote }}
diff --git a/charts/cryptomator-hub/templates/hub-deployment.yaml b/charts/cryptomator-hub/templates/hub-deployment.yaml
new file mode 100644
index 000000000..a7e1eb476
--- /dev/null
+++ b/charts/cryptomator-hub/templates/hub-deployment.yaml
@@ -0,0 +1,144 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-hub
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+    app.kubernetes.io/component: hub
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "cryptomator-hub.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: hub
+  template:
+    metadata:
+      labels:
+        {{- include "cryptomator-hub.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: hub
+      annotations:
+        checksum/hub-config: {{ include (print $.Template.BasePath "/hub-configmap.yaml") . | sha256sum }}
+        checksum/hub-secret: {{ if .Values.hub.secrets.create }}{{ include (print $.Template.BasePath "/hub-secret.yaml") . | sha256sum }}{{ else }}{{ print (include "cryptomator-hub.fullname" .) "-secrets-hub" | sha256sum }}{{ end }}
+    spec:
+      securityContext:
+        runAsNonRoot: true
+      initContainers:
+        - name: wait-for-postgres
+          image: busybox:1.36
+          securityContext:
+            runAsNonRoot: false
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            privileged: false
+            capabilities:
+              drop:
+                - ALL
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              set -eux
+              jdbc_url="{{ include "cryptomator-hub.hubJdbcUrl" . }}"
+              host_port="${jdbc_url#jdbc:postgresql://}"
+              host_port="${host_port%%/*}"
+              db_host="${host_port%%:*}"
+              if [ "$host_port" = "$db_host" ]; then
+                db_port=""
+              else
+                db_port="${host_port#*:}"
+              fi
+              if [ -z "$db_port" ]; then
+                db_port="5432"
+              fi
+              until nc -zw 10 "$db_host" "$db_port"; do
+                echo "waiting for postgres..."
+              done
+        - name: wait-for-oidc
+          image: alpine/curl:8.17.0
+          securityContext:
+            runAsNonRoot: false
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            privileged: false
+            capabilities:
+              drop:
+                - ALL
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              set -eux
+              until [ "$(curl -sS -o /dev/null -w "%{http_code}" "{{ include "cryptomator-hub.oidcAuthServerUrl" . }}/.well-known/openid-configuration")" = "200" ]; do
+                echo "waiting for OIDC discovery endpoint..."
+                sleep 5
+              done
+      containers:
+        - name: hub
+          image: "ghcr.io/cryptomator/hub:{{ .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.hub.imagePullPolicy }}
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+            - name: management
+              containerPort: 9000
+              protocol: TCP
+          startupProbe:
+            httpGet:
+              path: /q/health/started
+              port: management
+            periodSeconds: 5
+            failureThreshold: 24
+          readinessProbe:
+            httpGet:
+              path: /q/health/ready
+              port: management
+            periodSeconds: 5
+            failureThreshold: 6
+          livenessProbe:
+            httpGet:
+              path: /q/health/live
+              port: management
+            periodSeconds: 10
+            failureThreshold: 3
+          envFrom:
+            - configMapRef:
+                name: {{ include "cryptomator-hub.fullname" . }}-config-hub
+          env:
+            - name: HUB_KEYCLOAK_SYSTEM_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "cryptomator-hub.fullname" . }}-secrets-hub
+                  key: hub_system_client_secret
+            - name: QUARKUS_DATASOURCE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "cryptomator-hub.fullname" . }}-secrets-hub
+                  key: hub_db_password
+            - name: HUB_INITIAL_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "cryptomator-hub.fullname" . }}-secrets-hub
+                  key: hub_initial_id
+                  optional: true
+            - name: HUB_INITIAL_LICENSE
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "cryptomator-hub.fullname" . }}-secrets-hub
+                  key: hub_initial_license
+                  optional: true
+          resources:
+            {{- toYaml .Values.hub.resources | nindent 12 }}
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            privileged: false
+            capabilities:
+              drop:
+                - ALL
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+      volumes:
+        - name: tmp
+          emptyDir: {}
diff --git a/charts/cryptomator-hub/templates/hub-metrics-secret.yaml b/charts/cryptomator-hub/templates/hub-metrics-secret.yaml
new file mode 100644
index 000000000..1bfe46d3c
--- /dev/null
+++ b/charts/cryptomator-hub/templates/hub-metrics-secret.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.hub.metrics.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-secrets-hub-metrics
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+type: kubernetes.io/basic-auth
+stringData:
+  username: {{ .Values.hub.metrics.username | quote }}
+  password: {{ include "cryptomator-hub.resolvedHubMetricsPassword" . | quote }}
+{{- end }}
diff --git a/charts/cryptomator-hub/templates/hub-secret.yaml b/charts/cryptomator-hub/templates/hub-secret.yaml
new file mode 100644
index 000000000..8689c1257
--- /dev/null
+++ b/charts/cryptomator-hub/templates/hub-secret.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.hub.secrets.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-secrets-hub
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  hub_system_client_secret: {{ include "cryptomator-hub.resolvedSystemClientSecret" . | quote }}
+  hub_admin_password: {{ include "cryptomator-hub.resolvedHubAdminPassword" . | quote }}
+  hub_db_password: {{ include "cryptomator-hub.resolvedHubDbPassword" . | quote }}
+  hub_initial_id: {{ .Values.hub.secrets.initialId | quote }}
+  hub_initial_license: {{ .Values.hub.secrets.initialLicense | quote }}
+{{- end }}
diff --git a/charts/cryptomator-hub/templates/hub-service.yaml b/charts/cryptomator-hub/templates/hub-service.yaml
new file mode 100644
index 000000000..a37b32458
--- /dev/null
+++ b/charts/cryptomator-hub/templates/hub-service.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-service-hub
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.hub.service.type }}
+  selector:
+    {{- include "cryptomator-hub.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: hub
+  ports:
+    - name: http
+      protocol: TCP
+      port: {{ .Values.hub.service.port }}
+      targetPort: http
+    - name: mgmt
+      protocol: TCP
+      port: {{ .Values.hub.service.managementPort }}
+      targetPort: management
diff --git a/charts/cryptomator-hub/templates/ingress-contour.yaml b/charts/cryptomator-hub/templates/ingress-contour.yaml
new file mode 100644
index 000000000..393b0634f
--- /dev/null
+++ b/charts/cryptomator-hub/templates/ingress-contour.yaml
@@ -0,0 +1,78 @@
+{{- if eq .Values.ingress.controller "contour" }}
+{{- $hubHost := regexReplaceAll "^https?://([^:/]+).*" (required "urls.hub.public must be set" .Values.urls.hub.public) "${1}" -}}
+{{- $hubPath := include "cryptomator-hub.hubRelativePath" . -}}
+{{- $hubMetricsPath := printf "%s/q/metrics" $hubPath -}}
+{{- $kcHost := regexReplaceAll "^https?://([^:/]+).*" (required "urls.kc.public must be set" .Values.urls.kc.public) "${1}" -}}
+{{- $kcPath := include "cryptomator-hub.keycloakRelativePath" . -}}
+{{- $sameHost := and .Values.keycloak.enabled (eq $hubHost $kcHost) -}}
+---
+apiVersion: projectcontour.io/v1
+kind: HTTPProxy
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-proxy-hub
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+spec:
+  virtualhost:
+    fqdn: {{ $hubHost | quote }}
+    {{- if .Values.ingress.tls.enabled }}
+    tls:
+      secretName: {{ .Values.ingress.tls.secretName | required "ingress.tls.secretName must be set when ingress.tls.enabled=true" }}
+    {{- end }}
+  routes:
+    {{- if .Values.hub.metrics.enabled }}
+    - conditions:
+        - prefix: {{ $hubMetricsPath | quote }}
+      {{- if ne $hubPath "/" }}
+      pathRewritePolicy:
+        replacePrefix:
+          - prefix: {{ $hubMetricsPath | quote }}
+            replacement: "/q/metrics"
+      {{- end }}
+      services:
+        - name: {{ include "cryptomator-hub.fullname" . }}-service-hub
+          port: {{ .Values.hub.service.managementPort }}
+    {{- end }}
+    - conditions:
+        - prefix: {{ $hubPath | quote }}
+      {{- if ne $hubPath "/" }}
+      pathRewritePolicy:
+        replacePrefix:
+          - prefix: {{ $hubPath | quote }}
+            replacement: "/"
+      {{- end }}
+      services:
+        - name: {{ include "cryptomator-hub.fullname" . }}-service-hub
+          port: {{ .Values.hub.service.port }}
+{{- if $sameHost }}
+    - conditions:
+        - prefix: {{ $kcPath | quote }}
+      services:
+        - name: {{ include "cryptomator-hub.fullname" . }}-service-kc
+          port: {{ .Values.keycloak.service.httpPort }}
+{{- end }}
+{{- if and .Values.keycloak.enabled (not $sameHost) }}
+---
+apiVersion: projectcontour.io/v1
+kind: HTTPProxy
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-proxy-kc
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+spec:
+  virtualhost:
+    fqdn: {{ $kcHost | quote }}
+    {{- if .Values.ingress.tls.enabled }}
+    tls:
+      secretName: {{ .Values.ingress.tls.secretName | required "ingress.tls.secretName must be set when ingress.tls.enabled=true" }}
+    {{- end }}
+  routes:
+    - conditions:
+        - prefix: {{ $kcPath | quote }}
+      services:
+        - name: {{ include "cryptomator-hub.fullname" . }}-service-kc
+          port: {{ .Values.keycloak.service.httpPort }}
+{{- end }}
+{{- end }}
diff --git a/charts/cryptomator-hub/templates/ingress-nginx.yaml b/charts/cryptomator-hub/templates/ingress-nginx.yaml
new file mode 100644
index 000000000..0362db587
--- /dev/null
+++ b/charts/cryptomator-hub/templates/ingress-nginx.yaml
@@ -0,0 +1,121 @@
+{{- if eq .Values.ingress.controller "nginx" }}
+{{- $hubHost := regexReplaceAll "^https?://([^:/]+).*" (required "urls.hub.public must be set" .Values.urls.hub.public) "${1}" -}}
+{{- $hubPath := include "cryptomator-hub.hubRelativePath" . -}}
+{{- $hubMetricsPath := printf "%s/q/metrics" $hubPath -}}
+{{- $kcHost := regexReplaceAll "^https?://([^:/]+).*" (required "urls.kc.public must be set" .Values.urls.kc.public) "${1}" -}}
+{{- $kcPath := include "cryptomator-hub.keycloakRelativePath" . -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-ingress-hub
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+  annotations:
+    {{- with .Values.ingress.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if ne $hubPath "/" }}
+    nginx.ingress.kubernetes.io/use-regex: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: "/$2"
+    {{- end }}
+spec:
+  {{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  rules:
+    - host: {{ $hubHost | quote }}
+      http:
+        paths:
+          - path: {{ if eq $hubPath "/" }}{{ "/" | quote }}{{ else }}{{ printf "%s(/|$)(.*)" $hubPath | quote }}{{ end }}
+            pathType: {{ if eq $hubPath "/" }}Prefix{{ else }}ImplementationSpecific{{ end }}
+            backend:
+              service:
+                name: {{ include "cryptomator-hub.fullname" . }}-service-hub
+                port:
+                  number: {{ .Values.hub.service.port }}
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - {{ $hubHost | quote }}
+      secretName: {{ .Values.ingress.tls.secretName | required "ingress.tls.secretName must be set when ingress.tls.enabled=true" }}
+  {{- end }}
+{{- if .Values.hub.metrics.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-ingress-hub-metrics
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+  annotations:
+    {{- with .Values.ingress.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    nginx.ingress.kubernetes.io/auth-type: "basic"
+    nginx.ingress.kubernetes.io/auth-secret: {{ printf "%s-secrets-hub-metrics" (include "cryptomator-hub.fullname" .) | quote }}
+    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
+    {{- if ne $hubPath "/" }}
+    nginx.ingress.kubernetes.io/use-regex: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: "/q/metrics$1$2"
+    {{- end }}
+spec:
+  {{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  rules:
+    - host: {{ $hubHost | quote }}
+      http:
+        paths:
+          - path: {{ if eq $hubPath "/" }}{{ $hubMetricsPath | quote }}{{ else }}{{ printf "%s(/|$)(.*)" $hubMetricsPath | quote }}{{ end }}
+            pathType: {{ if eq $hubPath "/" }}Prefix{{ else }}ImplementationSpecific{{ end }}
+            backend:
+              service:
+                name: {{ include "cryptomator-hub.fullname" . }}-service-hub
+                port:
+                  number: {{ .Values.hub.service.managementPort }}
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - {{ $hubHost | quote }}
+      secretName: {{ .Values.ingress.tls.secretName | required "ingress.tls.secretName must be set when ingress.tls.enabled=true" }}
+  {{- end }}
+{{- end }}
+{{- if .Values.keycloak.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-ingress-kc
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  rules:
+    - host: {{ $kcHost | quote }}
+      http:
+        paths:
+          - path: {{ $kcPath | quote }}
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "cryptomator-hub.fullname" . }}-service-kc
+                port:
+                  number: {{ .Values.keycloak.service.httpPort }}
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - {{ $kcHost | quote }}
+      secretName: {{ .Values.ingress.tls.secretName | required "ingress.tls.secretName must be set when ingress.tls.enabled=true" }}
+  {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/cryptomator-hub/templates/ingress-traefik.yaml b/charts/cryptomator-hub/templates/ingress-traefik.yaml
new file mode 100644
index 000000000..3bc6aaf40
--- /dev/null
+++ b/charts/cryptomator-hub/templates/ingress-traefik.yaml
@@ -0,0 +1,143 @@
+{{- if eq .Values.ingress.controller "traefik" }}
+{{- $hubHost := regexReplaceAll "^https?://([^:/]+).*" (required "urls.hub.public must be set" .Values.urls.hub.public) "${1}" -}}
+{{- $hubPath := include "cryptomator-hub.hubRelativePath" . -}}
+{{- $hubMetricsPath := printf "%s/q/metrics" $hubPath -}}
+{{- $kcHost := regexReplaceAll "^https?://([^:/]+).*" (required "urls.kc.public must be set" .Values.urls.kc.public) "${1}" -}}
+{{- $kcPath := include "cryptomator-hub.keycloakRelativePath" . -}}
+{{- if ne $hubPath "/" }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-stripprefix
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+spec:
+  stripPrefix:
+    prefixes:
+      - {{ $hubPath | quote }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-ingress-hub
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+  annotations:
+    {{- if ne $hubPath "/" }}
+    traefik.ingress.kubernetes.io/router.middlewares: {{ printf "%s-%s-stripprefix@kubernetescrd" .Release.Namespace (include "cryptomator-hub.fullname" .) | quote }}
+    {{- end }}
+    {{- with .Values.ingress.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  rules:
+    - host: {{ $hubHost | quote }}
+      http:
+        paths:
+          - path: {{ $hubPath | quote }}
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "cryptomator-hub.fullname" . }}-service-hub
+                port:
+                  number: {{ .Values.hub.service.port }}
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - {{ $hubHost | quote }}
+      secretName: {{ .Values.ingress.tls.secretName | required "ingress.tls.secretName must be set when ingress.tls.enabled=true" }}
+  {{- end }}
+{{- if .Values.hub.metrics.enabled }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-metrics-auth
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+spec:
+  basicAuth:
+    secret: {{ include "cryptomator-hub.fullname" . }}-secrets-hub-metrics
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-ingress-hub-metrics
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+  {{- $metricsMiddleware := printf "%s-%s-metrics-auth@kubernetescrd" .Release.Namespace (include "cryptomator-hub.fullname" .) -}}
+  {{- if ne $hubPath "/" -}}
+    {{- $metricsMiddleware = printf "%[1]s-%[2]s-stripprefix@kubernetescrd,%[1]s-%[2]s-metrics-auth@kubernetescrd" .Release.Namespace (include "cryptomator-hub.fullname" .) -}}
+  {{- end }}
+  annotations:
+    traefik.ingress.kubernetes.io/router.middlewares: {{ $metricsMiddleware | quote }}
+    {{- with .Values.ingress.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  rules:
+    - host: {{ $hubHost | quote }}
+      http:
+        paths:
+          - path: {{ $hubMetricsPath | quote }}
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "cryptomator-hub.fullname" . }}-service-hub
+                port:
+                  number: {{ .Values.hub.service.managementPort }}
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - {{ $hubHost | quote }}
+      secretName: {{ .Values.ingress.tls.secretName | required "ingress.tls.secretName must be set when ingress.tls.enabled=true" }}
+  {{- end }}
+{{- end }}
+{{- if .Values.keycloak.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-ingress-kc
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  rules:
+    - host: {{ $kcHost | quote }}
+      http:
+        paths:
+          - path: {{ $kcPath | quote }}
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "cryptomator-hub.fullname" . }}-service-kc
+                port:
+                  number: {{ .Values.keycloak.service.httpPort }}
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - {{ $kcHost | quote }}
+      secretName: {{ .Values.ingress.tls.secretName | required "ingress.tls.secretName must be set when ingress.tls.enabled=true" }}
+  {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/cryptomator-hub/templates/keycloak-deployment.yaml b/charts/cryptomator-hub/templates/keycloak-deployment.yaml
new file mode 100644
index 000000000..8f41f1ca5
--- /dev/null
+++ b/charts/cryptomator-hub/templates/keycloak-deployment.yaml
@@ -0,0 +1,126 @@
+{{- if .Values.keycloak.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-kc
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+    app.kubernetes.io/component: keycloak
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "cryptomator-hub.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: keycloak
+  template:
+    metadata:
+      labels:
+        {{- include "cryptomator-hub.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: keycloak
+      annotations:
+        checksum/keycloak-secret: {{ include (print $.Template.BasePath "/keycloak-secret.yaml") . | sha256sum }}
+        checksum/keycloak-config: {{ include (print $.Template.BasePath "/keycloak-realm-configmap.yaml") . | sha256sum }}
+    spec:
+      securityContext:
+        runAsNonRoot: true
+      {{- if .Values.postgres.enabled }}
+      initContainers:
+        - name: wait-for-postgres
+          image: busybox:1.36
+          securityContext:
+            runAsNonRoot: false
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            privileged: false
+            capabilities:
+              drop:
+                - ALL
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              set -eux
+              until nc -zw 10 {{ include "cryptomator-hub.fullname" . }}-service-pg {{ .Values.postgres.service.port }}; do
+                echo "waiting for postgres..."
+              done
+      {{- end }}
+      containers:
+        - name: keycloak
+          image: "ghcr.io/cryptomator/keycloak:26.5.3"
+          imagePullPolicy: {{ .Values.keycloak.imagePullPolicy }}
+          command:
+            - /opt/keycloak/bin/kc.sh
+            - start
+            - --optimized
+            - --import-realm
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+            - name: management
+              containerPort: 9000
+              protocol: TCP
+          env:
+            - name: KC_DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "cryptomator-hub.fullname" . }}-secrets-kc
+                  key: kc_db_password
+            - name: KC_BOOTSTRAP_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "cryptomator-hub.fullname" . }}-secrets-kc
+                  key: kc_admin_password
+          envFrom:
+            - configMapRef:
+                name: {{ include "cryptomator-hub.fullname" . }}-config-kc
+          startupProbe:
+            httpGet:
+              path: {{ printf "%s/health/started" (include "cryptomator-hub.keycloakRelativePath" .) }}
+              port: management
+            initialDelaySeconds: 10
+            periodSeconds: 5
+            failureThreshold: 36
+          livenessProbe:
+            httpGet:
+              path: {{ printf "%s/health/live" (include "cryptomator-hub.keycloakRelativePath" .) }}
+              port: management
+            periodSeconds: 10
+            failureThreshold: 6
+          readinessProbe:
+            httpGet:
+              path: {{ printf "%s/health/ready" (include "cryptomator-hub.keycloakRelativePath" .) }}
+              port: management
+            periodSeconds: 5
+            failureThreshold: 6
+          resources:
+            {{- toYaml .Values.keycloak.resources | nindent 12 }}
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            privileged: false
+            capabilities:
+              drop:
+                - ALL
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+              subPath: tmp
+            - name: tmp
+              mountPath: /opt/keycloak/data/tmp
+              subPath: data-tmp
+            - name: realm
+              mountPath: /opt/keycloak/data/import/realm.json
+              subPath: realm.json
+              readOnly: true
+      volumes:
+        - name: tmp
+          emptyDir: {}
+        - name: realm
+          secret:
+            secretName: {{ include "cryptomator-hub.fullname" . }}-secrets-kc
+            items:
+              - key: realm.json
+                path: realm.json
+{{- end }}
diff --git a/charts/cryptomator-hub/templates/keycloak-realm-configmap.yaml b/charts/cryptomator-hub/templates/keycloak-realm-configmap.yaml
new file mode 100644
index 000000000..6b71fd435
--- /dev/null
+++ b/charts/cryptomator-hub/templates/keycloak-realm-configmap.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.keycloak.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-config-kc
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+data:
+  KC_DB: "postgres"
+  KC_DB_URL: {{ if .Values.postgres.enabled }}{{ printf "jdbc:postgresql://%s:%v/%s" (print (include "cryptomator-hub.fullname" .) "-service-pg") .Values.postgres.service.port .Values.keycloak.database.name | quote }}{{ else }}{{ required "keycloak.database.jdbcUrl must be set when keycloak.enabled=true and postgres.enabled=false" .Values.keycloak.database.jdbcUrl | quote }}{{ end }}
+  KC_DB_USERNAME: {{ .Values.keycloak.database.username | quote }}
+  KC_BOOTSTRAP_ADMIN_USERNAME: {{ .Values.keycloak.admin.username | quote }}
+  KC_HEALTH_ENABLED: "true"
+  KC_METRICS_ENABLED: "true"
+  KC_HTTP_ENABLED: "true"
+  KC_PROXY_HEADERS: {{ .Values.keycloak.config.proxyHeaders | quote }}
+  KC_HTTP_RELATIVE_PATH: {{ include "cryptomator-hub.keycloakRelativePath" . | quote }}
+  KC_HOSTNAME: {{ trimSuffix "/" (required "urls.kc.public must be set" .Values.urls.kc.public) | quote }}
+  QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY: "false"
+  KC_HOSTNAME_BACKCHANNEL_DYNAMIC: "true"
+{{- end }}
diff --git a/charts/cryptomator-hub/templates/keycloak-secret.yaml b/charts/cryptomator-hub/templates/keycloak-secret.yaml
new file mode 100644
index 000000000..b72a756ee
--- /dev/null
+++ b/charts/cryptomator-hub/templates/keycloak-secret.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-secrets-kc
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  {{- if .Values.keycloak.enabled }}
+  kc_admin_password: {{ include "cryptomator-hub.resolvedKeycloakAdminPassword" . | quote }}
+  kc_db_password: {{ include "cryptomator-hub.resolvedKeycloakDbPassword" . | quote }}
+  {{- end }}
+  realm.json: |
+{{ include "cryptomator-hub.realmJson" . | indent 4 }}
\ No newline at end of file
diff --git a/charts/cryptomator-hub/templates/keycloak-service.yaml b/charts/cryptomator-hub/templates/keycloak-service.yaml
new file mode 100644
index 000000000..9fe1c3b77
--- /dev/null
+++ b/charts/cryptomator-hub/templates/keycloak-service.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.keycloak.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-service-kc
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+    app.kubernetes.io/component: keycloak
+spec:
+  type: {{ .Values.keycloak.service.type }}
+  selector:
+    {{- include "cryptomator-hub.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: keycloak
+  ports:
+    - name: http
+      protocol: TCP
+      port: {{ .Values.keycloak.service.httpPort }}
+      targetPort: http
+    - name: mgmt
+      protocol: TCP
+      port: {{ .Values.keycloak.service.managementPort }}
+      targetPort: management
+{{- end }}
diff --git a/charts/cryptomator-hub/templates/postgres-secret.yaml b/charts/cryptomator-hub/templates/postgres-secret.yaml
new file mode 100644
index 000000000..b2b6b8369
--- /dev/null
+++ b/charts/cryptomator-hub/templates/postgres-secret.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.postgres.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-secrets-pg
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  pg_admin_password: {{ include "cryptomator-hub.resolvedPostgresAdminPassword" . | quote }}
+  initdb.sql: |-
+    {{- if .Values.keycloak.enabled }}
+    CREATE USER {{ .Values.keycloak.database.username }} WITH ENCRYPTED PASSWORD '{{ include "cryptomator-hub.resolvedKeycloakDbPassword" . | replace "'" "''" }}';
+    CREATE DATABASE {{ .Values.keycloak.database.name }} WITH ENCODING 'UTF8' OWNER {{ .Values.keycloak.database.username }};
+    {{- end }}
+    CREATE USER {{ .Values.hub.database.username }} WITH ENCRYPTED PASSWORD '{{ include "cryptomator-hub.resolvedHubDbPassword" . | replace "'" "''" }}';
+    CREATE DATABASE {{ .Values.hub.database.name }} WITH ENCODING 'UTF8' OWNER {{ .Values.hub.database.username }};
+{{- end }}
diff --git a/charts/cryptomator-hub/templates/postgres-service.yaml b/charts/cryptomator-hub/templates/postgres-service.yaml
new file mode 100644
index 000000000..779380c96
--- /dev/null
+++ b/charts/cryptomator-hub/templates/postgres-service.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.postgres.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-service-pg
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+    app.kubernetes.io/component: postgres
+spec:
+  type: {{ .Values.postgres.service.type }}
+  selector:
+    {{- include "cryptomator-hub.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: postgres
+  ports:
+    - name: postgres
+      protocol: TCP
+      port: {{ .Values.postgres.service.port }}
+      targetPort: postgres
+{{- end }}
diff --git a/charts/cryptomator-hub/templates/postgres-statefulset.yaml b/charts/cryptomator-hub/templates/postgres-statefulset.yaml
new file mode 100644
index 000000000..c4b33767c
--- /dev/null
+++ b/charts/cryptomator-hub/templates/postgres-statefulset.yaml
@@ -0,0 +1,134 @@
+{{- if .Values.postgres.enabled }}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ include "cryptomator-hub.fullname" . }}-pg
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cryptomator-hub.labels" . | nindent 4 }}
+    app.kubernetes.io/component: postgres
+spec:
+  serviceName: {{ include "cryptomator-hub.fullname" . }}-service-pg
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "cryptomator-hub.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: postgres
+  template:
+    metadata:
+      labels:
+        {{- include "cryptomator-hub.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: postgres
+      annotations:
+        checksum/postgres-secret: {{ include (print $.Template.BasePath "/postgres-secret.yaml") . | sha256sum }}
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 70
+        runAsGroup: 70
+        fsGroup: 70
+      initContainers:
+        - name: fix-permissions
+          image: busybox:1.36
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              set -eux
+              mkdir -p /var/lib/postgresql/data /var/run/postgresql
+              chown -R 70:70 /var/lib/postgresql/data /var/run/postgresql
+              chmod 700 /var/lib/postgresql/data
+              chmod 775 /var/run/postgresql
+          securityContext:
+            runAsNonRoot: false
+            runAsUser: 0
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            privileged: false
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+              subPath: pgdata
+            - name: run
+              mountPath: /var/run/postgresql
+      containers:
+        - name: postgres
+          image: "postgres:17-alpine"
+          imagePullPolicy: {{ .Values.postgres.imagePullPolicy }}
+          ports:
+            - name: postgres
+              containerPort: 5432
+              protocol: TCP
+          env:
+            - name: POSTGRES_INITDB_ARGS
+              value: --encoding=UTF8
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "cryptomator-hub.fullname" . }}-secrets-pg
+                  key: pg_admin_password
+            - name: POSTGRES_USER
+              value: {{ .Values.postgres.auth.adminUsername | quote }}
+          livenessProbe:
+            exec:
+              command:
+                - pg_isready
+                - -U
+                - {{ .Values.postgres.auth.adminUsername }}
+            periodSeconds: 10
+            failureThreshold: 6
+          readinessProbe:
+            exec:
+              command:
+                - pg_isready
+                - -U
+                - {{ .Values.postgres.auth.adminUsername }}
+            periodSeconds: 5
+            failureThreshold: 6
+          resources:
+            {{- toYaml .Values.postgres.resources | nindent 12 }}
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 70
+            runAsGroup: 70
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            privileged: false
+            capabilities:
+              drop:
+                - ALL
+          volumeMounts:
+            - name: initdb
+              mountPath: /docker-entrypoint-initdb.d/initdb.sql
+              subPath: initdb.sql
+              readOnly: true
+            - name: data
+              mountPath: /var/lib/postgresql/data
+              subPath: pgdata
+            - name: run
+              mountPath: /var/run/postgresql
+            - name: tmp
+              mountPath: /tmp
+      volumes:
+        - name: initdb
+          secret:
+            secretName: {{ include "cryptomator-hub.fullname" . }}-secrets-pg
+            items:
+              - key: initdb.sql
+                path: initdb.sql
+        - name: run
+          emptyDir: {}
+        - name: tmp
+          emptyDir: {}
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes:
+          - {{ .Values.postgres.storage.accessMode }}
+        resources:
+          requests:
+            storage: {{ .Values.postgres.storage.size }}
+        {{- if .Values.postgres.storage.storageClassName }}
+        storageClassName: {{ .Values.postgres.storage.storageClassName }}
+        {{- end }}
+{{- end }}
diff --git a/charts/cryptomator-hub/values-dev.yaml b/charts/cryptomator-hub/values-dev.yaml
new file mode 100644
index 000000000..416a7b01e
--- /dev/null
+++ b/charts/cryptomator-hub/values-dev.yaml
@@ -0,0 +1,28 @@
+global:
+  host: ""
+
+hub:
+  database:
+    password: top-secret
+  admin:
+    username: admin
+    password: admin
+    passwordTemporary: true
+
+keycloak:
+  enabled: true
+  database:
+    password: top-secret
+  admin:
+    password: admin
+
+postgres:
+  enabled: true
+  auth:
+    adminPassword: top-secret
+  storage:
+    size: 1Gi
+  resources:
+    requests:
+      cpu: 25m
+      memory: 128Mi
diff --git a/charts/cryptomator-hub/values-prod.yaml b/charts/cryptomator-hub/values-prod.yaml
new file mode 100644
index 000000000..213181c5a
--- /dev/null
+++ b/charts/cryptomator-hub/values-prod.yaml
@@ -0,0 +1,45 @@
+global:
+  host: hub.example.com
+
+hub:
+  database:
+    password: replace-me
+  admin:
+    username: admin
+    password: replace-me
+    passwordTemporary: true
+  resources:
+    requests:
+      cpu: 50m
+      memory: 32Mi
+    limits:
+      cpu: 1000m
+      memory: 128Mi
+
+keycloak:
+  enabled: true
+  database:
+    password: replace-me
+  admin:
+    password: replace-me
+  resources:
+    requests:
+      cpu: 100m
+      memory: 512Mi
+    limits:
+      cpu: 500m
+      memory: 1Gi
+
+postgres:
+  enabled: true
+  auth:
+    adminPassword: replace-me
+  storage:
+    size: 20Gi
+  resources:
+    requests:
+      cpu: 100m
+      memory: 64Mi
+    limits:
+      cpu: 2000m
+      memory: 1Gi
diff --git a/charts/cryptomator-hub/values.yaml b/charts/cryptomator-hub/values.yaml
new file mode 100644
index 000000000..f07d1617c
--- /dev/null
+++ b/charts/cryptomator-hub/values.yaml
@@ -0,0 +1,113 @@
+urls:
+  hub:
+    public: ""
+  kc:
+    public: ""
+    clusterInternal: ""
+    authServerUrl: ""
+    tokenIssuer: ""
+
+notes:
+  useColor: true
+
+ingress:
+  # supported: nginx, traefik, contour
+  controller: ""
+  className: ""
+  annotations: {}
+  tls:
+    enabled: false
+    secretName: ""
+
+hub:
+  imagePullPolicy: IfNotPresent
+  service:
+    type: ClusterIP
+    port: 8080
+    managementPort: 9000
+  resources:
+    requests:
+      cpu: 10m
+      memory: 16Mi
+    limits:
+      cpu: 500m
+      memory: 256Mi
+  config:
+    keycloakRealm: cryptomator
+    keycloakSyncerPeriod: 5m
+    keycloakPublicUrl: ""
+    keycloakLocalUrl: ""
+  metrics:
+    enabled: true
+    username: metrics
+    password: ""
+  oidc:
+    clientId: cryptomatorhub
+  database:
+    jdbcUrl: ""
+    name: hub
+    username: hub
+    password: ""
+  admin:
+    username: admin
+    password: ""
+    passwordTemporary: true
+  secrets:
+    create: true
+    systemClientSecret: "" # optional; auto-generated when chart manages Hub secret
+    initialId: ""
+    initialLicense: ""
+  license:
+    chain:
+      requiredCn: ""
+    managedApi:
+      username: ""
+      password: ""
+
+keycloak:
+  enabled: true
+  imagePullPolicy: IfNotPresent
+  service:
+    type: ClusterIP
+    httpPort: 8080
+    managementPort: 9000
+  resources:
+    requests:
+      cpu: 20m
+      memory: 128Mi
+    limits:
+      cpu: 1000m
+      memory: 640Mi
+  admin:
+    username: admin
+    password: ""
+  config:
+    proxyHeaders: xforwarded
+  database:
+    jdbcUrl: ""
+    name: keycloak
+    username: keycloak
+    password: ""
+  realmBootstrap:
+    realmId: ""
+
+postgres:
+  enabled: true
+  imagePullPolicy: IfNotPresent
+  service:
+    type: ClusterIP
+    port: 5432
+  storage:
+    size: 10Gi
+    storageClassName: ""
+    accessMode: ReadWriteOnce
+  resources:
+    requests:
+      cpu: 10m
+      memory: 32Mi
+    limits:
+      cpu: 1000m
+      memory: 256Mi
+  auth:
+    adminUsername: postgres
+    adminPassword: ""
diff --git a/frontend/README.md b/frontend/README.md
index c85e4c59b..d4c8c0903 100644
--- a/frontend/README.md
+++ b/frontend/README.md
@@ -1,4 +1,4 @@
-# Cryptomator Frontend
+# Katta Frontend
 
 This project uses Vue 3 + Typescript + Vite.
 
diff --git a/frontend/eslint.config.js b/frontend/eslint.config.js
index 1904a7fe5..8a32e32de 100644
--- a/frontend/eslint.config.js
+++ b/frontend/eslint.config.js
@@ -2,13 +2,21 @@
 import eslint from "@eslint/js";
 import pluginVue from 'eslint-plugin-vue';
 import tseslint from 'typescript-eslint';
+import { defineConfig } from 'eslint/config';
 
-export default tseslint.config(
+export default defineConfig(
+{
+    ignores: [
+        'coverage/**',
+        'dist/**',
+        'node_modules/**'
+    ]
+},
 {
     files: ['src/**/*.ts', 'test/**/*.ts'],
     extends: [
         eslint.configs.recommended,
-        ...tseslint.configs.recommended,
+        tseslint.configs.recommended,
     ],
     plugins: {
         '@typescript-eslint': tseslint.plugin,
@@ -39,6 +47,7 @@ export default tseslint.config(
         'semi': ['error', 'always'],
         'space-infix-ops': 'error',
         'indent': ['error', 2, { SwitchCase: 1 }],
+        'complexity': ['warn', { max: 10 }],
     }
 },
 {
@@ -51,8 +60,8 @@ export default tseslint.config(
     files: ['src/**/*.vue'],
     extends: [
         eslint.configs.recommended,
-        ...tseslint.configs.recommended,
-        ...pluginVue.configs["flat/recommended"],
+        tseslint.configs.recommended,
+        pluginVue.configs["flat/recommended"],
     ],
     plugins: {
         '@typescript-eslint': tseslint.plugin,
@@ -89,9 +98,11 @@ export default tseslint.config(
         'vue/html-closing-bracket-spacing': 'off',
         'vue/html-self-closing': 'off',
         'vue/max-attributes-per-line': 'off',
+        'vue/multi-word-component-names': 'off',
         'vue/padding-line-between-blocks': 'error',
         'vue/singleline-html-element-content-newline': 'off',
         'vue/space-infix-ops': 'error',
+        'complexity': ['warn', { max: 15 }],
     },
 }
 );
\ No newline at end of file
diff --git a/frontend/index.html b/frontend/index.html
index f71ff158c..5d4949e61 100644
--- a/frontend/index.html
+++ b/frontend/index.html
@@ -5,9 +5,9 @@
     <meta charset="UTF-8" />
     <link rel="icon" href="/favicon.ico" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <title>Cryptomator Hub</title>
+    <title>Katta</title>
   </head>
-  <body class="bg-gray-100">
+  <body>
     <div id="app"></div>
     <script type="module" src="/src/main.ts"></script>
   </body>
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index 057899509..9ef938ccd 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -1,1307 +1,1355 @@
 {
-  "name": "cryptomator-hub",
+  "name": "katta",
   "version": "1.5.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
-      "name": "cryptomator-hub",
+      "name": "katta",
       "version": "1.5.0",
       "license": "AGPL-3.0-or-later",
       "dependencies": {
+        "@aws-sdk/client-s3": "^3.454.0",
+        "@aws-sdk/client-sts": "^3.421.0",
         "@headlessui/tailwindcss": "^0.2.2",
         "@headlessui/vue": "^1.7.23",
         "@heroicons/vue": "^2.2.0",
-        "axios": "^1.12.2",
+        "@noble/ciphers": "^2.1.1",
+        "@scure/base": "^2.0.0",
+        "axios": "^1.14.0",
         "file-saver": "^2.0.5",
         "jdenticon": "^3.3.0",
         "jszip": "^3.10.1",
-        "keycloak-js": "^26.2.1",
-        "miscreant": "^0.3.2",
-        "remeda": "^2.32.0",
-        "rfc4648": "^1.5.4",
-        "semver": "^7.7.3",
-        "vue": "^3.5.17",
-        "vue-i18n": "^11.1.12",
-        "vue-router": "^4.6.3"
+        "keycloak-js": "^26.2.3",
+        "remeda": "^2.33.7",
+        "semver": "^7.7.4",
+        "shamir-secret-sharing": "^0.0.4",
+        "vue": "^3.5.25",
+        "vue-i18n": "^11.3.0",
+        "vue-router": "^5.0.4"
       },
       "devDependencies": {
-        "@intlify/devtools-types": "^11.1.12",
-        "@intlify/unplugin-vue-i18n": "^11.0.1",
-        "@tailwindcss/forms": "^0.5.10",
-        "@tailwindcss/vite": "^4.1.14",
+        "@eslint/js": "^10.0.0",
+        "@intlify/devtools-types": "^11.2.2",
+        "@intlify/unplugin-vue-i18n": "^11.0.7",
+        "@tailwindcss/forms": "^0.5.11",
+        "@tailwindcss/vite": "^4.2.2",
         "@types/blueimp-md5": "^2.18.2",
         "@types/file-saver": "^2.0.7",
-        "@types/node": "^22.18.11",
+        "@types/node": "^22.19.15",
         "@types/semver": "^7.7.1",
-        "@vitejs/plugin-vue": "^6.0.1",
-        "@vitest/coverage-v8": "^3.2.4",
+        "@vitejs/plugin-vue": "^6.0.5",
+        "@vitest/coverage-v8": "^4.1.2",
         "@vue/compiler-sfc": "^3.5.12",
-        "eslint": "^9.37.0",
-        "eslint-plugin-vue": "^10.5.1",
-        "happy-dom": "^20.0.4",
+        "eslint": "^10.1.0",
+        "eslint-plugin-vue": "^10.8.0",
+        "happy-dom": "^20.8.9",
         "tailwindcss": "^4.1.11",
         "ts-node": "^10.9.2",
-        "typescript": "^5.8.3",
-        "typescript-eslint": "^8.46.1",
-        "vite": "^7.1.10",
-        "vitest": "^3.2.4",
-        "vue-tsc": "^3.1.1"
-      },
-      "optionalDependencies": {
-        "@rollup/rollup-linux-x64-gnu": "4.46.2"
+        "typescript": "^5.9.3",
+        "typescript-eslint": "^8.58.0",
+        "vite": "^7.3.1",
+        "vitest": "^4.0.15",
+        "vue-tsc": "^3.2.6"
       }
     },
-    "node_modules/@ampproject/remapping": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.3.0.tgz",
-      "integrity": "sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw==",
-      "dev": true,
+    "node_modules/@aws-crypto/crc32": {
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/@aws-crypto/crc32/-/crc32-5.2.0.tgz",
+      "integrity": "sha512-nLbCWqQNgUiwwtFsen1AdzAtvuLRsQS8rYgMuxCrdKf9kOssamGLuPwyTY9wyYblNr9+1XM8v6zoDTPPSIeANg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@jridgewell/gen-mapping": "^0.3.5",
-        "@jridgewell/trace-mapping": "^0.3.24"
+        "@aws-crypto/util": "^5.2.0",
+        "@aws-sdk/types": "^3.222.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=6.0.0"
+        "node": ">=16.0.0"
       }
     },
-    "node_modules/@babel/helper-string-parser": {
-      "version": "7.27.1",
-      "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz",
-      "integrity": "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==",
-      "license": "MIT",
+    "node_modules/@aws-crypto/crc32c": {
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/@aws-crypto/crc32c/-/crc32c-5.2.0.tgz",
+      "integrity": "sha512-+iWb8qaHLYKrNvGRbiYRHSdKRWhto5XlZUEBwDjYNf+ly5SVYG6zEoYIdxvf5R3zyeP16w4PLBn3rH1xc74Rag==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-crypto/util": "^5.2.0",
+        "@aws-sdk/types": "^3.222.0",
+        "tslib": "^2.6.2"
+      }
+    },
+    "node_modules/@aws-crypto/sha1-browser": {
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/@aws-crypto/sha1-browser/-/sha1-browser-5.2.0.tgz",
+      "integrity": "sha512-OH6lveCFfcDjX4dbAvCFSYUjJZjDr/3XJ3xHtjn3Oj5b9RjojQo8npoLeA/bNwkOkrSQ0wgrHzXk4tDRxGKJeg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-crypto/supports-web-crypto": "^5.2.0",
+        "@aws-crypto/util": "^5.2.0",
+        "@aws-sdk/types": "^3.222.0",
+        "@aws-sdk/util-locate-window": "^3.0.0",
+        "@smithy/util-utf8": "^2.0.0",
+        "tslib": "^2.6.2"
+      }
+    },
+    "node_modules/@aws-crypto/sha1-browser/node_modules/@smithy/is-array-buffer": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/is-array-buffer/-/is-array-buffer-2.2.0.tgz",
+      "integrity": "sha512-GGP3O9QFD24uGeAXYUjwSTXARoqpZykHadOmA8G5vfJPK0/DC67qa//0qvqrJzL1xc8WQWX7/yc7fwudjPHPhA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=6.9.0"
+        "node": ">=14.0.0"
       }
     },
-    "node_modules/@babel/helper-validator-identifier": {
-      "version": "7.27.1",
-      "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.27.1.tgz",
-      "integrity": "sha512-D2hP9eA+Sqx1kBZgzxZh0y1trbuU+JoDkiEwqhQ36nodYqJwyEIhPSdMNd7lOm/4io72luTPWH20Yda0xOuUow==",
-      "license": "MIT",
+    "node_modules/@aws-crypto/sha1-browser/node_modules/@smithy/util-buffer-from": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/util-buffer-from/-/util-buffer-from-2.2.0.tgz",
+      "integrity": "sha512-IJdWBbTcMQ6DA0gdNhh/BwrLkDR+ADW5Kr1aZmd4k3DIF6ezMV4R2NIAmT08wQJ3yUK82thHWmC/TnK/wpMMIA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/is-array-buffer": "^2.2.0",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=6.9.0"
+        "node": ">=14.0.0"
       }
     },
-    "node_modules/@babel/parser": {
-      "version": "7.28.0",
-      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.28.0.tgz",
-      "integrity": "sha512-jVZGvOxOuNSsuQuLRTh13nU0AogFlw32w/MT+LV6D3sP5WdbW61E77RnkbaO2dUvmPAYrBDJXGn5gGS6tH4j8g==",
-      "license": "MIT",
+    "node_modules/@aws-crypto/sha1-browser/node_modules/@smithy/util-utf8": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/@smithy/util-utf8/-/util-utf8-2.3.0.tgz",
+      "integrity": "sha512-R8Rdn8Hy72KKcebgLiv8jQcQkXoLMOGGv5uI1/k0l+snqkOzQ1R0ChUBCxWMlBsFMekWjq0wRudIweFs7sKT5A==",
+      "license": "Apache-2.0",
       "dependencies": {
-        "@babel/types": "^7.28.0"
+        "@smithy/util-buffer-from": "^2.2.0",
+        "tslib": "^2.6.2"
       },
-      "bin": {
-        "parser": "bin/babel-parser.js"
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/@aws-crypto/sha256-browser": {
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/@aws-crypto/sha256-browser/-/sha256-browser-5.2.0.tgz",
+      "integrity": "sha512-AXfN/lGotSQwu6HNcEsIASo7kWXZ5HYWvfOmSNKDsEqC4OashTp8alTmaz+F7TC2L083SFv5RdB+qU3Vs1kZqw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-crypto/sha256-js": "^5.2.0",
+        "@aws-crypto/supports-web-crypto": "^5.2.0",
+        "@aws-crypto/util": "^5.2.0",
+        "@aws-sdk/types": "^3.222.0",
+        "@aws-sdk/util-locate-window": "^3.0.0",
+        "@smithy/util-utf8": "^2.0.0",
+        "tslib": "^2.6.2"
+      }
+    },
+    "node_modules/@aws-crypto/sha256-browser/node_modules/@smithy/is-array-buffer": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/is-array-buffer/-/is-array-buffer-2.2.0.tgz",
+      "integrity": "sha512-GGP3O9QFD24uGeAXYUjwSTXARoqpZykHadOmA8G5vfJPK0/DC67qa//0qvqrJzL1xc8WQWX7/yc7fwudjPHPhA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=6.0.0"
+        "node": ">=14.0.0"
       }
     },
-    "node_modules/@babel/types": {
-      "version": "7.28.2",
-      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.28.2.tgz",
-      "integrity": "sha512-ruv7Ae4J5dUYULmeXw1gmb7rYRz57OWCPM57pHojnLq/3Z1CK2lNSLTCVjxVk1F/TZHwOZZrOWi0ur95BbLxNQ==",
-      "license": "MIT",
+    "node_modules/@aws-crypto/sha256-browser/node_modules/@smithy/util-buffer-from": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/util-buffer-from/-/util-buffer-from-2.2.0.tgz",
+      "integrity": "sha512-IJdWBbTcMQ6DA0gdNhh/BwrLkDR+ADW5Kr1aZmd4k3DIF6ezMV4R2NIAmT08wQJ3yUK82thHWmC/TnK/wpMMIA==",
+      "license": "Apache-2.0",
       "dependencies": {
-        "@babel/helper-string-parser": "^7.27.1",
-        "@babel/helper-validator-identifier": "^7.27.1"
+        "@smithy/is-array-buffer": "^2.2.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=6.9.0"
+        "node": ">=14.0.0"
       }
     },
-    "node_modules/@bcoe/v8-coverage": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/@bcoe/v8-coverage/-/v8-coverage-1.0.2.tgz",
-      "integrity": "sha512-6zABk/ECA/QYSCQ1NGiVwwbQerUCZ+TQbp64Q3AgmfNvurHH0j8TtXa1qbShXA6qqkpAj4V5W8pP6mLe1mcMqA==",
-      "dev": true,
-      "license": "MIT",
+    "node_modules/@aws-crypto/sha256-browser/node_modules/@smithy/util-utf8": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/@smithy/util-utf8/-/util-utf8-2.3.0.tgz",
+      "integrity": "sha512-R8Rdn8Hy72KKcebgLiv8jQcQkXoLMOGGv5uI1/k0l+snqkOzQ1R0ChUBCxWMlBsFMekWjq0wRudIweFs7sKT5A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/util-buffer-from": "^2.2.0",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=14.0.0"
       }
     },
-    "node_modules/@cspotcode/source-map-support": {
-      "version": "0.8.1",
-      "resolved": "https://registry.npmjs.org/@cspotcode/source-map-support/-/source-map-support-0.8.1.tgz",
-      "integrity": "sha512-IchNf6dN4tHoMFIn/7OE8LWZ19Y6q/67Bmf6vnGREv8RSbBVb9LPJxEcnwrcwX6ixSvaiGoomAUvu4YSxXrVgw==",
-      "dev": true,
-      "license": "MIT",
+    "node_modules/@aws-crypto/sha256-js": {
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/@aws-crypto/sha256-js/-/sha256-js-5.2.0.tgz",
+      "integrity": "sha512-FFQQyu7edu4ufvIZ+OadFpHHOt+eSTBaYaki44c+akjg7qZg9oOQeLlk77F6tSYqjDAFClrHJk9tMf0HdVyOvA==",
+      "license": "Apache-2.0",
       "dependencies": {
-        "@jridgewell/trace-mapping": "0.3.9"
+        "@aws-crypto/util": "^5.2.0",
+        "@aws-sdk/types": "^3.222.0",
+        "tslib": "^2.6.2"
       },
       "engines": {
-        "node": ">=12"
+        "node": ">=16.0.0"
       }
     },
-    "node_modules/@cspotcode/source-map-support/node_modules/@jridgewell/trace-mapping": {
-      "version": "0.3.9",
-      "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.9.tgz",
-      "integrity": "sha512-3Belt6tdc8bPgAtbcmdtNJlirVoTmEb5e2gC94PnkwEW9jI6CAHUeoG85tjWP5WquqfavoMtMwiG4P926ZKKuQ==",
-      "dev": true,
-      "license": "MIT",
+    "node_modules/@aws-crypto/supports-web-crypto": {
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/@aws-crypto/supports-web-crypto/-/supports-web-crypto-5.2.0.tgz",
+      "integrity": "sha512-iAvUotm021kM33eCdNfwIN//F77/IADDSs58i+MDaOqFrVjZo9bAal0NK7HurRuWLLpF1iLX7gbWrjHjeo+YFg==",
+      "license": "Apache-2.0",
       "dependencies": {
-        "@jridgewell/resolve-uri": "^3.0.3",
-        "@jridgewell/sourcemap-codec": "^1.4.10"
+        "tslib": "^2.6.2"
       }
     },
-    "node_modules/@esbuild/aix-ppc64": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.25.8.tgz",
-      "integrity": "sha512-urAvrUedIqEiFR3FYSLTWQgLu5tb+m0qZw0NBEasUeo6wuqatkMDaRT+1uABiGXEu5vqgPd7FGE1BhsAIy9QVA==",
-      "cpu": [
-        "ppc64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "aix"
-      ],
-      "engines": {
-        "node": ">=18"
+    "node_modules/@aws-crypto/util": {
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/@aws-crypto/util/-/util-5.2.0.tgz",
+      "integrity": "sha512-4RkU9EsI6ZpBve5fseQlGNUWKMa1RLPQ1dnjnQoe07ldfIzcsGb5hC5W0Dm7u423KWzawlrpbjXBrXCEv9zazQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/types": "^3.222.0",
+        "@smithy/util-utf8": "^2.0.0",
+        "tslib": "^2.6.2"
       }
     },
-    "node_modules/@esbuild/android-arm": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.25.8.tgz",
-      "integrity": "sha512-RONsAvGCz5oWyePVnLdZY/HHwA++nxYWIX1atInlaW6SEkwq6XkP3+cb825EUcRs5Vss/lGh/2YxAb5xqc07Uw==",
-      "cpu": [
-        "arm"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "android"
-      ],
+    "node_modules/@aws-crypto/util/node_modules/@smithy/is-array-buffer": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/is-array-buffer/-/is-array-buffer-2.2.0.tgz",
+      "integrity": "sha512-GGP3O9QFD24uGeAXYUjwSTXARoqpZykHadOmA8G5vfJPK0/DC67qa//0qvqrJzL1xc8WQWX7/yc7fwudjPHPhA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=14.0.0"
       }
     },
-    "node_modules/@esbuild/android-arm64": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.25.8.tgz",
-      "integrity": "sha512-OD3p7LYzWpLhZEyATcTSJ67qB5D+20vbtr6vHlHWSQYhKtzUYrETuWThmzFpZtFsBIxRvhO07+UgVA9m0i/O1w==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "android"
-      ],
+    "node_modules/@aws-crypto/util/node_modules/@smithy/util-buffer-from": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@smithy/util-buffer-from/-/util-buffer-from-2.2.0.tgz",
+      "integrity": "sha512-IJdWBbTcMQ6DA0gdNhh/BwrLkDR+ADW5Kr1aZmd4k3DIF6ezMV4R2NIAmT08wQJ3yUK82thHWmC/TnK/wpMMIA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/is-array-buffer": "^2.2.0",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=14.0.0"
       }
     },
-    "node_modules/@esbuild/android-x64": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.25.8.tgz",
-      "integrity": "sha512-yJAVPklM5+4+9dTeKwHOaA+LQkmrKFX96BM0A/2zQrbS6ENCmxc4OVoBs5dPkCCak2roAD+jKCdnmOqKszPkjA==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "android"
-      ],
+    "node_modules/@aws-crypto/util/node_modules/@smithy/util-utf8": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/@smithy/util-utf8/-/util-utf8-2.3.0.tgz",
+      "integrity": "sha512-R8Rdn8Hy72KKcebgLiv8jQcQkXoLMOGGv5uI1/k0l+snqkOzQ1R0ChUBCxWMlBsFMekWjq0wRudIweFs7sKT5A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/util-buffer-from": "^2.2.0",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=14.0.0"
       }
     },
-    "node_modules/@esbuild/darwin-arm64": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.25.8.tgz",
-      "integrity": "sha512-Jw0mxgIaYX6R8ODrdkLLPwBqHTtYHJSmzzd+QeytSugzQ0Vg4c5rDky5VgkoowbZQahCbsv1rT1KW72MPIkevw==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
+    "node_modules/@aws-sdk/client-s3": {
+      "version": "3.850.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-s3/-/client-s3-3.850.0.tgz",
+      "integrity": "sha512-tX5bUfqiLOh6jtAlaiAuOUKFYh8KDG9k9zFLUdgGplC5TP47AYTreUEg+deCTHo4DD3YCvrLuyZ8tIDgKu7neQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-crypto/sha1-browser": "5.2.0",
+        "@aws-crypto/sha256-browser": "5.2.0",
+        "@aws-crypto/sha256-js": "5.2.0",
+        "@aws-sdk/core": "3.846.0",
+        "@aws-sdk/credential-provider-node": "3.848.0",
+        "@aws-sdk/middleware-bucket-endpoint": "3.840.0",
+        "@aws-sdk/middleware-expect-continue": "3.840.0",
+        "@aws-sdk/middleware-flexible-checksums": "3.846.0",
+        "@aws-sdk/middleware-host-header": "3.840.0",
+        "@aws-sdk/middleware-location-constraint": "3.840.0",
+        "@aws-sdk/middleware-logger": "3.840.0",
+        "@aws-sdk/middleware-recursion-detection": "3.840.0",
+        "@aws-sdk/middleware-sdk-s3": "3.846.0",
+        "@aws-sdk/middleware-ssec": "3.840.0",
+        "@aws-sdk/middleware-user-agent": "3.848.0",
+        "@aws-sdk/region-config-resolver": "3.840.0",
+        "@aws-sdk/signature-v4-multi-region": "3.846.0",
+        "@aws-sdk/types": "3.840.0",
+        "@aws-sdk/util-endpoints": "3.848.0",
+        "@aws-sdk/util-user-agent-browser": "3.840.0",
+        "@aws-sdk/util-user-agent-node": "3.848.0",
+        "@aws-sdk/xml-builder": "3.821.0",
+        "@smithy/config-resolver": "^4.1.4",
+        "@smithy/core": "^3.7.0",
+        "@smithy/eventstream-serde-browser": "^4.0.4",
+        "@smithy/eventstream-serde-config-resolver": "^4.1.2",
+        "@smithy/eventstream-serde-node": "^4.0.4",
+        "@smithy/fetch-http-handler": "^5.1.0",
+        "@smithy/hash-blob-browser": "^4.0.4",
+        "@smithy/hash-node": "^4.0.4",
+        "@smithy/hash-stream-node": "^4.0.4",
+        "@smithy/invalid-dependency": "^4.0.4",
+        "@smithy/md5-js": "^4.0.4",
+        "@smithy/middleware-content-length": "^4.0.4",
+        "@smithy/middleware-endpoint": "^4.1.15",
+        "@smithy/middleware-retry": "^4.1.16",
+        "@smithy/middleware-serde": "^4.0.8",
+        "@smithy/middleware-stack": "^4.0.4",
+        "@smithy/node-config-provider": "^4.1.3",
+        "@smithy/node-http-handler": "^4.1.0",
+        "@smithy/protocol-http": "^5.1.2",
+        "@smithy/smithy-client": "^4.4.7",
+        "@smithy/types": "^4.3.1",
+        "@smithy/url-parser": "^4.0.4",
+        "@smithy/util-base64": "^4.0.0",
+        "@smithy/util-body-length-browser": "^4.0.0",
+        "@smithy/util-body-length-node": "^4.0.0",
+        "@smithy/util-defaults-mode-browser": "^4.0.23",
+        "@smithy/util-defaults-mode-node": "^4.0.23",
+        "@smithy/util-endpoints": "^3.0.6",
+        "@smithy/util-middleware": "^4.0.4",
+        "@smithy/util-retry": "^4.0.6",
+        "@smithy/util-stream": "^4.2.3",
+        "@smithy/util-utf8": "^4.0.0",
+        "@smithy/util-waiter": "^4.0.6",
+        "@types/uuid": "^9.0.1",
+        "tslib": "^2.6.2",
+        "uuid": "^9.0.1"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/darwin-x64": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.25.8.tgz",
-      "integrity": "sha512-Vh2gLxxHnuoQ+GjPNvDSDRpoBCUzY4Pu0kBqMBDlK4fuWbKgGtmDIeEC081xi26PPjn+1tct+Bh8FjyLlw1Zlg==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
+    "node_modules/@aws-sdk/client-sso": {
+      "version": "3.848.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-sso/-/client-sso-3.848.0.tgz",
+      "integrity": "sha512-mD+gOwoeZQvbecVLGoCmY6pS7kg02BHesbtIxUj+PeBqYoZV5uLvjUOmuGfw1SfoSobKvS11urxC9S7zxU/Maw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-crypto/sha256-browser": "5.2.0",
+        "@aws-crypto/sha256-js": "5.2.0",
+        "@aws-sdk/core": "3.846.0",
+        "@aws-sdk/middleware-host-header": "3.840.0",
+        "@aws-sdk/middleware-logger": "3.840.0",
+        "@aws-sdk/middleware-recursion-detection": "3.840.0",
+        "@aws-sdk/middleware-user-agent": "3.848.0",
+        "@aws-sdk/region-config-resolver": "3.840.0",
+        "@aws-sdk/types": "3.840.0",
+        "@aws-sdk/util-endpoints": "3.848.0",
+        "@aws-sdk/util-user-agent-browser": "3.840.0",
+        "@aws-sdk/util-user-agent-node": "3.848.0",
+        "@smithy/config-resolver": "^4.1.4",
+        "@smithy/core": "^3.7.0",
+        "@smithy/fetch-http-handler": "^5.1.0",
+        "@smithy/hash-node": "^4.0.4",
+        "@smithy/invalid-dependency": "^4.0.4",
+        "@smithy/middleware-content-length": "^4.0.4",
+        "@smithy/middleware-endpoint": "^4.1.15",
+        "@smithy/middleware-retry": "^4.1.16",
+        "@smithy/middleware-serde": "^4.0.8",
+        "@smithy/middleware-stack": "^4.0.4",
+        "@smithy/node-config-provider": "^4.1.3",
+        "@smithy/node-http-handler": "^4.1.0",
+        "@smithy/protocol-http": "^5.1.2",
+        "@smithy/smithy-client": "^4.4.7",
+        "@smithy/types": "^4.3.1",
+        "@smithy/url-parser": "^4.0.4",
+        "@smithy/util-base64": "^4.0.0",
+        "@smithy/util-body-length-browser": "^4.0.0",
+        "@smithy/util-body-length-node": "^4.0.0",
+        "@smithy/util-defaults-mode-browser": "^4.0.23",
+        "@smithy/util-defaults-mode-node": "^4.0.23",
+        "@smithy/util-endpoints": "^3.0.6",
+        "@smithy/util-middleware": "^4.0.4",
+        "@smithy/util-retry": "^4.0.6",
+        "@smithy/util-utf8": "^4.0.0",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/freebsd-arm64": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.25.8.tgz",
-      "integrity": "sha512-YPJ7hDQ9DnNe5vxOm6jaie9QsTwcKedPvizTVlqWG9GBSq+BuyWEDazlGaDTC5NGU4QJd666V0yqCBL2oWKPfA==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "freebsd"
-      ],
+    "node_modules/@aws-sdk/client-sts": {
+      "version": "3.848.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-sts/-/client-sts-3.848.0.tgz",
+      "integrity": "sha512-NA0ODCELiO76LAi9/aanufPpX+YDAgpLFMkqJTwLVrBvtCMYsgGi/ttYzGKHdxgQljOBmGLu99fTDq5mbuY55g==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-crypto/sha256-browser": "5.2.0",
+        "@aws-crypto/sha256-js": "5.2.0",
+        "@aws-sdk/core": "3.846.0",
+        "@aws-sdk/credential-provider-node": "3.848.0",
+        "@aws-sdk/middleware-host-header": "3.840.0",
+        "@aws-sdk/middleware-logger": "3.840.0",
+        "@aws-sdk/middleware-recursion-detection": "3.840.0",
+        "@aws-sdk/middleware-user-agent": "3.848.0",
+        "@aws-sdk/region-config-resolver": "3.840.0",
+        "@aws-sdk/types": "3.840.0",
+        "@aws-sdk/util-endpoints": "3.848.0",
+        "@aws-sdk/util-user-agent-browser": "3.840.0",
+        "@aws-sdk/util-user-agent-node": "3.848.0",
+        "@smithy/config-resolver": "^4.1.4",
+        "@smithy/core": "^3.7.0",
+        "@smithy/fetch-http-handler": "^5.1.0",
+        "@smithy/hash-node": "^4.0.4",
+        "@smithy/invalid-dependency": "^4.0.4",
+        "@smithy/middleware-content-length": "^4.0.4",
+        "@smithy/middleware-endpoint": "^4.1.15",
+        "@smithy/middleware-retry": "^4.1.16",
+        "@smithy/middleware-serde": "^4.0.8",
+        "@smithy/middleware-stack": "^4.0.4",
+        "@smithy/node-config-provider": "^4.1.3",
+        "@smithy/node-http-handler": "^4.1.0",
+        "@smithy/protocol-http": "^5.1.2",
+        "@smithy/smithy-client": "^4.4.7",
+        "@smithy/types": "^4.3.1",
+        "@smithy/url-parser": "^4.0.4",
+        "@smithy/util-base64": "^4.0.0",
+        "@smithy/util-body-length-browser": "^4.0.0",
+        "@smithy/util-body-length-node": "^4.0.0",
+        "@smithy/util-defaults-mode-browser": "^4.0.23",
+        "@smithy/util-defaults-mode-node": "^4.0.23",
+        "@smithy/util-endpoints": "^3.0.6",
+        "@smithy/util-middleware": "^4.0.4",
+        "@smithy/util-retry": "^4.0.6",
+        "@smithy/util-utf8": "^4.0.0",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/freebsd-x64": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.25.8.tgz",
-      "integrity": "sha512-MmaEXxQRdXNFsRN/KcIimLnSJrk2r5H8v+WVafRWz5xdSVmWLoITZQXcgehI2ZE6gioE6HirAEToM/RvFBeuhw==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "freebsd"
-      ],
+    "node_modules/@aws-sdk/core": {
+      "version": "3.846.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/core/-/core-3.846.0.tgz",
+      "integrity": "sha512-7CX0pM906r4WSS68fCTNMTtBCSkTtf3Wggssmx13gD40gcWEZXsU00KzPp1bYheNRyPlAq3rE22xt4wLPXbuxA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/types": "3.840.0",
+        "@aws-sdk/xml-builder": "3.821.0",
+        "@smithy/core": "^3.7.0",
+        "@smithy/node-config-provider": "^4.1.3",
+        "@smithy/property-provider": "^4.0.4",
+        "@smithy/protocol-http": "^5.1.2",
+        "@smithy/signature-v4": "^5.1.2",
+        "@smithy/smithy-client": "^4.4.7",
+        "@smithy/types": "^4.3.1",
+        "@smithy/util-base64": "^4.0.0",
+        "@smithy/util-body-length-browser": "^4.0.0",
+        "@smithy/util-middleware": "^4.0.4",
+        "@smithy/util-utf8": "^4.0.0",
+        "fast-xml-parser": "5.2.5",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/linux-arm": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.25.8.tgz",
-      "integrity": "sha512-FuzEP9BixzZohl1kLf76KEVOsxtIBFwCaLupVuk4eFVnOZfU+Wsn+x5Ryam7nILV2pkq2TqQM9EZPsOBuMC+kg==",
-      "cpu": [
-        "arm"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
+    "node_modules/@aws-sdk/credential-provider-env": {
+      "version": "3.846.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-env/-/credential-provider-env-3.846.0.tgz",
+      "integrity": "sha512-QuCQZET9enja7AWVISY+mpFrEIeHzvkx/JEEbHYzHhUkxcnC2Kq2c0bB7hDihGD0AZd3Xsm653hk1O97qu69zg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/core": "3.846.0",
+        "@aws-sdk/types": "3.840.0",
+        "@smithy/property-provider": "^4.0.4",
+        "@smithy/types": "^4.3.1",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/linux-arm64": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.25.8.tgz",
-      "integrity": "sha512-WIgg00ARWv/uYLU7lsuDK00d/hHSfES5BzdWAdAig1ioV5kaFNrtK8EqGcUBJhYqotlUByUKz5Qo6u8tt7iD/w==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
+    "node_modules/@aws-sdk/credential-provider-http": {
+      "version": "3.846.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-http/-/credential-provider-http-3.846.0.tgz",
+      "integrity": "sha512-Jh1iKUuepdmtreMYozV2ePsPcOF5W9p3U4tWhi3v6nDvz0GsBjzjAROW+BW8XMz9vAD3I9R+8VC3/aq63p5nlw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/core": "3.846.0",
+        "@aws-sdk/types": "3.840.0",
+        "@smithy/fetch-http-handler": "^5.1.0",
+        "@smithy/node-http-handler": "^4.1.0",
+        "@smithy/property-provider": "^4.0.4",
+        "@smithy/protocol-http": "^5.1.2",
+        "@smithy/smithy-client": "^4.4.7",
+        "@smithy/types": "^4.3.1",
+        "@smithy/util-stream": "^4.2.3",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/linux-ia32": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.25.8.tgz",
-      "integrity": "sha512-A1D9YzRX1i+1AJZuFFUMP1E9fMaYY+GnSQil9Tlw05utlE86EKTUA7RjwHDkEitmLYiFsRd9HwKBPEftNdBfjg==",
-      "cpu": [
-        "ia32"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
+    "node_modules/@aws-sdk/credential-provider-ini": {
+      "version": "3.848.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-ini/-/credential-provider-ini-3.848.0.tgz",
+      "integrity": "sha512-r6KWOG+En2xujuMhgZu7dzOZV3/M5U/5+PXrG8dLQ3rdPRB3vgp5tc56KMqLwm/EXKRzAOSuw/UE4HfNOAB8Hw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/core": "3.846.0",
+        "@aws-sdk/credential-provider-env": "3.846.0",
+        "@aws-sdk/credential-provider-http": "3.846.0",
+        "@aws-sdk/credential-provider-process": "3.846.0",
+        "@aws-sdk/credential-provider-sso": "3.848.0",
+        "@aws-sdk/credential-provider-web-identity": "3.848.0",
+        "@aws-sdk/nested-clients": "3.848.0",
+        "@aws-sdk/types": "3.840.0",
+        "@smithy/credential-provider-imds": "^4.0.6",
+        "@smithy/property-provider": "^4.0.4",
+        "@smithy/shared-ini-file-loader": "^4.0.4",
+        "@smithy/types": "^4.3.1",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/linux-loong64": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.25.8.tgz",
-      "integrity": "sha512-O7k1J/dwHkY1RMVvglFHl1HzutGEFFZ3kNiDMSOyUrB7WcoHGf96Sh+64nTRT26l3GMbCW01Ekh/ThKM5iI7hQ==",
-      "cpu": [
-        "loong64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
+    "node_modules/@aws-sdk/credential-provider-node": {
+      "version": "3.848.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-node/-/credential-provider-node-3.848.0.tgz",
+      "integrity": "sha512-AblNesOqdzrfyASBCo1xW3uweiSro4Kft9/htdxLeCVU1KVOnFWA5P937MNahViRmIQm2sPBCqL8ZG0u9lnh5g==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/credential-provider-env": "3.846.0",
+        "@aws-sdk/credential-provider-http": "3.846.0",
+        "@aws-sdk/credential-provider-ini": "3.848.0",
+        "@aws-sdk/credential-provider-process": "3.846.0",
+        "@aws-sdk/credential-provider-sso": "3.848.0",
+        "@aws-sdk/credential-provider-web-identity": "3.848.0",
+        "@aws-sdk/types": "3.840.0",
+        "@smithy/credential-provider-imds": "^4.0.6",
+        "@smithy/property-provider": "^4.0.4",
+        "@smithy/shared-ini-file-loader": "^4.0.4",
+        "@smithy/types": "^4.3.1",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/linux-mips64el": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.25.8.tgz",
-      "integrity": "sha512-uv+dqfRazte3BzfMp8PAQXmdGHQt2oC/y2ovwpTteqrMx2lwaksiFZ/bdkXJC19ttTvNXBuWH53zy/aTj1FgGw==",
-      "cpu": [
-        "mips64el"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
+    "node_modules/@aws-sdk/credential-provider-process": {
+      "version": "3.846.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-process/-/credential-provider-process-3.846.0.tgz",
+      "integrity": "sha512-mEpwDYarJSH+CIXnnHN0QOe0MXI+HuPStD6gsv3z/7Q6ESl8KRWon3weFZCDnqpiJMUVavlDR0PPlAFg2MQoPg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/core": "3.846.0",
+        "@aws-sdk/types": "3.840.0",
+        "@smithy/property-provider": "^4.0.4",
+        "@smithy/shared-ini-file-loader": "^4.0.4",
+        "@smithy/types": "^4.3.1",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/linux-ppc64": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.25.8.tgz",
-      "integrity": "sha512-GyG0KcMi1GBavP5JgAkkstMGyMholMDybAf8wF5A70CALlDM2p/f7YFE7H92eDeH/VBtFJA5MT4nRPDGg4JuzQ==",
-      "cpu": [
-        "ppc64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
+    "node_modules/@aws-sdk/credential-provider-sso": {
+      "version": "3.848.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-sso/-/credential-provider-sso-3.848.0.tgz",
+      "integrity": "sha512-pozlDXOwJZL0e7w+dqXLgzVDB7oCx4WvtY0sk6l4i07uFliWF/exupb6pIehFWvTUcOvn5aFTTqcQaEzAD5Wsg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/client-sso": "3.848.0",
+        "@aws-sdk/core": "3.846.0",
+        "@aws-sdk/token-providers": "3.848.0",
+        "@aws-sdk/types": "3.840.0",
+        "@smithy/property-provider": "^4.0.4",
+        "@smithy/shared-ini-file-loader": "^4.0.4",
+        "@smithy/types": "^4.3.1",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/linux-riscv64": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.25.8.tgz",
-      "integrity": "sha512-rAqDYFv3yzMrq7GIcen3XP7TUEG/4LK86LUPMIz6RT8A6pRIDn0sDcvjudVZBiiTcZCY9y2SgYX2lgK3AF+1eg==",
-      "cpu": [
-        "riscv64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
+    "node_modules/@aws-sdk/credential-provider-web-identity": {
+      "version": "3.848.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-web-identity/-/credential-provider-web-identity-3.848.0.tgz",
+      "integrity": "sha512-D1fRpwPxtVDhcSc/D71exa2gYweV+ocp4D3brF0PgFd//JR3XahZ9W24rVnTQwYEcK9auiBZB89Ltv+WbWN8qw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/core": "3.846.0",
+        "@aws-sdk/nested-clients": "3.848.0",
+        "@aws-sdk/types": "3.840.0",
+        "@smithy/property-provider": "^4.0.4",
+        "@smithy/types": "^4.3.1",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/linux-s390x": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.25.8.tgz",
-      "integrity": "sha512-Xutvh6VjlbcHpsIIbwY8GVRbwoviWT19tFhgdA7DlenLGC/mbc3lBoVb7jxj9Z+eyGqvcnSyIltYUrkKzWqSvg==",
-      "cpu": [
-        "s390x"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
+    "node_modules/@aws-sdk/middleware-bucket-endpoint": {
+      "version": "3.840.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-bucket-endpoint/-/middleware-bucket-endpoint-3.840.0.tgz",
+      "integrity": "sha512-+gkQNtPwcSMmlwBHFd4saVVS11In6ID1HczNzpM3MXKXRBfSlbZJbCt6wN//AZ8HMklZEik4tcEOG0qa9UY8SQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/types": "3.840.0",
+        "@aws-sdk/util-arn-parser": "3.804.0",
+        "@smithy/node-config-provider": "^4.1.3",
+        "@smithy/protocol-http": "^5.1.2",
+        "@smithy/types": "^4.3.1",
+        "@smithy/util-config-provider": "^4.0.0",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/linux-x64": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.25.8.tgz",
-      "integrity": "sha512-ASFQhgY4ElXh3nDcOMTkQero4b1lgubskNlhIfJrsH5OKZXDpUAKBlNS0Kx81jwOBp+HCeZqmoJuihTv57/jvQ==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
+    "node_modules/@aws-sdk/middleware-expect-continue": {
+      "version": "3.840.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-expect-continue/-/middleware-expect-continue-3.840.0.tgz",
+      "integrity": "sha512-iJg2r6FKsKKvdiU4oCOuCf7Ro/YE0Q2BT/QyEZN3/Rt8Nr4SAZiQOlcBXOCpGvuIKOEAhvDOUnW3aDHL01PdVw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/types": "3.840.0",
+        "@smithy/protocol-http": "^5.1.2",
+        "@smithy/types": "^4.3.1",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/netbsd-arm64": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.25.8.tgz",
-      "integrity": "sha512-d1KfruIeohqAi6SA+gENMuObDbEjn22olAR7egqnkCD9DGBG0wsEARotkLgXDu6c4ncgWTZJtN5vcgxzWRMzcw==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "netbsd"
-      ],
+    "node_modules/@aws-sdk/middleware-flexible-checksums": {
+      "version": "3.846.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-flexible-checksums/-/middleware-flexible-checksums-3.846.0.tgz",
+      "integrity": "sha512-CdkeVfkwt3+bDLhmOwBxvkUf6oY9iUhvosaUnqkoPsOqIiUEN54yTGOnO8A0wLz6mMsZ6aBlfFrQhFnxt3c+yw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-crypto/crc32": "5.2.0",
+        "@aws-crypto/crc32c": "5.2.0",
+        "@aws-crypto/util": "5.2.0",
+        "@aws-sdk/core": "3.846.0",
+        "@aws-sdk/types": "3.840.0",
+        "@smithy/is-array-buffer": "^4.0.0",
+        "@smithy/node-config-provider": "^4.1.3",
+        "@smithy/protocol-http": "^5.1.2",
+        "@smithy/types": "^4.3.1",
+        "@smithy/util-middleware": "^4.0.4",
+        "@smithy/util-stream": "^4.2.3",
+        "@smithy/util-utf8": "^4.0.0",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/netbsd-x64": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.25.8.tgz",
-      "integrity": "sha512-nVDCkrvx2ua+XQNyfrujIG38+YGyuy2Ru9kKVNyh5jAys6n+l44tTtToqHjino2My8VAY6Lw9H7RI73XFi66Cg==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "netbsd"
-      ],
+    "node_modules/@aws-sdk/middleware-host-header": {
+      "version": "3.840.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-host-header/-/middleware-host-header-3.840.0.tgz",
+      "integrity": "sha512-ub+hXJAbAje94+Ya6c6eL7sYujoE8D4Bumu1NUI8TXjUhVVn0HzVWQjpRLshdLsUp1AW7XyeJaxyajRaJQ8+Xg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/types": "3.840.0",
+        "@smithy/protocol-http": "^5.1.2",
+        "@smithy/types": "^4.3.1",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/openbsd-arm64": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.25.8.tgz",
-      "integrity": "sha512-j8HgrDuSJFAujkivSMSfPQSAa5Fxbvk4rgNAS5i3K+r8s1X0p1uOO2Hl2xNsGFppOeHOLAVgYwDVlmxhq5h+SQ==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "openbsd"
-      ],
+    "node_modules/@aws-sdk/middleware-location-constraint": {
+      "version": "3.840.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-location-constraint/-/middleware-location-constraint-3.840.0.tgz",
+      "integrity": "sha512-KVLD0u0YMF3aQkVF8bdyHAGWSUY6N1Du89htTLgqCcIhSxxAJ9qifrosVZ9jkAzqRW99hcufyt2LylcVU2yoKQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/types": "3.840.0",
+        "@smithy/types": "^4.3.1",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/openbsd-x64": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.25.8.tgz",
-      "integrity": "sha512-1h8MUAwa0VhNCDp6Af0HToI2TJFAn1uqT9Al6DJVzdIBAd21m/G0Yfc77KDM3uF3T/YaOgQq3qTJHPbTOInaIQ==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "openbsd"
-      ],
+    "node_modules/@aws-sdk/middleware-logger": {
+      "version": "3.840.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-logger/-/middleware-logger-3.840.0.tgz",
+      "integrity": "sha512-lSV8FvjpdllpGaRspywss4CtXV8M7NNNH+2/j86vMH+YCOZ6fu2T/TyFd/tHwZ92vDfHctWkRbQxg0bagqwovA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/types": "3.840.0",
+        "@smithy/types": "^4.3.1",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/openharmony-arm64": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.25.8.tgz",
-      "integrity": "sha512-r2nVa5SIK9tSWd0kJd9HCffnDHKchTGikb//9c7HX+r+wHYCpQrSgxhlY6KWV1nFo1l4KFbsMlHk+L6fekLsUg==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "openharmony"
-      ],
+    "node_modules/@aws-sdk/middleware-recursion-detection": {
+      "version": "3.840.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-recursion-detection/-/middleware-recursion-detection-3.840.0.tgz",
+      "integrity": "sha512-Gu7lGDyfddyhIkj1Z1JtrY5NHb5+x/CRiB87GjaSrKxkDaydtX2CU977JIABtt69l9wLbcGDIQ+W0uJ5xPof7g==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/types": "3.840.0",
+        "@smithy/protocol-http": "^5.1.2",
+        "@smithy/types": "^4.3.1",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/sunos-x64": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.25.8.tgz",
-      "integrity": "sha512-zUlaP2S12YhQ2UzUfcCuMDHQFJyKABkAjvO5YSndMiIkMimPmxA+BYSBikWgsRpvyxuRnow4nS5NPnf9fpv41w==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "sunos"
-      ],
+    "node_modules/@aws-sdk/middleware-sdk-s3": {
+      "version": "3.846.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-sdk-s3/-/middleware-sdk-s3-3.846.0.tgz",
+      "integrity": "sha512-jP9x+2Q87J5l8FOP+jlAd7vGLn0cC6G9QGmf386e5OslBPqxXKcl3RjqGLIOKKos2mVItY3ApP5xdXQx7jGTVA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/core": "3.846.0",
+        "@aws-sdk/types": "3.840.0",
+        "@aws-sdk/util-arn-parser": "3.804.0",
+        "@smithy/core": "^3.7.0",
+        "@smithy/node-config-provider": "^4.1.3",
+        "@smithy/protocol-http": "^5.1.2",
+        "@smithy/signature-v4": "^5.1.2",
+        "@smithy/smithy-client": "^4.4.7",
+        "@smithy/types": "^4.3.1",
+        "@smithy/util-config-provider": "^4.0.0",
+        "@smithy/util-middleware": "^4.0.4",
+        "@smithy/util-stream": "^4.2.3",
+        "@smithy/util-utf8": "^4.0.0",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/win32-arm64": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.25.8.tgz",
-      "integrity": "sha512-YEGFFWESlPva8hGL+zvj2z/SaK+pH0SwOM0Nc/d+rVnW7GSTFlLBGzZkuSU9kFIGIo8q9X3ucpZhu8PDN5A2sQ==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "win32"
-      ],
+    "node_modules/@aws-sdk/middleware-ssec": {
+      "version": "3.840.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-ssec/-/middleware-ssec-3.840.0.tgz",
+      "integrity": "sha512-CBZP9t1QbjDFGOrtnUEHL1oAvmnCUUm7p0aPNbIdSzNtH42TNKjPRN3TuEIJDGjkrqpL3MXyDSmNayDcw/XW7Q==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/types": "3.840.0",
+        "@smithy/types": "^4.3.1",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/win32-ia32": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.25.8.tgz",
-      "integrity": "sha512-hiGgGC6KZ5LZz58OL/+qVVoZiuZlUYlYHNAmczOm7bs2oE1XriPFi5ZHHrS8ACpV5EjySrnoCKmcbQMN+ojnHg==",
-      "cpu": [
-        "ia32"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "win32"
-      ],
+    "node_modules/@aws-sdk/middleware-user-agent": {
+      "version": "3.848.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-user-agent/-/middleware-user-agent-3.848.0.tgz",
+      "integrity": "sha512-rjMuqSWJEf169/ByxvBqfdei1iaduAnfolTshsZxwcmLIUtbYrFUmts0HrLQqsAG8feGPpDLHA272oPl+NTCCA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/core": "3.846.0",
+        "@aws-sdk/types": "3.840.0",
+        "@aws-sdk/util-endpoints": "3.848.0",
+        "@smithy/core": "^3.7.0",
+        "@smithy/protocol-http": "^5.1.2",
+        "@smithy/types": "^4.3.1",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@esbuild/win32-x64": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.25.8.tgz",
-      "integrity": "sha512-cn3Yr7+OaaZq1c+2pe+8yxC8E144SReCQjN6/2ynubzYjvyqZjTXfQJpAcQpsdJq3My7XADANiYGHoFC69pLQw==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "win32"
-      ],
+    "node_modules/@aws-sdk/nested-clients": {
+      "version": "3.848.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/nested-clients/-/nested-clients-3.848.0.tgz",
+      "integrity": "sha512-joLsyyo9u61jnZuyYzo1z7kmS7VgWRAkzSGESVzQHfOA1H2PYeUFek6vLT4+c9xMGrX/Z6B0tkRdzfdOPiatLg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-crypto/sha256-browser": "5.2.0",
+        "@aws-crypto/sha256-js": "5.2.0",
+        "@aws-sdk/core": "3.846.0",
+        "@aws-sdk/middleware-host-header": "3.840.0",
+        "@aws-sdk/middleware-logger": "3.840.0",
+        "@aws-sdk/middleware-recursion-detection": "3.840.0",
+        "@aws-sdk/middleware-user-agent": "3.848.0",
+        "@aws-sdk/region-config-resolver": "3.840.0",
+        "@aws-sdk/types": "3.840.0",
+        "@aws-sdk/util-endpoints": "3.848.0",
+        "@aws-sdk/util-user-agent-browser": "3.840.0",
+        "@aws-sdk/util-user-agent-node": "3.848.0",
+        "@smithy/config-resolver": "^4.1.4",
+        "@smithy/core": "^3.7.0",
+        "@smithy/fetch-http-handler": "^5.1.0",
+        "@smithy/hash-node": "^4.0.4",
+        "@smithy/invalid-dependency": "^4.0.4",
+        "@smithy/middleware-content-length": "^4.0.4",
+        "@smithy/middleware-endpoint": "^4.1.15",
+        "@smithy/middleware-retry": "^4.1.16",
+        "@smithy/middleware-serde": "^4.0.8",
+        "@smithy/middleware-stack": "^4.0.4",
+        "@smithy/node-config-provider": "^4.1.3",
+        "@smithy/node-http-handler": "^4.1.0",
+        "@smithy/protocol-http": "^5.1.2",
+        "@smithy/smithy-client": "^4.4.7",
+        "@smithy/types": "^4.3.1",
+        "@smithy/url-parser": "^4.0.4",
+        "@smithy/util-base64": "^4.0.0",
+        "@smithy/util-body-length-browser": "^4.0.0",
+        "@smithy/util-body-length-node": "^4.0.0",
+        "@smithy/util-defaults-mode-browser": "^4.0.23",
+        "@smithy/util-defaults-mode-node": "^4.0.23",
+        "@smithy/util-endpoints": "^3.0.6",
+        "@smithy/util-middleware": "^4.0.4",
+        "@smithy/util-retry": "^4.0.6",
+        "@smithy/util-utf8": "^4.0.0",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@eslint-community/eslint-utils": {
-      "version": "4.9.0",
-      "resolved": "https://registry.npmjs.org/@eslint-community/eslint-utils/-/eslint-utils-4.9.0.tgz",
-      "integrity": "sha512-ayVFHdtZ+hsq1t2Dy24wCmGXGe4q9Gu3smhLYALJrr473ZH27MsnSL+LKUlimp4BWJqMDMLmPpx/Q9R3OAlL4g==",
-      "dev": true,
-      "license": "MIT",
+    "node_modules/@aws-sdk/region-config-resolver": {
+      "version": "3.840.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/region-config-resolver/-/region-config-resolver-3.840.0.tgz",
+      "integrity": "sha512-Qjnxd/yDv9KpIMWr90ZDPtRj0v75AqGC92Lm9+oHXZ8p1MjG5JE2CW0HL8JRgK9iKzgKBL7pPQRXI8FkvEVfrA==",
+      "license": "Apache-2.0",
       "dependencies": {
-        "eslint-visitor-keys": "^3.4.3"
+        "@aws-sdk/types": "3.840.0",
+        "@smithy/node-config-provider": "^4.1.3",
+        "@smithy/types": "^4.3.1",
+        "@smithy/util-config-provider": "^4.0.0",
+        "@smithy/util-middleware": "^4.0.4",
+        "tslib": "^2.6.2"
       },
       "engines": {
-        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
-      },
-      "funding": {
-        "url": "https://opencollective.com/eslint"
-      },
-      "peerDependencies": {
-        "eslint": "^6.0.0 || ^7.0.0 || >=8.0.0"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@eslint-community/regexpp": {
-      "version": "4.12.1",
-      "resolved": "https://registry.npmjs.org/@eslint-community/regexpp/-/regexpp-4.12.1.tgz",
-      "integrity": "sha512-CCZCDJuduB9OUkFkY2IgppNZMi2lBQgD2qzwXkEia16cge2pijY/aXi96CJMquDMn3nJdlPV1A5KrJEXwfLNzQ==",
-      "dev": true,
-      "license": "MIT",
+    "node_modules/@aws-sdk/signature-v4-multi-region": {
+      "version": "3.846.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/signature-v4-multi-region/-/signature-v4-multi-region-3.846.0.tgz",
+      "integrity": "sha512-ZMfIMxUljqZzPJGOcraC6erwq/z1puNMU35cO1a/WdhB+LdYknMn1lr7SJuH754QwNzzIlZbEgg4hoHw50+DpQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/middleware-sdk-s3": "3.846.0",
+        "@aws-sdk/types": "3.840.0",
+        "@smithy/protocol-http": "^5.1.2",
+        "@smithy/signature-v4": "^5.1.2",
+        "@smithy/types": "^4.3.1",
+        "tslib": "^2.6.2"
+      },
       "engines": {
-        "node": "^12.0.0 || ^14.0.0 || >=16.0.0"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@eslint/config-array": {
-      "version": "0.21.0",
-      "resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.21.0.tgz",
-      "integrity": "sha512-ENIdc4iLu0d93HeYirvKmrzshzofPw6VkZRKQGe9Nv46ZnWUzcF1xV01dcvEg/1wXUR61OmmlSfyeyO7EvjLxQ==",
-      "dev": true,
+    "node_modules/@aws-sdk/token-providers": {
+      "version": "3.848.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/token-providers/-/token-providers-3.848.0.tgz",
+      "integrity": "sha512-oNPyM4+Di2Umu0JJRFSxDcKQ35+Chl/rAwD47/bS0cDPI8yrao83mLXLeDqpRPHyQW4sXlP763FZcuAibC0+mg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@eslint/object-schema": "^2.1.6",
-        "debug": "^4.3.1",
-        "minimatch": "^3.1.2"
+        "@aws-sdk/core": "3.846.0",
+        "@aws-sdk/nested-clients": "3.848.0",
+        "@aws-sdk/types": "3.840.0",
+        "@smithy/property-provider": "^4.0.4",
+        "@smithy/shared-ini-file-loader": "^4.0.4",
+        "@smithy/types": "^4.3.1",
+        "tslib": "^2.6.2"
       },
       "engines": {
-        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
-      }
-    },
-    "node_modules/@eslint/config-array/node_modules/brace-expansion": {
-      "version": "1.1.12",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "balanced-match": "^1.0.0",
-        "concat-map": "0.0.1"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@eslint/config-array/node_modules/minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
-      "dev": true,
-      "license": "ISC",
+    "node_modules/@aws-sdk/types": {
+      "version": "3.840.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/types/-/types-3.840.0.tgz",
+      "integrity": "sha512-xliuHaUFZxEx1NSXeLLZ9Dyu6+EJVQKEoD+yM+zqUo3YDZ7medKJWY6fIOKiPX/N7XbLdBYwajb15Q7IL8KkeA==",
+      "license": "Apache-2.0",
       "dependencies": {
-        "brace-expansion": "^1.1.7"
+        "@smithy/types": "^4.3.1",
+        "tslib": "^2.6.2"
       },
       "engines": {
-        "node": "*"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@eslint/config-helpers": {
-      "version": "0.4.0",
-      "resolved": "https://registry.npmjs.org/@eslint/config-helpers/-/config-helpers-0.4.0.tgz",
-      "integrity": "sha512-WUFvV4WoIwW8Bv0KeKCIIEgdSiFOsulyN0xrMu+7z43q/hkOLXjvb5u7UC9jDxvRzcrbEmuZBX5yJZz1741jog==",
-      "dev": true,
+    "node_modules/@aws-sdk/util-arn-parser": {
+      "version": "3.804.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/util-arn-parser/-/util-arn-parser-3.804.0.tgz",
+      "integrity": "sha512-wmBJqn1DRXnZu3b4EkE6CWnoWMo1ZMvlfkqU5zPz67xx1GMaXlDCchFvKAXMjk4jn/L1O3tKnoFDNsoLV1kgNQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@eslint/core": "^0.16.0"
+        "tslib": "^2.6.2"
       },
       "engines": {
-        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@eslint/core": {
-      "version": "0.16.0",
-      "resolved": "https://registry.npmjs.org/@eslint/core/-/core-0.16.0.tgz",
-      "integrity": "sha512-nmC8/totwobIiFcGkDza3GIKfAw1+hLiYVrh3I1nIomQ8PEr5cxg34jnkmGawul/ep52wGRAcyeDCNtWKSOj4Q==",
-      "dev": true,
+    "node_modules/@aws-sdk/util-endpoints": {
+      "version": "3.848.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/util-endpoints/-/util-endpoints-3.848.0.tgz",
+      "integrity": "sha512-fY/NuFFCq/78liHvRyFKr+aqq1aA/uuVSANjzr5Ym8c+9Z3HRPE9OrExAHoMrZ6zC8tHerQwlsXYYH5XZ7H+ww==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@types/json-schema": "^7.0.15"
+        "@aws-sdk/types": "3.840.0",
+        "@smithy/types": "^4.3.1",
+        "@smithy/url-parser": "^4.0.4",
+        "@smithy/util-endpoints": "^3.0.6",
+        "tslib": "^2.6.2"
       },
       "engines": {
-        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@eslint/eslintrc": {
-      "version": "3.3.1",
-      "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-3.3.1.tgz",
-      "integrity": "sha512-gtF186CXhIl1p4pJNGZw8Yc6RlshoePRvE0X91oPGb3vZ8pM3qOS9W9NGPat9LziaBV7XrJWGylNQXkGcnM3IQ==",
-      "dev": true,
-      "license": "MIT",
+    "node_modules/@aws-sdk/util-locate-window": {
+      "version": "3.804.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/util-locate-window/-/util-locate-window-3.804.0.tgz",
+      "integrity": "sha512-zVoRfpmBVPodYlnMjgVjfGoEZagyRF5IPn3Uo6ZvOZp24chnW/FRstH7ESDHDDRga4z3V+ElUQHKpFDXWyBW5A==",
+      "license": "Apache-2.0",
       "dependencies": {
-        "ajv": "^6.12.4",
-        "debug": "^4.3.2",
-        "espree": "^10.0.1",
-        "globals": "^14.0.0",
-        "ignore": "^5.2.0",
-        "import-fresh": "^3.2.1",
-        "js-yaml": "^4.1.0",
-        "minimatch": "^3.1.2",
-        "strip-json-comments": "^3.1.1"
+        "tslib": "^2.6.2"
       },
       "engines": {
-        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
-      },
-      "funding": {
-        "url": "https://opencollective.com/eslint"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@eslint/eslintrc/node_modules/brace-expansion": {
-      "version": "1.1.12",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
-      "dev": true,
-      "license": "MIT",
+    "node_modules/@aws-sdk/util-user-agent-browser": {
+      "version": "3.840.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-browser/-/util-user-agent-browser-3.840.0.tgz",
+      "integrity": "sha512-JdyZM3EhhL4PqwFpttZu1afDpPJCCc3eyZOLi+srpX11LsGj6sThf47TYQN75HT1CarZ7cCdQHGzP2uy3/xHfQ==",
+      "license": "Apache-2.0",
       "dependencies": {
-        "balanced-match": "^1.0.0",
-        "concat-map": "0.0.1"
+        "@aws-sdk/types": "3.840.0",
+        "@smithy/types": "^4.3.1",
+        "bowser": "^2.11.0",
+        "tslib": "^2.6.2"
       }
     },
-    "node_modules/@eslint/eslintrc/node_modules/minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
-      "dev": true,
-      "license": "ISC",
+    "node_modules/@aws-sdk/util-user-agent-node": {
+      "version": "3.848.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-node/-/util-user-agent-node-3.848.0.tgz",
+      "integrity": "sha512-Zz1ft9NiLqbzNj/M0jVNxaoxI2F4tGXN0ZbZIj+KJ+PbJo+w5+Jo6d0UDAtbj3AEd79pjcCaP4OA9NTVzItUdw==",
+      "license": "Apache-2.0",
       "dependencies": {
-        "brace-expansion": "^1.1.7"
+        "@aws-sdk/middleware-user-agent": "3.848.0",
+        "@aws-sdk/types": "3.840.0",
+        "@smithy/node-config-provider": "^4.1.3",
+        "@smithy/types": "^4.3.1",
+        "tslib": "^2.6.2"
       },
       "engines": {
-        "node": "*"
-      }
-    },
-    "node_modules/@eslint/js": {
-      "version": "9.37.0",
-      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.37.0.tgz",
-      "integrity": "sha512-jaS+NJ+hximswBG6pjNX0uEJZkrT0zwpVi3BA3vX22aFGjJjmgSTSmPpZCRKmoBL5VY/M6p0xsSJx7rk7sy5gg==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+        "node": ">=18.0.0"
       },
-      "funding": {
-        "url": "https://eslint.org/donate"
-      }
-    },
-    "node_modules/@eslint/object-schema": {
-      "version": "2.1.6",
-      "resolved": "https://registry.npmjs.org/@eslint/object-schema/-/object-schema-2.1.6.tgz",
-      "integrity": "sha512-RBMg5FRL0I0gs51M/guSAj5/e14VQ4tpZnQNWwuDT66P14I43ItmPfIZRhO9fUVIPOAQXU47atlywZ/czoqFPA==",
-      "dev": true,
-      "license": "Apache-2.0",
-      "engines": {
-        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+      "peerDependencies": {
+        "aws-crt": ">=1.0.0"
+      },
+      "peerDependenciesMeta": {
+        "aws-crt": {
+          "optional": true
+        }
       }
     },
-    "node_modules/@eslint/plugin-kit": {
-      "version": "0.4.0",
-      "resolved": "https://registry.npmjs.org/@eslint/plugin-kit/-/plugin-kit-0.4.0.tgz",
-      "integrity": "sha512-sB5uyeq+dwCWyPi31B2gQlVlo+j5brPlWx4yZBrEaRo/nhdDE8Xke1gsGgtiBdaBTxuTkceLVuVt/pclrasb0A==",
-      "dev": true,
+    "node_modules/@aws-sdk/xml-builder": {
+      "version": "3.821.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.821.0.tgz",
+      "integrity": "sha512-DIIotRnefVL6DiaHtO6/21DhJ4JZnnIwdNbpwiAhdt/AVbttcE4yw925gsjur0OGv5BTYXQXU3YnANBYnZjuQA==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@eslint/core": "^0.16.0",
-        "levn": "^0.4.1"
+        "@smithy/types": "^4.3.1",
+        "tslib": "^2.6.2"
       },
       "engines": {
-        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
-      }
-    },
-    "node_modules/@headlessui/tailwindcss": {
-      "version": "0.2.2",
-      "resolved": "https://registry.npmjs.org/@headlessui/tailwindcss/-/tailwindcss-0.2.2.tgz",
-      "integrity": "sha512-xNe42KjdyA4kfUKLLPGzME9zkH7Q3rOZ5huFihWNWOQFxnItxPB3/67yBI8/qBfY8nwBRx5GHn4VprsoluVMGw==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=10"
-      },
-      "peerDependencies": {
-        "tailwindcss": "^3.0 || ^4.0"
+        "node": ">=18.0.0"
       }
     },
-    "node_modules/@headlessui/vue": {
-      "version": "1.7.23",
-      "resolved": "https://registry.npmjs.org/@headlessui/vue/-/vue-1.7.23.tgz",
-      "integrity": "sha512-JzdCNqurrtuu0YW6QaDtR2PIYCKPUWq28csDyMvN4zmGccmE7lz40Is6hc3LA4HFeCI7sekZ/PQMTNmn9I/4Wg==",
+    "node_modules/@babel/generator": {
+      "version": "7.29.1",
+      "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.29.1.tgz",
+      "integrity": "sha512-qsaF+9Qcm2Qv8SRIMMscAvG4O3lJ0F1GuMo5HR/Bp02LopNgnZBC/EkbevHFeGs4ls/oPz9v+Bsmzbkbe+0dUw==",
       "license": "MIT",
       "dependencies": {
-        "@tanstack/vue-virtual": "^3.0.0-beta.60"
+        "@babel/parser": "^7.29.0",
+        "@babel/types": "^7.29.0",
+        "@jridgewell/gen-mapping": "^0.3.12",
+        "@jridgewell/trace-mapping": "^0.3.28",
+        "jsesc": "^3.0.2"
       },
       "engines": {
-        "node": ">=10"
-      },
-      "peerDependencies": {
-        "vue": "^3.2.0"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@heroicons/vue": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/@heroicons/vue/-/vue-2.2.0.tgz",
-      "integrity": "sha512-G3dbSxoeEKqbi/DFalhRxJU4mTXJn7GwZ7ae8NuEQzd1bqdd0jAbdaBZlHPcvPD2xI1iGzNVB4k20Un2AguYPw==",
+    "node_modules/@babel/helper-string-parser": {
+      "version": "7.27.1",
+      "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz",
+      "integrity": "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==",
       "license": "MIT",
-      "peerDependencies": {
-        "vue": ">= 3"
+      "engines": {
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@humanfs/core": {
-      "version": "0.19.1",
-      "resolved": "https://registry.npmjs.org/@humanfs/core/-/core-0.19.1.tgz",
-      "integrity": "sha512-5DyQ4+1JEUzejeK1JGICcideyfUbGixgS9jNgex5nqkW+cY7WZhxBigmieN5Qnw9ZosSNVC9KQKyb+GUaGyKUA==",
-      "dev": true,
-      "license": "Apache-2.0",
+    "node_modules/@babel/helper-validator-identifier": {
+      "version": "7.28.5",
+      "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.28.5.tgz",
+      "integrity": "sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q==",
+      "license": "MIT",
       "engines": {
-        "node": ">=18.18.0"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@humanfs/node": {
-      "version": "0.16.6",
-      "resolved": "https://registry.npmjs.org/@humanfs/node/-/node-0.16.6.tgz",
-      "integrity": "sha512-YuI2ZHQL78Q5HbhDiBA1X4LmYdXCKCMQIfw0pw7piHJwyREFebJUvrQN4cMssyES6x+vfUbx1CIpaQUKYdQZOw==",
-      "dev": true,
-      "license": "Apache-2.0",
+    "node_modules/@babel/parser": {
+      "version": "7.29.2",
+      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.2.tgz",
+      "integrity": "sha512-4GgRzy/+fsBa72/RZVJmGKPmZu9Byn8o4MoLpmNe1m8ZfYnz5emHLQz3U4gLud6Zwl0RZIcgiLD7Uq7ySFuDLA==",
+      "license": "MIT",
       "dependencies": {
-        "@humanfs/core": "^0.19.1",
-        "@humanwhocodes/retry": "^0.3.0"
+        "@babel/types": "^7.29.0"
+      },
+      "bin": {
+        "parser": "bin/babel-parser.js"
       },
       "engines": {
-        "node": ">=18.18.0"
+        "node": ">=6.0.0"
       }
     },
-    "node_modules/@humanfs/node/node_modules/@humanwhocodes/retry": {
-      "version": "0.3.1",
-      "resolved": "https://registry.npmjs.org/@humanwhocodes/retry/-/retry-0.3.1.tgz",
-      "integrity": "sha512-JBxkERygn7Bv/GbN5Rv8Ul6LVknS+5Bp6RgDC/O8gEBU/yeH5Ui5C/OlWrTb6qct7LjjfT6Re2NxB0ln0yYybA==",
-      "dev": true,
-      "license": "Apache-2.0",
-      "engines": {
-        "node": ">=18.18"
+    "node_modules/@babel/types": {
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.0.tgz",
+      "integrity": "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==",
+      "license": "MIT",
+      "dependencies": {
+        "@babel/helper-string-parser": "^7.27.1",
+        "@babel/helper-validator-identifier": "^7.28.5"
       },
-      "funding": {
-        "type": "github",
-        "url": "https://github.com/sponsors/nzakas"
-      }
-    },
-    "node_modules/@humanwhocodes/module-importer": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/@humanwhocodes/module-importer/-/module-importer-1.0.1.tgz",
-      "integrity": "sha512-bxveV4V8v5Yb4ncFTT3rPSgZBOpCkjfK0y4oVVVJwIuDVBRMDXrPyXRL988i5ap9m9bnyEEjWfm5WkBmtffLfA==",
-      "dev": true,
-      "license": "Apache-2.0",
       "engines": {
-        "node": ">=12.22"
-      },
-      "funding": {
-        "type": "github",
-        "url": "https://github.com/sponsors/nzakas"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@humanwhocodes/retry": {
-      "version": "0.4.3",
-      "resolved": "https://registry.npmjs.org/@humanwhocodes/retry/-/retry-0.4.3.tgz",
-      "integrity": "sha512-bV0Tgo9K4hfPCek+aMAn81RppFKv2ySDQeMoSZuvTASywNTnVJCArCZE2FWqpvIatKu7VMRLWlR1EazvVhDyhQ==",
+    "node_modules/@bcoe/v8-coverage": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/@bcoe/v8-coverage/-/v8-coverage-1.0.2.tgz",
+      "integrity": "sha512-6zABk/ECA/QYSCQ1NGiVwwbQerUCZ+TQbp64Q3AgmfNvurHH0j8TtXa1qbShXA6qqkpAj4V5W8pP6mLe1mcMqA==",
       "dev": true,
-      "license": "Apache-2.0",
+      "license": "MIT",
       "engines": {
-        "node": ">=18.18"
-      },
-      "funding": {
-        "type": "github",
-        "url": "https://github.com/sponsors/nzakas"
+        "node": ">=18"
       }
     },
-    "node_modules/@intlify/bundle-utils": {
-      "version": "11.0.1",
-      "resolved": "https://registry.npmjs.org/@intlify/bundle-utils/-/bundle-utils-11.0.1.tgz",
-      "integrity": "sha512-5l10G5wE2cQRsZMS9y0oSFMOLW5IG/SgbkIUltqnwF1EMRrRbUAHFiPabXdGTHeexCsMTcxj/1w9i0rzjJU9IQ==",
+    "node_modules/@cspotcode/source-map-support": {
+      "version": "0.8.1",
+      "resolved": "https://registry.npmjs.org/@cspotcode/source-map-support/-/source-map-support-0.8.1.tgz",
+      "integrity": "sha512-IchNf6dN4tHoMFIn/7OE8LWZ19Y6q/67Bmf6vnGREv8RSbBVb9LPJxEcnwrcwX6ixSvaiGoomAUvu4YSxXrVgw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@intlify/message-compiler": "^11.1.10",
-        "@intlify/shared": "^11.1.10",
-        "acorn": "^8.8.2",
-        "esbuild": "^0.25.4",
-        "escodegen": "^2.1.0",
-        "estree-walker": "^2.0.2",
-        "jsonc-eslint-parser": "^2.3.0",
-        "source-map-js": "^1.0.2",
-        "yaml-eslint-parser": "^1.2.2"
+        "@jridgewell/trace-mapping": "0.3.9"
       },
       "engines": {
-        "node": ">= 20"
-      },
-      "peerDependenciesMeta": {
-        "petite-vue-i18n": {
-          "optional": true
-        },
-        "vue-i18n": {
-          "optional": true
-        }
+        "node": ">=12"
       }
     },
-    "node_modules/@intlify/core-base": {
-      "version": "11.1.12",
-      "resolved": "https://registry.npmjs.org/@intlify/core-base/-/core-base-11.1.12.tgz",
-      "integrity": "sha512-whh0trqRsSqVLNEUCwU59pyJZYpU8AmSWl8M3Jz2Mv5ESPP6kFh4juas2NpZ1iCvy7GlNRffUD1xr84gceimjg==",
+    "node_modules/@cspotcode/source-map-support/node_modules/@jridgewell/trace-mapping": {
+      "version": "0.3.9",
+      "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.9.tgz",
+      "integrity": "sha512-3Belt6tdc8bPgAtbcmdtNJlirVoTmEb5e2gC94PnkwEW9jI6CAHUeoG85tjWP5WquqfavoMtMwiG4P926ZKKuQ==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@intlify/message-compiler": "11.1.12",
-        "@intlify/shared": "11.1.12"
-      },
-      "engines": {
-        "node": ">= 16"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/kazupon"
+        "@jridgewell/resolve-uri": "^3.0.3",
+        "@jridgewell/sourcemap-codec": "^1.4.10"
       }
     },
-    "node_modules/@intlify/devtools-types": {
-      "version": "11.1.12",
-      "resolved": "https://registry.npmjs.org/@intlify/devtools-types/-/devtools-types-11.1.12.tgz",
-      "integrity": "sha512-WYgdadYwOxZOAuhiCirQy2yjs7ZLBLEpllkbTbBEjFA7RsvzztJuYaEhHM+NIssyBcWWiWyC+IjgL2wnfK4uUQ==",
+    "node_modules/@esbuild/aix-ppc64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.25.12.tgz",
+      "integrity": "sha512-Hhmwd6CInZ3dwpuGTF8fJG6yoWmsToE+vYgD4nytZVxcu1ulHpUQRAB1UJ8+N1Am3Mz4+xOByoQoSZf4D+CpkA==",
+      "cpu": [
+        "ppc64"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "@intlify/core-base": "11.1.12",
-        "@intlify/shared": "11.1.12"
-      },
+      "optional": true,
+      "os": [
+        "aix"
+      ],
       "engines": {
-        "node": ">= 16"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/kazupon"
+        "node": ">=18"
       }
     },
-    "node_modules/@intlify/message-compiler": {
-      "version": "11.1.12",
-      "resolved": "https://registry.npmjs.org/@intlify/message-compiler/-/message-compiler-11.1.12.tgz",
-      "integrity": "sha512-Fv9iQSJoJaXl4ZGkOCN1LDM3trzze0AS2zRz2EHLiwenwL6t0Ki9KySYlyr27yVOj5aVz0e55JePO+kELIvfdQ==",
+    "node_modules/@esbuild/android-arm": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.25.12.tgz",
+      "integrity": "sha512-VJ+sKvNA/GE7Ccacc9Cha7bpS8nyzVv0jdVgwNDaR4gDMC/2TTRc33Ip8qrNYUcpkOHUT5OZ0bUcNNVZQ9RLlg==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "@intlify/shared": "11.1.12",
-        "source-map-js": "^1.0.2"
-      },
+      "optional": true,
+      "os": [
+        "android"
+      ],
       "engines": {
-        "node": ">= 16"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/kazupon"
+        "node": ">=18"
       }
     },
-    "node_modules/@intlify/shared": {
-      "version": "11.1.12",
-      "resolved": "https://registry.npmjs.org/@intlify/shared/-/shared-11.1.12.tgz",
-      "integrity": "sha512-Om86EjuQtA69hdNj3GQec9ZC0L0vPSAnXzB3gP/gyJ7+mA7t06d9aOAiqMZ+xEOsumGP4eEBlfl8zF2LOTzf2A==",
+    "node_modules/@esbuild/android-arm64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.25.12.tgz",
+      "integrity": "sha512-6AAmLG7zwD1Z159jCKPvAxZd4y/VTO0VkprYy+3N2FtJ8+BQWFXU+OxARIwA46c5tdD9SsKGZ/1ocqBS/gAKHg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
       "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
       "engines": {
-        "node": ">= 16"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/kazupon"
+        "node": ">=18"
       }
     },
-    "node_modules/@intlify/unplugin-vue-i18n": {
-      "version": "11.0.1",
-      "resolved": "https://registry.npmjs.org/@intlify/unplugin-vue-i18n/-/unplugin-vue-i18n-11.0.1.tgz",
-      "integrity": "sha512-nH5NJdNjy/lO6Ne8LDtZzv4SbpVsMhPE+LbvBDmMeIeJDiino8sOJN2QB3MXzTliYTnqe3aB9Fw5+LJ/XVaXCg==",
-      "dev": true,
+    "node_modules/@esbuild/android-x64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.25.12.tgz",
+      "integrity": "sha512-5jbb+2hhDHx5phYR2By8GTWEzn6I9UqR11Kwf22iKbNpYrsmRB18aX/9ivc5cabcUiAT/wM+YIZ6SG9QO6a8kg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "@eslint-community/eslint-utils": "^4.4.0",
-        "@intlify/bundle-utils": "11.0.1",
-        "@intlify/shared": "^11.1.10",
-        "@intlify/vue-i18n-extensions": "^8.0.0",
-        "@rollup/pluginutils": "^5.1.0",
-        "@typescript-eslint/scope-manager": "^8.13.0",
-        "@typescript-eslint/typescript-estree": "^8.13.0",
-        "debug": "^4.3.3",
-        "fast-glob": "^3.2.12",
-        "pathe": "^2.0.3",
-        "picocolors": "^1.0.0",
-        "unplugin": "^2.3.4",
-        "vue": "^3.5.14"
-      },
+      "optional": true,
+      "os": [
+        "android"
+      ],
       "engines": {
-        "node": ">= 20"
-      },
-      "peerDependencies": {
-        "petite-vue-i18n": "*",
-        "vue": "^3.2.25",
-        "vue-i18n": "*"
-      },
-      "peerDependenciesMeta": {
-        "petite-vue-i18n": {
-          "optional": true
-        },
-        "vue-i18n": {
-          "optional": true
-        }
+        "node": ">=18"
       }
     },
-    "node_modules/@intlify/vue-i18n-extensions": {
-      "version": "8.0.0",
-      "resolved": "https://registry.npmjs.org/@intlify/vue-i18n-extensions/-/vue-i18n-extensions-8.0.0.tgz",
-      "integrity": "sha512-w0+70CvTmuqbskWfzeYhn0IXxllr6mU+IeM2MU0M+j9OW64jkrvqY+pYFWrUnIIC9bEdij3NICruicwd5EgUuQ==",
+    "node_modules/@esbuild/darwin-arm64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.25.12.tgz",
+      "integrity": "sha512-N3zl+lxHCifgIlcMUP5016ESkeQjLj/959RxxNYIthIg+CQHInujFuXeWbWMgnTo4cp5XVHqFPmpyu9J65C1Yg==",
+      "cpu": [
+        "arm64"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "@babel/parser": "^7.24.6",
-        "@intlify/shared": "^10.0.0",
-        "@vue/compiler-dom": "^3.2.45",
-        "vue-i18n": "^10.0.0"
-      },
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
       "engines": {
-        "node": ">= 18"
-      },
-      "peerDependencies": {
-        "@intlify/shared": "^9.0.0 || ^10.0.0 || ^11.0.0",
-        "@vue/compiler-dom": "^3.0.0",
-        "vue": "^3.0.0",
-        "vue-i18n": "^9.0.0 || ^10.0.0 || ^11.0.0"
-      },
-      "peerDependenciesMeta": {
-        "@intlify/shared": {
-          "optional": true
-        },
-        "@vue/compiler-dom": {
-          "optional": true
-        },
-        "vue": {
-          "optional": true
-        },
-        "vue-i18n": {
-          "optional": true
-        }
+        "node": ">=18"
       }
     },
-    "node_modules/@intlify/vue-i18n-extensions/node_modules/@intlify/core-base": {
-      "version": "10.0.8",
-      "resolved": "https://registry.npmjs.org/@intlify/core-base/-/core-base-10.0.8.tgz",
-      "integrity": "sha512-FoHslNWSoHjdUBLy35bpm9PV/0LVI/DSv9L6Km6J2ad8r/mm0VaGg06C40FqlE8u2ADcGUM60lyoU7Myo4WNZQ==",
+    "node_modules/@esbuild/darwin-x64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.25.12.tgz",
+      "integrity": "sha512-HQ9ka4Kx21qHXwtlTUVbKJOAnmG1ipXhdWTmNXiPzPfWKpXqASVcWdnf2bnL73wgjNrFXAa3yYvBSd9pzfEIpA==",
+      "cpu": [
+        "x64"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "@intlify/message-compiler": "10.0.8",
-        "@intlify/shared": "10.0.8"
-      },
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
       "engines": {
-        "node": ">= 16"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/kazupon"
+        "node": ">=18"
       }
     },
-    "node_modules/@intlify/vue-i18n-extensions/node_modules/@intlify/message-compiler": {
-      "version": "10.0.8",
-      "resolved": "https://registry.npmjs.org/@intlify/message-compiler/-/message-compiler-10.0.8.tgz",
-      "integrity": "sha512-DV+sYXIkHVd5yVb2mL7br/NEUwzUoLBsMkV3H0InefWgmYa34NLZUvMCGi5oWX+Hqr2Y2qUxnVrnOWF4aBlgWg==",
+    "node_modules/@esbuild/freebsd-arm64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.25.12.tgz",
+      "integrity": "sha512-gA0Bx759+7Jve03K1S0vkOu5Lg/85dou3EseOGUes8flVOGxbhDDh/iZaoek11Y8mtyKPGF3vP8XhnkDEAmzeg==",
+      "cpu": [
+        "arm64"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "@intlify/shared": "10.0.8",
-        "source-map-js": "^1.0.2"
-      },
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
       "engines": {
-        "node": ">= 16"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/kazupon"
+        "node": ">=18"
       }
     },
-    "node_modules/@intlify/vue-i18n-extensions/node_modules/@intlify/shared": {
-      "version": "10.0.8",
-      "resolved": "https://registry.npmjs.org/@intlify/shared/-/shared-10.0.8.tgz",
-      "integrity": "sha512-BcmHpb5bQyeVNrptC3UhzpBZB/YHHDoEREOUERrmF2BRxsyOEuRrq+Z96C/D4+2KJb8kuHiouzAei7BXlG0YYw==",
+    "node_modules/@esbuild/freebsd-x64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.25.12.tgz",
+      "integrity": "sha512-TGbO26Yw2xsHzxtbVFGEXBFH0FRAP7gtcPE7P5yP7wGy7cXK2oO7RyOhL5NLiqTlBh47XhmIUXuGciXEqYFfBQ==",
+      "cpu": [
+        "x64"
+      ],
       "dev": true,
       "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
       "engines": {
-        "node": ">= 16"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/kazupon"
+        "node": ">=18"
       }
     },
-    "node_modules/@intlify/vue-i18n-extensions/node_modules/vue-i18n": {
-      "version": "10.0.8",
-      "resolved": "https://registry.npmjs.org/vue-i18n/-/vue-i18n-10.0.8.tgz",
-      "integrity": "sha512-mIjy4utxMz9lMMo6G9vYePv7gUFt4ztOMhY9/4czDJxZ26xPeJ49MAGa9wBAE3XuXbYCrtVPmPxNjej7JJJkZQ==",
+    "node_modules/@esbuild/linux-arm": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.25.12.tgz",
+      "integrity": "sha512-lPDGyC1JPDou8kGcywY0YILzWlhhnRjdof3UlcoqYmS9El818LLfJJc3PXXgZHrHCAKs/Z2SeZtDJr5MrkxtOw==",
+      "cpu": [
+        "arm"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "@intlify/core-base": "10.0.8",
-        "@intlify/shared": "10.0.8",
-        "@vue/devtools-api": "^6.5.0"
-      },
+      "optional": true,
+      "os": [
+        "linux"
+      ],
       "engines": {
-        "node": ">= 16"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/kazupon"
-      },
-      "peerDependencies": {
-        "vue": "^3.0.0"
+        "node": ">=18"
       }
     },
-    "node_modules/@isaacs/cliui": {
-      "version": "8.0.2",
-      "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz",
-      "integrity": "sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==",
+    "node_modules/@esbuild/linux-arm64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.25.12.tgz",
+      "integrity": "sha512-8bwX7a8FghIgrupcxb4aUmYDLp8pX06rGh5HqDT7bB+8Rdells6mHvrFHHW2JAOPZUbnjUpKTLg6ECyzvas2AQ==",
+      "cpu": [
+        "arm64"
+      ],
       "dev": true,
-      "license": "ISC",
-      "dependencies": {
-        "string-width": "^5.1.2",
-        "string-width-cjs": "npm:string-width@^4.2.0",
-        "strip-ansi": "^7.0.1",
-        "strip-ansi-cjs": "npm:strip-ansi@^6.0.1",
-        "wrap-ansi": "^8.1.0",
-        "wrap-ansi-cjs": "npm:wrap-ansi@^7.0.0"
-      },
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
       "engines": {
-        "node": ">=12"
+        "node": ">=18"
       }
     },
-    "node_modules/@isaacs/fs-minipass": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/@isaacs/fs-minipass/-/fs-minipass-4.0.1.tgz",
-      "integrity": "sha512-wgm9Ehl2jpeqP3zw/7mo3kRHFp5MEDhqAdwy1fTGkHAwnkGOVsgpvQhL8B5n1qlb01jV3n/bI0ZfZp5lWA1k4w==",
+    "node_modules/@esbuild/linux-ia32": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.25.12.tgz",
+      "integrity": "sha512-0y9KrdVnbMM2/vG8KfU0byhUN+EFCny9+8g202gYqSSVMonbsCfLjUO+rCci7pM0WBEtz+oK/PIwHkzxkyharA==",
+      "cpu": [
+        "ia32"
+      ],
       "dev": true,
-      "license": "ISC",
-      "dependencies": {
-        "minipass": "^7.0.4"
-      },
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
       "engines": {
-        "node": ">=18.0.0"
+        "node": ">=18"
       }
     },
-    "node_modules/@istanbuljs/schema": {
-      "version": "0.1.3",
-      "resolved": "https://registry.npmjs.org/@istanbuljs/schema/-/schema-0.1.3.tgz",
-      "integrity": "sha512-ZXRY4jNvVgSVQ8DL3LTcakaAtXwTVUxE81hslsyD2AtoXW/wVob10HkOJ1X/pAlcI7D+2YoZKg5do8G/w6RYgA==",
+    "node_modules/@esbuild/linux-loong64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.25.12.tgz",
+      "integrity": "sha512-h///Lr5a9rib/v1GGqXVGzjL4TMvVTv+s1DPoxQdz7l/AYv6LDSxdIwzxkrPW438oUXiDtwM10o9PmwS/6Z0Ng==",
+      "cpu": [
+        "loong64"
+      ],
       "dev": true,
       "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
       "engines": {
-        "node": ">=8"
+        "node": ">=18"
       }
     },
-    "node_modules/@jridgewell/gen-mapping": {
-      "version": "0.3.12",
-      "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.12.tgz",
-      "integrity": "sha512-OuLGC46TjB5BbN1dH8JULVVZY4WTdkF7tV9Ys6wLL1rubZnCMstOhNHueU5bLCrnRuDhKPDM4g6sw4Bel5Gzqg==",
+    "node_modules/@esbuild/linux-mips64el": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.25.12.tgz",
+      "integrity": "sha512-iyRrM1Pzy9GFMDLsXn1iHUm18nhKnNMWscjmp4+hpafcZjrr2WbT//d20xaGljXDBYHqRcl8HnxbX6uaA/eGVw==",
+      "cpu": [
+        "mips64el"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "@jridgewell/sourcemap-codec": "^1.5.0",
-        "@jridgewell/trace-mapping": "^0.3.24"
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
       }
     },
-    "node_modules/@jridgewell/remapping": {
-      "version": "2.3.5",
-      "resolved": "https://registry.npmjs.org/@jridgewell/remapping/-/remapping-2.3.5.tgz",
-      "integrity": "sha512-LI9u/+laYG4Ds1TDKSJW2YPrIlcVYOwi2fUC6xB43lueCjgxV4lffOCZCtYFiH6TNOX+tQKXx97T4IKHbhyHEQ==",
+    "node_modules/@esbuild/linux-ppc64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.25.12.tgz",
+      "integrity": "sha512-9meM/lRXxMi5PSUqEXRCtVjEZBGwB7P/D4yT8UG/mwIdze2aV4Vo6U5gD3+RsoHXKkHCfSxZKzmDssVlRj1QQA==",
+      "cpu": [
+        "ppc64"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "@jridgewell/gen-mapping": "^0.3.5",
-        "@jridgewell/trace-mapping": "^0.3.24"
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
       }
     },
-    "node_modules/@jridgewell/resolve-uri": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz",
-      "integrity": "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==",
+    "node_modules/@esbuild/linux-riscv64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.25.12.tgz",
+      "integrity": "sha512-Zr7KR4hgKUpWAwb1f3o5ygT04MzqVrGEGXGLnj15YQDJErYu/BGg+wmFlIDOdJp0PmB0lLvxFIOXZgFRrdjR0w==",
+      "cpu": [
+        "riscv64"
+      ],
       "dev": true,
       "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
       "engines": {
-        "node": ">=6.0.0"
+        "node": ">=18"
       }
     },
-    "node_modules/@jridgewell/sourcemap-codec": {
-      "version": "1.5.5",
-      "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.5.tgz",
-      "integrity": "sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==",
-      "license": "MIT"
-    },
-    "node_modules/@jridgewell/trace-mapping": {
-      "version": "0.3.29",
-      "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.29.tgz",
-      "integrity": "sha512-uw6guiW/gcAGPDhLmd77/6lW8QLeiV5RUTsAX46Db6oLhGaVj4lhnPwb184s1bkc8kdVg/+h988dro8GRDpmYQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@jridgewell/resolve-uri": "^3.1.0",
-        "@jridgewell/sourcemap-codec": "^1.4.14"
-      }
-    },
-    "node_modules/@nodelib/fs.scandir": {
-      "version": "2.1.5",
-      "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
-      "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@nodelib/fs.stat": "2.0.5",
-        "run-parallel": "^1.1.9"
-      },
-      "engines": {
-        "node": ">= 8"
-      }
-    },
-    "node_modules/@nodelib/fs.stat": {
-      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz",
-      "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">= 8"
-      }
-    },
-    "node_modules/@nodelib/fs.walk": {
-      "version": "1.2.8",
-      "resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz",
-      "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@nodelib/fs.scandir": "2.1.5",
-        "fastq": "^1.6.0"
-      },
-      "engines": {
-        "node": ">= 8"
-      }
-    },
-    "node_modules/@pkgjs/parseargs": {
-      "version": "0.11.0",
-      "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz",
-      "integrity": "sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==",
+    "node_modules/@esbuild/linux-s390x": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.25.12.tgz",
+      "integrity": "sha512-MsKncOcgTNvdtiISc/jZs/Zf8d0cl/t3gYWX8J9ubBnVOwlk65UIEEvgBORTiljloIWnBzLs4qhzPkJcitIzIg==",
+      "cpu": [
+        "s390x"
+      ],
       "dev": true,
       "license": "MIT",
       "optional": true,
+      "os": [
+        "linux"
+      ],
       "engines": {
-        "node": ">=14"
-      }
-    },
-    "node_modules/@rolldown/pluginutils": {
-      "version": "1.0.0-beta.29",
-      "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-beta.29.tgz",
-      "integrity": "sha512-NIJgOsMjbxAXvoGq/X0gD7VPMQ8j9g0BiDaNjVNVjvl+iKXxL3Jre0v31RmBYeLEmkbj2s02v8vFTbUXi5XS2Q==",
-      "dev": true,
-      "license": "MIT"
-    },
-    "node_modules/@rollup/pluginutils": {
-      "version": "5.2.0",
-      "resolved": "https://registry.npmjs.org/@rollup/pluginutils/-/pluginutils-5.2.0.tgz",
-      "integrity": "sha512-qWJ2ZTbmumwiLFomfzTyt5Kng4hwPi9rwCYN4SHb6eaRU1KNO4ccxINHr/VhH4GgPlt1XfSTLX2LBTme8ne4Zw==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/estree": "^1.0.0",
-        "estree-walker": "^2.0.2",
-        "picomatch": "^4.0.2"
-      },
-      "engines": {
-        "node": ">=14.0.0"
-      },
-      "peerDependencies": {
-        "rollup": "^1.20.0||^2.0.0||^3.0.0||^4.0.0"
-      },
-      "peerDependenciesMeta": {
-        "rollup": {
-          "optional": true
-        }
+        "node": ">=18"
       }
     },
-    "node_modules/@rollup/rollup-android-arm-eabi": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.46.2.tgz",
-      "integrity": "sha512-Zj3Hl6sN34xJtMv7Anwb5Gu01yujyE/cLBDB2gnHTAHaWS1Z38L7kuSG+oAh0giZMqG060f/YBStXtMH6FvPMA==",
+    "node_modules/@esbuild/linux-x64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.25.12.tgz",
+      "integrity": "sha512-uqZMTLr/zR/ed4jIGnwSLkaHmPjOjJvnm6TVVitAa08SLS9Z0VM8wIRx7gWbJB5/J54YuIMInDquWyYvQLZkgw==",
       "cpu": [
-        "arm"
+        "x64"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
-        "android"
-      ]
-    },
-    "node_modules/@rollup/rollup-android-arm64": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.46.2.tgz",
-      "integrity": "sha512-nTeCWY83kN64oQ5MGz3CgtPx8NSOhC5lWtsjTs+8JAJNLcP3QbLCtDDgUKQc/Ro/frpMq4SHUaHN6AMltcEoLQ==",
-      "cpu": [
-        "arm64"
+        "linux"
       ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "android"
-      ]
+      "engines": {
+        "node": ">=18"
+      }
     },
-    "node_modules/@rollup/rollup-darwin-arm64": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.46.2.tgz",
-      "integrity": "sha512-HV7bW2Fb/F5KPdM/9bApunQh68YVDU8sO8BvcW9OngQVN3HHHkw99wFupuUJfGR9pYLLAjcAOA6iO+evsbBaPQ==",
+    "node_modules/@esbuild/netbsd-arm64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.25.12.tgz",
+      "integrity": "sha512-xXwcTq4GhRM7J9A8Gv5boanHhRa/Q9KLVmcyXHCTaM4wKfIpWkdXiMog/KsnxzJ0A1+nD+zoecuzqPmCRyBGjg==",
       "cpu": [
         "arm64"
       ],
@@ -1309,13 +1357,16 @@
       "license": "MIT",
       "optional": true,
       "os": [
-        "darwin"
-      ]
+        "netbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
     },
-    "node_modules/@rollup/rollup-darwin-x64": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.46.2.tgz",
-      "integrity": "sha512-SSj8TlYV5nJixSsm/y3QXfhspSiLYP11zpfwp6G/YDXctf3Xkdnk4woJIF5VQe0of2OjzTt8EsxnJDCdHd2xMA==",
+    "node_modules/@esbuild/netbsd-x64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.25.12.tgz",
+      "integrity": "sha512-Ld5pTlzPy3YwGec4OuHh1aCVCRvOXdH8DgRjfDy/oumVovmuSzWfnSJg+VtakB9Cm0gxNO9BzWkj6mtO1FMXkQ==",
       "cpu": [
         "x64"
       ],
@@ -1323,13 +1374,16 @@
       "license": "MIT",
       "optional": true,
       "os": [
-        "darwin"
-      ]
+        "netbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
     },
-    "node_modules/@rollup/rollup-freebsd-arm64": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.46.2.tgz",
-      "integrity": "sha512-ZyrsG4TIT9xnOlLsSSi9w/X29tCbK1yegE49RYm3tu3wF1L/B6LVMqnEWyDB26d9Ecx9zrmXCiPmIabVuLmNSg==",
+    "node_modules/@esbuild/openbsd-arm64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.25.12.tgz",
+      "integrity": "sha512-fF96T6KsBo/pkQI950FARU9apGNTSlZGsv1jZBAlcLL1MLjLNIWPBkj5NlSz8aAzYKg+eNqknrUJ24QBybeR5A==",
       "cpu": [
         "arm64"
       ],
@@ -1337,13 +1391,16 @@
       "license": "MIT",
       "optional": true,
       "os": [
-        "freebsd"
-      ]
+        "openbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
     },
-    "node_modules/@rollup/rollup-freebsd-x64": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.46.2.tgz",
-      "integrity": "sha512-pCgHFoOECwVCJ5GFq8+gR8SBKnMO+xe5UEqbemxBpCKYQddRQMgomv1104RnLSg7nNvgKy05sLsY51+OVRyiVw==",
+    "node_modules/@esbuild/openbsd-x64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.25.12.tgz",
+      "integrity": "sha512-MZyXUkZHjQxUvzK7rN8DJ3SRmrVrke8ZyRusHlP+kuwqTcfWLyqMOE3sScPPyeIXN/mDJIfGXvcMqCgYKekoQw==",
       "cpu": [
         "x64"
       ],
@@ -1351,55 +1408,50 @@
       "license": "MIT",
       "optional": true,
       "os": [
-        "freebsd"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-arm-gnueabihf": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.46.2.tgz",
-      "integrity": "sha512-EtP8aquZ0xQg0ETFcxUbU71MZlHaw9MChwrQzatiE8U/bvi5uv/oChExXC4mWhjiqK7azGJBqU0tt5H123SzVA==",
-      "cpu": [
-        "arm"
+        "openbsd"
       ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
+      "engines": {
+        "node": ">=18"
+      }
     },
-    "node_modules/@rollup/rollup-linux-arm-musleabihf": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.46.2.tgz",
-      "integrity": "sha512-qO7F7U3u1nfxYRPM8HqFtLd+raev2K137dsV08q/LRKRLEc7RsiDWihUnrINdsWQxPR9jqZ8DIIZ1zJJAm5PjQ==",
+    "node_modules/@esbuild/openharmony-arm64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.25.12.tgz",
+      "integrity": "sha512-rm0YWsqUSRrjncSXGA7Zv78Nbnw4XL6/dzr20cyrQf7ZmRcsovpcRBdhD43Nuk3y7XIoW2OxMVvwuRvk9XdASg==",
       "cpu": [
-        "arm"
+        "arm64"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
-        "linux"
-      ]
+        "openharmony"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
     },
-    "node_modules/@rollup/rollup-linux-arm64-gnu": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.46.2.tgz",
-      "integrity": "sha512-3dRaqLfcOXYsfvw5xMrxAk9Lb1f395gkoBYzSFcc/scgRFptRXL9DOaDpMiehf9CO8ZDRJW2z45b6fpU5nwjng==",
+    "node_modules/@esbuild/sunos-x64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.25.12.tgz",
+      "integrity": "sha512-3wGSCDyuTHQUzt0nV7bocDy72r2lI33QL3gkDNGkod22EsYl04sMf0qLb8luNKTOmgF/eDEDP5BFNwoBKH441w==",
       "cpu": [
-        "arm64"
+        "x64"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
-        "linux"
-      ]
+        "sunos"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
     },
-    "node_modules/@rollup/rollup-linux-arm64-musl": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.46.2.tgz",
-      "integrity": "sha512-fhHFTutA7SM+IrR6lIfiHskxmpmPTJUXpWIsBXpeEwNgZzZZSg/q4i6FU4J8qOGyJ0TR+wXBwx/L7Ho9z0+uDg==",
+    "node_modules/@esbuild/win32-arm64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.25.12.tgz",
+      "integrity": "sha512-rMmLrur64A7+DKlnSuwqUdRKyd3UE7oPJZmnljqEptesKM8wx9J8gx5u0+9Pq0fQQW8vqeKebwNXdfOyP+8Bsg==",
       "cpu": [
         "arm64"
       ],
@@ -1407,152 +1459,1749 @@
       "license": "MIT",
       "optional": true,
       "os": [
-        "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-loongarch64-gnu": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loongarch64-gnu/-/rollup-linux-loongarch64-gnu-4.46.2.tgz",
-      "integrity": "sha512-i7wfGFXu8x4+FRqPymzjD+Hyav8l95UIZ773j7J7zRYc3Xsxy2wIn4x+llpunexXe6laaO72iEjeeGyUFmjKeA==",
-      "cpu": [
-        "loong64"
+        "win32"
       ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
+      "engines": {
+        "node": ">=18"
+      }
     },
-    "node_modules/@rollup/rollup-linux-ppc64-gnu": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.46.2.tgz",
-      "integrity": "sha512-B/l0dFcHVUnqcGZWKcWBSV2PF01YUt0Rvlurci5P+neqY/yMKchGU8ullZvIv5e8Y1C6wOn+U03mrDylP5q9Yw==",
+    "node_modules/@esbuild/win32-ia32": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.25.12.tgz",
+      "integrity": "sha512-HkqnmmBoCbCwxUKKNPBixiWDGCpQGVsrQfJoVGYLPT41XWF8lHuE5N6WhVia2n4o5QK5M4tYr21827fNhi4byQ==",
       "cpu": [
-        "ppc64"
+        "ia32"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
-        "linux"
-      ]
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
     },
-    "node_modules/@rollup/rollup-linux-riscv64-gnu": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.46.2.tgz",
-      "integrity": "sha512-32k4ENb5ygtkMwPMucAb8MtV8olkPT03oiTxJbgkJa7lJ7dZMr0GCFJlyvy+K8iq7F/iuOr41ZdUHaOiqyR3iQ==",
+    "node_modules/@esbuild/win32-x64": {
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.25.12.tgz",
+      "integrity": "sha512-alJC0uCZpTFrSL0CCDjcgleBXPnCrEAhTBILpeAp7M/OFgoqtAetfBzX0xM00MUsVVPpVjlPuMbREqnZCXaTnA==",
       "cpu": [
-        "riscv64"
+        "x64"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
-        "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-riscv64-musl": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.46.2.tgz",
-      "integrity": "sha512-t5B2loThlFEauloaQkZg9gxV05BYeITLvLkWOkRXogP4qHXLkWSbSHKM9S6H1schf/0YGP/qNKtiISlxvfmmZw==",
-      "cpu": [
-        "riscv64"
+        "win32"
       ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@eslint-community/eslint-utils": {
+      "version": "4.9.1",
+      "resolved": "https://registry.npmjs.org/@eslint-community/eslint-utils/-/eslint-utils-4.9.1.tgz",
+      "integrity": "sha512-phrYmNiYppR7znFEdqgfWHXR6NCkZEK7hwWDHZUjit/2/U0r6XvkDl0SYnoM51Hq7FhCGdLDT6zxCCOY1hexsQ==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
+      "dependencies": {
+        "eslint-visitor-keys": "^3.4.3"
+      },
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/eslint"
+      },
+      "peerDependencies": {
+        "eslint": "^6.0.0 || ^7.0.0 || >=8.0.0"
+      }
     },
-    "node_modules/@rollup/rollup-linux-s390x-gnu": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.46.2.tgz",
-      "integrity": "sha512-YKjekwTEKgbB7n17gmODSmJVUIvj8CX7q5442/CK80L8nqOUbMtf8b01QkG3jOqyr1rotrAnW6B/qiHwfcuWQA==",
-      "cpu": [
-        "s390x"
-      ],
+    "node_modules/@eslint-community/regexpp": {
+      "version": "4.12.2",
+      "resolved": "https://registry.npmjs.org/@eslint-community/regexpp/-/regexpp-4.12.2.tgz",
+      "integrity": "sha512-EriSTlt5OC9/7SXkRSCAhfSxxoSUgBm33OH+IkwbdpgoqsSsUg7y3uh+IICI/Qg4BBWr3U2i39RpmycbxMq4ew==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
+      "engines": {
+        "node": "^12.0.0 || ^14.0.0 || >=16.0.0"
+      }
     },
-    "node_modules/@rollup/rollup-linux-x64-gnu": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.46.2.tgz",
-      "integrity": "sha512-Jj5a9RUoe5ra+MEyERkDKLwTXVu6s3aACP51nkfnK9wJTraCC8IMe3snOfALkrjTYd2G1ViE1hICj0fZ7ALBPA==",
-      "cpu": [
-        "x64"
-      ],
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
+    "node_modules/@eslint/config-array": {
+      "version": "0.23.3",
+      "resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.23.3.tgz",
+      "integrity": "sha512-j+eEWmB6YYLwcNOdlwQ6L2OsptI/LO6lNBuLIqe5R7RetD658HLoF+Mn7LzYmAWWNNzdC6cqP+L6r8ujeYXWLw==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@eslint/object-schema": "^3.0.3",
+        "debug": "^4.3.1",
+        "minimatch": "^10.2.4"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.13.0 || >=24"
+      }
     },
-    "node_modules/@rollup/rollup-linux-x64-musl": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.46.2.tgz",
-      "integrity": "sha512-7kX69DIrBeD7yNp4A5b81izs8BqoZkCIaxQaOpumcJ1S/kmqNFjPhDu1LHeVXv0SexfHQv5cqHsxLOjETuqDuA==",
-      "cpu": [
-        "x64"
-      ],
+    "node_modules/@eslint/config-helpers": {
+      "version": "0.5.3",
+      "resolved": "https://registry.npmjs.org/@eslint/config-helpers/-/config-helpers-0.5.3.tgz",
+      "integrity": "sha512-lzGN0onllOZCGroKJmRwY6QcEHxbjBw1gwB8SgRSqK8YbbtEXMvKynsXc3553ckIEBxsbMBU7oOZXKIPGZNeZw==",
       "dev": true,
-      "license": "MIT",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@eslint/core": "^1.1.1"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.13.0 || >=24"
+      }
+    },
+    "node_modules/@eslint/core": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@eslint/core/-/core-1.1.1.tgz",
+      "integrity": "sha512-QUPblTtE51/7/Zhfv8BDwO0qkkzQL7P/aWWbqcf4xWLEYn1oKjdO0gglQBB4GAsu7u6wjijbCmzsUTy6mnk6oQ==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@types/json-schema": "^7.0.15"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.13.0 || >=24"
+      }
+    },
+    "node_modules/@eslint/js": {
+      "version": "10.0.1",
+      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-10.0.1.tgz",
+      "integrity": "sha512-zeR9k5pd4gxjZ0abRoIaxdc7I3nDktoXZk2qOv9gCNWx3mVwEn32VRhyLaRsDiJjTs0xq/T8mfPtyuXu7GWBcA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": "^20.19.0 || ^22.13.0 || >=24"
+      },
+      "funding": {
+        "url": "https://eslint.org/donate"
+      },
+      "peerDependencies": {
+        "eslint": "^10.0.0"
+      },
+      "peerDependenciesMeta": {
+        "eslint": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@eslint/object-schema": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/@eslint/object-schema/-/object-schema-3.0.3.tgz",
+      "integrity": "sha512-iM869Pugn9Nsxbh/YHRqYiqd23AmIbxJOcpUMOuWCVNdoQJ5ZtwL6h3t0bcZzJUlC3Dq9jCFCESBZnX0GTv7iQ==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": "^20.19.0 || ^22.13.0 || >=24"
+      }
+    },
+    "node_modules/@eslint/plugin-kit": {
+      "version": "0.6.1",
+      "resolved": "https://registry.npmjs.org/@eslint/plugin-kit/-/plugin-kit-0.6.1.tgz",
+      "integrity": "sha512-iH1B076HoAshH1mLpHMgwdGeTs0CYwL0SPMkGuSebZrwBp16v415e9NZXg2jtrqPVQjf6IANe2Vtlr5KswtcZQ==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@eslint/core": "^1.1.1",
+        "levn": "^0.4.1"
+      },
+      "engines": {
+        "node": "^20.19.0 || ^22.13.0 || >=24"
+      }
+    },
+    "node_modules/@headlessui/tailwindcss": {
+      "version": "0.2.2",
+      "resolved": "https://registry.npmjs.org/@headlessui/tailwindcss/-/tailwindcss-0.2.2.tgz",
+      "integrity": "sha512-xNe42KjdyA4kfUKLLPGzME9zkH7Q3rOZ5huFihWNWOQFxnItxPB3/67yBI8/qBfY8nwBRx5GHn4VprsoluVMGw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=10"
+      },
+      "peerDependencies": {
+        "tailwindcss": "^3.0 || ^4.0"
+      }
+    },
+    "node_modules/@headlessui/vue": {
+      "version": "1.7.23",
+      "resolved": "https://registry.npmjs.org/@headlessui/vue/-/vue-1.7.23.tgz",
+      "integrity": "sha512-JzdCNqurrtuu0YW6QaDtR2PIYCKPUWq28csDyMvN4zmGccmE7lz40Is6hc3LA4HFeCI7sekZ/PQMTNmn9I/4Wg==",
+      "license": "MIT",
+      "dependencies": {
+        "@tanstack/vue-virtual": "^3.0.0-beta.60"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "peerDependencies": {
+        "vue": "^3.2.0"
+      }
+    },
+    "node_modules/@heroicons/vue": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/@heroicons/vue/-/vue-2.2.0.tgz",
+      "integrity": "sha512-G3dbSxoeEKqbi/DFalhRxJU4mTXJn7GwZ7ae8NuEQzd1bqdd0jAbdaBZlHPcvPD2xI1iGzNVB4k20Un2AguYPw==",
+      "license": "MIT",
+      "peerDependencies": {
+        "vue": ">= 3"
+      }
+    },
+    "node_modules/@humanfs/core": {
+      "version": "0.19.1",
+      "resolved": "https://registry.npmjs.org/@humanfs/core/-/core-0.19.1.tgz",
+      "integrity": "sha512-5DyQ4+1JEUzejeK1JGICcideyfUbGixgS9jNgex5nqkW+cY7WZhxBigmieN5Qnw9ZosSNVC9KQKyb+GUaGyKUA==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=18.18.0"
+      }
+    },
+    "node_modules/@humanfs/node": {
+      "version": "0.16.7",
+      "resolved": "https://registry.npmjs.org/@humanfs/node/-/node-0.16.7.tgz",
+      "integrity": "sha512-/zUx+yOsIrG4Y43Eh2peDeKCxlRt/gET6aHfaKpuq267qXdYDFViVHfMaLyygZOnl0kGWxFIgsBy8QFuTLUXEQ==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@humanfs/core": "^0.19.1",
+        "@humanwhocodes/retry": "^0.4.0"
+      },
+      "engines": {
+        "node": ">=18.18.0"
+      }
+    },
+    "node_modules/@humanwhocodes/module-importer": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@humanwhocodes/module-importer/-/module-importer-1.0.1.tgz",
+      "integrity": "sha512-bxveV4V8v5Yb4ncFTT3rPSgZBOpCkjfK0y4oVVVJwIuDVBRMDXrPyXRL988i5ap9m9bnyEEjWfm5WkBmtffLfA==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=12.22"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/nzakas"
+      }
+    },
+    "node_modules/@humanwhocodes/retry": {
+      "version": "0.4.3",
+      "resolved": "https://registry.npmjs.org/@humanwhocodes/retry/-/retry-0.4.3.tgz",
+      "integrity": "sha512-bV0Tgo9K4hfPCek+aMAn81RppFKv2ySDQeMoSZuvTASywNTnVJCArCZE2FWqpvIatKu7VMRLWlR1EazvVhDyhQ==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=18.18"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/nzakas"
+      }
+    },
+    "node_modules/@intlify/bundle-utils": {
+      "version": "11.0.7",
+      "resolved": "https://registry.npmjs.org/@intlify/bundle-utils/-/bundle-utils-11.0.7.tgz",
+      "integrity": "sha512-fEO3CJGPymxieGh8BHox7d6stgajDQae7wgpH6YYw7WX+cdW6jTTXyljZqz7OV3JcwlS9M9UHSoO+YwiO56IhA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@intlify/message-compiler": "^11.1.12",
+        "@intlify/shared": "^11.1.12",
+        "acorn": "^8.8.2",
+        "esbuild": "^0.25.4",
+        "escodegen": "^2.1.0",
+        "estree-walker": "^2.0.2",
+        "jsonc-eslint-parser": "^2.3.0",
+        "source-map-js": "^1.2.1",
+        "yaml-eslint-parser": "^1.2.2"
+      },
+      "engines": {
+        "node": ">= 20"
+      },
+      "peerDependenciesMeta": {
+        "petite-vue-i18n": {
+          "optional": true
+        },
+        "vue-i18n": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@intlify/core-base": {
+      "version": "11.3.0",
+      "resolved": "https://registry.npmjs.org/@intlify/core-base/-/core-base-11.3.0.tgz",
+      "integrity": "sha512-NNX5jIwF4TJBe7RtSKDMOA6JD9mp2mRcBHAwt2X+Q8PvnZub0yj5YYXlFu2AcESdgQpEv/5Yx2uOCV/yh7YkZg==",
+      "license": "MIT",
+      "dependencies": {
+        "@intlify/devtools-types": "11.3.0",
+        "@intlify/message-compiler": "11.3.0",
+        "@intlify/shared": "11.3.0"
+      },
+      "engines": {
+        "node": ">= 16"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/kazupon"
+      }
+    },
+    "node_modules/@intlify/devtools-types": {
+      "version": "11.3.0",
+      "resolved": "https://registry.npmjs.org/@intlify/devtools-types/-/devtools-types-11.3.0.tgz",
+      "integrity": "sha512-G9CNL4WpANWVdUjubOIIS7/D2j/0j+1KJmhBJxHilWNKr9mmt3IjFV3Hq4JoBP23uOoC5ynxz/FHZ42M+YxfGw==",
+      "license": "MIT",
+      "dependencies": {
+        "@intlify/core-base": "11.3.0",
+        "@intlify/shared": "11.3.0"
+      },
+      "engines": {
+        "node": ">= 16"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/kazupon"
+      }
+    },
+    "node_modules/@intlify/message-compiler": {
+      "version": "11.3.0",
+      "resolved": "https://registry.npmjs.org/@intlify/message-compiler/-/message-compiler-11.3.0.tgz",
+      "integrity": "sha512-RAJp3TMsqohg/Wa7bVF3cChRhecSYBLrTCQSj7j0UtWVFLP+6iEJoE2zb7GU5fp+fmG5kCbUdzhmlAUCWXiUJw==",
+      "license": "MIT",
+      "dependencies": {
+        "@intlify/shared": "11.3.0",
+        "source-map-js": "^1.0.2"
+      },
+      "engines": {
+        "node": ">= 16"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/kazupon"
+      }
+    },
+    "node_modules/@intlify/shared": {
+      "version": "11.3.0",
+      "resolved": "https://registry.npmjs.org/@intlify/shared/-/shared-11.3.0.tgz",
+      "integrity": "sha512-LC6P/uay7rXL5zZ5+5iRJfLs/iUN8apu9tm8YqQVmW3Uq3X4A0dOFUIDuAmB7gAC29wTHOS3EiN/IosNSz0eNQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 16"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/kazupon"
+      }
+    },
+    "node_modules/@intlify/unplugin-vue-i18n": {
+      "version": "11.0.7",
+      "resolved": "https://registry.npmjs.org/@intlify/unplugin-vue-i18n/-/unplugin-vue-i18n-11.0.7.tgz",
+      "integrity": "sha512-wswKprS1D8VfnxxVhKxug5wa3MbDSOcCoXOBjnzhMK+6NfP6h6UI8pFqSBIvcW8nPDuzweTc0Sk3PeBCcubfoQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@eslint-community/eslint-utils": "^4.4.0",
+        "@intlify/bundle-utils": "11.0.7",
+        "@intlify/shared": "^11.1.12",
+        "@intlify/vue-i18n-extensions": "^8.0.0",
+        "@rollup/pluginutils": "^5.1.0",
+        "@typescript-eslint/scope-manager": "^8.13.0",
+        "@typescript-eslint/typescript-estree": "^8.13.0",
+        "debug": "^4.3.3",
+        "fast-glob": "^3.2.12",
+        "pathe": "^2.0.3",
+        "picocolors": "^1.0.0",
+        "unplugin": "^2.3.4",
+        "vue": "^3.5.21"
+      },
+      "engines": {
+        "node": ">= 20"
+      },
+      "peerDependencies": {
+        "petite-vue-i18n": "*",
+        "vue": "^3.2.25",
+        "vue-i18n": "*"
+      },
+      "peerDependenciesMeta": {
+        "petite-vue-i18n": {
+          "optional": true
+        },
+        "vue-i18n": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@intlify/vue-i18n-extensions": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/@intlify/vue-i18n-extensions/-/vue-i18n-extensions-8.0.0.tgz",
+      "integrity": "sha512-w0+70CvTmuqbskWfzeYhn0IXxllr6mU+IeM2MU0M+j9OW64jkrvqY+pYFWrUnIIC9bEdij3NICruicwd5EgUuQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/parser": "^7.24.6",
+        "@intlify/shared": "^10.0.0",
+        "@vue/compiler-dom": "^3.2.45",
+        "vue-i18n": "^10.0.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      },
+      "peerDependencies": {
+        "@intlify/shared": "^9.0.0 || ^10.0.0 || ^11.0.0",
+        "@vue/compiler-dom": "^3.0.0",
+        "vue": "^3.0.0",
+        "vue-i18n": "^9.0.0 || ^10.0.0 || ^11.0.0"
+      },
+      "peerDependenciesMeta": {
+        "@intlify/shared": {
+          "optional": true
+        },
+        "@vue/compiler-dom": {
+          "optional": true
+        },
+        "vue": {
+          "optional": true
+        },
+        "vue-i18n": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@intlify/vue-i18n-extensions/node_modules/@intlify/core-base": {
+      "version": "10.0.8",
+      "resolved": "https://registry.npmjs.org/@intlify/core-base/-/core-base-10.0.8.tgz",
+      "integrity": "sha512-FoHslNWSoHjdUBLy35bpm9PV/0LVI/DSv9L6Km6J2ad8r/mm0VaGg06C40FqlE8u2ADcGUM60lyoU7Myo4WNZQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@intlify/message-compiler": "10.0.8",
+        "@intlify/shared": "10.0.8"
+      },
+      "engines": {
+        "node": ">= 16"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/kazupon"
+      }
+    },
+    "node_modules/@intlify/vue-i18n-extensions/node_modules/@intlify/message-compiler": {
+      "version": "10.0.8",
+      "resolved": "https://registry.npmjs.org/@intlify/message-compiler/-/message-compiler-10.0.8.tgz",
+      "integrity": "sha512-DV+sYXIkHVd5yVb2mL7br/NEUwzUoLBsMkV3H0InefWgmYa34NLZUvMCGi5oWX+Hqr2Y2qUxnVrnOWF4aBlgWg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@intlify/shared": "10.0.8",
+        "source-map-js": "^1.0.2"
+      },
+      "engines": {
+        "node": ">= 16"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/kazupon"
+      }
+    },
+    "node_modules/@intlify/vue-i18n-extensions/node_modules/@intlify/shared": {
+      "version": "10.0.8",
+      "resolved": "https://registry.npmjs.org/@intlify/shared/-/shared-10.0.8.tgz",
+      "integrity": "sha512-BcmHpb5bQyeVNrptC3UhzpBZB/YHHDoEREOUERrmF2BRxsyOEuRrq+Z96C/D4+2KJb8kuHiouzAei7BXlG0YYw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">= 16"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/kazupon"
+      }
+    },
+    "node_modules/@intlify/vue-i18n-extensions/node_modules/vue-i18n": {
+      "version": "10.0.8",
+      "resolved": "https://registry.npmjs.org/vue-i18n/-/vue-i18n-10.0.8.tgz",
+      "integrity": "sha512-mIjy4utxMz9lMMo6G9vYePv7gUFt4ztOMhY9/4czDJxZ26xPeJ49MAGa9wBAE3XuXbYCrtVPmPxNjej7JJJkZQ==",
+      "deprecated": "v9 and v10 no longer supported. please migrate to v11. about maintenance status, see https://vue-i18n.intlify.dev/guide/maintenance.html",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@intlify/core-base": "10.0.8",
+        "@intlify/shared": "10.0.8",
+        "@vue/devtools-api": "^6.5.0"
+      },
+      "engines": {
+        "node": ">= 16"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/kazupon"
+      },
+      "peerDependencies": {
+        "vue": "^3.0.0"
+      }
+    },
+    "node_modules/@jridgewell/gen-mapping": {
+      "version": "0.3.13",
+      "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.13.tgz",
+      "integrity": "sha512-2kkt/7niJ6MgEPxF0bYdQ6etZaA+fQvDcLKckhy1yIQOzaoKjBBjSj63/aLVjYE3qhRt5dvM+uUyfCg6UKCBbA==",
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/sourcemap-codec": "^1.5.0",
+        "@jridgewell/trace-mapping": "^0.3.24"
+      }
+    },
+    "node_modules/@jridgewell/remapping": {
+      "version": "2.3.5",
+      "resolved": "https://registry.npmjs.org/@jridgewell/remapping/-/remapping-2.3.5.tgz",
+      "integrity": "sha512-LI9u/+laYG4Ds1TDKSJW2YPrIlcVYOwi2fUC6xB43lueCjgxV4lffOCZCtYFiH6TNOX+tQKXx97T4IKHbhyHEQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/gen-mapping": "^0.3.5",
+        "@jridgewell/trace-mapping": "^0.3.24"
+      }
+    },
+    "node_modules/@jridgewell/resolve-uri": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz",
+      "integrity": "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
+    "node_modules/@jridgewell/sourcemap-codec": {
+      "version": "1.5.5",
+      "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.5.tgz",
+      "integrity": "sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==",
+      "license": "MIT"
+    },
+    "node_modules/@jridgewell/trace-mapping": {
+      "version": "0.3.31",
+      "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.31.tgz",
+      "integrity": "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw==",
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/resolve-uri": "^3.1.0",
+        "@jridgewell/sourcemap-codec": "^1.4.14"
+      }
+    },
+    "node_modules/@noble/ciphers": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/@noble/ciphers/-/ciphers-2.1.1.tgz",
+      "integrity": "sha512-bysYuiVfhxNJuldNXlFEitTVdNnYUc+XNJZd7Qm2a5j1vZHgY+fazadNFWFaMK/2vye0JVlxV3gHmC0WDfAOQw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 20.19.0"
+      },
+      "funding": {
+        "url": "https://paulmillr.com/funding/"
+      }
+    },
+    "node_modules/@nodelib/fs.scandir": {
+      "version": "2.1.5",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
+      "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@nodelib/fs.stat": "2.0.5",
+        "run-parallel": "^1.1.9"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/@nodelib/fs.stat": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz",
+      "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/@nodelib/fs.walk": {
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz",
+      "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@nodelib/fs.scandir": "2.1.5",
+        "fastq": "^1.6.0"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/@rolldown/pluginutils": {
+      "version": "1.0.0-rc.2",
+      "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.2.tgz",
+      "integrity": "sha512-izyXV/v+cHiRfozX62W9htOAvwMo4/bXKDrQ+vom1L1qRuexPock/7VZDAhnpHCLNejd3NJ6hiab+tO0D44Rgw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@rollup/pluginutils": {
+      "version": "5.3.0",
+      "resolved": "https://registry.npmjs.org/@rollup/pluginutils/-/pluginutils-5.3.0.tgz",
+      "integrity": "sha512-5EdhGZtnu3V88ces7s53hhfK5KSASnJZv8Lulpc04cWO3REESroJXg73DFsOmgbU2BhwV0E20bu2IDZb3VKW4Q==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/estree": "^1.0.0",
+        "estree-walker": "^2.0.2",
+        "picomatch": "^4.0.2"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      },
+      "peerDependencies": {
+        "rollup": "^1.20.0||^2.0.0||^3.0.0||^4.0.0"
+      },
+      "peerDependenciesMeta": {
+        "rollup": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@rollup/rollup-android-arm-eabi": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.60.1.tgz",
+      "integrity": "sha512-d6FinEBLdIiK+1uACUttJKfgZREXrF0Qc2SmLII7W2AD8FfiZ9Wjd+rD/iRuf5s5dWrr1GgwXCvPqOuDquOowA==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ]
+    },
+    "node_modules/@rollup/rollup-android-arm64": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.60.1.tgz",
+      "integrity": "sha512-YjG/EwIDvvYI1YvYbHvDz/BYHtkY4ygUIXHnTdLhG+hKIQFBiosfWiACWortsKPKU/+dUwQQCKQM3qrDe8c9BA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ]
+    },
+    "node_modules/@rollup/rollup-darwin-arm64": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.60.1.tgz",
+      "integrity": "sha512-mjCpF7GmkRtSJwon+Rq1N8+pI+8l7w5g9Z3vWj4T7abguC4Czwi3Yu/pFaLvA3TTeMVjnu3ctigusqWUfjZzvw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ]
+    },
+    "node_modules/@rollup/rollup-darwin-x64": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.60.1.tgz",
+      "integrity": "sha512-haZ7hJ1JT4e9hqkoT9R/19XW2QKqjfJVv+i5AGg57S+nLk9lQnJ1F/eZloRO3o9Scy9CM3wQ9l+dkXtcBgN5Ew==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ]
+    },
+    "node_modules/@rollup/rollup-freebsd-arm64": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.60.1.tgz",
+      "integrity": "sha512-czw90wpQq3ZsAVBlinZjAYTKduOjTywlG7fEeWKUA7oCmpA8xdTkxZZlwNJKWqILlq0wehoZcJYfBvOyhPTQ6w==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ]
+    },
+    "node_modules/@rollup/rollup-freebsd-x64": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.60.1.tgz",
+      "integrity": "sha512-KVB2rqsxTHuBtfOeySEyzEOB7ltlB/ux38iu2rBQzkjbwRVlkhAGIEDiiYnO2kFOkJp+Z7pUXKyrRRFuFUKt+g==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-arm-gnueabihf": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.60.1.tgz",
+      "integrity": "sha512-L+34Qqil+v5uC0zEubW7uByo78WOCIrBvci69E7sFASRl0X7b/MB6Cqd1lky/CtcSVTydWa2WZwFuWexjS5o6g==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-arm-musleabihf": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.60.1.tgz",
+      "integrity": "sha512-n83O8rt4v34hgFzlkb1ycniJh7IR5RCIqt6mz1VRJD6pmhRi0CXdmfnLu9dIUS6buzh60IvACM842Ffb3xd6Gg==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-arm64-gnu": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.60.1.tgz",
+      "integrity": "sha512-Nql7sTeAzhTAja3QXeAI48+/+GjBJ+QmAH13snn0AJSNL50JsDqotyudHyMbO2RbJkskbMbFJfIJKWA6R1LCJQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-arm64-musl": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.60.1.tgz",
+      "integrity": "sha512-+pUymDhd0ys9GcKZPPWlFiZ67sTWV5UU6zOJat02M1+PiuSGDziyRuI/pPue3hoUwm2uGfxdL+trT6Z9rxnlMA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-loong64-gnu": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-gnu/-/rollup-linux-loong64-gnu-4.60.1.tgz",
+      "integrity": "sha512-VSvgvQeIcsEvY4bKDHEDWcpW4Yw7BtlKG1GUT4FzBUlEKQK0rWHYBqQt6Fm2taXS+1bXvJT6kICu5ZwqKCnvlQ==",
+      "cpu": [
+        "loong64"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-loong64-musl": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-musl/-/rollup-linux-loong64-musl-4.60.1.tgz",
+      "integrity": "sha512-4LqhUomJqwe641gsPp6xLfhqWMbQV04KtPp7/dIp0nzPxAkNY1AbwL5W0MQpcalLYk07vaW9Kp1PBhdpZYYcEw==",
+      "cpu": [
+        "loong64"
+      ],
+      "dev": true,
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-ppc64-gnu": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.60.1.tgz",
+      "integrity": "sha512-tLQQ9aPvkBxOc/EUT6j3pyeMD6Hb8QF2BTBnCQWP/uu1lhc9AIrIjKnLYMEroIz/JvtGYgI9dF3AxHZNaEH0rw==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-ppc64-musl": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-musl/-/rollup-linux-ppc64-musl-4.60.1.tgz",
+      "integrity": "sha512-RMxFhJwc9fSXP6PqmAz4cbv3kAyvD1etJFjTx4ONqFP9DkTkXsAMU4v3Vyc5BgzC+anz7nS/9tp4obsKfqkDHg==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-riscv64-gnu": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.60.1.tgz",
+      "integrity": "sha512-QKgFl+Yc1eEk6MmOBfRHYF6lTxiiiV3/z/BRrbSiW2I7AFTXoBFvdMEyglohPj//2mZS4hDOqeB0H1ACh3sBbg==",
+      "cpu": [
+        "riscv64"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-riscv64-musl": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.60.1.tgz",
+      "integrity": "sha512-RAjXjP/8c6ZtzatZcA1RaQr6O1TRhzC+adn8YZDnChliZHviqIjmvFwHcxi4JKPSDAt6Uhf/7vqcBzQJy0PDJg==",
+      "cpu": [
+        "riscv64"
+      ],
+      "dev": true,
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-s390x-gnu": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.60.1.tgz",
+      "integrity": "sha512-wcuocpaOlaL1COBYiA89O6yfjlp3RwKDeTIA0hM7OpmhR1Bjo9j31G1uQVpDlTvwxGn2nQs65fBFL5UFd76FcQ==",
+      "cpu": [
+        "s390x"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-x64-gnu": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.60.1.tgz",
+      "integrity": "sha512-77PpsFQUCOiZR9+LQEFg9GClyfkNXj1MP6wRnzYs0EeWbPcHs02AXu4xuUbM1zhwn3wqaizle3AEYg5aeoohhg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-x64-musl": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.60.1.tgz",
+      "integrity": "sha512-5cIATbk5vynAjqqmyBjlciMJl1+R/CwX9oLk/EyiFXDWd95KpHdrOJT//rnUl4cUcskrd0jCCw3wpZnhIHdD9w==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
       "optional": true,
       "os": [
         "linux"
       ]
     },
-    "node_modules/@rollup/rollup-win32-arm64-msvc": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.46.2.tgz",
-      "integrity": "sha512-wiJWMIpeaak/jsbaq2HMh/rzZxHVW1rU6coyeNNpMwk5isiPjSTx0a4YLSlYDwBH/WBvLz+EtsNqQScZTLJy3g==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "win32"
-      ]
+    "node_modules/@rollup/rollup-openbsd-x64": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-openbsd-x64/-/rollup-openbsd-x64-4.60.1.tgz",
+      "integrity": "sha512-cl0w09WsCi17mcmWqqglez9Gk8isgeWvoUZ3WiJFYSR3zjBQc2J5/ihSjpl+VLjPqjQ/1hJRcqBfLjssREQILw==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ]
+    },
+    "node_modules/@rollup/rollup-openharmony-arm64": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-openharmony-arm64/-/rollup-openharmony-arm64-4.60.1.tgz",
+      "integrity": "sha512-4Cv23ZrONRbNtbZa37mLSueXUCtN7MXccChtKpUnQNgF010rjrjfHx3QxkS2PI7LqGT5xXyYs1a7LbzAwT0iCA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openharmony"
+      ]
+    },
+    "node_modules/@rollup/rollup-win32-arm64-msvc": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.60.1.tgz",
+      "integrity": "sha512-i1okWYkA4FJICtr7KpYzFpRTHgy5jdDbZiWfvny21iIKky5YExiDXP+zbXzm3dUcFpkEeYNHgQ5fuG236JPq0g==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ]
+    },
+    "node_modules/@rollup/rollup-win32-ia32-msvc": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.60.1.tgz",
+      "integrity": "sha512-u09m3CuwLzShA0EYKMNiFgcjjzwqtUMLmuCJLeZWjjOYA3IT2Di09KaxGBTP9xVztWyIWjVdsB2E9goMjZvTQg==",
+      "cpu": [
+        "ia32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ]
+    },
+    "node_modules/@rollup/rollup-win32-x64-gnu": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-gnu/-/rollup-win32-x64-gnu-4.60.1.tgz",
+      "integrity": "sha512-k+600V9Zl1CM7eZxJgMyTUzmrmhB/0XZnF4pRypKAlAgxmedUA+1v9R+XOFv56W4SlHEzfeMtzujLJD22Uz5zg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ]
+    },
+    "node_modules/@rollup/rollup-win32-x64-msvc": {
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.60.1.tgz",
+      "integrity": "sha512-lWMnixq/QzxyhTV6NjQJ4SFo1J6PvOX8vUx5Wb4bBPsEb+8xZ89Bz6kOXpfXj9ak9AHTQVQzlgzBEc1SyM27xQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ]
+    },
+    "node_modules/@scure/base": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@scure/base/-/base-2.0.0.tgz",
+      "integrity": "sha512-3E1kpuZginKkek01ovG8krQ0Z44E3DHPjc5S2rjJw9lZn3KSQOs8S7wqikF/AH7iRanHypj85uGyxk0XAyC37w==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://paulmillr.com/funding/"
+      }
+    },
+    "node_modules/@smithy/abort-controller": {
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/abort-controller/-/abort-controller-4.2.12.tgz",
+      "integrity": "sha512-xolrFw6b+2iYGl6EcOL7IJY71vvyZ0DJ3mcKtpykqPe2uscwtzDZJa1uVQXyP7w9Dd+kGwYnPbMsJrGISKiY/Q==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/chunked-blob-reader": {
+      "version": "5.2.2",
+      "resolved": "https://registry.npmjs.org/@smithy/chunked-blob-reader/-/chunked-blob-reader-5.2.2.tgz",
+      "integrity": "sha512-St+kVicSyayWQca+I1rGitaOEH6uKgE8IUWoYnnEX26SWdWQcL6LvMSD19Lg+vYHKdT9B2Zuu7rd3i6Wnyb/iw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/chunked-blob-reader-native": {
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/@smithy/chunked-blob-reader-native/-/chunked-blob-reader-native-4.2.3.tgz",
+      "integrity": "sha512-jA5k5Udn7Y5717L86h4EIv06wIr3xn8GM1qHRi/Nf31annXcXHJjBKvgztnbn2TxH3xWrPBfgwHsOwZf0UmQWw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/util-base64": "^4.3.2",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/config-resolver": {
+      "version": "4.4.11",
+      "resolved": "https://registry.npmjs.org/@smithy/config-resolver/-/config-resolver-4.4.11.tgz",
+      "integrity": "sha512-YxFiiG4YDAtX7WMN7RuhHZLeTmRRAOyCbr+zB8e3AQzHPnUhS8zXjB1+cniPVQI3xbWsQPM0X2aaIkO/ME0ymw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-config-provider": "^4.2.2",
+        "@smithy/util-endpoints": "^3.3.3",
+        "@smithy/util-middleware": "^4.2.12",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/core": {
+      "version": "3.23.12",
+      "resolved": "https://registry.npmjs.org/@smithy/core/-/core-3.23.12.tgz",
+      "integrity": "sha512-o9VycsYNtgC+Dy3I0yrwCqv9CWicDnke0L7EVOrZtJpjb2t0EjaEofmMrYc0T1Kn3yk32zm6cspxF9u9Bj7e5w==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/types": "^4.13.1",
+        "@smithy/url-parser": "^4.2.12",
+        "@smithy/util-base64": "^4.3.2",
+        "@smithy/util-body-length-browser": "^4.2.2",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-stream": "^4.5.20",
+        "@smithy/util-utf8": "^4.2.2",
+        "@smithy/uuid": "^1.1.2",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/credential-provider-imds": {
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/credential-provider-imds/-/credential-provider-imds-4.2.12.tgz",
+      "integrity": "sha512-cr2lR792vNZcYMriSIj+Um3x9KWrjcu98kn234xA6reOAFMmbRpQMOv8KPgEmLLtx3eldU6c5wALKFqNOhugmg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/property-provider": "^4.2.12",
+        "@smithy/types": "^4.13.1",
+        "@smithy/url-parser": "^4.2.12",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/eventstream-codec": {
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/eventstream-codec/-/eventstream-codec-4.2.12.tgz",
+      "integrity": "sha512-FE3bZdEl62ojmy8x4FHqxq2+BuOHlcxiH5vaZ6aqHJr3AIZzwF5jfx8dEiU/X0a8RboyNDjmXjlbr8AdEyLgiA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-crypto/crc32": "5.2.0",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-hex-encoding": "^4.2.2",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/eventstream-serde-browser": {
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-browser/-/eventstream-serde-browser-4.2.12.tgz",
+      "integrity": "sha512-XUSuMxlTxV5pp4VpqZf6Sa3vT/Q75FVkLSpSSE3KkWBvAQWeuWt1msTv8fJfgA4/jcJhrbrbMzN1AC/hvPmm5A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/eventstream-serde-universal": "^4.2.12",
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/eventstream-serde-config-resolver": {
+      "version": "4.3.12",
+      "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-config-resolver/-/eventstream-serde-config-resolver-4.3.12.tgz",
+      "integrity": "sha512-7epsAZ3QvfHkngz6RXQYseyZYHlmWXSTPOfPmXkiS+zA6TBNo1awUaMFL9vxyXlGdoELmCZyZe1nQE+imbmV+Q==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/eventstream-serde-node": {
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-node/-/eventstream-serde-node-4.2.12.tgz",
+      "integrity": "sha512-D1pFuExo31854eAvg89KMn9Oab/wEeJR6Buy32B49A9Ogdtx5fwZPqBHUlDzaCDpycTFk2+fSQgX689Qsk7UGA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/eventstream-serde-universal": "^4.2.12",
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/eventstream-serde-universal": {
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-universal/-/eventstream-serde-universal-4.2.12.tgz",
+      "integrity": "sha512-+yNuTiyBACxOJUTvbsNsSOfH9G9oKbaJE1lNL3YHpGcuucl6rPZMi3nrpehpVOVR2E07YqFFmtwpImtpzlouHQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/eventstream-codec": "^4.2.12",
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/fetch-http-handler": {
+      "version": "5.3.15",
+      "resolved": "https://registry.npmjs.org/@smithy/fetch-http-handler/-/fetch-http-handler-5.3.15.tgz",
+      "integrity": "sha512-T4jFU5N/yiIfrtrsb9uOQn7RdELdM/7HbyLNr6uO/mpkj1ctiVs7CihVr51w4LyQlXWDpXFn4BElf1WmQvZu/A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/querystring-builder": "^4.2.12",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-base64": "^4.3.2",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/hash-blob-browser": {
+      "version": "4.2.13",
+      "resolved": "https://registry.npmjs.org/@smithy/hash-blob-browser/-/hash-blob-browser-4.2.13.tgz",
+      "integrity": "sha512-YrF4zWKh+ghLuquldj6e/RzE3xZYL8wIPfkt0MqCRphVICjyyjH8OwKD7LLlKpVEbk4FLizFfC1+gwK6XQdR3g==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/chunked-blob-reader": "^5.2.2",
+        "@smithy/chunked-blob-reader-native": "^4.2.3",
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/hash-node": {
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/hash-node/-/hash-node-4.2.12.tgz",
+      "integrity": "sha512-QhBYbGrbxTkZ43QoTPrK72DoYviDeg6YKDrHTMJbbC+A0sml3kSjzFtXP7BtbyJnXojLfTQldGdUR0RGD8dA3w==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-buffer-from": "^4.2.2",
+        "@smithy/util-utf8": "^4.2.2",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/hash-stream-node": {
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/hash-stream-node/-/hash-stream-node-4.2.12.tgz",
+      "integrity": "sha512-O3YbmGExeafuM/kP7Y8r6+1y0hIh3/zn6GROx0uNlB54K9oihAL75Qtc+jFfLNliTi6pxOAYZrRKD9A7iA6UFw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-utf8": "^4.2.2",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/invalid-dependency": {
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/invalid-dependency/-/invalid-dependency-4.2.12.tgz",
+      "integrity": "sha512-/4F1zb7Z8LOu1PalTdESFHR0RbPwHd3FcaG1sI3UEIriQTWakysgJr65lc1jj6QY5ye7aFsisajotH6UhWfm/g==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/is-array-buffer": {
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@smithy/is-array-buffer/-/is-array-buffer-4.2.2.tgz",
+      "integrity": "sha512-n6rQ4N8Jj4YTQO3YFrlgZuwKodf4zUFs7EJIWH86pSCWBaAtAGBFfCM7Wx6D2bBJ2xqFNxGBSrUWswT3M0VJow==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/md5-js": {
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/md5-js/-/md5-js-4.2.12.tgz",
+      "integrity": "sha512-W/oIpHCpWU2+iAkfZYyGWE+qkpuf3vEXHLxQQDx9FPNZTTdnul0dZ2d/gUFrtQ5je1G2kp4cjG0/24YueG2LbQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-utf8": "^4.2.2",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/middleware-content-length": {
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-content-length/-/middleware-content-length-4.2.12.tgz",
+      "integrity": "sha512-YE58Yz+cvFInWI/wOTrB+DbvUVz/pLn5mC5MvOV4fdRUc6qGwygyngcucRQjAhiCEbmfLOXX0gntSIcgMvAjmA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/middleware-endpoint": {
+      "version": "4.4.26",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-endpoint/-/middleware-endpoint-4.4.26.tgz",
+      "integrity": "sha512-8Qfikvd2GVKSm8S6IbjfwFlRY9VlMrj0Dp4vTwAuhqbX7NhJKE5DQc2bnfJIcY0B+2YKMDBWfvexbSZeejDgeg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/core": "^3.23.12",
+        "@smithy/middleware-serde": "^4.2.15",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/shared-ini-file-loader": "^4.4.7",
+        "@smithy/types": "^4.13.1",
+        "@smithy/url-parser": "^4.2.12",
+        "@smithy/util-middleware": "^4.2.12",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/middleware-retry": {
+      "version": "4.4.43",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-retry/-/middleware-retry-4.4.43.tgz",
+      "integrity": "sha512-ZwsifBdyuNHrFGmbc7bAfP2b54+kt9J2rhFd18ilQGAB+GDiP4SrawqyExbB7v455QVR7Psyhb2kjULvBPIhvA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/service-error-classification": "^4.2.12",
+        "@smithy/smithy-client": "^4.12.6",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-retry": "^4.2.12",
+        "@smithy/uuid": "^1.1.2",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/middleware-serde": {
+      "version": "4.2.15",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-serde/-/middleware-serde-4.2.15.tgz",
+      "integrity": "sha512-ExYhcltZSli0pgAKOpQQe1DLFBLryeZ22605y/YS+mQpdNWekum9Ujb/jMKfJKgjtz1AZldtwA/wCYuKJgjjlg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/core": "^3.23.12",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/middleware-stack": {
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-stack/-/middleware-stack-4.2.12.tgz",
+      "integrity": "sha512-kruC5gRHwsCOuyCd4ouQxYjgRAym2uDlCvQ5acuMtRrcdfg7mFBg6blaxcJ09STpt3ziEkis6bhg1uwrWU7txw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/node-config-provider": {
+      "version": "4.3.12",
+      "resolved": "https://registry.npmjs.org/@smithy/node-config-provider/-/node-config-provider-4.3.12.tgz",
+      "integrity": "sha512-tr2oKX2xMcO+rBOjobSwVAkV05SIfUKz8iI53rzxEmgW3GOOPOv0UioSDk+J8OpRQnpnhsO3Af6IEBabQBVmiw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/property-provider": "^4.2.12",
+        "@smithy/shared-ini-file-loader": "^4.4.7",
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/node-http-handler": {
+      "version": "4.5.0",
+      "resolved": "https://registry.npmjs.org/@smithy/node-http-handler/-/node-http-handler-4.5.0.tgz",
+      "integrity": "sha512-Rnq9vQWiR1+/I6NZZMNzJHV6pZYyEHt2ZnuV3MG8z2NNenC4i/8Kzttz7CjZiHSmsN5frhXhg17z3Zqjjhmz1A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/abort-controller": "^4.2.12",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/querystring-builder": "^4.2.12",
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/property-provider": {
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/property-provider/-/property-provider-4.2.12.tgz",
+      "integrity": "sha512-jqve46eYU1v7pZ5BM+fmkbq3DerkSluPr5EhvOcHxygxzD05ByDRppRwRPPpFrsFo5yDtCYLKu+kreHKVrvc7A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/protocol-http": {
+      "version": "5.3.12",
+      "resolved": "https://registry.npmjs.org/@smithy/protocol-http/-/protocol-http-5.3.12.tgz",
+      "integrity": "sha512-fit0GZK9I1xoRlR4jXmbLhoN0OdEpa96ul8M65XdmXnxXkuMxM0Y8HDT0Fh0Xb4I85MBvBClOzgSrV1X2s1Hxw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/querystring-builder": {
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/querystring-builder/-/querystring-builder-4.2.12.tgz",
+      "integrity": "sha512-6wTZjGABQufekycfDGMEB84BgtdOE/rCVTov+EDXQ8NHKTUNIp/j27IliwP7tjIU9LR+sSzyGBOXjeEtVgzCHg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-uri-escape": "^4.2.2",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/querystring-parser": {
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/querystring-parser/-/querystring-parser-4.2.12.tgz",
+      "integrity": "sha512-P2OdvrgiAKpkPNKlKUtWbNZKB1XjPxM086NeVhK+W+wI46pIKdWBe5QyXvhUm3MEcyS/rkLvY8rZzyUdmyDZBw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/service-error-classification": {
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/service-error-classification/-/service-error-classification-4.2.12.tgz",
+      "integrity": "sha512-LlP29oSQN0Tw0b6D0Xo6BIikBswuIiGYbRACy5ujw/JgWSzTdYj46U83ssf6Ux0GyNJVivs2uReU8pt7Eu9okQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/types": "^4.13.1"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/shared-ini-file-loader": {
+      "version": "4.4.7",
+      "resolved": "https://registry.npmjs.org/@smithy/shared-ini-file-loader/-/shared-ini-file-loader-4.4.7.tgz",
+      "integrity": "sha512-HrOKWsUb+otTeo1HxVWeEb99t5ER1XrBi/xka2Wv6NVmTbuCUC1dvlrksdvxFtODLBjsC+PHK+fuy2x/7Ynyiw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/signature-v4": {
+      "version": "5.3.12",
+      "resolved": "https://registry.npmjs.org/@smithy/signature-v4/-/signature-v4-5.3.12.tgz",
+      "integrity": "sha512-B/FBwO3MVOL00DaRSXfXfa/TRXRheagt/q5A2NM13u7q+sHS59EOVGQNfG7DkmVtdQm5m3vOosoKAXSqn/OEgw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/is-array-buffer": "^4.2.2",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-hex-encoding": "^4.2.2",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-uri-escape": "^4.2.2",
+        "@smithy/util-utf8": "^4.2.2",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/smithy-client": {
+      "version": "4.12.6",
+      "resolved": "https://registry.npmjs.org/@smithy/smithy-client/-/smithy-client-4.12.6.tgz",
+      "integrity": "sha512-aib3f0jiMsJ6+cvDnXipBsGDL7ztknYSVqJs1FdN9P+u9tr/VzOR7iygSh6EUOdaBeMCMSh3N0VdyYsG4o91DQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/core": "^3.23.12",
+        "@smithy/middleware-endpoint": "^4.4.26",
+        "@smithy/middleware-stack": "^4.2.12",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-stream": "^4.5.20",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/types": {
+      "version": "4.13.1",
+      "resolved": "https://registry.npmjs.org/@smithy/types/-/types-4.13.1.tgz",
+      "integrity": "sha512-787F3yzE2UiJIQ+wYW1CVg2odHjmaWLGksnKQHUrK/lYZSEcy1msuLVvxaR/sI2/aDe9U+TBuLsXnr3vod1g0g==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/url-parser": {
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/url-parser/-/url-parser-4.2.12.tgz",
+      "integrity": "sha512-wOPKPEpso+doCZGIlr+e1lVI6+9VAKfL4kZWFgzVgGWY2hZxshNKod4l2LXS3PRC9otH/JRSjtEHqQ/7eLciRA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/querystring-parser": "^4.2.12",
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/util-base64": {
+      "version": "4.3.2",
+      "resolved": "https://registry.npmjs.org/@smithy/util-base64/-/util-base64-4.3.2.tgz",
+      "integrity": "sha512-XRH6b0H/5A3SgblmMa5ErXQ2XKhfbQB+Fm/oyLZ2O2kCUrwgg55bU0RekmzAhuwOjA9qdN5VU2BprOvGGUkOOQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/util-buffer-from": "^4.2.2",
+        "@smithy/util-utf8": "^4.2.2",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/util-body-length-browser": {
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@smithy/util-body-length-browser/-/util-body-length-browser-4.2.2.tgz",
+      "integrity": "sha512-JKCrLNOup3OOgmzeaKQwi4ZCTWlYR5H4Gm1r2uTMVBXoemo1UEghk5vtMi1xSu2ymgKVGW631e2fp9/R610ZjQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/util-body-length-node": {
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/@smithy/util-body-length-node/-/util-body-length-node-4.2.3.tgz",
+      "integrity": "sha512-ZkJGvqBzMHVHE7r/hcuCxlTY8pQr1kMtdsVPs7ex4mMU+EAbcXppfo5NmyxMYi2XU49eqaz56j2gsk4dHHPG/g==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/util-buffer-from": {
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@smithy/util-buffer-from/-/util-buffer-from-4.2.2.tgz",
+      "integrity": "sha512-FDXD7cvUoFWwN6vtQfEta540Y/YBe5JneK3SoZg9bThSoOAC/eGeYEua6RkBgKjGa/sz6Y+DuBZj3+YEY21y4Q==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/is-array-buffer": "^4.2.2",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/util-config-provider": {
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@smithy/util-config-provider/-/util-config-provider-4.2.2.tgz",
+      "integrity": "sha512-dWU03V3XUprJwaUIFVv4iOnS1FC9HnMHDfUrlNDSh4315v0cWyaIErP8KiqGVbf5z+JupoVpNM7ZB3jFiTejvQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/util-defaults-mode-browser": {
+      "version": "4.3.42",
+      "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-browser/-/util-defaults-mode-browser-4.3.42.tgz",
+      "integrity": "sha512-0vjwmcvkWAUtikXnWIUOyV6IFHTEeQUYh3JUZcDgcszF+hD/StAsQ3rCZNZEPHgI9kVNcbnyc8P2CBHnwgmcwg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/property-provider": "^4.2.12",
+        "@smithy/smithy-client": "^4.12.6",
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/util-defaults-mode-node": {
+      "version": "4.2.45",
+      "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-node/-/util-defaults-mode-node-4.2.45.tgz",
+      "integrity": "sha512-q5dOqqfTgUcLe38TAGiFn9srToKj2YCHJ34QGOLzM+xYLLA+qRZv7N+33kl1MERVusue36ZHnlNaNEvY/PzSrw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/config-resolver": "^4.4.11",
+        "@smithy/credential-provider-imds": "^4.2.12",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/property-provider": "^4.2.12",
+        "@smithy/smithy-client": "^4.12.6",
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/util-endpoints": {
+      "version": "3.3.3",
+      "resolved": "https://registry.npmjs.org/@smithy/util-endpoints/-/util-endpoints-3.3.3.tgz",
+      "integrity": "sha512-VACQVe50j0HZPjpwWcjyT51KUQ4AnsvEaQ2lKHOSL4mNLD0G9BjEniQ+yCt1qqfKfiAHRAts26ud7hBjamrwig==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/util-hex-encoding": {
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@smithy/util-hex-encoding/-/util-hex-encoding-4.2.2.tgz",
+      "integrity": "sha512-Qcz3W5vuHK4sLQdyT93k/rfrUwdJ8/HZ+nMUOyGdpeGA1Wxt65zYwi3oEl9kOM+RswvYq90fzkNDahPS8K0OIg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/util-middleware": {
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/util-middleware/-/util-middleware-4.2.12.tgz",
+      "integrity": "sha512-Er805uFUOvgc0l8nv0e0su0VFISoxhJ/AwOn3gL2NWNY2LUEldP5WtVcRYSQBcjg0y9NfG8JYrCJaYDpupBHJQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/util-retry": {
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/util-retry/-/util-retry-4.2.12.tgz",
+      "integrity": "sha512-1zopLDUEOwumjcHdJ1mwBHddubYF8GMQvstVCLC54Y46rqoHwlIU+8ZzUeaBcD+WCJHyDGSeZ2ml9YSe9aqcoQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/service-error-classification": "^4.2.12",
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/util-stream": {
+      "version": "4.5.20",
+      "resolved": "https://registry.npmjs.org/@smithy/util-stream/-/util-stream-4.5.20.tgz",
+      "integrity": "sha512-4yXLm5n/B5SRBR2p8cZ90Sbv4zL4NKsgxdzCzp/83cXw2KxLEumt5p+GAVyRNZgQOSrzXn9ARpO0lUe8XSlSDw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/fetch-http-handler": "^5.3.15",
+        "@smithy/node-http-handler": "^4.5.0",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-base64": "^4.3.2",
+        "@smithy/util-buffer-from": "^4.2.2",
+        "@smithy/util-hex-encoding": "^4.2.2",
+        "@smithy/util-utf8": "^4.2.2",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/util-uri-escape": {
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@smithy/util-uri-escape/-/util-uri-escape-4.2.2.tgz",
+      "integrity": "sha512-2kAStBlvq+lTXHyAZYfJRb/DfS3rsinLiwb+69SstC9Vb0s9vNWkRwpnj918Pfi85mzi42sOqdV72OLxWAISnw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@smithy/util-utf8": {
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@smithy/util-utf8/-/util-utf8-4.2.2.tgz",
+      "integrity": "sha512-75MeYpjdWRe8M5E3AW0O4Cx3UadweS+cwdXjwYGBW5h/gxxnbeZ877sLPX/ZJA9GVTlL/qG0dXP29JWFCD1Ayw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/util-buffer-from": "^4.2.2",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
     },
-    "node_modules/@rollup/rollup-win32-ia32-msvc": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.46.2.tgz",
-      "integrity": "sha512-gBgaUDESVzMgWZhcyjfs9QFK16D8K6QZpwAaVNJxYDLHWayOta4ZMjGm/vsAEy3hvlS2GosVFlBlP9/Wb85DqQ==",
-      "cpu": [
-        "ia32"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "win32"
-      ]
+    "node_modules/@smithy/util-waiter": {
+      "version": "4.2.13",
+      "resolved": "https://registry.npmjs.org/@smithy/util-waiter/-/util-waiter-4.2.13.tgz",
+      "integrity": "sha512-2zdZ9DTHngRtcYxJK1GUDxruNr53kv5W2Lupe0LMU+Imr6ohQg8M2T14MNkj1Y0wS3FFwpgpGQyvuaMF7CiTmQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@smithy/abort-controller": "^4.2.12",
+        "@smithy/types": "^4.13.1",
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
     },
-    "node_modules/@rollup/rollup-win32-x64-msvc": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.46.2.tgz",
-      "integrity": "sha512-CvUo2ixeIQGtF6WvuB87XWqPQkoFAFqW+HUo/WzHwuHDvIwZCtjdWXoYCcr06iKGydiqTclC4jU/TNObC/xKZg==",
-      "cpu": [
-        "x64"
-      ],
+    "node_modules/@smithy/uuid": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/@smithy/uuid/-/uuid-1.1.2.tgz",
+      "integrity": "sha512-O/IEdcCUKkubz60tFbGA7ceITTAJsty+lBjNoorP4Z6XRqaFb/OjQjZODophEcuq68nKm6/0r+6/lLQ+XVpk8g==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "tslib": "^2.6.2"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/@standard-schema/spec": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@standard-schema/spec/-/spec-1.1.0.tgz",
+      "integrity": "sha512-l2aFy5jALhniG5HgqrD6jXLi/rUWrKvqN/qJx6yoJsgKhblVd+iqqU4RCXavm/jPityDo5TCvKMnpjKnOriy0w==",
       "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "win32"
-      ]
+      "license": "MIT"
     },
     "node_modules/@tailwindcss/forms": {
-      "version": "0.5.10",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/forms/-/forms-0.5.10.tgz",
-      "integrity": "sha512-utI1ONF6uf/pPNO68kmN1b8rEwNXv3czukalo8VtJH8ksIkZXr3Q3VYudZLkCsDd4Wku120uF02hYK25XGPorw==",
+      "version": "0.5.11",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/forms/-/forms-0.5.11.tgz",
+      "integrity": "sha512-h9wegbZDPurxG22xZSoWtdzc41/OlNEUQERNqI/0fOwa2aVlWGu7C35E/x6LDyD3lgtztFSSjKZyuVM0hxhbgA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1563,54 +3212,49 @@
       }
     },
     "node_modules/@tailwindcss/node": {
-      "version": "4.1.14",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/node/-/node-4.1.14.tgz",
-      "integrity": "sha512-hpz+8vFk3Ic2xssIA3e01R6jkmsAhvkQdXlEbRTk6S10xDAtiQiM3FyvZVGsucefq764euO/b8WUW9ysLdThHw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/node/-/node-4.2.2.tgz",
+      "integrity": "sha512-pXS+wJ2gZpVXqFaUEjojq7jzMpTGf8rU6ipJz5ovJV6PUGmlJ+jvIwGrzdHdQ80Sg+wmQxUFuoW1UAAwHNEdFA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@jridgewell/remapping": "^2.3.4",
-        "enhanced-resolve": "^5.18.3",
-        "jiti": "^2.6.0",
-        "lightningcss": "1.30.1",
-        "magic-string": "^0.30.19",
+        "@jridgewell/remapping": "^2.3.5",
+        "enhanced-resolve": "^5.19.0",
+        "jiti": "^2.6.1",
+        "lightningcss": "1.32.0",
+        "magic-string": "^0.30.21",
         "source-map-js": "^1.2.1",
-        "tailwindcss": "4.1.14"
+        "tailwindcss": "4.2.2"
       }
     },
     "node_modules/@tailwindcss/oxide": {
-      "version": "4.1.14",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide/-/oxide-4.1.14.tgz",
-      "integrity": "sha512-23yx+VUbBwCg2x5XWdB8+1lkPajzLmALEfMb51zZUBYaYVPDQvBSD/WYDqiVyBIo2BZFa3yw1Rpy3G2Jp+K0dw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide/-/oxide-4.2.2.tgz",
+      "integrity": "sha512-qEUA07+E5kehxYp9BVMpq9E8vnJuBHfJEC0vPC5e7iL/hw7HR61aDKoVoKzrG+QKp56vhNZe4qwkRmMC0zDLvg==",
       "dev": true,
-      "hasInstallScript": true,
       "license": "MIT",
-      "dependencies": {
-        "detect-libc": "^2.0.4",
-        "tar": "^7.5.1"
-      },
       "engines": {
-        "node": ">= 10"
+        "node": ">= 20"
       },
       "optionalDependencies": {
-        "@tailwindcss/oxide-android-arm64": "4.1.14",
-        "@tailwindcss/oxide-darwin-arm64": "4.1.14",
-        "@tailwindcss/oxide-darwin-x64": "4.1.14",
-        "@tailwindcss/oxide-freebsd-x64": "4.1.14",
-        "@tailwindcss/oxide-linux-arm-gnueabihf": "4.1.14",
-        "@tailwindcss/oxide-linux-arm64-gnu": "4.1.14",
-        "@tailwindcss/oxide-linux-arm64-musl": "4.1.14",
-        "@tailwindcss/oxide-linux-x64-gnu": "4.1.14",
-        "@tailwindcss/oxide-linux-x64-musl": "4.1.14",
-        "@tailwindcss/oxide-wasm32-wasi": "4.1.14",
-        "@tailwindcss/oxide-win32-arm64-msvc": "4.1.14",
-        "@tailwindcss/oxide-win32-x64-msvc": "4.1.14"
+        "@tailwindcss/oxide-android-arm64": "4.2.2",
+        "@tailwindcss/oxide-darwin-arm64": "4.2.2",
+        "@tailwindcss/oxide-darwin-x64": "4.2.2",
+        "@tailwindcss/oxide-freebsd-x64": "4.2.2",
+        "@tailwindcss/oxide-linux-arm-gnueabihf": "4.2.2",
+        "@tailwindcss/oxide-linux-arm64-gnu": "4.2.2",
+        "@tailwindcss/oxide-linux-arm64-musl": "4.2.2",
+        "@tailwindcss/oxide-linux-x64-gnu": "4.2.2",
+        "@tailwindcss/oxide-linux-x64-musl": "4.2.2",
+        "@tailwindcss/oxide-wasm32-wasi": "4.2.2",
+        "@tailwindcss/oxide-win32-arm64-msvc": "4.2.2",
+        "@tailwindcss/oxide-win32-x64-msvc": "4.2.2"
       }
     },
     "node_modules/@tailwindcss/oxide-android-arm64": {
-      "version": "4.1.14",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-android-arm64/-/oxide-android-arm64-4.1.14.tgz",
-      "integrity": "sha512-a94ifZrGwMvbdeAxWoSuGcIl6/DOP5cdxagid7xJv6bwFp3oebp7y2ImYsnZBMTwjn5Ev5xESvS3FFYUGgPODQ==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-android-arm64/-/oxide-android-arm64-4.2.2.tgz",
+      "integrity": "sha512-dXGR1n+P3B6748jZO/SvHZq7qBOqqzQ+yFrXpoOWWALWndF9MoSKAT3Q0fYgAzYzGhxNYOoysRvYlpixRBBoDg==",
       "cpu": [
         "arm64"
       ],
@@ -1621,13 +3265,13 @@
         "android"
       ],
       "engines": {
-        "node": ">= 10"
+        "node": ">= 20"
       }
     },
     "node_modules/@tailwindcss/oxide-darwin-arm64": {
-      "version": "4.1.14",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-arm64/-/oxide-darwin-arm64-4.1.14.tgz",
-      "integrity": "sha512-HkFP/CqfSh09xCnrPJA7jud7hij5ahKyWomrC3oiO2U9i0UjP17o9pJbxUN0IJ471GTQQmzwhp0DEcpbp4MZTA==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-arm64/-/oxide-darwin-arm64-4.2.2.tgz",
+      "integrity": "sha512-iq9Qjr6knfMpZHj55/37ouZeykwbDqF21gPFtfnhCCKGDcPI/21FKC9XdMO/XyBM7qKORx6UIhGgg6jLl7BZlg==",
       "cpu": [
         "arm64"
       ],
@@ -1638,13 +3282,13 @@
         "darwin"
       ],
       "engines": {
-        "node": ">= 10"
+        "node": ">= 20"
       }
     },
     "node_modules/@tailwindcss/oxide-darwin-x64": {
-      "version": "4.1.14",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-x64/-/oxide-darwin-x64-4.1.14.tgz",
-      "integrity": "sha512-eVNaWmCgdLf5iv6Qd3s7JI5SEFBFRtfm6W0mphJYXgvnDEAZ5sZzqmI06bK6xo0IErDHdTA5/t7d4eTfWbWOFw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-x64/-/oxide-darwin-x64-4.2.2.tgz",
+      "integrity": "sha512-BlR+2c3nzc8f2G639LpL89YY4bdcIdUmiOOkv2GQv4/4M0vJlpXEa0JXNHhCHU7VWOKWT/CjqHdTP8aUuDJkuw==",
       "cpu": [
         "x64"
       ],
@@ -1655,13 +3299,13 @@
         "darwin"
       ],
       "engines": {
-        "node": ">= 10"
+        "node": ">= 20"
       }
     },
     "node_modules/@tailwindcss/oxide-freebsd-x64": {
-      "version": "4.1.14",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-freebsd-x64/-/oxide-freebsd-x64-4.1.14.tgz",
-      "integrity": "sha512-QWLoRXNikEuqtNb0dhQN6wsSVVjX6dmUFzuuiL09ZeXju25dsei2uIPl71y2Ic6QbNBsB4scwBoFnlBfabHkEw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-freebsd-x64/-/oxide-freebsd-x64-4.2.2.tgz",
+      "integrity": "sha512-YUqUgrGMSu2CDO82hzlQ5qSb5xmx3RUrke/QgnoEx7KvmRJHQuZHZmZTLSuuHwFf0DJPybFMXMYf+WJdxHy/nQ==",
       "cpu": [
         "x64"
       ],
@@ -1672,13 +3316,13 @@
         "freebsd"
       ],
       "engines": {
-        "node": ">= 10"
+        "node": ">= 20"
       }
     },
     "node_modules/@tailwindcss/oxide-linux-arm-gnueabihf": {
-      "version": "4.1.14",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm-gnueabihf/-/oxide-linux-arm-gnueabihf-4.1.14.tgz",
-      "integrity": "sha512-VB4gjQni9+F0VCASU+L8zSIyjrLLsy03sjcR3bM0V2g4SNamo0FakZFKyUQ96ZVwGK4CaJsc9zd/obQy74o0Fw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm-gnueabihf/-/oxide-linux-arm-gnueabihf-4.2.2.tgz",
+      "integrity": "sha512-FPdhvsW6g06T9BWT0qTwiVZYE2WIFo2dY5aCSpjG/S/u1tby+wXoslXS0kl3/KXnULlLr1E3NPRRw0g7t2kgaQ==",
       "cpu": [
         "arm"
       ],
@@ -1689,81 +3333,93 @@
         "linux"
       ],
       "engines": {
-        "node": ">= 10"
+        "node": ">= 20"
       }
     },
     "node_modules/@tailwindcss/oxide-linux-arm64-gnu": {
-      "version": "4.1.14",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-gnu/-/oxide-linux-arm64-gnu-4.1.14.tgz",
-      "integrity": "sha512-qaEy0dIZ6d9vyLnmeg24yzA8XuEAD9WjpM5nIM1sUgQ/Zv7cVkharPDQcmm/t/TvXoKo/0knI3me3AGfdx6w1w==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-gnu/-/oxide-linux-arm64-gnu-4.2.2.tgz",
+      "integrity": "sha512-4og1V+ftEPXGttOO7eCmW7VICmzzJWgMx+QXAJRAhjrSjumCwWqMfkDrNu1LXEQzNAwz28NCUpucgQPrR4S2yw==",
       "cpu": [
         "arm64"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "MIT",
       "optional": true,
       "os": [
         "linux"
       ],
       "engines": {
-        "node": ">= 10"
+        "node": ">= 20"
       }
     },
     "node_modules/@tailwindcss/oxide-linux-arm64-musl": {
-      "version": "4.1.14",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-musl/-/oxide-linux-arm64-musl-4.1.14.tgz",
-      "integrity": "sha512-ISZjT44s59O8xKsPEIesiIydMG/sCXoMBCqsphDm/WcbnuWLxxb+GcvSIIA5NjUw6F8Tex7s5/LM2yDy8RqYBQ==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-musl/-/oxide-linux-arm64-musl-4.2.2.tgz",
+      "integrity": "sha512-oCfG/mS+/+XRlwNjnsNLVwnMWYH7tn/kYPsNPh+JSOMlnt93mYNCKHYzylRhI51X+TbR+ufNhhKKzm6QkqX8ag==",
       "cpu": [
         "arm64"
       ],
       "dev": true,
+      "libc": [
+        "musl"
+      ],
       "license": "MIT",
       "optional": true,
       "os": [
         "linux"
       ],
       "engines": {
-        "node": ">= 10"
+        "node": ">= 20"
       }
     },
     "node_modules/@tailwindcss/oxide-linux-x64-gnu": {
-      "version": "4.1.14",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-gnu/-/oxide-linux-x64-gnu-4.1.14.tgz",
-      "integrity": "sha512-02c6JhLPJj10L2caH4U0zF8Hji4dOeahmuMl23stk0MU1wfd1OraE7rOloidSF8W5JTHkFdVo/O7uRUJJnUAJg==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-gnu/-/oxide-linux-x64-gnu-4.2.2.tgz",
+      "integrity": "sha512-rTAGAkDgqbXHNp/xW0iugLVmX62wOp2PoE39BTCGKjv3Iocf6AFbRP/wZT/kuCxC9QBh9Pu8XPkv/zCZB2mcMg==",
       "cpu": [
         "x64"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "MIT",
       "optional": true,
       "os": [
         "linux"
       ],
       "engines": {
-        "node": ">= 10"
+        "node": ">= 20"
       }
     },
     "node_modules/@tailwindcss/oxide-linux-x64-musl": {
-      "version": "4.1.14",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-musl/-/oxide-linux-x64-musl-4.1.14.tgz",
-      "integrity": "sha512-TNGeLiN1XS66kQhxHG/7wMeQDOoL0S33x9BgmydbrWAb9Qw0KYdd8o1ifx4HOGDWhVmJ+Ul+JQ7lyknQFilO3Q==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-musl/-/oxide-linux-x64-musl-4.2.2.tgz",
+      "integrity": "sha512-XW3t3qwbIwiSyRCggeO2zxe3KWaEbM0/kW9e8+0XpBgyKU4ATYzcVSMKteZJ1iukJ3HgHBjbg9P5YPRCVUxlnQ==",
       "cpu": [
         "x64"
       ],
       "dev": true,
+      "libc": [
+        "musl"
+      ],
       "license": "MIT",
       "optional": true,
       "os": [
         "linux"
       ],
       "engines": {
-        "node": ">= 10"
+        "node": ">= 20"
       }
     },
     "node_modules/@tailwindcss/oxide-wasm32-wasi": {
-      "version": "4.1.14",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-wasm32-wasi/-/oxide-wasm32-wasi-4.1.14.tgz",
-      "integrity": "sha512-uZYAsaW/jS/IYkd6EWPJKW/NlPNSkWkBlaeVBi/WsFQNP05/bzkebUL8FH1pdsqx4f2fH/bWFcUABOM9nfiJkQ==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-wasm32-wasi/-/oxide-wasm32-wasi-4.2.2.tgz",
+      "integrity": "sha512-eKSztKsmEsn1O5lJ4ZAfyn41NfG7vzCg496YiGtMDV86jz1q/irhms5O0VrY6ZwTUkFy/EKG3RfWgxSI3VbZ8Q==",
       "bundleDependencies": [
         "@napi-rs/wasm-runtime",
         "@emnapi/core",
@@ -1779,21 +3435,21 @@
       "license": "MIT",
       "optional": true,
       "dependencies": {
-        "@emnapi/core": "^1.5.0",
-        "@emnapi/runtime": "^1.5.0",
+        "@emnapi/core": "^1.8.1",
+        "@emnapi/runtime": "^1.8.1",
         "@emnapi/wasi-threads": "^1.1.0",
-        "@napi-rs/wasm-runtime": "^1.0.5",
+        "@napi-rs/wasm-runtime": "^1.1.1",
         "@tybys/wasm-util": "^0.10.1",
-        "tslib": "^2.4.0"
+        "tslib": "^2.8.1"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@tailwindcss/oxide-win32-arm64-msvc": {
-      "version": "4.1.14",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-arm64-msvc/-/oxide-win32-arm64-msvc-4.1.14.tgz",
-      "integrity": "sha512-Az0RnnkcvRqsuoLH2Z4n3JfAef0wElgzHD5Aky/e+0tBUxUhIeIqFBTMNQvmMRSP15fWwmvjBxZ3Q8RhsDnxAA==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-arm64-msvc/-/oxide-win32-arm64-msvc-4.2.2.tgz",
+      "integrity": "sha512-qPmaQM4iKu5mxpsrWZMOZRgZv1tOZpUm+zdhhQP0VhJfyGGO3aUKdbh3gDZc/dPLQwW4eSqWGrrcWNBZWUWaXQ==",
       "cpu": [
         "arm64"
       ],
@@ -1804,13 +3460,13 @@
         "win32"
       ],
       "engines": {
-        "node": ">= 10"
+        "node": ">= 20"
       }
     },
     "node_modules/@tailwindcss/oxide-win32-x64-msvc": {
-      "version": "4.1.14",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-x64-msvc/-/oxide-win32-x64-msvc-4.1.14.tgz",
-      "integrity": "sha512-ttblVGHgf68kEE4om1n/n44I0yGPkCPbLsqzjvybhpwa6mKKtgFfAzy6btc3HRmuW7nHe0OOrSeNP9sQmmH9XA==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-x64-msvc/-/oxide-win32-x64-msvc-4.2.2.tgz",
+      "integrity": "sha512-1T/37VvI7WyH66b+vqHj/cLwnCxt7Qt3WFu5Q8hk65aOvlwAhs7rAp1VkulBJw/N4tMirXjVnylTR72uI0HGcA==",
       "cpu": [
         "x64"
       ],
@@ -1821,28 +3477,28 @@
         "win32"
       ],
       "engines": {
-        "node": ">= 10"
+        "node": ">= 20"
       }
     },
     "node_modules/@tailwindcss/vite": {
-      "version": "4.1.14",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/vite/-/vite-4.1.14.tgz",
-      "integrity": "sha512-BoFUoU0XqgCUS1UXWhmDJroKKhNXeDzD7/XwabjkDIAbMnc4ULn5e2FuEuBbhZ6ENZoSYzKlzvZ44Yr6EUDUSA==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/vite/-/vite-4.2.2.tgz",
+      "integrity": "sha512-mEiF5HO1QqCLXoNEfXVA1Tzo+cYsrqV7w9Juj2wdUFyW07JRenqMG225MvPwr3ZD9N1bFQj46X7r33iHxLUW0w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@tailwindcss/node": "4.1.14",
-        "@tailwindcss/oxide": "4.1.14",
-        "tailwindcss": "4.1.14"
+        "@tailwindcss/node": "4.2.2",
+        "@tailwindcss/oxide": "4.2.2",
+        "tailwindcss": "4.2.2"
       },
       "peerDependencies": {
-        "vite": "^5.2.0 || ^6 || ^7"
+        "vite": "^5.2.0 || ^6 || ^7 || ^8"
       }
     },
     "node_modules/@tanstack/virtual-core": {
-      "version": "3.13.12",
-      "resolved": "https://registry.npmjs.org/@tanstack/virtual-core/-/virtual-core-3.13.12.tgz",
-      "integrity": "sha512-1YBOJfRHV4sXUmWsFSf5rQor4Ss82G8dQWLRbnk3GA4jeP8hQt1hxXh0tmflpC0dz3VgEv/1+qwPyLeWkQuPFA==",
+      "version": "3.13.23",
+      "resolved": "https://registry.npmjs.org/@tanstack/virtual-core/-/virtual-core-3.13.23.tgz",
+      "integrity": "sha512-zSz2Z2HNyLjCplANTDyl3BcdQJc2k1+yyFoKhNRmCr7V7dY8o8q5m8uFTI1/Pg1kL+Hgrz6u3Xo6eFUB7l66cg==",
       "license": "MIT",
       "funding": {
         "type": "github",
@@ -1850,12 +3506,12 @@
       }
     },
     "node_modules/@tanstack/vue-virtual": {
-      "version": "3.13.12",
-      "resolved": "https://registry.npmjs.org/@tanstack/vue-virtual/-/vue-virtual-3.13.12.tgz",
-      "integrity": "sha512-vhF7kEU9EXWXh+HdAwKJ2m3xaOnTTmgcdXcF2pim8g4GvI7eRrk2YRuV5nUlZnd/NbCIX4/Ja2OZu5EjJL06Ww==",
+      "version": "3.13.23",
+      "resolved": "https://registry.npmjs.org/@tanstack/vue-virtual/-/vue-virtual-3.13.23.tgz",
+      "integrity": "sha512-b5jPluAR6U3eOq6GWAYSpj3ugnAIZgGR0e6aGAgyRse0Yu6MVQQ0ZWm9SArSXWtageogn6bkVD8D//c4IjW3xQ==",
       "license": "MIT",
       "dependencies": {
-        "@tanstack/virtual-core": "3.13.12"
+        "@tanstack/virtual-core": "3.13.23"
       },
       "funding": {
         "type": "github",
@@ -1866,9 +3522,9 @@
       }
     },
     "node_modules/@tsconfig/node10": {
-      "version": "1.0.11",
-      "resolved": "https://registry.npmjs.org/@tsconfig/node10/-/node10-1.0.11.tgz",
-      "integrity": "sha512-DcRjDCujK/kCk/cUe8Xz8ZSpm8mS3mNNpta+jGCA6USEDfktlNvm1+IuZ9eTcDbNk41BHwpHHeW+N1lKCz4zOw==",
+      "version": "1.0.12",
+      "resolved": "https://registry.npmjs.org/@tsconfig/node10/-/node10-1.0.12.tgz",
+      "integrity": "sha512-UCYBaeFvM11aU2y3YPZ//O5Rhj+xKyzy7mvcIoAjASbigy8mHMryP5cK7dgjlz2hWxh1g5pLw084E0a/wlUSFQ==",
       "dev": true,
       "license": "MIT"
     },
@@ -1901,13 +3557,14 @@
       "license": "MIT"
     },
     "node_modules/@types/chai": {
-      "version": "5.2.2",
-      "resolved": "https://registry.npmjs.org/@types/chai/-/chai-5.2.2.tgz",
-      "integrity": "sha512-8kB30R7Hwqf40JPiKhVzodJs2Qc1ZJ5zuT3uzw5Hq/dhNCl3G3l83jfpdI1e20BP348+fV7VIL/+FxaXkqBmWg==",
+      "version": "5.2.3",
+      "resolved": "https://registry.npmjs.org/@types/chai/-/chai-5.2.3.tgz",
+      "integrity": "sha512-Mw558oeA9fFbv65/y4mHtXDs9bPnFMZAL/jxdPFUpOHHIXX91mcgEHbS5Lahr+pwZFR8A7GQleRWeI6cGFC2UA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@types/deep-eql": "*"
+        "@types/deep-eql": "*",
+        "assertion-error": "^2.0.1"
       }
     },
     "node_modules/@types/deep-eql": {
@@ -1917,6 +3574,13 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/@types/esrecurse": {
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@types/esrecurse/-/esrecurse-4.3.1.tgz",
+      "integrity": "sha512-xJBAbDifo5hpffDBuHl0Y8ywswbiAp/Wi7Y/GtAgSlZyIABppyurxVueOPE8LUQOxdlgi6Zqce7uoEpqNTeiUw==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/@types/estree": {
       "version": "1.0.8",
       "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.8.tgz",
@@ -1939,11 +3603,10 @@
       "license": "MIT"
     },
     "node_modules/@types/node": {
-      "version": "22.18.11",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-22.18.11.tgz",
-      "integrity": "sha512-Gd33J2XIrXurb+eT2ktze3rJAfAp9ZNjlBdh4SVgyrKEOADwCbdUDaK7QgJno8Ue4kcajscsKqu6n8OBG3hhCQ==",
+      "version": "22.19.15",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-22.19.15.tgz",
+      "integrity": "sha512-F0R/h2+dsy5wJAUe3tAU6oqa2qbWY5TpNfL/RGmo1y38hiyO1w3x2jPtt76wmuaJI4DQnOBu21cNXQ2STIUUWg==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "undici-types": "~6.21.0"
       }
@@ -1955,6 +3618,12 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/@types/uuid": {
+      "version": "9.0.8",
+      "resolved": "https://registry.npmjs.org/@types/uuid/-/uuid-9.0.8.tgz",
+      "integrity": "sha512-jg+97EGIcY9AGHJJRaaPVgetKDsrTgbRjQ5Msgjh/DQKEFl0DtyRr/VCOyD1T2R1MNeWPK/u7JoGhlDZnKBAfA==",
+      "license": "MIT"
+    },
     "node_modules/@types/whatwg-mimetype": {
       "version": "3.0.2",
       "resolved": "https://registry.npmjs.org/@types/whatwg-mimetype/-/whatwg-mimetype-3.0.2.tgz",
@@ -1962,22 +3631,31 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/@types/ws": {
+      "version": "8.18.1",
+      "resolved": "https://registry.npmjs.org/@types/ws/-/ws-8.18.1.tgz",
+      "integrity": "sha512-ThVF6DCVhA8kUGy+aazFQ4kXQ7E1Ty7A3ypFOe0IcJV8O/M511G99AW24irKrW56Wt44yG9+ij8FaqoBGkuBXg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/node": "*"
+      }
+    },
     "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.46.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.46.1.tgz",
-      "integrity": "sha512-rUsLh8PXmBjdiPY+Emjz9NX2yHvhS11v0SR6xNJkm5GM1MO9ea/1GoDKlHHZGrOJclL/cZ2i/vRUYVtjRhrHVQ==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.58.0.tgz",
+      "integrity": "sha512-RLkVSiNuUP1C2ROIWfqX+YcUfLaSnxGE/8M+Y57lopVwg9VTYYfhuz15Yf1IzCKgZj6/rIbYTmJCUSqr76r0Wg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@eslint-community/regexpp": "^4.10.0",
-        "@typescript-eslint/scope-manager": "8.46.1",
-        "@typescript-eslint/type-utils": "8.46.1",
-        "@typescript-eslint/utils": "8.46.1",
-        "@typescript-eslint/visitor-keys": "8.46.1",
-        "graphemer": "^1.4.0",
-        "ignore": "^7.0.0",
+        "@eslint-community/regexpp": "^4.12.2",
+        "@typescript-eslint/scope-manager": "8.58.0",
+        "@typescript-eslint/type-utils": "8.58.0",
+        "@typescript-eslint/utils": "8.58.0",
+        "@typescript-eslint/visitor-keys": "8.58.0",
+        "ignore": "^7.0.5",
         "natural-compare": "^1.4.0",
-        "ts-api-utils": "^2.1.0"
+        "ts-api-utils": "^2.5.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -1987,9 +3665,9 @@
         "url": "https://opencollective.com/typescript-eslint"
       },
       "peerDependencies": {
-        "@typescript-eslint/parser": "^8.46.1",
-        "eslint": "^8.57.0 || ^9.0.0",
-        "typescript": ">=4.8.4 <6.0.0"
+        "@typescript-eslint/parser": "^8.58.0",
+        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
+        "typescript": ">=4.8.4 <6.1.0"
       }
     },
     "node_modules/@typescript-eslint/eslint-plugin/node_modules/ignore": {
@@ -2003,18 +3681,17 @@
       }
     },
     "node_modules/@typescript-eslint/parser": {
-      "version": "8.46.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.46.1.tgz",
-      "integrity": "sha512-6JSSaBZmsKvEkbRUkf7Zj7dru/8ZCrJxAqArcLaVMee5907JdtEbKGsZ7zNiIm/UAkpGUkaSMZEXShnN2D1HZA==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.58.0.tgz",
+      "integrity": "sha512-rLoGZIf9afaRBYsPUMtvkDWykwXwUPL60HebR4JgTI8mxfFe2cQTu3AGitANp4b9B2QlVru6WzjgB2IzJKiCSA==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
-        "@typescript-eslint/scope-manager": "8.46.1",
-        "@typescript-eslint/types": "8.46.1",
-        "@typescript-eslint/typescript-estree": "8.46.1",
-        "@typescript-eslint/visitor-keys": "8.46.1",
-        "debug": "^4.3.4"
+        "@typescript-eslint/scope-manager": "8.58.0",
+        "@typescript-eslint/types": "8.58.0",
+        "@typescript-eslint/typescript-estree": "8.58.0",
+        "@typescript-eslint/visitor-keys": "8.58.0",
+        "debug": "^4.4.3"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2024,20 +3701,20 @@
         "url": "https://opencollective.com/typescript-eslint"
       },
       "peerDependencies": {
-        "eslint": "^8.57.0 || ^9.0.0",
-        "typescript": ">=4.8.4 <6.0.0"
+        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
+        "typescript": ">=4.8.4 <6.1.0"
       }
     },
     "node_modules/@typescript-eslint/project-service": {
-      "version": "8.46.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.46.1.tgz",
-      "integrity": "sha512-FOIaFVMHzRskXr5J4Jp8lFVV0gz5ngv3RHmn+E4HYxSJ3DgDzU7fVI1/M7Ijh1zf6S7HIoaIOtln1H5y8V+9Zg==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.58.0.tgz",
+      "integrity": "sha512-8Q/wBPWLQP1j16NxoPNIKpDZFMaxl7yWIoqXWYeWO+Bbd2mjgvoF0dxP2jKZg5+x49rgKdf7Ck473M8PC3V9lg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.46.1",
-        "@typescript-eslint/types": "^8.46.1",
-        "debug": "^4.3.4"
+        "@typescript-eslint/tsconfig-utils": "^8.58.0",
+        "@typescript-eslint/types": "^8.58.0",
+        "debug": "^4.4.3"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2047,18 +3724,18 @@
         "url": "https://opencollective.com/typescript-eslint"
       },
       "peerDependencies": {
-        "typescript": ">=4.8.4 <6.0.0"
+        "typescript": ">=4.8.4 <6.1.0"
       }
     },
     "node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.46.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.46.1.tgz",
-      "integrity": "sha512-weL9Gg3/5F0pVQKiF8eOXFZp8emqWzZsOJuWRUNtHT+UNV2xSJegmpCNQHy37aEQIbToTq7RHKhWvOsmbM680A==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.58.0.tgz",
+      "integrity": "sha512-W1Lur1oF50FxSnNdGp3Vs6P+yBRSmZiw4IIjEeYxd8UQJwhUF0gDgDD/W/Tgmh73mxgEU3qX0Bzdl/NGuSPEpQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.46.1",
-        "@typescript-eslint/visitor-keys": "8.46.1"
+        "@typescript-eslint/types": "8.58.0",
+        "@typescript-eslint/visitor-keys": "8.58.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2069,9 +3746,9 @@
       }
     },
     "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.46.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.46.1.tgz",
-      "integrity": "sha512-X88+J/CwFvlJB+mK09VFqx5FE4H5cXD+H/Bdza2aEWkSb8hnWIQorNcscRl4IEo1Cz9VI/+/r/jnGWkbWPx54g==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.58.0.tgz",
+      "integrity": "sha512-doNSZEVJsWEu4htiVC+PR6NpM+pa+a4ClH9INRWOWCUzMst/VA9c4gXq92F8GUD1rwhNvRLkgjfYtFXegXQF7A==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2082,21 +3759,21 @@
         "url": "https://opencollective.com/typescript-eslint"
       },
       "peerDependencies": {
-        "typescript": ">=4.8.4 <6.0.0"
+        "typescript": ">=4.8.4 <6.1.0"
       }
     },
     "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.46.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.46.1.tgz",
-      "integrity": "sha512-+BlmiHIiqufBxkVnOtFwjah/vrkF4MtKKvpXrKSPLCkCtAp8H01/VV43sfqA98Od7nJpDcFnkwgyfQbOG0AMvw==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.58.0.tgz",
+      "integrity": "sha512-aGsCQImkDIqMyx1u4PrVlbi/krmDsQUs4zAcCV6M7yPcPev+RqVlndsJy9kJ8TLihW9TZ0kbDAzctpLn5o+lOg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.46.1",
-        "@typescript-eslint/typescript-estree": "8.46.1",
-        "@typescript-eslint/utils": "8.46.1",
-        "debug": "^4.3.4",
-        "ts-api-utils": "^2.1.0"
+        "@typescript-eslint/types": "8.58.0",
+        "@typescript-eslint/typescript-estree": "8.58.0",
+        "@typescript-eslint/utils": "8.58.0",
+        "debug": "^4.4.3",
+        "ts-api-utils": "^2.5.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2106,14 +3783,14 @@
         "url": "https://opencollective.com/typescript-eslint"
       },
       "peerDependencies": {
-        "eslint": "^8.57.0 || ^9.0.0",
-        "typescript": ">=4.8.4 <6.0.0"
+        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
+        "typescript": ">=4.8.4 <6.1.0"
       }
     },
     "node_modules/@typescript-eslint/types": {
-      "version": "8.46.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.46.1.tgz",
-      "integrity": "sha512-C+soprGBHwWBdkDpbaRC4paGBrkIXxVlNohadL5o0kfhsXqOC6GYH2S/Obmig+I0HTDl8wMaRySwrfrXVP8/pQ==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.58.0.tgz",
+      "integrity": "sha512-O9CjxypDT89fbHxRfETNoAnHj/i6IpRK0CvbVN3qibxlLdo5p5hcLmUuCCrHMpxiWSwKyI8mCP7qRNYuOJ0Uww==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2125,22 +3802,21 @@
       }
     },
     "node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.46.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.46.1.tgz",
-      "integrity": "sha512-uIifjT4s8cQKFQ8ZBXXyoUODtRoAd7F7+G8MKmtzj17+1UbdzFl52AzRyZRyKqPHhgzvXunnSckVu36flGy8cg==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.58.0.tgz",
+      "integrity": "sha512-7vv5UWbHqew/dvs+D3e1RvLv1v2eeZ9txRHPnEEBUgSNLx5ghdzjHa0sgLWYVKssH+lYmV0JaWdoubo0ncGYLA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/project-service": "8.46.1",
-        "@typescript-eslint/tsconfig-utils": "8.46.1",
-        "@typescript-eslint/types": "8.46.1",
-        "@typescript-eslint/visitor-keys": "8.46.1",
-        "debug": "^4.3.4",
-        "fast-glob": "^3.3.2",
-        "is-glob": "^4.0.3",
-        "minimatch": "^9.0.4",
-        "semver": "^7.6.0",
-        "ts-api-utils": "^2.1.0"
+        "@typescript-eslint/project-service": "8.58.0",
+        "@typescript-eslint/tsconfig-utils": "8.58.0",
+        "@typescript-eslint/types": "8.58.0",
+        "@typescript-eslint/visitor-keys": "8.58.0",
+        "debug": "^4.4.3",
+        "minimatch": "^10.2.2",
+        "semver": "^7.7.3",
+        "tinyglobby": "^0.2.15",
+        "ts-api-utils": "^2.5.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2150,20 +3826,20 @@
         "url": "https://opencollective.com/typescript-eslint"
       },
       "peerDependencies": {
-        "typescript": ">=4.8.4 <6.0.0"
+        "typescript": ">=4.8.4 <6.1.0"
       }
     },
     "node_modules/@typescript-eslint/utils": {
-      "version": "8.46.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.46.1.tgz",
-      "integrity": "sha512-vkYUy6LdZS7q1v/Gxb2Zs7zziuXN0wxqsetJdeZdRe/f5dwJFglmuvZBfTUivCtjH725C1jWCDfpadadD95EDQ==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.58.0.tgz",
+      "integrity": "sha512-RfeSqcFeHMHlAWzt4TBjWOAtoW9lnsAGiP3GbaX9uVgTYYrMbVnGONEfUCiSss+xMHFl+eHZiipmA8WkQ7FuNA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@eslint-community/eslint-utils": "^4.7.0",
-        "@typescript-eslint/scope-manager": "8.46.1",
-        "@typescript-eslint/types": "8.46.1",
-        "@typescript-eslint/typescript-estree": "8.46.1"
+        "@eslint-community/eslint-utils": "^4.9.1",
+        "@typescript-eslint/scope-manager": "8.58.0",
+        "@typescript-eslint/types": "8.58.0",
+        "@typescript-eslint/typescript-estree": "8.58.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2173,19 +3849,19 @@
         "url": "https://opencollective.com/typescript-eslint"
       },
       "peerDependencies": {
-        "eslint": "^8.57.0 || ^9.0.0",
-        "typescript": ">=4.8.4 <6.0.0"
+        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
+        "typescript": ">=4.8.4 <6.1.0"
       }
     },
     "node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.46.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.46.1.tgz",
-      "integrity": "sha512-ptkmIf2iDkNUjdeu2bQqhFPV1m6qTnFFjg7PPDjxKWaMaP0Z6I9l30Jr3g5QqbZGdw8YdYvLp+XnqnWWZOg/NA==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.58.0.tgz",
+      "integrity": "sha512-XJ9UD9+bbDo4a4epraTwG3TsNPeiB9aShrUneAVXy8q4LuwowN+qu89/6ByLMINqvIMeI9H9hOHQtg/ijrYXzQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.46.1",
-        "eslint-visitor-keys": "^4.2.1"
+        "@typescript-eslint/types": "8.58.0",
+        "eslint-visitor-keys": "^5.0.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2196,62 +3872,59 @@
       }
     },
     "node_modules/@typescript-eslint/visitor-keys/node_modules/eslint-visitor-keys": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-4.2.1.tgz",
-      "integrity": "sha512-Uhdk5sfqcee/9H/rCOJikYz67o0a2Tw2hGRPOG2Y1R2dg7brRe1uG0yaNQDHu+TO/uQPF/5eCapvYSmHUjt7JQ==",
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-5.0.1.tgz",
+      "integrity": "sha512-tD40eHxA35h0PEIZNeIjkHoDR4YjjJp34biM0mDvplBe//mB+IHCqHDGV7pxF+7MklTvighcCPPZC7ynWyjdTA==",
       "dev": true,
       "license": "Apache-2.0",
       "engines": {
-        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+        "node": "^20.19.0 || ^22.13.0 || >=24"
       },
       "funding": {
         "url": "https://opencollective.com/eslint"
       }
     },
     "node_modules/@vitejs/plugin-vue": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/@vitejs/plugin-vue/-/plugin-vue-6.0.1.tgz",
-      "integrity": "sha512-+MaE752hU0wfPFJEUAIxqw18+20euHHdxVtMvbFcOEpjEyfqXH/5DCoTHiVJ0J29EhTJdoTkjEv5YBKU9dnoTw==",
+      "version": "6.0.5",
+      "resolved": "https://registry.npmjs.org/@vitejs/plugin-vue/-/plugin-vue-6.0.5.tgz",
+      "integrity": "sha512-bL3AxKuQySfk1iGcBsQnoRVexTPJq0Z/ixFVM8OhVJAP6ZXXXLtM7NFKWhLl30Kg7uTBqIaPXbh+nuQCuBDedg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@rolldown/pluginutils": "1.0.0-beta.29"
+        "@rolldown/pluginutils": "1.0.0-rc.2"
       },
       "engines": {
         "node": "^20.19.0 || >=22.12.0"
       },
       "peerDependencies": {
-        "vite": "^5.0.0 || ^6.0.0 || ^7.0.0",
+        "vite": "^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0",
         "vue": "^3.2.25"
       }
     },
     "node_modules/@vitest/coverage-v8": {
-      "version": "3.2.4",
-      "resolved": "https://registry.npmjs.org/@vitest/coverage-v8/-/coverage-v8-3.2.4.tgz",
-      "integrity": "sha512-EyF9SXU6kS5Ku/U82E259WSnvg6c8KTjppUncuNdm5QHpe17mwREHnjDzozC8x9MZ0xfBUFSaLkRv4TMA75ALQ==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/coverage-v8/-/coverage-v8-4.1.2.tgz",
+      "integrity": "sha512-sPK//PHO+kAkScb8XITeB1bf7fsk85Km7+rt4eeuRR3VS1/crD47cmV5wicisJmjNdfeokTZwjMk4Mj2d58Mgg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@ampproject/remapping": "^2.3.0",
         "@bcoe/v8-coverage": "^1.0.2",
-        "ast-v8-to-istanbul": "^0.3.3",
-        "debug": "^4.4.1",
+        "@vitest/utils": "4.1.2",
+        "ast-v8-to-istanbul": "^1.0.0",
         "istanbul-lib-coverage": "^3.2.2",
         "istanbul-lib-report": "^3.0.1",
-        "istanbul-lib-source-maps": "^5.0.6",
-        "istanbul-reports": "^3.1.7",
-        "magic-string": "^0.30.17",
-        "magicast": "^0.3.5",
-        "std-env": "^3.9.0",
-        "test-exclude": "^7.0.1",
-        "tinyrainbow": "^2.0.0"
+        "istanbul-reports": "^3.2.0",
+        "magicast": "^0.5.2",
+        "obug": "^2.1.1",
+        "std-env": "^4.0.0-rc.1",
+        "tinyrainbow": "^3.1.0"
       },
       "funding": {
         "url": "https://opencollective.com/vitest"
       },
       "peerDependencies": {
-        "@vitest/browser": "3.2.4",
-        "vitest": "3.2.4"
+        "@vitest/browser": "4.1.2",
+        "vitest": "4.1.2"
       },
       "peerDependenciesMeta": {
         "@vitest/browser": {
@@ -2260,39 +3933,40 @@
       }
     },
     "node_modules/@vitest/expect": {
-      "version": "3.2.4",
-      "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-3.2.4.tgz",
-      "integrity": "sha512-Io0yyORnB6sikFlt8QW5K7slY4OjqNX9jmJQ02QDda8lyM6B5oNgVWoSoKPac8/kgnCUzuHQKrSLtu/uOqqrig==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-4.1.2.tgz",
+      "integrity": "sha512-gbu+7B0YgUJ2nkdsRJrFFW6X7NTP44WlhiclHniUhxADQJH5Szt9mZ9hWnJPJ8YwOK5zUOSSlSvyzRf0u1DSBQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
+        "@standard-schema/spec": "^1.1.0",
         "@types/chai": "^5.2.2",
-        "@vitest/spy": "3.2.4",
-        "@vitest/utils": "3.2.4",
-        "chai": "^5.2.0",
-        "tinyrainbow": "^2.0.0"
+        "@vitest/spy": "4.1.2",
+        "@vitest/utils": "4.1.2",
+        "chai": "^6.2.2",
+        "tinyrainbow": "^3.1.0"
       },
       "funding": {
         "url": "https://opencollective.com/vitest"
       }
     },
     "node_modules/@vitest/mocker": {
-      "version": "3.2.4",
-      "resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-3.2.4.tgz",
-      "integrity": "sha512-46ryTE9RZO/rfDd7pEqFl7etuyzekzEhUbTW3BvmeO/BcCMEgq59BKhek3dXDWgAj4oMK6OZi+vRr1wPW6qjEQ==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-4.1.2.tgz",
+      "integrity": "sha512-Ize4iQtEALHDttPRCmN+FKqOl2vxTiNUhzobQFFt/BM1lRUTG7zRCLOykG/6Vo4E4hnUdfVLo5/eqKPukcWW7Q==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vitest/spy": "3.2.4",
+        "@vitest/spy": "4.1.2",
         "estree-walker": "^3.0.3",
-        "magic-string": "^0.30.17"
+        "magic-string": "^0.30.21"
       },
       "funding": {
         "url": "https://opencollective.com/vitest"
       },
       "peerDependencies": {
         "msw": "^2.4.9",
-        "vite": "^5.0.0 || ^6.0.0 || ^7.0.0-0"
+        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0"
       },
       "peerDependenciesMeta": {
         "msw": {
@@ -2314,42 +3988,42 @@
       }
     },
     "node_modules/@vitest/pretty-format": {
-      "version": "3.2.4",
-      "resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-3.2.4.tgz",
-      "integrity": "sha512-IVNZik8IVRJRTr9fxlitMKeJeXFFFN0JaB9PHPGQ8NKQbGpfjlTx9zO4RefN8gp7eqjNy8nyK3NZmBzOPeIxtA==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-4.1.2.tgz",
+      "integrity": "sha512-dwQga8aejqeuB+TvXCMzSQemvV9hNEtDDpgUKDzOmNQayl2OG241PSWeJwKRH3CiC+sESrmoFd49rfnq7T4RnA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "tinyrainbow": "^2.0.0"
+        "tinyrainbow": "^3.1.0"
       },
       "funding": {
         "url": "https://opencollective.com/vitest"
       }
     },
     "node_modules/@vitest/runner": {
-      "version": "3.2.4",
-      "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-3.2.4.tgz",
-      "integrity": "sha512-oukfKT9Mk41LreEW09vt45f8wx7DordoWUZMYdY/cyAk7w5TWkTRCNZYF7sX7n2wB7jyGAl74OxgwhPgKaqDMQ==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-4.1.2.tgz",
+      "integrity": "sha512-Gr+FQan34CdiYAwpGJmQG8PgkyFVmARK8/xSijia3eTFgVfpcpztWLuP6FttGNfPLJhaZVP/euvujeNYar36OQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vitest/utils": "3.2.4",
-        "pathe": "^2.0.3",
-        "strip-literal": "^3.0.0"
+        "@vitest/utils": "4.1.2",
+        "pathe": "^2.0.3"
       },
       "funding": {
         "url": "https://opencollective.com/vitest"
       }
     },
     "node_modules/@vitest/snapshot": {
-      "version": "3.2.4",
-      "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-3.2.4.tgz",
-      "integrity": "sha512-dEYtS7qQP2CjU27QBC5oUOxLE/v5eLkGqPE0ZKEIDGMs4vKWe7IjgLOeauHsR0D5YuuycGRO5oSRXnwnmA78fQ==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-4.1.2.tgz",
+      "integrity": "sha512-g7yfUmxYS4mNxk31qbOYsSt2F4m1E02LFqO53Xpzg3zKMhLAPZAjjfyl9e6z7HrW6LvUdTwAQR3HHfLjpko16A==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vitest/pretty-format": "3.2.4",
-        "magic-string": "^0.30.17",
+        "@vitest/pretty-format": "4.1.2",
+        "@vitest/utils": "4.1.2",
+        "magic-string": "^0.30.21",
         "pathe": "^2.0.3"
       },
       "funding": {
@@ -2357,110 +4031,134 @@
       }
     },
     "node_modules/@vitest/spy": {
-      "version": "3.2.4",
-      "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-3.2.4.tgz",
-      "integrity": "sha512-vAfasCOe6AIK70iP5UD11Ac4siNUNJ9i/9PZ3NKx07sG6sUxeag1LWdNrMWeKKYBLlzuK+Gn65Yd5nyL6ds+nw==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-4.1.2.tgz",
+      "integrity": "sha512-DU4fBnbVCJGNBwVA6xSToNXrkZNSiw59H8tcuUspVMsBDBST4nfvsPsEHDHGtWRRnqBERBQu7TrTKskmjqTXKA==",
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "tinyspy": "^4.0.3"
-      },
       "funding": {
         "url": "https://opencollective.com/vitest"
       }
     },
     "node_modules/@vitest/utils": {
-      "version": "3.2.4",
-      "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-3.2.4.tgz",
-      "integrity": "sha512-fB2V0JFrQSMsCo9HiSq3Ezpdv4iYaXRG1Sx8edX3MwxfyNn83mKiGzOcH+Fkxt4MHxr3y42fQi1oeAInqgX2QA==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-4.1.2.tgz",
+      "integrity": "sha512-xw2/TiX82lQHA06cgbqRKFb5lCAy3axQ4H4SoUFhUsg+wztiet+co86IAMDtF6Vm1hc7J6j09oh/rgDn+JdKIQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vitest/pretty-format": "3.2.4",
-        "loupe": "^3.1.4",
-        "tinyrainbow": "^2.0.0"
+        "@vitest/pretty-format": "4.1.2",
+        "convert-source-map": "^2.0.0",
+        "tinyrainbow": "^3.1.0"
       },
       "funding": {
         "url": "https://opencollective.com/vitest"
       }
     },
     "node_modules/@volar/language-core": {
-      "version": "2.4.23",
-      "resolved": "https://registry.npmjs.org/@volar/language-core/-/language-core-2.4.23.tgz",
-      "integrity": "sha512-hEEd5ET/oSmBC6pi1j6NaNYRWoAiDhINbT8rmwtINugR39loROSlufGdYMF9TaKGfz+ViGs1Idi3mAhnuPcoGQ==",
+      "version": "2.4.28",
+      "resolved": "https://registry.npmjs.org/@volar/language-core/-/language-core-2.4.28.tgz",
+      "integrity": "sha512-w4qhIJ8ZSitgLAkVay6AbcnC7gP3glYM3fYwKV3srj8m494E3xtrCv6E+bWviiK/8hs6e6t1ij1s2Endql7vzQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@volar/source-map": "2.4.23"
+        "@volar/source-map": "2.4.28"
       }
     },
     "node_modules/@volar/source-map": {
-      "version": "2.4.23",
-      "resolved": "https://registry.npmjs.org/@volar/source-map/-/source-map-2.4.23.tgz",
-      "integrity": "sha512-Z1Uc8IB57Lm6k7q6KIDu/p+JWtf3xsXJqAX/5r18hYOTpJyBn0KXUR8oTJ4WFYOcDzWC9n3IflGgHowx6U6z9Q==",
+      "version": "2.4.28",
+      "resolved": "https://registry.npmjs.org/@volar/source-map/-/source-map-2.4.28.tgz",
+      "integrity": "sha512-yX2BDBqJkRXfKw8my8VarTyjv48QwxdJtvRgUpNE5erCsgEUdI2DsLbpa+rOQVAJYshY99szEcRDmyHbF10ggQ==",
       "dev": true,
       "license": "MIT"
     },
     "node_modules/@volar/typescript": {
-      "version": "2.4.23",
-      "resolved": "https://registry.npmjs.org/@volar/typescript/-/typescript-2.4.23.tgz",
-      "integrity": "sha512-lAB5zJghWxVPqfcStmAP1ZqQacMpe90UrP5RJ3arDyrhy4aCUQqmxPPLB2PWDKugvylmO41ljK7vZ+t6INMTag==",
+      "version": "2.4.28",
+      "resolved": "https://registry.npmjs.org/@volar/typescript/-/typescript-2.4.28.tgz",
+      "integrity": "sha512-Ja6yvWrbis2QtN4ClAKreeUZPVYMARDYZl9LMEv1iQ1QdepB6wn0jTRxA9MftYmYa4DQ4k/DaSZpFPUfxl8giw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@volar/language-core": "2.4.23",
+        "@volar/language-core": "2.4.28",
         "path-browserify": "^1.0.1",
         "vscode-uri": "^3.0.8"
       }
     },
+    "node_modules/@vue-macros/common": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/@vue-macros/common/-/common-3.1.2.tgz",
+      "integrity": "sha512-h9t4ArDdniO9ekYHAD95t9AZcAbb19lEGK+26iAjUODOIJKmObDNBSe4+6ELQAA3vtYiFPPBtHh7+cQCKi3Dng==",
+      "license": "MIT",
+      "dependencies": {
+        "@vue/compiler-sfc": "^3.5.22",
+        "ast-kit": "^2.1.2",
+        "local-pkg": "^1.1.2",
+        "magic-string-ast": "^1.0.2",
+        "unplugin-utils": "^0.3.0"
+      },
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/vue-macros"
+      },
+      "peerDependencies": {
+        "vue": "^2.7.0 || ^3.2.25"
+      },
+      "peerDependenciesMeta": {
+        "vue": {
+          "optional": true
+        }
+      }
+    },
     "node_modules/@vue/compiler-core": {
-      "version": "3.5.18",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-core/-/compiler-core-3.5.18.tgz",
-      "integrity": "sha512-3slwjQrrV1TO8MoXgy3aynDQ7lslj5UqDxuHnrzHtpON5CBinhWjJETciPngpin/T3OuW3tXUf86tEurusnztw==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-core/-/compiler-core-3.5.31.tgz",
+      "integrity": "sha512-k/ueL14aNIEy5Onf0OVzR8kiqF/WThgLdFhxwa4e/KF/0qe38IwIdofoSWBTvvxQOesaz6riAFAUaYjoF9fLLQ==",
       "license": "MIT",
       "dependencies": {
-        "@babel/parser": "^7.28.0",
-        "@vue/shared": "3.5.18",
-        "entities": "^4.5.0",
+        "@babel/parser": "^7.29.2",
+        "@vue/shared": "3.5.31",
+        "entities": "^7.0.1",
         "estree-walker": "^2.0.2",
         "source-map-js": "^1.2.1"
       }
     },
     "node_modules/@vue/compiler-dom": {
-      "version": "3.5.18",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-dom/-/compiler-dom-3.5.18.tgz",
-      "integrity": "sha512-RMbU6NTU70++B1JyVJbNbeFkK+A+Q7y9XKE2EM4NLGm2WFR8x9MbAtWxPPLdm0wUkuZv9trpwfSlL6tjdIa1+A==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-dom/-/compiler-dom-3.5.31.tgz",
+      "integrity": "sha512-BMY/ozS/xxjYqRFL+tKdRpATJYDTTgWSo0+AJvJNg4ig+Hgb0dOsHPXvloHQ5hmlivUqw1Yt2pPIqp4e0v1GUw==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-core": "3.5.18",
-        "@vue/shared": "3.5.18"
+        "@vue/compiler-core": "3.5.31",
+        "@vue/shared": "3.5.31"
       }
     },
     "node_modules/@vue/compiler-sfc": {
-      "version": "3.5.18",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-sfc/-/compiler-sfc-3.5.18.tgz",
-      "integrity": "sha512-5aBjvGqsWs+MoxswZPoTB9nSDb3dhd1x30xrrltKujlCxo48j8HGDNj3QPhF4VIS0VQDUrA1xUfp2hEa+FNyXA==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-sfc/-/compiler-sfc-3.5.31.tgz",
+      "integrity": "sha512-M8wpPgR9UJ8MiRGjppvx9uWJfLV7A/T+/rL8s/y3QG3u0c2/YZgff3d6SuimKRIhcYnWg5fTfDMlz2E6seUW8Q==",
       "license": "MIT",
       "dependencies": {
-        "@babel/parser": "^7.28.0",
-        "@vue/compiler-core": "3.5.18",
-        "@vue/compiler-dom": "3.5.18",
-        "@vue/compiler-ssr": "3.5.18",
-        "@vue/shared": "3.5.18",
+        "@babel/parser": "^7.29.2",
+        "@vue/compiler-core": "3.5.31",
+        "@vue/compiler-dom": "3.5.31",
+        "@vue/compiler-ssr": "3.5.31",
+        "@vue/shared": "3.5.31",
         "estree-walker": "^2.0.2",
-        "magic-string": "^0.30.17",
-        "postcss": "^8.5.6",
+        "magic-string": "^0.30.21",
+        "postcss": "^8.5.8",
         "source-map-js": "^1.2.1"
       }
     },
     "node_modules/@vue/compiler-ssr": {
-      "version": "3.5.18",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-ssr/-/compiler-ssr-3.5.18.tgz",
-      "integrity": "sha512-xM16Ak7rSWHkM3m22NlmcdIM+K4BMyFARAfV9hYFl+SFuRzrZ3uGMNW05kA5pmeMa0X9X963Kgou7ufdbpOP9g==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-ssr/-/compiler-ssr-3.5.31.tgz",
+      "integrity": "sha512-h0xIMxrt/LHOvJKMri+vdYT92BrK3HFLtDqq9Pr/lVVfE4IyKZKvWf0vJFW10Yr6nX02OR4MkJwI0c1HDa1hog==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-dom": "3.5.18",
-        "@vue/shared": "3.5.18"
+        "@vue/compiler-dom": "3.5.31",
+        "@vue/shared": "3.5.31"
       }
     },
     "node_modules/@vue/devtools-api": {
@@ -2469,87 +4167,95 @@
       "integrity": "sha512-sGhTPMuXqZ1rVOk32RylztWkfXTRhuS7vgAKv0zjqk8gbsHkJ7xfFf+jbySxt7tWObEJwyKaHMikV/WGDiQm8g==",
       "license": "MIT"
     },
+    "node_modules/@vue/devtools-kit": {
+      "version": "8.1.1",
+      "resolved": "https://registry.npmjs.org/@vue/devtools-kit/-/devtools-kit-8.1.1.tgz",
+      "integrity": "sha512-gVBaBv++i+adg4JpH71k9ppl4soyR7Y2McEqO5YNgv0BI1kMZ7BDX5gnwkZ5COYgiCyhejZG+yGNrBAjj6Coqg==",
+      "license": "MIT",
+      "dependencies": {
+        "@vue/devtools-shared": "^8.1.1",
+        "birpc": "^2.6.1",
+        "hookable": "^5.5.3",
+        "perfect-debounce": "^2.0.0"
+      }
+    },
+    "node_modules/@vue/devtools-shared": {
+      "version": "8.1.1",
+      "resolved": "https://registry.npmjs.org/@vue/devtools-shared/-/devtools-shared-8.1.1.tgz",
+      "integrity": "sha512-+h4ttmJYl/txpxHKaoZcaKpC+pvckgLzIDiSQlaQ7kKthKh8KuwoLW2D8hPJEnqKzXOvu15UHEoGyngAXCz0EQ==",
+      "license": "MIT"
+    },
     "node_modules/@vue/language-core": {
-      "version": "3.1.1",
-      "resolved": "https://registry.npmjs.org/@vue/language-core/-/language-core-3.1.1.tgz",
-      "integrity": "sha512-qjMY3Q+hUCjdH+jLrQapqgpsJ0rd/2mAY02lZoHG3VFJZZZKLjAlV+Oo9QmWIT4jh8+Rx8RUGUi++d7T9Wb6Mw==",
+      "version": "3.2.6",
+      "resolved": "https://registry.npmjs.org/@vue/language-core/-/language-core-3.2.6.tgz",
+      "integrity": "sha512-xYYYX3/aVup576tP/23sEUpgiEnujrENaoNRbaozC1/MA9I6EGFQRJb4xrt/MmUCAGlxTKL2RmT8JLTPqagCkg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@volar/language-core": "2.4.23",
+        "@volar/language-core": "2.4.28",
         "@vue/compiler-dom": "^3.5.0",
         "@vue/shared": "^3.5.0",
         "alien-signals": "^3.0.0",
         "muggle-string": "^0.4.1",
         "path-browserify": "^1.0.1",
         "picomatch": "^4.0.2"
-      },
-      "peerDependencies": {
-        "typescript": "*"
-      },
-      "peerDependenciesMeta": {
-        "typescript": {
-          "optional": true
-        }
       }
     },
     "node_modules/@vue/reactivity": {
-      "version": "3.5.18",
-      "resolved": "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.5.18.tgz",
-      "integrity": "sha512-x0vPO5Imw+3sChLM5Y+B6G1zPjwdOri9e8V21NnTnlEvkxatHEH5B5KEAJcjuzQ7BsjGrKtfzuQ5eQwXh8HXBg==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.5.31.tgz",
+      "integrity": "sha512-DtKXxk9E/KuVvt8VxWu+6Luc9I9ETNcqR1T1oW1gf02nXaZ1kuAx58oVu7uX9XxJR0iJCro6fqBLw9oSBELo5g==",
       "license": "MIT",
       "dependencies": {
-        "@vue/shared": "3.5.18"
+        "@vue/shared": "3.5.31"
       }
     },
     "node_modules/@vue/runtime-core": {
-      "version": "3.5.18",
-      "resolved": "https://registry.npmjs.org/@vue/runtime-core/-/runtime-core-3.5.18.tgz",
-      "integrity": "sha512-DUpHa1HpeOQEt6+3nheUfqVXRog2kivkXHUhoqJiKR33SO4x+a5uNOMkV487WPerQkL0vUuRvq/7JhRgLW3S+w==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/runtime-core/-/runtime-core-3.5.31.tgz",
+      "integrity": "sha512-AZPmIHXEAyhpkmN7aWlqjSfYynmkWlluDNPHMCZKFHH+lLtxP/30UJmoVhXmbDoP1Ng0jG0fyY2zCj1PnSSA6Q==",
       "license": "MIT",
       "dependencies": {
-        "@vue/reactivity": "3.5.18",
-        "@vue/shared": "3.5.18"
+        "@vue/reactivity": "3.5.31",
+        "@vue/shared": "3.5.31"
       }
     },
     "node_modules/@vue/runtime-dom": {
-      "version": "3.5.18",
-      "resolved": "https://registry.npmjs.org/@vue/runtime-dom/-/runtime-dom-3.5.18.tgz",
-      "integrity": "sha512-YwDj71iV05j4RnzZnZtGaXwPoUWeRsqinblgVJwR8XTXYZ9D5PbahHQgsbmzUvCWNF6x7siQ89HgnX5eWkr3mw==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/runtime-dom/-/runtime-dom-3.5.31.tgz",
+      "integrity": "sha512-xQJsNRmGPeDCJq/u813tyonNgWBFjzfVkBwDREdEWndBnGdHLHgkwNBQxLtg4zDrzKTEcnikUy1UUNecb3lJ6g==",
       "license": "MIT",
       "dependencies": {
-        "@vue/reactivity": "3.5.18",
-        "@vue/runtime-core": "3.5.18",
-        "@vue/shared": "3.5.18",
-        "csstype": "^3.1.3"
+        "@vue/reactivity": "3.5.31",
+        "@vue/runtime-core": "3.5.31",
+        "@vue/shared": "3.5.31",
+        "csstype": "^3.2.3"
       }
     },
     "node_modules/@vue/server-renderer": {
-      "version": "3.5.18",
-      "resolved": "https://registry.npmjs.org/@vue/server-renderer/-/server-renderer-3.5.18.tgz",
-      "integrity": "sha512-PvIHLUoWgSbDG7zLHqSqaCoZvHi6NNmfVFOqO+OnwvqMz/tqQr3FuGWS8ufluNddk7ZLBJYMrjcw1c6XzR12mA==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/server-renderer/-/server-renderer-3.5.31.tgz",
+      "integrity": "sha512-GJuwRvMcdZX/CriUnyIIOGkx3rMV3H6sOu0JhdKbduaeCji6zb60iOGMY7tFoN24NfsUYoFBhshZtGxGpxO4iA==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-ssr": "3.5.18",
-        "@vue/shared": "3.5.18"
+        "@vue/compiler-ssr": "3.5.31",
+        "@vue/shared": "3.5.31"
       },
       "peerDependencies": {
-        "vue": "3.5.18"
+        "vue": "3.5.31"
       }
     },
     "node_modules/@vue/shared": {
-      "version": "3.5.18",
-      "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.5.18.tgz",
-      "integrity": "sha512-cZy8Dq+uuIXbxCZpuLd2GJdeSO/lIzIspC2WtkqIpje5QyFbvLaI5wZtdUjLHjGZrlVX6GilejatWwVYYRc8tA==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.5.31.tgz",
+      "integrity": "sha512-nBxuiuS9Lj5bPkPbWogPUnjxxWpkRniX7e5UBQDWl6Fsf4roq9wwV+cR7ezQ4zXswNvPIlsdj1slcLB7XCsRAw==",
       "license": "MIT"
     },
     "node_modules/acorn": {
-      "version": "8.15.0",
-      "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz",
-      "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
-      "dev": true,
+      "version": "8.16.0",
+      "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.16.0.tgz",
+      "integrity": "sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==",
       "license": "MIT",
-      "peer": true,
       "bin": {
         "acorn": "bin/acorn"
       },
@@ -2568,9 +4274,9 @@
       }
     },
     "node_modules/acorn-walk": {
-      "version": "8.3.4",
-      "resolved": "https://registry.npmjs.org/acorn-walk/-/acorn-walk-8.3.4.tgz",
-      "integrity": "sha512-ueEepnujpqee2o5aIYnvHU6C0A42MNdsIDeqy5BydrkuC5R1ZuUFnm27EeFJGoEHJQgn3uleRvmTXaJgfXbt4g==",
+      "version": "8.3.5",
+      "resolved": "https://registry.npmjs.org/acorn-walk/-/acorn-walk-8.3.5.tgz",
+      "integrity": "sha512-HEHNfbars9v4pgpW6SO1KSPkfoS0xVOM/9UzkJltjlsHZmJasxg8aXkuZa7SMf8vKGIBhpUsPluQSqhJFCqebw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -2581,9 +4287,9 @@
       }
     },
     "node_modules/ajv": {
-      "version": "6.12.6",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
-      "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==",
+      "version": "6.14.0",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz",
+      "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -2598,41 +4304,12 @@
       }
     },
     "node_modules/alien-signals": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/alien-signals/-/alien-signals-3.0.1.tgz",
-      "integrity": "sha512-ec02Wv5iOg7yG979PH9ykv5KN/KHznOxMlKy/Jr8lnBo3T94d4MUGo7FVdM8B2fM0e94twzEcWCyWzfIyeV19g==",
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/alien-signals/-/alien-signals-3.1.2.tgz",
+      "integrity": "sha512-d9dYqZTS90WLiU0I5c6DHj/HcKkF8ZyGN3G5x8wSbslulz70KOxaqCT0hQCo9KOyhVqzqGojvNdJXoTumZOtcw==",
       "dev": true,
       "license": "MIT"
     },
-    "node_modules/ansi-regex": {
-      "version": "6.1.0",
-      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.1.0.tgz",
-      "integrity": "sha512-7HSX4QQb4CspciLpVFwyRe79O3xsIZDDLER21kERQ71oaPodF8jL725AgJMFAYbooIqolJoRLuM81SpeUkpkvA==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=12"
-      },
-      "funding": {
-        "url": "https://github.com/chalk/ansi-regex?sponsor=1"
-      }
-    },
-    "node_modules/ansi-styles": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
-      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "color-convert": "^2.0.1"
-      },
-      "engines": {
-        "node": ">=8"
-      },
-      "funding": {
-        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
-      }
-    },
     "node_modules/arg": {
       "version": "4.1.3",
       "resolved": "https://registry.npmjs.org/arg/-/arg-4.1.3.tgz",
@@ -2640,13 +4317,6 @@
       "dev": true,
       "license": "MIT"
     },
-    "node_modules/argparse": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
-      "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==",
-      "dev": true,
-      "license": "Python-2.0"
-    },
     "node_modules/assertion-error": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/assertion-error/-/assertion-error-2.0.1.tgz",
@@ -2657,16 +4327,32 @@
         "node": ">=12"
       }
     },
+    "node_modules/ast-kit": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/ast-kit/-/ast-kit-2.2.0.tgz",
+      "integrity": "sha512-m1Q/RaVOnTp9JxPX+F+Zn7IcLYMzM8kZofDImfsKZd8MbR+ikdOzTeztStWqfrqIxZnYWryyI9ePm3NGjnZgGw==",
+      "license": "MIT",
+      "dependencies": {
+        "@babel/parser": "^7.28.5",
+        "pathe": "^2.0.3"
+      },
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sxzz"
+      }
+    },
     "node_modules/ast-v8-to-istanbul": {
-      "version": "0.3.3",
-      "resolved": "https://registry.npmjs.org/ast-v8-to-istanbul/-/ast-v8-to-istanbul-0.3.3.tgz",
-      "integrity": "sha512-MuXMrSLVVoA6sYN/6Hke18vMzrT4TZNbZIj/hvh0fnYFpO+/kFXcLIaiPwXXWaQUPg4yJD8fj+lfJ7/1EBconw==",
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/ast-v8-to-istanbul/-/ast-v8-to-istanbul-1.0.0.tgz",
+      "integrity": "sha512-1fSfIwuDICFA4LKkCzRPO7F0hzFf0B7+Xqrl27ynQaa+Rh0e1Es0v6kWHPott3lU10AyAr7oKHa65OppjLn3Rg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@jridgewell/trace-mapping": "^0.3.25",
+        "@jridgewell/trace-mapping": "^0.3.31",
         "estree-walker": "^3.0.3",
-        "js-tokens": "^9.0.1"
+        "js-tokens": "^10.0.0"
       }
     },
     "node_modules/ast-v8-to-istanbul/node_modules/estree-walker": {
@@ -2679,6 +4365,22 @@
         "@types/estree": "^1.0.0"
       }
     },
+    "node_modules/ast-walker-scope": {
+      "version": "0.8.3",
+      "resolved": "https://registry.npmjs.org/ast-walker-scope/-/ast-walker-scope-0.8.3.tgz",
+      "integrity": "sha512-cbdCP0PGOBq0ASG+sjnKIoYkWMKhhz+F/h9pRexUdX2Hd38+WOlBkRKlqkGOSm0YQpcFMQBJeK4WspUAkwsEdg==",
+      "license": "MIT",
+      "dependencies": {
+        "@babel/parser": "^7.28.4",
+        "ast-kit": "^2.1.3"
+      },
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sxzz"
+      }
+    },
     "node_modules/asynckit": {
       "version": "0.4.0",
       "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz",
@@ -2686,22 +4388,34 @@
       "license": "MIT"
     },
     "node_modules/axios": {
-      "version": "1.12.2",
-      "resolved": "https://registry.npmjs.org/axios/-/axios-1.12.2.tgz",
-      "integrity": "sha512-vMJzPewAlRyOgxV2dU0Cuz2O8zzzx9VYtbJOaBgXFeLc4IV/Eg50n4LowmehOOR61S8ZMpc2K5Sa7g6A4jfkUw==",
+      "version": "1.14.0",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.0.tgz",
+      "integrity": "sha512-3Y8yrqLSwjuzpXuZ0oIYZ/XGgLwUIBU3uLvbcpb0pidD9ctpShJd43KSlEEkVQg6DS0G9NKyzOvBfUtDKEyHvQ==",
       "license": "MIT",
       "dependencies": {
-        "follow-redirects": "^1.15.6",
-        "form-data": "^4.0.4",
-        "proxy-from-env": "^1.1.0"
+        "follow-redirects": "^1.15.11",
+        "form-data": "^4.0.5",
+        "proxy-from-env": "^2.1.0"
       }
     },
     "node_modules/balanced-match": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
-      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz",
+      "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==",
       "dev": true,
-      "license": "MIT"
+      "license": "MIT",
+      "engines": {
+        "node": "18 || 20 || >=22"
+      }
+    },
+    "node_modules/birpc": {
+      "version": "2.9.0",
+      "resolved": "https://registry.npmjs.org/birpc/-/birpc-2.9.0.tgz",
+      "integrity": "sha512-KrayHS5pBi69Xi9JmvoqrIgYGDkD6mcSe/i6YKi3w5kekCLzrX4+nawcXqrj2tIp50Kw/mT/s3p+GVK0A0sKxw==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/antfu"
+      }
     },
     "node_modules/boolbase": {
       "version": "1.0.0",
@@ -2710,14 +4424,23 @@
       "dev": true,
       "license": "ISC"
     },
+    "node_modules/bowser": {
+      "version": "2.11.0",
+      "resolved": "https://registry.npmjs.org/bowser/-/bowser-2.11.0.tgz",
+      "integrity": "sha512-AlcaJBi/pqqJBIQ8U9Mcpc9i8Aqxn88Skv5d+xBX006BY5u8N3mGLHa5Lgppa7L/HfwgwLgZ6NYs+Ag6uUmJRA==",
+      "license": "MIT"
+    },
     "node_modules/brace-expansion": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+      "version": "5.0.5",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
+      "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "balanced-match": "^1.0.0"
+        "balanced-match": "^4.0.2"
+      },
+      "engines": {
+        "node": "18 || 20 || >=22"
       }
     },
     "node_modules/braces": {
@@ -2733,16 +4456,6 @@
         "node": ">=8"
       }
     },
-    "node_modules/cac": {
-      "version": "6.7.14",
-      "resolved": "https://registry.npmjs.org/cac/-/cac-6.7.14.tgz",
-      "integrity": "sha512-b6Ilus+c3RrdDk+JhLKUAQfzzgLEPy6wcXqS7f/xe1EETvsDP6GORG7SFuOs6cID5YkqchW/LXZbX5bc8j7ZcQ==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=8"
-      }
-    },
     "node_modules/call-bind-apply-helpers": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz",
@@ -2756,16 +4469,6 @@
         "node": ">= 0.4"
       }
     },
-    "node_modules/callsites": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/callsites/-/callsites-3.1.0.tgz",
-      "integrity": "sha512-P8BjAsXvZS+VIDUI11hHCQEv74YT67YUi5JJFNWIqL235sBmjX4+qx9Muvls5ivyNENctx46xQLQ3aTuE7ssaQ==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=6"
-      }
-    },
     "node_modules/canvas-renderer": {
       "version": "2.2.1",
       "resolved": "https://registry.npmjs.org/canvas-renderer/-/canvas-renderer-2.2.1.tgz",
@@ -2776,79 +4479,30 @@
       }
     },
     "node_modules/chai": {
-      "version": "5.2.1",
-      "resolved": "https://registry.npmjs.org/chai/-/chai-5.2.1.tgz",
-      "integrity": "sha512-5nFxhUrX0PqtyogoYOA8IPswy5sZFTOsBFl/9bNsmDLgsxYTzSZQJDPppDnZPTQbzSEm0hqGjWPzRemQCYbD6A==",
+      "version": "6.2.2",
+      "resolved": "https://registry.npmjs.org/chai/-/chai-6.2.2.tgz",
+      "integrity": "sha512-NUPRluOfOiTKBKvWPtSD4PhFvWCqOi0BGStNWs57X9js7XGTprSmFoz5F0tWhR4WPjNeR9jXqdC7/UpSJTnlRg==",
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "assertion-error": "^2.0.1",
-        "check-error": "^2.1.1",
-        "deep-eql": "^5.0.1",
-        "loupe": "^3.1.0",
-        "pathval": "^2.0.0"
-      },
       "engines": {
         "node": ">=18"
       }
     },
-    "node_modules/chalk": {
-      "version": "4.1.2",
-      "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz",
-      "integrity": "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==",
-      "dev": true,
+    "node_modules/chokidar": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-5.0.0.tgz",
+      "integrity": "sha512-TQMmc3w+5AxjpL8iIiwebF73dRDF4fBIieAqGn9RGCWaEVwQ6Fb2cGe31Yns0RRIzii5goJ1Y7xbMwo1TxMplw==",
       "license": "MIT",
       "dependencies": {
-        "ansi-styles": "^4.1.0",
-        "supports-color": "^7.1.0"
+        "readdirp": "^5.0.0"
       },
       "engines": {
-        "node": ">=10"
+        "node": ">= 20.19.0"
       },
       "funding": {
-        "url": "https://github.com/chalk/chalk?sponsor=1"
-      }
-    },
-    "node_modules/check-error": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/check-error/-/check-error-2.1.1.tgz",
-      "integrity": "sha512-OAlb+T7V4Op9OwdkjmguYRqncdlx5JiofwOAUkmTF+jNdHwzTaTs4sRAGpzLF3oOz5xAyDGrPgeIDFQmDOTiJw==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">= 16"
-      }
-    },
-    "node_modules/chownr": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/chownr/-/chownr-3.0.0.tgz",
-      "integrity": "sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==",
-      "dev": true,
-      "license": "BlueOak-1.0.0",
-      "engines": {
-        "node": ">=18"
-      }
-    },
-    "node_modules/color-convert": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
-      "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "color-name": "~1.1.4"
-      },
-      "engines": {
-        "node": ">=7.0.0"
+        "url": "https://paulmillr.com/funding/"
       }
     },
-    "node_modules/color-name": {
-      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
-      "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/combined-stream": {
       "version": "1.0.8",
       "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz",
@@ -2861,10 +4515,16 @@
         "node": ">= 0.8"
       }
     },
-    "node_modules/concat-map": {
-      "version": "0.0.1",
-      "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
-      "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==",
+    "node_modules/confbox": {
+      "version": "0.2.4",
+      "resolved": "https://registry.npmjs.org/confbox/-/confbox-0.2.4.tgz",
+      "integrity": "sha512-ysOGlgTFbN2/Y6Cg3Iye8YKulHw+R2fNXHrgSmXISQdMnomY6eNDprVdW9R5xBguEqI954+S6709UyiO7B+6OQ==",
+      "license": "MIT"
+    },
+    "node_modules/convert-source-map": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-2.0.0.tgz",
+      "integrity": "sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg==",
       "dev": true,
       "license": "MIT"
     },
@@ -2910,15 +4570,15 @@
       }
     },
     "node_modules/csstype": {
-      "version": "3.1.3",
-      "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.3.tgz",
-      "integrity": "sha512-M1uQkMl8rQK/szD0LNhtqxIPLpimGm8sOBwU7lLnCpSbTyY3yeU1Vc7l4KT5zT4s/yOxHH5O7tIuuLOCnLADRw==",
+      "version": "3.2.3",
+      "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.2.3.tgz",
+      "integrity": "sha512-z1HGKcYy2xA8AGQfwrn0PAy+PB7X/GSj3UVJW9qKyn43xWa+gl5nXmU4qqLMRzWVLFC8KusUX8T/0kCiOYpAIQ==",
       "license": "MIT"
     },
     "node_modules/debug": {
-      "version": "4.4.1",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.1.tgz",
-      "integrity": "sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ==",
+      "version": "4.4.3",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
+      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -2929,18 +4589,8 @@
       },
       "peerDependenciesMeta": {
         "supports-color": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/deep-eql": {
-      "version": "5.0.2",
-      "resolved": "https://registry.npmjs.org/deep-eql/-/deep-eql-5.0.2.tgz",
-      "integrity": "sha512-h5k/5U50IJJFpzfL6nO9jaaumfjO/f2NjK/oYB2Djzm4p9L+3T9qWpZqZ2hAbLPuuYq9wrU08WQyBTL5GbPk5Q==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=6"
+          "optional": true
+        }
       }
     },
     "node_modules/deep-is": {
@@ -2960,25 +4610,15 @@
       }
     },
     "node_modules/detect-libc": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.0.4.tgz",
-      "integrity": "sha512-3UDv+G9CsCKO1WKMGw9fwq/SWJYbI0c5Y7LU1AXYoDdbhE2AHQ6N6Nb34sG8Fj7T5APy8qXDCKuuIHd1BR0tVA==",
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
+      "integrity": "sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==",
       "dev": true,
       "license": "Apache-2.0",
       "engines": {
         "node": ">=8"
       }
     },
-    "node_modules/diff": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.2.tgz",
-      "integrity": "sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==",
-      "dev": true,
-      "license": "BSD-3-Clause",
-      "engines": {
-        "node": ">=0.3.1"
-      }
-    },
     "node_modules/dunder-proto": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
@@ -2993,38 +4633,24 @@
         "node": ">= 0.4"
       }
     },
-    "node_modules/eastasianwidth": {
-      "version": "0.2.0",
-      "resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz",
-      "integrity": "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==",
-      "dev": true,
-      "license": "MIT"
-    },
-    "node_modules/emoji-regex": {
-      "version": "9.2.2",
-      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-9.2.2.tgz",
-      "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/enhanced-resolve": {
-      "version": "5.18.3",
-      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.18.3.tgz",
-      "integrity": "sha512-d4lC8xfavMeBjzGr2vECC3fsGXziXZQyJxD868h2M/mBI3PwAuODxAkLkq5HYuvrPYcUtiLzsTo8U3PgX3Ocww==",
+      "version": "5.20.1",
+      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.20.1.tgz",
+      "integrity": "sha512-Qohcme7V1inbAfvjItgw0EaxVX5q2rdVEZHRBrEQdRZTssLDGsL8Lwrznl8oQ/6kuTJONLaDcGjkNP247XEhcA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "graceful-fs": "^4.2.4",
-        "tapable": "^2.2.0"
+        "tapable": "^2.3.0"
       },
       "engines": {
         "node": ">=10.13.0"
       }
     },
     "node_modules/entities": {
-      "version": "4.5.0",
-      "resolved": "https://registry.npmjs.org/entities/-/entities-4.5.0.tgz",
-      "integrity": "sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==",
+      "version": "7.0.1",
+      "resolved": "https://registry.npmjs.org/entities/-/entities-7.0.1.tgz",
+      "integrity": "sha512-TWrgLOFUQTH994YUyl1yT4uyavY5nNB5muff+RtWaqNVCAK408b5ZnnbNAUEWLTCpum9w6arT70i1XdQ4UeOPA==",
       "license": "BSD-2-Clause",
       "engines": {
         "node": ">=0.12"
@@ -3052,9 +4678,9 @@
       }
     },
     "node_modules/es-module-lexer": {
-      "version": "1.7.0",
-      "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-1.7.0.tgz",
-      "integrity": "sha512-jEQoCwk8hyb2AZziIOLhDqpm5+2ww5uIE6lkO/6jcOCusfk6LhMHpXXfBLXTZ7Ydyt0j4VoUQv6uGNYbdW+kBA==",
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-2.0.0.tgz",
+      "integrity": "sha512-5POEcUuZybH7IdmGsD8wlf0AI55wMecM9rVBTI/qEAy2c1kTOm3DjFYjrBdI2K3BaJjJYfYFeRtM0t9ssnRuxw==",
       "dev": true,
       "license": "MIT"
     },
@@ -3086,9 +4712,9 @@
       }
     },
     "node_modules/esbuild": {
-      "version": "0.25.8",
-      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.25.8.tgz",
-      "integrity": "sha512-vVC0USHGtMi8+R4Kz8rt6JhEWLxsv9Rnu/lGYbPR8u47B+DCBksq9JarW0zOO7bs37hyOK1l2/oqtbciutL5+Q==",
+      "version": "0.25.12",
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.25.12.tgz",
+      "integrity": "sha512-bbPBYYrtZbkt6Os6FiTLCTFxvq4tt3JKall1vRwshA3fdVztsLAatFaZobhkBC8/BrPetoa0oksYoKXoG4ryJg==",
       "dev": true,
       "hasInstallScript": true,
       "license": "MIT",
@@ -3099,32 +4725,32 @@
         "node": ">=18"
       },
       "optionalDependencies": {
-        "@esbuild/aix-ppc64": "0.25.8",
-        "@esbuild/android-arm": "0.25.8",
-        "@esbuild/android-arm64": "0.25.8",
-        "@esbuild/android-x64": "0.25.8",
-        "@esbuild/darwin-arm64": "0.25.8",
-        "@esbuild/darwin-x64": "0.25.8",
-        "@esbuild/freebsd-arm64": "0.25.8",
-        "@esbuild/freebsd-x64": "0.25.8",
-        "@esbuild/linux-arm": "0.25.8",
-        "@esbuild/linux-arm64": "0.25.8",
-        "@esbuild/linux-ia32": "0.25.8",
-        "@esbuild/linux-loong64": "0.25.8",
-        "@esbuild/linux-mips64el": "0.25.8",
-        "@esbuild/linux-ppc64": "0.25.8",
-        "@esbuild/linux-riscv64": "0.25.8",
-        "@esbuild/linux-s390x": "0.25.8",
-        "@esbuild/linux-x64": "0.25.8",
-        "@esbuild/netbsd-arm64": "0.25.8",
-        "@esbuild/netbsd-x64": "0.25.8",
-        "@esbuild/openbsd-arm64": "0.25.8",
-        "@esbuild/openbsd-x64": "0.25.8",
-        "@esbuild/openharmony-arm64": "0.25.8",
-        "@esbuild/sunos-x64": "0.25.8",
-        "@esbuild/win32-arm64": "0.25.8",
-        "@esbuild/win32-ia32": "0.25.8",
-        "@esbuild/win32-x64": "0.25.8"
+        "@esbuild/aix-ppc64": "0.25.12",
+        "@esbuild/android-arm": "0.25.12",
+        "@esbuild/android-arm64": "0.25.12",
+        "@esbuild/android-x64": "0.25.12",
+        "@esbuild/darwin-arm64": "0.25.12",
+        "@esbuild/darwin-x64": "0.25.12",
+        "@esbuild/freebsd-arm64": "0.25.12",
+        "@esbuild/freebsd-x64": "0.25.12",
+        "@esbuild/linux-arm": "0.25.12",
+        "@esbuild/linux-arm64": "0.25.12",
+        "@esbuild/linux-ia32": "0.25.12",
+        "@esbuild/linux-loong64": "0.25.12",
+        "@esbuild/linux-mips64el": "0.25.12",
+        "@esbuild/linux-ppc64": "0.25.12",
+        "@esbuild/linux-riscv64": "0.25.12",
+        "@esbuild/linux-s390x": "0.25.12",
+        "@esbuild/linux-x64": "0.25.12",
+        "@esbuild/netbsd-arm64": "0.25.12",
+        "@esbuild/netbsd-x64": "0.25.12",
+        "@esbuild/openbsd-arm64": "0.25.12",
+        "@esbuild/openbsd-x64": "0.25.12",
+        "@esbuild/openharmony-arm64": "0.25.12",
+        "@esbuild/sunos-x64": "0.25.12",
+        "@esbuild/win32-arm64": "0.25.12",
+        "@esbuild/win32-ia32": "0.25.12",
+        "@esbuild/win32-x64": "0.25.12"
       }
     },
     "node_modules/escape-string-regexp": {
@@ -3163,35 +4789,30 @@
       }
     },
     "node_modules/eslint": {
-      "version": "9.37.0",
-      "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.37.0.tgz",
-      "integrity": "sha512-XyLmROnACWqSxiGYArdef1fItQd47weqB7iwtfr9JHwRrqIXZdcFMvvEcL9xHCmL0SNsOvF0c42lWyM1U5dgig==",
+      "version": "10.1.0",
+      "resolved": "https://registry.npmjs.org/eslint/-/eslint-10.1.0.tgz",
+      "integrity": "sha512-S9jlY/ELKEUwwQnqWDO+f+m6sercqOPSqXM5Go94l7DOmxHVDgmSFGWEzeE/gwgTAr0W103BWt0QLe/7mabIvA==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.8.0",
-        "@eslint-community/regexpp": "^4.12.1",
-        "@eslint/config-array": "^0.21.0",
-        "@eslint/config-helpers": "^0.4.0",
-        "@eslint/core": "^0.16.0",
-        "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "9.37.0",
-        "@eslint/plugin-kit": "^0.4.0",
+        "@eslint-community/regexpp": "^4.12.2",
+        "@eslint/config-array": "^0.23.3",
+        "@eslint/config-helpers": "^0.5.3",
+        "@eslint/core": "^1.1.1",
+        "@eslint/plugin-kit": "^0.6.1",
         "@humanfs/node": "^0.16.6",
         "@humanwhocodes/module-importer": "^1.0.1",
         "@humanwhocodes/retry": "^0.4.2",
         "@types/estree": "^1.0.6",
-        "@types/json-schema": "^7.0.15",
-        "ajv": "^6.12.4",
-        "chalk": "^4.0.0",
+        "ajv": "^6.14.0",
         "cross-spawn": "^7.0.6",
         "debug": "^4.3.2",
         "escape-string-regexp": "^4.0.0",
-        "eslint-scope": "^8.4.0",
-        "eslint-visitor-keys": "^4.2.1",
-        "espree": "^10.4.0",
-        "esquery": "^1.5.0",
+        "eslint-scope": "^9.1.2",
+        "eslint-visitor-keys": "^5.0.1",
+        "espree": "^11.2.0",
+        "esquery": "^1.7.0",
         "esutils": "^2.0.2",
         "fast-deep-equal": "^3.1.3",
         "file-entry-cache": "^8.0.0",
@@ -3201,8 +4822,7 @@
         "imurmurhash": "^0.1.4",
         "is-glob": "^4.0.0",
         "json-stable-stringify-without-jsonify": "^1.0.1",
-        "lodash.merge": "^4.6.2",
-        "minimatch": "^3.1.2",
+        "minimatch": "^10.2.4",
         "natural-compare": "^1.4.0",
         "optionator": "^0.9.3"
       },
@@ -3210,7 +4830,7 @@
         "eslint": "bin/eslint.js"
       },
       "engines": {
-        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+        "node": "^20.19.0 || ^22.13.0 || >=24"
       },
       "funding": {
         "url": "https://eslint.org/donate"
@@ -3225,16 +4845,16 @@
       }
     },
     "node_modules/eslint-plugin-vue": {
-      "version": "10.5.1",
-      "resolved": "https://registry.npmjs.org/eslint-plugin-vue/-/eslint-plugin-vue-10.5.1.tgz",
-      "integrity": "sha512-SbR9ZBUFKgvWAbq3RrdCtWaW0IKm6wwUiApxf3BVTNfqUIo4IQQmreMg2iHFJJ6C/0wss3LXURBJ1OwS/MhFcQ==",
+      "version": "10.8.0",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-vue/-/eslint-plugin-vue-10.8.0.tgz",
+      "integrity": "sha512-f1J/tcbnrpgC8suPN5AtdJ5MQjuXbSU9pGRSSYAuF3SHoiYCOdEX6O22pLaRyLHXvDcOe+O5ENgc1owQ587agA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.4.0",
         "natural-compare": "^1.4.0",
         "nth-check": "^2.1.1",
-        "postcss-selector-parser": "^6.0.15",
+        "postcss-selector-parser": "^7.1.0",
         "semver": "^7.6.3",
         "xml-name-validator": "^4.0.0"
       },
@@ -3244,7 +4864,7 @@
       "peerDependencies": {
         "@stylistic/eslint-plugin": "^2.0.0 || ^3.0.0 || ^4.0.0 || ^5.0.0",
         "@typescript-eslint/parser": "^7.0.0 || ^8.0.0",
-        "eslint": "^8.57.0 || ^9.0.0",
+        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
         "vue-eslint-parser": "^10.0.0"
       },
       "peerDependenciesMeta": {
@@ -3257,17 +4877,19 @@
       }
     },
     "node_modules/eslint-scope": {
-      "version": "8.4.0",
-      "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-8.4.0.tgz",
-      "integrity": "sha512-sNXOfKCn74rt8RICKMvJS7XKV/Xk9kA7DyJr8mJik3S7Cwgy3qlkkmyS2uQB3jiJg6VNdZd/pDBJu0nvG2NlTg==",
+      "version": "9.1.2",
+      "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-9.1.2.tgz",
+      "integrity": "sha512-xS90H51cKw0jltxmvmHy2Iai1LIqrfbw57b79w/J7MfvDfkIkFZ+kj6zC3BjtUwh150HsSSdxXZcsuv72miDFQ==",
       "dev": true,
       "license": "BSD-2-Clause",
       "dependencies": {
+        "@types/esrecurse": "^4.3.1",
+        "@types/estree": "^1.0.8",
         "esrecurse": "^4.3.0",
         "estraverse": "^5.2.0"
       },
       "engines": {
-        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+        "node": "^20.19.0 || ^22.13.0 || >=24"
       },
       "funding": {
         "url": "https://opencollective.com/eslint"
@@ -3286,69 +4908,45 @@
         "url": "https://opencollective.com/eslint"
       }
     },
-    "node_modules/eslint/node_modules/brace-expansion": {
-      "version": "1.1.12",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "balanced-match": "^1.0.0",
-        "concat-map": "0.0.1"
-      }
-    },
     "node_modules/eslint/node_modules/eslint-visitor-keys": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-4.2.1.tgz",
-      "integrity": "sha512-Uhdk5sfqcee/9H/rCOJikYz67o0a2Tw2hGRPOG2Y1R2dg7brRe1uG0yaNQDHu+TO/uQPF/5eCapvYSmHUjt7JQ==",
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-5.0.1.tgz",
+      "integrity": "sha512-tD40eHxA35h0PEIZNeIjkHoDR4YjjJp34biM0mDvplBe//mB+IHCqHDGV7pxF+7MklTvighcCPPZC7ynWyjdTA==",
       "dev": true,
       "license": "Apache-2.0",
       "engines": {
-        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+        "node": "^20.19.0 || ^22.13.0 || >=24"
       },
       "funding": {
         "url": "https://opencollective.com/eslint"
       }
     },
-    "node_modules/eslint/node_modules/minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
-      "dev": true,
-      "license": "ISC",
-      "dependencies": {
-        "brace-expansion": "^1.1.7"
-      },
-      "engines": {
-        "node": "*"
-      }
-    },
     "node_modules/espree": {
-      "version": "10.4.0",
-      "resolved": "https://registry.npmjs.org/espree/-/espree-10.4.0.tgz",
-      "integrity": "sha512-j6PAQ2uUr79PZhBjP5C5fhl8e39FmRnOjsD5lGnWrFU8i2G776tBK7+nP8KuQUTTyAZUwfQqXAgrVH5MbH9CYQ==",
+      "version": "11.2.0",
+      "resolved": "https://registry.npmjs.org/espree/-/espree-11.2.0.tgz",
+      "integrity": "sha512-7p3DrVEIopW1B1avAGLuCSh1jubc01H2JHc8B4qqGblmg5gI9yumBgACjWo4JlIc04ufug4xJ3SQI8HkS/Rgzw==",
       "dev": true,
       "license": "BSD-2-Clause",
       "dependencies": {
-        "acorn": "^8.15.0",
+        "acorn": "^8.16.0",
         "acorn-jsx": "^5.3.2",
-        "eslint-visitor-keys": "^4.2.1"
+        "eslint-visitor-keys": "^5.0.1"
       },
       "engines": {
-        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+        "node": "^20.19.0 || ^22.13.0 || >=24"
       },
       "funding": {
         "url": "https://opencollective.com/eslint"
       }
     },
     "node_modules/espree/node_modules/eslint-visitor-keys": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-4.2.1.tgz",
-      "integrity": "sha512-Uhdk5sfqcee/9H/rCOJikYz67o0a2Tw2hGRPOG2Y1R2dg7brRe1uG0yaNQDHu+TO/uQPF/5eCapvYSmHUjt7JQ==",
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-5.0.1.tgz",
+      "integrity": "sha512-tD40eHxA35h0PEIZNeIjkHoDR4YjjJp34biM0mDvplBe//mB+IHCqHDGV7pxF+7MklTvighcCPPZC7ynWyjdTA==",
       "dev": true,
       "license": "Apache-2.0",
       "engines": {
-        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+        "node": "^20.19.0 || ^22.13.0 || >=24"
       },
       "funding": {
         "url": "https://opencollective.com/eslint"
@@ -3369,9 +4967,9 @@
       }
     },
     "node_modules/esquery": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/esquery/-/esquery-1.6.0.tgz",
-      "integrity": "sha512-ca9pw9fomFcKPvFLXhBKUK90ZvGibiGOvRJNbjljY7s7uq/5YO4BOzcYtJqExdx99rF6aAcnRxHmcUHcz6sQsg==",
+      "version": "1.7.0",
+      "resolved": "https://registry.npmjs.org/esquery/-/esquery-1.7.0.tgz",
+      "integrity": "sha512-Ap6G0WQwcU/LHsvLwON1fAQX9Zp0A2Y6Y/cJBl9r/JbW90Zyg4/zbG6zzKa2OTALELarYHmKu0GhpM5EO+7T0g==",
       "dev": true,
       "license": "BSD-3-Clause",
       "dependencies": {
@@ -3421,15 +5019,21 @@
       }
     },
     "node_modules/expect-type": {
-      "version": "1.2.2",
-      "resolved": "https://registry.npmjs.org/expect-type/-/expect-type-1.2.2.tgz",
-      "integrity": "sha512-JhFGDVJ7tmDJItKhYgJCGLOWjuK9vPxiXoUFLwLDc99NlmklilbiQJwoctZtt13+xMw91MCk/REan6MWHqDjyA==",
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/expect-type/-/expect-type-1.3.0.tgz",
+      "integrity": "sha512-knvyeauYhqjOYvQ66MznSMs83wmHrCycNEN6Ao+2AeYEfxUIkuiVxdEa1qlGEPK+We3n0THiDciYSsCcgW/DoA==",
       "dev": true,
       "license": "Apache-2.0",
       "engines": {
         "node": ">=12.0.0"
       }
     },
+    "node_modules/exsolve": {
+      "version": "1.0.8",
+      "resolved": "https://registry.npmjs.org/exsolve/-/exsolve-1.0.8.tgz",
+      "integrity": "sha512-LmDxfWXwcTArk8fUEnOfSZpHOJ6zOMUJKOtFLFqJLoKJetuQG874Uc7/Kki7zFLzYybmZhp1M7+98pfMqeX8yA==",
+      "license": "MIT"
+    },
     "node_modules/fast-deep-equal": {
       "version": "3.1.3",
       "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz",
@@ -3481,10 +5085,28 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/fast-xml-parser": {
+      "version": "5.2.5",
+      "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.2.5.tgz",
+      "integrity": "sha512-pfX9uG9Ki0yekDHx2SiuRIyFdyAr1kMIMitPvb0YBo8SUfKvia7w7FIyd/l6av85pFYRhZscS75MwMnbvY+hcQ==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/NaturalIntelligence"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "strnum": "^2.1.0"
+      },
+      "bin": {
+        "fxparser": "src/cli/cli.js"
+      }
+    },
     "node_modules/fastq": {
-      "version": "1.19.1",
-      "resolved": "https://registry.npmjs.org/fastq/-/fastq-1.19.1.tgz",
-      "integrity": "sha512-GwLTyxkCXjXbxqIhTsMI2Nui8huMPtnxg7krajPJAjnEG/iiOS7i+zCtWGZR9G0NBKbXKh6X9m9UIsYX/N6vvQ==",
+      "version": "1.20.1",
+      "resolved": "https://registry.npmjs.org/fastq/-/fastq-1.20.1.tgz",
+      "integrity": "sha512-GGToxJ/w1x32s/D2EKND7kTil4n8OVk/9mycTc4VDza13lOvpUZTGX3mFSCtV9ksdGBVzvsyAVLM6mHFThxXxw==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
@@ -3495,7 +5117,6 @@
       "version": "6.5.0",
       "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.5.0.tgz",
       "integrity": "sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==",
-      "dev": true,
       "license": "MIT",
       "engines": {
         "node": ">=12.0.0"
@@ -3573,16 +5194,16 @@
       }
     },
     "node_modules/flatted": {
-      "version": "3.3.3",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.3.tgz",
-      "integrity": "sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==",
+      "version": "3.4.2",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
       "dev": true,
       "license": "ISC"
     },
     "node_modules/follow-redirects": {
-      "version": "1.15.9",
-      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.9.tgz",
-      "integrity": "sha512-gew4GsXizNgdoRyqmyfMHyAmXsZDk6mHkSxZFCzW9gwlbtOW44CDtYavM+y+72qD/Vq2l550kMF52DT8fOLJqQ==",
+      "version": "1.15.11",
+      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz",
+      "integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==",
       "funding": [
         {
           "type": "individual",
@@ -3599,27 +5220,10 @@
         }
       }
     },
-    "node_modules/foreground-child": {
-      "version": "3.3.1",
-      "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.3.1.tgz",
-      "integrity": "sha512-gIXjKqtFuWEgzFRJA9WCQeSJLZDjgJUOMCMzxtvFq/37KojM1BFGufqsCy0r4qSQmYLsZYMeyRqzIWOMup03sw==",
-      "dev": true,
-      "license": "ISC",
-      "dependencies": {
-        "cross-spawn": "^7.0.6",
-        "signal-exit": "^4.0.1"
-      },
-      "engines": {
-        "node": ">=14"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
     "node_modules/form-data": {
-      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz",
-      "integrity": "sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==",
+      "version": "4.0.5",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz",
+      "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==",
       "license": "MIT",
       "dependencies": {
         "asynckit": "^0.4.0",
@@ -3693,27 +5297,6 @@
         "node": ">= 0.4"
       }
     },
-    "node_modules/glob": {
-      "version": "10.4.5",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz",
-      "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==",
-      "dev": true,
-      "license": "ISC",
-      "dependencies": {
-        "foreground-child": "^3.1.0",
-        "jackspeak": "^3.1.2",
-        "minimatch": "^9.0.4",
-        "minipass": "^7.1.2",
-        "package-json-from-dist": "^1.0.0",
-        "path-scurry": "^1.11.1"
-      },
-      "bin": {
-        "glob": "dist/esm/bin.mjs"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
     "node_modules/glob-parent": {
       "version": "6.0.2",
       "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-6.0.2.tgz",
@@ -3727,19 +5310,6 @@
         "node": ">=10.13.0"
       }
     },
-    "node_modules/globals": {
-      "version": "14.0.0",
-      "resolved": "https://registry.npmjs.org/globals/-/globals-14.0.0.tgz",
-      "integrity": "sha512-oahGvuMGQlPw/ivIYBjVSrWAfWLBeku5tpPE2fOPLi+WHffIWbuh2tCjhyQhTBPMf5E9jDEH4FOmTYgYwbKwtQ==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=18"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
     "node_modules/gopd": {
       "version": "1.2.0",
       "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
@@ -3759,38 +5329,24 @@
       "dev": true,
       "license": "ISC"
     },
-    "node_modules/graphemer": {
-      "version": "1.4.0",
-      "resolved": "https://registry.npmjs.org/graphemer/-/graphemer-1.4.0.tgz",
-      "integrity": "sha512-EtKwoO6kxCL9WO5xipiHTZlSzBm7WLT627TqC/uVRd0HKmq8NXyebnNYxDoBi7wt8eTWrUrKXCOVaFq9x1kgag==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/happy-dom": {
-      "version": "20.0.4",
-      "resolved": "https://registry.npmjs.org/happy-dom/-/happy-dom-20.0.4.tgz",
-      "integrity": "sha512-WxFtvnij6G64/MtMimnZhF0nKx3LUQKc20zjATD6tKiqOykUwQkd+2FW/DZBAFNjk4oWh0xdv/HBleGJmSY/Iw==",
+      "version": "20.8.9",
+      "resolved": "https://registry.npmjs.org/happy-dom/-/happy-dom-20.8.9.tgz",
+      "integrity": "sha512-Tz23LR9T9jOGVZm2x1EPdXqwA37G/owYMxRwU0E4miurAtFsPMQ1d2Jc2okUaSjZqAFz2oEn3FLXC5a0a+siyA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@types/node": "^20.0.0",
+        "@types/node": ">=20.0.0",
         "@types/whatwg-mimetype": "^3.0.2",
-        "whatwg-mimetype": "^3.0.0"
+        "@types/ws": "^8.18.1",
+        "entities": "^7.0.1",
+        "whatwg-mimetype": "^3.0.0",
+        "ws": "^8.18.3"
       },
       "engines": {
         "node": ">=20.0.0"
       }
     },
-    "node_modules/happy-dom/node_modules/@types/node": {
-      "version": "20.19.9",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.9.tgz",
-      "integrity": "sha512-cuVNgarYWZqxRJDQHEB58GEONhOK79QVR/qYx4S7kcUObQvUwvFnYxJuuHUKm2aieN9X3yZB4LZsuYNU1Qphsw==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "undici-types": "~6.21.0"
-      }
-    },
     "node_modules/has-flag": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz",
@@ -3840,6 +5396,12 @@
         "node": ">= 0.4"
       }
     },
+    "node_modules/hookable": {
+      "version": "5.5.3",
+      "resolved": "https://registry.npmjs.org/hookable/-/hookable-5.5.3.tgz",
+      "integrity": "sha512-Yc+BQe8SvoXH1643Qez1zqLRmbA5rCL+sSmk6TVos0LWVfNIB7PGncdlId77WzLGSIB5KaWgTaNTs2lNVEI6VQ==",
+      "license": "MIT"
+    },
     "node_modules/html-escaper": {
       "version": "2.0.2",
       "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-2.0.2.tgz",
@@ -3863,23 +5425,6 @@
       "integrity": "sha512-XXOFtyqDjNDAQxVfYxuF7g9Il/IbWmmlQg2MYKOH8ExIT1qg6xc4zyS3HaEEATgs1btfzxq15ciUiY7gjSXRGQ==",
       "license": "MIT"
     },
-    "node_modules/import-fresh": {
-      "version": "3.3.1",
-      "resolved": "https://registry.npmjs.org/import-fresh/-/import-fresh-3.3.1.tgz",
-      "integrity": "sha512-TR3KfrTZTYLPB6jUjfx6MF9WcWrHL9su5TObK4ZkYgBdWKPOFoSoQIdEuTuR82pmtxH2spWG9h6etwfr1pLBqQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "parent-module": "^1.0.0",
-        "resolve-from": "^4.0.0"
-      },
-      "engines": {
-        "node": ">=6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
     "node_modules/imurmurhash": {
       "version": "0.1.4",
       "resolved": "https://registry.npmjs.org/imurmurhash/-/imurmurhash-0.1.4.tgz",
@@ -3906,16 +5451,6 @@
         "node": ">=0.10.0"
       }
     },
-    "node_modules/is-fullwidth-code-point": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz",
-      "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=8"
-      }
-    },
     "node_modules/is-glob": {
       "version": "4.0.3",
       "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz",
@@ -3977,25 +5512,10 @@
         "node": ">=10"
       }
     },
-    "node_modules/istanbul-lib-source-maps": {
-      "version": "5.0.6",
-      "resolved": "https://registry.npmjs.org/istanbul-lib-source-maps/-/istanbul-lib-source-maps-5.0.6.tgz",
-      "integrity": "sha512-yg2d+Em4KizZC5niWhQaIomgf5WlL4vOOjZ5xGCmF8SnPE/mDWWXgvRExdcpCgh9lLRRa1/fSYp2ymmbJ1pI+A==",
-      "dev": true,
-      "license": "BSD-3-Clause",
-      "dependencies": {
-        "@jridgewell/trace-mapping": "^0.3.23",
-        "debug": "^4.1.1",
-        "istanbul-lib-coverage": "^3.0.0"
-      },
-      "engines": {
-        "node": ">=10"
-      }
-    },
     "node_modules/istanbul-reports": {
-      "version": "3.1.7",
-      "resolved": "https://registry.npmjs.org/istanbul-reports/-/istanbul-reports-3.1.7.tgz",
-      "integrity": "sha512-BewmUXImeuRk2YY0PVbxgKAysvhRPUQE0h5QRM++nVWyubKGV0l8qQ5op8+B2DOmwSe63Jivj0BjkPQVf8fP5g==",
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/istanbul-reports/-/istanbul-reports-3.2.0.tgz",
+      "integrity": "sha512-HGYWWS/ehqTV3xN10i23tkPkpH46MLCIMFNCaaKNavAXTF1RkqxawEPtnjnGZ6XKSInBKkiOA5BKS+aZiY3AvA==",
       "dev": true,
       "license": "BSD-3-Clause",
       "dependencies": {
@@ -4006,22 +5526,6 @@
         "node": ">=8"
       }
     },
-    "node_modules/jackspeak": {
-      "version": "3.4.3",
-      "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz",
-      "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==",
-      "dev": true,
-      "license": "BlueOak-1.0.0",
-      "dependencies": {
-        "@isaacs/cliui": "^8.0.2"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      },
-      "optionalDependencies": {
-        "@pkgjs/parseargs": "^0.11.0"
-      }
-    },
     "node_modules/jdenticon": {
       "version": "3.3.0",
       "resolved": "https://registry.npmjs.org/jdenticon/-/jdenticon-3.3.0.tgz",
@@ -4048,23 +5552,22 @@
       }
     },
     "node_modules/js-tokens": {
-      "version": "9.0.1",
-      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-9.0.1.tgz",
-      "integrity": "sha512-mxa9E9ITFOt0ban3j6L5MpjwegGz6lBQmM1IJkWeBZGcMxto50+eWdjC/52xDbS2vy0k7vIMK0Fe2wfL9OQSpQ==",
+      "version": "10.0.0",
+      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-10.0.0.tgz",
+      "integrity": "sha512-lM/UBzQmfJRo9ABXbPWemivdCW8V2G8FHaHdypQaIy523snUjog0W71ayWXTjiR+ixeMyVHN2XcpnTd/liPg/Q==",
       "dev": true,
       "license": "MIT"
     },
-    "node_modules/js-yaml": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
-      "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
-      "dev": true,
+    "node_modules/jsesc": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-3.1.0.tgz",
+      "integrity": "sha512-/sM3dO2FOzXjKQhJuo0Q173wf2KOo8t4I8vHy6lF9poUp7bKT0/NHE8fPX23PwfhnykfqnC2xRxOnVw5XuGIaA==",
       "license": "MIT",
-      "dependencies": {
-        "argparse": "^2.0.1"
-      },
       "bin": {
-        "js-yaml": "bin/js-yaml.js"
+        "jsesc": "bin/jsesc"
+      },
+      "engines": {
+        "node": ">=6"
       }
     },
     "node_modules/json-buffer": {
@@ -4088,10 +5591,22 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/json5": {
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.3.tgz",
+      "integrity": "sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==",
+      "license": "MIT",
+      "bin": {
+        "json5": "lib/cli.js"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
     "node_modules/jsonc-eslint-parser": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/jsonc-eslint-parser/-/jsonc-eslint-parser-2.4.1.tgz",
-      "integrity": "sha512-uuPNLJkKN8NXAlZlQ6kmUF9qO+T6Kyd7oV4+/7yy8Jz6+MZNyhPq8EdLpdfnPVzUC8qSf1b4j1azKaGnFsjmsw==",
+      "version": "2.4.2",
+      "resolved": "https://registry.npmjs.org/jsonc-eslint-parser/-/jsonc-eslint-parser-2.4.2.tgz",
+      "integrity": "sha512-1e4qoRgnn448pRuMvKGsFFymUCquZV0mpGgOyIKNgD3JVDTsVJyRBGH/Fm0tBb8WsWGgmB1mDe6/yJMQM37DUA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -4138,9 +5653,9 @@
       }
     },
     "node_modules/keycloak-js": {
-      "version": "26.2.1",
-      "resolved": "https://registry.npmjs.org/keycloak-js/-/keycloak-js-26.2.1.tgz",
-      "integrity": "sha512-bZt6fQj/TLBAmivXSxSlqAJxBx/knNZDQGJIW4ensGYGN4N6tUKV8Zj3Y7/LOV8eIpvWsvqV70fbACihK8Ze0Q==",
+      "version": "26.2.3",
+      "resolved": "https://registry.npmjs.org/keycloak-js/-/keycloak-js-26.2.3.tgz",
+      "integrity": "sha512-widjzw/9T6bHRgEp6H/Se3NCCarU7u5CwFKBcwtu7xfA1IfdZb+7Q7/KGusAnBo34Vtls8Oz9vzSqkQvQ7+b4Q==",
       "license": "Apache-2.0",
       "workspaces": [
         "test"
@@ -4180,9 +5695,9 @@
       }
     },
     "node_modules/lightningcss": {
-      "version": "1.30.1",
-      "resolved": "https://registry.npmjs.org/lightningcss/-/lightningcss-1.30.1.tgz",
-      "integrity": "sha512-xi6IyHML+c9+Q3W0S4fCQJOym42pyurFiJUHEcEyHS0CeKzia4yZDEsLlqOFykxOdHpNy0NmvVO31vcSqAxJCg==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss/-/lightningcss-1.32.0.tgz",
+      "integrity": "sha512-NXYBzinNrblfraPGyrbPoD19C1h9lfI/1mzgWYvXUTe414Gz/X1FD2XBZSZM7rRTrMA8JL3OtAaGifrIKhQ5yQ==",
       "dev": true,
       "license": "MPL-2.0",
       "dependencies": {
@@ -4196,22 +5711,44 @@
         "url": "https://opencollective.com/parcel"
       },
       "optionalDependencies": {
-        "lightningcss-darwin-arm64": "1.30.1",
-        "lightningcss-darwin-x64": "1.30.1",
-        "lightningcss-freebsd-x64": "1.30.1",
-        "lightningcss-linux-arm-gnueabihf": "1.30.1",
-        "lightningcss-linux-arm64-gnu": "1.30.1",
-        "lightningcss-linux-arm64-musl": "1.30.1",
-        "lightningcss-linux-x64-gnu": "1.30.1",
-        "lightningcss-linux-x64-musl": "1.30.1",
-        "lightningcss-win32-arm64-msvc": "1.30.1",
-        "lightningcss-win32-x64-msvc": "1.30.1"
+        "lightningcss-android-arm64": "1.32.0",
+        "lightningcss-darwin-arm64": "1.32.0",
+        "lightningcss-darwin-x64": "1.32.0",
+        "lightningcss-freebsd-x64": "1.32.0",
+        "lightningcss-linux-arm-gnueabihf": "1.32.0",
+        "lightningcss-linux-arm64-gnu": "1.32.0",
+        "lightningcss-linux-arm64-musl": "1.32.0",
+        "lightningcss-linux-x64-gnu": "1.32.0",
+        "lightningcss-linux-x64-musl": "1.32.0",
+        "lightningcss-win32-arm64-msvc": "1.32.0",
+        "lightningcss-win32-x64-msvc": "1.32.0"
+      }
+    },
+    "node_modules/lightningcss-android-arm64": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-android-arm64/-/lightningcss-android-arm64-1.32.0.tgz",
+      "integrity": "sha512-YK7/ClTt4kAK0vo6w3X+Pnm0D2cf2vPHbhOXdoNti1Ga0al1P4TBZhwjATvjNwLEBCnKvjJc2jQgHXH0NEwlAg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
       }
     },
     "node_modules/lightningcss-darwin-arm64": {
-      "version": "1.30.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-darwin-arm64/-/lightningcss-darwin-arm64-1.30.1.tgz",
-      "integrity": "sha512-c8JK7hyE65X1MHMN+Viq9n11RRC7hgin3HhYKhrMyaXflk5GVplZ60IxyoVtzILeKr+xAJwg6zK6sjTBJ0FKYQ==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-darwin-arm64/-/lightningcss-darwin-arm64-1.32.0.tgz",
+      "integrity": "sha512-RzeG9Ju5bag2Bv1/lwlVJvBE3q6TtXskdZLLCyfg5pt+HLz9BqlICO7LZM7VHNTTn/5PRhHFBSjk5lc4cmscPQ==",
       "cpu": [
         "arm64"
       ],
@@ -4230,9 +5767,9 @@
       }
     },
     "node_modules/lightningcss-darwin-x64": {
-      "version": "1.30.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-darwin-x64/-/lightningcss-darwin-x64-1.30.1.tgz",
-      "integrity": "sha512-k1EvjakfumAQoTfcXUcHQZhSpLlkAuEkdMBsI/ivWw9hL+7FtilQc0Cy3hrx0AAQrVtQAbMI7YjCgYgvn37PzA==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-darwin-x64/-/lightningcss-darwin-x64-1.32.0.tgz",
+      "integrity": "sha512-U+QsBp2m/s2wqpUYT/6wnlagdZbtZdndSmut/NJqlCcMLTWp5muCrID+K5UJ6jqD2BFshejCYXniPDbNh73V8w==",
       "cpu": [
         "x64"
       ],
@@ -4251,9 +5788,9 @@
       }
     },
     "node_modules/lightningcss-freebsd-x64": {
-      "version": "1.30.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-freebsd-x64/-/lightningcss-freebsd-x64-1.30.1.tgz",
-      "integrity": "sha512-kmW6UGCGg2PcyUE59K5r0kWfKPAVy4SltVeut+umLCFoJ53RdCUWxcRDzO1eTaxf/7Q2H7LTquFHPL5R+Gjyig==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-freebsd-x64/-/lightningcss-freebsd-x64-1.32.0.tgz",
+      "integrity": "sha512-JCTigedEksZk3tHTTthnMdVfGf61Fky8Ji2E4YjUTEQX14xiy/lTzXnu1vwiZe3bYe0q+SpsSH/CTeDXK6WHig==",
       "cpu": [
         "x64"
       ],
@@ -4272,9 +5809,9 @@
       }
     },
     "node_modules/lightningcss-linux-arm-gnueabihf": {
-      "version": "1.30.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm-gnueabihf/-/lightningcss-linux-arm-gnueabihf-1.30.1.tgz",
-      "integrity": "sha512-MjxUShl1v8pit+6D/zSPq9S9dQ2NPFSQwGvxBCYaBYLPlCWuPh9/t1MRS8iUaR8i+a6w7aps+B4N0S1TYP/R+Q==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm-gnueabihf/-/lightningcss-linux-arm-gnueabihf-1.32.0.tgz",
+      "integrity": "sha512-x6rnnpRa2GL0zQOkt6rts3YDPzduLpWvwAF6EMhXFVZXD4tPrBkEFqzGowzCsIWsPjqSK+tyNEODUBXeeVHSkw==",
       "cpu": [
         "arm"
       ],
@@ -4293,13 +5830,16 @@
       }
     },
     "node_modules/lightningcss-linux-arm64-gnu": {
-      "version": "1.30.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-gnu/-/lightningcss-linux-arm64-gnu-1.30.1.tgz",
-      "integrity": "sha512-gB72maP8rmrKsnKYy8XUuXi/4OctJiuQjcuqWNlJQ6jZiWqtPvqFziskH3hnajfvKB27ynbVCucKSm2rkQp4Bw==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-gnu/-/lightningcss-linux-arm64-gnu-1.32.0.tgz",
+      "integrity": "sha512-0nnMyoyOLRJXfbMOilaSRcLH3Jw5z9HDNGfT/gwCPgaDjnx0i8w7vBzFLFR1f6CMLKF8gVbebmkUN3fa/kQJpQ==",
       "cpu": [
         "arm64"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "MPL-2.0",
       "optional": true,
       "os": [
@@ -4314,13 +5854,16 @@
       }
     },
     "node_modules/lightningcss-linux-arm64-musl": {
-      "version": "1.30.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-musl/-/lightningcss-linux-arm64-musl-1.30.1.tgz",
-      "integrity": "sha512-jmUQVx4331m6LIX+0wUhBbmMX7TCfjF5FoOH6SD1CttzuYlGNVpA7QnrmLxrsub43ClTINfGSYyHe2HWeLl5CQ==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-musl/-/lightningcss-linux-arm64-musl-1.32.0.tgz",
+      "integrity": "sha512-UpQkoenr4UJEzgVIYpI80lDFvRmPVg6oqboNHfoH4CQIfNA+HOrZ7Mo7KZP02dC6LjghPQJeBsvXhJod/wnIBg==",
       "cpu": [
         "arm64"
       ],
       "dev": true,
+      "libc": [
+        "musl"
+      ],
       "license": "MPL-2.0",
       "optional": true,
       "os": [
@@ -4335,13 +5878,16 @@
       }
     },
     "node_modules/lightningcss-linux-x64-gnu": {
-      "version": "1.30.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-gnu/-/lightningcss-linux-x64-gnu-1.30.1.tgz",
-      "integrity": "sha512-piWx3z4wN8J8z3+O5kO74+yr6ze/dKmPnI7vLqfSqI8bccaTGY5xiSGVIJBDd5K5BHlvVLpUB3S2YCfelyJ1bw==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-gnu/-/lightningcss-linux-x64-gnu-1.32.0.tgz",
+      "integrity": "sha512-V7Qr52IhZmdKPVr+Vtw8o+WLsQJYCTd8loIfpDaMRWGUZfBOYEJeyJIkqGIDMZPwPx24pUMfwSxxI8phr/MbOA==",
       "cpu": [
         "x64"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "MPL-2.0",
       "optional": true,
       "os": [
@@ -4356,13 +5902,16 @@
       }
     },
     "node_modules/lightningcss-linux-x64-musl": {
-      "version": "1.30.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-musl/-/lightningcss-linux-x64-musl-1.30.1.tgz",
-      "integrity": "sha512-rRomAK7eIkL+tHY0YPxbc5Dra2gXlI63HL+v1Pdi1a3sC+tJTcFrHX+E86sulgAXeI7rSzDYhPSeHHjqFhqfeQ==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-musl/-/lightningcss-linux-x64-musl-1.32.0.tgz",
+      "integrity": "sha512-bYcLp+Vb0awsiXg/80uCRezCYHNg1/l3mt0gzHnWV9XP1W5sKa5/TCdGWaR/zBM2PeF/HbsQv/j2URNOiVuxWg==",
       "cpu": [
         "x64"
       ],
       "dev": true,
+      "libc": [
+        "musl"
+      ],
       "license": "MPL-2.0",
       "optional": true,
       "os": [
@@ -4377,9 +5926,9 @@
       }
     },
     "node_modules/lightningcss-win32-arm64-msvc": {
-      "version": "1.30.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-win32-arm64-msvc/-/lightningcss-win32-arm64-msvc-1.30.1.tgz",
-      "integrity": "sha512-mSL4rqPi4iXq5YVqzSsJgMVFENoa4nGTT/GjO2c0Yl9OuQfPsIfncvLrEW6RbbB24WtZ3xP/2CCmI3tNkNV4oA==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-win32-arm64-msvc/-/lightningcss-win32-arm64-msvc-1.32.0.tgz",
+      "integrity": "sha512-8SbC8BR40pS6baCM8sbtYDSwEVQd4JlFTOlaD3gWGHfThTcABnNDBda6eTZeqbofalIJhFx0qKzgHJmcPTnGdw==",
       "cpu": [
         "arm64"
       ],
@@ -4398,9 +5947,9 @@
       }
     },
     "node_modules/lightningcss-win32-x64-msvc": {
-      "version": "1.30.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-win32-x64-msvc/-/lightningcss-win32-x64-msvc-1.30.1.tgz",
-      "integrity": "sha512-PVqXh48wh4T53F/1CCu8PIPCxLzWyCnn/9T5W1Jpmdy5h9Cwd+0YQS6/LwhHXSafuc61/xg9Lv5OrCby6a++jg==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-win32-x64-msvc/-/lightningcss-win32-x64-msvc-1.32.0.tgz",
+      "integrity": "sha512-Amq9B/SoZYdDi1kFrojnoqPLxYhQ4Wo5XiL8EVJrVsB8ARoC1PWW6VGtT0WKCemjy8aC+louJnjS7U18x3b06Q==",
       "cpu": [
         "x64"
       ],
@@ -4418,6 +5967,23 @@
         "url": "https://opencollective.com/parcel"
       }
     },
+    "node_modules/local-pkg": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/local-pkg/-/local-pkg-1.1.2.tgz",
+      "integrity": "sha512-arhlxbFRmoQHl33a0Zkle/YWlmNwoyt6QNZEIJcqNbdrsix5Lvc4HyyI3EnwxTYlZYc32EbYrQ8SzEZ7dqgg9A==",
+      "license": "MIT",
+      "dependencies": {
+        "mlly": "^1.7.4",
+        "pkg-types": "^2.3.0",
+        "quansync": "^0.2.11"
+      },
+      "engines": {
+        "node": ">=14"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/antfu"
+      }
+    },
     "node_modules/locate-path": {
       "version": "6.0.0",
       "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-6.0.0.tgz",
@@ -4434,46 +6000,40 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
-    "node_modules/lodash.merge": {
-      "version": "4.6.2",
-      "resolved": "https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.2.tgz",
-      "integrity": "sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==",
-      "dev": true,
-      "license": "MIT"
-    },
-    "node_modules/loupe": {
-      "version": "3.2.0",
-      "resolved": "https://registry.npmjs.org/loupe/-/loupe-3.2.0.tgz",
-      "integrity": "sha512-2NCfZcT5VGVNX9mSZIxLRkEAegDGBpuQZBy13desuHeVORmBDyAET4TkJr4SjqQy3A8JDofMN6LpkK8Xcm/dlw==",
-      "dev": true,
-      "license": "MIT"
-    },
-    "node_modules/lru-cache": {
-      "version": "10.4.3",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz",
-      "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==",
-      "dev": true,
-      "license": "ISC"
-    },
     "node_modules/magic-string": {
-      "version": "0.30.19",
-      "resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.19.tgz",
-      "integrity": "sha512-2N21sPY9Ws53PZvsEpVtNuSW+ScYbQdp4b9qUaL+9QkHUrGFKo56Lg9Emg5s9V/qrtNBmiR01sYhUOwu3H+VOw==",
+      "version": "0.30.21",
+      "resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.21.tgz",
+      "integrity": "sha512-vd2F4YUyEXKGcLHoq+TEyCjxueSeHnFxyyjNp80yg0XV4vUhnDer/lvvlqM/arB5bXQN5K2/3oinyCRyx8T2CQ==",
       "license": "MIT",
       "dependencies": {
         "@jridgewell/sourcemap-codec": "^1.5.5"
       }
     },
+    "node_modules/magic-string-ast": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/magic-string-ast/-/magic-string-ast-1.0.3.tgz",
+      "integrity": "sha512-CvkkH1i81zl7mmb94DsRiFeG9V2fR2JeuK8yDgS8oiZSFa++wWLEgZ5ufEOyLHbvSbD1gTRKv9NdX69Rnvr9JA==",
+      "license": "MIT",
+      "dependencies": {
+        "magic-string": "^0.30.19"
+      },
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sxzz"
+      }
+    },
     "node_modules/magicast": {
-      "version": "0.3.5",
-      "resolved": "https://registry.npmjs.org/magicast/-/magicast-0.3.5.tgz",
-      "integrity": "sha512-L0WhttDl+2BOsybvEOLK7fW3UA0OQ0IQ2d6Zl2x/a6vVRs3bAY0ECOSHHeL5jD+SbOpOCUEi0y1DgHEn9Qn1AQ==",
+      "version": "0.5.2",
+      "resolved": "https://registry.npmjs.org/magicast/-/magicast-0.5.2.tgz",
+      "integrity": "sha512-E3ZJh4J3S9KfwdjZhe2afj6R9lGIN5Pher1pF39UGrXRqq/VDaGVIGN13BjHd2u8B61hArAGOnso7nBOouW3TQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@babel/parser": "^7.25.4",
-        "@babel/types": "^7.25.4",
-        "source-map-js": "^1.2.0"
+        "@babel/parser": "^7.29.0",
+        "@babel/types": "^7.29.0",
+        "source-map-js": "^1.2.1"
       }
     },
     "node_modules/make-dir": {
@@ -4533,9 +6093,9 @@
       }
     },
     "node_modules/micromatch/node_modules/picomatch": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -4577,50 +6137,50 @@
       }
     },
     "node_modules/minimatch": {
-      "version": "9.0.5",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
-      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
+      "version": "10.2.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.5.tgz",
+      "integrity": "sha512-MULkVLfKGYDFYejP07QOurDLLQpcjk7Fw+7jXS2R2czRQzR56yHRveU5NDJEOviH+hETZKSkIk5c+T23GjFUMg==",
       "dev": true,
-      "license": "ISC",
+      "license": "BlueOak-1.0.0",
       "dependencies": {
-        "brace-expansion": "^2.0.1"
+        "brace-expansion": "^5.0.5"
       },
       "engines": {
-        "node": ">=16 || 14 >=14.17"
+        "node": "18 || 20 || >=22"
       },
       "funding": {
         "url": "https://github.com/sponsors/isaacs"
       }
     },
-    "node_modules/minipass": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
-      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
-      "dev": true,
-      "license": "ISC",
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      }
-    },
-    "node_modules/minizlib": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/minizlib/-/minizlib-3.1.0.tgz",
-      "integrity": "sha512-KZxYo1BUkWD2TVFLr0MQoM8vUUigWD3LlD83a/75BqC+4qE0Hb1Vo5v1FgcfaNXvfXzr+5EhQ6ing/CaBijTlw==",
-      "dev": true,
+    "node_modules/mlly": {
+      "version": "1.8.2",
+      "resolved": "https://registry.npmjs.org/mlly/-/mlly-1.8.2.tgz",
+      "integrity": "sha512-d+ObxMQFmbt10sretNDytwt85VrbkhhUA/JBGm1MPaWJ65Cl4wOgLaB1NYvJSZ0Ef03MMEU/0xpPMXUIQ29UfA==",
       "license": "MIT",
       "dependencies": {
-        "minipass": "^7.1.2"
-      },
-      "engines": {
-        "node": ">= 18"
+        "acorn": "^8.16.0",
+        "pathe": "^2.0.3",
+        "pkg-types": "^1.3.1",
+        "ufo": "^1.6.3"
       }
     },
-    "node_modules/miscreant": {
-      "version": "0.3.2",
-      "resolved": "https://registry.npmjs.org/miscreant/-/miscreant-0.3.2.tgz",
-      "integrity": "sha512-fL9KxsQz9BJB2KGPMHFrReioywkiomBiuaLk6EuChijK0BsJsIKJXdVomR+/bPj5mvbFD6wM0CM3bZio9g7OHA==",
+    "node_modules/mlly/node_modules/confbox": {
+      "version": "0.1.8",
+      "resolved": "https://registry.npmjs.org/confbox/-/confbox-0.1.8.tgz",
+      "integrity": "sha512-RMtmw0iFkeR4YV+fUOSucriAQNb9g8zFR52MWCtl+cCZOFRNL6zeB395vPzFhEjjn4fMxXudmELnl/KF/WrK6w==",
       "license": "MIT"
     },
+    "node_modules/mlly/node_modules/pkg-types": {
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/pkg-types/-/pkg-types-1.3.1.tgz",
+      "integrity": "sha512-/Jm5M4RvtBFVkKWRu2BLUTNP8/M2a+UwuAX+ae4770q1qVGtfjG+WTCupoZixokjmHiry8uI+dlY8KXYV5HVVQ==",
+      "license": "MIT",
+      "dependencies": {
+        "confbox": "^0.1.8",
+        "mlly": "^1.7.4",
+        "pathe": "^2.0.1"
+      }
+    },
     "node_modules/ms": {
       "version": "2.1.3",
       "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
@@ -4632,7 +6192,6 @@
       "version": "0.4.1",
       "resolved": "https://registry.npmjs.org/muggle-string/-/muggle-string-0.4.1.tgz",
       "integrity": "sha512-VNTrAak/KhO2i8dqqnqnAHOa3cYBwXEZe9h+D5h/1ZqFSTEFHdM65lR7RoIqq3tBBYavsOXV84NoHXZ0AkPyqQ==",
-      "dev": true,
       "license": "MIT"
     },
     "node_modules/nanoid": {
@@ -4673,6 +6232,17 @@
         "url": "https://github.com/fb55/nth-check?sponsor=1"
       }
     },
+    "node_modules/obug": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/obug/-/obug-2.1.1.tgz",
+      "integrity": "sha512-uTqF9MuPraAQ+IsnPf366RG4cP9RtUi7MLO1N3KEc+wb0a6yKpeL0lmk2IB1jY5KHPAlTc6T/JRdC/YqxHNwkQ==",
+      "dev": true,
+      "funding": [
+        "https://github.com/sponsors/sxzz",
+        "https://opencollective.com/debug"
+      ],
+      "license": "MIT"
+    },
     "node_modules/optionator": {
       "version": "0.9.4",
       "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.4.tgz",
@@ -4723,32 +6293,12 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
-    "node_modules/package-json-from-dist": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz",
-      "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==",
-      "dev": true,
-      "license": "BlueOak-1.0.0"
-    },
     "node_modules/pako": {
       "version": "1.0.11",
       "resolved": "https://registry.npmjs.org/pako/-/pako-1.0.11.tgz",
       "integrity": "sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw==",
       "license": "(MIT AND Zlib)"
     },
-    "node_modules/parent-module": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/parent-module/-/parent-module-1.0.1.tgz",
-      "integrity": "sha512-GQ2EWRpQV8/o+Aw8YqtfZZPfNRWZYkbidE9k5rpl/hC3vtHHBfGm2Ifi6qWV+coDGkrUKZAxE3Lot5kcsRlh+g==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "callsites": "^3.0.0"
-      },
-      "engines": {
-        "node": ">=6"
-      }
-    },
     "node_modules/path-browserify": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/path-browserify/-/path-browserify-1.0.1.tgz",
@@ -4771,44 +6321,22 @@
       "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz",
       "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==",
       "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/path-scurry": {
-      "version": "1.11.1",
-      "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz",
-      "integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==",
-      "dev": true,
-      "license": "BlueOak-1.0.0",
-      "dependencies": {
-        "lru-cache": "^10.2.0",
-        "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0"
-      },
+      "license": "MIT",
       "engines": {
-        "node": ">=16 || 14 >=14.18"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
+        "node": ">=8"
       }
     },
     "node_modules/pathe": {
       "version": "2.0.3",
       "resolved": "https://registry.npmjs.org/pathe/-/pathe-2.0.3.tgz",
       "integrity": "sha512-WUjGcAqP1gQacoQe+OBJsFA7Ld4DyXuUIjZ5cc75cLHvJ7dtNsTugphxIADwspS+AraAUePCKrSVtPLFj/F88w==",
-      "dev": true,
       "license": "MIT"
     },
-    "node_modules/pathval": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/pathval/-/pathval-2.0.1.tgz",
-      "integrity": "sha512-//nshmD55c46FuFw26xV/xFAaB5HF9Xdap7HJBBnrKdAd6/GxDBaNA1870O79+9ueg61cZLSVc+OaFlfmObYVQ==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">= 14.16"
-      }
+    "node_modules/perfect-debounce": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/perfect-debounce/-/perfect-debounce-2.1.0.tgz",
+      "integrity": "sha512-LjgdTytVFXeUgtHZr9WYViYSM/g8MkcTPYDlPa3cDqMirHjKiSZPYd6DoL7pK8AJQr+uWkQvCjHNdiMqsrJs+g==",
+      "license": "MIT"
     },
     "node_modules/picocolors": {
       "version": "1.1.1",
@@ -4817,10 +6345,9 @@
       "license": "ISC"
     },
     "node_modules/picomatch": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
-      "dev": true,
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "license": "MIT",
       "engines": {
         "node": ">=12"
@@ -4829,10 +6356,21 @@
         "url": "https://github.com/sponsors/jonschlinkert"
       }
     },
+    "node_modules/pkg-types": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/pkg-types/-/pkg-types-2.3.0.tgz",
+      "integrity": "sha512-SIqCzDRg0s9npO5XQ3tNZioRY1uK06lA41ynBC1YmFTmnY6FjUjVt6s4LoADmwoig1qqD0oK8h1p/8mlMx8Oig==",
+      "license": "MIT",
+      "dependencies": {
+        "confbox": "^0.2.2",
+        "exsolve": "^1.0.7",
+        "pathe": "^2.0.3"
+      }
+    },
     "node_modules/postcss": {
-      "version": "8.5.6",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz",
-      "integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==",
+      "version": "8.5.8",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.8.tgz",
+      "integrity": "sha512-OW/rX8O/jXnm82Ey1k44pObPtdblfiuWnrd8X7GJ7emImCOstunGbXUpp7HdBrFQX6rJzn3sPT397Wp5aCwCHg==",
       "funding": [
         {
           "type": "opencollective",
@@ -4858,9 +6396,9 @@
       }
     },
     "node_modules/postcss-selector-parser": {
-      "version": "6.1.2",
-      "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-6.1.2.tgz",
-      "integrity": "sha512-Q8qQfPiZ+THO/3ZrOrO0cJJKfpYCagtMUkXbnEfmgUjwXg6z/WBeOyS9APBBPCTSiDV+s4SwQGu8yFsiMRIudg==",
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-7.1.1.tgz",
+      "integrity": "sha512-orRsuYpJVw8LdAwqqLykBj9ecS5/cRHlI5+nvTo8LcCKmzDmqVORXtOIYEEQuL9D4BxtA1lm5isAqzQZCoQ6Eg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -4888,10 +6426,13 @@
       "license": "MIT"
     },
     "node_modules/proxy-from-env": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz",
-      "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==",
-      "license": "MIT"
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-2.1.0.tgz",
+      "integrity": "sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=10"
+      }
     },
     "node_modules/punycode": {
       "version": "2.3.1",
@@ -4903,6 +6444,22 @@
         "node": ">=6"
       }
     },
+    "node_modules/quansync": {
+      "version": "0.2.11",
+      "resolved": "https://registry.npmjs.org/quansync/-/quansync-0.2.11.tgz",
+      "integrity": "sha512-AifT7QEbW9Nri4tAwR5M/uzpBuqfZf+zwaEM/QkzEjj7NBuFD2rBuy0K3dE+8wltbezDV7JMA0WfnCPYRSYbXA==",
+      "funding": [
+        {
+          "type": "individual",
+          "url": "https://github.com/sponsors/antfu"
+        },
+        {
+          "type": "individual",
+          "url": "https://github.com/sponsors/sxzz"
+        }
+      ],
+      "license": "MIT"
+    },
     "node_modules/queue-microtask": {
       "version": "1.2.3",
       "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz",
@@ -4939,23 +6496,26 @@
         "util-deprecate": "~1.0.1"
       }
     },
-    "node_modules/remeda": {
-      "version": "2.32.0",
-      "resolved": "https://registry.npmjs.org/remeda/-/remeda-2.32.0.tgz",
-      "integrity": "sha512-BZx9DsT4FAgXDTOdgJIc5eY6ECIXMwtlSPQoPglF20ycSWigttDDe88AozEsPPT4OWk5NujroGSBC1phw5uU+w==",
+    "node_modules/readdirp": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-5.0.0.tgz",
+      "integrity": "sha512-9u/XQ1pvrQtYyMpZe7DXKv2p5CNvyVwzUB6uhLAnQwHMSgKMBR62lc7AHljaeteeHXn11XTAaLLUVZYVZyuRBQ==",
       "license": "MIT",
-      "dependencies": {
-        "type-fest": "^4.41.0"
+      "engines": {
+        "node": ">= 20.19.0"
+      },
+      "funding": {
+        "type": "individual",
+        "url": "https://paulmillr.com/funding/"
       }
     },
-    "node_modules/resolve-from": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/resolve-from/-/resolve-from-4.0.0.tgz",
-      "integrity": "sha512-pb/MYmXstAkysRFx8piNI1tGFNQIFA3vkE3Gq4EuA1dF6gHp/+vgZqsCGJapvy8N3Q+4o7FwvquPJcnZ7RYy4g==",
-      "dev": true,
+    "node_modules/remeda": {
+      "version": "2.33.7",
+      "resolved": "https://registry.npmjs.org/remeda/-/remeda-2.33.7.tgz",
+      "integrity": "sha512-cXlyjevWx5AcslOUEETG4o8XYi9UkoCXcJmj7XhPFVbla+ITuOBxv6ijBrmbeg+ZhzmDThkNdO+iXKUfrJep1w==",
       "license": "MIT",
-      "engines": {
-        "node": ">=4"
+      "funding": {
+        "url": "https://github.com/sponsors/remeda"
       }
     },
     "node_modules/reusify": {
@@ -4969,19 +6529,12 @@
         "node": ">=0.10.0"
       }
     },
-    "node_modules/rfc4648": {
-      "version": "1.5.4",
-      "resolved": "https://registry.npmjs.org/rfc4648/-/rfc4648-1.5.4.tgz",
-      "integrity": "sha512-rRg/6Lb+IGfJqO05HZkN50UtY7K/JhxJag1kP23+zyMfrvoB0B7RWv06MbOzoc79RgCdNTiUaNsTT1AJZ7Z+cg==",
-      "license": "MIT"
-    },
     "node_modules/rollup": {
-      "version": "4.46.2",
-      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.46.2.tgz",
-      "integrity": "sha512-WMmLFI+Boh6xbop+OAGo9cQ3OgX9MIg7xOQjn+pTCwOkk+FNDAeAemXkJ3HzDJrVXleLOFVa1ipuc1AmEx1Dwg==",
+      "version": "4.60.1",
+      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.60.1.tgz",
+      "integrity": "sha512-VmtB2rFU/GroZ4oL8+ZqXgSA38O6GR8KSIvWmEFv63pQ0G6KaBH9s07PO8XTXP4vI+3UJUEypOfjkGfmSBBR0w==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@types/estree": "1.0.8"
       },
@@ -4993,26 +6546,31 @@
         "npm": ">=8.0.0"
       },
       "optionalDependencies": {
-        "@rollup/rollup-android-arm-eabi": "4.46.2",
-        "@rollup/rollup-android-arm64": "4.46.2",
-        "@rollup/rollup-darwin-arm64": "4.46.2",
-        "@rollup/rollup-darwin-x64": "4.46.2",
-        "@rollup/rollup-freebsd-arm64": "4.46.2",
-        "@rollup/rollup-freebsd-x64": "4.46.2",
-        "@rollup/rollup-linux-arm-gnueabihf": "4.46.2",
-        "@rollup/rollup-linux-arm-musleabihf": "4.46.2",
-        "@rollup/rollup-linux-arm64-gnu": "4.46.2",
-        "@rollup/rollup-linux-arm64-musl": "4.46.2",
-        "@rollup/rollup-linux-loongarch64-gnu": "4.46.2",
-        "@rollup/rollup-linux-ppc64-gnu": "4.46.2",
-        "@rollup/rollup-linux-riscv64-gnu": "4.46.2",
-        "@rollup/rollup-linux-riscv64-musl": "4.46.2",
-        "@rollup/rollup-linux-s390x-gnu": "4.46.2",
-        "@rollup/rollup-linux-x64-gnu": "4.46.2",
-        "@rollup/rollup-linux-x64-musl": "4.46.2",
-        "@rollup/rollup-win32-arm64-msvc": "4.46.2",
-        "@rollup/rollup-win32-ia32-msvc": "4.46.2",
-        "@rollup/rollup-win32-x64-msvc": "4.46.2",
+        "@rollup/rollup-android-arm-eabi": "4.60.1",
+        "@rollup/rollup-android-arm64": "4.60.1",
+        "@rollup/rollup-darwin-arm64": "4.60.1",
+        "@rollup/rollup-darwin-x64": "4.60.1",
+        "@rollup/rollup-freebsd-arm64": "4.60.1",
+        "@rollup/rollup-freebsd-x64": "4.60.1",
+        "@rollup/rollup-linux-arm-gnueabihf": "4.60.1",
+        "@rollup/rollup-linux-arm-musleabihf": "4.60.1",
+        "@rollup/rollup-linux-arm64-gnu": "4.60.1",
+        "@rollup/rollup-linux-arm64-musl": "4.60.1",
+        "@rollup/rollup-linux-loong64-gnu": "4.60.1",
+        "@rollup/rollup-linux-loong64-musl": "4.60.1",
+        "@rollup/rollup-linux-ppc64-gnu": "4.60.1",
+        "@rollup/rollup-linux-ppc64-musl": "4.60.1",
+        "@rollup/rollup-linux-riscv64-gnu": "4.60.1",
+        "@rollup/rollup-linux-riscv64-musl": "4.60.1",
+        "@rollup/rollup-linux-s390x-gnu": "4.60.1",
+        "@rollup/rollup-linux-x64-gnu": "4.60.1",
+        "@rollup/rollup-linux-x64-musl": "4.60.1",
+        "@rollup/rollup-openbsd-x64": "4.60.1",
+        "@rollup/rollup-openharmony-arm64": "4.60.1",
+        "@rollup/rollup-win32-arm64-msvc": "4.60.1",
+        "@rollup/rollup-win32-ia32-msvc": "4.60.1",
+        "@rollup/rollup-win32-x64-gnu": "4.60.1",
+        "@rollup/rollup-win32-x64-msvc": "4.60.1",
         "fsevents": "~2.3.2"
       }
     },
@@ -5046,10 +6604,16 @@
       "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==",
       "license": "MIT"
     },
+    "node_modules/scule": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/scule/-/scule-1.3.0.tgz",
+      "integrity": "sha512-6FtHJEvt+pVMIB9IBY+IcCJ6Z5f1iQnytgyfKMhDKgmzYG+TeH/wx1y3l27rshSbLiSanrR9ffZDrEsmjlQF2g==",
+      "license": "MIT"
+    },
     "node_modules/semver": {
-      "version": "7.7.3",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.3.tgz",
-      "integrity": "sha512-SdsKMrI9TdgjdweUSR9MweHA4EJ8YxHn8DFaDisvhVlUOe4BF1tLD7GAj0lIqWVl+dPb/rExr0Btby5loQm20Q==",
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.4.tgz",
+      "integrity": "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==",
       "license": "ISC",
       "bin": {
         "semver": "bin/semver.js"
@@ -5064,6 +6628,12 @@
       "integrity": "sha512-MATJdZp8sLqDl/68LfQmbP8zKPLQNV6BIZoIgrscFDQ+RsvK/BxeDQOgyxKKoh0y/8h3BqVFnCqQ/gd+reiIXA==",
       "license": "MIT"
     },
+    "node_modules/shamir-secret-sharing": {
+      "version": "0.0.4",
+      "resolved": "https://registry.npmjs.org/shamir-secret-sharing/-/shamir-secret-sharing-0.0.4.tgz",
+      "integrity": "sha512-ui8u/cIg2j16b9on/LH3V/glL6wHdwiTo/Iajzqx0STniBvuOzl6VYUxhrow3waF0dggovJfYiBZSWfTAN4XLQ==",
+      "license": "Apache-2.0"
+    },
     "node_modules/shebang-command": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",
@@ -5094,658 +6664,979 @@
       "dev": true,
       "license": "ISC"
     },
-    "node_modules/signal-exit": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz",
-      "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==",
+    "node_modules/source-map": {
+      "version": "0.6.1",
+      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
       "dev": true,
-      "license": "ISC",
+      "license": "BSD-3-Clause",
+      "optional": true,
       "engines": {
-        "node": ">=14"
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/source-map-js": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz",
+      "integrity": "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==",
+      "license": "BSD-3-Clause",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/stackback": {
+      "version": "0.0.2",
+      "resolved": "https://registry.npmjs.org/stackback/-/stackback-0.0.2.tgz",
+      "integrity": "sha512-1XMJE5fQo1jGH6Y/7ebnwPOBEkIEnT4QF32d5R1+VXdXveM0IBMJt8zfaxX1P3QhVwrYe+576+jkANtSS2mBbw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/std-env": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/std-env/-/std-env-4.0.0.tgz",
+      "integrity": "sha512-zUMPtQ/HBY3/50VbpkupYHbRroTRZJPRLvreamgErJVys0ceuzMkD44J/QjqhHjOzK42GQ3QZIeFG1OYfOtKqQ==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/string_decoder": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz",
+      "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==",
+      "license": "MIT",
+      "dependencies": {
+        "safe-buffer": "~5.1.0"
+      }
+    },
+    "node_modules/strnum": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.0.tgz",
+      "integrity": "sha512-Y7Bj8XyJxnPAORMZj/xltsfo55uOiyHcU2tnAVzHUnSJR/KsEX+9RoDeXEnsXtl/CX4fAcrt64gZ13aGaWPeBg==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/NaturalIntelligence"
+        }
+      ],
+      "license": "MIT"
+    },
+    "node_modules/supports-color": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz",
+      "integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "has-flag": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/tailwindcss": {
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.2.2.tgz",
+      "integrity": "sha512-KWBIxs1Xb6NoLdMVqhbhgwZf2PGBpPEiwOqgI4pFIYbNTfBXiKYyWoTsXgBQ9WFg/OlhnvHaY+AEpW7wSmFo2Q==",
+      "license": "MIT"
+    },
+    "node_modules/tapable": {
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.2.tgz",
+      "integrity": "sha512-1MOpMXuhGzGL5TTCZFItxCc0AARf1EZFQkGqMm7ERKj8+Hgr5oLvJOVFcC+lRmR8hCe2S3jC4T5D7Vg/d7/fhA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
       },
       "funding": {
-        "url": "https://github.com/sponsors/isaacs"
+        "type": "opencollective",
+        "url": "https://opencollective.com/webpack"
       }
     },
-    "node_modules/source-map": {
-      "version": "0.6.1",
-      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+    "node_modules/tinybench": {
+      "version": "2.9.0",
+      "resolved": "https://registry.npmjs.org/tinybench/-/tinybench-2.9.0.tgz",
+      "integrity": "sha512-0+DUvqWMValLmha6lr4kD8iAMK1HzV0/aKnCtWb9v9641TnP/MFb7Pc2bxoxQjTXAErryXVgUOfv2YqNllqGeg==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/tinyexec": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.0.4.tgz",
+      "integrity": "sha512-u9r3uZC0bdpGOXtlxUIdwf9pkmvhqJdrVCH9fapQtgy/OeTTMZ1nqH7agtvEfmGui6e1XxjcdrlxvxJvc3sMqw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tinyglobby": {
+      "version": "0.2.15",
+      "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.15.tgz",
+      "integrity": "sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ==",
+      "license": "MIT",
+      "dependencies": {
+        "fdir": "^6.5.0",
+        "picomatch": "^4.0.3"
+      },
+      "engines": {
+        "node": ">=12.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/SuperchupuDev"
+      }
+    },
+    "node_modules/tinyrainbow": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/tinyrainbow/-/tinyrainbow-3.1.0.tgz",
+      "integrity": "sha512-Bf+ILmBgretUrdJxzXM0SgXLZ3XfiaUuOj/IKQHuTXip+05Xn+uyEYdVg0kYDipTBcLrCVyUzAPz7QmArb0mmw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/to-regex-range": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
+      "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "is-number": "^7.0.0"
+      },
+      "engines": {
+        "node": ">=8.0"
+      }
+    },
+    "node_modules/ts-api-utils": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/ts-api-utils/-/ts-api-utils-2.5.0.tgz",
+      "integrity": "sha512-OJ/ibxhPlqrMM0UiNHJ/0CKQkoKF243/AEmplt3qpRgkW8VG7IfOS41h7V8TjITqdByHzrjcS/2si+y4lIh8NA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.12"
+      },
+      "peerDependencies": {
+        "typescript": ">=4.8.4"
+      }
+    },
+    "node_modules/ts-node": {
+      "version": "10.9.2",
+      "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-10.9.2.tgz",
+      "integrity": "sha512-f0FFpIdcHgn8zcPSbf1dRevwt047YMnaiJM3u2w2RewrB+fob/zePZcrOyQoLMMO7aBIddLcQIEK5dYjkLnGrQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@cspotcode/source-map-support": "^0.8.0",
+        "@tsconfig/node10": "^1.0.7",
+        "@tsconfig/node12": "^1.0.7",
+        "@tsconfig/node14": "^1.0.0",
+        "@tsconfig/node16": "^1.0.2",
+        "acorn": "^8.4.1",
+        "acorn-walk": "^8.1.1",
+        "arg": "^4.1.0",
+        "create-require": "^1.1.0",
+        "diff": "^4.0.1",
+        "make-error": "^1.1.1",
+        "v8-compile-cache-lib": "^3.0.1",
+        "yn": "3.1.1"
+      },
+      "bin": {
+        "ts-node": "dist/bin.js",
+        "ts-node-cwd": "dist/bin-cwd.js",
+        "ts-node-esm": "dist/bin-esm.js",
+        "ts-node-script": "dist/bin-script.js",
+        "ts-node-transpile-only": "dist/bin-transpile.js",
+        "ts-script": "dist/bin-script-deprecated.js"
+      },
+      "peerDependencies": {
+        "@swc/core": ">=1.2.50",
+        "@swc/wasm": ">=1.2.50",
+        "@types/node": "*",
+        "typescript": ">=2.7"
+      },
+      "peerDependenciesMeta": {
+        "@swc/core": {
+          "optional": true
+        },
+        "@swc/wasm": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/ts-node/node_modules/diff": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.2.tgz",
+      "integrity": "sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==",
+      "dev": true,
+      "license": "BSD-3-Clause",
+      "engines": {
+        "node": ">=0.3.1"
+      }
+    },
+    "node_modules/tslib": {
+      "version": "2.8.1",
+      "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz",
+      "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==",
+      "license": "0BSD"
+    },
+    "node_modules/type-check": {
+      "version": "0.4.0",
+      "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz",
+      "integrity": "sha512-XleUoc9uwGXqjWwXaUTZAmzMcFZ5858QA2vvx1Ur5xIcixXIP+8LnFDgRplU30us6teqdlskFfu+ae4K79Ooew==",
       "dev": true,
-      "license": "BSD-3-Clause",
-      "optional": true,
+      "license": "MIT",
+      "dependencies": {
+        "prelude-ls": "^1.2.1"
+      },
       "engines": {
-        "node": ">=0.10.0"
+        "node": ">= 0.8.0"
       }
     },
-    "node_modules/source-map-js": {
-      "version": "1.2.1",
-      "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz",
-      "integrity": "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==",
-      "license": "BSD-3-Clause",
+    "node_modules/typescript": {
+      "version": "5.9.3",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
+      "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
+      "devOptional": true,
+      "license": "Apache-2.0",
+      "bin": {
+        "tsc": "bin/tsc",
+        "tsserver": "bin/tsserver"
+      },
       "engines": {
-        "node": ">=0.10.0"
+        "node": ">=14.17"
       }
     },
-    "node_modules/stackback": {
-      "version": "0.0.2",
-      "resolved": "https://registry.npmjs.org/stackback/-/stackback-0.0.2.tgz",
-      "integrity": "sha512-1XMJE5fQo1jGH6Y/7ebnwPOBEkIEnT4QF32d5R1+VXdXveM0IBMJt8zfaxX1P3QhVwrYe+576+jkANtSS2mBbw==",
+    "node_modules/typescript-eslint": {
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.58.0.tgz",
+      "integrity": "sha512-e2TQzKfaI85fO+F3QywtX+tCTsu/D3WW5LVU6nz8hTFKFZ8yBJ6mSYRpXqdR3mFjPWmO0eWsTa5f+UpAOe/FMA==",
       "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@typescript-eslint/eslint-plugin": "8.58.0",
+        "@typescript-eslint/parser": "8.58.0",
+        "@typescript-eslint/typescript-estree": "8.58.0",
+        "@typescript-eslint/utils": "8.58.0"
+      },
+      "engines": {
+        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      },
+      "peerDependencies": {
+        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
+        "typescript": ">=4.8.4 <6.1.0"
+      }
+    },
+    "node_modules/ufo": {
+      "version": "1.6.3",
+      "resolved": "https://registry.npmjs.org/ufo/-/ufo-1.6.3.tgz",
+      "integrity": "sha512-yDJTmhydvl5lJzBmy/hyOAA0d+aqCBuwl818haVdYCRrWV84o7YyeVm4QlVHStqNrrJSTb6jKuFAVqAFsr+K3Q==",
       "license": "MIT"
     },
-    "node_modules/std-env": {
-      "version": "3.9.0",
-      "resolved": "https://registry.npmjs.org/std-env/-/std-env-3.9.0.tgz",
-      "integrity": "sha512-UGvjygr6F6tpH7o2qyqR6QYpwraIjKSdtzyBdyytFOHmPZY917kwdwLG0RbOjWOnKmnm3PeHjaoLLMie7kPLQw==",
-      "dev": true,
+    "node_modules/undici-types": {
+      "version": "6.21.0",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz",
+      "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==",
       "license": "MIT"
     },
-    "node_modules/string_decoder": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz",
-      "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==",
+    "node_modules/unplugin": {
+      "version": "2.3.11",
+      "resolved": "https://registry.npmjs.org/unplugin/-/unplugin-2.3.11.tgz",
+      "integrity": "sha512-5uKD0nqiYVzlmCRs01Fhs2BdkEgBS3SAVP6ndrBsuK42iC2+JHyxM05Rm9G8+5mkmRtzMZGY8Ct5+mliZxU/Ww==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
-        "safe-buffer": "~5.1.0"
+        "@jridgewell/remapping": "^2.3.5",
+        "acorn": "^8.15.0",
+        "picomatch": "^4.0.3",
+        "webpack-virtual-modules": "^0.6.2"
+      },
+      "engines": {
+        "node": ">=18.12.0"
       }
     },
-    "node_modules/string-width": {
-      "version": "5.1.2",
-      "resolved": "https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz",
-      "integrity": "sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA==",
-      "dev": true,
+    "node_modules/unplugin-utils": {
+      "version": "0.3.1",
+      "resolved": "https://registry.npmjs.org/unplugin-utils/-/unplugin-utils-0.3.1.tgz",
+      "integrity": "sha512-5lWVjgi6vuHhJ526bI4nlCOmkCIF3nnfXkCMDeMJrtdvxTs6ZFCM8oNufGTsDbKv/tJ/xj8RpvXjRuPBZJuJog==",
       "license": "MIT",
       "dependencies": {
-        "eastasianwidth": "^0.2.0",
-        "emoji-regex": "^9.2.2",
-        "strip-ansi": "^7.0.1"
+        "pathe": "^2.0.3",
+        "picomatch": "^4.0.3"
       },
       "engines": {
-        "node": ">=12"
+        "node": ">=20.19.0"
       },
       "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
+        "url": "https://github.com/sponsors/sxzz"
       }
     },
-    "node_modules/string-width-cjs": {
-      "name": "string-width",
-      "version": "4.2.3",
-      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
-      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
+    "node_modules/uri-js": {
+      "version": "4.4.1",
+      "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz",
+      "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==",
       "dev": true,
-      "license": "MIT",
+      "license": "BSD-2-Clause",
       "dependencies": {
-        "emoji-regex": "^8.0.0",
-        "is-fullwidth-code-point": "^3.0.0",
-        "strip-ansi": "^6.0.1"
-      },
-      "engines": {
-        "node": ">=8"
+        "punycode": "^2.1.0"
       }
     },
-    "node_modules/string-width-cjs/node_modules/ansi-regex": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
-      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
-      "dev": true,
+    "node_modules/util-deprecate": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
+      "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==",
+      "license": "MIT"
+    },
+    "node_modules/uuid": {
+      "version": "9.0.1",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz",
+      "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==",
+      "funding": [
+        "https://github.com/sponsors/broofa",
+        "https://github.com/sponsors/ctavan"
+      ],
       "license": "MIT",
-      "engines": {
-        "node": ">=8"
+      "bin": {
+        "uuid": "dist/bin/uuid"
       }
     },
-    "node_modules/string-width-cjs/node_modules/emoji-regex": {
-      "version": "8.0.0",
-      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
-      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
+    "node_modules/v8-compile-cache-lib": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/v8-compile-cache-lib/-/v8-compile-cache-lib-3.0.1.tgz",
+      "integrity": "sha512-wa7YjyUGfNZngI/vtK0UHAN+lgDCxBPCylVXGp0zu59Fz5aiGtNXaq3DhIov063MorB+VfufLh3JlF2KdTK3xg==",
       "dev": true,
       "license": "MIT"
     },
-    "node_modules/string-width-cjs/node_modules/strip-ansi": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
-      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+    "node_modules/vite": {
+      "version": "7.3.1",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-7.3.1.tgz",
+      "integrity": "sha512-w+N7Hifpc3gRjZ63vYBXA56dvvRlNWRczTdmCBBa+CotUzAPf5b7YMdMR/8CQoeYE5LX3W4wj6RYTgonm1b9DA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "ansi-regex": "^5.0.1"
+        "esbuild": "^0.27.0",
+        "fdir": "^6.5.0",
+        "picomatch": "^4.0.3",
+        "postcss": "^8.5.6",
+        "rollup": "^4.43.0",
+        "tinyglobby": "^0.2.15"
+      },
+      "bin": {
+        "vite": "bin/vite.js"
       },
       "engines": {
-        "node": ">=8"
+        "node": "^20.19.0 || >=22.12.0"
+      },
+      "funding": {
+        "url": "https://github.com/vitejs/vite?sponsor=1"
+      },
+      "optionalDependencies": {
+        "fsevents": "~2.3.3"
+      },
+      "peerDependencies": {
+        "@types/node": "^20.19.0 || >=22.12.0",
+        "jiti": ">=1.21.0",
+        "less": "^4.0.0",
+        "lightningcss": "^1.21.0",
+        "sass": "^1.70.0",
+        "sass-embedded": "^1.70.0",
+        "stylus": ">=0.54.8",
+        "sugarss": "^5.0.0",
+        "terser": "^5.16.0",
+        "tsx": "^4.8.1",
+        "yaml": "^2.4.2"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        },
+        "jiti": {
+          "optional": true
+        },
+        "less": {
+          "optional": true
+        },
+        "lightningcss": {
+          "optional": true
+        },
+        "sass": {
+          "optional": true
+        },
+        "sass-embedded": {
+          "optional": true
+        },
+        "stylus": {
+          "optional": true
+        },
+        "sugarss": {
+          "optional": true
+        },
+        "terser": {
+          "optional": true
+        },
+        "tsx": {
+          "optional": true
+        },
+        "yaml": {
+          "optional": true
+        }
       }
     },
-    "node_modules/strip-ansi": {
-      "version": "7.1.0",
-      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.0.tgz",
-      "integrity": "sha512-iq6eVVI64nQQTRYq2KtEg2d2uU7LElhTJwsH4YzIHZshxlgZms/wIc4VoDQTlG/IvVIrBKG06CrZnp0qv7hkcQ==",
+    "node_modules/vite/node_modules/@esbuild/aix-ppc64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.4.tgz",
+      "integrity": "sha512-cQPwL2mp2nSmHHJlCyoXgHGhbEPMrEEU5xhkcy3Hs/O7nGZqEpZ2sUtLaL9MORLtDfRvVl2/3PAuEkYZH0Ty8Q==",
+      "cpu": [
+        "ppc64"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "ansi-regex": "^6.0.1"
-      },
+      "optional": true,
+      "os": [
+        "aix"
+      ],
       "engines": {
-        "node": ">=12"
-      },
-      "funding": {
-        "url": "https://github.com/chalk/strip-ansi?sponsor=1"
+        "node": ">=18"
       }
     },
-    "node_modules/strip-ansi-cjs": {
-      "name": "strip-ansi",
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
-      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+    "node_modules/vite/node_modules/@esbuild/android-arm": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.4.tgz",
+      "integrity": "sha512-X9bUgvxiC8CHAGKYufLIHGXPJWnr0OCdR0anD2e21vdvgCI8lIfqFbnoeOz7lBjdrAGUhqLZLcQo6MLhTO2DKQ==",
+      "cpu": [
+        "arm"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "ansi-regex": "^5.0.1"
-      },
+      "optional": true,
+      "os": [
+        "android"
+      ],
       "engines": {
-        "node": ">=8"
+        "node": ">=18"
       }
     },
-    "node_modules/strip-ansi-cjs/node_modules/ansi-regex": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
-      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+    "node_modules/vite/node_modules/@esbuild/android-arm64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.4.tgz",
+      "integrity": "sha512-gdLscB7v75wRfu7QSm/zg6Rx29VLdy9eTr2t44sfTW7CxwAtQghZ4ZnqHk3/ogz7xao0QAgrkradbBzcqFPasw==",
+      "cpu": [
+        "arm64"
+      ],
       "dev": true,
       "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
       "engines": {
-        "node": ">=8"
+        "node": ">=18"
       }
     },
-    "node_modules/strip-json-comments": {
-      "version": "3.1.1",
-      "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.1.1.tgz",
-      "integrity": "sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==",
+    "node_modules/vite/node_modules/@esbuild/android-x64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.4.tgz",
+      "integrity": "sha512-PzPFnBNVF292sfpfhiyiXCGSn9HZg5BcAz+ivBuSsl6Rk4ga1oEXAamhOXRFyMcjwr2DVtm40G65N3GLeH1Lvw==",
+      "cpu": [
+        "x64"
+      ],
       "dev": true,
       "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
       "engines": {
-        "node": ">=8"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
+        "node": ">=18"
       }
     },
-    "node_modules/strip-literal": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/strip-literal/-/strip-literal-3.0.0.tgz",
-      "integrity": "sha512-TcccoMhJOM3OebGhSBEmp3UZ2SfDMZUEBdRA/9ynfLi8yYajyWX3JiXArcJt4Umh4vISpspkQIY8ZZoCqjbviA==",
+    "node_modules/vite/node_modules/@esbuild/darwin-arm64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.4.tgz",
+      "integrity": "sha512-b7xaGIwdJlht8ZFCvMkpDN6uiSmnxxK56N2GDTMYPr2/gzvfdQN8rTfBsvVKmIVY/X7EM+/hJKEIbbHs9oA4tQ==",
+      "cpu": [
+        "arm64"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "js-tokens": "^9.0.1"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/antfu"
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">=18"
       }
     },
-    "node_modules/supports-color": {
-      "version": "7.2.0",
-      "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz",
-      "integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==",
+    "node_modules/vite/node_modules/@esbuild/darwin-x64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.4.tgz",
+      "integrity": "sha512-sR+OiKLwd15nmCdqpXMnuJ9W2kpy0KigzqScqHI3Hqwr7IXxBp3Yva+yJwoqh7rE8V77tdoheRYataNKL4QrPw==",
+      "cpu": [
+        "x64"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "has-flag": "^4.0.0"
-      },
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
       "engines": {
-        "node": ">=8"
+        "node": ">=18"
       }
     },
-    "node_modules/tailwindcss": {
-      "version": "4.1.14",
-      "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.1.14.tgz",
-      "integrity": "sha512-b7pCxjGO98LnxVkKjaZSDeNuljC4ueKUddjENJOADtubtdo8llTaJy7HwBMeLNSSo2N5QIAgklslK1+Ir8r6CA==",
+    "node_modules/vite/node_modules/@esbuild/freebsd-arm64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.4.tgz",
+      "integrity": "sha512-jnfpKe+p79tCnm4GVav68A7tUFeKQwQyLgESwEAUzyxk/TJr4QdGog9sqWNcUbr/bZt/O/HXouspuQDd9JxFSw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
       "license": "MIT",
-      "peer": true
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
     },
-    "node_modules/tapable": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.0.tgz",
-      "integrity": "sha512-g9ljZiwki/LfxmQADO3dEY1CbpmXT5Hm2fJ+QaGKwSXUylMybePR7/67YW7jOrrvjEgL1Fmz5kzyAjWVWLlucg==",
+    "node_modules/vite/node_modules/@esbuild/freebsd-x64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.4.tgz",
+      "integrity": "sha512-2kb4ceA/CpfUrIcTUl1wrP/9ad9Atrp5J94Lq69w7UwOMolPIGrfLSvAKJp0RTvkPPyn6CIWrNy13kyLikZRZQ==",
+      "cpu": [
+        "x64"
+      ],
       "dev": true,
       "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
       "engines": {
-        "node": ">=6"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/webpack"
+        "node": ">=18"
       }
     },
-    "node_modules/tar": {
-      "version": "7.5.1",
-      "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.1.tgz",
-      "integrity": "sha512-nlGpxf+hv0v7GkWBK2V9spgactGOp0qvfWRxUMjqHyzrt3SgwE48DIv/FhqPHJYLHpgW1opq3nERbz5Anq7n1g==",
+    "node_modules/vite/node_modules/@esbuild/linux-arm": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.4.tgz",
+      "integrity": "sha512-aBYgcIxX/wd5n2ys0yESGeYMGF+pv6g0DhZr3G1ZG4jMfruU9Tl1i2Z+Wnj9/KjGz1lTLCcorqE2viePZqj4Eg==",
+      "cpu": [
+        "arm"
+      ],
       "dev": true,
-      "license": "ISC",
-      "dependencies": {
-        "@isaacs/fs-minipass": "^4.0.0",
-        "chownr": "^3.0.0",
-        "minipass": "^7.1.2",
-        "minizlib": "^3.1.0",
-        "yallist": "^5.0.0"
-      },
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
       "engines": {
         "node": ">=18"
       }
     },
-    "node_modules/test-exclude": {
-      "version": "7.0.1",
-      "resolved": "https://registry.npmjs.org/test-exclude/-/test-exclude-7.0.1.tgz",
-      "integrity": "sha512-pFYqmTw68LXVjeWJMST4+borgQP2AyMNbg1BpZh9LbyhUeNkeaPF9gzfPGUAnSMV3qPYdWUwDIjjCLiSDOl7vg==",
+    "node_modules/vite/node_modules/@esbuild/linux-arm64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.4.tgz",
+      "integrity": "sha512-7nQOttdzVGth1iz57kxg9uCz57dxQLHWxopL6mYuYthohPKEK0vU0C3O21CcBK6KDlkYVcnDXY099HcCDXd9dA==",
+      "cpu": [
+        "arm64"
+      ],
       "dev": true,
-      "license": "ISC",
-      "dependencies": {
-        "@istanbuljs/schema": "^0.1.2",
-        "glob": "^10.4.1",
-        "minimatch": "^9.0.4"
-      },
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
       "engines": {
         "node": ">=18"
       }
     },
-    "node_modules/tinybench": {
-      "version": "2.9.0",
-      "resolved": "https://registry.npmjs.org/tinybench/-/tinybench-2.9.0.tgz",
-      "integrity": "sha512-0+DUvqWMValLmha6lr4kD8iAMK1HzV0/aKnCtWb9v9641TnP/MFb7Pc2bxoxQjTXAErryXVgUOfv2YqNllqGeg==",
-      "dev": true,
-      "license": "MIT"
-    },
-    "node_modules/tinyexec": {
-      "version": "0.3.2",
-      "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-0.3.2.tgz",
-      "integrity": "sha512-KQQR9yN7R5+OSwaK0XQoj22pwHoTlgYqmUscPYoknOoWCWfj/5/ABTMRi69FrKU5ffPVh5QcFikpWJI/P1ocHA==",
+    "node_modules/vite/node_modules/@esbuild/linux-ia32": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.4.tgz",
+      "integrity": "sha512-oPtixtAIzgvzYcKBQM/qZ3R+9TEUd1aNJQu0HhGyqtx6oS7qTpvjheIWBbes4+qu1bNlo2V4cbkISr8q6gRBFA==",
+      "cpu": [
+        "ia32"
+      ],
       "dev": true,
-      "license": "MIT"
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
     },
-    "node_modules/tinyglobby": {
-      "version": "0.2.15",
-      "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.15.tgz",
-      "integrity": "sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ==",
+    "node_modules/vite/node_modules/@esbuild/linux-loong64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.4.tgz",
+      "integrity": "sha512-8mL/vh8qeCoRcFH2nM8wm5uJP+ZcVYGGayMavi8GmRJjuI3g1v6Z7Ni0JJKAJW+m0EtUuARb6Lmp4hMjzCBWzA==",
+      "cpu": [
+        "loong64"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "fdir": "^6.5.0",
-        "picomatch": "^4.0.3"
-      },
+      "optional": true,
+      "os": [
+        "linux"
+      ],
       "engines": {
-        "node": ">=12.0.0"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/SuperchupuDev"
+        "node": ">=18"
       }
     },
-    "node_modules/tinypool": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/tinypool/-/tinypool-1.1.1.tgz",
-      "integrity": "sha512-Zba82s87IFq9A9XmjiX5uZA/ARWDrB03OHlq+Vw1fSdt0I+4/Kutwy8BP4Y/y/aORMo61FQ0vIb5j44vSo5Pkg==",
+    "node_modules/vite/node_modules/@esbuild/linux-mips64el": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.4.tgz",
+      "integrity": "sha512-1RdrWFFiiLIW7LQq9Q2NES+HiD4NyT8Itj9AUeCl0IVCA459WnPhREKgwrpaIfTOe+/2rdntisegiPWn/r/aAw==",
+      "cpu": [
+        "mips64el"
+      ],
       "dev": true,
       "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
       "engines": {
-        "node": "^18.0.0 || >=20.0.0"
+        "node": ">=18"
       }
     },
-    "node_modules/tinyrainbow": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/tinyrainbow/-/tinyrainbow-2.0.0.tgz",
-      "integrity": "sha512-op4nsTR47R6p0vMUUoYl/a+ljLFVtlfaXkLQmqfLR1qHma1h/ysYk4hEXZ880bf2CYgTskvTa/e196Vd5dDQXw==",
+    "node_modules/vite/node_modules/@esbuild/linux-ppc64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.4.tgz",
+      "integrity": "sha512-tLCwNG47l3sd9lpfyx9LAGEGItCUeRCWeAx6x2Jmbav65nAwoPXfewtAdtbtit/pJFLUWOhpv0FpS6GQAmPrHA==",
+      "cpu": [
+        "ppc64"
+      ],
       "dev": true,
       "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
       "engines": {
-        "node": ">=14.0.0"
+        "node": ">=18"
       }
     },
-    "node_modules/tinyspy": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/tinyspy/-/tinyspy-4.0.3.tgz",
-      "integrity": "sha512-t2T/WLB2WRgZ9EpE4jgPJ9w+i66UZfDc8wHh0xrwiRNN+UwH98GIJkTeZqX9rg0i0ptwzqW+uYeIF0T4F8LR7A==",
+    "node_modules/vite/node_modules/@esbuild/linux-riscv64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.4.tgz",
+      "integrity": "sha512-BnASypppbUWyqjd1KIpU4AUBiIhVr6YlHx/cnPgqEkNoVOhHg+YiSVxM1RLfiy4t9cAulbRGTNCKOcqHrEQLIw==",
+      "cpu": [
+        "riscv64"
+      ],
       "dev": true,
       "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
       "engines": {
-        "node": ">=14.0.0"
+        "node": ">=18"
       }
     },
-    "node_modules/to-regex-range": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
-      "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
+    "node_modules/vite/node_modules/@esbuild/linux-s390x": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.4.tgz",
+      "integrity": "sha512-+eUqgb/Z7vxVLezG8bVB9SfBie89gMueS+I0xYh2tJdw3vqA/0ImZJ2ROeWwVJN59ihBeZ7Tu92dF/5dy5FttA==",
+      "cpu": [
+        "s390x"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "is-number": "^7.0.0"
-      },
+      "optional": true,
+      "os": [
+        "linux"
+      ],
       "engines": {
-        "node": ">=8.0"
+        "node": ">=18"
       }
     },
-    "node_modules/ts-api-utils": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/ts-api-utils/-/ts-api-utils-2.1.0.tgz",
-      "integrity": "sha512-CUgTZL1irw8u29bzrOD/nH85jqyc74D6SshFgujOIA7osm2Rz7dYH77agkx7H4FBNxDq7Cjf+IjaX/8zwFW+ZQ==",
+    "node_modules/vite/node_modules/@esbuild/linux-x64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.4.tgz",
+      "integrity": "sha512-S5qOXrKV8BQEzJPVxAwnryi2+Iq5pB40gTEIT69BQONqR7JH1EPIcQ/Uiv9mCnn05jff9umq/5nqzxlqTOg9NA==",
+      "cpu": [
+        "x64"
+      ],
       "dev": true,
       "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
       "engines": {
-        "node": ">=18.12"
-      },
-      "peerDependencies": {
-        "typescript": ">=4.8.4"
+        "node": ">=18"
       }
     },
-    "node_modules/ts-node": {
-      "version": "10.9.2",
-      "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-10.9.2.tgz",
-      "integrity": "sha512-f0FFpIdcHgn8zcPSbf1dRevwt047YMnaiJM3u2w2RewrB+fob/zePZcrOyQoLMMO7aBIddLcQIEK5dYjkLnGrQ==",
+    "node_modules/vite/node_modules/@esbuild/netbsd-arm64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.4.tgz",
+      "integrity": "sha512-xHT8X4sb0GS8qTqiwzHqpY00C95DPAq7nAwX35Ie/s+LO9830hrMd3oX0ZMKLvy7vsonee73x0lmcdOVXFzd6Q==",
+      "cpu": [
+        "arm64"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "@cspotcode/source-map-support": "^0.8.0",
-        "@tsconfig/node10": "^1.0.7",
-        "@tsconfig/node12": "^1.0.7",
-        "@tsconfig/node14": "^1.0.0",
-        "@tsconfig/node16": "^1.0.2",
-        "acorn": "^8.4.1",
-        "acorn-walk": "^8.1.1",
-        "arg": "^4.1.0",
-        "create-require": "^1.1.0",
-        "diff": "^4.0.1",
-        "make-error": "^1.1.1",
-        "v8-compile-cache-lib": "^3.0.1",
-        "yn": "3.1.1"
-      },
-      "bin": {
-        "ts-node": "dist/bin.js",
-        "ts-node-cwd": "dist/bin-cwd.js",
-        "ts-node-esm": "dist/bin-esm.js",
-        "ts-node-script": "dist/bin-script.js",
-        "ts-node-transpile-only": "dist/bin-transpile.js",
-        "ts-script": "dist/bin-script-deprecated.js"
-      },
-      "peerDependencies": {
-        "@swc/core": ">=1.2.50",
-        "@swc/wasm": ">=1.2.50",
-        "@types/node": "*",
-        "typescript": ">=2.7"
-      },
-      "peerDependenciesMeta": {
-        "@swc/core": {
-          "optional": true
-        },
-        "@swc/wasm": {
-          "optional": true
-        }
+      "optional": true,
+      "os": [
+        "netbsd"
+      ],
+      "engines": {
+        "node": ">=18"
       }
     },
-    "node_modules/type-check": {
-      "version": "0.4.0",
-      "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz",
-      "integrity": "sha512-XleUoc9uwGXqjWwXaUTZAmzMcFZ5858QA2vvx1Ur5xIcixXIP+8LnFDgRplU30us6teqdlskFfu+ae4K79Ooew==",
+    "node_modules/vite/node_modules/@esbuild/netbsd-x64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.4.tgz",
+      "integrity": "sha512-RugOvOdXfdyi5Tyv40kgQnI0byv66BFgAqjdgtAKqHoZTbTF2QqfQrFwa7cHEORJf6X2ht+l9ABLMP0dnKYsgg==",
+      "cpu": [
+        "x64"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "prelude-ls": "^1.2.1"
-      },
+      "optional": true,
+      "os": [
+        "netbsd"
+      ],
       "engines": {
-        "node": ">= 0.8.0"
+        "node": ">=18"
       }
     },
-    "node_modules/type-fest": {
-      "version": "4.41.0",
-      "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.41.0.tgz",
-      "integrity": "sha512-TeTSQ6H5YHvpqVwBRcnLDCBnDOHWYu7IvGbHT6N8AOymcr9PJGjc1GTtiWZTYg0NCgYwvnYWEkVChQAr9bjfwA==",
-      "license": "(MIT OR CC0-1.0)",
+    "node_modules/vite/node_modules/@esbuild/openbsd-arm64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.4.tgz",
+      "integrity": "sha512-2MyL3IAaTX+1/qP0O1SwskwcwCoOI4kV2IBX1xYnDDqthmq5ArrW94qSIKCAuRraMgPOmG0RDTA74mzYNQA9ow==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ],
       "engines": {
-        "node": ">=16"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
+        "node": ">=18"
       }
     },
-    "node_modules/typescript": {
-      "version": "5.8.3",
-      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.8.3.tgz",
-      "integrity": "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ==",
-      "devOptional": true,
-      "license": "Apache-2.0",
-      "peer": true,
-      "bin": {
-        "tsc": "bin/tsc",
-        "tsserver": "bin/tsserver"
-      },
+    "node_modules/vite/node_modules/@esbuild/openbsd-x64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.4.tgz",
+      "integrity": "sha512-u8fg/jQ5aQDfsnIV6+KwLOf1CmJnfu1ShpwqdwC0uA7ZPwFws55Ngc12vBdeUdnuWoQYx/SOQLGDcdlfXhYmXQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ],
       "engines": {
-        "node": ">=14.17"
+        "node": ">=18"
       }
     },
-    "node_modules/typescript-eslint": {
-      "version": "8.46.1",
-      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.46.1.tgz",
-      "integrity": "sha512-VHgijW803JafdSsDO8I761r3SHrgk4T00IdyQ+/UsthtgPRsBWQLqoSxOolxTpxRKi1kGXK0bSz4CoAc9ObqJA==",
+    "node_modules/vite/node_modules/@esbuild/openharmony-arm64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.4.tgz",
+      "integrity": "sha512-JkTZrl6VbyO8lDQO3yv26nNr2RM2yZzNrNHEsj9bm6dOwwu9OYN28CjzZkH57bh4w0I2F7IodpQvUAEd1mbWXg==",
+      "cpu": [
+        "arm64"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "@typescript-eslint/eslint-plugin": "8.46.1",
-        "@typescript-eslint/parser": "8.46.1",
-        "@typescript-eslint/typescript-estree": "8.46.1",
-        "@typescript-eslint/utils": "8.46.1"
-      },
+      "optional": true,
+      "os": [
+        "openharmony"
+      ],
       "engines": {
-        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/typescript-eslint"
-      },
-      "peerDependencies": {
-        "eslint": "^8.57.0 || ^9.0.0",
-        "typescript": ">=4.8.4 <6.0.0"
+        "node": ">=18"
       }
     },
-    "node_modules/undici-types": {
-      "version": "6.21.0",
-      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz",
-      "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==",
-      "license": "MIT"
-    },
-    "node_modules/unplugin": {
-      "version": "2.3.10",
-      "resolved": "https://registry.npmjs.org/unplugin/-/unplugin-2.3.10.tgz",
-      "integrity": "sha512-6NCPkv1ClwH+/BGE9QeoTIl09nuiAt0gS28nn1PvYXsGKRwM2TCbFA2QiilmehPDTXIe684k4rZI1yl3A1PCUw==",
+    "node_modules/vite/node_modules/@esbuild/sunos-x64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.4.tgz",
+      "integrity": "sha512-/gOzgaewZJfeJTlsWhvUEmUG4tWEY2Spp5M20INYRg2ZKl9QPO3QEEgPeRtLjEWSW8FilRNacPOg8R1uaYkA6g==",
+      "cpu": [
+        "x64"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "@jridgewell/remapping": "^2.3.5",
-        "acorn": "^8.15.0",
-        "picomatch": "^4.0.3",
-        "webpack-virtual-modules": "^0.6.2"
-      },
+      "optional": true,
+      "os": [
+        "sunos"
+      ],
       "engines": {
-        "node": ">=18.12.0"
+        "node": ">=18"
       }
     },
-    "node_modules/uri-js": {
-      "version": "4.4.1",
-      "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz",
-      "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==",
+    "node_modules/vite/node_modules/@esbuild/win32-arm64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.4.tgz",
+      "integrity": "sha512-Z9SExBg2y32smoDQdf1HRwHRt6vAHLXcxD2uGgO/v2jK7Y718Ix4ndsbNMU/+1Qiem9OiOdaqitioZwxivhXYg==",
+      "cpu": [
+        "arm64"
+      ],
       "dev": true,
-      "license": "BSD-2-Clause",
-      "dependencies": {
-        "punycode": "^2.1.0"
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
       }
     },
-    "node_modules/util-deprecate": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
-      "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==",
-      "license": "MIT"
-    },
-    "node_modules/v8-compile-cache-lib": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/v8-compile-cache-lib/-/v8-compile-cache-lib-3.0.1.tgz",
-      "integrity": "sha512-wa7YjyUGfNZngI/vtK0UHAN+lgDCxBPCylVXGp0zu59Fz5aiGtNXaq3DhIov063MorB+VfufLh3JlF2KdTK3xg==",
+    "node_modules/vite/node_modules/@esbuild/win32-ia32": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.4.tgz",
+      "integrity": "sha512-DAyGLS0Jz5G5iixEbMHi5KdiApqHBWMGzTtMiJ72ZOLhbu/bzxgAe8Ue8CTS3n3HbIUHQz/L51yMdGMeoxXNJw==",
+      "cpu": [
+        "ia32"
+      ],
       "dev": true,
-      "license": "MIT"
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
     },
-    "node_modules/vite": {
-      "version": "7.1.10",
-      "resolved": "https://registry.npmjs.org/vite/-/vite-7.1.10.tgz",
-      "integrity": "sha512-CmuvUBzVJ/e3HGxhg6cYk88NGgTnBoOo7ogtfJJ0fefUWAxN/WDSUa50o+oVBxuIhO8FoEZW0j2eW7sfjs5EtA==",
+    "node_modules/vite/node_modules/@esbuild/win32-x64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.4.tgz",
+      "integrity": "sha512-+knoa0BDoeXgkNvvV1vvbZX4+hizelrkwmGJBdT17t8FNPwG2lKemmuMZlmaNQ3ws3DKKCxpb4zRZEIp3UxFCg==",
+      "cpu": [
+        "x64"
+      ],
       "dev": true,
       "license": "MIT",
-      "peer": true,
-      "dependencies": {
-        "esbuild": "^0.25.0",
-        "fdir": "^6.5.0",
-        "picomatch": "^4.0.3",
-        "postcss": "^8.5.6",
-        "rollup": "^4.43.0",
-        "tinyglobby": "^0.2.15"
-      },
-      "bin": {
-        "vite": "bin/vite.js"
-      },
+      "optional": true,
+      "os": [
+        "win32"
+      ],
       "engines": {
-        "node": "^20.19.0 || >=22.12.0"
-      },
-      "funding": {
-        "url": "https://github.com/vitejs/vite?sponsor=1"
-      },
-      "optionalDependencies": {
-        "fsevents": "~2.3.3"
-      },
-      "peerDependencies": {
-        "@types/node": "^20.19.0 || >=22.12.0",
-        "jiti": ">=1.21.0",
-        "less": "^4.0.0",
-        "lightningcss": "^1.21.0",
-        "sass": "^1.70.0",
-        "sass-embedded": "^1.70.0",
-        "stylus": ">=0.54.8",
-        "sugarss": "^5.0.0",
-        "terser": "^5.16.0",
-        "tsx": "^4.8.1",
-        "yaml": "^2.4.2"
-      },
-      "peerDependenciesMeta": {
-        "@types/node": {
-          "optional": true
-        },
-        "jiti": {
-          "optional": true
-        },
-        "less": {
-          "optional": true
-        },
-        "lightningcss": {
-          "optional": true
-        },
-        "sass": {
-          "optional": true
-        },
-        "sass-embedded": {
-          "optional": true
-        },
-        "stylus": {
-          "optional": true
-        },
-        "sugarss": {
-          "optional": true
-        },
-        "terser": {
-          "optional": true
-        },
-        "tsx": {
-          "optional": true
-        },
-        "yaml": {
-          "optional": true
-        }
+        "node": ">=18"
       }
     },
-    "node_modules/vite-node": {
-      "version": "3.2.4",
-      "resolved": "https://registry.npmjs.org/vite-node/-/vite-node-3.2.4.tgz",
-      "integrity": "sha512-EbKSKh+bh1E1IFxeO0pg1n4dvoOTt0UDiXMd/qn++r98+jPO1xtJilvXldeuQ8giIB5IkpjCgMleHMNEsGH6pg==",
+    "node_modules/vite/node_modules/esbuild": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.4.tgz",
+      "integrity": "sha512-Rq4vbHnYkK5fws5NF7MYTU68FPRE1ajX7heQ/8QXXWqNgqqJ/GkmmyxIzUnf2Sr/bakf8l54716CcMGHYhMrrQ==",
       "dev": true,
+      "hasInstallScript": true,
       "license": "MIT",
-      "dependencies": {
-        "cac": "^6.7.14",
-        "debug": "^4.4.1",
-        "es-module-lexer": "^1.7.0",
-        "pathe": "^2.0.3",
-        "vite": "^5.0.0 || ^6.0.0 || ^7.0.0-0"
-      },
       "bin": {
-        "vite-node": "vite-node.mjs"
+        "esbuild": "bin/esbuild"
       },
       "engines": {
-        "node": "^18.0.0 || ^20.0.0 || >=22.0.0"
+        "node": ">=18"
       },
-      "funding": {
-        "url": "https://opencollective.com/vitest"
+      "optionalDependencies": {
+        "@esbuild/aix-ppc64": "0.27.4",
+        "@esbuild/android-arm": "0.27.4",
+        "@esbuild/android-arm64": "0.27.4",
+        "@esbuild/android-x64": "0.27.4",
+        "@esbuild/darwin-arm64": "0.27.4",
+        "@esbuild/darwin-x64": "0.27.4",
+        "@esbuild/freebsd-arm64": "0.27.4",
+        "@esbuild/freebsd-x64": "0.27.4",
+        "@esbuild/linux-arm": "0.27.4",
+        "@esbuild/linux-arm64": "0.27.4",
+        "@esbuild/linux-ia32": "0.27.4",
+        "@esbuild/linux-loong64": "0.27.4",
+        "@esbuild/linux-mips64el": "0.27.4",
+        "@esbuild/linux-ppc64": "0.27.4",
+        "@esbuild/linux-riscv64": "0.27.4",
+        "@esbuild/linux-s390x": "0.27.4",
+        "@esbuild/linux-x64": "0.27.4",
+        "@esbuild/netbsd-arm64": "0.27.4",
+        "@esbuild/netbsd-x64": "0.27.4",
+        "@esbuild/openbsd-arm64": "0.27.4",
+        "@esbuild/openbsd-x64": "0.27.4",
+        "@esbuild/openharmony-arm64": "0.27.4",
+        "@esbuild/sunos-x64": "0.27.4",
+        "@esbuild/win32-arm64": "0.27.4",
+        "@esbuild/win32-ia32": "0.27.4",
+        "@esbuild/win32-x64": "0.27.4"
       }
     },
     "node_modules/vitest": {
-      "version": "3.2.4",
-      "resolved": "https://registry.npmjs.org/vitest/-/vitest-3.2.4.tgz",
-      "integrity": "sha512-LUCP5ev3GURDysTWiP47wRRUpLKMOfPh+yKTx3kVIEiu5KOMeqzpnYNsKyOoVrULivR8tLcks4+lga33Whn90A==",
-      "dev": true,
-      "license": "MIT",
-      "peer": true,
-      "dependencies": {
-        "@types/chai": "^5.2.2",
-        "@vitest/expect": "3.2.4",
-        "@vitest/mocker": "3.2.4",
-        "@vitest/pretty-format": "^3.2.4",
-        "@vitest/runner": "3.2.4",
-        "@vitest/snapshot": "3.2.4",
-        "@vitest/spy": "3.2.4",
-        "@vitest/utils": "3.2.4",
-        "chai": "^5.2.0",
-        "debug": "^4.4.1",
-        "expect-type": "^1.2.1",
-        "magic-string": "^0.30.17",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/vitest/-/vitest-4.1.2.tgz",
+      "integrity": "sha512-xjR1dMTVHlFLh98JE3i/f/WePqJsah4A0FK9cc8Ehp9Udk0AZk6ccpIZhh1qJ/yxVWRZ+Q54ocnD8TXmkhspGg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/expect": "4.1.2",
+        "@vitest/mocker": "4.1.2",
+        "@vitest/pretty-format": "4.1.2",
+        "@vitest/runner": "4.1.2",
+        "@vitest/snapshot": "4.1.2",
+        "@vitest/spy": "4.1.2",
+        "@vitest/utils": "4.1.2",
+        "es-module-lexer": "^2.0.0",
+        "expect-type": "^1.3.0",
+        "magic-string": "^0.30.21",
+        "obug": "^2.1.1",
         "pathe": "^2.0.3",
-        "picomatch": "^4.0.2",
-        "std-env": "^3.9.0",
+        "picomatch": "^4.0.3",
+        "std-env": "^4.0.0-rc.1",
         "tinybench": "^2.9.0",
-        "tinyexec": "^0.3.2",
-        "tinyglobby": "^0.2.14",
-        "tinypool": "^1.1.1",
-        "tinyrainbow": "^2.0.0",
-        "vite": "^5.0.0 || ^6.0.0 || ^7.0.0-0",
-        "vite-node": "3.2.4",
+        "tinyexec": "^1.0.2",
+        "tinyglobby": "^0.2.15",
+        "tinyrainbow": "^3.1.0",
+        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0",
         "why-is-node-running": "^2.3.0"
       },
       "bin": {
         "vitest": "vitest.mjs"
       },
       "engines": {
-        "node": "^18.0.0 || ^20.0.0 || >=22.0.0"
+        "node": "^20.0.0 || ^22.0.0 || >=24.0.0"
       },
       "funding": {
         "url": "https://opencollective.com/vitest"
       },
       "peerDependencies": {
         "@edge-runtime/vm": "*",
-        "@types/debug": "^4.1.12",
-        "@types/node": "^18.0.0 || ^20.0.0 || >=22.0.0",
-        "@vitest/browser": "3.2.4",
-        "@vitest/ui": "3.2.4",
+        "@opentelemetry/api": "^1.9.0",
+        "@types/node": "^20.0.0 || ^22.0.0 || >=24.0.0",
+        "@vitest/browser-playwright": "4.1.2",
+        "@vitest/browser-preview": "4.1.2",
+        "@vitest/browser-webdriverio": "4.1.2",
+        "@vitest/ui": "4.1.2",
         "happy-dom": "*",
-        "jsdom": "*"
+        "jsdom": "*",
+        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0"
       },
       "peerDependenciesMeta": {
         "@edge-runtime/vm": {
           "optional": true
         },
-        "@types/debug": {
+        "@opentelemetry/api": {
           "optional": true
         },
         "@types/node": {
           "optional": true
         },
-        "@vitest/browser": {
+        "@vitest/browser-playwright": {
+          "optional": true
+        },
+        "@vitest/browser-preview": {
+          "optional": true
+        },
+        "@vitest/browser-webdriverio": {
           "optional": true
         },
         "@vitest/ui": {
@@ -5756,6 +7647,9 @@
         },
         "jsdom": {
           "optional": true
+        },
+        "vite": {
+          "optional": false
         }
       }
     },
@@ -5767,17 +7661,16 @@
       "license": "MIT"
     },
     "node_modules/vue": {
-      "version": "3.5.18",
-      "resolved": "https://registry.npmjs.org/vue/-/vue-3.5.18.tgz",
-      "integrity": "sha512-7W4Y4ZbMiQ3SEo+m9lnoNpV9xG7QVMLa+/0RFwwiAVkeYoyGXqWE85jabU4pllJNUzqfLShJ5YLptewhCWUgNA==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/vue/-/vue-3.5.31.tgz",
+      "integrity": "sha512-iV/sU9SzOlmA/0tygSmjkEN6Jbs3nPoIPFhCMLD2STrjgOU8DX7ZtzMhg4ahVwf5Rp9KoFzcXeB1ZrVbLBp5/Q==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
-        "@vue/compiler-dom": "3.5.18",
-        "@vue/compiler-sfc": "3.5.18",
-        "@vue/runtime-dom": "3.5.18",
-        "@vue/server-renderer": "3.5.18",
-        "@vue/shared": "3.5.18"
+        "@vue/compiler-dom": "3.5.31",
+        "@vue/compiler-sfc": "3.5.31",
+        "@vue/runtime-dom": "3.5.31",
+        "@vue/server-renderer": "3.5.31",
+        "@vue/shared": "3.5.31"
       },
       "peerDependencies": {
         "typescript": "*"
@@ -5789,16 +7682,17 @@
       }
     },
     "node_modules/vue-eslint-parser": {
-      "version": "10.2.0",
-      "resolved": "https://registry.npmjs.org/vue-eslint-parser/-/vue-eslint-parser-10.2.0.tgz",
-      "integrity": "sha512-CydUvFOQKD928UzZhTp4pr2vWz1L+H99t7Pkln2QSPdvmURT0MoC4wUccfCnuEaihNsu9aYYyk+bep8rlfkUXw==",
+      "version": "10.4.0",
+      "resolved": "https://registry.npmjs.org/vue-eslint-parser/-/vue-eslint-parser-10.4.0.tgz",
+      "integrity": "sha512-Vxi9pJdbN3ZnVGLODVtZ7y4Y2kzAAE2Cm0CZ3ZDRvydVYxZ6VrnBhLikBsRS+dpwj4Jv4UCv21PTEwF5rQ9WXg==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "debug": "^4.4.0",
-        "eslint-scope": "^8.2.0",
-        "eslint-visitor-keys": "^4.2.0",
-        "espree": "^10.3.0",
+        "eslint-scope": "^8.2.0 || ^9.0.0",
+        "eslint-visitor-keys": "^4.2.0 || ^5.0.0",
+        "espree": "^10.3.0 || ^11.0.0",
         "esquery": "^1.6.0",
         "semver": "^7.6.3"
       },
@@ -5809,31 +7703,32 @@
         "url": "https://github.com/sponsors/mysticatea"
       },
       "peerDependencies": {
-        "eslint": "^8.57.0 || ^9.0.0"
+        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0"
       }
     },
     "node_modules/vue-eslint-parser/node_modules/eslint-visitor-keys": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-4.2.1.tgz",
-      "integrity": "sha512-Uhdk5sfqcee/9H/rCOJikYz67o0a2Tw2hGRPOG2Y1R2dg7brRe1uG0yaNQDHu+TO/uQPF/5eCapvYSmHUjt7JQ==",
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-5.0.1.tgz",
+      "integrity": "sha512-tD40eHxA35h0PEIZNeIjkHoDR4YjjJp34biM0mDvplBe//mB+IHCqHDGV7pxF+7MklTvighcCPPZC7ynWyjdTA==",
       "dev": true,
       "license": "Apache-2.0",
+      "peer": true,
       "engines": {
-        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+        "node": "^20.19.0 || ^22.13.0 || >=24"
       },
       "funding": {
         "url": "https://opencollective.com/eslint"
       }
     },
     "node_modules/vue-i18n": {
-      "version": "11.1.12",
-      "resolved": "https://registry.npmjs.org/vue-i18n/-/vue-i18n-11.1.12.tgz",
-      "integrity": "sha512-BnstPj3KLHLrsqbVU2UOrPmr0+Mv11bsUZG0PyCOzsawCivk8W00GMXHeVUWIDOgNaScCuZah47CZFE+Wnl8mw==",
+      "version": "11.3.0",
+      "resolved": "https://registry.npmjs.org/vue-i18n/-/vue-i18n-11.3.0.tgz",
+      "integrity": "sha512-1J+xDfDJTLhDxElkd3+XUhT7FYSZd2b8pa7IRKGxhWH/8yt6PTvi3xmWhGwhYT5EaXdatui11pF2R6tL73/zPA==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
-        "@intlify/core-base": "11.1.12",
-        "@intlify/shared": "11.1.12",
+        "@intlify/core-base": "11.3.0",
+        "@intlify/devtools-types": "11.3.0",
+        "@intlify/shared": "11.3.0",
         "@vue/devtools-api": "^6.5.0"
       },
       "engines": {
@@ -5847,29 +7742,82 @@
       }
     },
     "node_modules/vue-router": {
-      "version": "4.6.3",
-      "resolved": "https://registry.npmjs.org/vue-router/-/vue-router-4.6.3.tgz",
-      "integrity": "sha512-ARBedLm9YlbvQomnmq91Os7ck6efydTSpRP3nuOKCvgJOHNrhRoJDSKtee8kcL1Vf7nz6U+PMBL+hTvR3bTVQg==",
-      "license": "MIT",
-      "dependencies": {
-        "@vue/devtools-api": "^6.6.4"
+      "version": "5.0.4",
+      "resolved": "https://registry.npmjs.org/vue-router/-/vue-router-5.0.4.tgz",
+      "integrity": "sha512-lCqDLCI2+fKVRl2OzXuzdSWmxXFLQRxQbmHugnRpTMyYiT+hNaycV0faqG5FBHDXoYrZ6MQcX87BvbY8mQ20Bg==",
+      "license": "MIT",
+      "dependencies": {
+        "@babel/generator": "^7.28.6",
+        "@vue-macros/common": "^3.1.1",
+        "@vue/devtools-api": "^8.0.6",
+        "ast-walker-scope": "^0.8.3",
+        "chokidar": "^5.0.0",
+        "json5": "^2.2.3",
+        "local-pkg": "^1.1.2",
+        "magic-string": "^0.30.21",
+        "mlly": "^1.8.0",
+        "muggle-string": "^0.4.1",
+        "pathe": "^2.0.3",
+        "picomatch": "^4.0.3",
+        "scule": "^1.3.0",
+        "tinyglobby": "^0.2.15",
+        "unplugin": "^3.0.0",
+        "unplugin-utils": "^0.3.1",
+        "yaml": "^2.8.2"
       },
       "funding": {
         "url": "https://github.com/sponsors/posva"
       },
       "peerDependencies": {
+        "@pinia/colada": ">=0.21.2",
+        "@vue/compiler-sfc": "^3.5.17",
+        "pinia": "^3.0.4",
         "vue": "^3.5.0"
+      },
+      "peerDependenciesMeta": {
+        "@pinia/colada": {
+          "optional": true
+        },
+        "@vue/compiler-sfc": {
+          "optional": true
+        },
+        "pinia": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/vue-router/node_modules/@vue/devtools-api": {
+      "version": "8.1.1",
+      "resolved": "https://registry.npmjs.org/@vue/devtools-api/-/devtools-api-8.1.1.tgz",
+      "integrity": "sha512-bsDMJ07b3GN1puVwJb/fyFnj/U2imyswK5UQVLZwVl7O05jDrt6BHxeG5XffmOOdasOj/bOmIjxJvGPxU7pcqw==",
+      "license": "MIT",
+      "dependencies": {
+        "@vue/devtools-kit": "^8.1.1"
+      }
+    },
+    "node_modules/vue-router/node_modules/unplugin": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/unplugin/-/unplugin-3.0.0.tgz",
+      "integrity": "sha512-0Mqk3AT2TZCXWKdcoaufeXNukv2mTrEZExeXlHIOZXdqYoHHr4n51pymnwV8x2BOVxwXbK2HLlI7usrqMpycdg==",
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/remapping": "^2.3.5",
+        "picomatch": "^4.0.3",
+        "webpack-virtual-modules": "^0.6.2"
+      },
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
       }
     },
     "node_modules/vue-tsc": {
-      "version": "3.1.1",
-      "resolved": "https://registry.npmjs.org/vue-tsc/-/vue-tsc-3.1.1.tgz",
-      "integrity": "sha512-fyixKxFniOVgn+L/4+g8zCG6dflLLt01Agz9jl3TO45Bgk87NZJRmJVPsiK+ouq3LB91jJCbOV+pDkzYTxbI7A==",
+      "version": "3.2.6",
+      "resolved": "https://registry.npmjs.org/vue-tsc/-/vue-tsc-3.2.6.tgz",
+      "integrity": "sha512-gYW/kWI0XrwGzd0PKc7tVB/qpdeAkIZLNZb10/InizkQjHjnT8weZ/vBarZoj4kHKbUTZT/bAVgoOr8x4NsQ/Q==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@volar/typescript": "2.4.23",
-        "@vue/language-core": "3.1.1"
+        "@volar/typescript": "2.4.28",
+        "@vue/language-core": "3.2.6"
       },
       "bin": {
         "vue-tsc": "bin/vue-tsc.js"
@@ -5882,7 +7830,6 @@
       "version": "0.6.2",
       "resolved": "https://registry.npmjs.org/webpack-virtual-modules/-/webpack-virtual-modules-0.6.2.tgz",
       "integrity": "sha512-66/V2i5hQanC51vBQKPH4aI8NMAcBW59FVBs+rC7eGHupMyfn34q7rZIE+ETlJ+XTevqfUhVVBgSUNSW2flEUQ==",
-      "dev": true,
       "license": "MIT"
     },
     "node_modules/whatwg-mimetype": {
@@ -5938,99 +7885,26 @@
         "node": ">=0.10.0"
       }
     },
-    "node_modules/wrap-ansi": {
-      "version": "8.1.0",
-      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-8.1.0.tgz",
-      "integrity": "sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "ansi-styles": "^6.1.0",
-        "string-width": "^5.0.1",
-        "strip-ansi": "^7.0.1"
-      },
-      "engines": {
-        "node": ">=12"
-      },
-      "funding": {
-        "url": "https://github.com/chalk/wrap-ansi?sponsor=1"
-      }
-    },
-    "node_modules/wrap-ansi-cjs": {
-      "name": "wrap-ansi",
-      "version": "7.0.0",
-      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz",
-      "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "ansi-styles": "^4.0.0",
-        "string-width": "^4.1.0",
-        "strip-ansi": "^6.0.0"
-      },
-      "engines": {
-        "node": ">=10"
-      },
-      "funding": {
-        "url": "https://github.com/chalk/wrap-ansi?sponsor=1"
-      }
-    },
-    "node_modules/wrap-ansi-cjs/node_modules/ansi-regex": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
-      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/wrap-ansi-cjs/node_modules/emoji-regex": {
-      "version": "8.0.0",
-      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
-      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
-      "dev": true,
-      "license": "MIT"
-    },
-    "node_modules/wrap-ansi-cjs/node_modules/string-width": {
-      "version": "4.2.3",
-      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
-      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
+    "node_modules/ws": {
+      "version": "8.20.0",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.0.tgz",
+      "integrity": "sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==",
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "emoji-regex": "^8.0.0",
-        "is-fullwidth-code-point": "^3.0.0",
-        "strip-ansi": "^6.0.1"
-      },
       "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/wrap-ansi-cjs/node_modules/strip-ansi": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
-      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "ansi-regex": "^5.0.1"
+        "node": ">=10.0.0"
       },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/wrap-ansi/node_modules/ansi-styles": {
-      "version": "6.2.1",
-      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.1.tgz",
-      "integrity": "sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=12"
+      "peerDependencies": {
+        "bufferutil": "^4.0.1",
+        "utf-8-validate": ">=5.0.2"
       },
-      "funding": {
-        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
+      "peerDependenciesMeta": {
+        "bufferutil": {
+          "optional": true
+        },
+        "utf-8-validate": {
+          "optional": true
+        }
       }
     },
     "node_modules/xml-name-validator": {
@@ -6043,33 +7917,25 @@
         "node": ">=12"
       }
     },
-    "node_modules/yallist": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/yallist/-/yallist-5.0.0.tgz",
-      "integrity": "sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==",
-      "dev": true,
-      "license": "BlueOak-1.0.0",
-      "engines": {
-        "node": ">=18"
-      }
-    },
     "node_modules/yaml": {
-      "version": "2.8.0",
-      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.0.tgz",
-      "integrity": "sha512-4lLa/EcQCB0cJkyts+FpIRx5G/llPxfP6VQU5KByHEhLxY3IJCH0f0Hy1MHI8sClTvsIb8qwRJ6R/ZdlDJ/leQ==",
-      "dev": true,
+      "version": "2.8.3",
+      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.3.tgz",
+      "integrity": "sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==",
       "license": "ISC",
       "bin": {
         "yaml": "bin.mjs"
       },
       "engines": {
         "node": ">= 14.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/eemeli"
       }
     },
     "node_modules/yaml-eslint-parser": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/yaml-eslint-parser/-/yaml-eslint-parser-1.3.0.tgz",
-      "integrity": "sha512-E/+VitOorXSLiAqtTd7Yqax0/pAS3xaYMP+AUUJGOK1OZG3rhcj9fcJOM5HJ2VrP1FrStVCWr1muTfQCdj4tAA==",
+      "version": "1.3.2",
+      "resolved": "https://registry.npmjs.org/yaml-eslint-parser/-/yaml-eslint-parser-1.3.2.tgz",
+      "integrity": "sha512-odxVsHAkZYYglR30aPYRY4nUGJnoJ2y1ww2HDvZALo0BDETv9kWbi16J52eHs+PWRNmF4ub6nZqfVOeesOvntg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
diff --git a/frontend/package.json b/frontend/package.json
index f26fbeeb4..a88737108 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,8 +1,8 @@
 {
   "type": "module",
-  "name": "cryptomator-hub",
+  "name": "katta",
   "version": "1.5.0",
-  "description": "Web-Frontend for Cryptomator Hub",
+  "description": "Web-Frontend for Katta",
   "author": "Skymatic GmbH",
   "license": "AGPL-3.0-or-later",
   "private": true,
@@ -22,46 +22,47 @@
     "test": "./test"
   },
   "devDependencies": {
-    "@intlify/devtools-types": "^11.1.12",
-    "@intlify/unplugin-vue-i18n": "^11.0.1",
-    "@tailwindcss/forms": "^0.5.10",
-    "@tailwindcss/vite": "^4.1.14",
+    "@eslint/js": "^10.0.1",
+    "@intlify/devtools-types": "^11.2.2",
+    "@intlify/unplugin-vue-i18n": "^11.0.7",
+    "@tailwindcss/forms": "^0.5.11",
+    "@tailwindcss/vite": "^4.2.2",
     "@types/blueimp-md5": "^2.18.2",
     "@types/file-saver": "^2.0.7",
-    "@types/node": "^22.18.11",
+    "@types/node": "^22.19.15",
     "@types/semver": "^7.7.1",
-    "@vitejs/plugin-vue": "^6.0.1",
-    "@vitest/coverage-v8": "^3.2.4",
+    "@vitejs/plugin-vue": "^6.0.5",
+    "@vitest/coverage-v8": "^4.1.2",
     "@vue/compiler-sfc": "^3.5.12",
-    "eslint": "^9.37.0",
-    "eslint-plugin-vue": "^10.5.1",
-    "happy-dom": "^20.0.4",
+    "eslint": "^10.1.0",
+    "eslint-plugin-vue": "^10.8.0",
+    "happy-dom": "^20.8.9",
     "tailwindcss": "^4.1.11",
     "ts-node": "^10.9.2",
-    "typescript": "^5.8.3",
-    "typescript-eslint": "^8.46.1",
-    "vite": "^7.1.10",
-    "vitest": "^3.2.4",
-    "vue-tsc": "^3.1.1"
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.58.0",
+    "vite": "^7.3.1",
+    "vitest": "^4.0.15",
+    "vue-tsc": "^3.2.6"
   },
   "dependencies": {
+    "@aws-sdk/client-s3": "^3.454.0",
+    "@aws-sdk/client-sts": "^3.421.0",
     "@headlessui/tailwindcss": "^0.2.2",
     "@headlessui/vue": "^1.7.23",
     "@heroicons/vue": "^2.2.0",
-    "axios": "^1.12.2",
+    "@noble/ciphers": "^2.1.1",
+    "@scure/base": "^2.0.0",
+    "axios": "^1.14.0",
     "file-saver": "^2.0.5",
     "jdenticon": "^3.3.0",
     "jszip": "^3.10.1",
-    "keycloak-js": "^26.2.1",
-    "miscreant": "^0.3.2",
-    "remeda": "^2.32.0",
-    "rfc4648": "^1.5.4",
-    "semver": "^7.7.3",
-    "vue": "^3.5.17",
-    "vue-i18n": "^11.1.12",
-    "vue-router": "^4.6.3"
-  },
-  "optionalDependencies": {
-    "@rollup/rollup-linux-x64-gnu": "4.46.2"
+    "keycloak-js": "^26.2.3",
+    "remeda": "^2.33.7",
+    "semver": "^7.7.4",
+    "shamir-secret-sharing": "^0.0.4",
+    "vue": "^3.5.25",
+    "vue-i18n": "^11.3.0",
+    "vue-router": "^5.0.4"
   }
 }
diff --git a/frontend/public/bg-paper.png b/frontend/public/bg-paper.png
new file mode 100644
index 000000000..fdd2e8431
Binary files /dev/null and b/frontend/public/bg-paper.png differ
diff --git a/frontend/public/favicon.ico b/frontend/public/favicon.ico
index ee4c3c90e..98358173d 100644
Binary files a/frontend/public/favicon.ico and b/frontend/public/favicon.ico differ
diff --git a/frontend/public/logo.png b/frontend/public/logo.png
new file mode 100644
index 000000000..7f3804c81
Binary files /dev/null and b/frontend/public/logo.png differ
diff --git a/frontend/public/logo.svg b/frontend/public/logo.svg
deleted file mode 100644
index 53e7c879a..000000000
--- a/frontend/public/logo.svg
+++ /dev/null
@@ -1 +0,0 @@
-<svg width="1110" height="942" viewBox="0 0 1108.12 940.2" preserveAspectRatio="xMidYMid meet" xmlns="http://www.w3.org/2000/svg"><path d="m552.69 0c-169.1 0-262.45 143.46-262.45 283.52h524.9c0-140.06-105.33-283.52-262.45-283.52z" fill="#cfcfcf"/><path d="m552.69 53.2c-137.37 0-213.21 116.54-213.21 230.32l213.21 24.18 213.21-24.18c0-113.78-85.57-230.32-213.21-230.32z" fill="#585e62"/><path d="m89.8 739.52a20 20 0 0 1 -2.23-39.88 42.8 42.8 0 1 0 -42.22-21.82 20 20 0 0 1 -35 19.31 82.79 82.79 0 1 1 81.76 42.26 21.78 21.78 0 0 1 -2.31.13z" fill="#585e62"/><rect fill="#cfcfcf" height="144.19" rx="49.42" transform="matrix(.8902923 .45538953 -.45538953 .8902923 261.57 -5.69)" width="104.68" x="90.27" y="467.98"/><path d="m149.47 401.27h62.8a0 0 0 0 1 0 0v94.55a31.4 31.4 0 0 1 -31.4 31.4 31.4 31.4 0 0 1 -31.4-31.4v-94.55a0 0 0 0 1 0 0z" fill="#585e62" transform="matrix(.8902923 .45538953 -.45538953 .8902923 231.23 -31.44)"/><circle cx="222.59" cy="387.53" fill="#cfcfcf" r="75.05"/><path d="m258.09 321.8a75.09 75.09 0 0 0 -91.23 14.64 75.06 75.06 0 0 1 51.58 126.06 75.06 75.06 0 0 0 39.65-140.7z" fill="#b1b1b1"/><path d="m1018.31 739.52a22.09 22.09 0 0 1 -2.28-.13 82.8 82.8 0 1 1 81.77-42.26 20 20 0 1 1 -35-19.31 42.8 42.8 0 1 0 -42.23 21.82 20 20 0 0 1 -2.23 39.88z" fill="#585e62"/><rect fill="#cfcfcf" height="144.19" rx="49.42" transform="matrix(-.8902923 .45538953 -.45538953 -.8902923 2071.05 581.27)" width="104.68" x="913.18" y="467.98"/><path d="m927.25 401.27a31.4 31.4 0 0 1 31.4 31.4v94.55a0 0 0 0 1 0 0h-62.8a0 0 0 0 1 0 0v-94.55a31.4 31.4 0 0 1 31.4-31.4z" fill="#585e62" transform="matrix(-.8902923 .45538953 -.45538953 -.8902923 1964.18 455.35)"/><circle cx="885.53" cy="387.53" fill="#cfcfcf" r="75.05"/><path d="m850 321.8a75.08 75.08 0 0 1 91.22 14.64 75.06 75.06 0 0 0 -51.54 126.06 75.05 75.05 0 0 1 -39.68-140.7z" fill="#b1b1b1"/><path d="m248.78 940.2c-36.67 0-67-39.85-75.51-99.15-4.56-31.83-2.26-65.19 6.48-94 9.41-31 25.51-53.59 45.32-63.72a51.72 51.72 0 0 1 23.69-5.84h103.52v262.71z" fill="#585e62"/><path d="m351.43 940.2c-21.26 0-38.85-39.85-43.78-99.15-2.64-31.83-1.31-65.19 3.76-94 5.45-31 14.78-53.59 26.27-63.72 4.39-3.87 9-5.84 13.73-5.84s9.34 2 13.75 5.8l49.7 43.83c17.37 15.32 23.39 64 20.23 102-2.43 29.28-10 52.18-20.19 61.28l-49.69 43.82c-4.44 3.99-9.08 5.98-13.78 5.98z" fill="#585e62"/><path d="m360.57 699 49.65 43.79c11.18 9.9 17.78 47.45 14.78 83.91-2 24.27-7.83 41.95-14.77 48.13l-49.65 43.79c-18.58 16.38-37.79-19.43-42.83-80.07s6-123.1 24.58-139.51c6.15-5.42 12.5-5.04 18.24-.04z" fill="#35393b"/><path d="m850.73 940.2c36.66 0 67-39.85 75.51-99.15 4.56-31.83 2.26-65.19-6.48-94-9.41-31-25.51-53.59-45.32-63.72a51.72 51.72 0 0 0 -23.69-5.84h-103.53v262.71z" fill="#585e62"/><path d="m748.08 940.2c21.26 0 38.85-39.85 43.78-99.15 2.64-31.83 1.31-65.19-3.76-94-5.45-31-14.79-53.59-26.27-63.72-4.4-3.87-9-5.84-13.73-5.84s-9.34 2-13.76 5.8l-49.69 43.83c-17.38 15.32-23.39 64-20.23 102 2.43 29.28 10 52.18 20.19 61.28l49.68 43.82c4.45 3.99 9.09 5.98 13.79 5.98z" fill="#585e62"/><path d="m738.94 699-49.65 43.79c-11.19 9.86-17.8 47.41-14.77 83.87 2 24.27 7.83 41.95 14.77 48.13l49.65 43.79c18.61 16.41 37.78-19.43 42.82-80.07s-6-123.1-24.58-139.51c-6.18-5.38-12.5-5-18.24 0z" fill="#35393b"/><path d="m848.63 451.38a83.62 83.62 0 0 1 -.56-45.6c14.74-53.13 5.06-111.78 5.06-111.78-185.07-57.77-300.13-.48-300.13-.48s-114.79-57.64-300-.45c0 0-9.86 58.64 4.72 111.83a83.69 83.69 0 0 1 -.69 45.59c-5.14 17.57-10.72 44.5-10.77 78.8-.37 249 306 326.08 306 326.08s306.58-76.15 306.95-325.16c0-34.3-5.49-61.21-10.58-78.83z" fill="#cfcfcf"/><path d="m552.34 808.87c-50.72-15.87-261.7-93.25-261.42-279.51 0-29.65 4.89-52.42 9-66.31a128.3 128.3 0 0 0 .91-70c-6.2-22.58-6.9-47.13-6.17-65.29 40.48-10.23 80.2-15.37 118.41-15.32 75.66.12 119.86 21 120.3 21.17l20.39 10.23 19.24-10.32c.11 0 44.36-20.75 120-20.64 38.21.06 77.91 5.32 118.37 15.68.67 18.14-.1 42.71-6.37 65.27a128.33 128.33 0 0 0 .69 70c4 13.91 8.82 36.69 8.77 66.35-.28 187.06-211.26 263.09-262.12 278.69z" fill="#49b04a"/><path d="m610.15 478.76a57.46 57.46 0 1 0 -70.15 55.92l-32.29 135.47 44.67 12.85 44.71-12.71-31.84-135.57a57.46 57.46 0 0 0 44.9-55.96z" fill="#35393b"/><g fill="#49b04a"><path d="m454.94 131.08a60.64 60.64 0 0 0 -60.64 60.64h121.28a60.64 60.64 0 0 0 -60.64-60.64z"/><path d="m642.38 131.08a60.64 60.64 0 0 0 -60.64 60.64h121.26a60.64 60.64 0 0 0 -60.62-60.64z"/><circle cx="483.23" cy="229.43" r="11.52"/><circle cx="528.52" cy="229.43" r="11.52"/><circle cx="573.8" cy="229.43" r="11.52"/><circle cx="619.09" cy="229.43" r="11.52"/></g></svg>
\ No newline at end of file
diff --git a/frontend/src/common/auditlog.ts b/frontend/src/common/auditlog.ts
index deeafd256..a90736d21 100644
--- a/frontend/src/common/auditlog.ts
+++ b/frontend/src/common/auditlog.ts
@@ -114,14 +114,62 @@ export type AuditEventVaultOwnershipClaimDto = AuditEventDtoBase & {
   vaultId: string;
 }
 
-export type AuditEventDto = AuditEventDeviceRegisterDto | AuditEventDeviceRemoveDto | AuditEventSettingWotUpdateDto | AuditEventSignedWotIdDto | AuditEventUserAccountResetDto | AuditEventUserKeysChangeDto | AuditEventUserSetupCodeChangeDto | AuditEventVaultCreateDto | AuditEventVaultUpdateDto | AuditEventVaultAccessGrantDto | AuditEventVaultKeyRetrieveDto | AuditEventVaultMemberAddDto | AuditEventVaultMemberRemoveDto | AuditEventVaultMemberUpdateDto | AuditEventVaultOwnershipClaimDto;
+export type AuditEventEmergencyAccessSetupDto = AuditEventDtoBase & {
+  type: 'EMERGENCY_ACCESS_SETUP',
+  vaultId: string;
+  ownerId: string;
+  settings: string; // contains stringified JSON
+  ipAddress: string;
+}
+
+export type AuditEventEmergencyAccessSettingsChangedDto = AuditEventDtoBase & {
+  type: 'EMERGENCY_ACCESS_SETTINGS_UPDATED',
+  adminId: string;
+  enableEmergencyAccess: boolean;
+  councilMemberIds: string;
+  requiredKeyShares: number;
+  minMembers: number;
+  allowChoosingCouncil: boolean;
+}
+
+export type AuditEventEmergencyAccessRecoveryStartedDto = AuditEventDtoBase & {
+  type: 'EMERGENCY_ACCESS_RECOVERY_STARTED',
+  vaultId: string;
+  processId: string;
+  councilMemberId: string;
+  recoveryType: string;
+  details: string;
+}
+
+export type AuditEventEmergencyAccessRecoveryApprovedDto = AuditEventDtoBase & {
+  type: 'EMERGENCY_ACCESS_RECOVERY_APPROVED',
+  processId: string;
+  councilMemberId: string;
+  ipAddress: string;
+}
+
+export type AuditEventEmergencyAccessRecoveryCompletedDto = AuditEventDtoBase & {
+  type: 'EMERGENCY_ACCESS_RECOVERY_COMPLETED',
+  processId: string;
+  councilMemberId: string;
+  ipAddress: string;
+}
+
+export type AuditEventEmergencyAccessRecoveryAbortedDto = AuditEventDtoBase & {
+  type: 'EMERGENCY_ACCESS_RECOVERY_ABORTED';
+  processId: string;
+  councilMemberId: string;
+  ipAddress: string;
+}
+
+export type AuditEventDto = AuditEventDeviceRegisterDto | AuditEventDeviceRemoveDto | AuditEventSettingWotUpdateDto | AuditEventSignedWotIdDto | AuditEventUserAccountResetDto | AuditEventUserKeysChangeDto | AuditEventUserSetupCodeChangeDto | AuditEventVaultCreateDto | AuditEventVaultUpdateDto | AuditEventVaultAccessGrantDto | AuditEventVaultKeyRetrieveDto | AuditEventVaultMemberAddDto | AuditEventVaultMemberRemoveDto | AuditEventVaultMemberUpdateDto | AuditEventVaultOwnershipClaimDto | AuditEventEmergencyAccessSetupDto | AuditEventEmergencyAccessSettingsChangedDto | AuditEventEmergencyAccessRecoveryStartedDto | AuditEventEmergencyAccessRecoveryApprovedDto | AuditEventEmergencyAccessRecoveryCompletedDto | AuditEventEmergencyAccessRecoveryAbortedDto;
 
 /* Entity Cache */
 
 export class AuditLogEntityCache {
-  private vaults: Map<string, Deferred<VaultDto>>;
-  private authorities: Map<string, Deferred<AuthorityDto>>;
-  private devices: Map<string, Deferred<DeviceDto>>;
+  private readonly vaults: Map<string, Deferred<VaultDto>>;
+  private readonly authorities: Map<string, Deferred<AuthorityDto>>;
+  private readonly devices: Map<string, Deferred<DeviceDto>>;
 
   constructor() {
     this.vaults = new Map();
@@ -153,9 +201,9 @@ export class AuditLogEntityCache {
     }
   }
 
-  private debouncedResolvePendingVaults = debounce(async () => await this.resolvePendingEntities<VaultDto>(this.vaults, backend.vaults.listSome), 100);
-  private debouncedResolvePendingAuthorities = debounce(async () => await this.resolvePendingEntities<AuthorityDto>(this.authorities, backend.authorities.listSome), 100);
-  private debouncedResolvePendingDevices = debounce(async () => {
+  private readonly debouncedResolvePendingVaults = debounce(async () => await this.resolvePendingEntities<VaultDto>(this.vaults, backend.vaults.listSome), 100);
+  private readonly debouncedResolvePendingAuthorities = debounce(async () => await this.resolvePendingEntities<AuthorityDto>(this.authorities, backend.authorities.listSome), 100);
+  private readonly debouncedResolvePendingDevices = debounce(async () => {
     await this.resolvePendingEntities<DeviceDto>(
       this.devices,
       (deviceIds: string[]) =>
diff --git a/frontend/src/common/backend.ts b/frontend/src/common/backend.ts
index 3c676b9d9..93fafb1c7 100644
--- a/frontend/src/common/backend.ts
+++ b/frontend/src/common/backend.ts
@@ -1,6 +1,6 @@
-import AxiosStatic, { AxiosHeaders, AxiosRequestConfig, AxiosResponse } from 'axios';
+import { base64 } from '@scure/base';
+import AxiosStatic, { AxiosError, AxiosHeaders, AxiosRequestConfig, AxiosResponse } from 'axios';
 import { JdenticonConfig, toSvg } from 'jdenticon';
-import { base64 } from 'rfc4648';
 import authPromise from './auth';
 import { backendBaseURL } from './config';
 import { JWTHeader } from './jwt';
@@ -34,14 +34,22 @@ axiosAuth.interceptors.request.use(async request => {
   }
 });
 
+export function isAxiosError(error: unknown): error is AxiosError {
+  return AxiosStatic.isAxiosError(error);
+}
+
 // #region DTOs
 
 export type VaultDto = {
   id: string;
   name: string;
+  creationTime: Date;
   description?: string;
   archived: boolean;
-  creationTime: Date;
+  requiredEmergencyKeyShares: number;
+  emergencyKeyShares: Record<string, string>; // <memberId, encryptedKeyShare>
+
+  // Legacy properties ("Vault Admin Password"):
   masterkey?: string;
   iterations?: number;
   salt?: string;
@@ -65,6 +73,12 @@ export type DeviceDto = {
 
 export type VaultRole = 'MEMBER' | 'OWNER';
 
+export type RealmRole = 'user' | 'admin' | 'create-vaults';
+export type SelectableRealmRole = Exclude<RealmRole, 'user'>;
+export function isSelectableRealmRole(role: RealmRole): role is SelectableRealmRole {
+  return role !== 'user';
+}
+
 export type AccessGrant = {
   userId: string,
   token: string
@@ -75,28 +89,57 @@ export type UserDto = {
   id: string;
   name: string;
   pictureUrl?: string;
-  email: string;
+  email?: string;
+  firstName?: string;
+  lastName?: string;
+  realmRoles: RealmRole[];
+  enabled: boolean;
   language?: string;
   devices: DeviceDto[];
-  accessibleVaults: VaultDto[];
+  accessibleVaults: VaultDtoWithRole[];
   ecdhPublicKey?: string;
   ecdsaPublicKey?: string;
   privateKeys?: string;
   setupCode?: string;
 }
 
+export type UserDtoWithCounts = UserDto & {
+  groupsCount?: number;
+  devicesCount?: number;
+  accessibleVaultCount?: number;
+}
+
+export type UserDtoWithDetails = UserDto & {
+  groups: GroupDto[];
+  devices: DeviceDto[];
+  legacyDevices: DeviceDto[];
+}
+
+/**
+ * Represents a user who generated key pairs during the setup process.
+ */
+export type ActivatedUser = UserDto & {
+  ecdhPublicKey: string;
+  ecdsaPublicKey: string;
+}
+
+export function didCompleteSetup(user: UserDto): user is ActivatedUser {
+  return user.ecdhPublicKey !== undefined && user.ecdsaPublicKey !== undefined;
+}
+
 export type GroupDto = {
   type: 'GROUP';
   id: string;
   name: string;
   pictureUrl?: string;
   memberSize?: number;
+  vaultCount?: number;
 }
 
 export type AuthorityDto = UserDto | GroupDto;
 
 export type MemberDto = AuthorityDto & {
-  role: VaultRole
+  vaultRole: VaultRole
 }
 
 export type TrustDto = {
@@ -104,15 +147,36 @@ export type TrustDto = {
   signatureChain: string[]
 }
 
+export type CreateUserDto = Pick<UserDto, 'name' | 'email' | 'firstName' | 'lastName' | 'pictureUrl' | 'realmRoles'> & {
+  password: string;
+};
+
+export type UpdateUserDto = Pick<UserDto, 'email' | 'firstName' | 'lastName' | 'pictureUrl' | 'realmRoles'> & {
+  password?: string;
+};
+
+export type CreateGroupDto = Pick<GroupDto, 'name' | 'pictureUrl'>;
+
+export type UpdateGroupDto = CreateGroupDto;
+
+export type VaultDtoWithRole = VaultDto & {
+  role: VaultRole;
+}
+
+export type GroupDtoWithDetails = GroupDto & {
+  members: AuthorityDto[];
+  vaults: VaultDtoWithRole[];
+}
+
 export type BillingDto = {
   hubId: string;
-  hasLicense: boolean;
   email: string;
   licensedSeats: number;
   usedSeats: number;
   issuedAt: Date;
   expiresAt: Date;
   managedInstance: boolean;
+  licenseKey: string;
 }
 
 export type VersionDto = {
@@ -123,7 +187,45 @@ export type VersionDto = {
 export type SettingsDto = {
   hubId: string,
   wotMaxDepth: number,
-  wotIdVerifyLen: number
+  wotIdVerifyLen: number,
+  defaultRequiredEmergencyKeyShares: number,
+  defaultMinMembers: number,
+  allowChoosingEmergencyCouncil: boolean,
+  emergencyCouncilMemberIds: string[],
+  enableEmergencyAccess: boolean
+}
+
+export type RecoveryProcessSetNewOwner = {
+  type: 'CHANGE_PERMISSIONS',
+  details: {
+    newOwnerIds: string[];
+    newMemberIds: string[];
+  }
+}
+
+export type RecoveryProcessChangeCouncil = {
+  type: 'COUNCIL_CHANGE',
+  details: {
+    newCouncilMemberIds: string[];
+    newRequiredKeyShares: number;
+  }
+}
+
+export type RecoveredKeyShareDto = {
+  processPrivateKey: string;
+  unrecoveredKeyShare: string;
+  recoveredKeyShare?: string;
+  signedProcessInfo?: string;
+};
+
+export type RecoveryProcessDto = (RecoveryProcessSetNewOwner | RecoveryProcessChangeCouncil) & {
+  id: string;
+  vaultId: string;
+  requiredKeyShares: number;
+  processPublicKey: string;
+  recoveredKeyShares: {
+    [councilMemberId: string]: RecoveredKeyShareDto
+  }
 }
 
 export class LicenseUserInfoDto {
@@ -139,14 +241,130 @@ export class LicenseUserInfoDto {
   }
 
   public isExceeded(): boolean {
-    return this.usedSeats > this.licensedSeats;
+    return this.licensedSeats == 0 || this.usedSeats > this.licensedSeats;
   }
 }
+// / start katta extension
+export type StorageDto = {
+    vaultId: string;
+    storageConfigId: string;
+    vaultUvf: string;
+    dirUvf: string;
+    rootDirHash: string;
+    awsAccessKey: string;
+    awsSecretKey: string;
+    sessionToken: string;
+    region: string;
+}
+
+export type ConfigDto = {
+    keycloakUrl: string;
+    keycloakRealm: string;
+    keycloakClientIdHub: string;
+    keycloakClientIdCryptomator: string;
+    keycloakAuthEndpoint: string;
+    keycloakTokenEndpoint: string;
+    serverTime: string;
+    apiLevel: number;
+    uuid: string;
+}
+
+export type StorageProfileDto = {
+    id: string;
+    name: string;
+    protocol: string;
+    bucketPrefix: string;
+    stsRoleCreateBucketClient: string;
+    stsRoleCreateBucketHub: string;
+    stsEndpoint: string;
+    bucketVersioning: string;
+    bucketAcceleration: string;
+    bucketEncryption: string;
+    region: string;
+    regions: string[];
+    withPathStyleAccessEnabled: boolean;
+    storageClass: string;
+    scheme: string;
+    hostname: string;
+    port: number;
+    stsRoleAccessBucketAssumeRoleWithWebIdentity: string;
+    stsRoleAccessBucketAssumeRoleTaggedSession: string;
+    stsDurationSeconds: number;
+    stsSessionTag: string;
+    archived: boolean;
+}
+
+export type VaultMetadataJWEBackendDto = {
+    provider: string;
+
+    defaultPath: string;
+    nickname: string;
+
+    region: string;
+
+    username?: string;
+    password?: string;
+}
+// \ end katta extension
+
+/* Services */
 
 export interface VaultIdHeader extends JWTHeader {
   vaultId: string;
 }
 
+function fillInMissingPicture<T extends AuthorityDto>(authority: T): T & { pictureUrl: string } {
+  if (authority.pictureUrl) {
+    return {
+      ...authority,
+      pictureUrl: authority.pictureUrl
+    };
+  } else {
+    return {
+      ...authority,
+      pictureUrl: generateFallbackPictureUrl(authority.type, authority.id)
+    };
+  }
+}
+
+export function generateFallbackPictureUrl(type: 'USER' | 'GROUP', authorityId: string): string {
+  const cfg = getJdenticonConfig(type);
+  const svg = toSvg(authorityId, 100, cfg);
+  const bytes = UTF8.encode(svg);
+  return `data:image/svg+xml;base64,${base64.encode(bytes)}`;
+}
+
+function getJdenticonConfig(type: 'USER' | 'GROUP'): JdenticonConfig {
+  switch (type) {
+    case 'USER':
+      return {
+        hues: [6, 28, 48, 121, 283],
+        saturation: {
+          color: 0.59,
+        },
+        lightness: {
+          color: [0.32, 0.49],
+          grayscale: [0.32, 0.49]
+        },
+        backColor: '#F7F7F7',
+        padding: 0
+      };
+    case 'GROUP':
+      return {
+        hues: [6, 28, 48, 121, 283],
+        saturation: {
+          color: 0.59
+        },
+        lightness: {
+          color: [0.81, 0.97],
+          grayscale: [0.81, 0.97]
+        },
+        backColor: '#005E71',
+        padding: 0
+      };
+  }
+}
+
 // #endregion DTOs
 // #region Services
 
@@ -156,9 +374,19 @@ class VaultService {
     return axiosAuth.get('/vaults/accessible', { params: queryParams }).then(response => response.data);
   }
 
-  public async listSome(vaultsIds: string[]): Promise<VaultDto[]> {
-    const query = `ids=${vaultsIds.join('&ids=')}`;
-    return axiosAuth.get(`/vaults/some?${query}`).then(response => response.data);
+  public async listRecoverable(): Promise<VaultDto[]> {
+    return axiosAuth.get('/vaults/recoverable').then(response => response.data);
+  }
+
+  public async listSome(vaultIds: string[]): Promise<VaultDto[]> {
+    return axiosAuth.get('/vaults/some', {
+      params: {
+        ids: vaultIds
+      },
+      paramsSerializer: {
+        indexes: null, // disable array indices in query params (e.g. ids[0]=...&ids[1]=...)
+      }
+    }).then(response => response.data);
   }
 
   public async listAll(): Promise<VaultDto[]> {
@@ -175,28 +403,51 @@ class VaultService {
       .catch((error) => rethrowAndConvertIfExpected(error, 404));
   }
 
-  public async getMembers(vaultId: string): Promise<MemberDto[]> {
-    return axiosAuth.get<MemberDto[]>(`/vaults/${vaultId}/members`).then(response => response.data.map(AuthorityService.fillInMissingPicture)).catch(err => rethrowAndConvertIfExpected(err, 403));
+  public async getMembers(vaultId: string, addFallbackPictures: boolean = true): Promise<MemberDto[]> {
+    const members = await axiosAuth.get<MemberDto[]>(`/vaults/${vaultId}/members`).then(response => response.data).catch(err => rethrowAndConvertIfExpected(err, 403));
+    return addFallbackPictures ? members.map(fillInMissingPicture) : members;
+  }
+
+  public async setMembersWithRole(vaultId: string, members: Record<string, VaultRole>): Promise<void> {
+    await axiosAuth.put(`/vaults/${vaultId}/members`, members)
+      .catch((error) => rethrowAndConvertIfExpected(error, 403, 404));
   }
 
   public async addUser(vaultId: string, userId: string, role?: VaultRole): Promise<AxiosResponse<void>> {
-    return axiosAuth.put(`/vaults/${vaultId}/users/${userId}` + (role ? `?role=${role}` : ''))
+    const queryParams = role ? { role: role } : {};
+    return axiosAuth.put(`/vaults/${vaultId}/users/${userId}`, null, { params: queryParams })
       .catch((error) => rethrowAndConvertIfExpected(error, 402, 404, 409));
   }
 
   public async addGroup(vaultId: string, groupId: string, role?: VaultRole): Promise<AxiosResponse<void>> {
-    return axiosAuth.put(`/vaults/${vaultId}/groups/${groupId}` + (role ? `?role=${role}` : ''))
+    const queryParams = role ? { role: role } : {};
+    return axiosAuth.put(`/vaults/${vaultId}/groups/${groupId}`, null, { params: queryParams })
       .catch((error) => rethrowAndConvertIfExpected(error, 402, 404, 409));
   }
 
-  public async getUsersRequiringAccessGrant(vaultId: string): Promise<(MemberDto & UserDto)[]> {
-    return axiosAuth.get<(MemberDto & UserDto)[]>(`/vaults/${vaultId}/users-requiring-access-grant`)
-      .then(response => response.data.map(AuthorityService.fillInMissingPicture))
-      .catch(err => rethrowAndConvertIfExpected(err, 403));
+  public async getUsersRequiringAccessGrant(vaultId: string, addFallbackPictures: boolean = true): Promise<(MemberDto & UserDto)[]> {
+    const users = await axiosAuth.get<(MemberDto & UserDto)[]>(`/vaults/${vaultId}/users-requiring-access-grant`).then(response => response.data).catch(err => rethrowAndConvertIfExpected(err, 403));
+    return addFallbackPictures ? users.map(fillInMissingPicture) : users;
   }
 
-  public async createOrUpdateVault(vault: VaultDto): Promise<VaultDto> {
-    return axiosAuth.put(`/vaults/${vault.id}`, vault)
+  public async setArchived(vaultId: string, archived: boolean): Promise<VaultDto> {
+    return axiosAuth.put<VaultDto>(`/vaults/${vaultId}/archived`, String(archived), { headers: { 'Content-Type': 'text/plain' } })
+      .then(response => {
+        response.data.creationTime = new Date(response.data.creationTime);
+        return response.data;
+      })
+      .catch((error) => rethrowAndConvertIfExpected(error, 403, 404));
+  }
+
+  public async createOrUpdateVault(vault: VaultDto
+    // / start katta extension
+    , aws: boolean | null = null
+    , minio: boolean | null = null
+    // \ end katta extension
+    ): Promise<VaultDto> {
+    // / start katta modification
+    return axiosAuth.put(`/vaults/${vault.id}?aws=${aws}&minio=${minio}` , vault)
+    // \ end katta modification
       .then(response => response.data)
       .catch((error) => rethrowAndConvertIfExpected(error, 402, 404));
   }
@@ -241,8 +492,19 @@ class DeviceService {
 
   /** @deprecated since version 1.3.0, to be removed in https://github.com/cryptomator/hub/issues/333 */
   public async listSomeLegacyDevices(deviceIds: string[]): Promise<DeviceDto[]> {
-    const query = `ids=${deviceIds.join('&ids=')}`;
-    return axiosAuth.get<DeviceDto[]>(`/devices/legacy-devices?${query}`).then(response => response.data);
+    return axiosAuth.get<DeviceDto[]>('/devices/legacy-devices', {
+      params: {
+        ids: deviceIds
+      },
+      paramsSerializer: {
+        indexes: null, // disable array indices in query params (e.g. ids[0]=...&ids[1]=...)
+      }
+    }).then(response => response.data);
+  }
+
+  /** @deprecated since version 1.3.0, to be removed in https://github.com/cryptomator/hub/issues/333 */
+  public async hasLegacyDevices(): Promise<boolean> {
+    return axiosAuth.get<boolean>('/devices/has-legacy-devices').then(response => response.data);
   }
 
   public async removeDevice(deviceId: string): Promise<AxiosResponse<unknown>> {
@@ -261,26 +523,113 @@ class DeviceService {
   }
 }
 
+class GroupService {
+  public async listAll(addFallbackPictures: boolean = true): Promise<GroupDto[]> {
+    const groups = await axiosAuth.get<GroupDto[]>('/groups/').then(response => response.data);
+    return addFallbackPictures ? groups.map(fillInMissingPicture) : groups;
+  }
+
+  public async getGroup(groupId: string, addFallbackPictures: boolean = true): Promise<GroupDtoWithDetails> {
+    const group = await axiosAuth.get<GroupDtoWithDetails>(`/groups/${groupId}`).then(response => response.data).catch((error) => rethrowAndConvertIfExpected(error, 404));
+    if (addFallbackPictures) {
+      return {
+        ...fillInMissingPicture(group),
+        members: group.members.map(m => fillInMissingPicture(m))
+      };
+    } else {
+      return group;
+    }
+  }
+
+  public async createGroup(dto: CreateGroupDto, addFallbackPictures: boolean = true): Promise<GroupDto> {
+    const group = await axiosAuth.post<GroupDto>('/groups/', dto).then(response => response.data);
+    return addFallbackPictures ? fillInMissingPicture(group) : group;
+  }
+
+  public async updateGroup(groupId: string, dto: UpdateGroupDto, addFallbackPictures: boolean = true): Promise<GroupDto> {
+    const group = await axiosAuth.put<GroupDto>(`/groups/${groupId}`, dto).then(response => response.data).catch((error) => rethrowAndConvertIfExpected(error, 404));
+    return addFallbackPictures ? fillInMissingPicture(group) : group;
+  }
+
+  public async removeGroup(groupId: string): Promise<void> {
+    return axiosAuth.delete(`/groups/${groupId}`)
+      .then(() => { })
+      .catch((error) => rethrowAndConvertIfExpected(error, 404));
+  }
+
+  public async getEffectiveMembers(groupId: string, addFallbackPictures: boolean = true): Promise<UserDto[]> {
+    const members = await axiosAuth.get<UserDto[]>(`/groups/${groupId}/effective-members`).then(response => response.data).catch((error) => rethrowAndConvertIfExpected(error, 404));
+    return addFallbackPictures ? members.map(fillInMissingPicture) : members;
+  }
+
+  public async addMember(groupId: string, userId: string): Promise<void> {
+    await axiosAuth.post(`/groups/${groupId}/members/${userId}`).catch((error) => rethrowAndConvertIfExpected(error, 404));
+  }
+
+  public async removeMember(groupId: string, userId: string): Promise<void> {
+    await axiosAuth.delete(`/groups/${groupId}/members/${userId}`).catch((error) => rethrowAndConvertIfExpected(error, 404));
+  }
+}
+
 class UserService {
   public async putMe(dto?: UserDto): Promise<void> {
     return axiosAuth.put('/users/me', dto);
   }
 
-  public async me(withDevices: boolean = false, withLastAccess: boolean = false): Promise<UserDto> {
-    return axiosAuth.get<UserDto>(`/users/me?withDevices=${withDevices}&withLastAccess=${withLastAccess}`).then(response => AuthorityService.fillInMissingPicture(response.data));
+  public async me(withDevices: boolean = false, withLastAccess: boolean = false, addFallbackPictures: boolean = true): Promise<UserDto> {
+    const user = await axiosAuth.get<UserDto>('/users/me', {
+      params: {
+        withDevices: withDevices,
+        withLastAccess: withLastAccess
+      }
+    }).then(response => response.data);
+    return addFallbackPictures ? fillInMissingPicture(user) : user;
   }
 
   /** @deprecated since version 1.3.0, to be removed in https://github.com/cryptomator/hub/issues/333 */
   public async meWithLegacyDevicesAndAccess(): Promise<UserDto> {
-    return axiosAuth.get<UserDto>('/users/me-with-legacy-devices-and-access').then(response => AuthorityService.fillInMissingPicture(response.data));
+    return axiosAuth.get<UserDto>('/users/me-with-legacy-devices-and-access').then(response => fillInMissingPicture(response.data));
+  }
+
+  public async removeUser(userId: string): Promise<void> {
+    return axiosAuth.delete(`/users/${userId}`)
+      .then(() => { })
+      .catch((error) => rethrowAndConvertIfExpected(error, 404));
   }
 
   public async resetMe(): Promise<void> {
     return axiosAuth.post('/users/me/reset');
   }
 
-  public async listAll(): Promise<UserDto[]> {
-    return axiosAuth.get<UserDto[]>('/users/').then(response => response.data.map(AuthorityService.fillInMissingPicture));
+  public async listAll(addFallbackPictures: boolean = true): Promise<UserDtoWithCounts[]> {
+    const users = await axiosAuth.get<UserDtoWithCounts[]>('/users/').then(response => response.data);
+    return addFallbackPictures ? users.map(fillInMissingPicture) : users;
+  }
+
+  public async createUser(dto: CreateUserDto, addFallbackPictures: boolean = true): Promise<UserDto> {
+    const user = await axiosAuth.post<UserDto>('/users/', dto).then(response => response.data);
+    return addFallbackPictures ? fillInMissingPicture(user) : user;
+  }
+
+  public async getUser(userId: string, addFallbackPictures: boolean = true): Promise<UserDtoWithDetails> {
+    const user = await axiosAuth.get<UserDtoWithDetails>(`/users/${userId}`).then(response => response.data).catch((error) => rethrowAndConvertIfExpected(error, 404));
+    if (addFallbackPictures) {
+      return {
+        ...fillInMissingPicture(user),
+        groups: user.groups.map(g => fillInMissingPicture(g))
+      };
+    } else {
+      return user;
+    }
+  }
+
+  public async setUserEnabled(userId: string, enabled: boolean): Promise<void> {
+    await axiosAuth.put(`/users/${userId}/enabled`, enabled, { headers: { 'Content-Type': 'text/plain' } });
+  }
+
+  public async updateUser(userId: string, dto: UpdateUserDto, addFallbackPictures: boolean = true): Promise<UserDto> {
+    const user = await axiosAuth.put<UserDto>(`/users/${userId}`, dto).then(response => response.data).catch((error) => rethrowAndConvertIfExpected(error, 404));
+    return addFallbackPictures ? fillInMissingPicture(user) : user;
   }
 }
 
@@ -303,62 +652,30 @@ class TrustService {
 }
 
 class AuthorityService {
-  public async search(query: string, withMemberSize: boolean = false): Promise<AuthorityDto[]> {
-    return axiosAuth.get<AuthorityDto[]>(`/authorities/search?query=${query}&withMemberSize=${withMemberSize}`).then(response => response.data.map(AuthorityService.fillInMissingPicture));
-  }
-
-  public async listSome(authorityIds: string[]): Promise<AuthorityDto[]> {
-    const query = `ids=${authorityIds.join('&ids=')}`;
-    return axiosAuth.get<AuthorityDto[]>(`/authorities?${query}`).then(response => response.data.map(AuthorityService.fillInMissingPicture));
-  }
-
-  public static fillInMissingPicture<T extends AuthorityDto>(authority: T): T & { pictureUrl: string } {
-    if (authority.pictureUrl) {
-      return {
-        ...authority,
-        pictureUrl: authority.pictureUrl
-      };
-    } else {
-      const cfg = AuthorityService.getJdenticonConfig(authority.type);
-      const svg = toSvg(authority.id, 100, cfg);
-      const bytes = UTF8.encode(svg);
-      const url = `data:image/svg+xml;base64,${base64.stringify(bytes)}`;
-      return {
-        ...authority,
-        pictureUrl: url
-      };
-    }
-  }
-
-  private static getJdenticonConfig(type: 'USER' | 'GROUP'): JdenticonConfig {
-    switch (type) {
-      case 'USER':
-        return {
-          hues: [6, 28, 48, 121, 283],
-          saturation: {
-            color: 0.59,
-          },
-          lightness: {
-            color: [0.32, 0.49],
-            grayscale: [0.32, 0.49]
-          },
-          backColor: '#F7F7F7',
-          padding: 0
-        };
-      case 'GROUP':
-        return {
-          hues: [190],
-          saturation: {
-            color: 0.59
-          },
-          lightness: {
-            color: [0.81, 0.97],
-            grayscale: [0.81, 0.97]
-          },
-          backColor: '#005E71',
-          padding: 0
-        };
+  public async search(query: string, withMemberSize: boolean = false, addFallbackPictures: boolean = true): Promise<AuthorityDto[]> {
+    const authorities = await axiosAuth.get<AuthorityDto[]>('/authorities/search', {
+      params: {
+        query: query,
+        withMemberSize: withMemberSize
+      }
+    }).then(response => response.data);
+    return addFallbackPictures ? authorities.map(fillInMissingPicture) : authorities;
+  }
+
+  public async listSome(authorityIds: string[], addFallbackPictures: boolean = true): Promise<AuthorityDto[]> {
+    if (authorityIds.length === 0) {
+      // safe roundtrip for empty list
+      return [];
     }
+    const authorities = await axiosAuth.get<AuthorityDto[]>('/authorities', {
+      params: {
+        ids: authorityIds
+      },
+      paramsSerializer: {
+        indexes: null, // disable array indices in query params (e.g. ids[0]=...&ids[1]=...)
+      }
+    }).then(response => response.data);
+    return addFallbackPictures ? authorities.map(fillInMissingPicture) : authorities;
   }
 }
 
@@ -382,6 +699,10 @@ class LicenseService {
       return new LicenseUserInfoDto(response.data.licensedSeats, response.data.usedSeats, response.data.expiresAt ? new Date(response.data.expiresAt) : null);
     });
   }
+
+  public async refresh(): Promise<void> {
+    return axiosAuth.post('/license/refresh');
+  }
 }
 
 class VersionService {
@@ -398,7 +719,68 @@ class SettingsService {
   public async put(settings: SettingsDto): Promise<void> {
     return axiosAuth.put('/settings', settings);
   }
+
+  public async update(settings: Partial<SettingsDto>): Promise<void> {
+    const originalSettings = await this.get();
+    const updatedSettings = {
+      ...originalSettings,
+      ...settings
+    };
+    return axiosAuth.put('/settings', updatedSettings);
+  }
+}
+
+class EmergencyAccessService {
+  public async findProcessesForVault(vaultId: string): Promise<RecoveryProcessDto[]> {
+    return axiosAuth.get<RecoveryProcessDto[]>(`/emergency-access/${vaultId}`).then(response => response.data);
+  }
+
+  public async startRecovery(recoveryProcess: RecoveryProcessDto): Promise<void> {
+    return axiosAuth.put(`/emergency-access/${recoveryProcess.id}`, recoveryProcess);
+  }
+
+  public async addMyShare(recoveryProcessId: string, recoveredKeyShare: RecoveredKeyShareDto): Promise<void> {
+    return axiosAuth.post(`/emergency-access/${recoveryProcessId}/recovered-key-shares`, recoveredKeyShare);
+  }
+
+  public async complete(recoveryProcessId: string): Promise<void> {
+    return axiosAuth.delete(`/emergency-access/${recoveryProcessId}/complete`);
+  }
+
+  public async abort(recoveryProcessId: string): Promise<void> {
+    return axiosAuth.delete(`/emergency-access/${recoveryProcessId}/abort`);
+  }
+}
+
+// / start katta extension
+class StorageService {
+  public async put(vaultId: string, dto: StorageDto): Promise<void> {
+    return axiosAuth.put(`/storage/${vaultId}/`, dto);
+  }
+}
+class StorageProfileService {
+  public async get(archived?: boolean): Promise<StorageProfileDto[]> {
+    let query = '';
+    if(archived !== undefined){
+      query = `?archived=${archived}`;
+    }
+    return axiosAuth.get<StorageProfileDto[]>(`/storageprofile${query}`)
+    .then(response => response.data);
+  }
+
+  public async getSingle(storageprofileId: string): Promise<StorageProfileDto> {
+      return axiosAuth.get<StorageProfileDto>(`/storageprofile/${storageprofileId}`)
+      .then(response => response.data);
+    }
+}
+export const axiosUnAuth = AxiosStatic.create(axiosBaseCfg)
+class ConfigService {
+  public async config(): Promise<ConfigDto> {
+      return axiosUnAuth.get('/config')
+        .then(response => response.data);
+    }
 }
+// \ end katta extension
 
 /**
  * Note: Each service can thrown an {@link UnauthorizedError} when the access token is expired!
@@ -412,7 +794,15 @@ const services = {
   billing: new BillingService(),
   version: new VersionService(),
   license: new LicenseService(),
-  settings: new SettingsService()
+  settings: new SettingsService(),
+  groups: new GroupService(),
+  emergencyAccess: new EmergencyAccessService(),
+
+  // / start katta extension
+  storage: new StorageService(),
+  storageprofiles: new StorageProfileService(),
+  config: new ConfigService(),
+  // \ end katta extension
 };
 
 export default services;
diff --git a/frontend/src/common/config.ts b/frontend/src/common/config.ts
index 304663055..81fcf1498 100644
--- a/frontend/src/common/config.ts
+++ b/frontend/src/common/config.ts
@@ -23,6 +23,17 @@ export type ConfigDto = {
   keycloakTokenEndpoint: string;
   serverTime: string;
   apiLevel: number;
+  entitlements: {
+    seats: number;
+    showTrialHint: boolean;
+    auditLogRetentionDays: number;
+    emergencyAccessEnabled: boolean;
+    keycloakAccessEnabled: boolean;
+    iosLicense: string;
+    androidLicense: string;
+    desktopLicense: string;
+  };
+  billingUrl: string;
 };
 
 class ConfigWrapper {
@@ -47,8 +58,9 @@ class ConfigWrapper {
     return this.data;
   }
 
-  public async reload(): Promise<void> {
+  public async reload(): Promise<ConfigDto> {
     this.data = await ConfigWrapper.loadConfig();
+    return this.data;
   }
 }
 
diff --git a/frontend/src/common/crypto.ts b/frontend/src/common/crypto.ts
index da156c7ff..1d2cc9b99 100644
--- a/frontend/src/common/crypto.ts
+++ b/frontend/src/common/crypto.ts
@@ -1,5 +1,5 @@
-import { base16, base64, base64url } from 'rfc4648';
 import { VaultDto } from './backend';
+import { base16, base64, base64urlnopad } from '@scure/base';
 import { JWE, Recipient } from './jwe';
 import { DB, UTF8 } from './util';
 
@@ -46,7 +46,7 @@ export interface AccessTokenProducing {
    * @param userPublicKey the public key of the user
    * @param isOwner whether to also include owner secrets for this user (UVF only)
    */
-  encryptForUser(userPublicKey: CryptoKey | Uint8Array, isOwner?: boolean): Promise<string>;
+  encryptForUser(userPublicKey: CryptoKey | BufferSource, isOwner?: boolean): Promise<string>;
 
 }
 
@@ -61,6 +61,16 @@ export interface VaultTemplateProducing {
 
 }
 
+export interface RecoveryKeyProducing {
+
+  /**
+   * Creates a recovery key and pads it to a multiple of 3 bytes (if necessary), so it can be safely encoded using both base64 and the word encoder.
+   * @return The recovery key as a byte array
+   */
+  createPaddedRecoveryKeyBytes(): Promise<Uint8Array>;
+
+}
+
 /**
  * Represents a vault member by their public key.
  */
@@ -144,13 +154,13 @@ export class UserKeys {
   private static async createFromJwe(jwe: UserKeyPayload, ecdhPublicKey: CryptoKey | BufferSource, ecdsaPublicKey?: CryptoKey | BufferSource): Promise<UserKeys> {
     const ecdhKeyPair: CryptoKeyPair = {
       publicKey: await asPublicKey(ecdhPublicKey, UserKeys.ECDH_KEY_DESIGNATION),
-      privateKey: await crypto.subtle.importKey('pkcs8', base64.parse(jwe.ecdhPrivateKey ?? jwe.key, { loose: true }).slice(), UserKeys.ECDH_KEY_DESIGNATION, true, UserKeys.ECDH_PRIV_KEY_USAGES)
+      privateKey: await crypto.subtle.importKey('pkcs8', base64.decode(jwe.ecdhPrivateKey ?? jwe.key) as Uint8Array<ArrayBuffer>, UserKeys.ECDH_KEY_DESIGNATION, true, UserKeys.ECDH_PRIV_KEY_USAGES)
     };
     let ecdsaKeyPair: CryptoKeyPair;
     if (jwe.ecdsaPrivateKey && ecdsaPublicKey) {
       ecdsaKeyPair = {
         publicKey: await asPublicKey(ecdsaPublicKey, UserKeys.ECDSA_KEY_DESIGNATION, UserKeys.ECDSA_PUB_KEY_USAGES),
-        privateKey: await crypto.subtle.importKey('pkcs8', base64.parse(jwe.ecdsaPrivateKey, { loose: true }).slice(), UserKeys.ECDSA_KEY_DESIGNATION, true, UserKeys.ECDSA_PRIV_KEY_USAGES)
+        privateKey: await crypto.subtle.importKey('pkcs8', base64.decode(jwe.ecdsaPrivateKey) as Uint8Array<ArrayBuffer>, UserKeys.ECDSA_KEY_DESIGNATION, true, UserKeys.ECDSA_PRIV_KEY_USAGES)
       };
     } else {
       // ECDSA key was added in Hub 1.4.0. If it's missing, we generate a new one.
@@ -165,7 +175,7 @@ export class UserKeys {
    */
   public async encodedEcdhPublicKey(): Promise<string> {
     const publicKey = new Uint8Array(await crypto.subtle.exportKey('spki', this.ecdhKeyPair.publicKey));
-    return base64.stringify(publicKey);
+    return base64.encode(publicKey);
   }
 
   /**
@@ -174,7 +184,7 @@ export class UserKeys {
    */
   public async encodedEcdsaPublicKey(): Promise<string> {
     const publicKey = new Uint8Array(await crypto.subtle.exportKey('spki', this.ecdsaKeyPair.publicKey));
-    return base64.stringify(publicKey);
+    return base64.encode(publicKey);
   }
 
   /**
@@ -196,7 +206,7 @@ export class UserKeys {
    * @returns a JWE containing the PKCS#8-encoded private key
    * @see Recipient.ecdhEs
    */
-  public async encryptForDevice(devicePublicKey: CryptoKey | BufferSource): Promise<string> {
+  public async encryptForDevice(devicePublicKey: CryptoKey | Uint8Array<ArrayBuffer>): Promise<string> {
     const publicKey = await asPublicKey(devicePublicKey, BrowserKeys.KEY_DESIGNATION);
     const payload = await this.prepareForEncryption();
     const jwe = await JWE.build(payload).encrypt(Recipient.ecdhEs('org.cryptomator.hub.deviceKey', publicKey));
@@ -218,9 +228,9 @@ export class UserKeys {
     const encodedEcdsaPrivateKey = new Uint8Array(await crypto.subtle.exportKey('pkcs8', this.ecdsaKeyPair.privateKey));
     try {
       return {
-        key: base64.stringify(encodedEcdhPrivateKey), // redundant for backwards compatibility
-        ecdhPrivateKey: base64.stringify(encodedEcdhPrivateKey),
-        ecdsaPrivateKey: base64.stringify(encodedEcdsaPrivateKey)
+        key: base64.encode(encodedEcdhPrivateKey), // redundant for backwards compatibility
+        ecdhPrivateKey: base64.encode(encodedEcdhPrivateKey),
+        ecdsaPrivateKey: base64.encode(encodedEcdsaPrivateKey)
       };
     } finally {
       encodedEcdhPrivateKey.fill(0x00);
@@ -293,12 +303,12 @@ export class BrowserKeys {
   public async id(): Promise<string> {
     const publicKey = new Uint8Array(await crypto.subtle.exportKey('spki', this.keyPair.publicKey));
     const hash = new Uint8Array(await crypto.subtle.digest({ name: 'SHA-256' }, publicKey));
-    return base16.stringify(hash).toUpperCase();
+    return base16.encode(hash);
   }
 
   public async encodedPublicKey() {
     const publicKey = new Uint8Array(await crypto.subtle.exportKey('spki', this.keyPair.publicKey));
-    return base64.stringify(publicKey);
+    return base64.encode(publicKey);
   }
 }
 
@@ -318,7 +328,7 @@ export async function asPublicKey(publicKey: CryptoKey | BufferSource, keyDesign
  */
 export async function getJwkThumbprintStr(key: JsonWebKey | CryptoKey): Promise<string> {
   const thumbprint = await getJwkThumbprint(key);
-  return base64url.stringify(new Uint8Array(thumbprint), { pad: false });
+  return base64urlnopad.encode(new Uint8Array(thumbprint));
 }
 
 /**
diff --git a/frontend/src/common/emergencyaccess.ts b/frontend/src/common/emergencyaccess.ts
new file mode 100644
index 000000000..12abb727c
--- /dev/null
+++ b/frontend/src/common/emergencyaccess.ts
@@ -0,0 +1,115 @@
+import { base64 } from '@scure/base';
+import { combine, split } from 'shamir-secret-sharing';
+import { ActivatedUser } from './backend';
+import { asPublicKey, UserKeys } from './crypto';
+import { JWE, Recipient } from './jwe';
+
+type KeySharePayload = {
+  keyShare: string;
+}
+
+type ProcessPrivateKeyPayload = {
+  privateKey: JsonWebKey;
+}
+
+export type RecoveryProcess = {
+  recoveryPublicKey: string;
+  recoveryPrivateKeys: Record<string, string>;
+}
+
+export class EmergencyAccess {
+  private static readonly PROCESS_KEY_DESIGNATION: EcKeyImportParams | EcKeyGenParams = { name: 'ECDH', namedCurve: 'P-384' };
+  private static readonly PROCESS_KEY_USAGE: KeyUsage[] = ['deriveBits'];
+
+  /**
+   * Splits a secret into [1..255] shares, where at least `k` shares are needed to reconstruct the secret.
+   * The shares are encrypted for each recipient using ECDH-ES.
+   * @param secret The secret to be split, as a Uint8Array.
+   * @param k Minimum number of shares needed to reconstruct the secret.
+   * @param recipients Array of emergency access council members for whom to create key shares.
+   * @returns one JWE for each recipient (in the same order as the recipients).
+   */
+  public static async split(secret: Uint8Array, k: number, ...recipients: ActivatedUser[]): Promise<Record<string, string>> {
+    const n = recipients.length;
+    let shares: Uint8Array[];
+    if (k < 1) {
+      throw new Error('Threshold k must be at least 1');
+    } else if (n < k) {
+      throw new Error('Not enough recipients provided for secret sharing');
+    } else if (n > 255) {
+      throw new Error('Too many recipients provided for secret sharing');
+    } else if (k == 1) {
+      // no splitting needed // TODO: should we keep this?
+      shares = Array(n).fill(secret);
+    } else {
+      shares = await split(secret, n, k);
+    }
+    const result: Record<string, string> = {};
+    for (let i = 0; i < n; i++) {
+      const recipient = recipients[i];
+      const payload: KeySharePayload = {
+        keyShare: base64.encode(shares[i])
+      };
+      const keyBytes = base64.decode(recipient.ecdhPublicKey) as Uint8Array<ArrayBuffer>;
+      const key = await asPublicKey(keyBytes, UserKeys.ECDH_KEY_DESIGNATION);
+      const jwe = await JWE.build(payload).encrypt(Recipient.ecdhEs('', key));
+      result[recipient.id] = jwe.compactSerialization();
+    }
+    return result;
+  }
+
+  /**
+   * Starts a recovery process by generating a new key pair, whose private key is encrypted for each council member.
+   * @param councilMembers The involved council members
+   * @returns The recovery process, containing the public key and encrypted private keys for each council member.
+   */
+  public static async startRecovery(councilMembers: ActivatedUser[]): Promise<RecoveryProcess> {
+    // Generate a new key pair for the recovery process:
+    const processKeyPair = await crypto.subtle.generateKey(EmergencyAccess.PROCESS_KEY_DESIGNATION, true, EmergencyAccess.PROCESS_KEY_USAGE);
+    // Encrypt the process private key for each council member:
+    const encryptedPrivateKeys = new Map<string, string>();
+    const jwk = await crypto.subtle.exportKey('jwk', processKeyPair.privateKey);
+    const payload: ProcessPrivateKeyPayload = { privateKey: jwk };
+    for (const member of councilMembers) {
+      const keyBytes = base64.decode(member.ecdhPublicKey) as Uint8Array<ArrayBuffer>;
+      const key = await asPublicKey(keyBytes, UserKeys.ECDH_KEY_DESIGNATION);
+      const jwe = await JWE.build(payload).encrypt(Recipient.ecdhEs('', key));
+      encryptedPrivateKeys.set(member.id, jwe.compactSerialization());
+    }
+    // return public key and encrypted private keys:
+    const publicKeyJwk = JSON.stringify(await crypto.subtle.exportKey('jwk', processKeyPair.publicKey)); // TODO: JWK? or SPKI?
+    return {
+      recoveryPublicKey: publicKeyJwk,
+      recoveryPrivateKeys: Object.fromEntries(encryptedPrivateKeys)
+    };
+  }
+
+  /**
+   * Re-encrypts a council member's share for the recovery process.
+   * @param share A JWE containing the key share, encrypted for the council member.
+   * @param userPrivateKey The council member's private key.
+   * @param recoveryProcessPublicKey The public key of the recovery process.
+   * @returns A new JWE containing the key share, encrypted for the recovery process.
+   */
+  public static async recoverShare(share: string, userPrivateKey: CryptoKey, recoveryProcessPublicKey: string): Promise<string> {
+    const decrypted: KeySharePayload = await JWE.parseCompact(share).decrypt(Recipient.ecdhEs('', userPrivateKey));
+    const processPublicKeyJwk = JSON.parse(recoveryProcessPublicKey);
+    const processPublicKey = await crypto.subtle.importKey('jwk', processPublicKeyJwk, EmergencyAccess.PROCESS_KEY_DESIGNATION, false, []);
+    return (await JWE.build(decrypted).encrypt(Recipient.ecdhEs('', processPublicKey))).compactSerialization();
+  }
+
+  /**
+   * Recombines the shares that the council members have recovered.
+   * @param recoveredShares Sufficient recovered shares, e.g. a JWE whose recipient is the recovery process private key.
+   * @param recoveryProcessPrivateKeyJwe a JWE containing the recovery process private key, encrypted for the user.
+   * @param userPrivateKey The user's private key
+   * @returns The combined secret as a Uint8Array.
+   */
+  public static async combineRecoveredShares(recoveredShares: string[], recoveryProcessPrivateKeyJwe: string, userPrivateKey: CryptoKey): Promise<Uint8Array> {
+    const jwePayload: ProcessPrivateKeyPayload = await JWE.parseCompact(recoveryProcessPrivateKeyJwe).decrypt(Recipient.ecdhEs('', userPrivateKey));
+    const recoveryProcessPrivateKey = await crypto.subtle.importKey('jwk', jwePayload.privateKey, EmergencyAccess.PROCESS_KEY_DESIGNATION, false, EmergencyAccess.PROCESS_KEY_USAGE);
+    const decryptedShares: KeySharePayload[] = await Promise.all(recoveredShares.map(share => JWE.parseCompact(share).decrypt(Recipient.ecdhEs('', recoveryProcessPrivateKey))));
+    const keyShares = decryptedShares.map(share => base64.decode(share.keyShare) as Uint8Array<ArrayBuffer>);
+    return combine(keyShares);
+  }
+}
diff --git a/frontend/src/common/formvalidator.ts b/frontend/src/common/formvalidator.ts
new file mode 100644
index 000000000..235328516
--- /dev/null
+++ b/frontend/src/common/formvalidator.ts
@@ -0,0 +1,155 @@
+import i18n from '../i18n';
+
+const { t } = i18n.global;
+
+export interface ValidationResult {
+  valid: boolean;
+  errors: Record<string, string>;
+}
+
+export class FormValidator {
+  /**
+   * Validates user form data
+   */
+  static validateUser(data: {
+    firstName?: string,
+    lastName?: string,
+    username: string,
+    email?: string,
+    password: string,
+    passwordConfirm: string,
+    isEditMode: boolean,
+    initialEmail?: string,
+    pictureUrl?: string,
+    isValidImageUrl?: boolean
+  }): ValidationResult {
+    const errors: Record<string, string> = {};
+
+    // Required fields validation
+    if (!data.firstName?.trim()) errors.firstName = t('userEditCreate.validation.required');
+    if (!data.lastName?.trim()) errors.lastName = t('userEditCreate.validation.required');
+    if (!data.username.trim()) errors.username = t('userEditCreate.validation.required');
+
+    // Email validation
+    const emailTrimmed = data.email?.trim() ?? '';
+    const emailRequired = this.isEmailRequired(data.isEditMode, data.initialEmail);
+
+    if (emailRequired && !emailTrimmed) {
+      errors.email = t('userEditCreate.validation.required');
+    } else if (emailTrimmed && !this.isValidEmail(emailTrimmed)) {
+      errors.email = t('userEditCreate.invalidEmail');
+    }
+
+    // Password confirmation validation
+    if (data.password && data.password !== data.passwordConfirm) {
+      errors.passwordConfirm = t('userEditCreate.validation.passwordMismatch');
+    }
+
+    // For create mode, require password
+    if (!data.isEditMode && !data.password) {
+      errors.password = t('userEditCreate.validation.required');
+    }
+
+    // Validate picture URL
+    const pictureUrlError = this.validatePictureUrl(data.pictureUrl, data.isValidImageUrl, 'userEditCreate.invalidImageUrl');
+    if (pictureUrlError) errors.pictureUrl = pictureUrlError;
+
+    return {
+      valid: Object.keys(errors).length === 0,
+      errors
+    };
+  }
+
+  /**
+   * Validates group form data
+   */
+  static validateGroup(data: {
+    name: string,
+    pictureUrl?: string,
+    isValidImageUrl?: boolean
+  }): ValidationResult {
+    const errors: Record<string, string> = {};
+
+    // Required field validation
+    if (!data.name.trim()) errors.name = t('groupEditCreate.validation.required');
+
+    // Validate picture URL
+    const pictureUrlError = this.validatePictureUrl(data.pictureUrl, data.isValidImageUrl, 'groupEditCreate.invalidImageUrl');
+    if (pictureUrlError) errors.pictureUrl = pictureUrlError;
+
+    return {
+      valid: Object.keys(errors).length === 0,
+      errors
+    };
+  }
+
+  /**
+   * Common validation for picture URLs
+   * @private
+   */
+  private static validatePictureUrl(pictureUrl: string | undefined, isValidImageUrl: boolean | undefined, errorKey: string): string | undefined {
+    if (pictureUrl && !isValidImageUrl) {
+      return t(errorKey);
+    }
+    return undefined;
+  }
+
+  /**
+   * Validates email format
+   */
+  static isValidEmail(email?: string): boolean {
+    if (!email) return false;
+    return /^[^\s@]+@[^\s@]+\.[a-z]{2,}$/i.test(email.trim());
+  }
+
+  /**
+   * Checks if email is required
+   */
+  static isEmailRequired(isEditMode: boolean, initialEmail?: string): boolean {
+    if (isEditMode) {
+      // EDIT: required only if user previously had email
+      return initialEmail !== undefined && initialEmail.trim() !== '';
+    } else {
+      // CREATE: always required
+      return true;
+    }
+  }
+
+  /**
+   * Evaluates password strength
+   */
+  static evaluatePasswordStrength(password: string): 'weak' | 'medium' | 'strong' | '' {
+    if (!password) return '';
+
+    const strong = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[\W_]).{10,}$/;
+    const medium = /^(?=.*[a-zA-Z])(?=.*\d).{6,}$/;
+
+    if (strong.test(password)) return 'strong';
+    if (medium.test(password)) return 'medium';
+    return 'weak';
+  }
+
+  /**
+   * Validates image URL by attempting to load it
+   */
+  static validateImageUrl(url?: string, timeoutMs: number = 1000): Promise<boolean> {
+    if (!url) {
+      return Promise.resolve(false);
+    }
+    return new Promise((resolve) => {
+      const timeout = setTimeout(() => {
+        resolve(false);
+      }, timeoutMs);
+      const img = new Image();
+      img.onload = () => {
+        clearTimeout(timeout);
+        resolve(true);
+      };
+      img.onerror = () => {
+        clearTimeout(timeout);
+        resolve(false);
+      };
+      img.src = url;
+    });
+  }
+}
diff --git a/frontend/src/common/jwe.ts b/frontend/src/common/jwe.ts
index 8b1be4205..b79167c70 100644
--- a/frontend/src/common/jwe.ts
+++ b/frontend/src/common/jwe.ts
@@ -1,4 +1,4 @@
-import { base64url } from 'rfc4648';
+import { base64urlnopad } from '@scure/base';
 import { UnwrapKeyError } from './crypto';
 import { UTF8 } from './util';
 
@@ -149,14 +149,14 @@ class EcdhRecipient extends Recipient {
       kid: this.kid,
       alg: 'ECDH-ES+A256KW',
       epk: await crypto.subtle.exportKey('jwk', ephemeralKey.publicKey),
-      apu: base64url.stringify(this.apu, { pad: false }),
-      apv: base64url.stringify(this.apv, { pad: false })
+      apu: base64urlnopad.encode(this.apu),
+      apv: base64urlnopad.encode(this.apv)
     };
     const wrappingKey = await ECDH_ES.deriveKey(this.recipientKey, ephemeralKey.privateKey, 384, 32, header, false, { name: 'AES-KW', length: 256 }, ['wrapKey']);
     const encryptedKey = new Uint8Array(await crypto.subtle.wrapKey('raw', cek, wrappingKey, 'AES-KW'));
     return {
       header: header,
-      encrypted_key: base64url.stringify(encryptedKey, { pad: false })
+      encrypted_key: base64urlnopad.encode(encryptedKey)
     };
   }
 
@@ -192,7 +192,7 @@ class EcdhRecipient extends Recipient {
   async decryptAndUnwrap(header: JWEHeader, encryptedKey: string): Promise<CryptoKey> {
     const wrappingKey = await this.decryptDirect(header, { name: 'AES-KW', length: 256 }, ['unwrapKey']);
     try {
-      return await crypto.subtle.unwrapKey('raw', base64url.parse(encryptedKey, { loose: true }) as Uint8Array<ArrayBuffer>, wrappingKey, 'AES-KW', { name: 'AES-GCM' }, false, ['decrypt']);
+      return await crypto.subtle.unwrapKey('raw', base64urlnopad.decode(encryptedKey) as Uint8Array<ArrayBuffer>, wrappingKey, 'AES-KW', { name: 'AES-GCM' }, false, ['decrypt']);
     } catch (error) {
       throw new UnwrapKeyError(error);
     }
@@ -213,7 +213,7 @@ class A256kwRecipient extends Recipient {
     const encryptedKey = new Uint8Array(await crypto.subtle.wrapKey('raw', cek, this.wrappingKey, 'AES-KW'));
     return {
       header: header,
-      encrypted_key: base64url.stringify(encryptedKey, { pad: false })
+      encrypted_key: base64urlnopad.encode(encryptedKey)
     };
   }
 
@@ -222,7 +222,7 @@ class A256kwRecipient extends Recipient {
       throw new Error('unsupported alg');
     }
     try {
-      return await crypto.subtle.unwrapKey('raw', base64url.parse(encryptedKey, { loose: true }) as Uint8Array<ArrayBuffer>, this.wrappingKey, 'AES-KW', { name: 'AES-GCM' }, false, ['decrypt']);
+      return await crypto.subtle.unwrapKey('raw', base64urlnopad.decode(encryptedKey) as Uint8Array<ArrayBuffer>, this.wrappingKey, 'AES-KW', { name: 'AES-GCM' }, false, ['decrypt']);
     } catch (error) {
       throw new UnwrapKeyError(error);
     }
@@ -241,13 +241,13 @@ class Pbes2Recipient extends Recipient {
       kid: this.kid,
       alg: 'PBES2-HS512+A256KW',
       p2c: this.iterations,
-      p2s: base64url.stringify(salt, { pad: false })
+      p2s: base64urlnopad.encode(salt)
     };
     const wrappingKey = PBES2.deriveWrappingKey(this.password, 'PBES2-HS512+A256KW', salt, this.iterations);
     const encryptedKey = new Uint8Array(await crypto.subtle.wrapKey('raw', cek, await wrappingKey, 'AES-KW'));
     return {
       header: header,
-      encrypted_key: base64url.stringify(encryptedKey, { pad: false })
+      encrypted_key: base64urlnopad.encode(encryptedKey)
     };
   }
 
@@ -255,10 +255,10 @@ class Pbes2Recipient extends Recipient {
     if (header.alg != 'PBES2-HS512+A256KW' || !header.p2s || !header.p2c) {
       throw new Error('Missing or invalid header parameters.');
     }
-    const salt = base64url.parse(header.p2s, { loose: true });
+    const salt = base64urlnopad.decode(header.p2s);
     const wrappingKey = await PBES2.deriveWrappingKey(this.password, 'PBES2-HS512+A256KW', salt, header.p2c);
     try {
-      return await crypto.subtle.unwrapKey('raw', base64url.parse(encryptedKey, { loose: true }) as Uint8Array<ArrayBuffer>, wrappingKey, 'AES-KW', { name: 'AES-GCM' }, false, ['decrypt']);
+      return await crypto.subtle.unwrapKey('raw', base64urlnopad.decode(encryptedKey) as Uint8Array<ArrayBuffer>, wrappingKey, 'AES-KW', { name: 'AES-GCM' }, false, ['decrypt']);
     } catch (error) {
       throw new UnwrapKeyError(error);
     }
@@ -278,7 +278,7 @@ export class JWE {
   public static parseCompact(token: string): EncryptedJWE {
     const [protectedHeader, encryptedKey, iv, ciphertext, tag] = token.split('.', 5);
     const utf8 = new TextDecoder();
-    const header: JWEHeader = JSON.parse(utf8.decode(base64url.parse(protectedHeader, { loose: true })));
+    const header: JWEHeader = JSON.parse(utf8.decode(base64urlnopad.decode(protectedHeader)));
 
     return new EncryptedJWE(protectedHeader, [{ encrypted_key: encryptedKey, header: header }], iv, ciphertext, tag);
   }
@@ -311,7 +311,7 @@ export class JWE {
       }
     }
 
-    const encodedProtectedHeader = base64url.stringify(UTF8.encode(JSON.stringify(protectedHeader)), { pad: false });
+    const encodedProtectedHeader = base64urlnopad.encode(UTF8.encode(JSON.stringify(protectedHeader)));
     const m = UTF8.encode(JSON.stringify(this.payload));
     const ciphertextAndTag = new Uint8Array(await crypto.subtle.encrypt(
       {
@@ -327,9 +327,9 @@ export class JWE {
     const ciphertext = ciphertextAndTag.slice(0, m.byteLength - 16);
     const tag = ciphertextAndTag.slice(m.byteLength - 16);
 
-    const encodedIv = base64url.stringify(iv, { pad: false });
-    const encodedCiphertext = base64url.stringify(ciphertext, { pad: false });
-    const encodedTag = base64url.stringify(tag, { pad: false });
+    const encodedIv = base64urlnopad.encode(iv);
+    const encodedCiphertext = base64urlnopad.encode(ciphertext);
+    const encodedTag = base64urlnopad.encode(tag);
     return new EncryptedJWE(encodedProtectedHeader, perRecipientData, encodedIv, encodedCiphertext, encodedTag);
   }
 }
@@ -367,19 +367,19 @@ export class EncryptedJWE {
   }
 
   public async decrypt(recipient: Recipient): Promise<any> {
-    const protectedHeader: JWEHeader = JSON.parse(UTF8.decode(base64url.parse(this.protectedHeader, { loose: true })));
+    const protectedHeader: JWEHeader = JSON.parse(UTF8.decode(base64urlnopad.decode(this.protectedHeader)));
     const perRecipientData = (this.perRecipient.length === 1)
       ? this.perRecipient[0]
       : this.perRecipientWithKid(recipient.kid);
     const combinedHeader: JWEHeader = { ...perRecipientData.header, ...protectedHeader };
     const cek = await recipient.decrypt(combinedHeader, perRecipientData.encrypted_key);
-    const ciphertext = base64url.parse(this.ciphertext, { loose: true });
-    const tag = base64url.parse(this.tag, { loose: true });
+    const ciphertext = base64urlnopad.decode(this.ciphertext);
+    const tag = base64urlnopad.decode(this.tag);
     const ciphertextAndTag = new Uint8Array([...ciphertext, ...tag]);
     const cleartext = new Uint8Array(await crypto.subtle.decrypt(
       {
         name: 'AES-GCM',
-        iv: base64url.parse(this.iv, { loose: true }) as Uint8Array<ArrayBuffer>,
+        iv: base64urlnopad.decode(this.iv) as Uint8Array<ArrayBuffer>,
         additionalData: UTF8.encode(this.protectedHeader),
         tagLength: 128
       },
@@ -412,8 +412,8 @@ export class ECDH_ES {
         throw new Error('Missing alg or enc header parameter');
       }
       const algorithmId = ECDH_ES.lengthPrefixed(UTF8.encode(algOrEnc));
-      const partyUInfo = ECDH_ES.lengthPrefixed(base64url.parse(header.apu ?? '', { loose: true }));
-      const partyVInfo = ECDH_ES.lengthPrefixed(base64url.parse(header.apv ?? '', { loose: true }));
+      const partyUInfo = ECDH_ES.lengthPrefixed(base64urlnopad.decode(header.apu ?? ''));
+      const partyVInfo = ECDH_ES.lengthPrefixed(base64urlnopad.decode(header.apv ?? ''));
       const suppPubInfo = new ArrayBuffer(4);
       const suppPrivInfo = new Uint8Array();
       new DataView(suppPubInfo).setUint32(0, desiredKeyBytes * 8, false);
diff --git a/frontend/src/common/jwt.ts b/frontend/src/common/jwt.ts
index 9908e7aca..a306fd788 100644
--- a/frontend/src/common/jwt.ts
+++ b/frontend/src/common/jwt.ts
@@ -1,4 +1,4 @@
-import { base64url } from 'rfc4648';
+import { base64urlnopad } from '@scure/base';
 import { UTF8 } from './util';
 
 export type JWTHeader = {
@@ -8,6 +8,11 @@ export type JWTHeader = {
   [other: string]: undefined | string | number | boolean | object; // allow further properties
 }
 
+export const ECDSA_P384: EcKeyImportParams | EcKeyGenParams = {
+  name: 'ECDSA',
+  namedCurve: 'P-384'
+};
+
 export class JWT {
   public header: any;
   public payload: any;
@@ -30,8 +35,8 @@ export class JWT {
    * @param signerPrivateKey The signers's private key
    */
   public static async build(header: JWTHeader, payload: object, signerPrivateKey: CryptoKey): Promise<string> {
-    const encodedHeader = base64url.stringify(UTF8.encode(JSON.stringify(header)), { pad: false });
-    const encodedPayload = base64url.stringify(UTF8.encode(JSON.stringify(payload)), { pad: false });
+    const encodedHeader = base64urlnopad.encode(UTF8.encode(JSON.stringify(header)));
+    const encodedPayload = base64urlnopad.encode(UTF8.encode(JSON.stringify(payload)));
     const encodedSignature = await this.es384sign(encodedHeader, encodedPayload, signerPrivateKey);
     return encodedHeader + '.' + encodedPayload + '.' + encodedSignature;
   }
@@ -39,7 +44,7 @@ export class JWT {
   // visible for testing
   public static async es384sign(encodedHeader: string, encodedPayload: string, signerPrivateKey: CryptoKey): Promise<string> {
     const headerAndPayload = UTF8.encode(encodedHeader + '.' + encodedPayload);
-    const signature = await window.crypto.subtle.sign(
+    const signature = await globalThis.crypto.subtle.sign(
       {
         name: 'ECDSA',
         hash: { name: 'SHA-384' },
@@ -47,7 +52,7 @@ export class JWT {
       signerPrivateKey,
       headerAndPayload
     );
-    return base64url.stringify(new Uint8Array(signature), { pad: false });
+    return base64urlnopad.encode(new Uint8Array(signature));
   }
 
   /**
@@ -59,7 +64,7 @@ export class JWT {
    */
   public static async parse(jwt: string, signerPublicKey: CryptoKey): Promise<[JWTHeader, object]> {
     const [encodedHeader, encodedPayload] = jwt.split('.');
-    const header: JWTHeader = JSON.parse(UTF8.decode(base64url.parse(encodedHeader, { loose: true })));
+    const header: JWTHeader = JSON.parse(UTF8.decode(base64urlnopad.decode(encodedHeader)));
     if (header.alg !== 'ES384') {
       throw new Error('Unsupported algorithm');
     }
@@ -67,7 +72,7 @@ export class JWT {
     if (!validSignature) {
       throw new Error('Invalid signature');
     }
-    const payload = JSON.parse(UTF8.decode(base64url.parse(encodedPayload, { loose: true })));
+    const payload = JSON.parse(UTF8.decode(base64urlnopad.decode(encodedPayload)));
     return [header, payload];
   }
 
@@ -75,8 +80,8 @@ export class JWT {
   public static async es384verify(jwt: string, signerPublicKey: CryptoKey): Promise<boolean> {
     const [encodedHeader, encodedPayload, encodedSignature] = jwt.split('.');
     const headerAndPayload = UTF8.encode(encodedHeader + '.' + encodedPayload);
-    const signature = base64url.parse(encodedSignature);
-    return window.crypto.subtle.verify(
+    const signature = base64urlnopad.decode(encodedSignature) as Uint8Array<ArrayBuffer>;
+    return globalThis.crypto.subtle.verify(
       {
         name: 'ECDSA',
         hash: { name: 'SHA-384' },
diff --git a/frontend/src/common/katta.ts b/frontend/src/common/katta.ts
new file mode 100644
index 000000000..9c6f7fb66
--- /dev/null
+++ b/frontend/src/common/katta.ts
@@ -0,0 +1,5 @@
+
+export function isAwsHostname(hostname: string, cn: boolean = true): boolean {
+    var match = (cn ? hostname.match(/^([a-z0-9\-]+\.)?s3(\.dualstack)?(\.[a-z0-9\-]+)?(\.vpce)?\.amazonaws\.com(\.cn)?$/) : hostname.match(/^([a-z0-9\-]+\.)?s3(\.dualstack)?(\.[a-z0-9\-]+)?(\.vpce)?\.amazonaws\.com$/))
+    return match != null;
+}
diff --git a/frontend/src/common/settings.ts b/frontend/src/common/settings.ts
new file mode 100644
index 000000000..2481e2e7b
--- /dev/null
+++ b/frontend/src/common/settings.ts
@@ -0,0 +1,2 @@
+// TODO review is there a standard way for injecting developer properties?
+export const showVaultIDs = true;
\ No newline at end of file
diff --git a/frontend/src/common/svgUtils.ts b/frontend/src/common/svgUtils.ts
new file mode 100644
index 000000000..d94e5f111
--- /dev/null
+++ b/frontend/src/common/svgUtils.ts
@@ -0,0 +1,18 @@
+/**
+ * Describes a segment (slice) for a pie chart.
+ * @param index The segment index (0-based)
+ * @param total Total number of segments
+ * @param radius Radius of the circle
+ * @returns SVG path string
+ */
+export function describeSegment(index: number, total: number, radius: number): string {
+  const angle = (2 * Math.PI) / total;
+  const startAngle = index * angle - Math.PI / 2;
+  const endAngle = startAngle + angle;
+  const x1 = 18 + radius * Math.cos(startAngle);
+  const y1 = 18 + radius * Math.sin(startAngle);
+  const x2 = 18 + radius * Math.cos(endAngle);
+  const y2 = 18 + radius * Math.sin(endAngle);
+  const largeArc = angle > Math.PI ? 1 : 0;
+  return `M18,18 L${x1},${y1} A${radius},${radius} 0 ${largeArc} 1 ${x2},${y2} Z`;
+}
diff --git a/frontend/src/common/universalVaultFormat.ts b/frontend/src/common/universalVaultFormat.ts
index 99b259e2b..dfa8a3ff9 100644
--- a/frontend/src/common/universalVaultFormat.ts
+++ b/frontend/src/common/universalVaultFormat.ts
@@ -1,9 +1,12 @@
+import { base32, base64, base64urlnopad } from '@scure/base';
 import JSZip from 'jszip';
-import { base32, base64, base64url } from 'rfc4648';
 import { VaultDto } from './backend';
-import { AccessTokenPayload, AccessTokenProducing, JsonWebKeySet, OtherVaultMember, UserKeys, VaultTemplateProducing, getJwkThumbprintStr } from './crypto';
+import { AccessTokenPayload, AccessTokenProducing, JsonWebKeySet, OtherVaultMember, RecoveryKeyProducing, UserKeys, VaultTemplateProducing, getJwkThumbprintStr } from './crypto';
 import { JWE, JWEHeader, JsonJWE, Recipient } from './jwe';
 import { CRC32, UTF8, wordEncoder } from './util';
+// / start katta extension
+import { VaultMetadataJWEBackendDto } from './backend';
+// \ end katta extension
 
 type MetadataPayload = {
   fileFormat: 'AES-256-GCM-32k';
@@ -14,6 +17,9 @@ type MetadataPayload = {
   kdf: 'HKDF-SHA512';
   kdfSalt: string;
   'org.cryptomator.automaticAccessGrant': VaultMetadataJWEAutomaticAccessGrantDto;
+  // / start katta extension
+  'cloud.katta.storage': VaultMetadataJWEBackendDto;
+  // \ end katta extension
 }
 
 type VaultMetadataJWEAutomaticAccessGrantDto = {
@@ -57,7 +63,7 @@ export class MemberKey {
   public static async load(encodedKey: string): Promise<MemberKey> {
     let rawKey: Uint8Array<ArrayBuffer> = new Uint8Array();
     try {
-      rawKey = base64.parse(encodedKey).slice();
+      rawKey = base64.decode(encodedKey) as Uint8Array<ArrayBuffer>;
       const memberKey = await crypto.subtle.importKey('raw', rawKey, MemberKey.KEY_DESIGNATION, true, MemberKey.KEY_USAGE);
       return new MemberKey(memberKey);
     } finally {
@@ -71,7 +77,7 @@ export class MemberKey {
    */
   public async serializeKey(): Promise<string> {
     const bytes = await crypto.subtle.exportKey('raw', this.key);
-    return base64.stringify(new Uint8Array(bytes), { pad: true });
+    return base64.encode(new Uint8Array(bytes));
   }
 }
 // #endregion
@@ -148,11 +154,7 @@ export class RecoveryKey {
     return new RecoveryKey(publicKey, privateKey);
   }
 
-  /**
-   * Encodes the private key as a list of words
-   * @returns private key in a human-readable encoding
-   */
-  public async createRecoveryKey(): Promise<string> {
+  public async createRawRecoveryKey(): Promise<Uint8Array> {
     if (!this.privateKey) {
       throw new Error('Private key not available');
     }
@@ -169,10 +171,19 @@ export class RecoveryKey {
     const numPaddingBytes = 3 - (combined.length % 3);
     const padding = new Uint8Array(numPaddingBytes);
     padding.fill(numPaddingBytes & 0xFF); // 01 or 02 02 or 03 03 03
-    const padded = new Uint8Array([...combined, ...padding]);
+
+    return new Uint8Array([...combined, ...padding]);
+  }
+
+  /**
+   * Encodes the private key as a list of words
+   * @returns private key in a human-readable encoding
+   */
+  public async createRecoveryKey(): Promise<string> {
+    const recoveryKeyBytes = await this.createRawRecoveryKey();
 
     // encode using human-readable words:
-    return wordEncoder.encodePadded(padded);
+    return wordEncoder.encodePadded(recoveryKeyBytes);
   }
 
   /**
@@ -184,7 +195,7 @@ export class RecoveryKey {
       throw new Error('Private key not available');
     }
     const bytes = await crypto.subtle.exportKey('pkcs8', this.privateKey);
-    return base64.stringify(new Uint8Array(bytes), { pad: true });
+    return base64.encode(new Uint8Array(bytes));
   }
 
   /**
@@ -219,6 +230,9 @@ export class DecodeUvfRecoveryKeyError extends Error {
 export class VaultMetadata {
   private constructor(
     readonly automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto,
+    // / start katta extension
+    readonly backend: VaultMetadataJWEBackendDto,
+    // \ end katta extension
     readonly seeds: Map<number, Uint8Array<ArrayBuffer>>,
     readonly initialSeedId: number,
     readonly latestSeedId: number,
@@ -236,7 +250,11 @@ export class VaultMetadata {
    * @param automaticAccessGrant Configuration instructing the client how to automatically deal with permission requests
    * @returns new vault
    */
-  public static async create(automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto): Promise<VaultMetadata> {
+  public static async create(automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto
+    // / start katta extension
+    , backend: VaultMetadataJWEBackendDto
+    // \ end katta extension
+    ): Promise<VaultMetadata> {
     const initialSeedId = new Uint8Array(4);
     const initialSeedValue = new Uint8Array(32);
     const kdfSalt = new Uint8Array(32);
@@ -244,9 +262,13 @@ export class VaultMetadata {
     crypto.getRandomValues(initialSeedValue);
     crypto.getRandomValues(kdfSalt);
     const initialSeedNo = new DataView(initialSeedId.buffer).getInt32(0, false);
-    const seeds: Map<number, Uint8Array> = new Map<number, Uint8Array>();
+    const seeds: Map<number, Uint8Array<ArrayBuffer>> = new Map<number, Uint8Array<ArrayBuffer>>();
     seeds.set(initialSeedNo, initialSeedValue);
-    return new VaultMetadata(automaticAccessGrant, seeds, initialSeedNo, initialSeedNo, kdfSalt);
+    return new VaultMetadata(automaticAccessGrant,
+      // / start katta extension
+      backend,
+      // \ end katta extension
+      seeds, initialSeedNo, initialSeedNo, kdfSalt);
   }
 
   public get initialSeed(): Uint8Array<ArrayBuffer> {
@@ -295,14 +317,17 @@ export class VaultMetadata {
     const seeds = new Map<number, Uint8Array<ArrayBuffer>>();
     for (const key in payload.seeds) {
       const num = parseSeedId(key);
-      const value = base64url.parse(payload.seeds[key], { loose: true }).slice();
+      const value = base64urlnopad.decode(payload.seeds[key]) as Uint8Array<ArrayBuffer>;
       seeds.set(num, value);
     }
     const initialSeedId = parseSeedId(payload['initialSeed']);
     const latestSeedId = parseSeedId(payload['latestSeed']);
-    const kdfSalt = base64url.parse(payload['kdfSalt'], { loose: true }).slice();
+    const kdfSalt = base64urlnopad.decode(payload['kdfSalt']) as Uint8Array<ArrayBuffer>;
     return new VaultMetadata(
       payload['org.cryptomator.automaticAccessGrant'],
+      // / start katta extension
+      payload['cloud.katta.storage'],
+      // \ start katta extension
       seeds,
       initialSeedId,
       latestSeedId,
@@ -338,7 +363,7 @@ export class VaultMetadata {
     const encodedSeeds: Record<string, string> = {};
     for (const [key, value] of this.seeds) {
       const seedId = stringifySeedId(key);
-      encodedSeeds[seedId] = base64url.stringify(value, { pad: false });
+      encodedSeeds[seedId] = base64urlnopad.encode(value);
     }
     return {
       fileFormat: 'AES-256-GCM-32k',
@@ -347,8 +372,11 @@ export class VaultMetadata {
       initialSeed: stringifySeedId(this.initialSeedId),
       latestSeed: stringifySeedId(this.latestSeedId),
       kdf: 'HKDF-SHA512',
-      kdfSalt: base64url.stringify(this.kdfSalt, { pad: false }),
+      kdfSalt: base64urlnopad.encode(this.kdfSalt),
       'org.cryptomator.automaticAccessGrant': this.automaticAccessGrant
+      // / start katta extension
+      ,'cloud.katta.storage': this.backend
+      // \ end katta extension
     };
   }
 }
@@ -358,11 +386,19 @@ export class VaultMetadata {
 /**
  * A UVF-formatted Vault
  */
-export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplateProducing {
+export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplateProducing, RecoveryKeyProducing {
   private constructor(readonly metadata: VaultMetadata, readonly memberKey: MemberKey, readonly recoveryKey: RecoveryKey) { }
 
-  public static async create(automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto): Promise<UniversalVaultFormat> {
-    const metadata = await VaultMetadata.create(automaticAccessGrant);
+  public static async create(automaticAccessGrant: VaultMetadataJWEAutomaticAccessGrantDto
+    // / start katta extension
+    , backend: VaultMetadataJWEBackendDto
+    // \ end katta extension
+    ): Promise<UniversalVaultFormat> {
+    const metadata = await VaultMetadata.create(automaticAccessGrant
+      // / start katta extension
+      ,backend
+      // \ end katta extension
+      );
     const memberKey = await MemberKey.create();
     const recoveryKey = await RecoveryKey.create();
     return new UniversalVaultFormat(metadata, memberKey, recoveryKey);
@@ -392,13 +428,18 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
     const metadata = await VaultMetadata.decryptWithMemberKey(vault.uvfMetadataFile, memberKey);
     let recoveryKey: RecoveryKey;
     if (payload.recoveryKey) {
-      recoveryKey = await RecoveryKey.import(recoveryPublicKey, base64.parse(payload.recoveryKey).slice());
+      recoveryKey = await RecoveryKey.import(recoveryPublicKey, base64.decode(payload.recoveryKey) as Uint8Array<ArrayBuffer>);
     } else {
       recoveryKey = await RecoveryKey.import(recoveryPublicKey);
     }
     return new UniversalVaultFormat(metadata, memberKey, recoveryKey);
   }
 
+  /** @inheritdoc */
+  public async createPaddedRecoveryKeyBytes(): Promise<Uint8Array> {
+    return this.recoveryKey.createRawRecoveryKey();
+  }
+
   /**
    * Recover the `vault.uvf` file using the recovery key. After recovery, all access tokens need to be re-issued.
    * @param uvfMetadataFile contents of the `vault.uvf` file
@@ -444,7 +485,7 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
     const initialSeed = await crypto.subtle.importKey('raw', this.metadata.initialSeed, { name: 'HKDF' }, false, ['deriveKey']);
     const hmacKey = await crypto.subtle.deriveKey({ name: 'HKDF', hash: 'SHA-512', salt: this.metadata.kdfSalt, info: UTF8.encode('hmac') }, initialSeed, { name: 'HMAC', hash: 'SHA-256', length: 512 }, false, ['sign']);
     const rootDirHash = await crypto.subtle.sign('HMAC', hmacKey, rootDirId);
-    return base32.stringify(new Uint8Array(rootDirHash).slice(0, 20));
+    return base32.encode(new Uint8Array(rootDirHash).slice(0, 20));
   }
 
   public async encryptFile(content: Uint8Array<ArrayBuffer>, seedId: number): Promise<Uint8Array> {
@@ -512,7 +553,7 @@ export class UniversalVaultFormat implements AccessTokenProducing, VaultTemplate
  * @throws Error if the input is invalid
  */
 function parseSeedId(encoded: string): number {
-  const bytes = base64url.parse(encoded, { loose: true });
+  const bytes = base64urlnopad.decode(encoded);
   if (bytes.length != 4) {
     throw new Error('Malformed seed ID');
   }
@@ -527,5 +568,5 @@ function parseSeedId(encoded: string): number {
 function stringifySeedId(id: number): string {
   const bytes = new Uint8Array(4);
   new DataView(bytes.buffer).setInt32(0, id, false);
-  return base64url.stringify(bytes, { pad: false });
+  return base64urlnopad.encode(bytes);
 }
diff --git a/frontend/src/common/updatecheck.ts b/frontend/src/common/updatecheck.ts
index 40810fafa..b1b97eb60 100644
--- a/frontend/src/common/updatecheck.ts
+++ b/frontend/src/common/updatecheck.ts
@@ -12,11 +12,11 @@ class UpdatesService {
     const config = {
       headers: {
         'Content-Type': 'application/json',
-        'Cryptomator-Hub-Version': localVersion,
-        'Cryptomator-Hub-Instance': 'TODO' //for future uses
+        'Katta-Version': localVersion,
+        'Katta-Instance': 'TODO' //for future uses
       }
     };
-    return axios.get('https://api.cryptomator.org/hub/latest-version.json', config)
+    return axios.get('https://api.katta.cloud/server/latest-version.json', config)
       .then(response => response.data)
       .catch(error => {
         console.error(error);
diff --git a/frontend/src/common/userdata.ts b/frontend/src/common/userdata.ts
index 3252ca4f0..cf986624a 100644
--- a/frontend/src/common/userdata.ts
+++ b/frontend/src/common/userdata.ts
@@ -1,4 +1,4 @@
-import { base64 } from 'rfc4648';
+import { base64 } from '@scure/base';
 import backend, { DeviceDto, UserDto } from './backend';
 import { BrowserKeys, UserKeys } from './crypto';
 import { JWE, Recipient } from './jwe';
@@ -70,7 +70,7 @@ class UserData {
       if (!me.ecdhPublicKey) {
         throw new Error('User not initialized.');
       }
-      return base64.parse(me.ecdhPublicKey).slice();
+      return base64.decode(me.ecdhPublicKey) as Uint8Array<ArrayBuffer>;
     });
   }
 
@@ -81,7 +81,7 @@ class UserData {
    */
   public get ecdsaPublicKey(): Promise<Uint8Array<ArrayBuffer> | undefined> {
     return this.me.then(me => {
-      return me.ecdsaPublicKey ? base64.parse(me.ecdsaPublicKey).slice() : undefined;
+      return me.ecdsaPublicKey ? base64.decode(me.ecdsaPublicKey) as Uint8Array<ArrayBuffer> : undefined;
     });
   }
 
@@ -175,7 +175,7 @@ class UserData {
       me.ecdsaPublicKey = await userKeys.encodedEcdsaPublicKey();
       me.privateKeys = await userKeys.encryptWithSetupCode(setupCode);
       for (const device of me.devices) {
-        device.userPrivateKey = await userKeys.encryptForDevice(base64.parse(device.publicKey).slice());
+        device.userPrivateKey = await userKeys.encryptForDevice(base64.decode(device.publicKey) as Uint8Array<ArrayBuffer>);
       }
       await backend.users.putMe(me);
     }
diff --git a/frontend/src/common/util.ts b/frontend/src/common/util.ts
index 5c00c3be6..d2ade1b90 100644
--- a/frontend/src/common/util.ts
+++ b/frontend/src/common/util.ts
@@ -68,8 +68,8 @@ export class Deferred<T> {
  * @param wait time to wait before calling function
  * @returns debounced function
  */
-// eslint-disable-next-line @typescript-eslint/no-unsafe-function-type
-export const debounce = (func: Function, wait = 300) => {
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export function debounce<F extends (...args: any[]) => any>(func: F, wait = 300): F & { cancel: () => void } {
   let timeoutId: ReturnType<typeof setTimeout>;
   function debounceCore(this: unknown, ...args: unknown[]) {
     cancel();
@@ -79,8 +79,8 @@ export const debounce = (func: Function, wait = 300) => {
     clearTimeout(timeoutId);
   }
   debounceCore.cancel = cancel;
-  return debounceCore;
-};
+  return debounceCore as F & { cancel: () => void };
+}
 
 // based on https://stackoverflow.com/a/18639903/4014509
 export class CRC32 {
@@ -138,7 +138,7 @@ class WordEncoder {
     return result.join(WordEncoder.DELIMITER);
   }
 
-  public decode(encoded: string): Uint8Array {
+  public decode(encoded: string): Uint8Array<ArrayBuffer> {
     const split = encoded.split(/\s+/).filter(s => s !== '');
     if (split.length % 2 != 0) {
       throw new Error(`input needs to be a multiple of two words: "${encoded}"`);
diff --git a/frontend/src/common/vaultFormat8.ts b/frontend/src/common/vaultFormat8.ts
index c2c4f3f77..0a3b64c12 100644
--- a/frontend/src/common/vaultFormat8.ts
+++ b/frontend/src/common/vaultFormat8.ts
@@ -1,9 +1,9 @@
+import { aessiv } from '@noble/ciphers/aes.js';
+import { base32, base64, base64nopad, base64urlnopad } from '@scure/base';
 import JSZip from 'jszip';
-import * as miscreant from 'miscreant';
-import { base32, base64, base64url } from 'rfc4648';
 import { VaultDto } from './backend';
 import config, { absFrontendBaseURL } from './config';
-import { AccessTokenProducing, GCM_NONCE_LEN, OtherVaultMember, UnwrapKeyError, UserKeys, VaultTemplateProducing } from './crypto';
+import { AccessTokenProducing, GCM_NONCE_LEN, OtherVaultMember, RecoveryKeyProducing, UnwrapKeyError, UserKeys, VaultTemplateProducing } from './crypto';
 import { CRC32, UTF8, wordEncoder } from './util';
 
 interface VaultConfigPayload {
@@ -24,7 +24,7 @@ interface VaultConfigHeaderHub {
   devicesResourceUrl: string
 }
 
-export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducing {
+export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducing, RecoveryKeyProducing {
   // in this browser application, this 512 bit key is used
   // as a hmac key to sign the vault config.
   // however when used by cryptomator, it gets split into
@@ -64,7 +64,7 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
     let rawKey = new Uint8Array();
     try {
       const payload = await userKeyPair.decryptAccessToken(jwe);
-      rawKey = base64.parse(payload.key);
+      rawKey = base64.decode(payload.key) as Uint8Array<ArrayBuffer>;
       const masterKey = crypto.subtle.importKey('raw', rawKey, VaultFormat8.MASTERKEY_KEY_DESIGNATION, true, ['sign']);
       return new VaultFormat8(await masterKey);
     } finally {
@@ -92,7 +92,7 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
       {
         name: 'PBKDF2',
         hash: 'SHA-256',
-        salt: base64.parse(salt, { loose: true }),
+        salt: base64nopad.decode(salt) as Uint8Array<ArrayBuffer>,
         iterations: iterations
       },
       await pwKey,
@@ -101,9 +101,9 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
       ['unwrapKey']
     );
     // unwrapping
-    const decodedMasterKey = base64.parse(wrappedMasterkey, { loose: true });
-    const decodedPrivateKey = base64.parse(wrappedOwnerPrivateKey, { loose: true });
-    const decodedPublicKey = base64.parse(ownerPublicKey, { loose: true });
+    const decodedMasterKey = base64.decode(wrappedMasterkey);
+    const decodedPrivateKey = base64.decode(wrappedOwnerPrivateKey);
+    const decodedPublicKey = base64.decode(ownerPublicKey);
     try {
       const masterkey = await crypto.subtle.unwrapKey(
         'raw',
@@ -125,7 +125,7 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
       );
       const pubKey = await crypto.subtle.importKey(
         'spki',
-        decodedPublicKey,
+        decodedPublicKey as Uint8Array<ArrayBuffer>,
         { name: 'ECDSA', namedCurve: 'P-384' },
         true,
         ['verify']
@@ -155,7 +155,7 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
       vault.masterKey,
       message
     );
-    const base64urlDigest = base64url.stringify(new Uint8Array(digest), { pad: false });
+    const base64urlDigest = base64urlnopad.encode(new Uint8Array(digest));
     if (!(signature === base64urlDigest)) {
       throw new Error('Recovery key does not match vault file.');
     }
@@ -239,14 +239,14 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
       hub: hubConfig
     });
     const payloadJson = JSON.stringify(payload);
-    const unsignedToken = base64url.stringify(UTF8.encode(header), { pad: false }) + '.' + base64url.stringify(UTF8.encode(payloadJson), { pad: false });
+    const unsignedToken = base64urlnopad.encode(UTF8.encode(header)) + '.' + base64urlnopad.encode(UTF8.encode(payloadJson));
     const encodedUnsignedToken = UTF8.encode(unsignedToken);
     const signature = await crypto.subtle.sign(
       'HMAC',
       this.masterKey,
       encodedUnsignedToken
     );
-    return unsignedToken + '.' + base64url.stringify(new Uint8Array(signature), { pad: false });
+    return unsignedToken + '.' + base64urlnopad.encode(new Uint8Array(signature));
   }
 
   // visible for testing
@@ -254,15 +254,14 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
     const dirHash = UTF8.encode(cleartextDirectoryId);
     const rawkey = new Uint8Array(await crypto.subtle.exportKey('raw', this.masterKey));
     try {
-      // miscreant lib requires mac key first and then the enc key
+      // aes-siv requires mac key first and then the enc key:
       const encKey = rawkey.subarray(0, rawkey.length / 2 | 0);
       const macKey = rawkey.subarray(rawkey.length / 2 | 0);
       const shiftedRawKey = new Uint8Array([...macKey, ...encKey]);
-      const key = await miscreant.SIV.importKey(shiftedRawKey, 'AES-SIV');
-      const ciphertext = await key.seal(dirHash, []);
+      const ciphertext = aessiv(shiftedRawKey).encrypt(dirHash) as Uint8Array<ArrayBuffer>;
       // hash is only used as deterministic scheme for the root dir
       const hash = await crypto.subtle.digest('SHA-1', ciphertext);
-      return base32.stringify(new Uint8Array(hash));
+      return base32.encode(new Uint8Array(hash));
     } finally {
       rawkey.fill(0x00);
     }
@@ -274,31 +273,37 @@ export class VaultFormat8 implements AccessTokenProducing, VaultTemplateProducin
    */
   public async serializeMasterKey(): Promise<string> {
     const bytes = await crypto.subtle.exportKey('raw', this.masterKey);
-    return base64.stringify(new Uint8Array(bytes), { pad: true });
+    return base64.encode(new Uint8Array(bytes));
   }
 
   /** @inheritdoc */
-  public async encryptForUser(userPublicKey: CryptoKey | Uint8Array): Promise<string> {
+  public async encryptForUser(userPublicKey: CryptoKey | BufferSource): Promise<string> {
     return OtherVaultMember.withPublicKey(userPublicKey).createAccessToken({
       key: await this.serializeMasterKey(),
     });
   }
 
-  /**
-   * Encode masterkey for offline backup purposes, allowing re-importing the key for recovery purposes
-   */
-  public async createRecoveryKey(): Promise<string> {
-    const rawkey = new Uint8Array(await crypto.subtle.exportKey('raw', this.masterKey));
+  /** @inheritdoc */
+  public async createPaddedRecoveryKeyBytes(): Promise<Uint8Array> {
+    const rawkey = new Uint8Array(await crypto.subtle.exportKey('raw', this.masterKey));;
 
     // add 16 bit checksum:
     const crc32 = CRC32.compute(rawkey);
     const checksum = new Uint8Array(2);
     checksum[0] = crc32 & 0xff;      // append the least significant byte of the crc
     checksum[1] = crc32 >> 8 & 0xff; // followed by the second-least significant byte
-    const combined = new Uint8Array([...rawkey, ...checksum]);
+
+    return new Uint8Array([...rawkey, ...checksum]);
+  }
+
+  /**
+   * Encode masterkey for offline backup purposes, allowing re-importing the key for recovery purposes
+   */
+  public async createRecoveryKey(): Promise<string> {
+    const recoveryKeyBytes = await this.createPaddedRecoveryKeyBytes();
 
     // encode using human-readable words:
-    return wordEncoder.encodePadded(combined);
+    return wordEncoder.encodePadded(recoveryKeyBytes);
   }
 }
 
diff --git a/frontend/src/common/wot.ts b/frontend/src/common/wot.ts
index 2fb89e6ea..2286aaa24 100644
--- a/frontend/src/common/wot.ts
+++ b/frontend/src/common/wot.ts
@@ -1,4 +1,4 @@
-import { base64 } from 'rfc4648';
+import { base64 } from '@scure/base';
 import backend, { TrustDto, UserDto } from './backend';
 import { UserKeys, asPublicKey, getJwkThumbprint } from './crypto';
 import { JWT, JWTHeader } from './jwt';
@@ -70,7 +70,7 @@ async function verifyRescursive(signatureChain: string[], signerPublicKey: Crypt
     }
   } else {
     // otherwise, the payload is an intermediate public key used to sign the next element
-    const nextTrustedPublicKey = await asPublicKey(base64.parse(signedKeys.ecdsaPublicKey), UserKeys.ECDSA_KEY_DESIGNATION, UserKeys.ECDSA_PUB_KEY_USAGES);
+    const nextTrustedPublicKey = await asPublicKey(base64.decode(signedKeys.ecdsaPublicKey) as Uint8Array<ArrayBuffer>, UserKeys.ECDSA_KEY_DESIGNATION, UserKeys.ECDSA_PUB_KEY_USAGES);
     await verifyRescursive(remainingChain, nextTrustedPublicKey, allegedSignedKey);
   }
 }
@@ -84,8 +84,8 @@ async function computeFingerprint(user: { ecdhPublicKey?: string; ecdsaPublicKey
   if (!user.ecdhPublicKey || !user.ecdsaPublicKey) {
     throw new Error('User has no public keys');
   }
-  const ecdhPublicKey = await asPublicKey(base64.parse(user.ecdhPublicKey), UserKeys.ECDH_KEY_DESIGNATION);
-  const ecdsaPublicKey = await asPublicKey(base64.parse(user.ecdsaPublicKey), UserKeys.ECDSA_KEY_DESIGNATION, UserKeys.ECDSA_PUB_KEY_USAGES);
+  const ecdhPublicKey = await asPublicKey(base64.decode(user.ecdhPublicKey) as Uint8Array<ArrayBuffer>, UserKeys.ECDH_KEY_DESIGNATION);
+  const ecdsaPublicKey = await asPublicKey(base64.decode(user.ecdsaPublicKey) as Uint8Array<ArrayBuffer>, UserKeys.ECDSA_KEY_DESIGNATION, UserKeys.ECDSA_PUB_KEY_USAGES);
   const concatenatedThumbprints = new Uint8Array([
     ...await getJwkThumbprint(ecdhPublicKey),
     ...await getJwkThumbprint(ecdsaPublicKey)
diff --git a/frontend/src/components/AdminSettings.vue b/frontend/src/components/AdminSettings.vue
index ccda5022a..f8716a2f5 100644
--- a/frontend/src/components/AdminSettings.vue
+++ b/frontend/src/components/AdminSettings.vue
@@ -1,6 +1,6 @@
 <template>
-  <div v-if="admin == null || version == null || wotMaxDepth == null || wotIdVerifyLen == null">
-    <div v-if="onFetchError == null">
+  <div v-if="billing === undefined || version === undefined || wotMaxDepth === undefined || wotIdVerifyLen === undefined">
+    <div v-if="!onFetchError">
       {{ t('common.loading') }}
     </div>
     <div v-else>
@@ -9,13 +9,19 @@
   </div>
 
   <div v-else>
+    <!-- Page Header -->
     <div class="pb-5 border-b border-gray-200">
       <h2 class="text-2xl font-bold leading-7 text-gray-900 sm:text-3xl sm:truncate">
         {{ t('admin.title') }}
       </h2>
     </div>
 
+    <ContentBanner v-if="hasLegacyDevices" type="warning" :title="t('legacyDeviceBanner.title')" class="mt-5">
+      {{ t('legacyDeviceBanner.admin.description') }}
+    </ContentBanner>
+
     <div class="space-y-6 mt-5">
+      <!-- Server Information Section -->
       <section class="bg-white px-4 py-5 shadow-sm sm:rounded-lg sm:p-6">
         <h3 class="text-lg font-medium leading-6 text-gray-900">
           {{ t('admin.serverInfo.title') }}
@@ -28,7 +34,7 @@
           <div class="md:grid md:grid-cols-3 md:gap-6">
             <label for="hubId" class="block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">{{ t('admin.serverInfo.hubId.title') }}</label>
             <div class="mt-1 md:mt-0 md:col-span-2 lg:col-span-1">
-              <input id="hubId" v-model="admin.hubId" type="text" class="focus:ring-primary focus:border-primary block w-full shadow-xs sm:text-sm border-gray-300 rounded-md bg-gray-200" readonly />
+              <input id="hubId" v-model="billing.hubId" type="text" class="focus:ring-primary focus:border-primary block w-full shadow-xs sm:text-sm border-gray-300 rounded-md bg-gray-200" readonly />
             </div>
           </div>
 
@@ -63,7 +69,7 @@
             <label for="keycloakVersion" class="block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">{{ t('admin.serverInfo.keycloakVersion.title') }}</label>
             <div class="mt-1 md:mt-0 md:col-span-2 lg:col-span-1">
               <input id="keycloakVersion" :value="version.keycloakVersion ?? t('admin.serverInfo.keycloakVersion.notAvailable')" type="text" class="focus:ring-primary focus:border-primary block w-full shadow-xs sm:text-sm border-gray-300 rounded-md bg-gray-200" readonly />
-              <p id="keycloakAdminRealmURL" class="inline-flex mt-2 text-sm">
+              <p v-if="cfg.entitlements.keycloakAccessEnabled" id="keycloakAdminRealmURL" class="inline-flex mt-2 text-sm">
                 <LinkIcon class="shrink-0 text-primary mr-1 h-5 w-5" aria-hidden="true" />
                 <a :href="keycloakAdminRealmURL" target="_blank" class="underline text-gray-500 hover:text-gray-900">{{ $t('admin.serverInfo.keycloakVersion.description') }}</a>
               </p>
@@ -72,10 +78,16 @@
         </form>
       </section>
 
-      <section v-if="admin.hasLicense && remainingSeats != null" class="bg-white px-4 py-5 shadow-sm sm:rounded-lg sm:p-6">
-        <h3 class="text-lg font-medium leading-6 text-gray-900">
-          {{ t('admin.licenseInfo.title') }}
-        </h3>
+      <!-- License Information Section -->
+      <section v-if="remainingSeats !== undefined" class="bg-white px-4 py-5 shadow-sm sm:rounded-lg sm:p-6">
+        <div class="flex items-center justify-between">
+          <h3 class="text-lg font-medium leading-6 text-gray-900">
+            {{ t('admin.licenseInfo.title') }}
+          </h3>
+          <button type="button" class="p-1 cursor-pointer text-gray-400 hover:text-gray-600 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary rounded-full disabled:opacity-50 disabled:hover:text-gray-400 disabled:cursor-not-allowed" :title="t('common.refresh')" :disabled="!isRegistered" @click="refreshLicense()">
+            <ArrowPathIcon class="h-5 w-5" aria-hidden="true" />
+          </button>
+        </div>
         <p class="mt-1 text-sm text-gray-500 w-full">
           {{ t('admin.licenseInfo.description') }}
         </p>
@@ -84,14 +96,14 @@
           <div class="md:grid md:grid-cols-3 md:gap-6">
             <label for="email" class="block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">{{ t('admin.licenseInfo.email.title') }}</label>
             <div class="mt-1 md:mt-0 md:col-span-2 lg:col-span-1">
-              <input id="email" v-model="admin.email" type="text" class="focus:ring-primary focus:border-primary block w-full shadow-xs sm:text-sm border-gray-300 rounded-md bg-gray-200" readonly />
+              <input id="email" v-model="billing.email" type="text" class="focus:ring-primary focus:border-primary block w-full shadow-xs sm:text-sm border-gray-300 rounded-md bg-gray-200" readonly />
             </div>
           </div>
 
           <div class="md:grid md:grid-cols-3 md:gap-6">
             <label for="seats" class="block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">{{ t('admin.licenseInfo.seats.title') }}</label>
             <div class="mt-1 md:mt-0 md:col-span-2 lg:col-span-1">
-              <input id="seats" v-model="admin.licensedSeats" type="text" class="focus:ring-primary focus:border-primary block w-full shadow-xs sm:text-sm border-gray-300 rounded-md bg-gray-200" aria-describedby="seats-description" readonly />
+              <input id="seats" v-model="billing.licensedSeats" type="text" class="focus:ring-primary focus:border-primary block w-full shadow-xs sm:text-sm border-gray-300 rounded-md bg-gray-200" aria-describedby="seats-description" readonly />
               <p v-if="remainingSeats > 0" id="seats-description" class="inline-flex mt-2 text-sm text-gray-500">
                 <CheckIcon class="shrink-0 text-primary mr-1 h-5 w-5" aria-hidden="true" />
                 {{ t('admin.licenseInfo.seats.description.enoughSeats', [remainingSeats]) }}
@@ -110,15 +122,15 @@
           <div class="md:grid md:grid-cols-3 md:gap-6">
             <label for="issuedAt" class="block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">{{ t('admin.licenseInfo.issuedAt.title') }}</label>
             <div class="mt-1 md:mt-0 md:col-span-2 lg:col-span-1">
-              <input id="issuedAt" :value="d(admin.issuedAt, 'short')" type="text" class="focus:ring-primary focus:border-primary block w-full shadow-sm sm:text-sm border-gray-300 rounded-md bg-gray-200" readonly />
+              <input id="issuedAt" :value="d(billing.issuedAt, 'short')" type="text" class="focus:ring-primary focus:border-primary block w-full shadow-sm sm:text-sm border-gray-300 rounded-md bg-gray-200" readonly />
             </div>
           </div>
 
           <div class="md:grid md:grid-cols-3 md:gap-6">
             <label for="expiresAt" class="block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">{{ t('admin.licenseInfo.expiresAt.title') }}</label>
             <div class="mt-1 md:mt-0 md:col-span-2 lg:col-span-1">
-              <input id="expiresAt" :value="d(admin.expiresAt, 'short')" type="text" class="focus:ring-primary focus:border-primary block w-full shadow-xs sm:text-sm border-gray-300 rounded-md bg-gray-200" aria-describedby="expiresAt-description" readonly />
-              <p v-if="now < admin.expiresAt" id="expiresAt-description" class="inline-flex mt-2 text-sm text-gray-500">
+              <input id="expiresAt" :value="d(billing.expiresAt, 'short')" type="text" class="focus:ring-primary focus:border-primary block w-full shadow-xs sm:text-sm border-gray-300 rounded-md bg-gray-200" aria-describedby="expiresAt-description" readonly />
+              <p v-if="now < billing.expiresAt" id="expiresAt-description" class="inline-flex mt-2 text-sm text-gray-500">
                 <CheckIcon class="shrink-0 text-primary mr-1 h-5 w-5" aria-hidden="true" />
                 {{ t('admin.licenseInfo.expiresAt.description.valid') }}
               </p>
@@ -130,66 +142,17 @@
           </div>
 
           <div class="md:grid md:grid-cols-3 md:gap-6">
-            <div class="md:col-start-2">
-              <button type="button" class="flex-none inline-flex justify-center py-2 px-4 border border-transparent shadow-sm text-sm font-medium rounded-md text-white bg-primary hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed" @click="manageSubscription()">
+            <div class="md:col-start-2 col-span-2 flex gap-2">
+              <a :href="manageSubscriptionUrl" rel="noopener" class="button inline-flex justify-center py-2 px-4 border border-transparent shadow-sm text-sm font-medium rounded-md text-white bg-primary hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed">
                 <ArrowTopRightOnSquareIcon class="-ml-1 mr-2 h-5 w-5" aria-hidden="true" />
                 {{ t('admin.licenseInfo.manageSubscription') }}
-              </button>
-            </div>
-          </div>
-        </form>
-      </section>
-
-      <section v-if="!admin.hasLicense && remainingSeats != null" class="bg-white px-4 py-5 shadow-sm sm:rounded-lg sm:p-6">
-        <h3 class="text-lg font-medium leading-6 text-gray-900">
-          {{ t('admin.licenseInfo.title') }}
-        </h3>
-        <p v-if="!admin.managedInstance" class="mt-1 text-sm text-gray-500 w-full">
-          {{ t('admin.licenseInfo.selfHostedNoLicense.description') }}
-        </p>
-        <p v-else class="mt-1 text-sm text-gray-500 w-full">
-          {{ t('admin.licenseInfo.managedNoLicense.description') }}
-        </p>
-        <hr class="my-4 pb-6 border-gray-200"/>
-        <form class="space-y-6 md:gap-6" novalidate>
-          <div class="md:grid md:grid-cols-3 md:gap-6">
-            <label for="licenseType" class="block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">{{ t('admin.licenseInfo.type.title') }}</label>
-            <div class="mt-1 md:mt-0 md:col-span-2 lg:col-span-1">
-              <input v-if="!admin.managedInstance" id="licenseType" value="Community License" type="text" class="focus:ring-primary focus:border-primary block w-full shadow-xs sm:text-sm border-gray-300 rounded-md bg-gray-200" readonly />
-              <input v-else id="licenseType" value="Managed" type="text" class="focus:ring-primary focus:border-primary block w-full shadow-xs sm:text-sm border-gray-300 rounded-md bg-gray-200" readonly />
-            </div>
-          </div>
-
-          <div class="md:grid md:grid-cols-3 md:gap-6">
-            <label for="seats" class="block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">{{ t('admin.licenseInfo.seats.title') }}</label>
-            <div class="mt-1 md:mt-0 md:col-span-2 lg:col-span-1">
-              <input id="seats" v-model="admin.licensedSeats" type="text" class="focus:ring-primary focus:border-primary block w-full shadow-xs sm:text-sm border-gray-300 rounded-md bg-gray-200" aria-describedby="seats-description" readonly />
-              <p v-if="remainingSeats > 0" id="seats-description" class="inline-flex mt-2 text-sm text-gray-500">
-                <CheckIcon class="shrink-0 text-primary mr-1 h-5 w-5" aria-hidden="true" />
-                {{ t('admin.licenseInfo.seats.description.enoughSeats', [remainingSeats]) }}
-              </p>
-              <p v-else-if="remainingSeats == 0" id="seats-description" class="inline-flex mt-2 text-sm text-gray-500">
-                <ExclamationTriangleIcon class="shrink-0 text-orange-500 mr-1 h-5 w-5" aria-hidden="true" />
-                {{ t('admin.licenseInfo.seats.description.zeroSeats') }}
-              </p>
-              <p v-else id="seats-description" class="inline-flex mt-2 text-sm text-gray-500">
-                <XMarkIcon class="shrink-0 text-red-500 mr-1 h-5 w-5" aria-hidden="true" />
-                {{ t('admin.licenseInfo.seats.description.undercutSeats', [numberOfExceededSeats]) }}
-              </p>
-            </div>
-          </div>
-
-          <div class="md:grid md:grid-cols-3 md:gap-6">
-            <div class="md:col-start-2">
-              <button type="button" class="flex-none inline-flex justify-center py-2 px-4 border border-transparent shadow-sm text-sm font-medium rounded-md text-white bg-primary hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed" @click="manageSubscription()">
-                <ArrowTopRightOnSquareIcon class="-ml-1 mr-2 h-5 w-5" aria-hidden="true" />
-                {{ t('admin.licenseInfo.getLicense') }}
-              </button>
+              </a>
             </div>
           </div>
         </form>
       </section>
 
+      <!-- Web of Trust Configuration Section -->
       <section class="bg-white px-4 py-5 shadow-sm sm:rounded-lg sm:p-6">
         <h3 class="text-lg font-medium leading-6 text-gray-900">
           {{ t('admin.webOfTrust.title') }}
@@ -204,8 +167,8 @@
               {{ t('admin.webOfTrust.wotMaxDepth.title') }}
             </label>
             <div class="mt-1 md:mt-0 relative md:col-span-2 lg:col-span-1">
-              <input id="wotMaxDepth" v-model="wotMaxDepth" type="number" min="0" max="9" step="1" class="focus:ring-primary focus:border-primary block w-full shadow-xs sm:text-sm border-gray-300 rounded-md disabled:bg-gray-200" :class="{ 'border-red-300 text-red-900 focus:ring-red-500 focus:border-red-500': wotMaxDepthError instanceof FormValidationFailedError }"/>
-              <div v-if="wotMaxDepthError" class="absolute left-1/2 -translate-x-1/2 -top-2 transform translate-y-[-100%] w-5/6">
+              <input id="wotMaxDepth" v-model="wotMaxDepth" type="number" min="0" max="9" step="1" class="focus:ring-primary focus:border-primary block w-full shadow-xs sm:text-sm border-gray-300 rounded-md disabled:bg-gray-200" :class="{ 'border-red-300 text-red-900 focus:ring-red-500 focus:border-red-500': wotMaxDepthError instanceof WotFormValidationFailedError }"/>
+              <div v-if="wotMaxDepthError" class="absolute left-1/2 -translate-x-1/2 -top-2 transform translate-y-full w-5/6">
                 <div class="bg-red-50 border border-red-300 text-red-900 px-2 py-1 rounded shadow-sm text-sm hyphens-auto">
                   {{ t('admin.webOfTrust.wotMaxDepth.error') }}
                   <div class="absolute bottom-0 left-1/2 transform translate-y-1/2 rotate-45 w-2 h-2 bg-red-50 border-r border-b border-red-300"></div>
@@ -226,8 +189,8 @@
               {{ t('admin.webOfTrust.wotIdVerifyLen.title') }}
             </label>
             <div class="mt-1 md:mt-0 relative md:col-span-2 lg:col-span-1">
-              <input id="wotIdVerifyLen" v-model="wotIdVerifyLen" type="number" min="0" max="9" step="1" class="focus:ring-primary focus:border-primary block w-full shadow-sm sm:text-sm border-gray-300 rounded-md disabled:bg-gray-200" :class="{ 'border-red-300 text-red-900 focus:ring-red-500 focus:border-red-500': wotIdVerifyLenError instanceof FormValidationFailedError }"/>
-              <div v-if="wotIdVerifyLenError" class="absolute left-1/2 -translate-x-1/2 -top-2 transform translate-y-[-100%] w-5/6">
+              <input id="wotIdVerifyLen" v-model="wotIdVerifyLen" type="number" min="0" max="9" step="1" class="focus:ring-primary focus:border-primary block w-full shadow-sm sm:text-sm border-gray-300 rounded-md disabled:bg-gray-200" :class="{ 'border-red-300 text-red-900 focus:ring-red-500 focus:border-red-500': wotIdVerifyLenError instanceof WotFormValidationFailedError }"/>
+              <div v-if="wotIdVerifyLenError" class="absolute left-1/2 -translate-x-1/2 -top-2 transform translate-y-full w-5/6">
                 <div class="bg-red-50 border border-red-300 text-red-900 px-2 py-1 rounded shadow-sm text-sm hyphens-auto">
                   {{ t('admin.webOfTrust.wotIdVerifyLen.error') }}
                   <div class="absolute bottom-0 left-1/2 transform translate-y-1/2 rotate-45 w-2 h-2 bg-red-50 border-r border-b border-red-300"></div>
@@ -249,7 +212,7 @@
                 <span v-if="!wotUpdated">{{ t('admin.webOfTrust.save') }}</span>
                 <span v-else>{{ t('admin.webOfTrust.saved') }}</span>
               </button>
-              <p v-if="onSaveError != null && !(onSaveError instanceof FormValidationFailedError)" class="mt-2 text-sm text-red-900">
+              <p v-if="onSaveError && !(onSaveError instanceof WotFormValidationFailedError)" class="mt-2 text-sm text-red-900">
                 {{ t('common.unexpectedError', [onSaveError.message]) }}
               </p>
               <div v-if="wotHasUnsavedChanges" class="flex items-center whitespace-nowrap gap-1 text-sm text-yellow-700">
@@ -263,50 +226,78 @@
           </div>
         </form>
       </section>
+
+      <AdminSettingsEmergencyAccess/>
     </div>
   </div>
 </template>
 
 <script setup lang="ts">
-import { ArrowRightIcon, ArrowTopRightOnSquareIcon, CheckIcon, ExclamationTriangleIcon, InformationCircleIcon, LinkIcon, XMarkIcon } from '@heroicons/vue/20/solid';
+import { ArrowPathIcon, ArrowRightIcon, ArrowTopRightOnSquareIcon, CheckIcon, ExclamationTriangleIcon, InformationCircleIcon, LinkIcon, XMarkIcon } from '@heroicons/vue/20/solid';
 import semver from 'semver';
 import { computed, onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import backend, { BillingDto, VersionDto } from '../common/backend';
-import config, { absFrontendBaseURL } from '../common/config';
+import config, { absFrontendBaseURL, ConfigDto } from '../common/config';
 import { FetchUpdateError, LatestVersionDto, updateChecker } from '../common/updatecheck';
 import { debounce } from '../common/util';
 import FetchError from './FetchError.vue';
+import AdminSettingsEmergencyAccess from './AdminSettingsEmergencyAccess.vue';
+import ContentBanner from './ContentBanner.vue';
 
-const { t, d, locale, fallbackLocale } = useI18n({ useScope: 'global' });
-
+const { t, d } = useI18n({ useScope: 'global' });
 const props = defineProps<{
   token?: string
 }>();
 
-const version = ref<VersionDto>();
-const latestVersion = ref<LatestVersionDto>();
-const admin = ref<BillingDto>();
+const cfg = ref<ConfigDto>(config.get());
 const now = ref<Date>(new Date());
 const keycloakAdminRealmURL = ref<string>();
-const wotMaxDepth = ref<number>();
-const wotIdVerifyLen = ref<number>();
-const wotUpdated = ref(false);
-const debouncedWotUpdated = debounce(() => wotUpdated.value = false, 2000);
 const form = ref<HTMLFormElement>();
 const processing = ref(false);
-const onFetchError = ref<Error | null>();
+const onFetchError = ref<Error>();
 const errorOnFetchingUpdates = ref<boolean>(false);
-const onSaveError = ref<Error | null>(null);
-const wotMaxDepthError = ref<Error | null >(null);
-const wotIdVerifyLenError = ref<Error | null >(null);
+const hasLegacyDevices = ref<boolean>(false);
 
-class FormValidationFailedError extends Error {
-  constructor() {
-    super('The form is invalid.');
+onMounted(async () => {
+  keycloakAdminRealmURL.value = `${cfg.value.keycloakUrl}/admin/${cfg.value.keycloakRealm}/console/`;
+  if (props.token) {
+    await setToken(props.token);
+  }
+  await fetchData();
+});
+
+async function fetchData() {
+  try {
+    const versionDto = backend.version.get();
+    const versionAvailable = versionDto.then(versionDto => updateChecker.get(versionDto.hubVersion));
+    billing.value = await backend.billing.get();
+    version.value = await versionDto;
+    latestVersion.value = await versionAvailable;
+    hasLegacyDevices.value = await backend.devices.hasLegacyDevices();
+
+    const settings = await backend.settings.get();
+    wotMaxDepth.value = settings.wotMaxDepth;
+    wotIdVerifyLen.value = settings.wotIdVerifyLen;
+    initialWebOfTrustSettings.value = {
+      wotMaxDepth: wotMaxDepth.value,
+      wotIdVerifyLen: wotIdVerifyLen.value
+    };
+  } catch (error) {
+    if (error instanceof FetchUpdateError) {
+      errorOnFetchingUpdates.value = true;
+    } else {
+      console.error('Retrieving server information failed.', error);
+      onFetchError.value = error instanceof Error ? error : new Error('Unknown Error');
+    }
   }
 }
 
+// #region Update Information
+
+const version = ref<VersionDto>();
+const latestVersion = ref<LatestVersionDto>();
+
 const isBeta = computed(() => {
   if (version.value && semver.valid(version.value.hubVersion)) {
     return semver.prerelease(version.value.hubVersion ?? '0.1.0') != null;
@@ -326,84 +317,88 @@ const betaUpdateExists = computed(() => {
   return false;
 });
 
-const remainingSeats = computed(() => admin.value ? admin.value.licensedSeats - admin.value.usedSeats : undefined);
-const numberOfExceededSeats = computed(() => {
-  if (remainingSeats.value === undefined) {
-    return undefined;
-  }
-  return remainingSeats.value < 0 ? Math.abs(remainingSeats.value) : 0;
-});
+// #endregion
 
-type WotSettings = { wotMaxDepth: number; wotIdVerifyLen: number };
-const initialWebOfTrustSettings = ref<WotSettings>({ wotMaxDepth: 0, wotIdVerifyLen: 0 });
+// #region License Information
 
-const wotHasUnsavedChanges = computed(() => {
-  return (
-    initialWebOfTrustSettings.value.wotMaxDepth !== wotMaxDepth.value ||
-    initialWebOfTrustSettings.value.wotIdVerifyLen !== wotIdVerifyLen.value
-  );
-});
+const billing = ref<BillingDto>();
 
-onMounted(async () => {
-  const cfg = config.get();
-  keycloakAdminRealmURL.value = `${cfg.keycloakUrl}/admin/${cfg.keycloakRealm}/console`;
-  if (props.token) {
-    await setToken(props.token);
+const isRegistered = computed(() => !cfg.value.entitlements.showTrialHint );
+
+const manageSubscriptionUrl = computed(() => {
+  if (!billing.value) {
+    return '';
   }
-  await fetchData();
+  const returnUrl = `${absFrontendBaseURL}admin`;
+  return `${cfg.value.billingUrl}#oldLicense=${encodeURIComponent(billing.value.licenseKey)}&returnUrl=${encodeURIComponent(returnUrl)}`;
 });
 
-async function setToken(token: string) {
+async function refreshLicense() {
   try {
-    await backend.billing.setToken(token);
+    await backend.license.refresh();
+    billing.value = await backend.billing.get();
+    cfg.value = await config.reload();
   } catch (error) {
-    console.error('Setting token failed.', error);
+    console.error('Refreshing license info failed.', error);
   }
 }
 
-async function fetchData() {
+async function setToken(token: string) {
   try {
-    const versionDto = backend.version.get();
-    const versionAvailable = versionDto.then(versionDto => updateChecker.get(versionDto.hubVersion));
-    admin.value = await backend.billing.get();
-    version.value = await versionDto;
-    latestVersion.value = await versionAvailable;
-    
-    const settings = await backend.settings.get();
-    wotMaxDepth.value = settings.wotMaxDepth;
-    wotIdVerifyLen.value = settings.wotIdVerifyLen;
-    initialWebOfTrustSettings.value = {
-      wotMaxDepth: wotMaxDepth.value,
-      wotIdVerifyLen: wotIdVerifyLen.value
-    };
+    await backend.billing.setToken(token);
   } catch (error) {
-    if (error instanceof FetchUpdateError) {
-      errorOnFetchingUpdates.value = true;
-    } else {
-      console.error('Retrieving server information failed.', error);
-      onFetchError.value = error instanceof Error ? error : new Error('Unknown Error');
-    }
+    console.error('Setting token failed.', error);
   }
 }
 
-function manageSubscription() {
-  const returnUrl = `${absFrontendBaseURL}admin`;
-  window.open(`https://cryptomator.org/hub/billing/?hub_id=${admin.value?.hubId}&return_url=${encodeURIComponent(returnUrl)}`, '_self');
+const remainingSeats = computed(() => billing.value ? billing.value.licensedSeats - billing.value.usedSeats : 0);
+const numberOfExceededSeats = computed(() => {
+  if (remainingSeats.value === undefined) {
+    return undefined;
+  }
+  return remainingSeats.value < 0 ? Math.abs(remainingSeats.value) : 0;
+});
+
+// #endregion
+
+// #region Web of Trust
+
+type WotSettings = { wotMaxDepth: number; wotIdVerifyLen: number };
+const initialWebOfTrustSettings = ref<WotSettings>({ wotMaxDepth: 0, wotIdVerifyLen: 0 });
+const wotMaxDepth = ref<number>();
+const wotIdVerifyLen = ref<number>();
+const wotUpdated = ref(false);
+const debouncedWotUpdated = debounce(() => wotUpdated.value = false, 2000);
+const wotMaxDepthError = ref<Error>();
+const wotIdVerifyLenError = ref<Error>();
+const onSaveError = ref<Error>();
+
+class WotFormValidationFailedError extends Error {
+  constructor() {
+    super('The form is invalid.');
+  }
 }
 
+const wotHasUnsavedChanges = computed(() => {
+  return (
+    initialWebOfTrustSettings.value.wotMaxDepth !== wotMaxDepth.value ||
+    initialWebOfTrustSettings.value.wotIdVerifyLen !== wotIdVerifyLen.value
+  );
+});
+
 async function saveWebOfTrust() {
-  onSaveError.value = null;
-  wotMaxDepthError.value = null;
-  wotIdVerifyLenError.value = null;
-  if (admin.value == null || wotMaxDepth.value == null || wotIdVerifyLen.value == null) {
+  onSaveError.value = undefined;
+  wotMaxDepthError.value = undefined;
+  wotIdVerifyLenError.value = undefined;
+  if (billing.value === undefined || wotMaxDepth.value === undefined || wotIdVerifyLen.value === undefined) {
     throw new Error('No data available.');
   }
   if (!form.value?.checkValidity()) {
     if (wotMaxDepth.value < 0 || wotMaxDepth.value > 9) {
-      wotMaxDepthError.value = new FormValidationFailedError();
+      wotMaxDepthError.value = new WotFormValidationFailedError();
     }
     if (wotIdVerifyLen.value < 0) {
-      wotIdVerifyLenError.value = new FormValidationFailedError();
+      wotIdVerifyLenError.value = new WotFormValidationFailedError();
     }
     return;
   }
@@ -412,13 +407,13 @@ async function saveWebOfTrust() {
     const settings = {
       wotMaxDepth: wotMaxDepth.value,
       wotIdVerifyLen: wotIdVerifyLen.value,
-      hubId: admin.value.hubId
+      hubId: billing.value.hubId
     };
     initialWebOfTrustSettings.value = {
       wotMaxDepth: wotMaxDepth.value,
       wotIdVerifyLen: wotIdVerifyLen.value
     };
-    await backend.settings.put(settings);
+    await backend.settings.update(settings);
     wotUpdated.value = true;
     debouncedWotUpdated();
   } catch (error) {
@@ -434,4 +429,6 @@ function resetWebOfTrust() {
   wotIdVerifyLen.value = initialWebOfTrustSettings.value.wotIdVerifyLen;
 }
 
+// #endregion
+
 </script>
diff --git a/frontend/src/components/AdminSettingsEmergencyAccess.vue b/frontend/src/components/AdminSettingsEmergencyAccess.vue
new file mode 100644
index 000000000..01cd4ff78
--- /dev/null
+++ b/frontend/src/components/AdminSettingsEmergencyAccess.vue
@@ -0,0 +1,454 @@
+<template>
+  <section class="bg-white px-4 py-5 shadow-sm sm:rounded-lg sm:p-6">
+    <h3 class="text-lg font-medium leading-6 text-gray-900">{{ t('admin.emergencyAccess.title') }}</h3>
+    <p class="mt-1 text-sm text-gray-500 w-full">
+      {{ t('admin.emergencyAccess.description') }}
+      <a href="https://docs.cryptomator.org/hub/admin/#" target="_blank" class="ml-1 inline-flex items-center text-primary underline hover:text-primary-darker">
+        {{ t('admin.emergencyAccess.learnMore') }}
+        <ArrowRightIcon class="ml-1 h-4 w-4" aria-hidden="true" />
+      </a>
+    </p>
+    <hr class="my-4 border-gray-200"/>
+    <ContentBanner v-if="!entitlements.emergencyAccessEnabled" type="info" :title="t('missingEntitlements.title')">
+      {{ t('missingEntitlements.description') }} <!-- TODO: link to feature comparison? -->
+    </ContentBanner>
+    <form v-else class="space-y-6 md:gap-6" novalidate @submit.prevent="saveRecoverySettings">
+      <ContentBanner v-if="entitlements.showTrialHint" type="info" :title="t('trial.enterpriseFeature.title')" class="mb-6">
+        {{ t('trial.enterpriseFeature.description') }} <!-- TODO: link to feature comparison? -->
+      </ContentBanner>
+      <ContentBanner
+        v-if="noRedundancy"
+        type="warning"
+        :title="t('admin.emergencyAccess.noRedundancy.title')"
+        :link-text="t('admin.emergencyAccess.learnMore')"
+        link-url="https://docs.cryptomator.org/hub/admin/#"
+      >
+        {{ t('admin.emergencyAccess.noRedundancy.description') }}
+      </ContentBanner>
+      <!-- Enable Emergency Access -->
+      <div class="md:grid md:grid-cols-6 md:gap-6 items-baseline">
+        <label for="enableEmergencyAccess" class="col-span-2 block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">
+          {{ t('admin.emergencyAccess.enabled.label') }}
+        </label>
+        <div class="mt-2 md:mt-0 lg:col-span-3 md:col-span-4">
+          <input
+            id="enableEmergencyAccess"
+            v-model="enableEmergencyAccess"
+            type="checkbox"
+            class="h-4 w-4 text-primary focus:ring-primary border-gray-300 rounded"
+          />
+          <label for="enableEmergencyAccess" class="ml-2 text-sm text-gray-500">
+            {{ t('admin.emergencyAccess.enabled.help') }}
+          </label>
+        </div>
+      </div>
+
+      <!-- Key Splitting -->
+      <div class="md:grid md:grid-cols-6 md:gap-6 items-baseline">
+        <label for="requiredKeyShares" class="col-span-2 block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">
+          {{ t('admin.emergencyAccess.requiredKeys.label') }}
+        </label>
+        <div class="mt-1 md:mt-0 lg:col-span-3 md:col-span-4 relative">
+          <div class="flex items-center gap-2">
+            <div v-if="defaultRequiredEmergencyKeySharesLessThenTwoError || defaultRequiredEmergencyKeySharesToHighError instanceof FormValidationFailedError" class="absolute  -top-2 transform translate-y-full z-10">
+              <div class="bg-red-50 border border-red-300 text-red-900 px-2 py-1 rounded shadow-sm text-sm hyphens-auto">
+                {{ requiredKeySharesValidationText }}
+              </div>
+            </div>
+            <div class="relative flex-1">
+              <input
+                id="requiredKeyShares"
+                v-model.number="requiredShares"
+                type="number" min="2" max="255"
+                :disabled="!enableEmergencyAccess"
+                class="rounded-md border-gray-300 shadow-sm sm:text-sm focus:ring-primary focus:border-primary text-left w-full disabled:cursor-not-allowed disabled:bg-gray-200"
+                :class="{ 'border-red-300 text-red-900 focus:ring-red-500 focus:border-red-500': defaultRequiredEmergencyKeySharesError || defaultRequiredEmergencyKeySharesToHighError instanceof FormValidationFailedError}"
+                :aria-label="t('admin.emergencyAccess.requiredKeys.ariaLabel')"
+              />
+              <div v-if="defaultRequiredEmergencyKeySharesLessThenTwoError || defaultRequiredEmergencyKeySharesToHighError instanceof FormValidationFailedError" class="absolute  -top-2 transform translate-y-full z-10">
+                <div class="absolute bottom-0 left-5 transform translate-y-1/2 rotate-45 w-2 h-2 bg-red-50 border-r border-b border-red-300"></div>
+              </div>
+              <p class="mt-2 my-4 text-sm text-gray-500">{{ t('admin.emergencyAccess.requiredKeys.help') }}</p>
+            </div>
+          </div>
+        </div>
+      </div>
+
+      <!-- User Selection -->
+      <div class="md:grid md:grid-cols-6 md:gap-6">
+        <label for="searchKeyholder" class="col-span-2 block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">
+          {{ t('admin.emergencyAccess.keyholders.label') }}
+        </label>
+        <div class="mt-1 md:mt-0 lg:col-span-3 md:col-span-4">
+          <div class="relative">
+            <MultiUserSelectInputGroup
+              v-if="enableEmergencyAccess"
+              input-id="searchKeyholder"
+              :selected-users="selectedUsers"
+              :on-search="searchCouncilMembers"
+              :input-visible="enableEmergencyAccess"
+              :error-message="t('admin.emergencyAccess.keyholders.minSelected', [requiredShares])"
+              :has-error="!!selectedMembersError"
+              :placeholder="t('common.search.placeholder')"
+              @action="selectUser"
+              @remove="removeUser"
+            />
+            <MultiUserSelectInputGroup
+              v-else
+              :selected-users="selectedUsers"
+              :on-search="async () => []"
+              :input-visible="enableEmergencyAccess"
+              :disable-action="true"
+            />
+            <p class="mt-2 text-sm text-gray-500">{{ t('admin.emergencyAccess.keyholders.help') }}</p>
+          </div>
+        </div>
+      </div>
+
+      <!-- Allow Choosing Council + Min Members -->
+      <div class="md:grid md:grid-cols-6 md:gap-6">
+        <span class="col-span-2"></span>
+        <div class="mt-1 md:mt-0 lg:col-span-3 md:col-span-4 flex items-center h-9.5">
+          <input
+            id="allow"
+            v-model="allowChoosing"
+            :disabled="!enableEmergencyAccess"
+            type="checkbox"
+            class="h-4 w-4 text-primary focus:ring-primary border-gray-300 rounded"
+          />
+          <label for="allow" class="ml-2 text-sm text-gray-500">
+            {{ t('admin.emergencyAccess.allowChoosing.label') }}
+            <label for="minMembers" v-if="allowChoosing"> {{ t('admin.emergencyAccess.allowChoosing.atLeast') }}</label>
+          </label>
+
+          <div class="relative ml-2 flex-1">
+            <!-- Tooltip -->
+            <div
+              v-if="defaultMinMembersLessThenTwoError || defaultMinMembersToHighError || defaultMinMembersLowerThenRequiredEmergencyKeySharesError instanceof FormValidationFailedError"
+              class="absolute -top-2 left-0 translate-y-full z-10"
+            >
+              <div class="inline-block bg-red-50 border border-red-300 text-red-900 px-2 py-1 rounded shadow-sm text-sm hyphens-auto">
+                {{ requiredMinMembersValidationText }}
+              </div>
+              <!-- Arrow -->
+              <div class="absolute bottom-0 left-5 transform translate-y-1/2 rotate-45 w-2 h-2 bg-red-50 border-r border-b border-red-300"></div>
+            </div>
+
+            <!-- minMembers Input -->
+            <input
+              id="minMembers"
+              v-model.number="minMembers"
+              :disabled="!enableEmergencyAccess"
+              type="number"
+              min="2" max="255"
+              :hidden="!allowChoosing"
+              class="w-full rounded-md border-gray-300 shadow-sm sm:text-sm focus:ring-primary focus:border-primary text-left disabled:cursor-not-allowed disabled:bg-gray-200"
+              :class="{
+                'border-red-300 text-red-900 focus:ring-red-500 focus:border-red-500':
+                  defaultMinMembersLessThenTwoError || defaultMinMembersToHighError || defaultMinMembersLowerThenRequiredEmergencyKeySharesError instanceof FormValidationFailedError
+              }"
+              :aria-label="t('admin.emergencyAccess.minMembers.ariaLabel')"
+            />
+          </div>
+        </div>
+      </div>
+
+      <!-- Example Recovery -->
+      <div class="md:grid md:grid-cols-6 md:gap-6">
+        <span class="block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2 col-span-2">
+          {{ t('emergencyAccess.label.exampleRecovery') }}
+        </span>
+        <div class="mt-1 md:mt-0 lg:col-span-3 md:col-span-4">
+          <EmergencyScenarioVisualization
+            :selected-users="selectedUsers"
+            :required-key-shares="requiredShares!"
+          />
+          <p class="mt-2 text-sm text-gray-500">{{ t('admin.emergencyAccess.example.help') }}</p>
+        </div>
+      </div>
+
+      <!-- Save / Undo -->
+      <div class="md:grid md:grid-cols-3 md:gap-6">
+        <div class="md:col-start-2 flex items-center gap-2">
+          <button
+            type="submit"
+            :disabled="processing || !hasUnsavedChanges"
+            class="inline-flex justify-center py-2 px-4 border border-transparent shadow-sm text-sm font-medium rounded-md text-white bg-primary hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed"
+          >
+            <span v-if="!updated">{{ t('admin.webOfTrust.save') }}</span>
+            <span v-else>{{ t('admin.webOfTrust.saved') }}</span>
+          </button>
+          <div v-if="hasUnsavedChanges" class="flex items-center whitespace-nowrap gap-1 text-sm text-yellow-700">
+            <ExclamationTriangleIcon class="w-4 h-4 m-1 text-yellow-500" />
+            {{ t('common.unsavedChanges') }}&nbsp;
+            <button type="button" class="underline hover:text-yellow-900" @click="reset">
+              {{ t('common.undo') }}
+            </button>
+          </div>
+        </div>
+        <div class="md:col-start-2 flex items-center gap-2 col-span-2">
+          <p v-if="false && onSaveErrorRecovery" class="mt-2 text-sm text-red-900" >
+            {{ onSaveErrorRecovery!.message }}
+          </p>
+        </div>
+      </div>
+    </form>
+  </section>
+</template>
+
+<script setup lang="ts">
+import { ref, computed, onMounted, watch } from 'vue';
+import { ArrowRightIcon, ExclamationTriangleIcon } from '@heroicons/vue/20/solid';
+import ContentBanner from './ContentBanner.vue';
+import { useI18n } from 'vue-i18n';
+import backend, { UserDto, ActivatedUser, didCompleteSetup } from '../common/backend';
+import config from '../common/config';
+import MultiUserSelectInputGroup from './MultiUserSelectInputGroup.vue';
+import EmergencyScenarioVisualization from './emergencyaccess/EmergencyScenarioVisualization.vue';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const entitlements = config.get().entitlements;
+const noRedundancy = ref(false);
+const isKeySplittingInvalid = ref(false);
+const isMinMembersKeySplittingInvalid = ref(false);
+
+const isDescLoading = ref(false);
+let descTimer: number | undefined;
+
+class FormValidationFailedError extends Error {
+  constructor() {
+    super('The form is invalid.');
+  }
+}
+const requiredShares = ref<number>();
+const minMembers = ref<number>();
+const allowChoosing = ref<boolean>(false);
+const enableEmergencyAccess = ref<boolean>(false);
+
+type EmergencyAccessSettings = {
+  enableEmergencyAccess: boolean;
+  defaultRequiredEmergencyKeyShares?: number;
+  defaultMinMembers?: number;
+  allowChoosingEmergencyCouncil: boolean;
+  selectedUsers: UserDto[];
+};
+
+const initialEmergencyAccessSettings = ref<EmergencyAccessSettings>({ enableEmergencyAccess: false, defaultRequiredEmergencyKeyShares: 0, defaultMinMembers: 0, allowChoosingEmergencyCouncil: false, selectedUsers: [] });
+
+const initialCouncilMembers = ref<UserDto[]>([]);
+const addedCouncilMembers = ref<UserDto[]>([]);
+const selectedUsers = computed(() => [...initialCouncilMembers.value, ...addedCouncilMembers.value]);
+
+const processing = ref(false);
+const updated = ref(false);
+
+const selectedCouncilUserIds = computed(() => selectedUsers.value.map(u => u.id).sort().join(','));
+const initialCouncilUserIds = computed(() => initialEmergencyAccessSettings.value.selectedUsers.map(u => u.id).sort().join(','));
+
+const sameCouncilMemberIds = computed(() => {
+  return initialCouncilUserIds.value === selectedCouncilUserIds.value;
+});
+const hasUnsavedChanges = computed(() => {
+  return (
+    initialEmergencyAccessSettings.value.enableEmergencyAccess !== enableEmergencyAccess.value ||
+    initialEmergencyAccessSettings.value.defaultRequiredEmergencyKeyShares !== requiredShares.value ||
+    initialEmergencyAccessSettings.value.defaultMinMembers !== minMembers.value ||
+    initialEmergencyAccessSettings.value.allowChoosingEmergencyCouncil !== allowChoosing.value ||
+    !sameCouncilMemberIds.value
+  );
+});
+
+async function fetchEmergencyAccess() {
+  const allUsers = await backend.users.listAll();
+  const s = await backend.settings.get();
+
+  const selected = s.emergencyCouncilMemberIds
+    .map((id: string) => allUsers.find(u => u.id === id))
+    .filter((u): u is UserDto => !!u)
+    .sort((a, b) => a.name.localeCompare(b.name));
+
+  initialCouncilMembers.value = selected;
+  addedCouncilMembers.value = [];
+
+  requiredShares.value = s.defaultRequiredEmergencyKeyShares;
+  minMembers.value = s.defaultMinMembers;
+  allowChoosing.value = s.allowChoosingEmergencyCouncil;
+  enableEmergencyAccess.value = s.enableEmergencyAccess;
+
+  initialEmergencyAccessSettings.value = {
+    enableEmergencyAccess: enableEmergencyAccess.value,
+    defaultRequiredEmergencyKeyShares: requiredShares.value,
+    defaultMinMembers: minMembers.value,
+    allowChoosingEmergencyCouncil: allowChoosing.value,
+    selectedUsers: [...selectedUsers.value]
+  };
+}
+
+async function searchCouncilMembers(query: string): Promise<ActivatedUser[]> {
+  const existing = new Set(selectedUsers.value.map(m => m.id));
+  const auths = await backend.authorities.search(query, true);
+  return auths
+    .filter(a => a.type === 'USER')
+    .filter(a => didCompleteSetup(a))
+    .filter(a => !existing.has(a.id))
+    .sort((a, b) => a.name.localeCompare(b.name));
+}
+function selectUser(u: UserDto) {
+  if (!selectedUsers.value.some(x => x.id === u.id)) addedCouncilMembers.value.push(u);
+}
+function removeUser(u: UserDto) {
+  initialCouncilMembers.value = initialCouncilMembers.value.filter(x => x.id !== u.id);
+  addedCouncilMembers.value = addedCouncilMembers.value.filter(x => x.id !== u.id);
+}
+
+const requiredKeySharesValidationText = computed(() => {
+  if (defaultRequiredEmergencyKeySharesToHighError.value != null) return t('admin.emergencyAccess.validation.maxValue', [255]);
+  else if (defaultRequiredEmergencyKeySharesLessThenTwoError.value != null) return t('admin.emergencyAccess.validation.minValue', [2]);
+  return '';
+});
+
+const requiredMinMembersValidationText = computed(() => {
+  if (defaultMinMembersToHighError.value != null) return t('admin.emergencyAccess.validation.maxValue', [255]);
+  else if (defaultMinMembersLessThenTwoError.value != null) return t('admin.emergencyAccess.validation.minValue', [2]);
+  else if (defaultMinMembersLowerThenRequiredEmergencyKeySharesError.value != null) return t('admin.emergencyAccess.validation.minMembersAtLeastRequiredShares');
+  return '';
+});
+
+const onSaveErrorRecovery = ref<Error | null>(null);
+
+const defaultRequiredEmergencyKeySharesLessThenTwoError = ref<Error | null>(null);
+const defaultRequiredEmergencyKeySharesToHighError = ref<Error | null>(null);
+const defaultRequiredEmergencyKeySharesError = ref<Error | null>(null);
+
+const defaultMinMembersLessThenTwoError = ref<Error | null>(null);
+const defaultMinMembersToHighError = ref<Error | null>(null);
+const defaultMinMembersLowerThenRequiredEmergencyKeySharesError = ref<Error | null>(null);
+
+const selectedMembersError = ref<Error | null>(null);
+
+watch([selectedUsers, requiredShares], ([users, shares]) => {
+  noRedundancy.value = !!shares && users.length === shares;
+});
+
+watch([requiredShares], ([r]) => {
+  isDescLoading.value = true;
+  isKeySplittingInvalid.value = false;
+  isMinMembersKeySplittingInvalid.value = false;
+
+  defaultRequiredEmergencyKeySharesLessThenTwoError.value = null;
+  defaultRequiredEmergencyKeySharesToHighError.value = null;
+
+  if (r! >= 255 || r! < 2){
+    isKeySplittingInvalid.value = true;
+  }
+  if (descTimer) window.clearTimeout(descTimer);
+  descTimer = window.setTimeout(() => { isDescLoading.value = false; }, 350);
+});
+
+function validateRecoverySettings(): boolean {
+  defaultRequiredEmergencyKeySharesError.value = null;
+  selectedMembersError.value = null;
+  onSaveErrorRecovery.value = null;
+  defaultRequiredEmergencyKeySharesLessThenTwoError.value = null;
+  defaultRequiredEmergencyKeySharesToHighError.value = null;
+  defaultMinMembersLessThenTwoError.value = null;
+  defaultMinMembersToHighError.value = null;
+  defaultMinMembersLowerThenRequiredEmergencyKeySharesError.value = null;
+  
+  if (requiredShares.value == null || minMembers.value == null) {
+    onSaveErrorRecovery.value = new Error('Missing input');
+    return false;
+  }
+  if (requiredShares.value < 2) {
+    defaultRequiredEmergencyKeySharesLessThenTwoError.value = new FormValidationFailedError();
+    return false;
+  }
+  if (requiredShares.value > 255) {
+    defaultRequiredEmergencyKeySharesToHighError.value = new FormValidationFailedError();
+    return false;
+  }
+
+  if (minMembers.value < 2) {
+    defaultMinMembersLessThenTwoError.value = new FormValidationFailedError();
+    return false;
+  }
+  if (minMembers.value > 255) {
+    defaultMinMembersToHighError.value = new FormValidationFailedError();
+    return false;
+  }
+
+  if (allowChoosing.value && requiredShares.value > minMembers.value) {
+    defaultMinMembersLowerThenRequiredEmergencyKeySharesError.value = new FormValidationFailedError();
+    onSaveErrorRecovery.value = new Error(t('admin.emergencyAccess.errors.sharesMustNotExceedMembers'));
+    return false;
+  }
+  if (selectedUsers.value.length < requiredShares.value) {
+    selectedMembersError.value = new FormValidationFailedError();
+    return false;
+  }
+  return true;
+}
+
+async function saveRecoverySettings() {
+  if (enableEmergencyAccess.value && !validateRecoverySettings()) {
+    return;
+  }
+  try {
+    processing.value = true;
+    await backend.settings.update({
+      enableEmergencyAccess: enableEmergencyAccess.value,
+      defaultRequiredEmergencyKeyShares: requiredShares.value,
+      defaultMinMembers: allowChoosing.value ? minMembers.value : selectedUsers.value.length,
+      allowChoosingEmergencyCouncil: allowChoosing.value,
+      emergencyCouncilMemberIds: selectedUsers.value.map(u => u.id),
+    });
+    initialEmergencyAccessSettings.value = {
+      enableEmergencyAccess: enableEmergencyAccess.value,
+      defaultRequiredEmergencyKeyShares: requiredShares.value,
+      defaultMinMembers: allowChoosing.value ? minMembers.value : selectedUsers.value.length,
+      allowChoosingEmergencyCouncil: allowChoosing.value,
+      selectedUsers: selectedUsers.value
+    };
+
+    updated.value = true;
+    setTimeout(() => (updated.value = false), 2000);
+  } catch (e: any) {
+    onSaveErrorRecovery.value = e instanceof Error ? e : new Error('Unknown reason');
+  } finally {
+    processing.value = false;
+  }
+}
+
+function reset() {
+  requiredShares.value = initialEmergencyAccessSettings.value.defaultRequiredEmergencyKeyShares;
+  minMembers.value = initialEmergencyAccessSettings.value.defaultMinMembers;
+  allowChoosing.value = initialEmergencyAccessSettings.value.allowChoosingEmergencyCouncil;
+  initialCouncilMembers.value = [...initialEmergencyAccessSettings.value.selectedUsers];
+  enableEmergencyAccess.value = initialEmergencyAccessSettings.value.enableEmergencyAccess;
+  addedCouncilMembers.value = [];
+  defaultRequiredEmergencyKeySharesError.value = null;
+  selectedMembersError.value = null;
+  onSaveErrorRecovery.value = null;
+}
+
+watch(() => [selectedUsers.value.map(u => u.id).join(','), minMembers.value, requiredShares.value],
+  () => { 
+    selectedMembersError.value = null; 
+    defaultRequiredEmergencyKeySharesError.value = null; 
+    defaultMinMembersLowerThenRequiredEmergencyKeySharesError.value = null;
+  });
+onMounted(async () => {
+  await fetchEmergencyAccess();
+  updateNoRedundancy();
+});
+
+function updateNoRedundancy() {
+  const shares = requiredShares.value;
+  if (!shares) {
+    noRedundancy.value = false;
+    return;
+  }
+  noRedundancy.value = selectedUsers.value.length === shares;
+}
+</script>
diff --git a/frontend/src/components/ArchiveVaultDialog.vue b/frontend/src/components/ArchiveVaultDialog.vue
index 5fd7171ac..a84f34329 100644
--- a/frontend/src/components/ArchiveVaultDialog.vue
+++ b/frontend/src/components/ArchiveVaultDialog.vue
@@ -35,7 +35,7 @@
                     {{ t('common.cancel') }}
                   </button>
                 </div>
-                <p v-if="onArchiveVaultError != null" class="text-sm text-red-900 px-4 sm:px-6 text-right bg-red-50">
+                <p v-if="onArchiveVaultError" class="text-sm text-red-900 px-4 sm:px-6 text-right bg-red-50">
                   {{ t('common.unexpectedError', [onArchiveVaultError.message]) }}
                 </p>
               </form>
@@ -58,7 +58,7 @@ const { t } = useI18n({ useScope: 'global' });
 
 const open = ref(false);
 
-const onArchiveVaultError = ref<Error | null>();
+const onArchiveVaultError = ref<Error>();
 
 const props = defineProps<{
   vault: VaultDto
@@ -78,12 +78,12 @@ function show() {
 }
 
 async function archiveVault() {
-  onArchiveVaultError.value = null;
+  onArchiveVaultError.value = undefined;
   const dto = { ...props.vault };
   dto.archived = true;
   try {
-    const updatedVault = await backend.vaults.createOrUpdateVault(dto);
-    emit('archived', updatedVault);
+    const vaultDto = await backend.vaults.setArchived(props.vault.id, true);
+    emit('archived', vaultDto);
     open.value = false;
   } catch (error) {
     console.error('Archiving vault failed.', error);
diff --git a/frontend/src/components/AuditLog.vue b/frontend/src/components/AuditLog.vue
index ae9c2f2a8..7230cd259 100644
--- a/frontend/src/components/AuditLog.vue
+++ b/frontend/src/components/AuditLog.vue
@@ -1,6 +1,10 @@
 <template>
+  <ContentBanner v-if="cfg.entitlements.showTrialHint" type="info" :title="t('trial.enterpriseFeature.title')" class="mb-12">
+    {{ t('trial.enterpriseFeature.description') }} <!-- TODO: link to feature comparison? -->
+  </ContentBanner>
+
   <div v-if="state == State.Loading">
-    <div v-if="onFetchError == null">
+    <div v-if="!onFetchError">
       {{ t('common.loading') }}
     </div>
     <div v-else>
@@ -63,7 +67,7 @@
                     <input id="filter-end-date" v-model="endDateFilter" type="text" class="shadow-xs focus:ring-primary focus:border-primary block w-full sm:text-sm border-gray-300 rounded-md" :class="{ 'border-red-300 text-red-900 focus:ring-red-500 focus:border-red-500': !endDateFilterIsValid }" placeholder="yyyy-MM-dd" />
                   </div>
                   <div class="sm:grid sm:grid-cols-2 sm:items-center sm:gap-2">
-                    <label class="block text-sm font-medium text-gray-700 flex items-center">
+                    <label for="event-type-filter" class="block text-sm font-medium text-gray-700 flex items-center">
                       {{ t('auditLog.type') }}
                       <button 
                         type="button" 
@@ -76,7 +80,7 @@
                       </button>
                     </label>
                   </div>
-                  <Listbox v-model="selectedEventTypes" as="div" multiple>
+                  <Listbox id="event-type-filter" v-model="selectedEventTypes" as="div" multiple>
                     <div class="relative w-88">
                       <ListboxButton class="relative w-full rounded-md border border-gray-300 bg-white py-2 pl-3 pr-10 text-left shadow-sm focus:border-primary focus:outline-none focus:ring-1 focus:ring-primary text-sm">
                         <div class="flex flex-wrap gap-2">
@@ -159,6 +163,12 @@
                   </td>
                   <AuditLogDetailsDeviceRegister v-if="auditEvent.type == 'DEVICE_REGISTER'" :event="auditEvent" />
                   <AuditLogDetailsDeviceRemove v-else-if="auditEvent.type == 'DEVICE_REMOVE'" :event="auditEvent" />
+                  <AuditLogDetailsEmergencyAccessSetup v-else-if="auditEvent.type == 'EMERGENCY_ACCESS_SETUP'" :event="auditEvent" />
+                  <AuditLogDetailsEmergencyAccessSettingsUpdated v-else-if="auditEvent.type == 'EMERGENCY_ACCESS_SETTINGS_UPDATED'" :event="auditEvent" />
+                  <AuditLogDetailsEmergencyAccessRecoveryStarted v-else-if="auditEvent.type == 'EMERGENCY_ACCESS_RECOVERY_STARTED'" :event="auditEvent" />
+                  <AuditLogDetailsEmergencyAccessRecoveryApproved v-else-if="auditEvent.type == 'EMERGENCY_ACCESS_RECOVERY_APPROVED'" :event="auditEvent" />
+                  <AuditLogDetailsEmergencyAccessRecoveryCompleted v-else-if="auditEvent.type == 'EMERGENCY_ACCESS_RECOVERY_COMPLETED'" :event="auditEvent" />
+                  <AuditLogDetailsEmergencyAccessRecoveryAborted v-else-if="auditEvent.type == 'EMERGENCY_ACCESS_RECOVERY_ABORTED'" :event="auditEvent" />
                   <AuditLogDetailsSettingWotUpdate v-else-if="auditEvent.type == 'SETTING_WOT_UPDATE'" :event="auditEvent" />
                   <AuditLogDetailsSignedWotId v-else-if="auditEvent.type == 'SIGN_WOT_ID'" :event="auditEvent" />
                   <AuditLogDetailsUserAccountReset v-else-if="auditEvent.type == 'USER_ACCOUNT_RESET'" :event="auditEvent" />
@@ -198,7 +208,7 @@
               </tfoot>
             </table>
           </div>
-          <p v-if="onFetchError != null" class="text-sm text-red-900 mt-2">{{ onFetchError.message }}</p>
+          <p v-if="onFetchError" class="text-sm text-red-900 mt-2">{{ onFetchError.message }}</p>
         </div>
       </div>
     </div>
@@ -229,6 +239,12 @@ import auditlog, { AuditEventDto } from '../common/auditlog';
 import { PaymentRequiredError } from '../common/backend';
 import AuditLogDetailsDeviceRegister from './AuditLogDetailsDeviceRegister.vue';
 import AuditLogDetailsDeviceRemove from './AuditLogDetailsDeviceRemove.vue';
+import AuditLogDetailsEmergencyAccessSetup from './AuditLogDetailsEmergencyAccessSetup.vue';
+import AuditLogDetailsEmergencyAccessSettingsUpdated from './AuditLogDetailsEmergencyAccessSettingsUpdated.vue';
+import AuditLogDetailsEmergencyAccessRecoveryStarted from './AuditLogDetailsEmergencyAccessRecoveryStarted.vue';
+import AuditLogDetailsEmergencyAccessRecoveryApproved from './AuditLogDetailsEmergencyAccessRecoveryApproved.vue';
+import AuditLogDetailsEmergencyAccessRecoveryCompleted from './AuditLogDetailsEmergencyAccessRecoveryCompleted.vue';
+import AuditLogDetailsEmergencyAccessRecoveryAborted from './AuditLogDetailsEmergencyAccessRecoveryAborted.vue';
 import AuditLogDetailsSettingWotUpdate from './AuditLogDetailsSettingWotUpdate.vue';
 import AuditLogDetailsSignedWotId from './AuditLogDetailsSignedWotId.vue';
 import AuditLogDetailsUserAccountReset from './AuditLogDetailsUserAccountReset.vue';
@@ -243,6 +259,8 @@ import AuditLogDetailsVaultUpdate from './AuditLogDetailsVaultUpdate.vue';
 import AuditLogUserKeysChange from './AuditLogUserKeysChange.vue';
 import AuditLogUserSetupCodeChanged from './AuditLogUserSetupCodeChanged.vue';
 import FetchError from './FetchError.vue';
+import config, { ConfigDto } from '../common/config';
+import ContentBanner from './ContentBanner.vue';
 
 enum State {
   Loading,
@@ -252,9 +270,10 @@ enum State {
 
 const { t } = useI18n({ useScope: 'global' });
 
+const cfg = ref<ConfigDto>(config.get());
 const state = ref(State.Loading);
 const auditEvents = ref<AuditEventDto[]>([]);
-const onFetchError = ref<Error | null>();
+const onFetchError = ref<Error>();
 
 const startDate = ref(beginOfDate(new Date(new Date().setMonth(new Date().getMonth() - 1))));
 const startDateFilter = ref(startDate.value.toISOString().split('T')[0]);
@@ -299,6 +318,12 @@ const eventTypeOptions = Object.fromEntries(
   Object.entries({
     DEVICE_REGISTER: t('auditLog.details.device.register'),
     DEVICE_REMOVE: t('auditLog.details.device.remove'),
+    EMERGENCY_ACCESS_SETUP: t('auditLog.details.emergencyaccess.setup'),
+    EMERGENCY_ACCESS_SETTINGS_UPDATED: t('auditLog.details.emergencyaccess.settingsUpdated'),
+    EMERGENCY_ACCESS_RECOVERY_STARTED: t('auditLog.details.emergencyaccess.recoveryStarted'),
+    EMERGENCY_ACCESS_RECOVERY_APPROVED: t('auditLog.details.emergencyaccess.recoveryApproved'),
+    EMERGENCY_ACCESS_RECOVERY_COMPLETED: t('auditLog.details.emergencyaccess.recoveryCompleted'),
+    EMERGENCY_ACCESS_RECOVERY_ABORTED: t('auditLog.details.emergencyaccess.recoveryAborted'),
     SETTING_WOT_UPDATE: t('auditLog.details.setting.wot.update'),
     SIGN_WOT_ID: t('auditLog.details.wot.signedIdentity'),
     USER_ACCOUNT_RESET: t('auditLog.details.user.account.reset'),
@@ -330,7 +355,7 @@ watch(selectedEventTypes, (newSelection, oldSelection) => {
 });
 
 async function fetchData(page: number = 0) {
-  onFetchError.value = null;
+  onFetchError.value = undefined;
   try {
     // Fetch one more event than the page size to determine if there is a next page
     const events = await auditlog.service.getAllEvents(startDate.value, endDate.value, selectedEventTypes.value, lastIdOfPreviousPage[page], selectedOrder.value, pageSize.value + 1);
@@ -401,7 +426,7 @@ function validateDateFilterValue(dateFilterValue: string): Date | null {
     return null;
   }
   const date = new Date(dateFilterValue);
-  if (isNaN(date.getTime())) {
+  if (Number.isNaN(date.getTime())) {
     return null;
   } else {
     return date;
diff --git a/frontend/src/components/AuditLogDetailsEmergencyAccessRecoveryAborted.vue b/frontend/src/components/AuditLogDetailsEmergencyAccessRecoveryAborted.vue
new file mode 100644
index 000000000..262181135
--- /dev/null
+++ b/frontend/src/components/AuditLogDetailsEmergencyAccessRecoveryAborted.vue
@@ -0,0 +1,60 @@
+<template>
+  <td class="whitespace-nowrap px-3 py-4 text-sm font-medium text-gray-900">
+    {{ t('auditLog.details.emergencyaccess.recoveryAborted') }}
+  </td>
+  <td class="whitespace-nowrap py-4 pl-3 pr-4 sm:pr-6">
+    <dl class="flex flex-col gap-2">
+      <div class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>process</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <code class="text-xs">{{ event.processId }}</code>
+        </dd>
+      </div>
+
+      <div class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>councilMember</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <span v-if="resolvedCouncilMember != null">{{ resolvedCouncilMember.name }}</span>
+          <code
+            class="text-xs"
+            :class="{'text-gray-600': resolvedCouncilMember != null}"
+          >
+            {{ event.councilMemberId }}
+          </code>
+        </dd>
+      </div>
+
+      <div v-if="event.ipAddress" class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>ipAddress</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <code class="text-xs">{{ event.ipAddress }}</code>
+        </dd>
+      </div>
+    </dl>
+  </td>
+</template>
+
+<script setup lang="ts">
+import { onMounted, ref } from 'vue';
+import { useI18n } from 'vue-i18n';
+import auditlog, { AuditEventEmergencyAccessRecoveryAbortedDto } from '../common/auditlog';
+import type { AuthorityDto } from '../common/backend';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const props = defineProps<{
+  event: AuditEventEmergencyAccessRecoveryAbortedDto;
+}>();
+
+const resolvedCouncilMember = ref<AuthorityDto>();
+
+onMounted(async () => {
+  resolvedCouncilMember.value = await auditlog.entityCache.getAuthority(props.event.councilMemberId);
+});
+</script>
diff --git a/frontend/src/components/AuditLogDetailsEmergencyAccessRecoveryApproved.vue b/frontend/src/components/AuditLogDetailsEmergencyAccessRecoveryApproved.vue
new file mode 100644
index 000000000..2fd22379a
--- /dev/null
+++ b/frontend/src/components/AuditLogDetailsEmergencyAccessRecoveryApproved.vue
@@ -0,0 +1,53 @@
+<template>
+  <td class="whitespace-nowrap px-3 py-4 text-sm font-medium text-gray-900">
+    {{ t('auditLog.details.emergencyaccess.recoveryApproved') }}
+  </td>
+  <td class="whitespace-nowrap py-4 pl-3 pr-4 sm:pr-6">
+    <dl class="flex flex-col gap-2">
+      <div class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>process</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <code class="text-xs">{{ event.processId }}</code>
+        </dd>
+      </div>
+      <div class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>councilMember</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <span v-if="resolvedCouncilMember != null">{{ resolvedCouncilMember.name }}</span>
+          <code class="text-xs" :class="{'text-gray-600': resolvedCouncilMember != null}">{{ event.councilMemberId }}</code>
+        </dd>
+      </div>
+      <div v-if="event.ipAddress" class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>ipAddress</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <code class="text-xs">{{ event.ipAddress }}</code>
+        </dd>
+      </div>
+    </dl>
+  </td>
+</template>
+
+<script setup lang="ts">
+import { onMounted, ref } from 'vue';
+import { useI18n } from 'vue-i18n';
+import auditlog, { AuditEventEmergencyAccessRecoveryApprovedDto } from '../common/auditlog';
+import type { AuthorityDto } from '../common/backend';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const props = defineProps<{
+  event: AuditEventEmergencyAccessRecoveryApprovedDto
+}>();
+
+const resolvedCouncilMember = ref<AuthorityDto>();
+
+onMounted(async () => {
+  resolvedCouncilMember.value = await auditlog.entityCache.getAuthority(props.event.councilMemberId);
+});
+</script>
diff --git a/frontend/src/components/AuditLogDetailsEmergencyAccessRecoveryCompleted.vue b/frontend/src/components/AuditLogDetailsEmergencyAccessRecoveryCompleted.vue
new file mode 100644
index 000000000..af1f5305e
--- /dev/null
+++ b/frontend/src/components/AuditLogDetailsEmergencyAccessRecoveryCompleted.vue
@@ -0,0 +1,53 @@
+<template>
+  <td class="whitespace-nowrap px-3 py-4 text-sm font-medium text-gray-900">
+    {{ t('auditLog.details.emergencyaccess.recoveryCompleted') }}
+  </td>
+  <td class="whitespace-nowrap py-4 pl-3 pr-4 sm:pr-6">
+    <dl class="flex flex-col gap-2">
+      <div class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>process</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <code class="text-xs">{{ event.processId }}</code>
+        </dd>
+      </div>
+      <div class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>councilMember</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <span v-if="resolvedCouncilMember != null">{{ resolvedCouncilMember.name }}</span>
+          <code class="text-xs" :class="{'text-gray-600': resolvedCouncilMember != null}">{{ event.councilMemberId }}</code>
+        </dd>
+      </div>
+      <div v-if="event.ipAddress" class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>ipAddress</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <code class="text-xs">{{ event.ipAddress }}</code>
+        </dd>
+      </div>
+    </dl>
+  </td>
+</template>
+
+<script setup lang="ts">
+import { onMounted, ref } from 'vue';
+import { useI18n } from 'vue-i18n';
+import auditlog, { AuditEventEmergencyAccessRecoveryCompletedDto } from '../common/auditlog';
+import type { AuthorityDto } from '../common/backend';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const props = defineProps<{
+  event: AuditEventEmergencyAccessRecoveryCompletedDto
+}>();
+
+const resolvedCouncilMember = ref<AuthorityDto>();
+
+onMounted(async () => {
+  resolvedCouncilMember.value = await auditlog.entityCache.getAuthority(props.event.councilMemberId);
+});
+</script>
diff --git a/frontend/src/components/AuditLogDetailsEmergencyAccessRecoveryStarted.vue b/frontend/src/components/AuditLogDetailsEmergencyAccessRecoveryStarted.vue
new file mode 100644
index 000000000..8ec035f1d
--- /dev/null
+++ b/frontend/src/components/AuditLogDetailsEmergencyAccessRecoveryStarted.vue
@@ -0,0 +1,86 @@
+<template>
+  <td class="whitespace-nowrap px-3 py-4 text-sm font-medium text-gray-900">
+    {{ t('auditLog.details.emergencyaccess.recoveryStarted') }}
+  </td>
+  <td class="whitespace-nowrap py-4 pl-3 pr-4 sm:pr-6">
+    <dl class="flex flex-col gap-2">
+      <div class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>vault</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <span v-if="resolvedVault != null">{{ resolvedVault.name }}</span>
+          <code class="text-xs" :class="{'text-gray-600': resolvedVault != null}">{{ event.vaultId }}</code>
+        </dd>
+      </div>
+      <div class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>process</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <code class="text-xs">{{ event.processId }}</code>
+        </dd>
+      </div>
+      <div v-if="event.councilMemberId" class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>councilMember</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <span v-if="resolvedCouncilMember != null">{{ resolvedCouncilMember.name }}</span>
+          <code class="text-xs" :class="{'text-gray-600': resolvedCouncilMember != null}">{{ event.councilMemberId }}</code>
+        </dd>
+      </div>
+      <div v-if="event.recoveryType" class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>recoveryType</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <code class="text-xs">{{ event.recoveryType }}</code>
+        </dd>
+      </div>
+      <div v-if="event.details" class="flex items-start gap-2">
+        <dt class="text-xs text-gray-500 mt-1">
+          <code>details</code>
+        </dt>
+        <dd class="text-xs text-gray-900">
+          <pre class="max-w-[48rem] overflow-x-auto whitespace-pre-wrap break-words bg-gray-50 rounded p-2 ring-1 ring-inset ring-gray-200">{{ prettyDetails }}</pre>
+        </dd>
+      </div>
+    </dl>
+  </td>
+</template>
+
+<script setup lang="ts">
+import { onMounted, ref, computed } from 'vue';
+import { useI18n } from 'vue-i18n';
+import auditlog, { AuditEventEmergencyAccessRecoveryStartedDto } from '../common/auditlog';
+import type { AuthorityDto, VaultDto } from '../common/backend';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const props = defineProps<{
+  event: AuditEventEmergencyAccessRecoveryStartedDto
+}>();
+
+const resolvedVault = ref<VaultDto>();
+const resolvedCouncilMember = ref<AuthorityDto>();
+
+const prettyDetails = computed(() => {
+  const raw = props.event.details ?? '';
+  if (!raw) return '';
+  try {
+    const obj = JSON.parse(raw);
+    return JSON.stringify(obj, null, 2);
+  } catch {
+    return raw;
+  }
+});
+
+onMounted(async () => {
+  resolvedVault.value = await auditlog.entityCache.getVault(props.event.vaultId);
+
+  if (props.event.councilMemberId) {
+    resolvedCouncilMember.value = await auditlog.entityCache.getAuthority(props.event.councilMemberId);
+  }
+});
+</script>
diff --git a/frontend/src/components/AuditLogDetailsEmergencyAccessSettingsUpdated.vue b/frontend/src/components/AuditLogDetailsEmergencyAccessSettingsUpdated.vue
new file mode 100644
index 000000000..47071d88b
--- /dev/null
+++ b/frontend/src/components/AuditLogDetailsEmergencyAccessSettingsUpdated.vue
@@ -0,0 +1,86 @@
+<template>
+  <td class="whitespace-nowrap px-3 py-4 text-sm font-medium text-gray-900">
+    {{ t('auditLog.details.emergencyaccess.settingsUpdated') }}
+  </td>
+  <td class="whitespace-nowrap py-4 pl-3 pr-4 sm:pr-6">
+    <dl class="flex flex-col gap-2">
+      <div class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>admin</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <span v-if="resolvedAdmin != null">{{ resolvedAdmin.name }}</span>
+          <code class="text-xs" :class="resolvedAdmin ? 'text-gray-600' : ''">{{ event.adminId }}</code>
+        </dd>
+      </div>
+      <div class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>enableEmergencyAccess</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <code class="text-xs">{{ String(event.enableEmergencyAccess) }}</code>
+        </dd>
+      </div>
+      <div class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>requiredKeyShares</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <code class="text-xs">{{ event.requiredKeyShares }}</code>
+        </dd>
+      </div>
+      <div class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>minMembers</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <code class="text-xs">{{ event.minMembers }}</code>
+        </dd>
+      </div>
+      <div class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>allowChoosingCouncil</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <code class="text-xs">{{ String(event.allowChoosingCouncil) }}</code>
+        </dd>
+      </div>
+      <div v-if="councilIds.length > 0" class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>councilMembers</code>
+        </dt>
+        <dd class="flex items-center flex-wrap gap-2 text-sm text-gray-900">
+          <code v-for="id in councilIds" :key="id" class="text-xs text-gray-700">
+            {{ id }}
+          </code>
+        </dd>
+      </div>
+    </dl>
+  </td>
+</template>
+
+<script setup lang="ts">
+import { onMounted, ref, computed } from 'vue';
+import { useI18n } from 'vue-i18n';
+import auditlog, { AuditEventEmergencyAccessSettingsChangedDto } from '../common/auditlog';
+import type { AuthorityDto } from '../common/backend';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const props = defineProps<{
+  event: AuditEventEmergencyAccessSettingsChangedDto
+}>();
+
+const resolvedAdmin = ref<AuthorityDto | undefined>();
+
+const councilIds = computed<string[]>(() =>
+  (props.event.councilMemberIds ?? '')
+    .split(/\s+/)
+    .map(s => s.trim())
+    .filter(Boolean)
+);
+
+onMounted(async () => {
+  resolvedAdmin.value = await auditlog.entityCache.getAuthority(props.event.adminId);
+});
+</script>
diff --git a/frontend/src/components/AuditLogDetailsEmergencyAccessSetup.vue b/frontend/src/components/AuditLogDetailsEmergencyAccessSetup.vue
new file mode 100644
index 000000000..4a4956f35
--- /dev/null
+++ b/frontend/src/components/AuditLogDetailsEmergencyAccessSetup.vue
@@ -0,0 +1,75 @@
+<template>
+  <td class="whitespace-nowrap px-3 py-4 text-sm font-medium text-gray-900">
+    {{ t('auditLog.details.emergencyaccess.setup') }}
+  </td>
+  <td class="whitespace-nowrap py-4 pl-3 pr-4 sm:pr-6">
+    <dl class="flex flex-col gap-2">
+      <div class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>owner</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <span v-if="resolvedOwner != null">{{ resolvedOwner.name }}</span>
+          <code class="text-xs" :class="{'text-gray-600': resolvedOwner != null}">{{ event.ownerId }}</code>
+        </dd>
+      </div>
+      <div class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>vault</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <span v-if="resolvedVault != null">{{ resolvedVault.name }}</span>
+          <code class="text-xs" :class="{'text-gray-600': resolvedVault != null}">{{ event.vaultId }}</code>
+        </dd>
+      </div>
+      <div v-if="event.ipAddress" class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>ipAddress</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <code class="text-xs">{{ event.ipAddress }}</code>
+        </dd>
+      </div>
+      <div class="flex items-start gap-2">
+        <dt class="text-xs text-gray-500 mt-1">
+          <code>settings</code>
+        </dt>
+        <dd class="text-xs text-gray-900">
+          <pre class="max-w-[48rem] overflow-x-auto whitespace-pre-wrap break-words bg-gray-50 rounded p-2 ring-1 ring-inset ring-gray-200">{{ prettySettings }}</pre>
+        </dd>
+      </div>
+    </dl>
+  </td>
+</template>
+
+<script setup lang="ts">
+import { onMounted, ref, computed } from 'vue';
+import { useI18n } from 'vue-i18n';
+import auditlog, { AuditEventEmergencyAccessSetupDto } from '../common/auditlog';
+import type { AuthorityDto, VaultDto } from '../common/backend';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const props = defineProps<{
+  event: AuditEventEmergencyAccessSetupDto
+}>();
+
+const resolvedOwner = ref<AuthorityDto>();
+const resolvedVault = ref<VaultDto>();
+
+const prettySettings = computed(() => {
+  const raw = props.event.settings ?? '';
+  if (!raw) return '';
+  try {
+    const obj = JSON.parse(raw);
+    return JSON.stringify(obj, null, 2);
+  } catch {
+    return raw;
+  }
+});
+
+onMounted(async () => {
+  resolvedVault.value = await auditlog.entityCache.getVault(props.event.vaultId);
+  resolvedOwner.value = await auditlog.entityCache.getAuthority(props.event.ownerId);
+});
+</script>
diff --git a/frontend/src/components/AuditLogDetailsSignedWotId.vue b/frontend/src/components/AuditLogDetailsSignedWotId.vue
index 89f6de459..f349532ff 100644
--- a/frontend/src/components/AuditLogDetailsSignedWotId.vue
+++ b/frontend/src/components/AuditLogDetailsSignedWotId.vue
@@ -38,7 +38,7 @@
 </template>
 
 <script setup lang="ts">
-import { base64 } from 'rfc4648';
+import { base64 } from '@scure/base';
 import { onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import auditlog, { AuditEventSignedWotIdDto } from '../common/auditlog';
@@ -75,7 +75,7 @@ onMounted(async () => {
   }
 
   try {
-    const signerPublicKey = await asPublicKey(base64.parse(props.event.signerKey), UserKeys.ECDSA_KEY_DESIGNATION, UserKeys.ECDSA_PUB_KEY_USAGES);
+    const signerPublicKey = await asPublicKey(base64.decode(props.event.signerKey) as Uint8Array<ArrayBuffer>, UserKeys.ECDSA_KEY_DESIGNATION, UserKeys.ECDSA_PUB_KEY_USAGES);
     const [_, signedKeys] = await JWT.parse(props.event.signature, signerPublicKey) as [JWTHeader, SignedKeys];
     signedFingerprint.value = await wot.computeFingerprint({ ecdhPublicKey: signedKeys.ecdhPublicKey, ecdsaPublicKey: signedKeys.ecdsaPublicKey });
     if (props.event.signerKey === signingUser?.ecdsaPublicKey && signedFingerprint.value === currentFingerprint.value) {
diff --git a/frontend/src/components/AuthenticatedMain.vue b/frontend/src/components/AuthenticatedMain.vue
index eaffe4055..82a952c9b 100644
--- a/frontend/src/components/AuthenticatedMain.vue
+++ b/frontend/src/components/AuthenticatedMain.vue
@@ -1,7 +1,7 @@
 <template>
-  <div v-if="me == null">
+  <div v-if="me === undefined">
     <!--TODO: beautify loading screen -->
-    <div v-if="onFetchError == null">
+    <div v-if="!onFetchError">
       {{ t('common.loading') }}
     </div>
     <div v-else>
@@ -29,12 +29,12 @@ import NavigationBar from './NavigationBar.vue';
 const { t } = useI18n({ useScope: 'global' });
 
 const me = ref<UserDto>();
-const onFetchError = ref<Error | null>();
+const onFetchError = ref<Error>();
 
 onMounted(fetchData);
 
 async function fetchData() {
-  onFetchError.value = null;
+  onFetchError.value = undefined;
   try {
     me.value = await userdata.me;
   } catch (error) {
diff --git a/frontend/src/components/ClaimVaultOwnershipDialog.vue b/frontend/src/components/ClaimVaultOwnershipDialog.vue
index 133a89380..50fda1cdb 100644
--- a/frontend/src/components/ClaimVaultOwnershipDialog.vue
+++ b/frontend/src/components/ClaimVaultOwnershipDialog.vue
@@ -35,7 +35,7 @@
                   <button type="button" class="mt-3 w-full inline-flex justify-center rounded-md border border-gray-300 shadow-xs px-4 py-2 bg-white text-base font-medium text-gray-700 hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:mt-0 sm:ml-3 sm:w-auto sm:text-sm" @click="open = false">
                     {{ t('common.cancel') }}
                   </button>
-                  <div v-if="onAuthenticationError != null">
+                  <div v-if="onAuthenticationError">
                     <p v-if="onAuthenticationError instanceof FormValidationFailedError" class="text-sm text-red-900">
                       {{ t('claimVaultOwnershipDialog.error.formValidationFailed') }}
                     </p>
@@ -75,7 +75,7 @@ const { t } = useI18n({ useScope: 'global' });
 
 const form = ref<HTMLFormElement>();
 
-const onAuthenticationError = ref<Error|null>();
+const onAuthenticationError = ref<Error>();
 
 const open = ref(false);
 const password = ref('');
@@ -98,7 +98,7 @@ function show() {
 }
 
 async function authenticateVaultAdmin() {
-  onAuthenticationError.value = null;
+  onAuthenticationError.value = undefined;
   try {
     if (!form.value?.checkValidity()) {
       throw new FormValidationFailedError();
diff --git a/frontend/src/components/ContentBanner.vue b/frontend/src/components/ContentBanner.vue
new file mode 100644
index 000000000..d6e98dcfb
--- /dev/null
+++ b/frontend/src/components/ContentBanner.vue
@@ -0,0 +1,97 @@
+<template>
+  <div
+    class="rounded-md p-4 ring-1"
+    :class="[typeStyles.bg, typeStyles.border]"
+  >
+    <div class="flex">
+      <div class="shrink-0">
+        <component :is="typeStyles.icon" class="h-5 w-5" :class="[typeStyles.iconColor]" aria-hidden="true" />
+      </div>
+      <div class="ml-3 flex-1">
+        <h3 v-if="props.title" class="text-sm font-medium" :class="[typeStyles.titleColor]">
+          {{ props.title }}
+        </h3>
+        <div :class="[props.title ? 'mt-2' : '', 'text-sm', typeStyles.textColor]">
+          <slot></slot>
+          <a
+            v-if="props.linkText && props.linkUrl"
+            :href="props.linkUrl"
+            target="_blank"
+            class="ml-1 inline-flex items-center text-primary underline hover:text-primary-darker"
+          >
+            {{ props.linkText }}
+            <ArrowRightIcon class="ml-1 h-4 w-4" aria-hidden="true" />
+          </a>
+        </div>
+      </div>
+      <div v-if="props.dismissible" class="ml-auto pl-3">
+        <div class="-mx-1.5 -my-1.5">
+          <button
+            type="button"
+            class="inline-flex rounded-md p-1.5 focus:outline-none focus:ring-2 focus:ring-offset-2"
+            :class="[typeStyles.dismissButton]"
+            @click="emit('dismiss')"
+          >
+            <span class="sr-only">Dismiss</span>
+            <XMarkIcon class="h-5 w-5" aria-hidden="true" />
+          </button>
+        </div>
+      </div>
+    </div>
+  </div>
+</template>
+
+<script setup lang="ts">
+import { computed } from 'vue';
+import { ExclamationTriangleIcon, XCircleIcon, InformationCircleIcon, ArrowRightIcon, XMarkIcon } from '@heroicons/vue/20/solid';
+
+const props = withDefaults(defineProps<{
+  type?: 'info' | 'warning' | 'error';
+  title?: string;
+  linkText?: string;
+  linkUrl?: string;
+  dismissible?: boolean;
+}>(), {
+  type: 'info',
+  dismissible: false
+});
+
+const emit = defineEmits<{
+  dismiss: [];
+}>();
+
+const typeStyles = computed(() => {
+  switch (props.type) {
+    case 'warning':
+      return {
+        bg: 'bg-yellow-50',
+        border: 'ring-yellow-300/70',
+        icon: ExclamationTriangleIcon,
+        iconColor: 'text-yellow-400',
+        titleColor: 'text-yellow-800',
+        textColor: 'text-yellow-700',
+        dismissButton: 'bg-yellow-50 text-yellow-500 hover:bg-yellow-100 focus:ring-yellow-600 focus:ring-offset-yellow-50'
+      };
+    case 'error':
+      return {
+        bg: 'bg-red-50',
+        border: 'ring-red-300/70',
+        icon: XCircleIcon,
+        iconColor: 'text-red-400',
+        titleColor: 'text-red-800',
+        textColor: 'text-red-700',
+        dismissButton: 'bg-red-50 text-red-500 hover:bg-red-100 focus:ring-red-600 focus:ring-offset-red-50'
+      };
+    default: // info
+      return {
+        bg: 'bg-blue-50',
+        border: 'ring-blue-300/70',
+        icon: InformationCircleIcon,
+        iconColor: 'text-blue-400',
+        titleColor: 'text-blue-800',
+        textColor: 'text-blue-700',
+        dismissButton: 'bg-blue-50 text-blue-500 hover:bg-blue-100 focus:ring-blue-600 focus:ring-offset-blue-50'
+      };
+  }
+});
+</script>
diff --git a/frontend/src/components/CreateVault.vue b/frontend/src/components/CreateVault.vue
index 7a8af3eef..c03e84b03 100644
--- a/frontend/src/components/CreateVault.vue
+++ b/frontend/src/components/CreateVault.vue
@@ -78,7 +78,7 @@
             >
               {{ t('createVault.enterRecoveryKey.submit') }}
             </button>
-            <div v-if="onRecoverError != null">
+            <div v-if="onRecoverError">
               <p v-if="onRecoverError instanceof FormValidationFailedError" class="text-sm text-red-900 mt-2">{{ t('createVault.error.formValidationFailed') }}</p>
               <p v-else-if="onRecoverError instanceof DecodeUvfRecoveryKeyError || onRecoverError instanceof DecodeVf8RecoveryKeyError" class="text-sm text-red-900 mt-2">{{ t('createVault.error.invalidRecoveryKey') }}</p>
               <p v-else class="text-sm text-red-900 mt-2">{{ t('createVault.error.invalidRecoveryKey') }}</p>
@@ -88,10 +88,11 @@
       </div>
     </form>
   </div>
-
-  <div v-else-if="state == State.EnterVaultDetails">
+  <!-- // / start katta modification -->
+  <div v-else-if="state == State.EnterVaultDetails && (backends?.values?.length ?? 0) > 0  && (regions?.values?.length ?? 0) > 0">
+  <!-- // \ end katta modification -->
     <BreadcrumbNav :crumbs="[ { label: t('vaultList.title'), to: '/app/vaults' }, { label: t('createVault.enterVaultDetails.title') } ]"/>
-    <VaultCreationProgress :state="State.EnterVaultDetails" :steps="allCreateStates" class="flex justify-center mb-4" />
+    <VaultCreationProgress :state="State.EnterVaultDetails" :steps="getCurrentStates" class="flex justify-center mb-4" />
     <form ref="form" class="space-y-6" novalidate @submit.prevent="validateVaultDetails()">
       <div class="flex justify-center text-center">
         <div class="bg-white shadow-sm rounded-lg overflow-hidden sm:w-full sm:max-w-lg">
@@ -117,23 +118,171 @@
             </div>
 
             <div>
-              <label for="vaultDescription" class="block text-sm font-medium text-gray-700  text-left">
+              <label for="vaultDescription" class="block text-sm font-medium text-gray-700 text-left">
                 {{ t('createVault.enterVaultDetails.vaultDescription') }}
                 <span class="text-xs text-gray-500">({{ t('common.optional') }})</span>
               </label>
               <input id="vaultDescription" v-model="vault.description" :disabled="processing" type="text" class="mt-1 focus:ring-primary focus:border-primary block w-full shadow-xs sm:text-sm border-gray-300 rounded-md disabled:bg-gray-200"/>
             </div>
+
+            <!-- / start katta extension -->
+            <div class="col-span-6 sm:col-span-3">
+                <label for="vaultName" class="block text-sm font-medium text-gray-700">{{ t('CreateVaultS3.enterVaultDetails.storage') }}</label>
+                <Listbox as="div" class="mt-1 focus:ring-primary focus:border-primary block w-full shadow-sm sm:text-sm border-gray-300 rounded-md disabled:bg-gray-200" v-model="selectedBackend"
+                   @update:modelValue="value => { setRegionsOnSelectStorage(value);}"
+                >
+                  <ListboxButton class="relative w-full cursor-default rounded-lg bg-white py-2 pl-3 pr-10 text-left shadow-md focus:outline-none focus-visible:border-indigo-500 focus-visible:ring-2 focus-visible:ring-white focus-visible:ring-opacity-75 focus-visible:ring-offset-2 focus-visible:ring-offset-orange-300 sm:text-sm">
+                    <span class="block truncate text-sm font-medium text-gray-700">{{ selectedBackend ? selectedBackend.name : '' }}</span>
+                    <span
+                      class="pointer-events-none absolute inset-y-0 right-0 flex items-center pr-2"
+                    >
+                      <ChevronUpDownIcon
+                        class="h-5 w-5 text-gray-400"
+                        aria-hidden="true"
+                      />
+                    </span>
+                  </ListboxButton>
+
+                  <transition
+                    leave-active-class="transition duration-100 ease-in"
+                    leave-from-class="opacity-100"
+                    leave-to-class="opacity-0"
+                  >
+                    <div class="col-span-6 sm:col-span-4">
+                    <ListboxOptions
+                      class="relative mt-1 max-h-60 w-full overflow-auto rounded-md bg-white py-1 text-base shadow-lg ring-1 ring-black ring-opacity-5 focus:outline-none sm:text-sm"
+                    >
+                      <ListboxOption
+                        v-slot="{ active, selected }"
+                        v-for="backend in backends"
+                        :key="backend.name"
+                        :value="backend"
+                        as="template"
+                      >
+                        <li
+                          :class="[
+                            active ? 'bg-emerald-100 text-emerald-900' : 'text-gray-900',
+                            'relative cursor-default select-none py-2 pl-10 pr-4',
+                          ]"
+                        >
+                          <span
+                            :class="[
+                              selected ? 'font-medium' : 'font-normal',
+                              'block truncate col-span-6 sm:col-span-4',
+                            ]">{{ backend.name }}</span>
+                          <span
+                            v-if="selected"
+                            class="absolute inset-y-0 left-0 flex items-center pl-3 text-amber-600"
+                          >
+                            <CheckIcon class="h-5 w-5" aria-hidden="true" />
+                          </span>
+                        </li>
+                      </ListboxOption>
+                    </ListboxOptions>
+                    </div>
+                  </transition>
+                </Listbox>
+            </div>
+            <br/>
+            <div v-if="!isPermanent" class="col-span-6 sm:col-span-3">
+                <label for="vaultName" class="block text-sm font-medium text-gray-700">{{ t('CreateVaultS3.enterVaultDetails.region') }}</label>
+                <Listbox as="div" class="mt-1 focus:ring-primary focus:border-primary block w-full shadow-sm sm:text-sm border-gray-300 rounded-md disabled:bg-gray-200" v-model="selectedRegion">
+                  <ListboxButton class="relative w-full cursor-default rounded-lg bg-white py-2 pl-3 pr-10 text-left shadow-md focus:outline-none focus-visible:border-indigo-500 focus-visible:ring-2 focus-visible:ring-white focus-visible:ring-opacity-75 focus-visible:ring-offset-2 focus-visible:ring-offset-orange-300 sm:text-sm">
+                    <span class="block truncate text-sm font-medium text-gray-700">{{ selectedRegion }}</span>
+                    <span
+                      class="pointer-events-none absolute inset-y-0 right-0 flex items-center pr-2"
+                    >
+                      <ChevronUpDownIcon
+                        class="h-5 w-5 text-gray-400"
+                        aria-hidden="true"
+                      />
+                    </span>
+                  </ListboxButton>
+
+                  <transition
+                    leave-active-class="transition duration-100 ease-in"
+                    leave-from-class="opacity-100"
+                    leave-to-class="opacity-0"
+                  >
+                    <div class="col-span-6 sm:col-span-4">
+                    <ListboxOptions
+                      class="relative mt-1 max-h-60 w-full overflow-auto rounded-md bg-white py-1 text-base shadow-lg ring-1 ring-black ring-opacity-5 focus:outline-none sm:text-sm"
+                    >
+                      <ListboxOption
+                        v-slot="{ active, selected }"
+                        v-for="region in regions"
+                        :key="region"
+                        :value="region"
+                        as="template"
+                      >
+                        <li
+                          :class="[
+                            active ? 'bg-emerald-100 text-emerald-900' : 'text-gray-900',
+                            'relative cursor-default select-none py-2 pl-10 pr-4',
+                          ]"
+                        >
+                          <span
+                            :class="[
+                              selected ? 'font-medium' : 'font-normal',
+                              'block truncate col-span-6 sm:col-span-4',
+                            ]">{{ region }}</span>
+                          <span
+                            v-if="selected"
+                            class="absolute inset-y-0 left-0 flex items-center pl-3 text-amber-600"
+                          >
+                            <CheckIcon class="h-5 w-5" aria-hidden="true" />
+                          </span>
+                        </li>
+                      </ListboxOption>
+                    </ListboxOptions>
+                    </div>
+                  </transition>
+                </Listbox>
+            </div>
+            <div v-if="isPermanent" class="col-span-6 sm:col-span-4">
+                <label for="vaultAccessKeyId" class="block text-sm font-medium text-gray-700">
+                  {{ t('CreateVaultS3.enterVaultDetails.vaultPermanentAccessKeyId') }}
+                </label>
+                <input id="vaultAccessKeyId" v-model="vaultAccessKeyId" :disabled="processing" type="text" class="mt-1 focus:ring-primary focus:border-primary block w-full shadow-sm sm:text-sm border-gray-300 rounded-md disabled:bg-gray-200" :class="{ 'invalid:border-red-300 invalid:text-red-900 focus:invalid:ring-red-500 focus:invalid:border-red-500': onCreateError instanceof FormValidationFailedError }" required/>
+            </div>
+            <div v-if="isPermanent" class="col-span-6 sm:col-span-4">
+                <label for="vaultSecretKey" class="block text-sm font-medium text-gray-700">
+                  {{ t('CreateVaultS3.enterVaultDetails.vaultPermanentSecretKey') }}
+                </label>
+                <input id="vaultSecretKey" v-model="vaultSecretKey" :disabled="processing" type="text" class="mt-1 focus:ring-primary focus:border-primary block w-full shadow-sm sm:text-sm border-gray-300 rounded-md disabled:bg-gray-200" :class="{ 'invalid:border-red-300 invalid:text-red-900 focus:invalid:ring-red-500 focus:invalid:border-red-500': onCreateError instanceof FormValidationFailedError }" required/>
+            </div>
+            <div v-if="isPermanent" class="col-span-6 sm:col-span-4">
+                <label for="vaultBucketName" class="block text-sm font-medium text-gray-700">
+                  {{ t('CreateVaultS3.enterVaultDetails.vaultPermanentBucketName') }}
+                </label>
+                <input id="vaultBucketName" v-model="vaultBucketName" :disabled="processing" type="text" class="mt-1 focus:ring-primary focus:border-primary block w-full shadow-sm sm:text-sm border-gray-300 rounded-md disabled:bg-gray-200" :class="{ 'invalid:border-red-300 invalid:text-red-900 focus:invalid:ring-red-500 focus:invalid:border-red-500': onCreateError instanceof FormValidationFailedError }" required/>
+            </div>
+            <br/>
+            <div class="col-span-6 sm:col-span-3">
+                <label for="vaultName" class="block text-sm font-medium text-gray-700">{{ t('CreateVaultS3.enterVaultDetails.automaticAccessGrant') }}</label>
+                <input id="automaticAccessGrant" v-model="automaticAccessGrant" name="automaticAccessGrant" type="checkbox" class="h-4 w-4 rounded border-gray-300 text-primary focus:ring-primary" required>
+            </div>
+            <!-- \ end katta extension -->
+
+
           </div>
 
           <div class="bg-gray-50 mt-4 px-4 py-3 sm:px-6">
             <div class="flex flex-col sm:flex-row sm:justify-between sm:items-center sm:space-x-4">
               <div class="text-sm text-red-900 text-right sm:flex-1 sm:min-w-0">
-                <template v-if="onCreateError !== null">
+                <template v-if="onCreateError">
                   <p v-if="(onCreateError instanceof FormValidationFailedError)">
-                    {{ t('createVault.error.formValidationFailed','') }} 
+                    {{ t('createVault.error.formValidationFailed','') }}
+                  </p>
+                  <!-- // / start katta extension -->
+                  <p v-else-if="(onCreateError instanceof StorageProfileError )">
+                    {{ t('CreateVaultS3.error.invalidStorageProfileConfiguration', '') }}: {{ onCreateError.message }}
                   </p>
-                  <p v-if="(onRecoverError instanceof DecodeUvfRecoveryKeyError || onRecoverError instanceof DecodeVf8RecoveryKeyError)">
-                    {{ t('createVault.error.invalidRecoveryKey','') }} 
+                  <!-- // \ end katta extension -->
+                  <!-- // / start katta modification -->
+                  <p v-else-if="(onCreateError instanceof DecodeUvfRecoveryKeyError || onCreateError instanceof DecodeVf8RecoveryKeyError)">
+                  <!-- // \  end katta modification -->
+                    {{ t('createVault.error.invalidRecoveryKey','') }}
                   </p>
                   <p v-else>
                     {{ t('common.unexpectedError', [onCreateError.message]) }}
@@ -156,9 +305,63 @@
     </form>
   </div>
 
+  <div v-else-if="state == State.DefineEmergencyAccess">
+    <BreadcrumbNav :crumbs="[ { label: t('vaultList.title'), to: '/app/vaults' }, { label: t('createVault.enterVaultDetails.title') } ]"/>
+    <VaultCreationProgress :state="state" :steps="getCurrentStates" class="flex justify-center mb-4" />
+    <form @submit.prevent="validateVaultEmergencyAccess()">
+      <div class="flex justify-center">
+        <div class="bg-white shadow-sm rounded-lg sm:w-full sm:max-w-lg">
+          <div class="mx-auto mt-5 flex items-center justify-center h-12 w-12 rounded-full bg-emerald-100">
+            <ArrowPathIcon class="h-6 w-6 text-emerald-600" aria-hidden="true" />
+          </div>
+          <div class="mt-3 mb-3 px-4 sm:mt-5">
+            <h3 class="text-lg leading-6 font-medium text-gray-900 text-center">
+              {{ t('createVault.emergencyAccessDetails.title') }}
+            </h3>
+            <div class="mt-2">
+              <p class="text-sm text-gray-500 text-center">
+                {{ settings?.allowChoosingEmergencyCouncil
+                  ? t('createVault.emergencyAccessDetails.description')
+                  : t('createVault.emergencyAccessDetails.description.adminDefined') }}
+              </p>
+            </div>
+            <EmergencyAccessSetup v-if="settings" ref="emergencyAccessSetup" :settings="settings" :required-key-shares="settings.defaultRequiredEmergencyKeyShares" :allow-choosing-council="settings.allowChoosingEmergencyCouncil"/>
+          </div>
+          <div class="bg-gray-50 mt-4 px-4 py-3 sm:px-6 rounded-b-lg">
+            <div class="flex flex-col sm:flex-row sm:justify-between sm:items-center sm:space-x-4">
+              <div class="text-sm text-red-900 sm:flex-1 sm:min-w-0">
+                <template v-if="onCreateError">
+                  <p v-if="!(onCreateError instanceof PaymentRequiredError)">
+                    {{ t('common.unexpectedError', [onCreateError.message]) }}
+                  </p>
+                </template>
+              </div>
+              <div class="flex flex-col-reverse sm:flex-row-reverse sm:space-x-reverse sm:space-x-3 shrink-0 mt-4 sm:mt-0">
+                <button
+                  type="submit"
+                  :disabled="!emergencyAccessSetup || emergencyAccessSetup.hasValidationErrors || processing"
+                  class="inline-flex justify-center rounded-md border border-transparent bg-primary px-4 py-2 text-base font-medium text-white shadow-sm hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:text-sm disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed"
+                >
+                  {{ t('common.next') }}
+                </button>
+                <button
+                  type="button"
+                  class="mt-3 sm:mt-0 inline-flex justify-center rounded-md border border-gray-300 bg-white px-4 py-2 text-base font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:text-sm"
+                  @click="backToEnterVaultDetails()"
+                >
+                  {{ t('common.previous') }}
+                </button>
+              </div>
+            </div>
+          </div>
+        </div>
+      </div>
+    </form>
+  </div>
+
   <div v-else-if="state == State.ShowRecoveryKey">
     <BreadcrumbNav :crumbs="[ { label: t('vaultList.title'), to: '/app/vaults' }, { label: t('createVault.enterVaultDetails.title') } ]"/>
-    <VaultCreationProgress :state="state" :steps="allCreateStates" class="flex justify-center mb-4" />
+    <VaultCreationProgress :state="state" :steps="getCurrentStates" class="flex justify-center mb-4" />
     <form @submit.prevent="createVault()">
       <div class="flex justify-center text-center">
         <div class="bg-white shadow-sm rounded-lg overflow-hidden sm:max-w-lg">
@@ -217,7 +420,7 @@
           <div class="bg-gray-50 mt-4 px-4 py-3 sm:px-6">
             <div class="flex flex-col sm:flex-row sm:justify-between sm:items-center sm:space-x-4">
               <div class="text-sm text-red-900 sm:flex-1 sm:min-w-0">
-                <template v-if="onCreateError !== null">
+                <template v-if="onCreateError">
                   <p v-if="!(onCreateError instanceof PaymentRequiredError)">
                     {{ t('common.unexpectedError', [onCreateError.message]) }}
                   </p>
@@ -237,7 +440,7 @@
                 <button
                   type="button"
                   class="mt-3 sm:mt-0 inline-flex justify-center rounded-md border border-gray-300 bg-white px-4 py-2 text-base font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:text-sm"
-                  @click="backToEnterVaultDetails()" 
+                  @click="backToDefineEmergencyAccess()"
                 >
                   {{ t('common.previous') }}
                 </button>
@@ -251,7 +454,7 @@
 
   <div v-else-if="state == State.Finished">
     <BreadcrumbNav :crumbs="[ { label: t('vaultList.title'), to: '/app/vaults' }, { label: t('createVault.enterVaultDetails.title') } ]"/>
-    <VaultCreationProgress :state="state" :steps="allCreateStates" class="flex justify-center mb-4" />
+    <VaultCreationProgress :state="state" :steps="getCurrentStates" class="flex justify-center mb-4" />
     <div class="flex justify-center">
       <div class="bg-white px-4 py-5 shadow-sm sm:rounded-lg sm:p-6 text-center sm:w-full sm:max-w-lg">
         <div class="mx-auto flex items-center justify-center h-12 w-12 rounded-full bg-emerald-100">
@@ -263,7 +466,9 @@
           </h3>
           <div class="mt-2">
             <p class="text-sm text-gray-500">
-              {{ t('createVault.success.description') }}
+              <!-- / start katta modification -->
+              {{ t('CreateVaultS3.success.description') }}
+              <!-- \ end katta modification -->
             </p>
           </div>
         </div>
@@ -276,11 +481,23 @@
             <ArrowDownTrayIcon class="-ml-1 mr-2 h-5 w-5" aria-hidden="true" />
             {{ t('createVault.success.download') }}
           </button>
-          <p v-if="onDownloadTemplateError != null" class="text-sm text-red-900 mr-4">
+          <p v-if="onDownloadTemplateError" class="text-sm text-red-900 mr-4">
             {{ t('createVault.error.downloadTemplateFailed', [onDownloadTemplateError.message]) }}
           </p>
           <!-- TODO: not beautiful-->
         </div>
+        <!-- / start katta modification -->
+        <div class="mt-5 sm:mt-6">
+          <button type="button" class="inline-flex items-center px-4 py-2 border border-transparent shadow-sm text-sm font-medium rounded-md text-white bg-primary hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="openBookmark()">
+            <ArrowTopRightOnSquareIcon class="-ml-1 mr-2 h-5 w-5" aria-hidden="true" />
+            {{ t('CreateVaultS3.success.open') }}
+          </button>
+          <p v-if="onOpenBookmarkError != null " class="text-sm text-red-900 mr-4">{{ t('CreateVaultS3.error.openBookmarkFailed', [onOpenBookmarkError.message]) }}</p> <!-- TODO: not beautiful-->
+        </div>
+        <div class="mt-5 sm:mt-6">
+          <p v-if="onUploadTemplateError != null " class="text-sm text-red-900 mr-4">{{ t('CreateVaultS3.error.uploadTemplateFailed') }}{{ onUploadTemplateError.message == null ? '' : ': ' + onUploadTemplateError.message }}</p> <!-- TODO: not beautiful-->
+        </div>
+        <!-- \ end katta modification -->
         <div class="mt-2">
           <router-link to="/app/vaults" class="text-sm text-gray-500">
             {{ t('createVault.success.return') }}
@@ -289,29 +506,56 @@
       </div>
     </div>
   </div>
+  <!-- // / start katta modification -->
+  <div v-else-if="state == State.EnterVaultDetails && ((backends?.values?.length ?? 0) == 0  || (regions?.values?.length ?? 0) == 0)">
+    <BreadcrumbNav :crumbs="[ { label: t('vaultList.title'), to: '/app/vaults' }, { label: t('createVault.enterVaultDetails.title') } ]"/>
+    <div class="mt-3 text-center">
+      <ExclamationTriangleIcon class="mx-auto h-12 w-12 text-gray-400" aria-hidden="true" />
+      <h3 class="mt-2 text-sm font-medium text-gray-900">{{ t('CreateVaultS3.error.noStorageProfileAvailable') }}</h3>
+    </div>
+  </div>
+  <!-- // \ end katta modification -->
 </template>
 
 <script setup lang="ts">
-import { ClipboardIcon, XCircleIcon } from '@heroicons/vue/20/solid';
+import { ClipboardIcon, XCircleIcon, ArrowDownTrayIcon } from '@heroicons/vue/20/solid';
 import { ArrowPathIcon, ArrowUpOnSquareIcon, CheckIcon, DocumentCheckIcon, KeyIcon, PlusIcon } from '@heroicons/vue/24/outline';
-import { ArrowDownTrayIcon } from '@heroicons/vue/24/solid';
 import { saveAs } from 'file-saver';
 import { computed, onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
-import backend, { AccessGrant, PaymentRequiredError, VaultDto } from '../common/backend';
+import backend, { AccessGrant, LicenseUserInfoDto, PaymentRequiredError, SettingsDto, VaultDto } from '../common/backend';
 import { absBackendBaseURL } from '../common/config';
-import { VaultTemplateProducing } from '../common/crypto';
+import { RecoveryKeyProducing, VaultTemplateProducing } from '../common/crypto';
 import { DecodeUvfRecoveryKeyError, UniversalVaultFormat } from '../common/universalVaultFormat';
 import userdata from '../common/userdata';
 import { debounce } from '../common/util';
 import BreadcrumbNav from './BreadcrumbNav.vue';
+import EmergencyAccessSetup from './emergencyaccess/EmergencyAccessSetup.vue';
 import VaultCreationProgress from './VaultCreationProgress.vue';
 import { DecodeVf8RecoveryKeyError, VaultFormat8 } from '../common/vaultFormat8';
+// / start katta extension
+import { StorageProfileDto, VaultMetadataJWEBackendDto } from '../common/backend';
+import {
+     Listbox,
+     ListboxButton,
+     ListboxOptions,
+     ListboxOption,
+   } from '@headlessui/vue';
+import { ChevronUpDownIcon } from '@heroicons/vue/24/outline';
+import { ArrowTopRightOnSquareIcon } from '@heroicons/vue/24/solid';
+import { STSClient,AssumeRoleWithWebIdentityCommand } from "@aws-sdk/client-sts";
+import { S3Client, PutObjectCommand, ListObjectsV2Command, GetBucketLocationCommand, HeadBucketCommand } from "@aws-sdk/client-s3";
+import authPromise from '../common/auth';
+import {AxiosError} from 'axios';
+import { base64urlnopad } from '@scure/base';
+import { isAwsHostname } from '../../src/common/katta';
+// \ end katta extension
 
 enum State {
   Initial,
   EnterRecoveryKey,
   EnterVaultDetails,
+  DefineEmergencyAccess,
   ShowRecoveryKey,
   Finished
 }
@@ -335,6 +579,7 @@ class EmptyVaultTemplateError extends Error {
   }
 }
 
+
 class NoFileError extends Error {
   constructor() {
     super('Drag and drop operation has no file.');
@@ -358,19 +603,24 @@ const { t } = useI18n({ useScope: 'global' });
 const form = ref<HTMLFormElement>();
 const fileUpload = ref<HTMLInputElement>();
 
-const onCreateError = ref<Error | null>(null);
-const onDownloadTemplateError = ref<Error | null>(null);
-const onRecoverError = ref<Error | null>(null);
-const onUploadError = ref<Error | null>(null);
+const onCreateError = ref<Error>();
+const onRecoverError = ref<Error>();
+const onDownloadTemplateError = ref<Error>();
+const onUploadError = ref<Error>();
 
 const state = ref(State.Initial);
 const processing = ref(false);
+const settings = ref<SettingsDto>();
+const vaultName = ref('');
+const vaultDescription = ref<string | undefined>();
 const vault = ref<VaultDto>({
   id: crypto.randomUUID(),
   name: '',
   description: '',
   archived: false,
-  creationTime: new Date()
+  creationTime: new Date(),
+  requiredEmergencyKeyShares: 0,
+  emergencyKeyShares: {}
 });
 const copiedRecoveryKey = ref(false);
 const debouncedCopyFinish = debounce(() => copiedRecoveryKey.value = false, 2000);
@@ -378,6 +628,7 @@ const confirmRecoveryKey = ref(false);
 const vaultFormat8 = ref<VaultFormat8>();
 const recoveryKeyStr = ref<string>('');
 const uvfVault = ref<UniversalVaultFormat>();
+const emergencyAccessSetup = ref<InstanceType<typeof EmergencyAccessSetup>>();
 
 const metadataFilename = computed(() => vaultType.value == VaultType.VaultFormat8 ? 'vault.cryptomator' : 'vault.uvf');
 const vaultMetadata = ref<string>('');
@@ -387,7 +638,32 @@ const props = defineProps<{
   recover: boolean
 }>();
 
+// / start katta extension
+const selectedBackend = ref<StorageProfileDto | null >(null);
+const selectedRegion = ref<string | undefined>();
+const isPermanent = ref(false);
+const regions = ref<string[] | undefined>();
+const backends = ref<StorageProfileDto[] | null>(null);
+const vaultAccessKeyId = ref('');
+const vaultSecretKey = ref('');
+const vaultBucketName = ref('');
+const automaticAccessGrant = ref<boolean>(true);
+const onOpenBookmarkError = ref<Error | null>(null);
+const onUploadTemplateError = ref<Error | null>(null);
+
+class ErrorWithCodeHint extends Error {
+  constructor(public message: string, public codehint: string) {
+    super(message);
+    this.codehint = codehint;
+  }
+}
+// \ end katta extension
 onMounted(initialize);
+const licenseStatus = ref<LicenseUserInfoDto>();
+
+const isCommunityLicense = computed(() => {
+  return !licenseStatus.value?.expiresAt;
+});
 
 async function initialize() {
   if (props.recover) {
@@ -399,12 +675,22 @@ async function initialize() {
         recoveryKeyStr.value = await vaultFormat8.value.createRecoveryKey();
         break;
       case VaultType.UniversalVaultFormat:
-        uvfVault.value = await UniversalVaultFormat.create({ enabled: false, maxWotDepth: 0 });
+        uvfVault.value = await UniversalVaultFormat.create({ enabled: false, maxWotDepth: 0 }, { provider: '', defaultPath: '', nickname: '', region: ''});
         recoveryKeyStr.value = await uvfVault.value.recoveryKey.createRecoveryKey();
         break;
     }
+    settings.value = await backend.settings.get();
     state.value = State.EnterVaultDetails;
   }
+  licenseStatus.value = await backend.license.getUserInfo();
+  // / start katta extension
+  // get only non-archived storage profiles for new vaults
+  backends.value = await backend.storageprofiles.get(false);
+  selectedBackend.value = backends.value[0];
+  setRegionsOnSelectStorage(selectedBackend.value);
+  selectedRegion.value = selectedBackend.value.region;
+  // \ end katta extension
+
 }
 
 async function handleDragEnterAndOver (event: DragEvent){
@@ -420,7 +706,7 @@ async function handleDragLeave() {
 }
 
 async function handleDrop(event: DragEvent) {
-  onUploadError.value = null;
+  onUploadError.value = undefined;
   isDraggingOver.value = false;
   let file: File | null = null;
   if (event.dataTransfer?.items && event.dataTransfer.items.length >= 1) {
@@ -436,7 +722,7 @@ async function handleDrop(event: DragEvent) {
 }
 
 async function handleUpload(event: Event) {
-  onUploadError.value = null;
+  onUploadError.value = undefined;
   validateAndSetMetadataFile(fileUpload.value?.files?.item(0) ?? null);
 }
 
@@ -458,7 +744,7 @@ async function validateAndSetMetadataFile(file: File | null) {
 }
 
 async function validateRecoveryKey() {
-  onRecoverError.value = null;
+  onRecoverError.value = undefined;
   if (!form.value?.checkValidity() || !vaultMetadata.value ) {
     onRecoverError.value = new FormValidationFailedError();
     return;
@@ -466,14 +752,25 @@ async function validateRecoveryKey() {
   await recoverVault();
 }
 
+const getCurrentStates = computed(() => {
+  return isCommunityLicense.value || !settings.value?.enableEmergencyAccess ? communityCreateStates : allCreateStates;
+});
+
 const allCreateStates = [
+  State.EnterVaultDetails,
+  State.DefineEmergencyAccess,
+  State.ShowRecoveryKey,
+  State.Finished,
+];
+
+const communityCreateStates = [
   State.EnterVaultDetails,
   State.ShowRecoveryKey,
   State.Finished,
 ];
 
 async function recoverVault() {
-  onRecoverError.value = null;
+  onRecoverError.value = undefined;
   try {
     processing.value = true;
     if (vaultType.value == VaultType.UniversalVaultFormat) {
@@ -491,15 +788,178 @@ async function recoverVault() {
 }
 
 async function validateVaultDetails() {
-  onCreateError.value = null;
+  onCreateError.value = undefined;
   if (!form.value?.checkValidity()) {
     onCreateError.value = new FormValidationFailedError();
     return;
   }
+  // / start katta extension
+    if(!selectedBackend.value){
+        onCreateError.value = new StorageProfileError(t('CreateVaultS3.error.noStorageProfileSelected'));
+        return;
+    }
+    if(!isPermanent.value){
+        if(!selectedRegion.value){
+            onCreateError.value = new StorageProfileError(t('CreateVaultS3.error.noRegionSelected'));
+            return;
+        }
+    }
+    else if(isPermanent.value){
+        if(!vaultAccessKeyId.value){
+            onCreateError.value = new StorageProfileError(t('CreateVaultS3.error.missingAccessKey'));
+            return;
+        }
+        if(!vaultSecretKey.value){
+            onCreateError.value = new StorageProfileError(t('CreateVaultS3.error.missingSecretKey'));
+            return;
+        }
+        if(!vaultBucketName.value){
+            onCreateError.value = new StorageProfileError(t('CreateVaultS3.error.missingBucket'));
+            return;
+        }
+        const endpoint = (selectedBackend.value.scheme && selectedBackend.value.hostname && selectedBackend.value.port) ? `${selectedBackend.value.scheme}://${selectedBackend.value.hostname}:${selectedBackend.value.port}` : undefined;
+
+    try {
+      const headBucketClient = new S3Client({
+        // https://github.com/aws/aws-sdk-js/issues/462 us-east-1 seems to have special behaviour
+        region: "us-west-2", // must not be empty, despite documentation saying optional (SDK rejects before even sending out request)
+        endpoint: `https://s3.amazonaws.com`,
+        credentials: {
+          accessKeyId: vaultAccessKeyId.value,
+          secretAccessKey: vaultSecretKey.value
+        }
+      });
+
+      const command = new GetBucketLocationCommand({
+        Bucket: vaultBucketName.value
+      });
+      try {
+        const response = await headBucketClient.send(command);
+        console.log(response)
+      }
+      catch (error) {
+        console.log(error)
+        // https://stackoverflow.com/questions/47668509/the-authorization-header-is-malformed-the-region-us-east-1-is-wrong-expectin
+        if ((error as any)?.Code == "AuthorizationHeaderMalformed" && (error as any)?.Region != undefined) {
+          selectedRegion.value = (error as any).Region
+        }
+        else {
+          if (selectedRegion.value === undefined) { // MinIO returns undefined
+            selectedRegion.value = "us-east-1"; // must not be empty, despite documentation saying optional (SDK rejects before even sending out request)
+          }
+        }
+      }
+      console.log(`GetBucketLocation returned region ${selectedRegion.value}`);
+
+            const client = new S3Client({
+               region: selectedRegion.value,
+               endpoint: endpoint,
+               forcePathStyle: selectedBackend.value.withPathStyleAccessEnabled,
+               credentials:{
+                   accessKeyId: vaultAccessKeyId.value,
+                   secretAccessKey: vaultSecretKey.value
+               }
+            });
+            // N.B. there seems to be no API to check write permissions without actually writing.
+            const commandListObjects = new ListObjectsV2Command({
+               Bucket: vaultBucketName.value,
+               MaxKeys: 1,
+            });
+            const responseListObjects = await client.send(commandListObjects);
+            console.log(responseListObjects);
+            if(responseListObjects.KeyCount != 0){
+                onCreateError.value = new Error(t('CreateVaultS3.error.bucketNotEmpty'));
+                return;
+            }
+        } catch (error) {
+            console.log(error);
+            // TODO review can we improve whether this is a CORS problem? FF message is "NetworkError when attempting to fetch resource", Safari "Load failed".
+            if(error instanceof TypeError){
+                onCreateError.value = new ErrorWithCodeHint(error.message + ". " + t('CreateVaultS3.error.invalidCORS'), `
+                aws s3api put-bucket-cors --endpoint-url ${endpoint} --bucket ${vaultBucketName.value} --cors-configuration file://cors.json
+
+                cors.json:
+                {
+                  "CORSRules": [
+                           {
+                               "AllowedHeaders": [
+                                   "*"
+                               ],
+                               "AllowedMethods": [
+                                   "GET",
+                                   "PUT"
+                               ],
+                               "AllowedOrigins": [
+                                   "${document.baseURI}"
+                               ],
+                               "ExposeHeaders": [
+                                   "ETag"
+                               ],
+                               "MaxAgeSeconds": 3600
+                           }
+                       ]
+                }
+                `);
+            }
+            else{
+              console.error('Uploading template failed.', error);
+              error instanceof Error ? error : new Error('Unknown Error');
+            }
+            return;
+        }
+    }
+    else{
+        // we assume CORS settings are set correctly by admins
+    }
+    // \ end katta extension
   if (props.recover) {
     await createVault();
   } else {
+    if (!isCommunityLicense.value && settings.value?.enableEmergencyAccess)
+      state.value = State.DefineEmergencyAccess;
+    else
+      state.value = State.ShowRecoveryKey;
+  }
+}
+
+async function validateVaultEmergencyAccess() {
+  onCreateError.value = undefined;
+  if (!emergencyAccessSetup.value) {
+    onCreateError.value = new Error('Invalid state.');
+    return;
+  }
+
+  processing.value = true;
+  try {
+    let recoveryKeyProducer: RecoveryKeyProducing;
+    switch (vaultType.value) {
+      case VaultType.VaultFormat8: {
+        if (!vaultFormat8.value) {
+          throw new Error('Invalid state');
+        }
+        recoveryKeyProducer = vaultFormat8.value;
+        break;
+      }
+      case VaultType.UniversalVaultFormat: {
+        if (!uvfVault.value) {
+          throw new Error('Invalid state');
+        }
+        recoveryKeyProducer = uvfVault.value;
+        break;
+      }
+      default:
+        throw new Error('Invalid state');
+    }
+
+    const { requiredKeyShares, keyShares } = await emergencyAccessSetup.value.split(recoveryKeyProducer);
+    vault.value.requiredEmergencyKeyShares = requiredKeyShares;
+    vault.value.emergencyKeyShares = { ...keyShares };
     state.value = State.ShowRecoveryKey;
+  } catch (error) {
+    console.error('Validating emergency access settings failed.', error);
+    onCreateError.value = error instanceof Error ? error : new Error('Unexpected error');
+  } finally {
+    processing.value = false;
   }
 }
 
@@ -507,8 +967,15 @@ function backToEnterVaultDetails(){
   state.value = State.EnterVaultDetails;
 }
 
+function backToDefineEmergencyAccess(){
+  if (isCommunityLicense.value || !settings.value?.enableEmergencyAccess)
+    state.value = State.EnterVaultDetails;
+  else
+    state.value = State.DefineEmergencyAccess;
+}
+
 async function createVault() {
-  onCreateError.value = null;
+  onCreateError.value = undefined;
   try {
     processing.value = true;
     const owner = await userdata.me;
@@ -516,6 +983,7 @@ async function createVault() {
       throw new Error('User not set up');
     }
     const ownerGrant: AccessGrant = { userId: owner.id, token: '' };
+
     switch (vaultType.value) {
       case VaultType.VaultFormat8: {
         if (!vaultFormat8.value) {
@@ -528,6 +996,30 @@ async function createVault() {
         if (!uvfVault.value) {
           throw new Error('Invalid state');
         }
+        // / start katta extension
+        if (!uvfVault.value) {
+          throw new Error('Invalid state');
+        }
+        if (!selectedBackend.value) {
+          throw new Error('Invalid state');
+        }
+        if (!selectedRegion.value) {
+          throw new Error('Invalid state');
+        }
+
+        uvfVault.value.metadata.backend.provider = selectedBackend.value.id;
+        uvfVault.value.metadata.backend.defaultPath = selectedBackend.value.bucketPrefix + vault.value.id;
+        uvfVault.value.metadata.backend.nickname = vault.value.name;
+        uvfVault.value.metadata.backend.region = selectedRegion.value;
+        uvfVault.value.metadata.automaticAccessGrant.enabled = automaticAccessGrant.value;
+
+        if(isPermanent.value){
+            uvfVault.value.metadata.backend.username = vaultAccessKeyId.value;
+            uvfVault.value.metadata.backend.password = vaultSecretKey.value;
+            uvfVault.value.metadata.backend.defaultPath = vaultBucketName.value;
+        }
+        // \ end katta extension
+
         ownerGrant.token = await uvfVault.value.encryptForUser(await userdata.ecdhPublicKey, true);
         const recoveryPublicKey = await uvfVault.value.recoveryKey.serializePublicKey();
         vault.value.uvfMetadataFile = await uvfVault.value.createMetadataFile(absBackendBaseURL, vault.value);
@@ -535,12 +1027,148 @@ async function createVault() {
         break;
       }
     }
-    await backend.vaults.createOrUpdateVault(vault.value);
+    // / start katta extension
+    if (!uvfVault.value) {
+      throw new Error('Invalid state');
+    }
+    if (!selectedBackend.value) {
+      throw new Error('Invalid state');
+    }
+    if (!selectedRegion.value) {
+      throw new Error('Invalid state');
+    }
+    // Decision 2024-02-01 upload vault template/create bucket before creating vault in hub and uploading JWE. This is the most delicate operation. No further rollback for now.
+    if(isPermanent.value){
+       await uploadVaultTemplate();
+    }
+    else {
+        // N.B. the access tokens for cryptomator and cryptomator hub clients do only have realm roles added to them, but not client roles.
+        //      We use client roles for vaults shared with a user. So this setup prevents access tokens from growing with new vaults.
+        const token = await authPromise.then(auth => auth.bearerToken());
+
+        // https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-sts/classes/stsclient.html
+
+        const stsClient = new STSClient({
+            region: selectedRegion.value,
+            endpoint: selectedBackend.value.stsEndpoint
+        });
+
+        // https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-sts/classes/assumerolewithwebidentitycommand.html
+        // https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
+        // N.B. almost zero trust: add inline policy to pass only credentials allowing for creating the specified bucket in the backend
+        const assumeRoleWithWebIdentityArgs = {
+          // Required. The OAuth 2.0 access token or OpenID Connect ID token that is provided by the
+          // identity provider.
+          WebIdentityToken: token,
+          RoleSessionName: vault.value.id,
+          // Valid Range: Minimum value of 900. Maximum value of 43200.
+          DurationSeconds: 900,
+          Policy: `{
+            "Version": "2012-10-17",
+            "Statement": [
+              {
+                "Effect": "Allow",
+                "Action": [
+                  "s3:CreateBucket",
+                  "s3:GetBucketPolicy",
+                  "s3:PutBucketVersioning",
+                  "s3:GetBucketVersioning"
+                ],
+                "Resource": "arn:aws:s3:::{}"
+              },
+              {
+                "Effect": "Allow",
+                "Action": [
+                  "s3:PutObject"
+                ],
+                "Resource": [
+                  "arn:aws:s3:::{}/*.uvf",
+                  "arn:aws:s3:::{}/*/"
+                ]
+              }
+            ]
+          }`.replaceAll("{}", uvfVault.value.metadata.backend.defaultPath),
+          // Required. ARN of the role that the caller is assuming.
+          RoleArn: selectedBackend.value.stsRoleCreateBucketHub
+        }
+
+
+        const { Credentials } = await stsClient
+            .send(new AssumeRoleWithWebIdentityCommand(assumeRoleWithWebIdentityArgs));
+
+        if (!Credentials) {
+            throw new Error('Invalid state: Could not assume role with web identity.');
+        }
+        if (!Credentials.AccessKeyId) {
+            throw new Error('Invalid state: Missing AccessKeyId.');
+        }
+        if (!Credentials.SecretAccessKey) {
+            throw new Error('Invalid state: Missing SecretAccessKey.');
+        }
+        if (!Credentials.SessionToken) {
+            throw new Error('Invalid state: Missing SessionToken.');
+        }
+
+        const rootDirId = await uvfVault.value.computeRootDirId();
+        const rootDirHash = await uvfVault.value.computeRootDirIdHash(rootDirId);
+        if (!rootDirHash) {
+            throw new Error('Invalid state: rootDirHash missing.');
+        }
+        if (!vault.value?.uvfMetadataFile) {
+            throw new Error('Invalid state: uvfMetadataFile missing.');
+        }
+        const dirFile = await uvfVault.value.encryptFile(rootDirId, uvfVault.value.metadata.initialSeedId);
+        await backend.storage.put(vault.value.id, {
+            vaultId: vault.value.id,
+            storageConfigId: selectedBackend.value.id,
+            vaultUvf: vault.value.uvfMetadataFile,
+            dirUvf: base64urlnopad.encode(dirFile),
+            rootDirHash: rootDirHash,
+            // https://github.com/awslabs/smithy-typescript/blob/697310da9aec949034f92598f5cefc2cc162ef4d/packages/types/src/identity/awsCredentialIdentity.ts#L24
+            awsAccessKey: Credentials.AccessKeyId,
+            awsSecretKey: Credentials.SecretAccessKey,
+            sessionToken: Credentials.SessionToken,
+            region: selectedRegion.value
+
+        });
+    }
+    // \ end katta extension
+    var minio = (!isPermanent.value) && (selectedBackend.value.hostname != null);
+    var aws = (!isPermanent.value) && ((selectedBackend.value.hostname == null) || isAwsHostname(selectedBackend.value.hostname ));
+
+    await backend.vaults.createOrUpdateVault(vault.value, aws, minio);
     await backend.vaults.grantAccess(vault.value.id, ownerGrant);
     state.value = State.Finished;
   } catch (error) {
     console.error('Creating vault failed.', error);
-    onCreateError.value = error instanceof Error ? error : new Error('Unknown reason');
+
+    // / start katta extension
+    if(typeof(error) === 'string'){
+        onCreateError.value = new Error(error);
+    }
+    else if((error instanceof AxiosError)){
+      var msg = error.message;
+      if(error.response?.statusText){
+        msg += ` (${error.response?.statusText}).`;
+      }
+      else{
+        msg += `.`;
+      }
+      if(error.response?.status === 409){
+        msg += ` Details: Bucket ${uvfVault.value?.metadata.backend.defaultPath} already exists or no permission to list.`;
+      }
+      else if(error.response?.data.details){
+        msg += ` Details: ${error.response.data.details}.`;
+      }
+      onCreateError.value = new Error(msg);
+    }
+    else if(error instanceof Error){
+        onCreateError.value = error;
+    }
+    else {
+        onCreateError.value = new Error('Unknown reason');
+    }
+    // \ end katta extension
   } finally {
     processing.value = false;
   }
@@ -556,7 +1184,7 @@ async function downloadVaultTemplate() {
   if (!vaultFormat8.value && !uvfVault.value) {
     throw new Error('Invalid state');
   }
-  onDownloadTemplateError.value = null;
+  onDownloadTemplateError.value = undefined;
   try {
     const templateProducer: VaultTemplateProducing = vaultFormat8.value || uvfVault.value!;
     const blob = await templateProducer.exportTemplate(absBackendBaseURL, vault.value);
@@ -570,4 +1198,96 @@ async function downloadVaultTemplate() {
     onDownloadTemplateError.value = error instanceof Error ? error : new Error('Unknown reason');
   }
 }
+
+// / start katta extension
+import { baseURL } from '../common/config';
+async function openBookmark() {
+  onOpenBookmarkError.value = null;
+  try {
+    window.location.href = `katta://${new URL(location.origin).host}${baseURL}`;
+  } catch (error) {
+    console.error('Opening bookmark from browser failed.', error);
+    onOpenBookmarkError.value = error instanceof Error ? error : new Error('Unknown Error');
+  }
+}
+
+function setRegionsOnSelectStorage(storage: StorageProfileDto){
+    console.log('selected storage ' + storage.name);
+    regions.value = storage.regions;
+    console.log('   available regions: ' + storage.regions);
+    selectedRegion.value = storage.region;
+    console.log('   default region: ' + storage.region);
+    if (!selectedBackend.value) {
+      throw new Error('Invalid state.');
+    }
+    isPermanent.value = selectedBackend.value['protocol'] === 'S3STATIC';
+    console.log('   isPermanent: ' + isPermanent.value);
+}
+
+async function uploadVaultTemplate() {
+  onUploadTemplateError.value = null;
+  try {
+    if (!selectedBackend.value) {
+        throw new Error('Invalid state.');
+    }
+    const endpoint = (selectedBackend.value.scheme && selectedBackend.value.hostname && selectedBackend.value.port) ? `${selectedBackend.value.scheme}://${selectedBackend.value.hostname}:${selectedBackend.value.port}` : undefined;
+    const client = new S3Client({
+        region: selectedRegion.value,
+        endpoint: endpoint,
+        forcePathStyle: selectedBackend.value.withPathStyleAccessEnabled,
+        credentials:{
+            accessKeyId: vaultAccessKeyId.value,
+            secretAccessKey: vaultSecretKey.value
+        }
+    });
+    const commandListObjects = new ListObjectsV2Command({
+        Bucket: vaultBucketName.value,
+        MaxKeys: 1,
+      });
+    const responseListObjects = await client.send(commandListObjects);
+    console.log(responseListObjects);
+    if(responseListObjects.KeyCount != 0){
+        throw new Error('Bucket not empty, cannot upload template. Empty the bucket manually and re-try.');
+    }
+    if(!uvfVault.value){
+       throw new Error('Invalid state');
+    }
+
+    const rootDirHash = await uvfVault.value.computeRootDirIdHash(await uvfVault.value.computeRootDirId());
+    console.log(rootDirHash);
+
+    if (!rootDirHash) {
+        throw new Error('Invalid state: rootDirHash missing.');
+    }
+
+    const commandPutVaultCryptomator = new PutObjectCommand({
+        Bucket: vaultBucketName.value,
+        Key: 'vault.uvf',
+        Body: vault.value.uvfMetadataFile
+    });
+    console.log(commandPutVaultCryptomator);
+    const responsePutVaultCryptomator = await client.send(commandPutVaultCryptomator);
+    console.log(responsePutVaultCryptomator);
+
+    const commandPutDFolder = new PutObjectCommand({
+        Bucket: vaultBucketName.value,
+        Key: `d/${rootDirHash.substring(0, 2)}/${rootDirHash.substring(2)}/`,
+        Body: '',
+    });
+    console.log(commandPutDFolder);
+    const responsePutDFolder = await client.send(commandPutDFolder);
+    console.log(responsePutDFolder);
+
+  } catch (error) {
+    console.error('Uploading vault template failed.', error);
+    onUploadTemplateError.value = error instanceof Error ? error : new Error('Unknown reason');
+  }
+}
+class StorageProfileError extends Error {
+  constructor(s: string) {
+    super(s);
+  }
+}
+// \ end katta extension
+
 </script>
diff --git a/frontend/src/components/DeviceList.vue b/frontend/src/components/DeviceList.vue
index 0a5c6c6c6..0ccf11a1e 100644
--- a/frontend/src/components/DeviceList.vue
+++ b/frontend/src/components/DeviceList.vue
@@ -1,6 +1,6 @@
 <template>
-  <div v-if="me == null">
-    <div v-if="onFetchError == null">
+  <div v-if="me === undefined">
+    <div v-if="!onFetchError">
       {{ t('common.loading') }}
     </div>
     <div v-else>
@@ -45,13 +45,13 @@
                   <tr>
                     <td class="py-4 text-sm text-gray-500">
                       <div class="grid place-items-center h-12 aspect-square">
-                        <span v-if="device.type == 'BROWSER'" :title="'Browser'">
+                        <span v-if="device.type == 'BROWSER'" :title="t('deviceType.browser')">
                           <WindowIcon class="size-5" aria-hidden="true" />
                         </span>
-                        <span v-else-if="device.type == 'DESKTOP'" :title="'Desktop'">
+                        <span v-else-if="device.type == 'DESKTOP'" :title="t('deviceType.desktop')">
                           <ComputerDesktopIcon class="size-5" aria-hidden="true" />
                         </span>
-                        <span v-else-if="device.type == 'MOBILE'" :title="'Mobile'">
+                        <span v-else-if="device.type == 'MOBILE'" :title="t('deviceType.mobile')">
                           <DevicePhoneMobileIcon class="size-5" aria-hidden="true" />
                         </span>
                       </div>
@@ -78,7 +78,7 @@
                     </td>
                   </tr>
                   <!-- TODO: good styling -->
-                  <tr v-if="onRemoveDeviceError[device.id] != null" class="bg-red-50">
+                  <tr v-if="onRemoveDeviceError[device.id]" class="bg-red-50">
                     <td colspan="5" class="px-6 py-3 text-center text-xs font-medium text-red-500 uppercase tracking-wider">
                       {{ t('common.unexpectedError', [onRemoveDeviceError[device.id].message]) }}
                     </td>
@@ -105,15 +105,15 @@ const { t, d } = useI18n({ useScope: 'global' });
 
 const me = ref<UserDto>();
 const myDevice = ref<DeviceDto>();
-const onFetchError = ref<Error | null>();
-const onRemoveDeviceError = ref< {[id: string]: Error} >({});
+const onFetchError = ref<Error>();
+const onRemoveDeviceError = ref<Record<string, Error>>({});
 
 onMounted(async () => {
   await fetchData();
 });
 
 async function fetchData() {
-  onFetchError.value = null;
+  onFetchError.value = undefined;
   try {
     me.value = await userdata.meWithLastAccess;
     myDevice.value = await userdata.browser;
diff --git a/frontend/src/components/DownloadVaultTemplateDialog.vue b/frontend/src/components/DownloadVaultTemplateDialog.vue
index 4feffee16..3b2b3d52b 100644
--- a/frontend/src/components/DownloadVaultTemplateDialog.vue
+++ b/frontend/src/components/DownloadVaultTemplateDialog.vue
@@ -34,7 +34,7 @@
                   <button type="button" class="mt-3 w-full inline-flex justify-center rounded-md border border-gray-300 shadow-xs px-4 py-2 bg-white text-base font-medium text-gray-700 hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:mt-0 sm:ml-3 sm:w-auto sm:text-sm" @click="open = false">
                     {{ t('common.cancel') }}
                   </button>
-                  <p v-if="onDownloadError != null" class="text-sm text-red-900">
+                  <p v-if="onDownloadError" class="text-sm text-red-900">
                     {{ t('common.unexpectedError', [onDownloadError.message]) }}
                   </p>
                 </div>
@@ -61,7 +61,7 @@ const { t } = useI18n({ useScope: 'global' });
 
 const open = ref(false);
 
-const onDownloadError = ref<Error|null>();
+const onDownloadError = ref<Error>();
 
 const props = defineProps<{
   vault: VaultDto
@@ -81,7 +81,7 @@ function show() {
 }
 
 async function downloadVault() {
-  onDownloadError.value = null;
+  onDownloadError.value = undefined;
   try {
     const blob = await props.vaultKeys.exportTemplate(absBackendBaseURL, props.vault);
     saveAs(blob, `${props.vault.name}.zip`);
diff --git a/frontend/src/components/EditVaultMetadataDialog.vue b/frontend/src/components/EditVaultMetadataDialog.vue
index 2e94a40bc..477c78e08 100644
--- a/frontend/src/components/EditVaultMetadataDialog.vue
+++ b/frontend/src/components/EditVaultMetadataDialog.vue
@@ -45,7 +45,7 @@
                   <button type="button" class="mt-3 w-full inline-flex justify-center rounded-md border border-gray-300 shadow-xs px-4 py-2 bg-white text-base font-medium text-gray-700 hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:mt-0 sm:ml-3 sm:w-auto sm:text-sm" @click="open = false">
                     {{ t('common.cancel') }}
                   </button>
-                  <div v-if="onUpdateVaultMetadataError != null">
+                  <div v-if="onUpdateVaultMetadataError">
                     <p v-if="onUpdateVaultMetadataError instanceof FormValidationFailedError" class="text-sm text-red-900">
                       {{ t('editVaultMetadataDialog.error.formValidationFailed') }}
                     </p>
@@ -81,7 +81,7 @@ const { t } = useI18n({ useScope: 'global' });
 const open = ref(false);
 const form = ref<HTMLFormElement>();
 
-const onUpdateVaultMetadataError = ref<Error|null>();
+const onUpdateVaultMetadataError = ref<Error>();
 
 const vaultName = ref('');
 const vaultDescription = ref<string | undefined>();
@@ -106,14 +106,14 @@ function show() {
 }
 
 async function updateVaultMetadata() {
-  onUpdateVaultMetadataError.value = null;
+  onUpdateVaultMetadataError.value = undefined;
   try {
     if (!form.value?.checkValidity()) {
       throw new FormValidationFailedError();
     }
     const dto = { ...props.vault };
     dto.description = vaultDescription.value;
-    const updatedVault = await backend.vaults.createOrUpdateVault(dto);
+    const updatedVault = await backend.vaults.createOrUpdateVault(dto, null, null);
     emit('updated', updatedVault);
     open.value = false;
   } catch (error) {
diff --git a/frontend/src/components/FetchError.vue b/frontend/src/components/FetchError.vue
index a4937e5ae..b0482e47c 100644
--- a/frontend/src/components/FetchError.vue
+++ b/frontend/src/components/FetchError.vue
@@ -7,7 +7,7 @@
     <p class="mt-1 text-sm text-gray-500">
       {{ error.message }}
     </p>
-    <div v-if="retry != undefined " class="mt-6">
+    <div v-if="retry !== undefined " class="mt-6">
       <button type="button" class="inline-flex items-center px-4 py-2 border border-transparent shadow-xs text-sm font-medium rounded-md text-white bg-primary hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="retry">
         <ArrowPathIcon class="-ml-1 mr-2 h-5 w-5" aria-hidden="true" />
         {{ t('common.retry') }}
@@ -24,6 +24,6 @@ const { t } = useI18n({ useScope: 'global' });
 
 defineProps<{
   error: Error
-  retry: (() => Promise<void>) | null
+  retry?: (() => Promise<void>)
 }>();
 </script>
diff --git a/frontend/src/components/GrantPermissionDialog.vue b/frontend/src/components/GrantPermissionDialog.vue
index f1d92a3fe..fc9920752 100644
--- a/frontend/src/components/GrantPermissionDialog.vue
+++ b/frontend/src/components/GrantPermissionDialog.vue
@@ -48,7 +48,7 @@
                     {{ t('common.cancel') }}
                   </button>
                 </div>
-                <p v-if="onGrantPermissionError != null" class="text-sm text-red-900 px-4 sm:px-6 text-right bg-red-50">
+                <p v-if="onGrantPermissionError" class="text-sm text-red-900 px-4 sm:px-6 text-right bg-red-50">
                   {{ t('common.unexpectedError', [onGrantPermissionError.message]) }}
                 </p>
                 <p v-if="onGrantPermissionError instanceof ConflictError || onGrantPermissionError instanceof NotFoundError" class="text-sm text-red-900 px-4 sm:px-6 pb-3 text-right bg-red-50">
@@ -66,7 +66,7 @@
 <script setup lang="ts">
 import { Dialog, DialogOverlay, DialogPanel, DialogTitle, TransitionChild, TransitionRoot } from '@headlessui/vue';
 import { ExclamationTriangleIcon } from '@heroicons/vue/24/outline';
-import { base64 } from 'rfc4648';
+import { base64 } from '@scure/base';
 import { onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import backend, { AccessGrant, ConflictError, MemberDto, NotFoundError, TrustDto, UserDto, VaultDto } from '../common/backend';
@@ -77,7 +77,7 @@ const { t } = useI18n({ useScope: 'global' });
 
 const open = ref(false);
 const trusts = ref<TrustDto[]>([]);
-const onGrantPermissionError = ref<Error | null>();
+const onGrantPermissionError = ref<Error>();
 
 const props = defineProps<{
   vault: VaultDto
@@ -109,7 +109,7 @@ function show() {
 }
 
 async function grantAccess() {
-  onGrantPermissionError.value = null;
+  onGrantPermissionError.value = undefined;
   try {
     await giveUsersAccess(props.users);
     emit('permissionGranted');
@@ -124,8 +124,8 @@ async function giveUsersAccess(members: (MemberDto & UserDto)[]) {
   const tokens: AccessGrant[] = [];
   for (const member of members) {
     if (member.ecdhPublicKey) { // some users might not have set up their key pair, so we can't share secrets with them yet
-      const publicKey = base64.parse(member.ecdhPublicKey);
-      const includeOwnerKeys = member.role === 'OWNER';
+      const publicKey = base64.decode(member.ecdhPublicKey) as Uint8Array<ArrayBuffer>;
+      const includeOwnerKeys = member.vaultRole === 'OWNER';
       const jwe = await props.vaultKeys.encryptForUser(publicKey, includeOwnerKeys);
       tokens.push({ userId: member.id, token: jwe });
     }
diff --git a/frontend/src/components/InitialSetup.vue b/frontend/src/components/InitialSetup.vue
index be88b5eb7..986c272bb 100644
--- a/frontend/src/components/InitialSetup.vue
+++ b/frontend/src/components/InitialSetup.vue
@@ -1,9 +1,9 @@
 <template>
-  <SimpleNavigationBar v-if="me != null" :me="me"/>
+  <SimpleNavigationBar v-if="me !== undefined" :me="me"/>
 
   <div class="max-w-7xl mx-auto px-4 py-12 sm:px-6 lg:px-8">
     <div v-if="state == State.Preparing">
-      <div v-if="onFetchError == null" class="text-center">
+      <div v-if="!onFetchError" class="text-center">
         {{ t('common.loading') }}
       </div>
       <div v-else>
@@ -16,7 +16,7 @@
         <div class="flex justify-center">
           <div class="bg-white px-4 py-5 shadow-sm sm:rounded-lg sm:p-6 text-center sm:w-full sm:max-w-lg">
             <div class="flex justify-center">
-              <img src="/logo.svg" class="h-12" alt="Logo" aria-hidden="true" />
+              <img src="/logo.png" class="h-16" alt="Katta Logo" aria-hidden="true" />
             </div>
             <div class="mt-3 sm:mt-5">
               <h3 class="text-lg leading-6 font-medium text-gray-900">
@@ -96,7 +96,7 @@
                 <button type="submit" :disabled="!confirmSetupCode || processing" class="inline-flex w-full justify-center rounded-md border border-transparent bg-primary px-4 py-2 text-base font-medium text-white shadow-xs hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:primary focus:ring-offset-2 sm:text-sm disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed">
                   {{ t('initialSetup.submit') }}
                 </button>
-                <div v-if="onCreateError != null">
+                <div v-if="onCreateError">
                   <p class="text-red-900 mt-2">{{ t('common.unexpectedError', [onCreateError.message]) }}</p>
                 </div>
               </div>
@@ -111,7 +111,7 @@
         <div class="flex flex-col items-center">
           <div class="bg-white px-4 py-5 shadow-sm sm:rounded-lg sm:p-6 text-center sm:w-full sm:max-w-lg">
             <div class="flex justify-center">
-              <img src="/logo.svg" class="h-12" alt="Logo" aria-hidden="true" />
+              <img src="/logo.png" class="h-16" alt="Katta Logo" aria-hidden="true" />
             </div>
             <div class="mt-3 sm:mt-5">
               <h3 class="text-lg leading-6 font-medium text-gray-900">
@@ -138,7 +138,7 @@
                 </button>
                 <div class="text-sm text-red-900 mt-2">
                   <p v-if="onRecoverError instanceof UnwrapKeyError">{{ t('initialSetup.recoverUserKey.error.wrongAccountKey') }}</p>
-                  <p v-else-if="onRecoverError != null">{{ t('common.unexpectedError', [onRecoverError.message]) }}</p>
+                  <p v-else-if="onRecoverError">{{ t('common.unexpectedError', [onRecoverError.message]) }}</p>
                 </div>
               </div>
             </div>
@@ -157,7 +157,7 @@
       <div class="flex flex-col items-center">
         <div class="bg-white px-4 py-5 shadow-sm sm:rounded-lg sm:p-6 text-center sm:w-full sm:max-w-lg">
           <div class="flex justify-center">
-            <img src="/logo.svg" class="h-12" alt="Logo" aria-hidden="true" />
+            <img src="/logo.png" class="h-16" alt="Katta Logo" aria-hidden="true" />
           </div>
           <div class="mt-3 sm:mt-5">
             <h3 class="text-lg leading-6 font-medium text-gray-900">
@@ -215,9 +215,9 @@ const vFocus = {
   }
 };
 
-const onFetchError = ref<Error | null>(null);
-const onCreateError = ref<Error | null >(null);
-const onRecoverError = ref<Error | null >(null);
+const onFetchError = ref<Error>();
+const onCreateError = ref<Error>();
+const onRecoverError = ref<Error>();
 
 const state = ref(State.Preparing);
 const processing = ref(false);
@@ -237,7 +237,7 @@ const resetUserAccountDialog = ref<typeof ResetUserAccountDialog>();
 onMounted(fetchData);
 
 async function fetchData() {
-  onFetchError.value = null;
+  onFetchError.value = undefined;
   try {
     me.value = await userdata.me;
     if (!me.value.setupCode) {
@@ -255,7 +255,7 @@ async function fetchData() {
 }
 
 async function createUserKey() {
-  onCreateError.value = null;
+  onCreateError.value = undefined;
   try {
     processing.value = true;
     const me = await userdata.me;
@@ -278,7 +278,7 @@ async function createUserKey() {
 }
 
 async function recoverUserKey() {
-  onRecoverError.value = null;
+  onRecoverError.value = undefined;
   try {
     processing.value = true;
     setupCode.value = setupCode.value.trim();
@@ -333,7 +333,7 @@ function editBrowserName() {
     span.focus();
     const range = document.createRange();
     range.selectNodeContents(span);
-    const sel = window.getSelection() as Selection;
+    const sel = globalThis.getSelection() as Selection;
     sel.removeAllRanges();
     sel.addRange(range);
   });
diff --git a/frontend/src/components/LegacyDeviceList.vue b/frontend/src/components/LegacyDeviceList.vue
index 8a3e31ecf..b29cb8a04 100644
--- a/frontend/src/components/LegacyDeviceList.vue
+++ b/frontend/src/components/LegacyDeviceList.vue
@@ -1,6 +1,6 @@
 <template>
-  <div v-if="me == null">
-    <div v-if="onFetchError == null">
+  <div v-if="me === undefined">
+    <div v-if="!onFetchError">
       {{ t('common.loading') }}
     </div>
     <div v-else>
@@ -9,6 +9,10 @@
   </div>
 
   <div v-if="me?.devices && me.devices.length > 0">
+    <ContentBanner type="warning" :title="t('legacyDeviceBanner.title')" class="mb-4">
+      {{ t('legacyDeviceBanner.user.description') }}
+    </ContentBanner>
+
     <h2 id="legacyDeviceListTitle" class="text-base font-semibold leading-6 text-gray-900">
       {{ t('legacyDeviceList.title') }}
     </h2>
@@ -53,7 +57,7 @@
                   <tr>
                     <td class="py-4 text-sm text-gray-500">
                       <div class="grid place-items-center h-12 aspect-square">
-                        <span v-if="device.type == 'DESKTOP'" :title="'Desktop'">
+                        <span v-if="device.type == 'DESKTOP'" :title="t('deviceType.desktop')">
                           <ComputerDesktopIcon class="size-5" aria-hidden="true" />
                         </span>
                       </div>
@@ -79,7 +83,7 @@
                     </td>
                   </tr>
                   <!-- TODO: good styling -->
-                  <tr v-if="onRemoveDeviceError[device.id] != null" class="bg-red-50">
+                  <tr v-if="onRemoveDeviceError[device.id]" class="bg-red-50">
                     <td colspan="5" class="px-6 py-3 text-center text-xs font-medium text-red-500 uppercase tracking-wider">
                       {{ t('common.unexpectedError', [onRemoveDeviceError[device.id].message]) }}
                     </td>
@@ -100,20 +104,21 @@ import { computed, onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import backend, { DeviceDto, NotFoundError, UserDto } from '../common/backend';
 import userdata from '../common/userdata';
+import ContentBanner from './ContentBanner.vue';
 import FetchError from './FetchError.vue';
 
 const { t, d } = useI18n({ useScope: 'global' });
 
 const me = ref<UserDto>();
-const onFetchError = ref<Error | null>();
-const onRemoveDeviceError = ref< {[id: string]: Error} >({});
+const onFetchError = ref<Error>();
+const onRemoveDeviceError = ref<Record<string, Error>>({});
 
 onMounted(async () => {
   await fetchData();
 });
 
 async function fetchData() {
-  onFetchError.value = null;
+  onFetchError.value = undefined;
   try {
     me.value = await userdata.meWithLegacyDevicesAndLastAccess;
   } catch (error) {
diff --git a/frontend/src/components/ManageSetupCode.vue b/frontend/src/components/ManageSetupCode.vue
index 0904fca4c..b3f01c5ba 100644
--- a/frontend/src/components/ManageSetupCode.vue
+++ b/frontend/src/components/ManageSetupCode.vue
@@ -1,6 +1,6 @@
 <template>
-  <div v-if="setupCode == null">
-    <div v-if="onFetchError == null">
+  <div v-if="setupCode === undefined">
+    <div v-if="!onFetchError">
       {{ t('common.loading') }}
     </div>
     <div v-else>
@@ -41,7 +41,7 @@
     </div>
   </div>
 
-  <RegenerateSetupCodeDialog v-if="regeneratingSetupCode && setupCode != null" ref="regenerateSetupCodeDialog" v-model:setup-code="setupCode" @close="regeneratingSetupCode = false" />
+  <RegenerateSetupCodeDialog v-if="regeneratingSetupCode && setupCode !== undefined" ref="regenerateSetupCodeDialog" v-model:setup-code="setupCode" @close="regeneratingSetupCode = false" />
 </template>
 
 <script setup lang="ts">
@@ -60,12 +60,12 @@ const copiedSetupCode = ref(false);
 const debouncedCopyFinish = debounce(() => copiedSetupCode.value = false, 2000);
 const regeneratingSetupCode = ref(false);
 const regenerateSetupCodeDialog = ref<typeof RegenerateSetupCodeDialog>();
-const onFetchError = ref<Error | null>();
+const onFetchError = ref<Error>();
 
 onMounted(fetchData);
 
 async function fetchData() {
-  onFetchError.value = null;
+  onFetchError.value = undefined;
   try {
     const me = await userdata.me;
     if (!me.setupCode) {
@@ -84,7 +84,7 @@ function toggleSetupCodeVisibility() {
 }
 
 async function copySetupCode() {
-  if (setupCode.value == null) {
+  if (setupCode.value === undefined) {
     throw new Error('Invalid state.');
   }
   await navigator.clipboard.writeText(setupCode.value);
diff --git a/frontend/src/components/MultiUserSelectInputGroup.vue b/frontend/src/components/MultiUserSelectInputGroup.vue
new file mode 100644
index 000000000..29cec11c1
--- /dev/null
+++ b/frontend/src/components/MultiUserSelectInputGroup.vue
@@ -0,0 +1,270 @@
+<template>
+  <div class="relative w-full">
+    <div
+      :class="[
+        'flex items-center flex-wrap min-h-[54px] rounded-md px-2 py-1 shadow-xs border', 
+        inputVisible ? 'focus-within:ring-1 bg-white' : 'bg-gray-100 cursor-not-allowed',
+        props.hasError
+          ? (inputVisible ? 'border-red-300 text-red-900 focus-within:ring-red-500 focus-within:border-red-500' : 'border-red-300/60 text-red-900')
+          : (inputVisible ? 'border-gray-300 focus-within:ring-primary' : 'border-gray-300/60')
+      ]"
+      @click="focusInput"
+    >
+      <!-- Pills -->
+      <button
+        v-for="(user, index) in selectedUsers"
+        :key="user.id"
+        tabindex="-1"
+        :disabled="!inputVisible"
+        class="inline-flex items-center text-sm text-gray-800 rounded-full px-2 py-1 mt-1 mb-1 mr-1 border transition-colors shadow-sm gap-1"
+        :class="{
+          'bg-white': selectedPillIndex !== index,
+          'bg-white ring-2 ring-primary': selectedPillIndex === index,
+          'cursor-not-allowed': !inputVisible
+        }"
+        @click="onPillClick($event, user)"
+      >
+        <img :src="user.pictureUrl" class="w-4 h-4 rounded-full" :class="{ 'opacity-60': !inputVisible }" alt="" />
+        <span :class="{ 'opacity-60': !inputVisible }">{{ user.name }}</span>
+        <span
+          v-if="user.type === 'USER'" class="trust-details"
+        >
+          <TrustDetails
+            :trusted-user="user as UserDto"
+            :trusts="trusts"
+            :disable-action="disableAction"
+            :dimmed="!inputVisible"
+            @trust-changed="refreshTrusts"
+          />
+        </span>
+        <span v-else class="trust-details" :class="{ 'opacity-60': !inputVisible }">
+          <span class="inline-flex items-center bg-gray-50 ring-1 ring-inset ring-gray-500/10 mx-1 px-2 p-0.5 rounded-full">
+            {{ user.memberSize }}
+          </span>
+        </span>
+        <div v-if="inputVisible" class="text-gray-500 hover:text-red-600">&times;</div>
+      </button>
+      <!-- Combobox -->
+      <Combobox @update:model-value="onSelect">
+        <div class="flex-1 relative"> 
+          <ComboboxInput v-if="inputVisible" :id="props.inputId" as="template">
+            <input
+              ref="inputEl"
+              v-model="query"
+              autocomplete="off"
+              class="w-full min-w-[60px] h-9 border-none focus:ring-0 text-sm px-1 placeholder-gray-400"
+              :class="{
+                'caret-transparent': selectedPillIndex !== null,
+                'caret-black': selectedPillIndex === null
+              }"
+              :placeholder="props.placeholder || t('common.search.placeholder')"
+              @keydown="onKeyDown"
+              @blur="onBlur"
+            />
+          </ComboboxInput>
+        </div>
+      </Combobox>
+      <div v-if="props.hasError" class="absolute left-1/2 -translate-x-1/2 -top-2 transform -translate-y-full">
+        <div class="bg-red-50 border border-red-300 text-red-900 px-2 py-1 rounded shadow-sm text-sm hyphens-auto">
+          {{ props.errorMessage || t('common.unexpectedError') }}
+          <div class="absolute bottom-0 left-1/2 transform translate-y-1/2 rotate-45 w-2 h-2 bg-red-50 border-r border-b border-red-300"></div>
+        </div>
+      </div>
+    </div>
+    <!-- DROPDOWN -->
+    <div
+      v-if="inputVisible && query && filteredUsers.length > 0"
+      class="absolute z-10 mt-1 w-full rounded-md border border-gray-300 bg-white shadow-lg ring-1 ring-black/5 focus:outline-none sm:text-sm"
+    >
+      <div
+        v-for="(user, index) in filteredUsers"
+        :key="user.id"
+        :class="[
+          'cursor-pointer select-none py-2 px-3 flex items-center',
+          (hoveredIndex === index || (hoveredIndex === null && activeIndex === index))
+            ? 'bg-primary text-white'
+            : 'hover:bg-primary'
+        ]"
+        @click="onSelect(user as T)"
+        @mouseenter="hoveredIndex = index"
+        @mouseleave="hoveredIndex = null"
+      >
+        <img :src="user.pictureUrl" alt="" class="h-5 w-5 rounded-full mr-2" />
+        {{ user.name }}
+        <span v-if="user.type === 'GROUP'" class="ml-1 trust-details">
+          <span class="inline-flex items-center bg-gray-50 ring-1 ring-inset ring-gray-500/10 mx-1 px-2 p-0.5 rounded-full focus:outline-hidden focus:ring-primary text-black">
+            {{ user.memberSize }}
+          </span>
+        </span>
+      </div>
+    </div>
+  </div>
+</template>
+
+<script setup lang="ts" generic="T extends AuthorityDto">
+import backend, { AuthorityDto, TrustDto, UserDto } from '../common/backend';
+import { useId, ref, computed, watch, nextTick, onMounted } from 'vue';
+import { Combobox, ComboboxInput } from '@headlessui/vue';
+import { useI18n } from 'vue-i18n';
+import TrustDetails from './TrustDetails.vue';
+
+export type MultiUserSelectExpose = {
+  focus: () => Promise<void> | void;
+};
+
+const trusts = ref<TrustDto[]>([]);
+
+const { t } = useI18n({ useScope: 'global' });
+
+const props = withDefaults(defineProps<{
+  selectedUsers: T[];
+  onSearch: (query: string) => Promise<T[]>;
+  inputVisible: boolean;
+  disableAction?: boolean;
+  hasError?: boolean;
+  errorMessage?: string;
+  placeholder?: string;
+  inputId?: string;
+}>(), {
+  errorMessage: undefined,
+  placeholder: undefined,
+  inputId: useId()
+});
+
+const emit = defineEmits<{
+  action: [item: T];
+  remove: [item: T];
+}>();
+
+const inputVisible = computed(() => props.inputVisible !== false);
+
+const query = ref('');
+const searchResults = ref<T[]>([]);
+
+const inputEl = ref<HTMLInputElement | null>(null);
+
+async function focus() {
+  selectedPillIndex.value = null;
+  await nextTick();
+
+  if (inputVisible.value) inputEl.value?.focus();
+}
+
+defineExpose<MultiUserSelectExpose>({
+  focus
+});
+
+const focusInput = () => {
+  selectedPillIndex.value = null;
+  nextTick(() => {
+    inputEl.value?.focus();
+  });
+};
+
+const activeIndex = ref(0);
+const hoveredIndex = ref<number | null>(null);
+const selectedPillIndex = ref<number | null>(null);
+
+const filteredUsers = computed(() => {
+  return searchResults.value.filter(
+    (u) => !props.selectedUsers.some((sel) => sel.id === u.id)
+  );
+});
+
+async function refreshTrusts() {
+  trusts.value = await backend.trust.listTrusted();
+}
+
+function onPillClick(event: MouseEvent, user: T) {
+  const target = event.target as HTMLElement;
+  if (target.closest('.trust-details')) {
+    return;
+  }
+  if (inputVisible.value) {
+    removeUser(user);
+  }
+}
+
+watch(query, async (newQuery) => {
+  if (newQuery.trim() === '') {
+    searchResults.value = [];
+  } else {
+    searchResults.value = await props.onSearch(newQuery);
+  }
+});
+
+onMounted(async () => {
+  await refreshTrusts();
+});
+
+function onSelect(user: T) {
+  emit('action', user);
+  query.value = '';
+  searchResults.value = [];
+  activeIndex.value = 0;
+  nextTick(() => inputEl.value?.focus());
+}
+
+function removeUser(user: T) {
+  emit('remove', user);
+}
+
+function onBlur() {
+  selectedPillIndex.value = null;
+}
+
+function onKeyDown(e: KeyboardEvent) {
+  const userCount = props.selectedUsers.length;
+
+  if (e.key === 'Backspace') {
+    if (query.value === '' && selectedPillIndex.value === null && userCount > 0) {
+      selectedPillIndex.value = userCount - 1;
+      e.preventDefault();
+    } else if (selectedPillIndex.value !== null) {
+      const user = props.selectedUsers[selectedPillIndex.value];
+      removeUser(user);
+      selectedPillIndex.value = selectedPillIndex.value == 0 ? (props.selectedUsers.length == 1 ? null : 0) : selectedPillIndex.value - 1;
+      e.preventDefault();
+    }
+  } else if (e.key === 'ArrowLeft') {
+    if (query.value === '' && userCount > 0) {
+      if (selectedPillIndex.value === null) {
+        selectedPillIndex.value = userCount - 1;
+      } else if (selectedPillIndex.value > 0) {
+        selectedPillIndex.value--;
+      }
+      e.preventDefault();
+    }
+  } else if (e.key === 'ArrowRight') {
+    if (selectedPillIndex.value !== null) {
+      if (selectedPillIndex.value < userCount - 1) {
+        selectedPillIndex.value++;
+      } else {
+        selectedPillIndex.value = null;
+        nextTick(() => inputEl.value?.focus());
+      }
+      e.preventDefault();
+    }
+  } else if (e.key === 'ArrowDown') {
+    e.preventDefault();
+    hoveredIndex.value = null;
+    if (filteredUsers.value.length > 0) {
+      activeIndex.value = (activeIndex.value + 1) % filteredUsers.value.length;
+    }
+  } else if (e.key === 'ArrowUp') {
+    e.preventDefault();
+    hoveredIndex.value = null;
+    if (filteredUsers.value.length > 0) {
+      activeIndex.value = (activeIndex.value - 1 + filteredUsers.value.length) % filteredUsers.value.length;
+    }
+  } else if (e.key === 'Enter' || e.key === 'Tab') {
+    if (activeIndex.value >= 0 && filteredUsers.value[activeIndex.value]) {
+      e.preventDefault();
+      onSelect(filteredUsers.value[activeIndex.value] as T);
+    }
+  } else {
+    selectedPillIndex.value = null;
+  }
+}
+
+</script>
diff --git a/frontend/src/components/NavigationBar.vue b/frontend/src/components/NavigationBar.vue
index 7c2e1cc64..027fb099b 100644
--- a/frontend/src/components/NavigationBar.vue
+++ b/frontend/src/components/NavigationBar.vue
@@ -12,12 +12,12 @@
         </div>
         <div class="flex-1 flex items-center justify-center sm:items-stretch sm:justify-start">
           <router-link to="/app" class="shrink-0 flex items-center">
-            <img src="/logo.svg" class="h-8" alt="Logo"/>
-            <span class="font-headline font-bold text-primary ml-2 pb-px">CRYPTOMATOR HUB</span>
+            <img src="/logo.png" class="h-9" alt="Katta Logo"/>
+            <span class="font-headline font-bold text-white ml-2 pb-px">KATTA</span>
           </router-link>
           <div class="hidden sm:ml-6 sm:flex sm:space-x-8">
-            <router-link v-for="item in navigation" :key="item.name" v-slot="{ isActive, href, navigate }" :to="item.to" custom>
-              <a :href="href" :class="[isActive ? 'border-primary text-white' : 'border-transparent text-gray-300 hover:border-gray-300 hover:text-white', ' inline-flex items-center px-1 pt-1 border-b-2 text-sm font-medium']" @click="navigate">
+            <router-link v-for="item in navigation" :key="item.name" v-slot="{ href, navigate }" :to="item.to" custom>
+              <a :href="href" :class="[route.path.startsWith(item.to) ? 'border-primary text-white' : 'border-transparent text-gray-300 hover:border-gray-300 hover:text-white', 'inline-flex items-center px-1 pt-1 border-b-2 text-sm font-medium']" @click="navigate">
                 {{ t(item.name) }}
               </a>
             </router-link>
@@ -69,16 +69,18 @@
 <script setup lang="ts">
 import { Disclosure, DisclosureButton, DisclosurePanel, Menu, MenuButton, MenuItem, MenuItems } from '@headlessui/vue';
 import { ArrowRightStartOnRectangleIcon, Bars3Icon, ListBulletIcon, UserIcon, WrenchIcon, XMarkIcon } from '@heroicons/vue/24/outline';
-import { FunctionalComponent, onMounted, ref } from 'vue';
+import { computed, FunctionalComponent, onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
+import { useRoute } from 'vue-router';
 import auth from '../common/auth';
-import { UserDto } from '../common/backend';
+import backend, { LicenseUserInfoDto, UserDto, VaultDto } from '../common/backend';
 
 const { t } = useI18n({ useScope: 'global' });
+const route = useRoute();
 
-const navigation = [
-  { name: 'nav.vaults', to: '/app/vaults' },
-];
+const navigation = ref([
+  { name: 'nav.vaults', to: '/app/vaults' }
+]);
 
 type ProfileDropdownItem = { icon: FunctionalComponent, name: string, to: string };
 
@@ -92,6 +94,10 @@ const profileDropdownSections = {
     [
       { icon: ListBulletIcon, name: 'nav.profile.auditlog', to: '/app/admin/auditlog' },
       { icon: WrenchIcon, name: 'nav.profile.admin', to: '/app/admin/settings' }
+      // / start katta extension
+      ,{ icon: WrenchIcon, name: 'nav.profile.storageprofiles', to: '/app/admin/storageprofiles' }
+      // \ end katta extension
+
     ],
 
   hubSection :
@@ -105,12 +111,45 @@ const profileDropdown = ref<ProfileDropdownItem[][]>([]);
 const props = defineProps<{
   me : UserDto
 }>();
+const licenseStatus = ref<LicenseUserInfoDto>();
+
+const isCommunityLicense = computed(() => {
+  return !licenseStatus.value?.expiresAt;
+});
 
 onMounted(async () => {
   if ((await auth).hasRole('admin')) {
+    navigation.value.push(
+      { name: 'nav.users', to: '/app/users' },
+      { name: 'nav.groups', to: '/app/groups' }
+    );
     profileDropdown.value = [profileDropdownSections.infoSection, profileDropdownSections.adminSection, profileDropdownSections.hubSection];
   } else {
     profileDropdown.value = [profileDropdownSections.infoSection, profileDropdownSections.hubSection];
   }
+
+  licenseStatus.value = await backend.license.getUserInfo();
+  const emergencyAccessEnabled = (await backend.settings.get()).enableEmergencyAccess;
+  if (!isCommunityLicense.value && emergencyAccessEnabled){
+    const recoverableVaults = ref<VaultDto[]>([]);
+
+    try {
+      const recoverable = await backend.vaults.listRecoverable().catch(() => [] as VaultDto[]);
+
+      const map = new Map<string, VaultDto>();
+      recoverable.forEach(v => {
+        map.set(v.id, v);
+      });
+      recoverableVaults.value = Array.from(map.values());
+    } catch (e) {
+      console.error('Failed to load emergency-access vaults:', e);
+      recoverableVaults.value = [];
+    }
+
+    if (recoverableVaults.value.length > 0 && !navigation.value.some(i => i.to === '/app/emergency-access')) {
+      navigation.value.push({ name: 'nav.emergencyAccess', to: '/app/emergency-access' });
+    }
+  }
 });
+
 </script>
diff --git a/frontend/src/components/ReactivateVaultDialog.vue b/frontend/src/components/ReactivateVaultDialog.vue
index a0a540fff..6a6949c91 100644
--- a/frontend/src/components/ReactivateVaultDialog.vue
+++ b/frontend/src/components/ReactivateVaultDialog.vue
@@ -35,7 +35,7 @@
                     {{ t('common.cancel') }}
                   </button>
                 </div>
-                <p v-if="onReactivateVaultError != null" class="text-sm text-red-900 px-4 sm:px-6 text-right bg-red-50">
+                <p v-if="onReactivateVaultError" class="text-sm text-red-900 px-4 sm:px-6 text-right bg-red-50">
                   {{ t('common.unexpectedError', [onReactivateVaultError.message]) }}
                 </p>
               </form>
@@ -58,7 +58,7 @@ const { t } = useI18n({ useScope: 'global' });
 
 const open = ref(false);
 
-const onReactivateVaultError = ref<Error | null>();
+const onReactivateVaultError = ref<Error>();
 
 const props = defineProps<{
   vault: VaultDto
@@ -78,12 +78,12 @@ function show() {
 }
 
 async function reactivateVault() {
-  onReactivateVaultError.value = null;
+  onReactivateVaultError.value = undefined;
   const dto =  { ...props.vault };
   dto.archived = false;
   try {
-    const updatedVault = await backend.vaults.createOrUpdateVault(dto);
-    emit('reactivated', updatedVault);
+    const vaultDto = await backend.vaults.setArchived(props.vault.id, false);
+    emit('reactivated', vaultDto);
     open.value = false;
   } catch (error) {
     console.error('Reactivating vault failed.', error);
diff --git a/frontend/src/components/RecoverVaultDialog.vue b/frontend/src/components/RecoverVaultDialog.vue
index d4a080975..2848a43ad 100644
--- a/frontend/src/components/RecoverVaultDialog.vue
+++ b/frontend/src/components/RecoverVaultDialog.vue
@@ -32,7 +32,7 @@
                   <button type="button" class="mt-3 w-full inline-flex justify-center rounded-md border border-gray-300 shadow-xs px-4 py-2 bg-white text-base font-medium text-gray-700 hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:mt-0 sm:ml-3 sm:w-auto sm:text-sm" @click="open = false">
                     {{ t('common.cancel') }}
                   </button>
-                  <div v-if="onVaultRecoverError != null">
+                  <div v-if="onVaultRecoverError">
                     <p v-if="onVaultRecoverError instanceof FormValidationFailedError" class="text-sm text-red-900">
                       {{ t('recoverVaultDialog.error.formValidationFailed') }}
                     </p>
@@ -68,7 +68,7 @@ const { t } = useI18n({ useScope: 'global' });
 
 const form = ref<HTMLFormElement>();
 
-const onVaultRecoverError = ref<Error|null>();
+const onVaultRecoverError = ref<Error>();
 
 const open = ref(false);
 const recoveryKey = ref('');
@@ -99,7 +99,7 @@ async function validateRecoveryKey() {
 }
 
 async function recoverVault() {
-  onVaultRecoverError.value = null;
+  onVaultRecoverError.value = undefined;
   try {
     processingVaultRecovery.value = true;
     // TODO: check whether Vault Format 8 or UVF
diff --git a/frontend/src/components/RegenerateSetupCodeDialog.vue b/frontend/src/components/RegenerateSetupCodeDialog.vue
index 7992e9947..fe3859f8a 100644
--- a/frontend/src/components/RegenerateSetupCodeDialog.vue
+++ b/frontend/src/components/RegenerateSetupCodeDialog.vue
@@ -34,7 +34,7 @@
                   <button type="button" class="mt-3 w-full inline-flex justify-center rounded-md border border-gray-300 shadow-xs px-4 py-2 bg-white text-base font-medium text-gray-700 hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:mt-0 sm:ml-3 sm:w-auto sm:text-sm" @click="open = false">
                     {{ t('common.close') }}
                   </button>
-                  <p v-if="onRegenerateError != null" class="mt-3 text-center text-sm text-red-900 sm:mt-0 sm:text-right">
+                  <p v-if="onRegenerateError" class="mt-3 text-center text-sm text-red-900 sm:mt-0 sm:text-right">
                     {{ t('common.unexpectedError', [onRegenerateError.message]) }}
                   </p>
                 </div>
@@ -113,7 +113,7 @@ enum State {
 
 const { t } = useI18n({ useScope: 'global' });
 
-const onRegenerateError = ref<Error | null>();
+const onRegenerateError = ref<Error>();
 
 const state = ref(State.ConfirmRegenerateSetupCode);
 const processing = ref(false);
@@ -146,7 +146,7 @@ async function show() {
 }
 
 async function regenerateSetupCode() {
-  onRegenerateError.value = null;
+  onRegenerateError.value = undefined;
   try {
     processing.value = true;
 
diff --git a/frontend/src/components/ResetUserAccountDialog.vue b/frontend/src/components/ResetUserAccountDialog.vue
index b19787de0..57ddd1921 100644
--- a/frontend/src/components/ResetUserAccountDialog.vue
+++ b/frontend/src/components/ResetUserAccountDialog.vue
@@ -34,7 +34,7 @@
                   <button type="button" class="mt-3 w-full inline-flex justify-center rounded-md border border-gray-300 shadow-xs px-4 py-2 bg-white text-base font-medium text-gray-700 hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:mt-0 sm:ml-3 sm:w-auto sm:text-sm" @click="open = false">
                     {{ t('common.close') }}
                   </button>
-                  <p v-if="onResetError != null" class="mt-3 text-center text-sm text-red-900 sm:mt-0 sm:text-right">
+                  <p v-if="onResetError" class="mt-3 text-center text-sm text-red-900 sm:mt-0 sm:text-right">
                     {{ t('common.unexpectedError', [onResetError.message]) }}
                   </p>
                 </div>
@@ -58,7 +58,7 @@ import router from '../router';
 
 const { t } = useI18n({ useScope: 'global' });
 
-const onResetError = ref<Error | null>();
+const onResetError = ref<Error>();
 
 const processing = ref(false);
 
@@ -81,7 +81,7 @@ async function show() {
 }
 
 async function resetUserAccount() {
-  onResetError.value = null;
+  onResetError.value = undefined;
   try {
     processing.value = true;
     await backend.users.resetMe();
diff --git a/frontend/src/components/SearchInputGroup.vue b/frontend/src/components/SearchInputGroup.vue
index f59f43057..adaf0a091 100644
--- a/frontend/src/components/SearchInputGroup.vue
+++ b/frontend/src/components/SearchInputGroup.vue
@@ -4,34 +4,37 @@
       <Combobox as="div" class="w-full" @update:model-value="item => selectedItem = item">
         <div class="relative">
           <div class="absolute inset-y-0 left-0 pl-3 flex items-center pointer-events-none">
-            <UsersIcon v-if="selectedItem == null" class="h-5 w-5 text-gray-400" aria-hidden="true" />
+            <UsersIcon v-if="selectedItem === undefined" class="h-5 w-5 text-gray-400" aria-hidden="true" />
             <img v-else :src="selectedItem.pictureUrl ?? ''" alt="" class="w-5 h-5 rounded-full" >
           </div>
 
-          <ComboboxInput v-if="selectedItem == null" v-focus class="w-full h-10 rounded-l-md border border-gray-300 bg-white py-2 px-10 shadow-xs focus:border-primary focus:outline-hidden focus:ring-1 focus:ring-primary sm:text-sm disabled:bg-primary-l2" placeholder="John Doe" @change="query = $event.target.value"/>
+          <ComboboxInput v-if="selectedItem === undefined" v-focus class="w-full h-10 rounded-l-md border border-gray-300 bg-white py-2 px-10 shadow-xs focus:border-primary focus:outline-hidden focus:ring-1 focus:ring-primary sm:text-sm disabled:bg-primary-l2" :placeholder="placeHolder" @change="query = $event.target.value"/>
           <div v-else class="w-full h-10 rounded-l-md border border-gray-300 bg-primary-l2 py-2 px-10 flex items-center justify-between shadow-xs sm:text-sm">
             <span class="truncate">{{ selectedItem.name }}</span>
             <span v-if="selectedItem.type === 'GROUP'" class="ml-3 text-gray-500 text-xs italic whitespace-nowrap">{{ t('common.xMembers', [selectedItem.memberSize]) }}</span>
           </div>
         </div>
 
-        <ComboboxOptions v-if="selectedItem == null && filteredItems.length > 0" class="absolute z-10 mt-1 max-h-56 w-full overflow-auto rounded-md bg-white py-1 text-base shadow-lg ring-1 ring-black/5 focus:outline-hidden sm:text-sm">
+        <ComboboxOptions v-if="selectedItem === undefined && filteredItems.length > 0" class="absolute z-10 mt-1 max-h-56 w-full overflow-auto rounded-md bg-white py-1 text-base shadow-lg ring-1 ring-black/5 focus:outline-hidden sm:text-sm">
           <ComboboxOption v-for="item in filteredItems" :key="item.id" :value="item" class="relative cursor-default select-none py-2 pl-3 pr-9 ui-not-active:text-gray-900 ui-active:bg-primary ui-active:text-white">
             <div class="flex items-center">
-              <img :src="item.pictureUrl ?? ''" alt="" class="h-6 w-6 shrink-0 rounded-full" >
+              <img v-if="item.pictureUrl" :src="item.pictureUrl" class="w-6 h-6 shrink-0 rounded-full" alt="group icon" />
+              <div v-else class="w-6 h-6 flex items-center rounded-full rounded-full border border-gray-300 bg-white justify-center overflow-hidden">
+                <UserGroupIcon class="w-4 h-4 shrink-0 text-gray-400" aria-hidden="true" />
+              </div>
               <span class="ml-3 truncate">{{ item.name }}</span>
-              <span v-if="item.type === 'GROUP'" class="ml-3 text-gray-500 text-xs italic whitespace-nowrap">{{ t('common.xMembers', [item.memberSize]) }}</span>
+              <span v-if="item.type === 'GROUP'" class="ml-3 text-gray-500 text-xs italic whitespace-nowrap ui-active:text-white">{{ t('common.xMembers', [item.memberSize]) }}</span>
             </div>
           </ComboboxOption>
         </ComboboxOptions>
       </Combobox>
 
-      <button v-if="selectedItem != null" type="button" class="absolute inset-y-0 right-0 pr-3 flex items-center" @click="reset()">
+      <button v-if="selectedItem !== undefined" type="button" class="absolute inset-y-0 right-0 pr-3 flex items-center" @click="reset()">
         <XCircleIcon class="h-5 w-5 text-gray-400" aria-hidden="true" />
       </button>
     </div>
 
-    <button ref="actionButton" :disabled="selectedItem == null" type="button" class="-ml-px relative inline-flex items-center space-x-2 px-4 py-2 border border-transparent text-sm font-medium rounded-r-md text-white bg-primary hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary focus:border-primary disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed" @click="onAction()">
+    <button ref="actionButton" :disabled="selectedItem === undefined" type="button" class="-ml-px relative inline-flex items-center space-x-2 px-4 py-2 border border-transparent text-sm font-medium rounded-r-md text-white bg-primary hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary focus:border-primary disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed" @click="onAction()">
       {{ actionTitle }}
     </button>
   </div>
@@ -39,7 +42,7 @@
 
 <script setup lang="ts" generic="T extends Item">
 import { Combobox, ComboboxInput, ComboboxOption, ComboboxOptions } from '@headlessui/vue';
-import { UsersIcon, XCircleIcon } from '@heroicons/vue/24/solid';
+import { UsersIcon, UserGroupIcon, XCircleIcon } from '@heroicons/vue/24/solid';
 import { computed, nextTick, ref, shallowRef, watch } from 'vue';
 import { useI18n } from 'vue-i18n';
 import { debounce } from '../common/util';
@@ -56,6 +59,7 @@ const { t } = useI18n({ useScope: 'global' });
 
 const props = defineProps<{
   actionTitle: string
+  placeHolder: string
   onSearch: (query: string) => Promise<T[]>
 }>();
 
@@ -70,9 +74,9 @@ const vFocus = {
 };
 
 const actionButton = ref<HTMLButtonElement>();
-const selectedItem = shallowRef<T | null>(null);
+const selectedItem = shallowRef<T>();
 watch(selectedItem, (value) => {
-  if (value != null) {
+  if (value !== undefined) {
     nextTick(() => actionButton.value?.focus());
   }
 });
@@ -112,7 +116,7 @@ function onAction() {
 }
 
 function reset() {
-  selectedItem.value = null;
+  selectedItem.value = undefined;
   query.value = '';
 }
 </script>
diff --git a/frontend/src/components/SignUserKeysDialog.vue b/frontend/src/components/SignUserKeysDialog.vue
index ffecd8531..49b018b68 100644
--- a/frontend/src/components/SignUserKeysDialog.vue
+++ b/frontend/src/components/SignUserKeysDialog.vue
@@ -44,7 +44,7 @@
                     {{ t('common.cancel') }}
                   </button>
                 </div>
-                <p v-if="onSignError != null" class="text-sm text-red-900 px-4 sm:px-6 text-right bg-red-50">
+                <p v-if="onSignError" class="text-sm text-red-900 px-4 sm:px-6 text-right bg-red-50">
                   {{ t('common.unexpectedError', [onSignError.message]) }}
                 </p>
               </form>
@@ -82,7 +82,7 @@ defineExpose({
   show
 });
 
-const onSignError = ref<Error | null>();
+const onSignError = ref<Error>();
 const expectedFingerprint = ref<string>();
 const enteredFingerprint = ref<string>('');
 const minVerificationLen = ref<number>(64); // default: check all 64 hex digits of 256 bit fingerprint
@@ -116,7 +116,8 @@ async function sign() {
     emit('signed', newTrust);
     open.value = false;
   } catch (error) {
-    onSignError.value = error;
+    console.error('Error during signing:', error);
+    onSignError.value = error instanceof Error ? error : new Error('Unknown Error');
   }
 }
 
diff --git a/frontend/src/components/SimpleNavigationBar.vue b/frontend/src/components/SimpleNavigationBar.vue
index ebaadf264..67d21157e 100644
--- a/frontend/src/components/SimpleNavigationBar.vue
+++ b/frontend/src/components/SimpleNavigationBar.vue
@@ -4,8 +4,8 @@
       <div class="relative flex justify-between h-16">
         <div class="flex-1 flex items-center justify-center sm:items-stretch sm:justify-start">
           <div class="shrink-0 flex items-center">
-            <img src="/logo.svg" class="h-8" alt="Logo"/>
-            <span class="font-headline font-bold text-primary ml-2 pb-px">CRYPTOMATOR HUB</span>
+            <img src="/logo.png" class="h-9" alt="Katta Logo"/>
+            <span class="font-headline font-bold text-white ml-2 pb-px">KATTA</span>
           </div>
         </div>
 
diff --git a/frontend/src/components/TrustDetails.vue b/frontend/src/components/TrustDetails.vue
index f2b01694f..d6c255fbd 100644
--- a/frontend/src/components/TrustDetails.vue
+++ b/frontend/src/components/TrustDetails.vue
@@ -1,6 +1,12 @@
 <template>
   <Popover as="div" class="relative inline-block text-left overflow-visible">
-    <PopoverButton class="inline-flex items-center bg-gray-50 ring-1 ring-inset ring-gray-500/10 mx-1 p-1 rounded-full focus:outline-hidden focus:ring-primary">
+    <PopoverButton
+      :disabled="disableAction" class="inline-flex items-center bg-gray-50 ring-1 ring-inset ring-gray-500/10 mx-1 p-1 rounded-full focus:outline-hidden focus:ring-primary"
+      :class="{
+        'cursor-not-allowed': disableAction,
+        'opacity-60': dimmed
+      }"
+    >
       <ShieldExclamationIcon v-if="trustLevel === -1" class="h-4 w-4 text-red-500" aria-label="Unverified" />
       <ShieldCheckIcon v-else class="h-4 w-4 text-primary" aria-label="Verified" />
     </PopoverButton>
@@ -10,7 +16,11 @@
         <p v-if="trustLevel === -1" class="text-sm mb-2">{{ t('trustDetails.trustLevel.untrusted') }}</p>
         <p v-else-if="trustLevel === 0" class="text-sm mb-2">{{ t('trustDetails.trustLevel', [ n(1, 'percent')]) }}</p>
         <p v-else-if="trustLevel > 0" class="text-sm mb-2">{{ t('trustDetails.trustLevel', [ n(1 / trustLevel, 'percent')]) }}</p>
-        <button v-if="trustLevel !== 0 && trustedUser.ecdhPublicKey && trustedUser.ecdsaPublicKey" class="w-full inline-flex justify-center rounded-md border border-transparent shadow-xs px-4 py-2 bg-primary text-base font-medium text-white hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:w-auto sm:text-sm" @click="showSignUserKeysDialog()">
+        <button 
+          v-if="trustLevel !== 0 && trustedUser.ecdhPublicKey && trustedUser.ecdsaPublicKey" 
+          class="w-full inline-flex justify-center rounded-md border border-transparent shadow-xs px-4 py-2 bg-primary text-base font-medium text-white hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:w-auto sm:text-sm whitespace-nowrap" 
+          @click.prevent.stop="showSignUserKeysDialog"
+        >
           {{ t('trustDetails.showSignDialogBtn') }}
         </button>
         <p v-if="!trustedUser.ecdhPublicKey || !trustedUser.ecdsaPublicKey" class="text-sm mb-2">{{ t('trustDetails.userNotSetUp') }}</p>
@@ -35,7 +45,9 @@ const { t, n } = useI18n({ useScope: 'global' });
 
 const props = defineProps<{
   trustedUser: UserDto,
-  trusts: TrustDto[]
+  trusts: TrustDto[],
+  disableAction?: boolean,
+  dimmed?: boolean
 }>();
 
 const emit = defineEmits<{
diff --git a/frontend/src/components/UnlockError.vue b/frontend/src/components/UnlockError.vue
index 6c04b3ed1..4586db9c4 100644
--- a/frontend/src/components/UnlockError.vue
+++ b/frontend/src/components/UnlockError.vue
@@ -2,8 +2,8 @@
   <nav class="bg-tertiary2">
     <div class="max-w-7xl mx-auto sm:px-6 lg:px-8 h-16 flex-1 flex items-center justify-center sm:items-stretch sm:justify-start">
       <div class="shrink-0 flex items-center">
-        <img src="/logo.svg" class="h-8" alt="Logo"/>
-        <span class="font-headline font-bold text-primary ml-2 pb-px">CRYPTOMATOR HUB</span>
+        <img src="/logo.png" class="h-8" alt="Logo"/>
+        <span class="font-headline font-bold text-primary ml-2 pb-px">KATTA</span>
       </div>
     </div>
   </nav>
@@ -11,7 +11,7 @@
   <div class="max-w-7xl mx-auto px-4 py-12 sm:px-6 lg:px-8 flex justify-center">
     <div class="bg-white px-4 py-5 shadow-sm sm:rounded-lg sm:p-6 text-center sm:w-full sm:max-w-lg">
       <div class="flex justify-center mb-3 sm:mb-5">
-        <img src="/logo.svg" class="h-12" alt="Logo" aria-hidden="true" />
+        <img src="/logo.png" class="h-16" alt="Katta Logo" aria-hidden="true" />
       </div>
       <h1 class="text-2xl leading-6 font-medium text-gray-900">
         Unlock failed
diff --git a/frontend/src/components/UnlockSuccess.vue b/frontend/src/components/UnlockSuccess.vue
index 13e1789a1..400c042a7 100644
--- a/frontend/src/components/UnlockSuccess.vue
+++ b/frontend/src/components/UnlockSuccess.vue
@@ -3,8 +3,8 @@
   <SimpleNavigationBar v-else-if="me" :me="me"/>
 
   <div class="max-w-7xl mx-auto px-4 py-12 sm:px-6 lg:px-8 flex justify-center">
-    <div v-if="me == null">
-      <div v-if="onFetchError == null">
+    <div v-if="me === undefined">
+      <div v-if="!onFetchError">
         {{ t('common.loading') }}
       </div>
       <div v-else>
@@ -14,7 +14,7 @@
 
     <div v-else class="bg-white px-4 py-5 shadow-sm sm:rounded-lg sm:p-6 text-center sm:w-full sm:max-w-lg">
       <div class="flex justify-center mb-3 sm:mb-5">
-        <img src="/logo.svg" class="h-12" alt="Logo" aria-hidden="true" />
+        <img src="/logo.png" class="h-16" alt="Katta Logo" aria-hidden="true" />
       </div>
 
       <!-- ACCOUNT SETUP -->
@@ -41,6 +41,16 @@
         </router-link>
       </div>
 
+      <!-- ARCHIVED -->
+      <div v-else-if="vaultAccess == VaultAccess.Archived" class="text-sm text-gray-500">
+        <h1 class="text-2xl leading-6 font-medium text-gray-900">
+          {{ t('unlock.noAccessVaultArchived.title') }}
+        </h1>
+        <p class="mt-2">
+          {{ t('unlock.noAccessVaultArchived.description') }}
+        </p>
+      </div>
+
       <!-- NO VAULT ACCESS -->
       <div v-else-if="vaultAccess == VaultAccess.Denied" class="text-sm text-gray-500">
         <h1 class="text-2xl leading-6 font-medium text-gray-900">
@@ -52,7 +62,7 @@
       </div>
 
       <!-- SUCCESS -->
-      <div v-else class="text-sm text-gray-500">
+      <div v-else-if="vaultAccess == VaultAccess.Allowed" class="text-sm text-gray-500">
         <h1 class="text-2xl leading-6 font-medium text-gray-900">
           {{ t('unlockSuccess.title') }}
         </h1>
@@ -98,9 +108,10 @@ const deviceState : ComputedRef<DeviceState> = computed(() => {
 });
 
 const vaultAccess : ComputedRef<VaultAccess> = computed(() => {
-  return accessibleVaults.value?.find(v => v.id === props.vaultId)
-    ? VaultAccess.Allowed
-    : VaultAccess.Denied;
+  const vault = accessibleVaults.value?.find(v => v.id === props.vaultId);
+  if (!vault) return VaultAccess.Denied;
+  if (vault.archived) return VaultAccess.Archived;
+  return VaultAccess.Allowed;
 });
 
 enum AccountState {
@@ -115,18 +126,19 @@ enum DeviceState {
 
 enum VaultAccess {
   Allowed,
+  Archived,
   Denied
 }
 
 const me = ref<UserDto>();
 const hasBrowserKeys = ref<boolean>(false);
 const accessibleVaults = ref<VaultDto[]>();
-const onFetchError = ref<Error | null>();
+const onFetchError = ref<Error>();
 
 onMounted(fetchData);
 
 async function fetchData() {
-  onFetchError.value = null;
+  onFetchError.value = undefined;
   try {
     me.value = await userdata.me;
     hasBrowserKeys.value = await userdata.browserKeys.then(keys => keys !== undefined);
diff --git a/frontend/src/components/UserListGroupVisualization.vue b/frontend/src/components/UserListGroupVisualization.vue
new file mode 100644
index 000000000..401a30888
--- /dev/null
+++ b/frontend/src/components/UserListGroupVisualization.vue
@@ -0,0 +1,49 @@
+<template>
+  <div v-if="authorities.length" class="relative inline-flex -space-x-2">
+    <template v-for="a in preview.list" :key="a.id">
+      <div v-if="a.type === 'USER'" class="relative h-8 w-8 rounded-full ring-1 ring-gray-200 bg-white overflow-hidden flex items-center justify-center">
+        <img v-if="a.pictureUrl" :src="a.pictureUrl" :alt="a.name" :title="a.name" class="h-full w-full object-cover" />
+        <div v-else class="h-full w-full flex items-center justify-center text-[9px] font-semibold text-gray-700">
+          {{ initials(a.name) }}
+        </div>
+      </div>
+      <div v-else-if="a.type === 'GROUP'" :title="a.name" class="relative h-8 w-8 rounded-full ring-1 ring-gray-200 bg-gray-300 flex items-center justify-center text-[10px] font-semibold text-gray-700">
+        {{ initials(a.name) }} <span v-if="a.memberSize">({{ a.memberSize }})</span>
+      </div>
+    </template>
+
+    <div v-if="preview.extra > 0" class="relative z-10 h-8 w-8 ml-0.5 rounded-full ring-1 ring-gray-200 bg-gray-200 flex items-center justify-center text-[10px] font-semibold text-gray-700">
+      +{{ preview.extra }}
+    </div>
+  </div>
+</template>
+
+<script setup lang="ts">
+import { computed } from 'vue';
+import { AuthorityDto } from '../common/backend';
+
+const props = withDefaults(defineProps<{
+  authorities: AuthorityDto[];
+  max?: number;
+}>(), {
+  max: 3,
+});
+
+const preview = computed(() => {
+  const extra = Math.max(0, props.authorities.length - props.max);
+  return {
+    list: props.authorities.slice(0, props.max),
+    extra,
+  };
+});
+
+function initials(name: string): string {
+  return (name ?? '')
+    .split(' ')
+    .map(p => p.trim()[0])
+    .filter(Boolean)
+    .slice(0, 2)
+    .join('')
+    .toUpperCase();
+}
+</script>
diff --git a/frontend/src/components/UserProfile.vue b/frontend/src/components/UserProfile.vue
index 0d21aabf9..05ac2d26f 100644
--- a/frontend/src/components/UserProfile.vue
+++ b/frontend/src/components/UserProfile.vue
@@ -1,6 +1,6 @@
 <template>
-  <div v-if="me == null">
-    <div v-if="onFetchError == null">
+  <div v-if="me === undefined">
+    <div v-if="!onFetchError">
       {{ t('common.loading') }}
     </div>
     <div v-else>
@@ -15,14 +15,14 @@
         <div class="text-center">
           <img class="h-32 w-32 rounded-full bg-white mx-auto" :src="me.pictureUrl" alt="" />
           <p class="mt-3 font-semibold">{{ me.name }}</p>
-          <p v-if="me.email != null" class="text-sm text-gray-500">{{ me.email }}</p>
+          <p v-if="me.email" class="text-sm text-gray-500">{{ me.email }}</p>
         </div>
         <div class="flex flex-col gap-2">
           <button type="button" class="inline-flex items-center justify-center px-4 py-2 border border-gray-300 shadow-xs text-sm font-medium rounded-md text-gray-700 bg-white hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="openKeycloakUserAccount()">
             <ArrowTopRightOnSquareIcon class="-ml-1 mr-2 h-5 w-5" aria-hidden="true" />
             {{ t('userProfile.actions.manageAccount') }}
           </button>
-          <Listbox v-model="locale" as="div">
+          <Listbox v-model="languagePreference" as="div">
             <div class="relative">
               <ListboxButton class="relative w-full inline-flex items-center justify-center px-4 py-2 border border-gray-300 shadow-xs text-sm font-medium rounded-md text-gray-700 bg-white hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary">
                 <LanguageIcon class="-ml-1 mr-2 h-5 w-5" aria-hidden="true" />
@@ -33,7 +33,7 @@
               </ListboxButton>
               <transition leave-active-class="transition ease-in duration-100" leave-from-class="opacity-100" leave-to-class="opacity-0">
                 <ListboxOptions class="absolute z-10 mt-1 max-h-60 w-full overflow-auto rounded-md bg-white py-1 shadow-lg ring-1 ring-black/5 focus:outline-hidden text-sm">
-                  <ListboxOption v-slot="{ active, selected }" :value="browserLocale" class="relative cursor-default select-none py-2 pl-3 pr-9 ui-not-active:text-gray-900 ui-active:text-white ui-active:bg-primary" @click="saveLanguage(undefined)">
+                  <ListboxOption v-slot="{ active, selected }" value="browser" class="relative cursor-default select-none py-2 pl-3 pr-9 ui-not-active:text-gray-900 ui-active:text-white ui-active:bg-primary" @click="saveLanguage(undefined)">
                     <span :class="[selected || active ? 'font-semibold' : 'font-normal', 'block truncate']">{{ t('userProfile.actions.changeLanguage.entry.browser') }}</span>
                     <span v-if="selected" :class="[active ? 'text-white' : 'text-primary', 'absolute inset-y-0 right-0 flex items-center pr-4']">
                       <CheckIcon class="h-5 w-5" aria-hidden="true" />
@@ -50,9 +50,9 @@
             </div>
           </Listbox>
         </div>
-        <div v-if="version != null" class="text-center">
+        <div v-if="version !== undefined" class="text-center">
           <p class="text-xs text-gray-500">
-            Hub {{ version.hubVersion }} • Keycloak {{ version.keycloakVersion ?? t('userProfile.keycloakVersion.notAvailable') }}
+            Katta {{ version.hubVersion }} • Keycloak {{ version.keycloakVersion ?? t('userProfile.keycloakVersion.notAvailable') }}
           </p>
         </div>
       </div>
@@ -76,7 +76,7 @@ import backend, { UserDto, VersionDto } from '../common/backend';
 
 import config from '../common/config';
 import userdata from '../common/userdata';
-import { Locale } from '../i18n';
+import { Locale, detectBrowserLocale } from '../i18n';
 import DeviceList from './DeviceList.vue';
 import FetchError from './FetchError.vue';
 import LegacyDeviceList from './LegacyDeviceList.vue';
@@ -85,20 +85,29 @@ import UserkeyFingerprint from './UserkeyFingerprint.vue';
 
 const { locale, t } = useI18n({ useScope: 'global' });
 
+type LanguagePreference = Locale | 'browser';
+
+const languagePreference = ref<LanguagePreference>('browser');
+
 const me = ref<UserDto>();
 const keycloakUserAccountURL = ref<string>();
 const version = ref<VersionDto>();
-const onFetchError = ref<Error | null>();
-const browserLocale = ref<string>(navigator.language);
+const onFetchError = ref<Error>();
+const browserLocale = ref<string>(detectBrowserLocale());
 
 onMounted(async () => {
   const cfg = config.get();
   keycloakUserAccountURL.value = `${cfg.keycloakUrl}/realms/${cfg.keycloakRealm}/account`;
   await fetchData();
+  if (me.value?.language) {
+    languagePreference.value = me.value.language as Locale;
+  } else {
+    languagePreference.value = 'browser';
+  }
 });
 
 async function fetchData() {
-  onFetchError.value = null;
+  onFetchError.value = undefined;
   try {
     me.value = await userdata.me;
     version.value = await backend.version.get();
diff --git a/frontend/src/components/VaultCreationProgress.vue b/frontend/src/components/VaultCreationProgress.vue
index 89ca8c257..80899b0f7 100644
--- a/frontend/src/components/VaultCreationProgress.vue
+++ b/frontend/src/components/VaultCreationProgress.vue
@@ -43,6 +43,7 @@ enum State {
   Initial,
   EnterRecoveryKey,
   EnterVaultDetails,
+  DefineEmergencyAccess,
   ShowRecoveryKey,
   Finished
 }
@@ -60,6 +61,8 @@ const tooltipForStep = (step: State): string => {
   switch (step) {
     case State.EnterVaultDetails:
       return t('createVault.enterVaultDetails.title');
+    case State.DefineEmergencyAccess:
+      return t('createVault.emergencyAccessDetails.title');
     case State.ShowRecoveryKey:
       return t('createVault.showRecoveryKey.title');
     case State.Finished:
diff --git a/frontend/src/components/VaultDetails.vue b/frontend/src/components/VaultDetails.vue
index d403184ef..8b31ef2b8 100644
--- a/frontend/src/components/VaultDetails.vue
+++ b/frontend/src/components/VaultDetails.vue
@@ -1,10 +1,10 @@
 <template>
-  <div v-if="vault == null">
-    <div v-if="onFetchError == null">
+  <div v-if="vault === undefined">
+    <div v-if="!onFetchError">
       {{ t('common.loading') }}
     </div>
     <div v-else>
-      <FetchError :error="onFetchError" :retry="allowRetryFetch ? fetchData : null"/>
+      <FetchError :error="onFetchError" :retry="allowRetryFetch ? fetchData : undefined"/>
     </div>
   </div>
 
@@ -18,6 +18,10 @@
       </div>
     </div>
 
+    <!-- / start katta extension -->
+    <p v-if="showVaultIDs && (vault.id.length > 0)" class="truncate text-sm text-gray-500 mt-2">{{ vault.id }}</p>
+    <!-- \ end katta extension -->
+
     <div>
       <h3 class="font-medium text-gray-900">{{ t('vaultDetails.description.header') }}</h3>
       <div class="mt-2 flex items-center justify-between">
@@ -49,7 +53,7 @@
                   <p class="w-full ml-4 text-sm font-medium text-gray-900 truncate">{{ member.name }}</p>
                   <span v-if="member.type === 'GROUP'" class="ml-3 text-xs text-gray-500 italic whitespace-nowrap">{{ t('common.xMembers', [member.memberSize]) }}</span>
                   <TrustDetails v-if="member.type === 'USER'" :trusted-user="member" :trusts="trusts" @trust-changed="refreshTrusts()"/>
-                  <div v-if="member.role == 'OWNER'" class="ml-3 inline-flex items-center rounded-md bg-gray-50 px-2 py-1 text-xs font-medium text-gray-600 ring-1 ring-inset ring-gray-500/10">{{ t('vaultDetails.sharedWith.badge.owner') }}</div>
+                  <div v-if="member.vaultRole == 'OWNER'" class="ml-3 inline-flex items-center rounded-md bg-gray-50 px-2 py-1 text-xs font-medium text-gray-600 ring-1 ring-inset ring-gray-500/10">{{ t('vaultDetails.sharedWith.badge.owner') }}</div>
                   <Menu v-if="member.id != me?.id" as="div" class="relative ml-2 inline-block shrink-0 text-left">
                     <MenuButton class="group relative inline-flex h-8 w-8 items-center justify-center rounded-full bg-white focus:outline-hidden focus:ring-2 focus:ring-primary focus:ring-offset-2">
                       <span class="absolute -inset-1.5" />
@@ -61,12 +65,12 @@
                     <transition enter-active-class="transition ease-out duration-100" enter-from-class="transform opacity-0 scale-95" enter-to-class="transform opacity-100 scale-100" leave-active-class="transition ease-in duration-75" leave-from-class="transform opacity-100 scale-100" leave-to-class="transform opacity-0 scale-95">
                       <MenuItems class="absolute right-9 top-0 z-10 w-48 origin-top-right rounded-md bg-white shadow-lg ring-1 ring-black/5 focus:outline-hidden">
                         <div class="py-1">
-                          <MenuItem v-if="member.role == 'MEMBER'" v-slot="{ active }" @click="updateMemberRole(member, 'OWNER')">
+                          <MenuItem v-if="member.vaultRole == 'MEMBER'" v-slot="{ active }" @click="updateMemberRole(member, 'OWNER')">
                             <div :class="[active ? 'bg-gray-100 text-gray-900' : 'text-gray-700', 'cursor-pointer block px-4 py-2 text-sm']">
                               {{ t('vaultDetails.sharedWith.grantOwnership') }}
                             </div>
                           </MenuItem>
-                          <MenuItem v-if="member.role == 'OWNER'" v-slot="{ active }" @click="updateMemberRole(member, 'MEMBER')">
+                          <MenuItem v-if="member.vaultRole == 'OWNER'" v-slot="{ active }" @click="updateMemberRole(member, 'MEMBER')">
                             <div :class="[active ? 'bg-gray-100 text-gray-900' : 'text-gray-700', 'cursor-pointer block px-4 py-2 text-sm']">
                               {{ t('vaultDetails.sharedWith.revokeOwnership') }}
                             </div>
@@ -83,7 +87,7 @@
                 </div>
               </div>
 
-              <p v-if="onUpdateVaultMembershipError[member.id] != null" class="text-sm text-red-900 text-right mt-1">
+              <p v-if="onUpdateVaultMembershipError[member.id]" class="text-sm text-red-900 text-right mt-1">
                 {{ t('common.unexpectedError', [onUpdateVaultMembershipError[member.id].message]) }}
               </p>
             </li>
@@ -98,8 +102,8 @@
                 <span class="ml-4 text-sm font-medium text-primary group-hover:text-primary-l1">{{ t('common.share') }}</span>
               </button>
             </div>
-            <SearchInputGroup v-else-if="addingUser" :action-title="t('common.add')" :on-search="searchAuthority" @action="addAuthority" />
-            <div v-if="onAddUserError != null">
+            <SearchInputGroup v-else-if="addingUser" :action-title="t('common.add')" place-holder="John Doe" :on-search="searchAuthority" @action="addAuthority" />
+            <div v-if="onAddUserError">
               <p v-if="onAddUserError instanceof PaymentRequiredError" class="text-sm text-red-900 text-right mt-1">
                 {{ t('vaultDetails.error.licenseViolated') }}
               </p>
@@ -130,9 +134,13 @@
           {{ t('vaultDetails.actions.editVaultMetadata') }}
         </button>
         <!-- archiveVault button -->
-        <button v-if="(vaultRole == 'OWNER' || isAdmin)" type="button" class="bg-red-600 py-2 px-4 border border-transparent rounded-md shadow-xs text-sm font-medium text-white  hover:bg-red-700 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-red-500" @click="showArchiveVaultDialog()">
+        <button v-if="canToggleArchive && !vault.archived" type="button" class="bg-red-600 py-2 px-4 border border-transparent rounded-md shadow-xs text-sm font-medium text-white  hover:bg-red-700 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-red-500" @click="showArchiveVaultDialog()">
           {{ t('vaultDetails.actions.archiveVault') }}
         </button>
+        <!-- reactivateVault button -->
+        <button v-if="canToggleArchive && vault.archived" type="button" class="bg-red-600 py-2 px-4 border border-transparent rounded-md shadow-xs text-sm font-medium text-white  hover:bg-red-700 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-red-500" @click="showReactivateVaultDialog()">
+          {{ t('vaultDetails.actions.reactivateVault') }}
+        </button>
       </div>
 
       <!-- special owner reset stuff -->
@@ -147,21 +155,33 @@
         <button type="button" class="bg-red-600 py-2 px-4 border border-transparent rounded-md shadow-xs text-sm font-medium text-white  hover:bg-red-700 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-red-500" @click="showRecoverVaultDialog()">
           {{ t('vaultDetails.actions.recoverVault') }}
         </button>
+        <!-- archiveVault button -->
+        <button v-if="canToggleArchive && !vault.archived" type="button" class="bg-red-600 py-2 px-4 border border-transparent rounded-md shadow-xs text-sm font-medium text-white  hover:bg-red-700 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-red-500" @click="showArchiveVaultDialog()">
+          {{ t('vaultDetails.actions.archiveVault') }}
+        </button>
+        <!-- reactivateVault button -->
+        <button v-if="canToggleArchive && vault.archived" type="button" class="bg-red-600 py-2 px-4 border border-transparent rounded-md shadow-xs text-sm font-medium text-white  hover:bg-red-700 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-red-500" @click="showReactivateVaultDialog()">
+          {{ t('vaultDetails.actions.reactivateVault') }}
+        </button>
       </div>
 
       <!-- vault is archived -->
       <div v-else-if="vault.archived" class="mt-2 flex flex-col gap-2">
         <!-- downloadTemplate button -->
+        <!-- / start katta modification -->
+        <!--
         <button v-if="vaultRole == 'OWNER'" type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-xs text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showDownloadVaultTemplateDialog()">
           {{ t('vaultDetails.actions.downloadVaultTemplate') }}
         </button>
+        -->
+        <!-- \ end katta modification -->
         <!-- displayRecoveryKey button (Vault Format 8 only) -->
         <button v-if="vaultRole == 'OWNER' && vaultFormat8" type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-xs text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showDisplayRecoveryKeyDialog()">
           {{ t('vaultDetails.actions.displayRecoveryKey') }}
         </button>
         <!-- TODO: regenerateRecoveryKey button (UVF only) -->
         <!-- reactivateVault button -->
-        <button v-if="(vaultRole == 'OWNER' || isAdmin)" type="button" class="bg-red-600 py-2 px-4 border border-transparent rounded-md shadow-xs text-sm font-medium text-white  hover:bg-red-700 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-red-500" @click="showReactivateVaultDialog()">
+        <button v-if="canToggleArchive" type="button" class="bg-red-600 py-2 px-4 border border-transparent rounded-md shadow-xs text-sm font-medium text-white  hover:bg-red-700 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-red-500" @click="showReactivateVaultDialog()">
           {{ t('vaultDetails.actions.reactivateVault') }}
         </button>
       </div>
@@ -183,15 +203,34 @@
           {{ t('vaultDetails.actions.editVaultMetadata') }}
         </button>
         <!-- downloadTemplate button -->
+        <!-- / start katta modification -->
+        <!--
         <button v-if="vaultRole == 'OWNER'" type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-xs text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showDownloadVaultTemplateDialog()">
           {{ t('vaultDetails.actions.downloadVaultTemplate') }}
         </button>
+        -->
+        <!-- \ end katta modification -->
         <!-- displayRecoveryKey button -->
         <button v-if="vaultRole == 'OWNER' && (vaultFormat8 || uvfVault?.recoveryKey.privateKey)" type="button" class="bg-white py-2 px-4 border border-gray-300 rounded-md shadow-xs text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showDisplayRecoveryKeyDialog()">
           {{ t('vaultDetails.actions.displayRecoveryKey') }}
         </button>
+        <!-- setup emergencyAccess button -->
+        <button v-if="!hasEmergencyKeys && vaultRole == 'OWNER' && !isCommunityLicense && settings?.enableEmergencyAccess" type="button" class="inline-flex items-center justify-center gap-2 bg-white py-2 px-4 border border-gray-300 rounded-md shadow-xs text-sm font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showGrantEmergencyAccessDialog()">
+          <ExclamationTriangleIcon class="h-5 w-5 text-yellow-500" />
+          <span>{{ t('vaultDetails.emergencyAccess.setupCouncil') }}</span>
+        </button>
+        <!-- fix emergency council size -->
+        <button
+          v-else-if="(vaultRole == 'OWNER' && hasInsufficientEmergencyRedundancy || (vaultRole == 'OWNER' && requiredGreaterThanMembers)) && !isCommunityLicense && settings?.enableEmergencyAccess"
+          type="button"
+          class="inline-flex items-center justify-center gap-2 bg-white py-2 px-4 border border-yellow-300 rounded-md shadow-xs text-sm font-medium text-yellow-800 hover:bg-yellow-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-yellow-400"
+          @click="showGrantEmergencyAccessDialog()"
+        >
+          <ExclamationTriangleIcon class="h-5 w-5 text-yellow-500" />
+          <span>{{ t('vaultDetails.emergencyAccess.fixCouncil') }}</span>
+        </button>
         <!-- archiveVault button -->
-        <button v-if="(vaultRole == 'OWNER' || isAdmin)" type="button" class="bg-red-600 py-2 px-4 border border-transparent rounded-md shadow-xs text-sm font-medium text-white  hover:bg-red-700 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-red-500" @click="showArchiveVaultDialog()">
+        <button v-if="canToggleArchive" type="button" class="bg-red-600 py-2 px-4 border border-transparent rounded-md shadow-xs text-sm font-medium text-white  hover:bg-red-700 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-red-500" @click="showArchiveVaultDialog()">
           {{ t('vaultDetails.actions.archiveVault') }}
         </button>
       </div>
@@ -200,24 +239,24 @@
 
   <ClaimVaultOwnershipDialog v-if="claimingVaultOwnership && vault" ref="claimVaultOwnershipDialog" :vault="vault" @action="provedOwnership" @close="claimingVaultOwnership = false" />
   <GrantPermissionDialog v-if="grantingPermission && vault && (vaultFormat8 || uvfVault)" ref="grantPermissionDialog" :vault="vault" :users="membersRequiringAccessGrant" :vault-keys="(vaultFormat8 || uvfVault)!" @close="grantingPermission = false" @permission-granted="permissionGranted()" />
-  <EditVaultMetadataDialog v-if="editingVaultMetadata && vault" ref="editVaultMetadataDialog" :vault="vault" @close="editingVaultMetadata = false" @updated="v => refreshVault(v)" />
+  <EditVaultMetadataDialog v-if="editingVaultMetadata && vault" ref="editVaultMetadataDialog" :vault="vault" @close="editingVaultMetadata = false" @updated="refreshVault" />
   <DownloadVaultTemplateDialog v-if="downloadingVaultTemplate && vault && (vaultFormat8 || uvfVault)" ref="downloadVaultTemplateDialog" :vault="vault" :vault-keys="(vaultFormat8 || uvfVault)!" @close="downloadingVaultTemplate = false" />
   <DisplayRecoveryKeyDialog v-if="displayingRecoveryKey && vault && (vaultFormat8 || uvfVault?.recoveryKey.privateKey)" ref="displayRecoveryKeyDialog" :vault="vault" @close="displayingRecoveryKey = false" />
-  <ArchiveVaultDialog v-if="archivingVault && vault" ref="archiveVaultDialog" :vault="vault" @close="archivingVault = false" @archived="v => refreshVault(v)" />
+  <ArchiveVaultDialog v-if="archivingVault && vault" ref="archiveVaultDialog" :vault="vault" @close="archivingVault = false" @archived="refreshVault" />
   <ReactivateVaultDialog v-if="reactivatingVault && vault" ref="reactivateVaultDialog" :vault="vault" @close="reactivatingVault = false" @reactivated="v => { refreshVault(v); refreshLicense();}" />
   <RecoverVaultDialog v-if="recoveringVault && vault" ref="recoverVaultDialog" :vault="vault" @close="recoveringVault = false" @recovered="fetchOwnerData()" />
+  <GrantEmergencyAccessDialog v-if="grantingEmergencyAccess && vault && (vaultFormat8 || uvfVault) && settings" ref="grantEmergencyAccessDialog" :vault="vault" :vault-keys="(vaultFormat8 || uvfVault)!" :settings="settings" @close="grantingEmergencyAccess = false" @updated="refreshVault" />
 </template>
 
 <script setup lang="ts">
 import { Menu, MenuButton, MenuItem, MenuItems } from '@headlessui/vue';
 import { ArrowPathIcon, EllipsisVerticalIcon, ExclamationTriangleIcon } from '@heroicons/vue/20/solid';
 import { PlusSmallIcon } from '@heroicons/vue/24/solid';
-import { base64 } from 'rfc4648';
+import { base64 } from '@scure/base';
+import * as R from 'remeda';
 import { computed, nextTick, onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
-import * as R from 'remeda';
-import auth from '../common/auth';
-import backend, { AuthorityDto, ConflictError, ForbiddenError, LicenseUserInfoDto, MemberDto, NotFoundError, PaymentRequiredError, TrustDto, UserDto, VaultDto, VaultRole } from '../common/backend';
+import backend, { AuthorityDto, ConflictError, ForbiddenError, LicenseUserInfoDto, MemberDto, NotFoundError, PaymentRequiredError, RecoveryProcessDto, SettingsDto, TrustDto, UserDto, VaultDto, VaultRole } from '../common/backend';
 import { JWT, JWTHeader } from '../common/jwt';
 import { UniversalVaultFormat } from '../common/universalVaultFormat';
 import userdata from '../common/userdata';
@@ -233,12 +272,18 @@ import ReactivateVaultDialog from './ReactivateVaultDialog.vue';
 import RecoverVaultDialog from './RecoverVaultDialog.vue';
 import SearchInputGroup from './SearchInputGroup.vue';
 import TrustDetails from './TrustDetails.vue';
+import GrantEmergencyAccessDialog from './emergencyaccess/GrantEmergencyAccessDialog.vue';
+
+// / start katta extension
+import { showVaultIDs } from '../common/settings';
+// \ end katta extension
 
 const { t, d } = useI18n({ useScope: 'global' });
 
 const props = defineProps<{
   vaultId: string,
   vaultRole: VaultRole | 'NONE',
+  isAdmin: boolean,
 }>();
 
 const emit = defineEmits<{
@@ -246,12 +291,15 @@ const emit = defineEmits<{
   licenseStatusUpdated: [license: LicenseUserInfoDto]
 }>();
 
-const onFetchError = ref<Error | null>();
-const allowRetryFetch = computed(() => onFetchError.value != null && !(onFetchError.value instanceof NotFoundError));  //fetch requests either list something, or query from th vault. In the latter, a 404 indicates the vault does not exists anymore.
+const canToggleArchive = computed(() => props.vaultRole === 'OWNER' || props.isAdmin);
+
+const onFetchError = ref<Error>();
+const allowRetryFetch = computed(() => onFetchError.value && !(onFetchError.value instanceof NotFoundError));  //fetch requests either list something, or query from th vault. In the latter, a 404 indicates the vault does not exists anymore.
 
 const onUpdateVaultMembershipError = ref< {[id: string]: Error} >({});
-const onAddUserError = ref<Error | null>();
+const onAddUserError = ref<Error>();
 
+const settings = ref<SettingsDto>();
 const license = ref<LicenseUserInfoDto>();
 const addingUser = ref(false);
 const grantingPermission = ref(false);
@@ -277,20 +325,35 @@ const trusts = ref<TrustDto[]>([]);
 const claimVaultOwnershipDialog = ref<typeof ClaimVaultOwnershipDialog>();
 const claimingVaultOwnership = ref(false);
 const me = ref<UserDto>();
+const grantingEmergencyAccess = ref(false);
+const grantEmergencyAccessDialog = ref<typeof GrantEmergencyAccessDialog>();
 
 const vaultRecoveryRequired = ref<boolean>(false);
-const isAdmin = ref<boolean>();
 
-const isLegacyVault = computed(() => vault.value?.authPublicKey != null);
+const isLegacyVault = computed(() => vault.value?.authPublicKey !== undefined);
 const licenseViolated = computed(() => license.value?.isExpired() || license.value?.isExceeded());
 
+const emergencyKeyShareAuthorities = ref<Record<string, AuthorityDto>>({});
+
+const hasEmergencyKeys = computed(() => Object.keys(vault.value?.emergencyKeyShares ?? {}).length > 0 );
+
+const isCommunityLicense = computed(() => {
+  return !license.value?.expiresAt;
+});
+
 onMounted(fetchData);
 
 async function fetchData() {
-  onFetchError.value = null;
+  onFetchError.value = undefined;
   try {
-    isAdmin.value = (await auth).hasRole('admin');
     vault.value = await backend.vaults.get(props.vaultId);
+    settings.value = await backend.settings.get();
+
+    if (vault.value && Object.keys(vault.value.emergencyKeyShares).length > 0) {
+      const authorities = await backend.authorities.listSome(Object.keys(vault.value.emergencyKeyShares));
+      emergencyKeyShareAuthorities.value = R.indexBy(authorities, a => a.id);
+    }
+
     me.value = await userdata.me;
     license.value = await backend.license.getUserInfo();
     if (props.vaultRole == 'OWNER') {
@@ -331,6 +394,20 @@ async function fetchOwnerData() {
   }
 }
 
+const hasInsufficientEmergencyRedundancy = computed(() => {
+  const required = vault.value?.requiredEmergencyKeyShares ?? 0;
+  const members = Object.keys(vault.value?.emergencyKeyShares ?? {}).length;
+  return required >= members;
+});
+
+const councilMemberCount = computed(() =>
+  Object.keys(vault.value?.emergencyKeyShares ?? {}).length
+);
+
+const requiredGreaterThanMembers = computed(() =>
+  (vault.value?.requiredEmergencyKeyShares ?? 0) > councilMemberCount.value
+);
+
 async function loadVaultFormat8Keys(vaultKeyJwe: string): Promise<VaultFormat8> {
   const userKeys = await userdata.decryptUserKeysWithBrowser();
   return VaultFormat8.decryptWithUserKey(vaultKeyJwe, userKeys);
@@ -387,13 +464,13 @@ async function reloadMembersRequiringAccessGrant() {
 }
 
 async function addAuthority(authority: AuthorityDto) {
-  onAddUserError.value = null;
+  onAddUserError.value = undefined;
 
   try {
     await addAuthorityBackend(authority);
     const addedMember: MemberDto = {
       ...authority,
-      role: 'MEMBER'
+      vaultRole: 'MEMBER'
     };
     members.value[authority.id] = addedMember;
     membersRequiringAccessGrant.value = await backend.vaults.getUsersRequiringAccessGrant(props.vaultId);
@@ -437,10 +514,12 @@ function showEditVaultMetadataDialog() {
   nextTick(() => editVaultMetadataDialog.value?.show());
 }
 
-function showDownloadVaultTemplateDialog() {
-  downloadingVaultTemplate.value = true;
-  nextTick(() => downloadVaultTemplateDialog.value?.show());
-}
+// / start katta modification
+//function showDownloadVaultTemplateDialog() {
+//  downloadingVaultTemplate.value = true;
+//  nextTick(() => downloadVaultTemplateDialog.value?.show());
+//}
+// \ end katta modification -->
 
 function showDisplayRecoveryKeyDialog() {
   displayingRecoveryKey.value = true;
@@ -450,6 +529,11 @@ function showDisplayRecoveryKeyDialog() {
   nextTick(() => displayRecoveryKeyDialog.value?.show(recoveryKey));
 }
 
+function showGrantEmergencyAccessDialog() {
+  grantingEmergencyAccess.value = true;
+  nextTick(() => grantEmergencyAccessDialog.value?.show?.());
+}
+
 function showArchiveVaultDialog() {
   archivingVault.value = true;
   nextTick(() => archiveVaultDialog.value?.show());
@@ -502,11 +586,11 @@ async function updateMemberRole(member: MemberDto, role: VaultRole) {
     }
     const updatedMember = members.value[member.id];
     if (updatedMember) {
-      updatedMember.role = role;
+      updatedMember.vaultRole = role;
     }
     if (uvfVault.value && member.type == 'USER' && member.ecdhPublicKey) {
       const includeOwnerKeys = role == 'OWNER';
-      const updatedAccessToken = await uvfVault.value.encryptForUser(base64.parse(member.ecdhPublicKey), includeOwnerKeys);
+      const updatedAccessToken = await uvfVault.value.encryptForUser(base64.decode(member.ecdhPublicKey) as Uint8Array<ArrayBuffer>, includeOwnerKeys);
       await backend.vaults.grantAccess(props.vaultId, { userId: member.id, token: updatedAccessToken });
     }
   } catch (error) {
diff --git a/frontend/src/components/VaultList.vue b/frontend/src/components/VaultList.vue
index f01a7381d..fd0c718f4 100644
--- a/frontend/src/components/VaultList.vue
+++ b/frontend/src/components/VaultList.vue
@@ -1,6 +1,6 @@
 <template>
-  <div v-if="vaults == null">
-    <div v-if="onFetchError == null">
+  <div v-if="!vaults">
+    <div v-if="!onFetchError">
       {{ t('common.loading') }}
     </div>
     <div v-else>
@@ -8,9 +8,17 @@
     </div>
   </div>
 
-  <LicenseAlert v-if="isLicenseViolated && isAdmin != undefined && licenseStatus" :is-admin="isAdmin" :license-status="licenseStatus" />
+  <LicenseAlert v-if="isLicenseViolated && licenseStatus" :is-admin="isAdmin" :license-status="licenseStatus" />
 
-  <h2 class="text-2xl font-bold leading-7 text-gray-900 sm:text-3xl sm:truncate">
+  <ContentBanner v-if="anyUserHasLegacyDevices" type="warning" :title="t('legacyDeviceBanner.title')" class="mb-4">
+    {{ t('legacyDeviceBanner.admin.description') }}
+  </ContentBanner>
+
+  <ContentBanner v-else-if="hasLegacyDevices" type="warning" :title="t('legacyDeviceBanner.title')" class="mb-4">
+    {{ t('legacyDeviceBanner.user.description') }}
+  </ContentBanner>
+
+  <h2 class="text-2xl font-bold leading-9 text-gray-900 sm:text-3xl sm:truncate">
     {{ t('vaultList.title') }}
   </h2>
 
@@ -69,9 +77,16 @@
         </MenuItems>
       </transition>
     </Menu>
+
+    <!-- / start katta extension -->
+    <button type="button" class="inline-flex items-center px-4 py-2 border border-transparent rounded-md shadow-sm text-sm font-medium text-white bg-primary hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="openBookmark()">
+      <ArrowTopRightOnSquareIcon class="-ml-1 mr-2 h-5 w-5" aria-hidden="true" />
+      {{ t('vaultList.openInKatta') }}
+    </button>
+    <!-- \ end katta extension -->
   </div>
 
-  <div v-if="filteredVaults != null && filteredVaults.length > 0" class="mt-5 bg-white shadow-sm overflow-hidden rounded-md">
+  <div v-if="filteredVaults && filteredVaults.length > 0" class="mt-5 bg-white shadow-sm rounded-md">
     <ul class="divide-y divide-gray-200">
       <li v-for="(vault, index) in filteredVaults" :key="vault.masterkey">
         <a tabindex="0" class="block hover:bg-gray-50" :class="{'ring-2 ring-inset ring-primary': selectedVault == vault, 'rounded-t-md': index == 0, 'rounded-b-md': index == filteredVaults.length - 1}" @click="showVaultDetails(vault)">
@@ -83,6 +98,25 @@
                 <div v-if="vault.archived" class="inline-flex items-center rounded-md bg-yellow-400/10 px-2 py-1 text-xs font-medium text-yellow-500 ring-1 ring-inset ring-yellow-400/20">{{ t('vaultList.badge.archived') }}</div>
               </div>
               <p v-if="vault.description && vault.description.length > 0" class="truncate text-sm text-gray-500 mt-2">{{ vault.description }}</p>
+              <!-- / start katta extension -->
+              <p v-if="showVaultIDs && (vault.id.length > 0)" class="truncate text-sm text-gray-500 mt-2">{{ vault.id }}</p>
+              <!-- \ end katta extension -->
+            </div>
+            <div v-if="ownedVaults?.some(ownedVault => ownedVault.id == vault.id) && !isCommunityLicense && settings?.enableEmergencyAccess">
+              <EmergencyBadge
+                v-if="settings && settings.defaultMinMembers > emergencyAccessMembers(vault).length"
+                type="insufficientCouncilMembers"
+                :title="t('emergencyAccess.badge.insufficientCouncilMembers.title')"
+                :message="t('emergencyAccess.badge.insufficientCouncilMembers.message', [settings.defaultMinMembers])"
+                position="right"
+              />
+              <EmergencyBadge
+                v-else-if="vault.requiredEmergencyKeyShares > emergencyAccessMembers(vault).length"
+                type="broken"
+                :title="t('emergencyAccess.badge.broken.title')"
+                :message="t('emergencyAccess.badge.broken.message')"
+                position="right"
+              />
             </div>
             <div class="ml-5 shrink-0">
               <ChevronRightIcon class="h-5 w-5 text-gray-400" aria-hidden="true" />
@@ -93,7 +127,7 @@
     </ul>
   </div>
 
-  <div v-else-if="query === '' && filteredVaults != null && filteredVaults.length == 0" class="mt-3 text-center">
+  <div v-else-if="query === '' && filteredVaults && filteredVaults.length == 0" class="mt-3 text-center">
     <svg xmlns="http://www.w3.org/2000/svg" class="mx-auto h-12 w-12 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
       <path vector-effect="non-scaling-stroke" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 10.5v6m3-3H9m4.06-7.19l-2.12-2.12a1.5 1.5 0 00-1.061-.44H4.5A2.25 2.25 0 002.25 6v12a2.25 2.25 0 002.25 2.25h15A2.25 2.25 0 0021.75 18V9a2.25 2.25 0 00-2.25-2.25h-5.379a1.5 1.5 0 01-1.06-.44z" />
     </svg>
@@ -101,7 +135,7 @@
     <p v-if="canCreateVaults" class="mt-1 text-sm text-gray-500">{{ t('vaultList.empty.description') }}</p>
   </div>
 
-  <div v-else-if="query !== '' && filteredVaults != null && filteredVaults.length == 0" class="mt-3 text-center">
+  <div v-else-if="query !== '' && filteredVaults && filteredVaults.length == 0" class="mt-3 text-center">
     <svg xmlns="http://www.w3.org/2000/svg" class="mx-auto h-12 w-12 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
       <path vector-effect="non-scaling-stroke" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M15.75 15.75l-2.489-2.489m0 0a3.375 3.375 0 10-4.773-4.773 3.375 3.375 0 004.774 4.774zM21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
     </svg>
@@ -109,33 +143,39 @@
     <p class="mt-1 text-sm text-gray-500">{{ t('vaultList.filter.result.empty.description') }}</p>
   </div>
 
-  <SlideOver v-if="selectedVault != null" ref="vaultDetailsSlideOver" :title="selectedVault.name" @close="selectedVault = null">
-    <VaultDetails :vault-id="selectedVault.id" :vault-role="roleOfSelectedVault" @vault-updated="v => onSelectedVaultUpdate(v)" @license-status-updated="l => licenseUpdated(l)"></VaultDetails>
+  <SlideOver v-if="selectedVault" ref="vaultDetailsSlideOver" :title="selectedVault.name" @close="selectedVault = undefined">
+    <VaultDetails :vault-id="selectedVault.id" :vault-role="roleOfSelectedVault" :is-admin="isAdmin" @vault-updated="v => onSelectedVaultUpdate(v)" @license-status-updated="l => licenseUpdated(l)"></VaultDetails>
   </SlideOver>
 </template>
 
 <script setup lang="ts">
 import { Listbox, ListboxButton, ListboxOption, ListboxOptions, Menu, MenuButton, MenuItem, MenuItems } from '@headlessui/vue';
-import { ArrowPathIcon, ChevronDownIcon, PlusIcon } from '@heroicons/vue/20/solid';
-import { CheckIcon, ChevronRightIcon, ChevronUpDownIcon } from '@heroicons/vue/24/solid';
+import { ArrowPathIcon, ArrowTopRightOnSquareIcon, ChevronDownIcon, PlusIcon } from '@heroicons/vue/20/solid';
+import { CheckIcon, ChevronRightIcon, ChevronUpDownIcon, ExclamationTriangleIcon } from '@heroicons/vue/24/solid';
 import { computed, nextTick, onMounted, ref, watch } from 'vue';
 import { useI18n } from 'vue-i18n';
 import auth from '../common/auth';
-import backend, { LicenseUserInfoDto, VaultDto, VaultRole } from '../common/backend';
+import backend, { LicenseUserInfoDto, SettingsDto, UserDto, VaultDto, VaultRole } from '../common/backend';
+import userdata from '../common/userdata';
 import FetchError from './FetchError.vue';
 import LicenseAlert from './LicenseAlert.vue';
+import ContentBanner from './ContentBanner.vue';
 import SlideOver from './SlideOver.vue';
 import VaultDetails from './VaultDetails.vue';
+import EmergencyBadge from './emergencyaccess/EmergencyBadge.vue';
 
 const { t } = useI18n({ useScope: 'global' });
 
+const me = ref<UserDto>();
+
 const vaultDetailsSlideOver = ref<typeof SlideOver>();
-const onFetchError = ref<Error | null>();
+const onFetchError = ref<Error>();
 
 const vaults = ref<VaultDto[]>();
+const settings = ref<SettingsDto>();
 const accessibleVaults = ref<VaultDto[]>();
 const ownedVaults = ref<VaultDto[]>();
-const selectedVault = ref<VaultDto | null>(null);
+const selectedVault = ref<VaultDto>();
 
 const roleOfSelectedVault = computed<VaultRole | 'NONE'>(() => {
   if (ownedVaults.value?.some(ownedVault => ownedVault.id == selectedVault.value?.id)) {
@@ -149,6 +189,8 @@ const roleOfSelectedVault = computed<VaultRole | 'NONE'>(() => {
 
 const isAdmin = ref<boolean>(false);
 const canCreateVaults = ref<boolean>(false);
+const hasLegacyDevices = ref<boolean>(false);
+const anyUserHasLegacyDevices = ref<boolean>(false);
 const licenseStatus = ref<LicenseUserInfoDto>();
 const isLicenseViolated = computed(() => {
   if (licenseStatus.value) {
@@ -158,6 +200,10 @@ const isLicenseViolated = computed(() => {
   }
 });
 
+const isCommunityLicense = computed(() => {
+  return !licenseStatus.value?.expiresAt;
+});
+
 const filterOptions = ref< {[key: string]: string} >({
   accessibleVaults: t('vaultList.filter.entry.accessibleVaults'),
   ownedVaults: t('vaultList.filter.entry.ownedVaults')
@@ -176,13 +222,19 @@ const filteredVaults = computed(() =>
 onMounted(fetchData);
 
 async function fetchData() {
-  onFetchError.value = null;
+  onFetchError.value = undefined;
   try {
+    me.value = await userdata.me;
     isAdmin.value = (await auth).hasRole('admin');
+    const meWithLegacy = await userdata.meWithLegacyDevicesAndLastAccess;
+    hasLegacyDevices.value = (meWithLegacy.devices?.length ?? 0) > 0;
     canCreateVaults.value = (await auth).hasRole('create-vaults');
 
+    settings.value = await backend.settings.get();
+
     if (isAdmin.value) {
       filterOptions.value['allVaults'] = t('vaultList.filter.entry.allVaults');
+      anyUserHasLegacyDevices.value = await backend.devices.hasLegacyDevices();
     }
     accessibleVaults.value = (await backend.vaults.listAccessible()).filter(v => !v.archived).sort((a, b) => a.name.localeCompare(b.name));
     ownedVaults.value = (await backend.vaults.listAccessible('OWNER')).sort((a, b) => a.name.localeCompare(b.name));
@@ -211,9 +263,13 @@ function showVaultDetails(vault: VaultDto) {
   nextTick(() => vaultDetailsSlideOver.value?.show());
 }
 
+function emergencyAccessMembers(vault: VaultDto): string[] {
+  return Object.keys(vault.emergencyKeyShares);
+}
+
 async function onSelectedVaultUpdate(vault: VaultDto) {
   await fetchData();
-  if (vaults.value == null || vault.id !== selectedVault.value?.id) {
+  if (vaults.value === undefined || vault.id !== selectedVault.value?.id) {
     return;
   }
   const index = vaults.value?.findIndex(v => v.id === vault.id);
@@ -227,4 +283,16 @@ async function onSelectedVaultUpdate(vault: VaultDto) {
 async function licenseUpdated(license: LicenseUserInfoDto) {
   licenseStatus.value = license;
 }
+
+// / start katta extension
+import { showVaultIDs } from '../common/settings';
+import { baseURL } from '../common/config';
+async function openBookmark() {
+  try {
+    window.location.href = `katta://${new URL(location.origin).host}${baseURL}`;
+  } catch (error) {
+    console.error('Opening bookmark from browser failed.', error);
+  }
+}
+// \ end katta extension
 </script>
diff --git a/frontend/src/components/authority/GroupAddMemberDialog.vue b/frontend/src/components/authority/GroupAddMemberDialog.vue
new file mode 100644
index 000000000..cc00bd62f
--- /dev/null
+++ b/frontend/src/components/authority/GroupAddMemberDialog.vue
@@ -0,0 +1,138 @@
+<template>
+  <TransitionRoot as="template" :show="open">
+    <Dialog as="div" class="fixed inset-0 z-10 overflow-y-auto" @close="open = false">
+      <TransitionChild as="template" enter="ease-out duration-300" enter-from="opacity-0" enter-to="opacity-100" leave="ease-in  duration-200" leave-from="opacity-100" leave-to="opacity-0">
+        <DialogOverlay class="fixed inset-0 bg-gray-500/75" @click.stop />
+      </TransitionChild>
+      <div class="flex min-h-full items-end justify-center p-4 sm:items-center sm:p-0">
+        <TransitionChild as="template" enter="ease-out duration-300" enter-from="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95" enter-to="opacity-100 translate-y-0 sm:scale-100" leave="ease-in duration-200" leave-from="opacity-100 translate-y-0 sm:scale-100" leave-to="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95">
+          <DialogPanel class="relative flex w-full h-[32rem] transform flex-col overflow-hidden rounded-lg bg-white shadow-xl transition-all sm:my-8 sm:max-w-lg">
+            <form novalidate class="flex flex-1 min-h-0 flex-col p-4" @submit.prevent="onSubmit">
+              <div class="flex flex-1 min-h-0 flex-col overflow-hidden bg-white p-1 mb-4">
+                <DialogTitle class="text-lg font-medium text-gray-900">
+                  {{ t('group.addMembers.title') }}
+                </DialogTitle>
+                <div class="flex flex-col p-1 mt-4">
+                  <SearchInputGroup :action-title="t('common.add')" :place-holder="t('group.addMembers.searchLabel')" :on-search="searchUser" @action="addUser" />
+                  <p v-if="onAddUserError" class="mt-1 text-sm text-red-900 text-right">
+                    {{ t('common.unexpectedError', [onAddUserError.message]) }}
+                  </p>
+                </div>
+                <div ref="scrollContainer" class="mt-4 flex flex-1 min-h-0 flex-col overflow-y-auto">
+                  <TransitionGroup tag="ul" class="flex-1 min-h-0 divide-y divide-gray-200" enter-active-class="transition-all duration-250 ease-out" enter-from-class="bg-green-50 opacity-0 scale-95" enter-to-class="bg-white opacity-100 scale-100" leave-active-class="transition-all duration-250 ease-in" leave-from-class="bg-white opacity-100 scale-100" leave-to-class="bg-red-50 opacity-0 scale-95">
+                    <li v-for="member in sortedNewMembers" :key="member.id" class="flex flex-col py-2 border-b border-gray-200 border-l-4 border-transparent mx-1 last:border-b-0 transform transition">
+                      <div class="flex items-center justify-between">
+                        <div class="flex items-center w-full" :title="member.name">
+                          <img :src="member.pictureUrl" class="w-8 h-8 rounded-full border border-gray-300 object-cover" alt="user icon" />
+                          <p class="ml-4 text-sm font-medium truncate">
+                            {{ member.name }}
+                          </p>
+                        </div>
+                        <button type="button" class="cursor-pointer text-red-600 hover:text-red-900" :title="t('common.remove')" @click="removeTempMember(member.id)">{{ t('common.remove') }}</button>
+                      </div>
+                    </li>
+                  </TransitionGroup>
+                </div>
+              </div>
+              <div class="flex-shrink-0 bg-gray-50 -m-4 py-3 px-6 sm:flex sm:flex-row-reverse sm:space-x-4 sm:space-x-reverse">
+                <button type="submit" :disabled="isSaving" class="w-full sm:w-auto inline-flex justify-center rounded-md border border-transparent shadow-sm px-4 py-2 bg-primary text-base font-medium text-white hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary disabled:opacity-50 disabled:cursor-not-allowed">
+                  {{ t('common.save') }}
+                </button>
+                <button type="button" :disabled="isSaving" class="mt-3 sm:mt-0 w-full sm:w-auto inline-flex justify-center rounded-md border border-gray-300 shadow-sm px-4 py-2 bg-white text-base font-medium text-gray-700 hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary disabled:opacity-50 disabled:cursor-not-allowed" @click="open = false">
+                  {{ t('common.cancel') }}
+                </button>
+                <span class="mt-3 sm:mt-0 flex items-center text-sm text-gray-600 sm:mr-auto">
+                  {{ selectedCount }} {{ t('group.addMembers.selectedUser') }}
+                </span>
+              </div>
+            </form>
+          </DialogPanel>
+        </TransitionChild>
+      </div>
+    </Dialog>
+  </TransitionRoot>
+</template>
+
+<script setup lang="ts">
+import { Dialog, DialogOverlay, DialogPanel, DialogTitle, TransitionChild, TransitionRoot } from '@headlessui/vue';
+import { ref, computed } from 'vue';
+import { useI18n } from 'vue-i18n';
+import SearchInputGroup from '../SearchInputGroup.vue';
+import backend, { AuthorityDto, UserDto } from '../../common/backend';
+
+const props = defineProps<{ groupId: string; members: AuthorityDto[] }>();
+const emit  = defineEmits<{ saved: [added: AuthorityDto[]] }>();
+
+const { t } = useI18n({ useScope: 'global' });
+const open = ref(false);
+const newMembers = ref<AuthorityDto[]>([]);
+const onAddUserError = ref<Error>();
+const isSaving = ref(false);
+
+const selectedCount = computed(() => newMembers.value.length);
+const sortedNewMembers = computed(() => [...newMembers.value].reverse());
+
+function isKnown(id: string) {
+  return props.members.some(u => u.id === id);
+}
+
+async function searchUser(query: string): Promise<UserDto[]> {
+  if (!query.trim()) return [];
+
+  try {
+    const results = await backend.authorities.search(query);
+    // Filter to only users (not groups) and exclude existing members
+    return results
+      .filter((a): a is UserDto => a.type === 'USER')
+      .filter(u => !isKnown(u.id) && !newMembers.value.some(n => n.id === u.id))
+      .sort((a, b) => a.name.localeCompare(b.name, undefined, { sensitivity: 'base' }));
+  } catch (error) {
+    console.error('Search failed:', error);
+    return [];
+  }
+}
+
+function addUser(user: UserDto) {
+  try {
+    if (isKnown(user.id) || newMembers.value.some(u => u.id === user.id)) {
+      return;
+    }
+    newMembers.value.push(user);
+  } catch (e) { onAddUserError.value = e as Error; }
+}
+
+function removeTempMember(id: string) {
+  newMembers.value = newMembers.value.filter(u => u.id !== id);
+}
+
+async function onSubmit() {
+  if (newMembers.value.length === 0) {
+    open.value = false;
+    return;
+  }
+
+  isSaving.value = true;
+  onAddUserError.value = undefined;
+
+  try {
+    // Add each member to the group via API
+    for (const member of newMembers.value) {
+      await backend.groups.addMember(props.groupId, member.id);
+    }
+    emit('saved', [...newMembers.value]);
+    open.value = false;
+  } catch (error) {
+    console.error('Adding members failed:', error);
+    onAddUserError.value = error instanceof Error ? error : new Error('Unknown Error');
+  } finally {
+    isSaving.value = false;
+  }
+}
+
+function show() {
+  newMembers.value = [];
+  open.value = true;
+}
+
+defineExpose({ show });
+</script>
\ No newline at end of file
diff --git a/frontend/src/components/authority/GroupDeleteDialog.vue b/frontend/src/components/authority/GroupDeleteDialog.vue
new file mode 100644
index 000000000..e78532f91
--- /dev/null
+++ b/frontend/src/components/authority/GroupDeleteDialog.vue
@@ -0,0 +1,94 @@
+<template>
+  <TransitionRoot as="template" :show="open" @after-leave="$emit('close')">
+    <Dialog as="div" class="fixed z-10 inset-0 overflow-y-auto" @close="open = false">
+      <TransitionChild as="template" enter="ease-out duration-300" enter-from="opacity-0" enter-to="opacity-100" leave="ease-in duration-200" leave-from="opacity-100" leave-to="opacity-0">
+        <DialogOverlay class="fixed inset-0 bg-gray-500/75 transition-opacity" />
+      </TransitionChild>
+  
+      <div class="fixed inset-0 z-10 overflow-y-auto">
+        <div class="flex min-h-full items-end justify-center p-4 text-center sm:items-center sm:p-0">
+          <TransitionChild as="template" enter="ease-out duration-300" enter-from="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95" enter-to="opacity-100 translate-y-0 sm:scale-100" leave="ease-in duration-200" leave-from="opacity-100 translate-y-0 sm:scale-100" leave-to="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95">
+            <DialogPanel class="relative transform overflow-hidden rounded-lg bg-white text-left shadow-xl transition-all sm:my-8 sm:w-full sm:max-w-lg">
+              <form novalidate @submit.prevent="deleteGroup">
+                <div class="bg-white px-4 pt-5 pb-4 sm:p-6 sm:pb-4">
+                  <div class="sm:flex sm:items-start">
+                    <div class="mx-auto shrink-0 flex items-center justify-center h-12 w-12 rounded-full bg-red-100 sm:mx-0 sm:h-10 sm:w-10">
+                      <ExclamationTriangleIcon class="h-6 w-6 text-red-600" aria-hidden="true" />
+                    </div>
+                    <div class="mt-3 grow text-center sm:mt-0 sm:ml-4 sm:text-left">
+                      <DialogTitle as="h3" class="text-lg leading-6 font-medium text-gray-900">
+                        {{ t('deleteGroupDialog.title') }}
+                      </DialogTitle>
+                      <div class="mt-2">
+                        <p class="text-sm text-gray-500">
+                          {{ t('deleteGroupDialog.description') }}
+                        </p>
+                      </div>
+                      <div class="mt-4 hidden sm:flex items-center gap-2">
+                        <img :src="group.pictureUrl" class="w-8 h-8 rounded-full border" />
+                        <span class="font-medium text-sm">{{ group.name }}</span>
+                      </div>
+                    </div>
+                  </div>
+                </div>
+                <div class="bg-gray-50 px-4 py-3 sm:px-6 sm:flex sm:flex-row-reverse">
+                  <button type="submit" class="w-full inline-flex justify-center rounded-md border border-transparent shadow-xs px-4 py-2 bg-red-600 text-base font-medium text-white hover:bg-red-700 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-red-500 sm:ml-3 sm:w-auto sm:text-sm">
+                    {{ t('deleteGroupDialog.confirm') }}
+                  </button>
+                  <button type="button" class="mt-3 w-full inline-flex justify-center rounded-md border border-gray-300 shadow-xs px-4 py-2 bg-white text-base font-medium text-gray-700 hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:mt-0 sm:ml-3 sm:w-auto sm:text-sm" @click="open = false">
+                    {{ t('common.cancel') }}
+                  </button>
+                </div>
+                <p v-if="onDeleteGroupError != null" class="text-sm text-red-900 px-4 sm:px-6 text-right bg-red-50">
+                  {{ t('common.unexpectedError', [onDeleteGroupError.message]) }}
+                </p>
+              </form>
+            </DialogPanel>
+          </TransitionChild>
+        </div>
+      </div>
+    </Dialog>
+  </TransitionRoot>
+</template>
+  
+<script setup lang="ts">
+import { Dialog, DialogOverlay, DialogPanel, DialogTitle, TransitionChild, TransitionRoot } from '@headlessui/vue';
+import { ExclamationTriangleIcon } from '@heroicons/vue/24/outline';
+import { ref } from 'vue';
+import { useI18n } from 'vue-i18n';
+import backend, { GroupDto } from '../../common/backend';
+  
+const { t } = useI18n({ useScope: 'global' });
+  
+const open = ref(false);
+const onDeleteGroupError = ref<Error | null>(null);
+  
+const props = defineProps<{
+    group: GroupDto;
+  }>();
+  
+const emit = defineEmits<{
+    close: [];
+    delete: [deletedGroupId: string];
+  }>();
+
+defineExpose({
+  show
+});
+
+function show() {
+  open.value = true;
+}
+
+async function deleteGroup() {
+  onDeleteGroupError.value = null;
+  try {
+    await backend.groups.removeGroup(props.group.id);
+    emit('delete', props.group.id);
+    open.value = false;
+  } catch (error) {
+    console.error('Deleting group failed.', error);
+    onDeleteGroupError.value = error instanceof Error ? error : new Error('Unknown Error');
+  }
+}
+</script>
diff --git a/frontend/src/components/authority/GroupDetail.vue b/frontend/src/components/authority/GroupDetail.vue
new file mode 100644
index 000000000..585745d28
--- /dev/null
+++ b/frontend/src/components/authority/GroupDetail.vue
@@ -0,0 +1,134 @@
+<template>
+  <div v-if="loading" class="text-center p-8 text-gray-500 text-sm">
+    {{ t('common.loading') }}
+  </div>
+  <FetchError v-else-if="fetchError" :error="fetchError" :retry="fetchGroup" />
+  <div v-else>
+    <BreadcrumbNav :crumbs="[ { label: t('nav.groups'), to: '/app/groups' }, { label: group.name } ]"/>
+    <div class="flex flex-row items-center justify-between gap-3 pb-1 w-full border-b border-gray-200 mb-2">
+      <!-- Headline -->
+      <h2 id="title" class="text-2xl font-bold leading-7 text-gray-900 sm:text-3xl mb-4">
+        {{ t('group.detail.info') }}
+      </h2>
+
+      <div class="flex gap-3 items-center -mt-4">
+        <!-- Edit-Button -->
+        <button class="w-full bg-primary py-2 px-4 border border-transparent rounded-md shadow-xs text-sm font-medium text-white hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showGroupEdit">
+          {{ t('common.edit') }}
+        </button>
+
+        <!-- Menu -->
+        <Menu as="div" class="relative inline-block text-left">
+          <MenuButton class="group p-1 focus:outline-hidden focus:ring-2 focus:ring-primary focus:ring-offset-2">
+            <span class="sr-only">Open options menu</span>
+            <EllipsisVerticalIcon class="h-5 w-5 text-gray-400 group-hover:text-gray-500" aria-hidden="true" />
+          </MenuButton>
+
+          <transition enter-active-class="transition ease-out duration-100" enter-from-class="transform opacity-0 translate-y-1 scale-95" enter-to-class="transform opacity-100 translate-y-0 scale-100" leave-active-class="transition ease-in duration-75" leave-from-class="transform opacity-100 translate-y-0 scale-100" leave-to-class="transform opacity-0 translate-y-1 scale-95">
+            <MenuItems class="absolute right-0 mt-2 z-10 w-48 origin-top-right rounded-md bg-white shadow-lg ring-1 ring-black/5 focus:outline-hidden">
+              <div class="py-1">
+                <MenuItem v-slot="{ active }">
+                  <div :class="[ active ? 'bg-gray-100 text-red-900' : 'text-red-700', 'cursor-pointer block px-4 py-2 text-sm']" @click="showDeleteGroupDialog(group)">
+                    {{ t('common.remove') }}
+                  </div>
+                </MenuItem>
+              </div>
+            </MenuItems>
+          </transition>
+        </Menu>
+      </div>
+    </div>
+    <div class="hidden lg:grid grid-cols-1 lg:grid-cols-2 gap-6 items-start pt-3">
+      <section class="lg:col-start-1 grid gap-6">
+        <!-- Group Info -->
+        <GroupInfo :group="group"/>
+        <!-- Vaults -->
+        <VaultList :vaults="group.vaults" :page-size="10" :visible="true"/>
+      </section>
+      <section class="lg:col-start-2 grid gap-6">
+        <!-- Members -->
+        <GroupMemberList v-model:members="group.members" :group="group" :page-size="10" :on-saved="onMembersSaved" />
+      </section>
+    </div>
+    <div class="grid lg:hidden grid-cols-1 gap-6 items-start pt-3">
+      <!-- Group Info -->
+      <GroupInfo :group="group"/>
+      <!-- Members -->
+      <GroupMemberList v-model:members="group.members" :group="group" :page-size="10" :on-saved="onMembersSaved" />
+      <!-- Vaults -->
+      <VaultList :vaults="group.vaults" :page-size="10" :visible="true"/>
+    </div>
+  </div>
+  <!-- Delete Dialog -->
+  <GroupDeleteDialog v-if="deletingGroup" ref="deleteGroupDialog" :group="deletingGroup" @close="deletingGroup = undefined" @delete="onGroupDeleted"/>
+</template>
+
+<script setup lang="ts">
+import { Menu, MenuButton, MenuItem, MenuItems } from '@headlessui/vue';
+import { EllipsisVerticalIcon } from '@heroicons/vue/20/solid';
+import { nextTick, onMounted, ref } from 'vue';
+import { useI18n } from 'vue-i18n';
+import { useRouter } from 'vue-router';
+import backend, { AuthorityDto, GroupDto, GroupDtoWithDetails } from '../../common/backend';
+import BreadcrumbNav from '../BreadcrumbNav.vue';
+import FetchError from '../FetchError.vue';
+import GroupDeleteDialog from './GroupDeleteDialog.vue';
+import GroupInfo from './GroupInfo.vue';
+import GroupMemberList from './GroupMemberList.vue';
+import VaultList from './VaultList.vue';
+
+const router = useRouter();
+
+const deletingGroup = ref<GroupDto>();
+
+function showDeleteGroupDialog(grp: GroupDtoWithDetails) {
+  deletingGroup.value = grp;
+  nextTick(() => deleteGroupDialog.value?.show());
+}
+
+const deleteGroupDialog = ref<typeof GroupDeleteDialog>();
+
+function showGroupEdit() {
+  router.push(`/app/groups/${group.value.id}/edit`);
+}
+
+function onGroupDeleted() {
+  router.push('/app/groups');
+}
+
+const props = defineProps<{ id: string }>();
+const { t } = useI18n({ useScope: 'global' });
+
+const group = ref<GroupDtoWithDetails>({
+  type: 'GROUP',
+  id: props.id,
+  name: '',
+  pictureUrl: undefined,
+  members: [],
+  vaults: []
+});
+
+function onMembersSaved(newMembers: AuthorityDto[]) {
+  const ids = new Set(group.value.members.map(u => u.id));
+  newMembers.forEach(u => { if (!ids.has(u.id)) group.value.members.push(u); });
+  group.value.members.sort((a, b) => a.name.localeCompare(b.name, undefined, { sensitivity: 'base' }));
+}
+
+const loading = ref(true);
+const fetchError = ref<Error | null>(null);
+
+async function fetchGroup() {
+  loading.value = true;
+  fetchError.value = null;
+  try {
+    group.value = await backend.groups.getGroup(props.id);
+  } catch (error) {
+    console.error('Failed to fetch group:', error);
+    fetchError.value = error instanceof Error ? error : new Error('Unknown error');
+  } finally {
+    loading.value = false;
+  }
+}
+
+onMounted(fetchGroup);
+</script>
\ No newline at end of file
diff --git a/frontend/src/components/authority/GroupEditCreate.vue b/frontend/src/components/authority/GroupEditCreate.vue
new file mode 100644
index 000000000..7ecdc1bdd
--- /dev/null
+++ b/frontend/src/components/authority/GroupEditCreate.vue
@@ -0,0 +1,212 @@
+<template>
+  <!-- Loading placeholder -->
+  <div v-if="onFetchError">
+    <FetchError :error="onFetchError"/>
+  </div>
+  <div v-else-if="loading" class="text-center py-10">
+    {{ t('common.loading') }}
+  </div>
+
+  <!-- Edit/Create page -->
+  <div v-else>
+    <BreadcrumbNav v-if="props.mode === 'EDIT'" :crumbs="[ { label: t('nav.groups'), to: '/app/groups' }, { label: data.name, to:'/app/groups/' + props.id }, { label: t('common.edit') } ]"/>
+    <BreadcrumbNav v-else :crumbs="[ { label: t('nav.groups'), to: '/app/groups' }, { label: t('common.create') } ]"/>
+    <div class="-my-2 -mx-4 sm:-mx-6 lg:-mx-8 overflow-hidden">
+      <div class="py-2 align-middle inline-block min-w-full px-4 sm:px-6 lg:px-8">
+        <div class="shadow overflow-hidden border-b border-gray-200 rounded-lg bg-white p-6 space-y-8">
+          <div>
+            <h3 class="text-lg font-medium leading-6 text-gray-900">
+              {{ props.mode === 'EDIT' ? t('groupEditCreate.title.edit') : t('groupEditCreate.title.create') }}
+            </h3>
+            <hr class="my-4 border-gray-200"/>
+          </div>
+
+          <!-- Profile Picture Preview -->
+          <div class="flex flex-col items-center gap-4 mb-8">
+            <div class="relative w-32 h-32">
+              <img v-if="isValidImageUrl" :src="data.pictureUrl" class="w-full h-full rounded-full object-cover border border-gray-300" :alt="t('groupEditCreate.profilePicture')" />
+              <img v-else-if="previewJdenticon" :src="previewJdenticon" class="w-full h-full rounded-full object-cover border border-gray-300"/>
+              <div v-else class="w-full h-full rounded-full bg-gray-100 flex items-center justify-center text-gray-400">
+                <UserGroupIcon class="w-12 h-12" />
+              </div>
+            </div>
+          </div>
+
+          <!-- Form -->
+          <form class="space-y-6 md:space-y-8" novalidate @submit.prevent="onSubmit">
+            <!-- Profile Picture URL row -->
+            <div class="md:grid md:grid-cols-3 md:gap-6">
+              <label for="pictureUrl" class="block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">
+                {{ t('groupEditCreate.profilePictureUrl') }}
+              </label>
+              <div class="mt-1 md:mt-0 md:col-span-2 lg:col-span-1">
+                <div class="relative">
+                  <input id="pictureUrl" v-model="data.pictureUrl" type="url" :class="[errors.pictureUrl ? 'border-red-300 focus:border-red-500 focus:ring-red-500' : 'border-gray-300 focus:ring-primary focus:border-primary', 'block w-full max-w-md shadow-sm sm:text-sm rounded-md pr-10']"/>
+                  <button v-if="data.pictureUrl" type="button" class="absolute inset-y-0 right-0 flex items-center px-3 text-gray-400 hover:text-gray-600 focus:outline-none" :aria-label="t('groupEditCreate.removePicture')" @click="removePicture">
+                    <TrashIcon class="w-5 h-5 text-gray-600" />
+                  </button>
+                </div>
+                <p v-if="errors.pictureUrl" class="mt-1 text-sm text-red-600">{{ errors.pictureUrl }}</p>
+              </div>
+            </div>
+
+            <!-- Name row -->
+            <div class="md:grid md:grid-cols-3 md:gap-6">
+              <label for="name" class="block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">
+                {{ t('groupEditCreate.name') }}
+              </label>
+              <div class="mt-1 md:mt-0 md:col-span-2 lg:col-span-1">
+                <input id="name" v-model="data.name" type="text" :class="[errors.name ? 'border-red-300 focus:border-red-500 focus:ring-red-500' : 'border-gray-300 focus:ring-primary focus:border-primary', 'block w-full max-w-md shadow-sm sm:text-sm rounded-md']" required />
+                <p v-if="errors.name" class="mt-1 text-sm text-red-600">{{ errors.name }}</p>
+              </div>
+            </div>
+
+            <!-- Actions -->
+            <div class="md:grid md:grid-cols-3 md:gap-6">
+              <div></div>
+              <div class="mt-1 md:mt-0 md:col-span-2 lg:col-span-1">
+                <div class="flex space-x-3">
+                  <button type="button" class="inline-flex justify-center py-2 px-4 border border-gray-300 shadow-sm text-sm font-medium rounded-md bg-white text-gray-700 hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="cancelAction">
+                    {{ t('common.cancel') }}
+                  </button>
+                  <button type="submit" :disabled="processing || !groupDataHasUnsavedChanges" class="inline-flex justify-center py-2 px-4 border border-transparent shadow-sm text-sm font-medium rounded-md text-white bg-primary hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed">
+                    <span>{{ props.mode === 'EDIT' ? t('common.save') : t('common.create') }}</span>
+                  </button>
+                  <div v-if="groupDataHasUnsavedChanges && props.mode === 'EDIT'" class="flex items-center whitespace-nowrap gap-1 text-sm text-yellow-700">
+                    <ExclamationTriangleIcon class="w-4 h-4 m-1 text-yellow-500" />
+                    {{ t('common.unsavedChanges') }}&nbsp;
+                    <button type="button" class="underline hover:text-yellow-900" @click="resetGroupData()">
+                      {{ t('common.undo') }}
+                    </button>
+                  </div>
+                </div>
+                <p v-if="onSubmitError" class="mt-2 text-sm text-red-600">{{ t('common.unexpectedError', [onSubmitError.message]) }}</p>
+              </div>
+            </div>
+          </form>
+        </div>
+      </div>
+    </div>
+  </div>
+</template>
+
+<script setup lang="ts">
+import { ExclamationTriangleIcon, TrashIcon, UserGroupIcon } from '@heroicons/vue/24/outline';
+import { computed, onMounted, reactive, ref, shallowRef, watch } from 'vue';
+import { useI18n } from 'vue-i18n';
+import { useRouter } from 'vue-router';
+import backend, { generateFallbackPictureUrl, GroupDto, isAxiosError } from '../../common/backend';
+import { FormValidator } from '../../common/formvalidator';
+import { debounce } from '../../common/util';
+import BreadcrumbNav from '../BreadcrumbNav.vue';
+import FetchError from '../FetchError.vue';
+
+const props = defineProps<{
+  id: undefined,
+  mode: 'CREATE',
+} | {
+  id: string,
+  mode: 'EDIT',
+}>();
+
+type EditableGroupData = Pick<GroupDto, 'name' | 'pictureUrl'>;
+const initialData = shallowRef<EditableGroupData>({ name: '', pictureUrl: undefined });
+const data = reactive<EditableGroupData>(initialData.value);
+
+const groupDataHasUnsavedChanges = computed(() => {
+  return data.name !== initialData.value.name
+    || data.pictureUrl !== initialData.value.pictureUrl;
+});
+
+function resetGroupData() {
+  data.name = initialData.value.name;
+  data.pictureUrl = initialData.value.pictureUrl;
+}
+
+const { t } = useI18n({ useScope: 'global' });
+const router = useRouter();
+const loading = ref(true);
+const onFetchError = ref<Error>();
+const errors = ref<Record<string, string>>({});
+const processing = ref(false);
+const onSubmitError = ref<Error>();
+const isValidImageUrl = ref<boolean>(false);
+const previewJdenticon = ref<string>();
+const debouncedValidateImageUrl = debounce(async (url?: string) => {
+  isValidImageUrl.value = await FormValidator.validateImageUrl(url);
+}, 500);
+
+watch(() => data.pictureUrl, debouncedValidateImageUrl, { immediate: true });
+
+onMounted(async () => {
+  loading.value = true;
+  if (props.mode === 'EDIT') {
+    previewJdenticon.value = generateFallbackPictureUrl('GROUP', props.id);
+    try {
+      initialData.value = await backend.groups.getGroup(props.id, false);
+    } catch (error) {
+      console.error('Failed to fetch group:', error);
+      onFetchError.value = error instanceof Error ? error : new Error('Unknown Error');
+    } finally {
+      loading.value = false;
+    }
+  } else {
+    initialData.value = { name: '', pictureUrl: undefined };
+    loading.value = false;
+  }
+  resetGroupData();
+});
+
+function removePicture() {
+  data.pictureUrl = undefined;
+}
+
+async function validateForm(): Promise<boolean> {
+  const result = FormValidator.validateGroup({
+    name: data.name,
+    pictureUrl: data.pictureUrl,
+    isValidImageUrl: await FormValidator.validateImageUrl(data.pictureUrl)
+  });
+
+  errors.value = result.errors;
+  return result.valid;
+}
+
+async function onSubmit() {
+  if (!await validateForm()) {
+    return;
+  }
+
+  processing.value = true;
+  onSubmitError.value = undefined;
+
+  data.name = data.name.trim();
+
+  try {
+    if (props.mode === 'EDIT') {
+      await backend.groups.updateGroup(props.id, data);
+      router.push(`/app/groups/${props.id}`);
+    } else {
+      await backend.groups.createGroup(data);
+      router.push('/app/groups');
+    }
+  } catch (error: unknown) {
+    console.error('Failed to save group:', error);
+    if (isAxiosError(error) && error.response?.status === 409) {
+      errors.value.name = t('groupEditCreate.error.groupNameAlreadyExists');
+    } else {
+      onSubmitError.value = error instanceof Error ? error : new Error('Unknown Error');
+    }
+  } finally {
+    processing.value = false;
+  }
+}
+
+function cancelAction() {
+  if (props.mode === 'EDIT') {
+    router.push(`/app/groups/${props.id}`);
+  } else {
+    router.push('/app/groups');
+  }
+}
+</script>
\ No newline at end of file
diff --git a/frontend/src/components/authority/GroupInfo.vue b/frontend/src/components/authority/GroupInfo.vue
new file mode 100644
index 000000000..ca9e62213
--- /dev/null
+++ b/frontend/src/components/authority/GroupInfo.vue
@@ -0,0 +1,18 @@
+<template>
+  <section class="bg-white rounded-lg shadow-sm overflow-hidden">
+    <div class="px-6 py-6">
+      <div class="flex flex-col items-center justify-center h-full text-center">
+        <img :src="group.pictureUrl" class="w-48 h-48 rounded-full object-cover border border-gray-300 mb-4" />
+        <h2 class="text-xl font-semibold text-gray-900">{{ group.name }}</h2>
+      </div>
+    </div>
+  </section>
+</template>
+
+<script setup lang="ts">
+import { GroupDto } from '../../common/backend';
+
+defineProps<{
+  group: GroupDto;
+}>();
+</script>
\ No newline at end of file
diff --git a/frontend/src/components/authority/GroupList.vue b/frontend/src/components/authority/GroupList.vue
new file mode 100644
index 000000000..9b071d803
--- /dev/null
+++ b/frontend/src/components/authority/GroupList.vue
@@ -0,0 +1,245 @@
+<template>
+  <div v-if="loading" class="text-center p-8 text-gray-500 text-sm">
+    {{ t('common.loading') }}
+  </div>
+  <div v-else-if="onFetchError == null">
+    <div class="flex flex-col">
+      <h2 class="text-2xl font-bold leading-9 text-gray-900 sm:text-3xl sm:truncate mb-4">
+        {{ t('groups.title') }}
+      </h2>
+      <!-- Searchbar + Create button -->
+      <div class="flex flex-wrap sm:flex-nowrap justify-between items-center gap-3 mb-4">
+        <input v-model="query" type="text" :placeholder="t('groupList.search.placeholder')" class="flex-1 focus:ring-primary focus:border-primary shadow-xs text-sm border-gray-300 rounded-md"/>
+        <button type="button" class="bg-primary text-white text-sm font-medium px-4 py-2 rounded-md shadow-xs hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showCreateGroup()">{{ t('groupList.create.button') }}</button>
+      </div>
+      
+      <!-- Mobile Card Layout (visible on small screens) -->
+      <div v-if="paginatedGroups.length > 0" class="block md:hidden space-y-3">
+        <div v-for="group in paginatedGroups" :key="group.id" class="bg-white rounded-lg shadow-sm border border-gray-200 hover:shadow-md transition-shadow cursor-pointer" @click="router.push(`/app/groups/${group.id}`)">
+          <div class="px-4 py-4">
+            <div class="flex items-start justify-between mb-4">
+              <div class="flex items-center min-w-0 flex-1" :title="group.name">
+                <img :src="group.pictureUrl" :alt="t('groupList.profileImage')" class="w-10 h-10 rounded-full object-cover border border-gray-300 flex-shrink-0" />
+                <div class="ml-3 min-w-0 flex-1">
+                  <p class="text-sm font-medium text-gray-900 truncate leading-tight">{{ group.name }}</p>
+                </div>
+              </div>
+              <Menu as="div" class="relative inline-block shrink-0 text-left">
+                <MenuButton class="group p-1 focus:outline-hidden focus:ring-2 focus:ring-primary focus:ring-offset-2" @click.stop>
+                  <span class="sr-only">Open options menu</span>
+                  <EllipsisVerticalIcon class="h-5 w-5 text-gray-400 group-hover:text-gray-500" aria-hidden="true" />
+                </MenuButton>
+                <transition enter-active-class="transition ease-out duration-100" enter-from-class="transform opacity-0 scale-95" enter-to-class="transform opacity-100 scale-100" leave-active-class="transition ease-in duration-75" leave-from-class="transform opacity-100 scale-100" leave-to-class="transform opacity-0 scale-95">
+                  <MenuItems class="absolute right-0 mt-2 z-10 w-48 origin-top-right rounded-md bg-white shadow-lg ring-1 ring-black/5 focus:outline-hidden">
+                    <div class="py-1">
+                      <MenuItem>
+                        <button type="button" class="text-red-700 hover:text-red-900 block w-full px-4 py-2 text-sm text-left hover:bg-gray-50" @click.stop="showDeleteGroupDialog(group)">{{ t('common.remove') }}</button>
+                      </MenuItem>
+                    </div>
+                  </MenuItems>
+                </transition>
+              </Menu>
+            </div>
+
+            <!-- Stats section -->
+            <div class="ml-13 text-xs text-gray-600 space-x-3">
+              <span>{{ t('groupList.members.count') }}: {{ group.memberSize ?? 0 }}</span>
+              <span>{{ t('groupList.vaults.count') }}: {{ group.vaultCount ?? 0 }}</span>
+            </div>
+          </div>
+        </div>
+      </div>
+
+      <!-- Desktop Table Layout (visible on medium screens and up) -->
+      <div v-if="paginatedGroups.length > 0" class="-my-2 overflow-x-auto sm:-mx-6 lg:-mx-8 hidden md:block">
+        <div class="py-2 align-middle inline-block min-w-full sm:px-6 lg:px-8">
+          <div class="shadow-sm overflow-hidden border-b border-gray-200 sm:rounded-lg">
+            <table class="min-w-full divide-y divide-gray-200" aria-describedby="groupListTitle">
+              <thead class="bg-gray-50">
+                <tr>
+                  <th class="px-6 py-3 w-2/5 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">{{ t('groupList.name') }}</th>
+                  <th class="px-4 py-3 w-1/5 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">{{ t('groupList.members.count') }}</th>
+                  <th class="px-4 py-3 w-1/5 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">{{ t('groupList.vaults.count') }}</th>
+                  <th class="px-4 py-3 w-auto text-right text-xs font-medium text-gray-500 uppercase tracking-wider"></th>
+                </tr>
+              </thead>
+
+              <tbody class="bg-white divide-y divide-gray-200">
+                <template v-for="group in paginatedGroups" :key="group.id">
+                  <tr>
+                    <td class="px-6 py-4 text-sm font-medium text-gray-900">
+                      <div class="flex items-center gap-3 max-w-xs">
+                        <img :src="group.pictureUrl" :alt="t('groupList.profileImage')" class="w-10 h-10 rounded-full object-cover border border-gray-300"/>
+                        <button type="button" class="truncate block hover:underline cursor-pointer" :title="group.name" @click="router.push(`/app/groups/${group.id}`)"> {{ group.name }} </button>
+                      </div>
+                    </td>
+                    <td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">{{ group.memberSize ?? 0 }}</td>
+                    <td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">{{ group.vaultCount ?? 0 }}</td>
+                    <td class="px-6 py-4 whitespace-nowrap text-right text-sm font-medium">
+                      <div class="cursor-pointer text-sm font-medium text-red-700 hover:text-red-900" @click="showDeleteGroupDialog(group)">{{ t('common.remove') }}</div>
+                    </td>
+                  </tr>
+                </template>
+              </tbody>
+
+              <!-- Pagination -->
+              <tfoot v-if="showPagination" class="bg-gray-50">
+                <tr>
+                  <td colspan="4">
+                    <nav class="flex items-center justify-between px-4 py-3 sm:px-6" :aria-label="t('common.pagination')">
+                      <div class="hidden sm:block">
+                        <i18n-t keypath="auditLog.pagination.showing" scope="global" tag="p" class="text-sm text-gray-700">
+                          <span class="font-medium">{{ paginationBegin }}</span>
+                          <span class="font-medium">{{ paginationEnd }}</span>
+                        </i18n-t>
+                      </div>
+                      <div class="flex flex-1 justify-end space-x-3">
+                        <button v-if="currentPage > 0" type="button" class="relative inline-flex items-center rounded-md bg-white px-3 py-2 text-sm font-medium text-gray-900 ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:outline-offset-0" @click="showPreviousPage">
+                          {{ t('common.previous') }}
+                        </button>
+                        <button v-if="hasNextPage" type="button" class="relative inline-flex items-center rounded-md bg-white px-3 py-2 text-sm font-medium text-gray-900 ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:outline-offset-0" @click="showNextPage">
+                          {{ t('common.next') }}
+                        </button>
+                      </div>
+                    </nav>
+                  </td>
+                </tr>
+              </tfoot>
+            </table>
+          </div>
+        </div>
+      </div>
+
+      <!-- Mobile Pagination -->
+      <nav v-if="showPagination" class="flex items-center justify-between px-4 py-3 md:hidden" :aria-label="t('common.pagination')">
+        <div class="flex flex-1 justify-between space-x-3">
+          <button v-if="currentPage > 0" type="button" class="relative inline-flex items-center rounded-md bg-white px-3 py-2 text-sm font-medium text-gray-900 ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:outline-offset-0" @click="showPreviousPage">
+            {{ t('common.previous') }}
+          </button>
+          <div class="flex-1"></div>
+          <button v-if="hasNextPage" type="button" class="relative inline-flex items-center rounded-md bg-white px-3 py-2 text-sm font-medium text-gray-900 ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:outline-offset-0" @click="showNextPage">
+            {{ t('common.next') }}
+          </button>
+        </div>
+      </nav>
+
+      <!-- Empty State when no groups exist -->
+      <div v-if="query === '' && sortedGroups.length === 0" class="mt-3 text-center">
+        <svg xmlns="http://www.w3.org/2000/svg" class="mx-auto h-12 w-12 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
+          <path vector-effect="non-scaling-stroke" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M18 18.72a9.094 9.094 0 003.741-.479 3 3 0 00-4.682-2.72m.94 3.198l.001.031c0 .225-.012.447-.037.666A11.944 11.944 0 0112 21c-2.17 0-4.207-.576-5.963-1.584A6.062 6.062 0 016 18.719m12 0a5.971 5.971 0 00-.941-3.197m0 0A5.995 5.995 0 0012 12.75a5.995 5.995 0 00-5.058 2.772m0 0a3 3 0 00-4.681 2.72 8.986 8.986 0 003.74.477m.94-3.197a5.971 5.971 0 00-.94 3.197M15 6.75a3 3 0 11-6 0 3 3 0 016 0zm6 3a2.25 2.25 0 11-4.5 0 2.25 2.25 0 014.5 0zm-13.5 0a2.25 2.25 0 11-4.5 0 2.25 2.25 0 014.5 0z" />
+        </svg>
+        <h3 class="mt-2 text-sm font-medium text-gray-900">{{ t('groupList.empty.title') }}</h3>
+        <p class="mt-1 text-sm text-gray-500">{{ t('groupList.empty.description') }}</p>
+      </div>
+
+      <!-- Empty State for Search Results -->
+      <div v-else-if="query !== '' && sortedGroups.length === 0" class="mt-3 text-center">
+        <svg xmlns="http://www.w3.org/2000/svg" class="mx-auto h-12 w-12 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
+          <path vector-effect="non-scaling-stroke" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M15.75 15.75l-2.489-2.489m0 0a3.375 3.375 0 10-4.773-4.773 3.375 3.375 0 004.774 4.774zM21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+        </svg>
+        <h3 class="mt-2 text-sm font-medium text-gray-900">{{ t('groupList.filter.result.empty.title') }}</h3>
+        <p class="mt-1 text-sm text-gray-500">{{ t('groupList.filter.result.empty.description') }}</p>
+      </div>
+    </div>
+  </div>
+
+  <div v-else>
+    <FetchError :error="onFetchError" :retry="fetchData" />
+  </div>
+
+  <!-- Delete Dialog -->
+  <GroupDeleteDialog v-if="deletingGroup != null" ref="deleteGroupDialog" :group="deletingGroup" @close="deletingGroup = null" @delete="onGroupDeleted"/>
+</template>
+
+<script setup lang="ts">
+import { Menu, MenuButton, MenuItem, MenuItems } from '@headlessui/vue';
+import { EllipsisVerticalIcon } from '@heroicons/vue/20/solid';
+import { computed, nextTick, onMounted, ref, watch } from 'vue';
+import { useI18n } from 'vue-i18n';
+import { useRoute, useRouter } from 'vue-router';
+import backend, { GroupDto } from '../../common/backend';
+import FetchError from '../FetchError.vue';
+import GroupDeleteDialog from './GroupDeleteDialog.vue';
+
+const router = useRouter();
+const route = useRoute();
+
+const { t } = useI18n({ useScope: 'global' });
+
+const groups = ref<GroupDto[]>([]);
+const loading = ref(true);
+const onFetchError = ref<Error | null>(null);
+const deleteGroupDialog = ref<typeof GroupDeleteDialog>();
+const deletingGroup = ref<GroupDto | null>(null);
+const query = ref('');
+const currentPage = ref(0);
+const pageSize = 20;
+
+function showDeleteGroupDialog(group: GroupDto) {
+  deletingGroup.value = group;
+  nextTick(() => deleteGroupDialog.value?.show());
+}
+
+function onGroupDeleted(deletedGroupId: string) {
+  groups.value = groups.value.filter(g => g.id !== deletedGroupId);
+  deletingGroup.value = null;
+}
+
+function showCreateGroup() {
+  router.push('/app/groups/create');
+}
+
+onMounted(() => {
+  fetchData();
+});
+
+watch(() => route.path, (newPath) => {
+  if (newPath === '/app/groups') {
+    fetchData();
+  }
+});
+
+async function fetchData() {
+  onFetchError.value = null;
+  try {
+    groups.value = await backend.groups.listAll();
+  } catch (error) {
+    onFetchError.value = error instanceof Error ? error : new Error('Unknown Error');
+  } finally {
+    loading.value = false;
+  }
+}
+
+const filteredGroups = computed(() =>
+  query.value === ''
+    ? groups.value
+    : groups.value.filter((g) =>
+      g.name.toLowerCase().includes(query.value.toLowerCase())
+    )
+);
+
+const sortedGroups = computed(() =>
+  filteredGroups.value.slice().sort((a, b) =>
+    a.name.localeCompare(b.name)
+  )
+);
+
+const paginatedGroups = computed(() =>
+  sortedGroups.value.slice(currentPage.value * pageSize, (currentPage.value + 1) * pageSize)
+);
+
+const showPagination = computed(() => sortedGroups.value.length > pageSize);
+const hasNextPage = computed(() => (currentPage.value + 1) * pageSize < sortedGroups.value.length);
+const paginationBegin = computed(() => sortedGroups.value.length ? currentPage.value * pageSize + 1 : 0);
+const paginationEnd = computed(() => Math.min((currentPage.value + 1) * pageSize, sortedGroups.value.length));
+
+function showNextPage() {
+  if (hasNextPage.value) currentPage.value += 1;
+}
+
+function showPreviousPage() {
+  if (currentPage.value > 0) currentPage.value -= 1;
+}
+
+watch(() => [filteredGroups.value.length, query.value], () => (currentPage.value = 0));
+</script>
diff --git a/frontend/src/components/authority/GroupMemberList.vue b/frontend/src/components/authority/GroupMemberList.vue
new file mode 100644
index 000000000..ee9114b62
--- /dev/null
+++ b/frontend/src/components/authority/GroupMemberList.vue
@@ -0,0 +1,165 @@
+<template>
+  <section class="bg-white rounded-lg shadow-sm overflow-hidden">
+    <div class="bg-gray-50 px-6 py-4 border-b border-gray-200 flex items-center justify-between">
+      <div class="flex items-baseline gap-1">
+        <h3 id="membersTitle" class="text-sm font-semibold text-gray-900 uppercase tracking-wide">
+          {{ t('group.detail.members') }}
+        </h3>
+        <span class="text-xs text-gray-500">{{ members.length }}</span>
+      </div>
+      <button class="inline-flex items-center gap-2 px-2.5 py-1.5 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 bg-white hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="openAccessDialog">
+        {{ t('common.add') }}
+      </button>
+    </div>
+
+    <!-- Search bar -->
+    <div class="px-6 py-3 border-b border-gray-200">
+      <label for="memberSearch" class="sr-only">{{ t('common.search.placeholder') }}</label>
+      <input id="memberSearch" v-model="userQuery" :placeholder="t('common.search.placeholder')" type="text" class="focus:ring-primary focus:border-primary block w-full shadow-xs text-sm border-gray-300 rounded-md disabled:bg-gray-200" />
+    </div>
+
+    <!-- User table -->
+    <div class="overflow-x-auto">
+      <table class="min-w-full divide-y divide-gray-300" aria-describedby="membersTitle">
+        <thead class="sr-only">
+          <tr>
+            <th scope="col">{{ t('common.member') }}</th>
+            <th scope="col">{{ t('common.actions') }}</th>
+          </tr>
+        </thead>
+        <tbody class="divide-y divide-gray-200 bg-white">
+          <tr v-for="member in paginatedMembers" :key="member.id + member.name">
+            <td class="whitespace-nowrap h-17 py-4 pl-4 pr-3 text-sm font-medium text-gray-900 flex items-center gap-3 sm:pl-6">
+              <img :src="member.pictureUrl" class="w-8 h-8 rounded-full object-cover border border-gray-300" />
+              <div v-if="member.type === 'USER'" class="flex flex-col truncate">
+                <span class="font-medium truncate">{{ member.name }}</span>
+                <span class="text-xs text-gray-500 truncate">{{ member.firstName || member.lastName ? [member.firstName, member.lastName].filter(Boolean).join(' ') : member.email }}</span>
+              </div>
+            </td>
+            <td class="px-6 py-4 whitespace-nowrap text-right text-sm font-medium">
+              <button type="button" class="cursor-pointer text-red-600 hover:text-red-900" :title="t('common.leave')" @click="showDeleteDialog(member)">{{ t('common.remove') }}</button>
+            </td>
+          </tr>
+          <tr v-if="!filteredUsers.length">
+            <td colspan="2" class="py-4 px-4 text-sm text-center text-gray-500">
+              {{ t(userQuery ? 'group.members.search.empty' : 'common.none') }}
+            </td>
+          </tr>
+        </tbody>
+
+        <!-- USERS – Pagination ----------------------------->
+        <tfoot v-if="showPaginationUsers" class="bg-gray-50">
+          <tr>
+            <td colspan="2">
+              <nav class="flex items-center justify-between px-4 py-3 sm:px-6" :aria-label="t('common.pagination')">
+                <div class="hidden sm:block">
+                  <i18n-t keypath="auditLog.pagination.showing" scope="global" tag="p" class="text-sm text-gray-700">
+                    <span class="font-medium">{{ paginationBegin }}</span>
+                    <span class="font-medium">{{ paginationEnd }}</span>
+                  </i18n-t>
+                </div>
+                <div class="flex flex-1 justify-end space-x-3">
+                  <button v-if="currentPage > 0" type="button" class="relative inline-flex items-center rounded-md bg-white px-3 py-2 text-sm font-medium text-gray-900 ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:outline-offset-0" @click="showPreviousPage">
+                    {{ t('common.previous') }}
+                  </button>
+                  <button v-if="hasNextPage" type="button" class="relative inline-flex items-center rounded-md bg-white px-3 py-2 text-sm font-medium text-gray-900 ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:outline-offset-0" @click="showNextPage">
+                    {{ t('common.next') }}
+                  </button>
+                </div>
+              </nav>
+            </td>
+          </tr>
+        </tfoot>
+      </table>
+    </div>
+  </section>
+  <GroupAddMemberDialog ref="addMemberDialog" :group-id="group.id" :members="members" @saved="props.onSaved" />
+  <GroupMemberRemoveDialog v-if="deletingGroupMember" ref="deleteGroupMemberDialog" :member="deletingGroupMember" :group-id="group.id" @close="deletingGroupMember = undefined" @delete="onGroupMemberDeleted" />
+</template>
+
+<script setup lang="ts">
+import { computed, nextTick, ref, watch } from 'vue';
+import { useI18n } from 'vue-i18n';
+import { AuthorityDto, GroupDto } from '../../common/backend';
+import GroupAddMemberDialog from './GroupAddMemberDialog.vue';
+import GroupMemberRemoveDialog from './GroupMemberRemoveDialog.vue';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const props = defineProps<{
+  group: GroupDto;
+  pageSize: number;
+  onSaved: (members: AuthorityDto[]) => void;
+}>();
+
+const members = defineModel<AuthorityDto[]>('members', { required: true });
+
+const deleteGroupMemberDialog = ref<typeof GroupMemberRemoveDialog>();
+const deletingGroupMember = ref<AuthorityDto>();
+const addMemberDialog = ref<InstanceType<typeof GroupAddMemberDialog> | null>(null);
+
+function showDeleteDialog(u: AuthorityDto) {
+  deletingGroupMember.value = u;
+  nextTick(() => deleteGroupMemberDialog.value?.show());
+}
+
+function openAccessDialog() {
+  addMemberDialog.value?.show();
+}
+
+function onGroupMemberDeleted(deletedMemberId: string) {
+  members.value = members.value.filter(m => m.id !== deletedMemberId);
+  deletingGroupMember.value = undefined;
+}
+
+const currentPage = ref(0);
+const userQuery = ref('');
+
+const showPaginationUsers = computed(
+  () => filteredUsers.value.length > props.pageSize
+);
+
+const filteredUsers = computed(() => {
+  const q = userQuery.value.trim().toLowerCase();
+  return [...members.value]
+    .filter(m => m.type === 'USER')
+    .filter(u => {
+      if (!q) return true;
+      const nameMatch = u.name?.toLowerCase().includes(q);
+      const emailMatch = u.email?.toLowerCase().includes(q);
+      const firstNameMatch = u.firstName?.toLowerCase().includes(q);
+      const lastNameMatch = u.lastName?.toLowerCase().includes(q);
+      return nameMatch || emailMatch || firstNameMatch || lastNameMatch;
+    })
+    .sort((a, b) => {
+      const aKey = a.name?.trim() || a.email || '';
+      const bKey = b.name?.trim() || b.email || '';
+      return aKey.localeCompare(bKey, undefined, { sensitivity: 'base' });
+    });
+});
+
+const paginatedMembers = computed(() =>
+  filteredUsers.value.slice(currentPage.value * props.pageSize, currentPage.value * props.pageSize + props.pageSize)
+);
+
+const hasNextPage = computed(
+  () => (currentPage.value + 1) * props.pageSize < filteredUsers.value.length
+);
+
+const paginationBegin = computed(() =>
+  filteredUsers.value.length ? currentPage.value * props.pageSize + 1 : 0,
+);
+const paginationEnd = computed(() =>
+  Math.min((currentPage.value + 1) * props.pageSize, filteredUsers.value.length),
+);
+
+function showNextPage() {
+  if (hasNextPage.value) currentPage.value += 1;
+}
+function showPreviousPage() {
+  if (currentPage.value > 0) currentPage.value -= 1;
+}
+
+watch(() => [filteredUsers.value.length, userQuery.value], () => (currentPage.value = 0));
+
+</script>
\ No newline at end of file
diff --git a/frontend/src/components/authority/GroupMemberRemoveDialog.vue b/frontend/src/components/authority/GroupMemberRemoveDialog.vue
new file mode 100644
index 000000000..9c8c490f4
--- /dev/null
+++ b/frontend/src/components/authority/GroupMemberRemoveDialog.vue
@@ -0,0 +1,108 @@
+<template>
+  <TransitionRoot as="template" :show="open" @after-leave="$emit('close')">
+    <Dialog as="div" class="fixed z-10 inset-0 overflow-y-auto" @close="open = false">
+      <TransitionChild as="template" enter="ease-out duration-300" enter-from="opacity-0" enter-to="opacity-100" leave="ease-in duration-200" leave-from="opacity-100" leave-to="opacity-0">
+        <DialogOverlay class="fixed inset-0 bg-gray-500/75 transition-opacity" />
+      </TransitionChild>
+
+      <div class="fixed inset-0 z-10 overflow-y-auto">
+        <div class="flex min-h-full items-end justify-center p-4 text-center sm:items-center sm:p-0">
+          <TransitionChild as="template" enter="ease-out duration-300" enter-from="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95" enter-to="opacity-100 translate-y-0 sm:scale-100" leave="ease-in duration-200" leave-from="opacity-100 translate-y-0 sm:scale-100" leave-to="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95">
+            <DialogPanel class="relative transform overflow-hidden rounded-lg bg-white text-left shadow-xl transition-all sm:my-8 sm:w-full sm:max-w-lg">
+              <form novalidate @submit.prevent="removeMember">
+                <div class="bg-white px-4 pt-5 pb-4 sm:p-6 sm:pb-4">
+                  <div class="sm:flex sm:items-start">
+                    <div class="mx-auto shrink-0 flex items-center justify-center h-12 w-12 rounded-full bg-red-100 sm:mx-0 sm:h-10 sm:w-10">
+                      <ExclamationTriangleIcon class="h-6 w-6 text-red-600" aria-hidden="true" />
+                    </div>
+                    <div class="mt-3 grow text-center sm:mt-0 sm:ml-4 sm:text-left">
+                      <DialogTitle as="h3" class="text-lg leading-6 font-medium text-gray-900">
+                        {{ t('group.member.remove.title') }}
+                      </DialogTitle>
+                      <div class="mt-2">
+                        <p class="text-sm text-gray-500">
+                          {{ t('group.member.remove.description') }}
+                        </p>
+                      </div>
+                      <div class="mt-4 hidden sm:flex items-center gap-2">
+                        <img :src="member.pictureUrl" class="w-8 h-8 rounded-full border" />
+                        <div class="flex flex-col">
+                          <span class="font-medium text-sm">{{ member.name }}</span>
+                          <span v-if="fullName" class="text-xs text-gray-500">{{ fullName }}</span>
+                        </div>
+                      </div>
+                    </div>
+                  </div>
+                </div>
+                <div class="bg-gray-50 px-4 py-3 sm:px-6 sm:flex sm:flex-row-reverse">
+                  <button type="submit" class="w-full inline-flex justify-center rounded-md border border-transparent shadow-xs px-4 py-2 bg-red-600 text-base font-medium text-white hover:bg-red-700 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-red-500 sm:ml-3 sm:w-auto sm:text-sm">
+                    {{ t('group.member.remove.confirm') }}
+                  </button>
+                  <button type="button" class="mt-3 w-full inline-flex justify-center rounded-md border border-gray-300 shadow-xs px-4 py-2 bg-white text-base font-medium text-gray-700 hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:mt-0 sm:ml-3 sm:w-auto sm:text-sm" @click="open = false">
+                    {{ t('common.cancel') }}
+                  </button>
+                </div>
+                <p v-if="onDeleteGroupError != null" class="text-sm text-red-900 px-4 sm:px-6 text-right bg-red-50">
+                  {{ t('common.unexpectedError', [onDeleteGroupError.message]) }}
+                </p>
+              </form>
+            </DialogPanel>
+          </TransitionChild>
+        </div>
+      </div>
+    </Dialog>
+  </TransitionRoot>
+</template>
+
+<script setup lang="ts">
+import { Dialog, DialogOverlay, DialogPanel, DialogTitle, TransitionChild, TransitionRoot } from '@headlessui/vue';
+import { ExclamationTriangleIcon } from '@heroicons/vue/24/outline';
+import { computed, ref } from 'vue';
+import { useI18n } from 'vue-i18n';
+import backend, { AuthorityDto } from '../../common/backend';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const open = ref(false);
+const onDeleteGroupError = ref<Error | null>(null);
+
+const props = defineProps<{
+   member: AuthorityDto;
+   groupId: string;
+ }>();
+
+const fullName = computed(() => {
+  if (props.member.type === 'USER') {
+    const first = props.member.firstName ?? '';
+    const last = props.member.lastName ?? '';
+    return `${first} ${last}`.trim();
+  } else {
+    return props.member.name;
+  }
+});
+
+const emit = defineEmits<{
+    close: [];
+    delete: [deletedMemberId: string];
+}>();
+
+defineExpose({
+  show
+});
+
+function show() {
+  open.value = true;
+}
+
+async function removeMember() {
+  onDeleteGroupError.value = null;
+  try {
+    await backend.groups.removeMember(props.groupId, props.member.id);
+    emit('delete', props.member.id);
+    open.value = false;
+  } catch (error) {
+    console.error('Removing member failed.', error);
+    onDeleteGroupError.value = error instanceof Error ? error : new Error('Unknown Error');
+  }
+}
+</script>
diff --git a/frontend/src/components/authority/UserAddGroupDialog.vue b/frontend/src/components/authority/UserAddGroupDialog.vue
new file mode 100644
index 000000000..bee0d70d7
--- /dev/null
+++ b/frontend/src/components/authority/UserAddGroupDialog.vue
@@ -0,0 +1,152 @@
+<template>
+  <TransitionRoot as="template" :show="open">
+    <Dialog as="div" class="fixed inset-0 z-10 overflow-y-auto" @close="open = false">
+      <TransitionChild as="template" enter="ease-out duration-300" enter-from="opacity-0" enter-to="opacity-100" leave="ease-in  duration-200" leave-from="opacity-100" leave-to="opacity-0">
+        <DialogOverlay class="fixed inset-0 bg-gray-500/75" @click.stop />
+      </TransitionChild>
+      <div class="flex min-h-full items-end justify-center p-4 sm:items-center sm:p-0">
+        <TransitionChild as="template" enter="ease-out duration-300" enter-from="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95" enter-to="opacity-100 translate-y-0 sm:scale-100" leave="ease-in duration-200" leave-from="opacity-100 translate-y-0 sm:scale-100" leave-to="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95">
+          <DialogPanel class="relative flex w-full h-[32rem] transform flex-col overflow-hidden rounded-lg bg-white shadow-xl transition-all sm:my-8 sm:max-w-lg">
+            <form novalidate class="flex flex-1 min-h-0 flex-col p-4" @submit.prevent="onSubmit">
+              <div class="flex flex-1 min-h-0 flex-col overflow-hidden bg-white p-1 mb-4">
+                <DialogTitle class="text-lg font-medium text-gray-900 mx-1">
+                  {{ t('user.addGroups.title') }}
+                </DialogTitle>
+                <div class="flex flex-col p-1 mt-4">
+                  <SearchInputGroup :action-title="t('common.add')" :place-holder="t('user.addGroups.searchLabel')" :on-search="searchGroup" @action="addGroup" />
+                  <p v-if="onAddGroupError" class="mt-1 text-sm text-red-900 text-right">
+                    {{ t('common.unexpectedError', [onAddGroupError.message]) }}
+                  </p>
+                </div>
+
+                <div ref="scrollContainer" class="mt-4 flex flex-1 min-h-0 flex-col overflow-y-auto">
+                  <TransitionGroup tag="ul" class="flex-1 min-h-0 divide-y divide-gray-200" enter-active-class="transition-all duration-250 ease-out" enter-from-class="bg-green-50 opacity-0 scale-95" enter-to-class="bg-white opacity-100 scale-100" leave-active-class="transition-all duration-250 ease-in" leave-from-class="bg-white opacity-100 scale-100" leave-to-class="bg-red-50 opacity-0 scale-95">
+                    <li v-for="group in sortedNewGroups" :key="group.id" class="flex flex-col py-2 border-b border-gray-200 border-l-4 border-transparent mx-1 last:border-b-0 transform transition">
+                      <div class="flex items-center justify-between">
+                        <div class="flex items-center w-full" :title="group.name">
+                          <div class="w-8 h-8 rounded-full border border-gray-300 bg-white flex items-center justify-center overflow-hidden">
+                            <img :src="group.pictureUrl" class="w-full h-full object-cover" alt="group icon" />
+                          </div>
+                          <p class="ml-4 text-sm font-medium truncate">
+                            {{ group.name }}
+                          </p>
+                        </div>
+                        <button type="button" class="cursor-pointer text-red-600 hover:text-red-900" :title="t('common.remove')" @click="removeTempGroup(group.id)">{{ t('common.remove') }}</button>
+                      </div>
+                    </li>
+                  </TransitionGroup>
+                </div>
+              </div>
+              <div class="flex-shrink-0 bg-gray-50 -m-4 py-3 px-6 sm:flex sm:flex-row-reverse sm:space-x-4 sm:space-x-reverse">
+                <button type="submit" class="w-full sm:w-auto inline-flex justify-center rounded-md border border-transparent shadow-sm px-4 py-2 bg-primary text-base font-medium text-white hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary">
+                  {{ t('common.save') }}
+                </button>
+                <button type="button" class="mt-3 sm:mt-0 w-full sm:w-auto inline-flex justify-center rounded-md border border-gray-300 shadow-sm px-4 py-2 bg-white text-base font-medium text-gray-700 hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="open = false">
+                  {{ t('common.cancel') }}
+                </button>
+                <span class="mt-3 sm:mt-0 flex items-center text-sm text-gray-600 sm:mr-auto">
+                  {{ selectedCount }}
+                  {{ t('user.addGroups.selectedGroups') }}
+                </span>
+              </div>
+            </form>
+          </DialogPanel>
+        </TransitionChild>
+      </div>
+    </Dialog>
+  </TransitionRoot>
+</template>
+
+<script setup lang="ts">
+import { Dialog, DialogOverlay, DialogPanel, DialogTitle, TransitionChild, TransitionRoot } from '@headlessui/vue';
+import { ref, computed, nextTick } from 'vue';
+import { useI18n } from 'vue-i18n';
+import SearchInputGroup from '../SearchInputGroup.vue';
+import backend, { GroupDto } from '../../common/backend';
+
+const scrollContainer = ref<HTMLElement | null>(null);
+
+const props = defineProps<{ groups: GroupDto[]; userId: string }>();
+const emit = defineEmits<{ saved: [added: GroupDto[]] }>();
+
+const { t } = useI18n({ useScope: 'global' });
+const open = ref(false);
+const newGroups = ref<GroupDto[]>([]);
+const onAddGroupError = ref<Error | null>(null);
+
+const selectedCount = computed(() => newGroups.value.length);
+const sortedNewGroups = computed(() => [...newGroups.value].reverse());
+
+function isKnown(id: string) {
+  return props.groups.some(g => g.id === id);
+}
+
+async function searchGroup(query: string): Promise<GroupDto[]> {
+  if (!query.trim()) return [];
+
+  try {
+    const results = await backend.authorities.search(query, true);
+
+    return results
+      .filter((r): r is GroupDto =>
+        r.type === 'GROUP' &&
+        !isKnown(r.id) &&
+        !newGroups.value.some(n => n.id === r.id)
+      )
+      .sort((a, b) => a.name.localeCompare(b.name, undefined, { sensitivity: 'base' }))
+      .map(g => ({
+        id: g.id,
+        type: g.type,
+        name: g.name,
+        description: undefined,
+        memberSize: g.memberSize,
+        pictureUrl: g.pictureUrl
+      }));
+  } catch (error) {
+    console.error('Search groups failed:', error);
+    return [];
+  }
+}
+
+function addGroup(group: GroupDto) {
+  try {
+    if (isKnown(group.id) || newGroups.value.some(g => g.id === group.id)) return;
+    newGroups.value.push(group);
+
+    nextTick(() => {
+      if (scrollContainer.value) {
+        scrollContainer.value.scrollTop = 0;
+      }
+    });
+  } catch (e) {
+    onAddGroupError.value = e as Error;
+  }
+}
+
+function removeTempGroup(id: string) {
+  newGroups.value = newGroups.value.filter(g => g.id !== id);
+}
+
+async function onSubmit() {
+  onAddGroupError.value = null;
+
+  try {
+    for (const group of newGroups.value) {
+      await backend.groups.addMember(group.id, props.userId);
+    }
+
+    emit('saved', [...newGroups.value]);
+    open.value = false;
+  } catch (error) {
+    console.error('Adding user to groups failed:', error);
+    onAddGroupError.value = error instanceof Error ? error : new Error('Unknown Error');
+  }
+}
+
+function show() {
+  newGroups.value = [];
+  open.value = true;
+}
+
+defineExpose({ show });
+</script>
diff --git a/frontend/src/components/authority/UserDeleteDialog.vue b/frontend/src/components/authority/UserDeleteDialog.vue
new file mode 100644
index 000000000..3f98939fa
--- /dev/null
+++ b/frontend/src/components/authority/UserDeleteDialog.vue
@@ -0,0 +1,105 @@
+<template>
+  <TransitionRoot as="template" :show="open" @after-leave="$emit('close')">
+    <Dialog as="div" class="fixed z-10 inset-0 overflow-y-auto" @close="open = false">
+      <TransitionChild as="template" enter="ease-out duration-300" enter-from="opacity-0" enter-to="opacity-100" leave="ease-in duration-200" leave-from="opacity-100" leave-to="opacity-0">
+        <DialogOverlay class="fixed inset-0 bg-gray-500/75 transition-opacity" />
+      </TransitionChild>
+
+      <div class="fixed inset-0 z-10 overflow-y-auto">
+        <div class="flex min-h-full items-end justify-center p-4 text-center sm:items-center sm:p-0">
+          <TransitionChild as="template" enter="ease-out duration-300" enter-from="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95" enter-to="opacity-100 translate-y-0 sm:scale-100" leave="ease-in duration-200" leave-from="opacity-100 translate-y-0 sm:scale-100" leave-to="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95">
+            <DialogPanel class="relative transform overflow-hidden rounded-lg bg-white text-left shadow-xl transition-all sm:my-8 sm:w-full sm:max-w-lg">
+              <form novalidate @submit.prevent="deleteUser" >
+                <div class="bg-white px-4 pt-5 pb-4 sm:p-6 sm:pb-4">
+                  <div class="sm:flex sm:items-start">
+                    <div class="mx-auto shrink-0 flex items-center justify-center h-12 w-12 rounded-full bg-red-100 sm:mx-0 sm:h-10 sm:w-10">
+                      <ExclamationTriangleIcon class="h-6 w-6 text-red-600" aria-hidden="true" />
+                    </div>
+                    <div class="mt-3 grow text-center sm:mt-0 sm:ml-4 sm:text-left">
+                      <DialogTitle as="h3" class="text-lg leading-6 font-medium text-gray-900">
+                        {{ t('deleteUserDialog.title') }}
+                      </DialogTitle>
+                      <div class="mt-2">
+                        <p class="text-sm text-gray-500">
+                          {{ t('deleteUserDialog.description') }}
+                        </p>
+                      </div>
+                      <div class="mt-4 hidden sm:flex items-center gap-2">
+                        <img :src="user.pictureUrl" class="w-8 h-8 rounded-full border" />
+                        <div class="flex flex-col">
+                          <span class="font-medium text-sm">{{ user.name }}</span>
+                          <span v-if="fullName" class="text-xs text-gray-500">{{ fullName }}</span>
+                        </div>
+                      </div>
+                    </div>
+                  </div>
+                </div>
+                <div class="bg-gray-50 px-4 py-3 sm:px-6 sm:flex sm:flex-row-reverse">
+                  <button type="submit" class="w-full inline-flex justify-center rounded-md border border-transparent shadow-xs px-4 py-2 bg-red-600 text-base font-medium text-white hover:bg-red-700 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-red-500 sm:ml-3 sm:w-auto sm:text-sm" >
+                    {{ t('deleteUserDialog.confirm') }}
+                  </button>
+                  <button type="button" class="mt-3 w-full inline-flex justify-center rounded-md border border-gray-300 shadow-xs px-4 py-2 bg-white text-base font-medium text-gray-700 hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:mt-0 sm:ml-3 sm:w-auto sm:text-sm" @click="open = false">
+                    {{ t('common.cancel') }}
+                  </button>
+                </div>
+                <p v-if="onDeleteUserError != null" class="text-sm text-red-900 px-4 sm:px-6 text-right bg-red-50">
+                  {{ t('common.unexpectedError', [onDeleteUserError.message]) }}
+                </p>
+              </form>
+            </DialogPanel>
+          </TransitionChild>
+        </div>
+      </div>
+    </Dialog>
+  </TransitionRoot>
+</template>
+
+<script setup lang="ts">
+import { Dialog, DialogOverlay, DialogPanel, DialogTitle, TransitionChild, TransitionRoot } from '@headlessui/vue';
+import { ExclamationTriangleIcon } from '@heroicons/vue/24/outline';
+import { ref, computed } from 'vue';
+import { useI18n } from 'vue-i18n';
+import backend, { UserDto } from '../../common/backend';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const open = ref(false);
+const onDeleteUserError = ref<Error | null>(null);
+
+const props = defineProps<{
+  user: UserDto;
+}>();
+
+const fullName = computed(() => {
+  const first = props.user.firstName ?? '';
+  const last = props.user.lastName ?? '';
+  return `${first} ${last}`.trim();
+});
+
+const emit = defineEmits<{
+  close: [];
+  delete: [deletedUser: UserDto];
+}>();
+
+defineExpose({
+  show
+});
+
+function show() {
+  open.value = true;
+}
+
+async function deleteUser() {
+  onDeleteUserError.value = null;
+
+  try {
+    await backend.users.removeUser(props.user.id);
+
+    emit('delete', props.user);
+    open.value = false;
+  } catch (error) {
+    console.error('Deleting user failed.', error);
+    onDeleteUserError.value = error instanceof Error ? error : new Error('Unknown Error');
+  }
+}
+</script>
diff --git a/frontend/src/components/authority/UserDetail.vue b/frontend/src/components/authority/UserDetail.vue
new file mode 100644
index 000000000..19607ff23
--- /dev/null
+++ b/frontend/src/components/authority/UserDetail.vue
@@ -0,0 +1,172 @@
+<template>
+  <div v-if="loading" class="text-center p-8 text-gray-500 text-sm">
+    {{ t('common.loading') }}
+  </div>
+  <div v-else>
+    <BreadcrumbNav :crumbs="[ { label: t('nav.users'), to: '/app/users' }, { label: user.name } ]" />
+    <div class="flex flex-row items-center justify-between gap-3 pb-1 w-full border-b border-gray-200 mb-2">
+      <!-- Headline -->
+      <h2 id="title" class="text-2xl font-bold leading-7 text-gray-900 sm:text-3xl mb-4">
+        {{ t('user.detail.info') }}
+      </h2>
+
+      <div class="flex gap-3 items-center -mt-4">
+        <!-- Edit-Button -->
+        <button class="w-full bg-primary py-2 px-4 border border-transparent rounded-md shadow-xs text-sm font-medium text-white hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showUserEdit()">
+          {{ t('common.edit') }}
+        </button>
+
+        <!-- Ellipsis-Menü -->
+        <Menu as="div" class="relative inline-block shrink-0 text-left">
+          <MenuButton class="group p-1 focus:outline-hidden focus:ring-2 focus:ring-primary focus:ring-offset-2">
+            <span class="sr-only">Open options menu</span>
+            <EllipsisVerticalIcon class="h-5 w-5 text-gray-400 group-hover:text-gray-500" aria-hidden="true" />
+          </MenuButton>
+
+          <transition enter-active-class="transition ease-out duration-100" enter-from-class="transform opacity-0 translate-y-1 scale-95" enter-to-class="transform opacity-100 translate-y-0 scale-100" leave-active-class="transition ease-in duration-75" leave-from-class="transform opacity-100 translate-y-0 scale-100" leave-to-class="transform opacity-0 translate-y-1 scale-95">
+            <MenuItems class="absolute right-0 mt-2 z-10 w-48 origin-top-right rounded-md bg-white shadow-lg ring-1 ring-black/5 focus:outline-hidden">
+              <div class="py-1">
+                <MenuItem v-if="user.enabled" v-slot="{ active }">
+                  <div :class="[ active ? 'bg-gray-100 text-red-900' : 'text-red-700', 'cursor-pointer block px-4 py-2 text-sm']" @click="showDisableUserDialog()">
+                    {{ t('user.detail.disable') }}
+                  </div>
+                </MenuItem>
+                <MenuItem v-else v-slot="{ active }">
+                  <div :class="[ active ? 'bg-gray-100 text-gray-900' : 'text-gray-700', 'cursor-pointer block px-4 py-2 text-sm']" @click="enableUser()">
+                    {{ t('user.detail.enable') }}
+                  </div>
+                </MenuItem>
+                <MenuItem v-slot="{ active }">
+                  <div :class="[ active ? 'bg-gray-100 text-red-900' : 'text-red-700', 'cursor-pointer block px-4 py-2 text-sm']" @click="showDeleteUserDialog()">
+                    {{ t('common.remove') }}
+                  </div>
+                </MenuItem>
+              </div>
+            </MenuItems>
+          </transition>
+        </Menu>
+      </div>
+    </div>
+    <div class="hidden lg:grid grid-cols-1 lg:grid-cols-2 gap-6 items-start pt-3">
+      <section class="lg:col-start-1 grid gap-6">
+        <!-- User Info -->
+        <UserInfo :user="user"/>
+        <!-- Devices -->
+        <UserDeviceList :devices="user.devices" :title="t('user.detail.devices')"/>      
+        <UserDeviceList :devices="user.legacyDevices" :visible="user.legacyDevices.length != 0" :title="t('legacyDeviceList.title')" :info="t('user.detail.legacyDeviceList.info')"/>
+      </section>
+      <section class="lg:col-start-2 grid gap-6">
+        <!-- Groups -->
+        <UserGroupsList :user="user" :user-id="props.id" :groups="user.groups" @on-saved="handleGroupsSaved"/>
+        <!-- Vaults -->
+        <VaultList :vaults="user.accessibleVaults" :visible="true"/>
+      </section>
+    </div>
+    <div class="grid lg:hidden grid-cols-1 gap-6 items-start pt-3">
+      <!-- User Info -->
+      <UserInfo :user="user"/>
+      <!-- Groups -->
+      <UserGroupsList :user="user" :user-id="props.id" :groups="user.groups" @on-saved="handleGroupsSaved"/>
+      <!-- Devices -->
+      <UserDeviceList :devices="user.devices" :title="t('user.detail.devices')"/>
+      <UserDeviceList :devices="user.legacyDevices" :visible="user.legacyDevices.length != 0" :title="t('legacyDeviceList.title')" :info="t('user.detail.legacyDeviceList.info')"/>
+      <!-- Vaults -->
+      <VaultList :vaults="user.accessibleVaults" :visible="true"/>
+    </div>
+  </div>
+
+  <!-- Dialogs -->
+  <UserDisableDialog v-if="disablingUser" ref="disableUserDialog" :user="disablingUser" @close="disablingUser = undefined" @disable="onUserDisabled"/>
+  <UserDeleteDialog v-if="deletingUser" ref="deleteUserDialog" :user="deletingUser" @close="deletingUser = undefined" @delete="onUserDeleted"/>
+</template>
+
+<script setup lang="ts">
+import { Menu, MenuButton, MenuItem, MenuItems } from '@headlessui/vue';
+import { EllipsisVerticalIcon } from '@heroicons/vue/20/solid';
+import { nextTick, onMounted, ref } from 'vue';
+import { useI18n } from 'vue-i18n';
+import { useRouter } from 'vue-router';
+import backend, { GroupDto, UserDto, UserDtoWithDetails } from '../../common/backend';
+import BreadcrumbNav from '../BreadcrumbNav.vue';
+import UserDeleteDialog from './UserDeleteDialog.vue';
+import UserDisableDialog from './UserDisableDialog.vue';
+import UserDeviceList from './UserDeviceList.vue';
+import UserGroupsList from './UserGroupsList.vue';
+import UserInfo from './UserInfo.vue';
+import VaultList from './VaultList.vue';
+
+const props = defineProps<{ id: string }>();
+const { t } = useI18n({ useScope: 'global' });
+const router = useRouter();
+
+const deleteUserDialog = ref<typeof UserDeleteDialog>();
+const deletingUser = ref<UserDto>();
+const disableUserDialog = ref<typeof UserDisableDialog>();
+const disablingUser = ref<UserDto>();
+
+const showDeleteUserDialog = () => {
+  deletingUser.value = user.value;
+  nextTick(() => deleteUserDialog.value?.show());
+};
+
+const onUserDeleted = () => {
+  router.push('/app/users');
+};
+
+const showDisableUserDialog = () => {
+  disablingUser.value = user.value;
+  nextTick(() => disableUserDialog.value?.show());
+};
+
+const onUserDisabled = async () => {
+  user.value = await backend.users.getUser(props.id);
+};
+
+const enableUser = async () => {
+  try {
+    await backend.users.setUserEnabled(props.id, true);
+    user.value = await backend.users.getUser(props.id);
+  } catch (error) {
+    console.error('Enabling user failed.', error);
+  }
+};
+
+const user = ref<UserDtoWithDetails>({
+  type: 'USER',
+  id: props.id,
+  name: '',
+  pictureUrl: undefined,
+  email: '',
+  firstName: undefined,
+  lastName: undefined,
+  language: undefined,
+  accessibleVaults: [],
+  realmRoles: [],
+  enabled: true,
+  groups: [],
+  devices: [],
+  legacyDevices: [],
+});
+
+const loading = ref<boolean>(true);
+
+async function handleGroupsSaved(newGroups: GroupDto[]) {
+  user.value = await backend.users.getUser(props.id); // reload user to get updated vault list
+  user.value.groups.sort((a, b) => a.name.localeCompare(b.name, undefined, { sensitivity: 'base' }));
+}
+
+onMounted(async () => {
+  try {
+    user.value = await backend.users.getUser(props.id);
+    user.value.groups.sort((a, b) => a.name.localeCompare(b.name, undefined, { sensitivity: 'base' }));
+  } catch (error) {
+    console.error('Failed to fetch user:', error);
+  } finally {
+    loading.value = false;
+  }
+});
+
+function showUserEdit() {
+  router.push(`/app/users/${props.id}/edit`);
+}
+</script>
\ No newline at end of file
diff --git a/frontend/src/components/authority/UserDeviceList.vue b/frontend/src/components/authority/UserDeviceList.vue
new file mode 100644
index 000000000..e8a0b6585
--- /dev/null
+++ b/frontend/src/components/authority/UserDeviceList.vue
@@ -0,0 +1,225 @@
+<template>
+  <section v-if="visible" class="bg-white rounded-lg shadow-sm overflow-hidden">
+    <div class="flex items-center bg-gray-50 px-6 py-4 border-b border-gray-200 space-x-2">
+      <div class="flex items-baseline gap-1">
+        <h3 :id="'deviceListTitle' + id" class="text-sm font-semibold text-gray-900 uppercase tracking-wide">
+          {{ title }}
+        </h3>
+        <span class="text-xs text-gray-500">{{ devices.length }}</span>
+      </div>
+      <div v-if="info != ''" class="relative group" :title="info">
+        <QuestionMarkCircleIcon class="h-4 w-4 text-gray-400"/>
+      </div>
+    </div>
+
+    <!-- Search bar -->
+    <div class="px-6 py-3 border-b border-gray-200">
+      <label :for="'deviceSearch' + id" class="sr-only">{{ t('common.search.placeholder') }}</label>
+      <input :id="'deviceSearch' + id" v-model="deviceQuery" :placeholder="t('common.search.placeholder')" type="text" class="focus:ring-primary focus:border-primary block w-full shadow-xs text-sm border-gray-300 rounded-md disabled:bg-gray-200" />
+    </div>
+    <div>
+      <table class="w-full table-fixed divide-y divide-gray-200" :aria-describedby="'deviceListTitle' + id">
+        <!-- Desktop Header -->
+        <thead v-if="filteredDevices.length != 0" class="bg-gray-50 hidden sm:table-header-group">
+          <tr>
+            <th scope="col" class="px-6 py-4 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+              {{ t('common.device') }}
+            </th>
+            <th scope="col" class="px-6 py-4 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+              {{ t('legacyDeviceList.added') }}
+            </th>
+            <th scope="col" class="px-6 py-4 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+              <span class="inline-flex items-center gap-1">
+                {{ t('legacyDeviceList.lastAccess') }}
+                <div class="relative group" :title="t('legacyDeviceList.lastAccess.toolTip')">
+                  <QuestionMarkCircleIcon class="h-4 w-4 text-gray-400"/>
+                </div>
+              </span>
+            </th>
+          </tr>
+        </thead>
+
+        <tbody class="bg-white divide-y divide-gray-200">
+          <template v-for="device in paginatedDevices" :key="device.id">
+            <!-- Desktop -->
+            <tr class="hidden sm:table-row">
+              <td class="px-6 py-4 whitespace-nowrap text-sm font-medium text-gray-900">
+                <div class="flex items-center gap-2">
+                  <span v-if="device.type == 'BROWSER'" :title="t('deviceType.browser')">
+                    <WindowIcon class="h-5 w-5 text-gray-500" aria-hidden="true" />
+                  </span>
+                  <span v-else-if="device.type == 'DESKTOP'" :title="t('deviceType.desktop')">
+                    <ComputerDesktopIcon class="h-5 w-5 text-gray-500" aria-hidden="true" />
+                  </span>
+                  <span v-else-if="device.type == 'MOBILE'" :title="t('deviceType.mobile')">
+                    <DevicePhoneMobileIcon class="h-5 w-5 text-gray-500" aria-hidden="true" />
+                  </span>
+                  <span class="truncate max-w-xs" :title="device.name">
+                    {{ device.name }}
+                  </span>
+                </div>
+              </td>
+              <td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">
+                {{ d(device.creationTime, 'long') }}
+              </td>
+              <td class="h-17 px-6 py-4 whitespace-nowrap text-sm text-gray-500">
+                <div v-if="device.lastAccessTime">
+                  {{ d(device.lastAccessTime, 'long') }}
+                </div>
+                <div v-if="device.lastIpAddress" class="text-xs text-gray-400">
+                  {{ device.lastIpAddress }}
+                </div>
+              </td>
+            </tr>
+            <!-- Mobile -->
+            <tr class="sm:hidden">
+              <td colspan="3" class="px-4 py-4 text-sm text-gray-900">
+                <div class="flex items-start gap-2">
+                  <span v-if="device.type == 'BROWSER'" :title="t('deviceType.browser')">
+                    <WindowIcon class="h-5 w-5 text-gray-500" aria-hidden="true" />
+                  </span>
+                  <span v-else-if="device.type == 'DESKTOP'" :title="t('deviceType.desktop')">
+                    <ComputerDesktopIcon class="h-5 w-5 text-gray-500" aria-hidden="true" />
+                  </span>
+                  <span v-else-if="device.type == 'MOBILE'" :title="t('deviceType.mobile')">
+                    <DevicePhoneMobileIcon class="h-5 w-5 text-gray-500" aria-hidden="true" />
+                  </span>
+                  <div>
+                    <div class="font-medium truncate max-w-xs" :title="device.name">
+                      {{ device.name }}
+                    </div>
+                  </div>
+                </div>
+                <table class="text-xs text-gray-400 mt-2 ml-8">
+                  <thead class="sr-only">
+                    <tr>
+                      <th scope="col">{{ t('common.property') }}</th>
+                      <th scope="col">{{ t('common.value') }}</th>
+                    </tr>
+                  </thead>
+                  <tbody>
+                    <tr>
+                      <td class="pr-2 align-top text-left whitespace-nowrap font-normal text-gray-500">
+                        {{ t('legacyDeviceList.added') }}
+                      </td>
+                      <td class="text-left">
+                        {{ d(device.creationTime, 'long') }}
+                      </td>
+                    </tr>
+                    <tr>
+                      <td class="inline-flex pr-2 align-top text-left whitespace-nowrap font-normal text-gray-500">
+                        {{ t('legacyDeviceList.lastAccess') }}
+                        <div class="relative group" :title="t('legacyDeviceList.lastAccess.toolTip')">
+                          <QuestionMarkCircleIcon class="h-3 w-3 text-gray-400 m-0.5"/>
+                        </div>
+                      </td>
+                      <td v-if="device.lastAccessTime" class="text-left">
+                        {{ d(device.lastAccessTime, 'long') }}
+                      </td>
+                    </tr>
+                    <tr v-if="device.lastIpAddress">
+                      <td class="pr-2 align-top text-right whitespace-nowrap font-normal text-gray-500">
+                      </td>
+                      <td class="text-left">
+                        {{ device.lastIpAddress }}
+                      </td>
+                    </tr>
+                  </tbody>
+                </table>
+              </td>
+            </tr>
+          </template>
+
+          <tr v-if="!filteredDevices.length">
+            <td colspan="3" class="py-4 px-4 sm:px-6 text-sm text-gray-500 text-center">
+              {{ t(deviceQuery ? 'common.nothingFound' : 'common.none') }}
+            </td>
+          </tr>
+        </tbody>
+      </table>
+    </div>
+
+    <!-- Pagination -->
+    <div v-if="showPaginationDevice" class="bg-gray-50 border-t border-gray-200">
+      <nav class="flex items-center justify-between px-4 py-3 sm:px-6" :aria-label="t('common.pagination')">
+        <div class="hidden sm:block">
+          <i18n-t keypath="auditLog.pagination.showing" scope="global" tag="p" class="text-sm text-gray-700">
+            <span class="font-medium">{{ paginationBeginDevice }}</span>
+            <span class="font-medium">{{ paginationEndDevice }}</span>
+          </i18n-t>
+        </div>
+        <div class="flex flex-1 justify-between sm:justify-end space-x-3">
+          <button v-if="currentPageDevice > 0" type="button" class="relative inline-flex items-center rounded-md bg-white px-3 py-2 text-sm font-medium text-gray-900 ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:outline-offset-0" @click="showPreviousPageDevice">
+            {{ t('common.previous') }}
+          </button>
+          <button v-if="hasNextPageDevice" type="button" class="relative inline-flex items-center rounded-md bg-white px-3 py-2 text-sm font-medium text-gray-900 ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:outline-offset-0" @click="showNextPageDevice">
+            {{ t('common.next') }}
+          </button>
+        </div>
+      </nav>
+    </div>
+  </section>
+</template>
+
+<script setup lang="ts">
+import { useId, computed, ref, watch } from 'vue';
+import { useI18n } from 'vue-i18n';
+import { ComputerDesktopIcon, QuestionMarkCircleIcon, DevicePhoneMobileIcon, WindowIcon } from '@heroicons/vue/24/solid';
+import { DeviceDto } from '../../common/backend';
+
+const { t, d } = useI18n({ useScope: 'global' });
+const id = useId();
+
+const PAGE_SIZE = 10;
+
+const props = withDefaults(defineProps<{
+  devices: DeviceDto[];
+  visible?: boolean;
+  title: string;
+  info?: string;
+}>(), {
+  visible: true,
+  info: ''
+});
+
+// ---------------------------------------------------------------------------
+// DEVICES – search & pagination
+// ---------------------------------------------------------------------------
+
+// Filter und Pagination
+const deviceQuery = ref('');
+const filteredDevices = computed(() =>
+  props.devices.filter((device) =>
+    device.name.toLowerCase().includes(deviceQuery.value.toLowerCase())
+  )
+);
+
+const currentPageDevice = ref(0);
+
+const paginatedDevices = computed(() =>
+  filteredDevices.value.slice(
+    currentPageDevice.value * PAGE_SIZE,
+    (currentPageDevice.value + 1) * PAGE_SIZE
+  )
+);
+
+const showPaginationDevice = computed(() => filteredDevices.value.length > PAGE_SIZE);
+const hasNextPageDevice = computed(() =>
+  (currentPageDevice.value + 1) * PAGE_SIZE < filteredDevices.value.length
+);
+const paginationBeginDevice = computed(() => currentPageDevice.value * PAGE_SIZE + 1);
+const paginationEndDevice = computed(() =>
+  Math.min((currentPageDevice.value + 1) * PAGE_SIZE, filteredDevices.value.length)
+);
+
+function showPreviousPageDevice() {
+  if (currentPageDevice.value > 0) currentPageDevice.value--;
+}
+
+function showNextPageDevice() {
+  if (hasNextPageDevice.value) currentPageDevice.value++;
+}
+
+watch(() => [filteredDevices.value.length, deviceQuery.value], () => (currentPageDevice.value = 0));
+
+</script>
\ No newline at end of file
diff --git a/frontend/src/components/authority/UserDisableDialog.vue b/frontend/src/components/authority/UserDisableDialog.vue
new file mode 100644
index 000000000..2f3fee966
--- /dev/null
+++ b/frontend/src/components/authority/UserDisableDialog.vue
@@ -0,0 +1,105 @@
+<template>
+  <TransitionRoot as="template" :show="open" @after-leave="$emit('close')">
+    <Dialog as="div" class="fixed z-10 inset-0 overflow-y-auto" @close="open = false">
+      <TransitionChild as="template" enter="ease-out duration-300" enter-from="opacity-0" enter-to="opacity-100" leave="ease-in duration-200" leave-from="opacity-100" leave-to="opacity-0">
+        <DialogOverlay class="fixed inset-0 bg-gray-500/75 transition-opacity" />
+      </TransitionChild>
+
+      <div class="fixed inset-0 z-10 overflow-y-auto">
+        <div class="flex min-h-full items-end justify-center p-4 text-center sm:items-center sm:p-0">
+          <TransitionChild as="template" enter="ease-out duration-300" enter-from="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95" enter-to="opacity-100 translate-y-0 sm:scale-100" leave="ease-in duration-200" leave-from="opacity-100 translate-y-0 sm:scale-100" leave-to="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95">
+            <DialogPanel class="relative transform overflow-hidden rounded-lg bg-white text-left shadow-xl transition-all sm:my-8 sm:w-full sm:max-w-lg">
+              <form novalidate @submit.prevent="disableUser" >
+                <div class="bg-white px-4 pt-5 pb-4 sm:p-6 sm:pb-4">
+                  <div class="sm:flex sm:items-start">
+                    <div class="mx-auto shrink-0 flex items-center justify-center h-12 w-12 rounded-full bg-red-100 sm:mx-0 sm:h-10 sm:w-10">
+                      <ExclamationTriangleIcon class="h-6 w-6 text-red-600" aria-hidden="true" />
+                    </div>
+                    <div class="mt-3 grow text-center sm:mt-0 sm:ml-4 sm:text-left">
+                      <DialogTitle as="h3" class="text-lg leading-6 font-medium text-gray-900">
+                        {{ t('disableUserDialog.title') }}
+                      </DialogTitle>
+                      <div class="mt-2">
+                        <p class="text-sm text-gray-500">
+                          {{ t('disableUserDialog.description') }}
+                        </p>
+                      </div>
+                      <div class="mt-4 hidden sm:flex items-center gap-2">
+                        <img :src="user.pictureUrl" class="w-8 h-8 rounded-full border" />
+                        <div class="flex flex-col">
+                          <span class="font-medium text-sm">{{ user.name }}</span>
+                          <span v-if="fullName" class="text-xs text-gray-500">{{ fullName }}</span>
+                        </div>
+                      </div>
+                    </div>
+                  </div>
+                </div>
+                <div class="bg-gray-50 px-4 py-3 sm:px-6 sm:flex sm:flex-row-reverse">
+                  <button type="submit" class="w-full inline-flex justify-center rounded-md border border-transparent shadow-xs px-4 py-2 bg-red-600 text-base font-medium text-white hover:bg-red-700 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-red-500 sm:ml-3 sm:w-auto sm:text-sm" >
+                    {{ t('disableUserDialog.confirm') }}
+                  </button>
+                  <button type="button" class="mt-3 w-full inline-flex justify-center rounded-md border border-gray-300 shadow-xs px-4 py-2 bg-white text-base font-medium text-gray-700 hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:mt-0 sm:ml-3 sm:w-auto sm:text-sm" @click="open = false">
+                    {{ t('common.cancel') }}
+                  </button>
+                </div>
+                <p v-if="onDisableUserError != null" class="text-sm text-red-900 px-4 sm:px-6 text-right bg-red-50">
+                  {{ t('common.unexpectedError', [onDisableUserError.message]) }}
+                </p>
+              </form>
+            </DialogPanel>
+          </TransitionChild>
+        </div>
+      </div>
+    </Dialog>
+  </TransitionRoot>
+</template>
+
+<script setup lang="ts">
+import { Dialog, DialogOverlay, DialogPanel, DialogTitle, TransitionChild, TransitionRoot } from '@headlessui/vue';
+import { ExclamationTriangleIcon } from '@heroicons/vue/24/outline';
+import { ref, computed } from 'vue';
+import { useI18n } from 'vue-i18n';
+import backend, { UserDto } from '../../common/backend';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const open = ref(false);
+const onDisableUserError = ref<Error | null>(null);
+
+const props = defineProps<{
+  user: UserDto;
+}>();
+
+const fullName = computed(() => {
+  const first = props.user.firstName ?? '';
+  const last = props.user.lastName ?? '';
+  return `${first} ${last}`.trim();
+});
+
+const emit = defineEmits<{
+  close: [];
+  disable: [disabledUser: UserDto];
+}>();
+
+defineExpose({
+  show
+});
+
+function show() {
+  open.value = true;
+}
+
+async function disableUser() {
+  onDisableUserError.value = null;
+
+  try {
+    await backend.users.setUserEnabled(props.user.id, false);
+
+    emit('disable', props.user);
+    open.value = false;
+  } catch (error) {
+    console.error('Disabling user failed.', error);
+    onDisableUserError.value = error instanceof Error ? error : new Error('Unknown Error');
+  }
+}
+</script>
diff --git a/frontend/src/components/authority/UserEditCreate.vue b/frontend/src/components/authority/UserEditCreate.vue
new file mode 100644
index 000000000..6a927fa05
--- /dev/null
+++ b/frontend/src/components/authority/UserEditCreate.vue
@@ -0,0 +1,435 @@
+<template>
+  <!-- Loading placeholder -->
+  <div v-if="onFetchError">
+    <FetchError :error="onFetchError"/>
+  </div>
+  <div v-else-if="loading" class="text-center p-8 text-gray-500 text-sm">
+    {{ t('common.loading') }}
+  </div>
+
+  <!-- Edit/Create page -->
+  <div v-else>
+    <BreadcrumbNav v-if="props.mode === 'EDIT'" :crumbs="[ { label: t('nav.users'), to: '/app/users' }, { label: data.name, to:'/app/users/' + props.id }, { label: t('common.edit') } ]"/>
+    <BreadcrumbNav v-else :crumbs="[ { label: t('nav.users'), to: '/app/users' }, { label: t('common.create') } ]"/>
+    <div class="-my-2 -mx-4 sm:-mx-6 lg:-mx-8 overflow-hidden">
+      <div class="py-2 align-middle inline-block min-w-full px-4 sm:px-6 lg:px-8">
+        <div class="shadow overflow-hidden border-b border-gray-200 rounded-lg bg-white p-6 space-y-8 relative">
+          <div>
+            <h3 class="text-lg font-medium leading-6 text-gray-900">
+              {{ props.mode === 'EDIT' ? t('userEditCreate.title.edit') : t('userEditCreate.title.create') }}
+            </h3>
+            <hr class="my-4 border-gray-200"/>
+          </div>
+          
+          <!-- Profile Picture Preview -->
+          <div class="flex flex-col items-center gap-4 mb-8">
+            <div class="relative w-32 h-32">
+              <img v-if="isValidImageUrl" :src="data.pictureUrl" class="w-full h-full rounded-full object-cover border border-gray-300"/>
+              <img v-else-if="previewJdenticon" :src="previewJdenticon" class="w-full h-full rounded-full object-cover border border-gray-300"/>
+              <div v-else class="w-full h-full rounded-full bg-gray-100 flex items-center justify-center text-gray-400">
+                <UserIcon class="w-12 h-12" />
+              </div>
+            </div>
+          </div>
+
+          <!-- Form -->
+          <form class="space-y-6 md:space-y-8" novalidate @submit.prevent="onSubmit">
+            <!-- Profile Picture URL row -->
+            <div class="md:grid md:grid-cols-3 md:gap-6">
+              <label for="pictureUrl" class="block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">
+                {{ t('userEditCreate.profilePictureUrl') }}
+              </label>
+              <div class="mt-1 md:mt-0 md:col-span-2 lg:col-span-1">
+                <div class="relative">
+                  <input id="pictureUrl" v-model="data.pictureUrl" type="url" :class="[errors.pictureUrl ? 'border-red-300 focus:border-red-500 focus:ring-red-500' : 'border-gray-300 focus:ring-primary focus:border-primary', 'block w-full max-w-md shadow-sm sm:text-sm rounded-md pr-10']"/>
+                  <button v-if="data.pictureUrl" type="button" class="absolute inset-y-0 right-0 flex items-center px-3 text-gray-400 hover:text-gray-600 focus:outline-none" :aria-label="t('userEditCreate.removePicture')" @click="removePicture">
+                    <TrashIcon class="w-5 h-5 text-gray-600" />
+                  </button>
+                </div>
+                <p v-if="errors.pictureUrl" class="mt-1 text-sm text-red-600">{{ errors.pictureUrl }}</p>
+              </div>
+            </div>
+
+            <!-- First Name row -->
+            <div class="md:grid md:grid-cols-3 md:gap-6">
+              <label for="firstName" class="block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">
+                {{ t('userEditCreate.firstName') }}
+              </label>
+              <div class="mt-1 md:mt-0 md:col-span-2 lg:col-span-1">
+                <input id="firstName" v-model="data.firstName" type="text" required :class="[errors.firstName ? 'border-red-300 focus:border-red-500 focus:ring-red-500' : 'border-gray-300 focus:ring-primary focus:border-primary', 'block w-full max-w-md shadow-sm sm:text-sm rounded-md']"/>
+                <p v-if="errors.firstName" class="mt-1 text-sm text-red-600">{{ errors.firstName }}</p>
+              </div>
+            </div>
+
+            <!-- Last Name row -->
+            <div class="md:grid md:grid-cols-3 md:gap-6">
+              <label for="lastName" class="block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">
+                {{ t('userEditCreate.lastName') }}
+              </label>
+              <div class="mt-1 md:mt-0 md:col-span-2 lg:col-span-1">
+                <input id="lastName" v-model="data.lastName" type="text" required :class="[errors.lastName ? 'border-red-300 focus:border-red-500 focus:ring-red-500' : 'border-gray-300 focus:ring-primary focus:border-primary', 'block w-full max-w-md shadow-sm sm:text-sm rounded-md']"/>
+                <p v-if="errors.lastName" class="mt-1 text-sm text-red-600">{{ errors.lastName }}</p>
+              </div>
+            </div>
+
+            <!-- Username row -->
+            <div class="md:grid md:grid-cols-3 md:gap-6">
+              <label for="username" class="block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">
+                {{ t('userEditCreate.username') }}
+              </label>
+              <div class="mt-1 md:mt-0 md:col-span-2 lg:col-span-1">
+                <input id="username" v-model="data.name" type="text" required :disabled="props.mode === 'EDIT'" :class="[errors.username ? 'border-red-300 focus:border-red-500 focus:ring-red-500' : 'border-gray-300 focus:ring-primary focus:border-primary', 'block w-full max-w-md shadow-sm sm:text-sm rounded-md disabled:bg-gray-200 disabled:cursor-not-allowed']"/>
+                <p v-if="errors.username" class="mt-1 text-sm text-red-600">{{ errors.username }}</p>
+              </div>
+            </div>
+
+            <!-- Email row -->
+            <div class="md:grid md:grid-cols-3 md:gap-6">
+              <label for="email" class="block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">
+                {{ t('userEditCreate.email') }}
+              </label>
+              <div class="mt-1 md:mt-0 md:col-span-2 lg:col-span-1">
+                <input id="email" v-model="data.email" type="email" :required="emailRequired" :class="[errors.email ? 'border-red-300 focus:border-red-500 focus:ring-red-500' : 'border-gray-300 focus:ring-primary focus:border-primary', 'block w-full max-w-md shadow-sm sm:text-sm rounded-md']"/>
+                <p v-if="errors.email" class="mt-1 text-sm text-red-600">{{ errors.email }}</p>
+                <p v-else-if="data.email?.trim() && !isValidEmail(data.email.trim())" class="mt-1 text-sm text-red-600">
+                  {{ t('userEditCreate.invalidEmail') }}
+                </p>
+              </div>
+            </div>
+
+            <!-- Roles row -->
+            <div class="md:grid md:grid-cols-3 md:gap-6">
+              <label for="roles" class="block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">
+                {{ t('userEditCreate.roles') }}
+              </label>
+              <div class="mt-1 md:mt-0 md:col-span-2 lg:col-span-1 max-w-md">
+                <Listbox v-model="selectedRoleOptions" multiple as="div">
+                  <div class="relative">
+                    <ListboxButton class="relative w-full rounded-md border border-gray-300 bg-white py-2 pl-3 pr-10 text-left shadow-sm focus:ring-primary text-sm">
+                      <div class="flex flex-wrap gap-2">
+                        <template v-if="selectedRoleOptions.length > 0">
+                          <button v-for="role in selectedRoleOptions" :key="role" class="inline-flex items-center rounded-md bg-green-50 px-2 py-1 text-xs font-medium text-green-700 ring-1 ring-inset ring-green-600/20" @click.stop="removeRole(role)">
+                            <span class="mr-1">{{ roleOptions[role] }}</span>
+                            <span class="text-green-800 font-bold">&times;</span>
+                          </button>
+                        </template>
+                        <template v-else>
+                          <span class="text-gray-500">{{ t('userEditCreate.selectRolesPlaceholder') }}</span>
+                        </template>
+                      </div>
+                      <span class="pointer-events-none absolute inset-y-0 right-0 flex items-center pr-2">
+                        <ChevronUpDownIcon class="h-5 w-5 text-gray-400" />
+                      </span>
+                    </ListboxButton>
+
+                    <transition leave-active-class="transition ease-in duration-100" leave-from-class="opacity-100" leave-to-class="opacity-0">
+                      <ListboxOptions class="absolute z-10 mt-1 max-h-60 w-full overflow-auto rounded-md bg-white py-1 shadow-lg ring-1 ring-black/5 text-sm">
+                        <ListboxOption v-for="(label, key) in roleOptions" :key="key" v-slot="{ selected }" :value="key" class="relative cursor-default select-none py-2 pl-3 pr-9 ui-not-active:text-gray-900 ui-active:text-white ui-active:bg-primary">
+                          <span :class="[selected ? 'font-semibold' : 'font-normal', 'block truncate']">{{ label }}</span>
+                          <span v-if="selected" class="absolute inset-y-0 right-0 flex items-center pr-4 text-primary">
+                            <CheckIcon class="h-5 w-5" />
+                          </span>
+                        </ListboxOption>
+                      </ListboxOptions>
+                    </transition>
+                  </div>
+                </Listbox>
+              </div>
+            </div>
+
+            <!-- Password Info -->
+            <div class="md:grid md:grid-cols-3 md:gap-6">
+              <div></div>
+              <div class="md:col-span-2 lg:col-span-1">
+                <div class="bg-blue-50 text-gray-900 text-sm rounded-md p-4 flex gap-3 items-start">
+                  <InformationCircleIcon class="w-5 h-5 mt-0.5 text-blue-400 shrink-0" aria-hidden="true" />
+                  <p>
+                    {{ props.mode === 'EDIT' ? t('userEditCreate.edit.passwordInfo') : t('userEditCreate.create.passwordInfo') }}
+                  </p>
+                </div>
+              </div>
+            </div>
+
+            <!-- Password row -->
+            <div class="md:grid md:grid-cols-3 md:gap-6">
+              <label for="password" class="block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">
+                {{ t('userEditCreate.password') }}
+              </label>
+              <div class="mt-1 md:mt-0 md:col-span-2 lg:col-span-1">
+                <div class="relative">
+                  <input id="password" v-model="password" :type="passwordInputType" :class="[errors.password ? 'border-red-300 focus:border-red-500 focus:ring-red-500' : 'border-gray-300 focus:ring-primary focus:border-primary', 'block w-full max-w-md shadow-sm sm:text-sm rounded-md pr-10']"/>
+                  <button type="button" class="absolute inset-y-0 right-0 flex items-center px-3 text-gray-400 hover:text-gray-600 focus:outline-none" :aria-label="passwordInputType === 'password' ? t('userEditCreate.showPassword') : t('userEditCreate.hidePassword')" @click="togglePasswordVisibility">
+                    <component :is="passwordInputType === 'password' ? EyeIcon : EyeSlashIcon" class="h-5 w-5" />
+                  </button>
+                </div>
+                <p v-if="errors.password" class="mt-1 text-sm text-red-600">{{ errors.password }}</p>
+                <div v-if="password" class="mt-2 max-w-md">
+                  <div class="flex items-center">
+                    <div class="w-full bg-gray-200 rounded-full h-2">
+                      <div 
+                        class="h-2 rounded-full transition-all duration-300" 
+                        :class="{
+                          'w-1/3 bg-red-500': passwordStrength === 'weak',
+                          'w-2/3 bg-yellow-500': passwordStrength === 'medium',
+                          'w-full bg-green-500': passwordStrength === 'strong'
+                        }"
+                      ></div>
+                    </div>
+                    <span class="ml-2 text-xs" :class="passwordStrengthColor">{{ passwordStrengthLabel }}</span>
+                  </div>
+                </div>
+              </div>
+            </div>
+
+            <!-- Password Confirm row -->
+            <div class="md:grid md:grid-cols-3 md:gap-6">
+              <label for="passwordConfirm" class="block text-sm font-medium text-gray-700 md:text-right md:pr-4 md:mt-2">
+                {{ t('userEditCreate.passwordConfirm') }}
+              </label>
+              <div class="mt-1 md:mt-0 md:col-span-2 lg:col-span-1">
+                <div class="relative">
+                  <input id="passwordConfirm" v-model="passwordConfirm" :type="passwordInputType" :class="[errors.passwordConfirm ? 'border-red-300 focus:border-red-500 focus:ring-red-500' : 'border-gray-300 focus:ring-primary focus:border-primary', 'block w-full max-w-md shadow-sm sm:text-sm rounded-md pr-10']"/>
+                  <button type="button" class="absolute inset-y-0 right-0 flex items-center px-3 text-gray-400 hover:text-gray-600 focus:outline-none" :aria-label="passwordInputType === 'password' ? t('userEditCreate.showPassword') : t('userEditCreate.hidePassword')" @click="togglePasswordVisibility">
+                    <component :is="passwordInputType === 'password' ? EyeIcon : EyeSlashIcon" class="h-5 w-5" />
+                  </button>
+                </div>
+                <p v-if="errors.passwordConfirm" class="mt-1 text-sm text-red-600">{{ errors.passwordConfirm }}</p>
+                <p v-else-if="passwordConfirm" :class="['mt-1 text-sm', password === passwordConfirm ? 'text-green-600' : 'text-red-600']">
+                  {{ password === passwordConfirm ? t('userEditCreate.passwordsMatch') : t('userEditCreate.passwordsDontMatch') }}
+                </p>
+              </div>
+            </div>
+
+            <!-- Actions -->
+            <div class="md:grid md:grid-cols-3 md:gap-6">
+              <div></div>
+              <div class="mt-1 md:mt-0 md:col-span-2 lg:col-span-1">
+                <div class="flex space-x-3">
+                  <button type="button" class="inline-flex justify-center py-2 px-4 border border-gray-300 shadow-sm text-sm font-medium rounded-md bg-white text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="cancelAction">
+                    {{ t('common.cancel') }}
+                  </button>
+                  <button type="submit" :disabled="processing || !userDataHasUnsavedChanges || password !== passwordConfirm" class="inline-flex justify-center py-2 px-4 border border-transparent shadow-sm text-sm font-medium rounded-md text-white bg-primary hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed">
+                    <span>{{ props.mode === 'EDIT' ? t('common.save') : t('common.create') }}</span>
+                  </button>
+                  <div v-if="userDataHasUnsavedChanges && props.mode === 'EDIT'" class="flex items-center whitespace-nowrap gap-1 text-sm text-yellow-700">
+                    <ExclamationTriangleIcon class="w-4 h-4 m-1 text-yellow-500" />
+                    {{ t('common.unsavedChanges') }}&nbsp;
+                    <button type="button" class="underline hover:text-yellow-900" @click="resetUserData()">
+                      {{ t('common.undo') }}
+                    </button>
+                  </div>
+                </div>
+                <p v-if="submitError" class="mt-2 text-sm text-red-600">{{ submitError }}</p>
+              </div>
+            </div>
+          </form>
+        </div>
+      </div>
+    </div>
+  </div>
+</template>
+
+<script setup lang="ts">
+import { Listbox, ListboxButton, ListboxOption, ListboxOptions } from '@headlessui/vue';
+import { CheckIcon, ChevronUpDownIcon, ExclamationTriangleIcon, EyeIcon, EyeSlashIcon, InformationCircleIcon, TrashIcon, UserIcon } from '@heroicons/vue/24/outline';
+import { computed, onMounted, reactive, ref, shallowRef, watch } from 'vue';
+import { useI18n } from 'vue-i18n';
+import { useRouter } from 'vue-router';
+import backend, { generateFallbackPictureUrl, isAxiosError, isSelectableRealmRole, SelectableRealmRole, UserDto } from '../../common/backend';
+import { FormValidator } from '../../common/formvalidator';
+import { debounce } from '../../common/util';
+import BreadcrumbNav from '../BreadcrumbNav.vue';
+import FetchError from '../FetchError.vue';
+
+const props = defineProps<{
+  id: undefined,
+  mode: 'CREATE',
+} | {
+  id: string,
+  mode: 'EDIT',
+}>();
+
+type EditableUserData = Pick<UserDto, 'firstName' | 'lastName' | 'name' | 'email' | 'realmRoles' | 'pictureUrl'>;
+const initialData = shallowRef<EditableUserData>({ firstName: undefined, lastName: undefined, name: '', email: '', realmRoles: ['user'], pictureUrl: undefined });
+const data = reactive<EditableUserData>(initialData.value);
+
+const userDataHasUnsavedChanges = computed(() => {
+  return data.firstName !== initialData.value.firstName
+    || data.lastName !== initialData.value.lastName
+    || (props.mode !== 'EDIT' && data.name !== initialData.value.name)
+    || data.email !== initialData.value.email
+    || JSON.stringify([...data.realmRoles].sort()) !== JSON.stringify([...initialData.value.realmRoles].sort())
+    || data.pictureUrl !== initialData.value.pictureUrl
+    || password.value.length > 0;
+});
+
+function resetUserData() {
+  data.firstName = initialData.value.firstName;
+  data.lastName = initialData.value.lastName;
+  data.name = initialData.value.name;
+  data.email = initialData.value.email;
+  data.realmRoles = [...initialData.value.realmRoles];
+  data.pictureUrl = initialData.value.pictureUrl;
+  
+  password.value = '';
+  passwordConfirm.value = '';
+}
+
+const { t } = useI18n({ useScope: 'global' });
+const router = useRouter();
+const loading = ref(true);
+const onFetchError = ref<Error>();
+
+const selectedRoleOptions = computed({
+  get() {
+    return data.realmRoles.filter(isSelectableRealmRole);
+  },
+  set(newValue) {
+    data.realmRoles = ['user', ...newValue];
+  }
+});
+const roleOptions: Record<SelectableRealmRole, string> = {
+  'admin': 'Admin',
+  'create-vaults': 'Create Vaults',
+};
+
+const errors = ref<Record<string, string>>({});
+const processing = ref(false);
+const submitError = ref<string>();
+
+const password = ref('');
+const passwordConfirm = ref('');
+const passwordInputType = ref<'password' | 'text'>('password');
+const passwordStrength = ref<'weak' | 'medium' | 'strong' | ''>('');
+
+const isValidImageUrl = ref<boolean>(false);
+const previewJdenticon = ref<string>();
+const debouncedValidateImageUrl = debounce(async (url?: string) => {
+  isValidImageUrl.value = await FormValidator.validateImageUrl(url);
+}, 500);
+
+watch(() => data.pictureUrl, debouncedValidateImageUrl, { immediate: true });
+
+onMounted(async () => {
+  loading.value = true;
+  if (props.mode === 'EDIT') {
+    previewJdenticon.value = generateFallbackPictureUrl('USER', props.id);
+    try {
+      initialData.value = await backend.users.getUser(props.id, false);
+    } catch (error) {
+      console.error('Failed to fetch user data:', error);
+      onFetchError.value = error instanceof Error ? error : new Error('Unknown Error');
+    } finally {
+      loading.value = false;
+    }
+  } else {
+    initialData.value = { firstName: undefined, lastName: undefined, name: '', email: '', realmRoles: [], pictureUrl: undefined };
+    loading.value = false;
+  }
+  resetUserData();
+});
+
+function removeRole(role: SelectableRealmRole) {
+  selectedRoleOptions.value = selectedRoleOptions.value.filter(r => r !== role);
+}
+
+function togglePasswordVisibility() {
+  passwordInputType.value = passwordInputType.value === 'password' ? 'text' : 'password';
+}
+
+async function validateForm(): Promise<boolean> {
+  const result = FormValidator.validateUser({
+    firstName: data.firstName,
+    lastName: data.lastName,
+    username: data.name,
+    email: data.email,
+    password: password.value,
+    passwordConfirm: passwordConfirm.value,
+    isEditMode: props.mode === 'EDIT',
+    initialEmail: initialData.value.email,
+    pictureUrl: data.pictureUrl,
+    isValidImageUrl: await FormValidator.validateImageUrl(data.pictureUrl)
+  });
+
+  errors.value = result.errors;
+  return result.valid;
+}
+
+const passwordStrengthLabel = computed(() => {
+  switch (passwordStrength.value) {
+    case 'strong': return t('userEditCreate.passwordStrong');
+    case 'medium': return t('userEditCreate.passwordMedium');
+    case 'weak': return t('userEditCreate.passwordWeak');
+    default: return '';
+  }
+});
+
+const passwordStrengthColor = computed(() => {
+  switch (passwordStrength.value) {
+    case 'strong': return 'text-green-600';
+    case 'medium': return 'text-yellow-600';
+    case 'weak': return 'text-red-600';
+    default: return 'text-gray-600';
+  }
+});
+
+const isValidEmail = FormValidator.isValidEmail;
+const emailRequired = computed(() => FormValidator.isEmailRequired(props.mode === 'EDIT', initialData.value.email));
+
+function evaluatePasswordStrength(pw: string): 'weak' | 'medium' | 'strong' | '' {
+  return FormValidator.evaluatePasswordStrength(pw);
+}
+
+watch(password, (newVal) => {
+  passwordStrength.value = evaluatePasswordStrength(newVal);
+});
+
+function removePicture() {
+  data.pictureUrl = undefined;
+  isValidImageUrl.value = false;
+}
+
+async function onSubmit() {
+  if (!await validateForm()) {
+    return;
+  }
+
+  processing.value = true;
+  submitError.value = undefined;
+
+  data.firstName = data.firstName?.trim();
+  data.lastName = data.lastName?.trim();
+  data.name = data.name.trim();
+  data.email = data.email?.trim();
+  data.pictureUrl = data.pictureUrl?.trim();
+
+  try {
+    if (props.mode === 'EDIT') { // edit mode
+      await backend.users.updateUser(props.id, { ...data, password: password.value || undefined });
+      router.push(`/app/users/${props.id}`); // navigate to user detail page after save
+    } else { // create mode
+      await backend.users.createUser({ ...data, password: password.value });
+      router.push('/app/users'); // navigate to user list page after creation
+    }
+  } catch (error: unknown) {
+    console.error('Failed to save user:', error);
+    if (!isAxiosError(error)) {
+      submitError.value = error instanceof Error ? error.message : 'An error occurred';
+    } else if (error.response?.status === 409 && error.response.data === 'EMAIL_EXISTS') {
+      errors.value.email = t('userEditCreate.error.emailAlreadyExists');
+    } else if (error.response?.status === 409) {
+      errors.value.username = t('userEditCreate.error.userAlreadyExists');
+    }
+  } finally {
+    processing.value = false;
+  }
+}
+
+function cancelAction() {
+  if (props.mode === 'EDIT') {
+    router.push(`/app/users/${props.id}`);
+  } else {
+    router.push('/app/users');
+  }
+}
+</script>
diff --git a/frontend/src/components/authority/UserGroupRemoveDialog.vue b/frontend/src/components/authority/UserGroupRemoveDialog.vue
new file mode 100644
index 000000000..dcbdd27fa
--- /dev/null
+++ b/frontend/src/components/authority/UserGroupRemoveDialog.vue
@@ -0,0 +1,97 @@
+<template>
+  <TransitionRoot as="template" :show="open" @after-leave="$emit('close')">
+    <Dialog as="div" class="fixed z-10 inset-0 overflow-y-auto" @close="open = false">
+      <TransitionChild as="template" enter="ease-out duration-300" enter-from="opacity-0" enter-to="opacity-100" leave="ease-in duration-200" leave-from="opacity-100" leave-to="opacity-0">
+        <DialogOverlay class="fixed inset-0 bg-gray-500/75 transition-opacity" />
+      </TransitionChild>
+
+      <div class="fixed inset-0 z-10 overflow-y-auto">
+        <div class="flex min-h-full items-end justify-center p-4 text-center sm:items-center sm:p-0">
+          <TransitionChild as="template" enter="ease-out duration-300" enter-from="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95" enter-to="opacity-100 translate-y-0 sm:scale-100" leave="ease-in duration-200" leave-from="opacity-100 translate-y-0 sm:scale-100" leave-to="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95">
+            <DialogPanel class="relative transform overflow-hidden rounded-lg bg-white text-left shadow-xl transition-all sm:my-8 sm:w-full sm:max-w-lg">
+              <form novalidate @submit.prevent="removeUserFromGroup">
+                <div class="bg-white px-4 pt-5 pb-4 sm:p-6 sm:pb-4">
+                  <div class="sm:flex sm:items-start">
+                    <div class="mx-auto shrink-0 flex items-center justify-center h-12 w-12 rounded-full bg-red-100 sm:mx-0 sm:h-10 sm:w-10">
+                      <ExclamationTriangleIcon class="h-6 w-6 text-red-600" aria-hidden="true" />
+                    </div>
+                    <div class="mt-3 grow text-center sm:mt-0 sm:ml-4 sm:text-left">
+                      <DialogTitle as="h3" class="text-lg leading-6 font-medium text-gray-900">
+                        {{ t('group.member.remove.title') }}
+                      </DialogTitle>
+                      <div class="mt-2">
+                        <p class="text-sm text-gray-500">
+                          {{ t('group.member.remove.description') }}
+                        </p>
+                      </div>
+                      <div v-if="group" class="mt-4 hidden sm:flex items-center gap-2">
+                        <img :src="group.pictureUrl" class="w-8 h-8 rounded-full border" />
+                        <span class="font-medium text-sm">{{ group.name }}</span>
+                      </div>
+                    </div>
+                  </div>
+                </div>
+                <div class="bg-gray-50 px-4 py-3 sm:px-6 sm:flex sm:flex-row-reverse">
+                  <button type="submit" class="w-full inline-flex justify-center rounded-md border border-transparent shadow-xs px-4 py-2 bg-red-600 text-base font-medium text-white hover:bg-red-700 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-red-500 sm:ml-3 sm:w-auto sm:text-sm">
+                    {{ t('group.member.remove.confirm') }}
+                  </button>
+                  <button type="button" class="mt-3 w-full inline-flex justify-center rounded-md border border-gray-300 shadow-xs px-4 py-2 bg-white text-base font-medium text-gray-700 hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:mt-0 sm:ml-3 sm:w-auto sm:text-sm" @click="open = false">
+                    {{ t('common.cancel') }}
+                  </button>
+                </div>
+                <p v-if="onDeleteGroupError" class="text-sm text-red-900 px-4 sm:px-6 text-right bg-red-50">
+                  {{ t('common.unexpectedError', [onDeleteGroupError.message]) }}
+                </p>
+              </form>
+            </DialogPanel>
+          </TransitionChild>
+        </div>
+      </div>
+    </Dialog>
+  </TransitionRoot>
+</template>
+
+<script setup lang="ts">
+import { Dialog, DialogOverlay, DialogPanel, DialogTitle, TransitionChild, TransitionRoot } from '@headlessui/vue';
+import { ExclamationTriangleIcon } from '@heroicons/vue/24/outline';
+import { ref } from 'vue';
+import { useI18n } from 'vue-i18n';
+import backend, { GroupDto } from '../../common/backend';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const open = ref(false);
+const onDeleteGroupError = ref<Error>();
+
+const props = defineProps<{
+    group?: GroupDto;
+    userId: string;
+}>();
+
+const emit = defineEmits<{
+    close: [];
+    removed: [];
+}>();
+
+defineExpose({
+  show
+});
+
+function show() {
+  open.value = true;
+}
+
+async function removeUserFromGroup() {
+  if (!props.group) return;
+
+  onDeleteGroupError.value = undefined;
+  try {
+    await backend.groups.removeMember(props.group.id, props.userId);
+    emit('removed');
+    open.value = false;
+  } catch (error) {
+    console.error('Removing user from group failed.', error);
+    onDeleteGroupError.value = error instanceof Error ? error : new Error('Unknown Error');
+  }
+}
+</script>
diff --git a/frontend/src/components/authority/UserGroupsList.vue b/frontend/src/components/authority/UserGroupsList.vue
new file mode 100644
index 000000000..8375bb291
--- /dev/null
+++ b/frontend/src/components/authority/UserGroupsList.vue
@@ -0,0 +1,160 @@
+<template>
+  <section class="bg-white rounded-lg shadow-sm overflow-hidden">
+    <div class="bg-gray-50 px-6 py-4 border-b border-gray-200 flex items-center justify-between">
+      <div class="flex items-baseline gap-1">
+        <h3 id="groupsTitle" class="text-sm font-semibold text-gray-900 uppercase tracking-wide">
+          {{ t('user.detail.groups') }}
+        </h3>
+        <span class="text-xs text-gray-500">{{ groups.length }}</span>
+      </div>
+      <button class="inline-flex items-center gap-2 px-2.5 py-1.5 border border-gray-300 rounded-md shadow-sm text-sm font-medium text-gray-700 bg-white hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="openAddGroupDialog">
+        {{ t('common.add') }}
+      </button>
+    </div>
+
+    <!-- Search bar -->
+    <div class="px-6 py-3 border-b border-gray-200">
+      <label for="groupSearch" class="sr-only">{{ t('common.search.placeholder') }}</label>
+      <input id="groupSearch" v-model="groupQuery" :placeholder="t('common.search.placeholder')" type="text" class="focus:ring-primary focus:border-primary block w-full shadow-xs text-sm border-gray-300 rounded-md disabled:bg-gray-200" />
+    </div>
+
+    <!-- Group table -->
+    <div class="overflow-x-auto">
+      <table class="min-w-full divide-y divide-gray-300" aria-describedby="groupsTitle">
+        <thead class="sr-only">
+          <tr>
+            <th scope="col">{{ t('common.group') }}</th>
+            <th scope="col">{{ t('common.actions') }}</th>
+          </tr>
+        </thead>
+        <tbody class="divide-y divide-gray-200 bg-white">
+          <tr v-for="group in paginatedGroups" :key="group.id">
+            <td class="whitespace-nowrap py-4 pl-4 pr-3 text-sm font-medium text-gray-900 flex items-center gap-3 sm:pl-6">
+              <div class="w-8 h-8 rounded-full border border-gray-300 bg-white flex items-center justify-center overflow-hidden">
+                <img v-if="group.pictureUrl" :src="group.pictureUrl" class="w-full h-full object-cover" alt="group icon" />
+                <UserGroupIcon v-else class="w-5 h-5 text-gray-400" aria-hidden="true" />
+              </div>
+              <span class="truncate">{{ group.name }}</span>
+            </td>
+
+            <td class="px-6 py-4 whitespace-nowrap text-right text-sm font-medium">
+              <button type="button" class="cursor-pointer text-red-600 hover:text-red-900" :title="t('common.remove')" @click="showDeleteDialog(group)">{{ t('common.remove') }}</button>
+            </td>
+          </tr>
+          <tr v-if="!filteredGroups.length">
+            <td colspan="2" class="py-4 px-4 text-sm text-center text-gray-500">
+              {{ t(groupQuery ? 'group.members.search.empty' : 'common.none') }}
+            </td>
+          </tr>
+        </tbody>
+
+        <!-- GROUP pagination -->
+        <tfoot v-if="showPaginationGroup" class="bg-gray-50">
+          <tr>
+            <td colspan="2">
+              <nav class="flex items-center justify-between px-4 py-3 sm:px-6" :aria-label="t('common.pagination')">
+                <div class="hidden sm:block">
+                  <i18n-t keypath="auditLog.pagination.showing" scope="global" tag="p" class="text-sm text-gray-700">
+                    <span class="font-medium">{{ paginationBeginGroup }}</span>
+                    <span class="font-medium">{{ paginationEndGroup }}</span>
+                  </i18n-t>
+                </div>
+                <div class="flex flex-1 justify-end space-x-3">
+                  <button v-if="currentPageGroup > 0" type="button" class="relative inline-flex items-center rounded-md bg-white px-3 py-2 text-sm font-medium text-gray-900 ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:outline-offset-0" @click="showPreviousPageGroup">
+                    {{ t('common.previous') }}
+                  </button>
+                  <button v-if="hasNextPageGroup" type="button" class="relative inline-flex items-center rounded-md bg-white px-3 py-2 text-sm font-medium text-gray-900 ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:outline-offset-0" @click="showNextPageGroup">
+                    {{ t('common.next') }}
+                  </button>
+                </div>
+              </nav>
+            </td>
+          </tr>
+        </tfoot>
+      </table>
+    </div>
+  </section>
+  <UserAddGroupDialog ref="addGroupDialog" :user-id="userId" :groups="user.groups" @saved="(groups: GroupDto[]) => emit('onSaved', groups)" />
+  <UserGroupRemoveDialog ref="deleteGroupMemberDialog" :group="deletingGroup" :user-id="userId" @close="deletingGroup = undefined" @removed="onGroupRemoved"/>
+</template>
+
+<script setup lang="ts">
+import { computed, ref, watch, nextTick } from 'vue';
+import { useI18n } from 'vue-i18n';
+import UserAddGroupDialog from './UserAddGroupDialog.vue';
+import UserGroupRemoveDialog from './UserGroupRemoveDialog.vue';
+import { UserGroupIcon } from '@heroicons/vue/20/solid';
+import { UserDtoWithDetails, GroupDto } from '../../common/backend';
+const { t } = useI18n({ useScope: 'global' });
+
+const PAGE_SIZE = 10;
+
+const props = defineProps<{
+  user: UserDtoWithDetails;
+  userId: string;
+  groups: GroupDto[];
+}>();
+
+const emit = defineEmits<{
+  onSaved: [groups: GroupDto[]]
+}>();
+
+const deletingGroup = ref<GroupDto>();
+const deleteGroupMemberDialog = ref<InstanceType<typeof UserGroupRemoveDialog> | null>(null);
+
+function showDeleteDialog(g: GroupDto) {
+  deletingGroup.value = g;
+  nextTick(() => {
+    deleteGroupMemberDialog.value?.show();
+  });
+}
+
+function onGroupRemoved() {
+  const updatedGroups = props.groups.filter(g => g.id !== deletingGroup.value?.id);
+  emit('onSaved', updatedGroups);
+  deletingGroup.value = undefined;
+}
+
+// ---------------------------------------------------------------------------
+// GROUP dialog actions
+// ---------------------------------------------------------------------------
+const addGroupDialog = ref<InstanceType<typeof UserAddGroupDialog> | null>(null);
+
+function openAddGroupDialog() {
+  addGroupDialog.value?.show();
+}
+
+// ---------------------------------------------------------------------------
+// GROUPS – search & pagination (member-list style)
+// ---------------------------------------------------------------------------
+const currentPageGroup = ref(0);
+const groupQuery = ref('');
+
+const filteredGroups = computed(() => {
+  const q = groupQuery.value.trim().toLowerCase();
+  return (props.groups ?? [])
+    .filter((g) => !q || g.name.toLowerCase().includes(q))
+    .sort((a, b) => a.name.localeCompare(b.name, undefined, { sensitivity: 'base' }));
+});
+
+const showPaginationGroup = computed(() => filteredGroups.value.length > PAGE_SIZE);
+
+const paginatedGroups = computed(() =>
+  filteredGroups.value.slice(currentPageGroup.value * PAGE_SIZE, (currentPageGroup.value + 1) * PAGE_SIZE)
+);
+
+const hasNextPageGroup = computed(() => (currentPageGroup.value + 1) * PAGE_SIZE < filteredGroups.value.length);
+
+const paginationBeginGroup = computed(() => (filteredGroups.value.length ? currentPageGroup.value * PAGE_SIZE + 1 : 0));
+const paginationEndGroup = computed(() => Math.min((currentPageGroup.value + 1) * PAGE_SIZE, filteredGroups.value.length));
+
+function showNextPageGroup() {
+  if (hasNextPageGroup.value) currentPageGroup.value++;
+}
+function showPreviousPageGroup() {
+  if (currentPageGroup.value > 0) currentPageGroup.value--;
+}
+
+watch(() => [filteredGroups.value.length, groupQuery.value], () => (currentPageGroup.value = 0));
+
+</script>
\ No newline at end of file
diff --git a/frontend/src/components/authority/UserInfo.vue b/frontend/src/components/authority/UserInfo.vue
new file mode 100644
index 000000000..db1a1a85d
--- /dev/null
+++ b/frontend/src/components/authority/UserInfo.vue
@@ -0,0 +1,55 @@
+<template>
+  <section class="bg-white rounded-lg shadow-sm overflow-hidden">
+    <div class="px-6 py-6">
+      <div class="flex flex-col items-center justify-center h-full text-center">
+        <img :src="user.pictureUrl" class="w-48 h-48 rounded-full object-cover border border-gray-300 mb-4" />
+        <h2 class="text-xl font-semibold text-gray-900">
+          <template v-if="user.firstName || user.lastName">
+            {{ user.firstName }} {{ user.lastName }}
+          </template>
+          <template v-else>
+            {{ user.name }}
+          </template>
+        </h2>
+        <p v-if="user.firstName || user.lastName" class="text-sm text-gray-500 mt-1">
+          {{ user.name }}
+        </p>
+        <span v-if="!user.enabled" class="inline-flex items-center rounded-md bg-gray-100 px-2 py-1 text-xs font-medium text-gray-600 ring-1 ring-inset ring-gray-500/10 mt-2">{{ t('user.detail.disabled') }}</span>
+      </div>
+      <dl class="divide-y divide-gray-100">
+        <div class="py-3 flex justify-between">
+          <dt class="text-sm text-gray-500">{{ t('user.detail.email') }}</dt>
+          <dd class="text-sm text-gray-900 font-medium">{{ user.email }}</dd>
+        </div>
+        <div class="py-3 flex justify-between">
+          <dt class="text-sm text-gray-500">{{ t('user.detail.roles') }}</dt>
+          <dd class="flex flex-wrap justify-end gap-2">
+            <span v-for="role in sortedRoles" :key="role" class="inline-flex items-center rounded-md bg-green-50 px-2 py-1 text-xs font-medium text-green-700 ring-1 ring-inset ring-green-600/20 capitalize">
+              {{ role }}
+            </span>
+            <span v-if="!sortedRoles.length" class="text-sm text-gray-500">
+              {{ t('common.none') }}
+            </span>
+          </dd>
+        </div>
+      </dl>
+    </div>
+  </section>
+</template>
+
+<script setup lang="ts">
+import { useI18n } from 'vue-i18n';
+import { computed } from 'vue';
+import { UserDtoWithDetails, isSelectableRealmRole } from '../../common/backend';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const props = defineProps<{
+  user: UserDtoWithDetails;
+}>();
+
+const sortedRoles = computed(() => 
+  [...props.user.realmRoles].filter(isSelectableRealmRole).sort((a, b) => a.localeCompare(b, undefined, { sensitivity: 'base' }))
+);
+
+</script>
\ No newline at end of file
diff --git a/frontend/src/components/authority/UserList.vue b/frontend/src/components/authority/UserList.vue
new file mode 100644
index 000000000..a0ac250f6
--- /dev/null
+++ b/frontend/src/components/authority/UserList.vue
@@ -0,0 +1,261 @@
+<template>
+  <div v-if="loading" class="text-center p-8 text-gray-500 text-sm">
+    {{ t('common.loading') }}
+  </div>
+
+  <FetchError v-else-if="onFetchError" :error="onFetchError" :retry="fetchData" />
+
+  <div v-else class="flex flex-col">
+    <h2 id="userListTitle" class="text-2xl font-bold leading-9 text-gray-900 sm:text-3xl sm:truncate mb-4">
+      {{ t('users.title') }}
+    </h2>
+    <!-- Searchbar + Createbutton -->
+    <div class="flex flex-wrap sm:flex-nowrap justify-between items-center gap-3 mb-4">
+      <label for="userSearch" class="sr-only">{{ t('common.search.placeholder') }}</label>
+      <input id="userSearch" v-model="query" type="text" :placeholder="t('common.search.placeholder')" class="flex-1 focus:ring-primary focus:border-primary shadow-xs text-sm border-gray-300 rounded-md"/>
+      <button type="button" class="bg-primary text-white text-sm font-medium px-4 py-2 rounded-md shadow-xs hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="showCreateUser()">{{ t('userList.create.button') }}</button>
+    </div>
+    
+    <!-- Mobile Card Layout (visible on small screens) -->
+    <div v-if="paginatedUsers.length > 0" class="block md:hidden space-y-3">
+      <div v-for="user in paginatedUsers" :key="user.id" class="bg-white rounded-lg shadow-sm border border-gray-200 hover:shadow-md transition-shadow cursor-pointer" @click="router.push(`users/${user.id}`)">
+        <div class="px-4 py-4">
+          <div class="flex items-start justify-between mb-4">
+            <div class="flex items-center min-w-0 flex-1" :title="user.name">
+              <img :src="user.pictureUrl" :alt="t('userList.profileImage')" class="w-10 h-10 rounded-full object-cover border border-gray-300 flex-shrink-0" />
+              <div class="ml-3 min-w-0 flex-1">
+                <div class="flex items-center gap-2">
+                  <p class="text-sm font-medium text-gray-900 truncate leading-tight">{{ user.name }}</p>
+                  <span v-if="!user.enabled" class="inline-flex items-center rounded-md bg-gray-100 px-2 py-0.5 text-xs font-medium text-gray-600 ring-1 ring-inset ring-gray-500/10 shrink-0">{{ t('userList.disabled') }}</span>
+                </div>
+                <p class="text-xs text-gray-500 truncate">{{ user.firstName || user.lastName ? `${user.firstName ?? ''} ${user.lastName ?? ''}`.trim() : user.email }}</p>
+              </div>
+            </div>
+            <Menu v-if="user.id !== currentUserId" as="div" class="relative inline-block shrink-0 text-left">
+              <MenuButton class="group p-1 focus:outline-hidden focus:ring-2 focus:ring-primary focus:ring-offset-2" @click.stop>
+                <span class="sr-only">Open options menu</span>
+                <EllipsisVerticalIcon class="h-5 w-5 text-gray-400 group-hover:text-gray-500" aria-hidden="true" />
+              </MenuButton>
+              <transition enter-active-class="transition ease-out duration-100" enter-from-class="transform opacity-0 scale-95" enter-to-class="transform opacity-100 scale-100" leave-active-class="transition ease-in duration-75" leave-from-class="transform opacity-100 scale-100" leave-to-class="transform opacity-0 scale-95">
+                <MenuItems class="absolute right-0 mt-2 z-10 w-48 origin-top-right rounded-md bg-white shadow-lg ring-1 ring-black/5 focus:outline-hidden">
+                  <div class="py-1">
+                    <MenuItem>
+                      <button type="button" class="text-red-700 hover:text-red-900 block w-full px-4 py-2 text-sm text-left hover:bg-gray-50" @click.stop="showDeleteUserDialog(user)">{{ t('common.remove') }}</button>
+                    </MenuItem>
+                  </div>
+                </MenuItems>
+              </transition>
+            </Menu>
+          </div>
+
+          <!-- Stats section -->
+          <div class="mb-3 ml-13 text-xs text-gray-600">
+            <span>{{ t('userList.vaults.count') }}: {{ user.accessibleVaultCount ?? 0 }}</span>
+            <span class="mx-2">|</span>
+            <span>{{ t('userList.groups.count') }}: {{ user.groupsCount ?? 0 }}</span>
+            <span class="mx-2">|</span>
+            <span>{{ t('userList.device.count') }}: {{ user.devicesCount ?? 0 }}</span>
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <!-- Desktop Table Layout (visible on medium screens and up) -->
+    <div v-if="paginatedUsers.length > 0" class="-my-2 overflow-x-auto sm:-mx-6 lg:-mx-8 hidden md:block">
+      <div class="py-2 align-middle inline-block min-w-full sm:px-6 lg:px-8">
+        <div class="shadow-sm overflow-hidden border-b border-gray-200 sm:rounded-lg">
+          <table class="min-w-full divide-y divide-gray-200" aria-describedby="userListTitle">
+            <thead class="bg-gray-50">
+              <tr>
+                <th class="px-6 py-3 w-2/5 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">{{ t('userList.userName') }}</th>
+                <th class="px-6 py-3 w-1/8 text-left text-xs font-medium text-gray-500 uppercase tracking-wider whitespace-nowrap">{{ t('userList.vaults.count') }}</th>
+                <th class="px-6 py-3 w-1/8 text-left text-xs font-medium text-gray-500 uppercase tracking-wider whitespace-nowrap">{{ t('userList.groups.count') }}</th>
+                <th class="px-6 py-3 w-1/8 text-left text-xs font-medium text-gray-500 uppercase tracking-wider whitespace-nowrap">{{ t('userList.device.count') }}</th>
+                <th class="px-3 py-3 w-auto text-left text-xs font-medium text-gray-500 uppercase tracking-wider whitespace-nowrap"></th>
+              </tr>
+            </thead>
+
+            <tbody class="bg-white divide-y divide-gray-200">
+              <template v-for="user in paginatedUsers" :key="user.id">
+                <tr>
+                  <td class="pr-8 pl-6 py-4 text-sm font-medium text-gray-900">
+                    <div class="flex items-center gap-3 max-w-sm">
+                      <img :src="user.pictureUrl" :alt="t('userList.profileImage')" class="w-10 h-10 rounded-full object-cover border border-gray-300"/>
+                      <div class="flex flex-col min-w-0 flex-1">
+                        <div class="flex items-center gap-2">
+                          <button type="button" class="truncate block hover:underline cursor-pointer text-left" :title="user.name" @click="router.push(`users/${user.id}`)">{{ user.name }}</button>
+                          <span v-if="!user.enabled" class="inline-flex items-center rounded-md bg-gray-100 px-2 py-0.5 text-xs font-medium text-gray-600 ring-1 ring-inset ring-gray-500/10 shrink-0">{{ t('userList.disabled') }}</span>
+                        </div>
+                        <span class="text-xs text-gray-500 truncate" :title="user.firstName || user.lastName ? `${user.firstName ?? ''} ${user.lastName ?? ''}`.trim() : user.email ?? undefined">{{ user.firstName || user.lastName ? `${user.firstName ?? ''} ${user.lastName ?? ''}`.trim() : user.email }}</span>
+                      </div>
+                    </div>
+                  </td>
+                  <td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">{{ user.accessibleVaultCount ?? 0 }}</td>
+                  <td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">{{ user.groupsCount ?? 0 }}</td>
+                  <td class="px-6 py-4 whitespace-nowrap text-sm text-gray-500">{{ user.devicesCount ?? 0 }}</td>
+                  <td class="px-6 py-4 whitespace-nowrap text-right text-sm font-medium">
+                    <div v-if="user.id !== currentUserId" class="flex justify-end gap-3">
+                      <div class="cursor-pointer text-sm font-medium text-red-700 hover:text-red-900" @click="showDeleteUserDialog(user)">{{ t('common.remove') }}</div>
+                    </div>
+                  </td>
+                </tr>
+              </template>
+            </tbody>
+
+            <!-- Pagination -->
+            <tfoot v-if="showPagination" class="bg-gray-50">
+              <tr>
+                <td colspan="5">
+                  <nav class="flex items-center justify-between px-4 py-3 sm:px-6" :aria-label="t('common.pagination')">
+                    <div class="hidden sm:block">
+                      <i18n-t keypath="auditLog.pagination.showing" scope="global" tag="p" class="text-sm text-gray-700">
+                        <span class="font-medium">{{ paginationBegin }}</span>
+                        <span class="font-medium">{{ paginationEnd }}</span>
+                      </i18n-t>
+                    </div>
+                    <div class="flex flex-1 justify-end space-x-3">
+                      <button v-if="currentPage > 0" type="button" class="relative inline-flex items-center rounded-md bg-white px-3 py-2 text-sm font-medium text-gray-900 ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:outline-offset-0" @click="showPreviousPage">
+                        {{ t('common.previous') }}
+                      </button>
+                      <button v-if="hasNextPage" type="button" class="relative inline-flex items-center rounded-md bg-white px-3 py-2 text-sm font-medium text-gray-900 ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:outline-offset-0" @click="showNextPage">
+                        {{ t('common.next') }}
+                      </button>
+                    </div>
+                  </nav>
+                </td>
+              </tr>
+            </tfoot>
+          </table>
+        </div>
+      </div>
+    </div>
+
+    <!-- Mobile Pagination -->
+    <nav v-if="showPagination" class="flex items-center justify-between px-4 py-3 md:hidden" :aria-label="t('common.pagination')">
+      <div class="flex flex-1 justify-between space-x-3">
+        <button v-if="currentPage > 0" type="button" class="relative inline-flex items-center rounded-md bg-white px-3 py-2 text-sm font-medium text-gray-900 ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:outline-offset-0" @click="showPreviousPage">
+          {{ t('common.previous') }}
+        </button>
+        <div class="flex-1"></div>
+        <button v-if="hasNextPage" type="button" class="relative inline-flex items-center rounded-md bg-white px-3 py-2 text-sm font-medium text-gray-900 ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:outline-offset-0" @click="showNextPage">
+          {{ t('common.next') }}
+        </button>
+      </div>
+    </nav>
+
+    <!-- Empty State for Search Results -->
+    <div v-if="query !== '' && sortedUsers.length === 0" class="mt-3 text-center">
+      <svg xmlns="http://www.w3.org/2000/svg" class="mx-auto h-12 w-12 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
+        <path vector-effect="non-scaling-stroke" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M15.75 15.75l-2.489-2.489m0 0a3.375 3.375 0 10-4.773-4.773 3.375 3.375 0 004.774 4.774zM21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+      </svg>
+      <h3 class="mt-2 text-sm font-medium text-gray-900">{{ t('userList.filter.result.empty.title') }}</h3>
+      <p class="mt-1 text-sm text-gray-500">{{ t('userList.filter.result.empty.description') }}</p>
+    </div>
+  </div>
+
+  <!-- Delete Dialog -->
+  <UserDeleteDialog v-if="deletingUser" ref="deleteUserDialog" :user="deletingUser" @close="deletingUser = undefined" @delete="onUserDeleted"/>
+</template>
+
+<script setup lang="ts">
+import { Menu, MenuButton, MenuItem, MenuItems } from '@headlessui/vue';
+import { EllipsisVerticalIcon } from '@heroicons/vue/20/solid';
+import { computed, nextTick, onMounted, ref, watch } from 'vue';
+import { useI18n } from 'vue-i18n';
+import { useRouter, useRoute } from 'vue-router';
+import backend from '../../common/backend';
+import userdata from '../../common/userdata';
+import UserDeleteDialog from './UserDeleteDialog.vue';
+import FetchError from '../FetchError.vue';
+
+const router = useRouter();
+const route = useRoute();
+
+import { UserDtoWithCounts } from '../../common/backend';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const PAGE_SIZE = 20;
+
+const users = ref<UserDtoWithCounts[]>([]);
+const loading = ref(true);
+const onFetchError = ref<Error>();
+const deleteUserDialog = ref<typeof UserDeleteDialog>();
+const deletingUser = ref<UserDtoWithCounts>();
+const query = ref('');
+const currentUserId = ref<string>('');
+const currentPage = ref(0);
+
+const showDeleteUserDialog = (user: UserDtoWithCounts) => {
+  deletingUser.value = user;
+  nextTick(() => deleteUserDialog.value?.show());
+};
+
+const onUserDeleted = (deletedUser: { id: string }) => {
+  users.value = users.value.filter((u: UserDtoWithCounts) => u.id !== deletedUser.id);
+  deletingUser.value = undefined;
+};
+
+function showCreateUser() {
+  router.push('/app/users/create');
+}
+
+onMounted(async () => {
+  const me = await userdata.me;
+  currentUserId.value = me.id;
+  fetchData();
+});
+
+watch(() => route.path, (newPath) => {
+  if (newPath === '/app/users') {
+    fetchData();
+  }
+});
+
+async function fetchData() {
+  loading.value = true;
+  onFetchError.value = undefined;
+  try {
+    users.value = await backend.users.listAll();
+  } catch (error) {
+    onFetchError.value = error instanceof Error ? error : new Error('Unknown Error');
+  } finally {
+    loading.value = false;
+  }
+}
+
+const filteredUsers = computed(() =>
+  query.value === ''
+    ? users.value
+    : users.value.filter((u: UserDtoWithCounts) =>
+      u.name.toLowerCase().includes(query.value.toLowerCase())
+    )
+);
+
+const sortedUsers = computed(() =>
+  filteredUsers.value.toSorted((a, b) => {
+    if (a.id === currentUserId.value) return -1;
+    if (b.id === currentUserId.value) return 1;
+    return a.name.localeCompare(b.name);
+  })
+);
+
+const paginatedUsers = computed(() =>
+  sortedUsers.value.slice(currentPage.value * PAGE_SIZE, (currentPage.value + 1) * PAGE_SIZE)
+);
+
+const showPagination = computed(() => sortedUsers.value.length > PAGE_SIZE);
+const hasNextPage = computed(() => (currentPage.value + 1) * PAGE_SIZE < sortedUsers.value.length);
+const paginationBegin = computed(() => sortedUsers.value.length ? currentPage.value * PAGE_SIZE + 1 : 0);
+const paginationEnd = computed(() => Math.min((currentPage.value + 1) * PAGE_SIZE, sortedUsers.value.length));
+
+function showNextPage() {
+  if (hasNextPage.value) currentPage.value += 1;
+}
+
+function showPreviousPage() {
+  if (currentPage.value > 0) currentPage.value -= 1;
+}
+
+watch(() => [filteredUsers.value.length, query.value], () => (currentPage.value = 0));
+</script>
diff --git a/frontend/src/components/authority/VaultList.vue b/frontend/src/components/authority/VaultList.vue
new file mode 100644
index 000000000..5f046bfde
--- /dev/null
+++ b/frontend/src/components/authority/VaultList.vue
@@ -0,0 +1,111 @@
+<template>
+  <section v-if="props.visible" class="bg-white rounded-lg shadow-sm overflow-hidden">
+    <div class="bg-gray-50 px-6 py-4 border-b border-gray-200">
+      <div class="flex items-baseline gap-1">
+        <h3 class="text-sm font-semibold text-gray-900 uppercase tracking-wide">
+          {{ t('nav.vaults') }}
+        </h3>
+        <span class="text-xs text-gray-500">{{ deduplicatedVaults.length }}</span>
+      </div>
+    </div>
+
+    <!-- Search bar -->
+    <div class="px-6 py-3 border-b border-gray-200">
+      <label for="vaultSearch" class="sr-only">{{ t('common.search.placeholder') }}</label>
+      <input id="vaultSearch" v-model="vaultQuery" :placeholder="t('common.search.placeholder')" type="text" class="focus:ring-primary focus:border-primary block w-full shadow-xs text-sm border-gray-300 rounded-md disabled:bg-gray-200" />
+    </div>
+
+    <!-- Vault list -->
+    <div class="py-0">
+      <ul class="divide-y divide-gray-200 bg-white">
+        <li v-for="vault in paginatedVaults" :key="vault.id" class="py-2 px-6">
+          <div class="flex items-center gap-2">
+            <div class="text-sm font-medium text-gray-900 truncate">{{ vault.name }}</div>
+            <div v-if="vault.role === 'OWNER'" class="inline-flex items-center rounded-md bg-gray-50 px-2 py-1 text-xs font-medium text-gray-600 ring-1 ring-inset ring-gray-500/10">{{ t('vaultList.badge.owner') }}</div>
+          </div>
+          <div v-if="vault.description" class="text-sm text-gray-500 truncate">{{ vault.description }}</div>
+        </li>
+        <li v-if="!filteredVaults.length" class="flex items-center justify-center py-4 px-6 w-full text-sm text-gray-500">
+          {{ t(vaultQuery ? 'common.nothingFound' : 'common.none') }}
+        </li>
+      </ul>
+    </div>
+
+    <!-- Pagination -->
+    <div v-if="showPaginationVault" class="bg-gray-50 border-t border-gray-200">
+      <nav class="flex items-center justify-between px-4 py-3 sm:px-6" :aria-label="t('common.pagination')">
+        <div class="hidden sm:block">
+          <i18n-t keypath="auditLog.pagination.showing" scope="global" tag="p" class="text-sm text-gray-700">
+            <span class="font-medium">{{ paginationBeginVault }}</span>
+            <span class="font-medium">{{ paginationEndVault }}</span>
+          </i18n-t>
+        </div>
+        <div class="flex flex-1 justify-between sm:justify-end space-x-3">
+          <button v-if="currentPageVault > 0" type="button" class="relative inline-flex items-center rounded-md bg-white px-3 py-2 text-sm font-medium text-gray-900 ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:outline-offset-0" @click="showPreviousPageVault">
+            {{ t('common.previous') }}
+          </button>
+          <button v-if="hasNextPageVault" type="button" class="relative inline-flex items-center rounded-md bg-white px-3 py-2 text-sm font-medium text-gray-900 ring-1 ring-inset ring-gray-300 hover:bg-gray-50 focus-visible:outline-offset-0" @click="showNextPageVault">
+            {{ t('common.next') }}
+          </button>
+        </div>
+      </nav>
+    </div>
+  </section>
+</template>
+
+<script setup lang="ts">
+import { computed, ref, watch } from 'vue';
+import { useI18n } from 'vue-i18n';
+import { VaultDtoWithRole } from '../../common/backend';
+const { t } = useI18n({ useScope: 'global' });
+
+const PAGE_SIZE = 10;
+
+const props = defineProps<{
+  vaults: VaultDtoWithRole[];
+  visible: boolean;
+}>();
+
+// Deduplicate vaults by ID, keeping highest role (OWNER > MEMBER)
+const deduplicatedVaults = computed(() => {
+  const vaultMap = new Map<string, VaultDtoWithRole>();
+  for (const vault of props.vaults) {
+    const existing = vaultMap.get(vault.id);
+    if (!existing || vault.role === 'OWNER') {
+      vaultMap.set(vault.id, vault);
+    }
+  }
+  return Array.from(vaultMap.values());
+});
+
+// Vaults – search & pagination
+const currentPageVault = ref(0);
+const vaultQuery = ref('');
+
+const filteredVaults = computed(() => {
+  const q = vaultQuery.value.trim().toLowerCase();
+  return deduplicatedVaults.value
+    .filter(v => !q || v.name.toLowerCase().includes(q) || (v.description && v.description.toLowerCase().includes(q)))
+    .sort((a, b) => a.name.localeCompare(b.name, 'de', { sensitivity: 'base' }));
+});
+
+const showPaginationVault = computed(() => filteredVaults.value.length > PAGE_SIZE);
+
+const paginatedVaults = computed(() =>
+  filteredVaults.value.slice(currentPageVault.value * PAGE_SIZE, (currentPageVault.value + 1) * PAGE_SIZE)
+);
+
+const hasNextPageVault = computed(() => (currentPageVault.value + 1) * PAGE_SIZE < filteredVaults.value.length);
+
+const paginationBeginVault = computed(() => (filteredVaults.value.length ? currentPageVault.value * PAGE_SIZE + 1 : 0));
+const paginationEndVault = computed(() => Math.min((currentPageVault.value + 1) * PAGE_SIZE, filteredVaults.value.length));
+
+function showNextPageVault() {
+  if (hasNextPageVault.value) currentPageVault.value++;
+}
+function showPreviousPageVault() {
+  if (currentPageVault.value > 0) currentPageVault.value--;
+}
+
+watch(() => [filteredVaults.value.length, vaultQuery.value], () => (currentPageVault.value = 0));
+</script>
diff --git a/frontend/src/components/emergencyaccess/EmergencyAccessDialog.vue b/frontend/src/components/emergencyaccess/EmergencyAccessDialog.vue
new file mode 100644
index 000000000..39689a19d
--- /dev/null
+++ b/frontend/src/components/emergencyaccess/EmergencyAccessDialog.vue
@@ -0,0 +1,861 @@
+<template>
+  <TransitionRoot as="template" :show="open" @after-leave="handleAfterLeave">
+    <Dialog as="div" class="fixed inset-0 z-10 overflow-y-auto" :class="wantAbort ? 'pointer-events-none' : ''" :aria-hidden="wantAbort ? 'true' : undefined" @close="handleParentClose">
+      <TransitionChild
+        as="template"
+        enter="ease-out duration-300"
+        enter-from="opacity-0"
+        enter-to="opacity-100"
+        leave="ease-in duration-200"
+        leave-from="opacity-100"
+        leave-to="opacity-0"
+      >
+        <DialogOverlay class="fixed inset-0 bg-gray-500/75 transition-opacity" />
+      </TransitionChild>
+
+      <div class="flex min-h-full items-end justify-center p-4 text-center sm:items-center sm:p-0">
+        <TransitionChild
+          as="template"
+          enter="ease-out duration-300"
+          enter-from="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95"
+          enter-to="opacity-100 translate-y-0 sm:scale-100"
+          leave="ease-in duration-200"
+          leave-from="opacity-100 translate-y-0 sm:scale-100"
+          leave-to="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95"
+        >
+          <DialogPanel
+            class="relative transform overflow-visible transition-all sm:my-8 sm:w-full sm:max-w-lg"
+          >
+            <div class="relative rounded-lg bg-white z-10">
+              <div class="px-4 pt-5 pb-4 sm:p-6 sm:pb-4">
+                <div class="sm:flex sm:items-start">
+                  <div class="mx-auto shrink-0 flex items-center justify-center h-12 w-12 sm:mx-0 sm:h-10 sm:w-10 relative">
+                    <div v-if="showSuccess">
+                      <CheckCircleIcon class="h-12 w-12 text-primary" aria-hidden="true" />
+                    </div>
+                    <div v-else-if="phase !== 'start'">
+                      <SegmentRing
+                        :total="requiredSegments"
+                        :completed="completedSegments"
+                        :size="36"
+                      />
+                    </div>
+                    <div v-else>
+                      <PlayIcon class="h-8 w-8 text-primary" aria-hidden="true" />
+                    </div>
+                  </div>
+                  <div class="mt-3 grow text-center sm:mt-0 sm:ml-4 sm:text-left">
+                    <DialogTitle as="h3" class="text-lg leading-6 font-medium text-gray-900">
+                      {{ phaseTitle }}
+                    </DialogTitle>
+                    <div v-if="showSuccess" class="mt-4">
+                      <div>
+                        {{ t('emergencyAccessDialog.message.completed') }}
+                      </div>
+                    </div>
+                    <div v-else-if="phase === 'start'" class="mt-4 space-y-4">
+                      <div v-if="processType === 'CHANGE_PERMISSIONS'">
+                        <label class="block text-sm font-medium text-gray-700">
+                          {{ t('emergencyAccessDialog.label.selectOwner') }}
+                        </label>
+                        <MultiUserSelectInputGroup
+                          ref="ownersSelect"
+                          :selected-users="owners"
+                          :on-search="searchUsers"
+                          :input-visible="true"
+                          @action="addOwner"
+                          @remove="removeOwner"
+                        />
+
+                        <!-- Members (non-owners) selector -->
+                        <div class="mt-4">
+                          <label class="block text-sm font-medium text-gray-700">
+                            {{ t('emergencyAccessDialog.label.selectMember') }}
+                          </label>
+                          <MultiUserSelectInputGroup
+                            :selected-users="members"
+                            :on-search="searchUsers"
+                            :input-visible="true"
+                            @action="addMember"
+                            @remove="removeMember"
+                          />
+                        </div>
+
+                        <!-- Removed Members display -->
+                        <div v-if="removedMembers.length > 0" class="mt-4">
+                          <span class="block text-sm font-medium text-gray-700">
+                            {{ t('emergencyAccess.label.removed') }}
+                          </span>
+                          <MultiUserSelectInputGroup
+                            :selected-users="removedMembers"
+                            :on-search="noopSearch"
+                            :input-visible="false"
+                          />
+                        </div>
+                      </div>
+
+                      <div v-else-if="processType === 'COUNCIL_CHANGE'">
+                        <EmergencyAccessSetup ref="emergencyAccessSetup" :settings="settings" :council-members="councilMembers" :required-key-shares="settings.defaultRequiredEmergencyKeyShares" :allow-choosing-council="true"/>
+                      </div>
+                      <div v-else class="text-sm text-red-600">
+                        {{ t('recoveryDialog.error.invalidRecoveryType') }}
+                      </div>
+                    </div>
+
+                    <div v-else-if="!recoveryProcess">
+                      <!-- every other phase should have a non-null recovery process -->
+                      Internal error: No recovery process available. <!-- no need to localize this. -->
+                    </div>
+
+                    <div v-else>
+                      <div v-if="recoveryProcess.type === 'CHANGE_PERMISSIONS'" >
+                        {{ t('emergencyAccessDialog.section.ownership') }}
+                        
+                        <div class="mt-4 space-y-1 text-sm text-gray-500">
+                          <span class="font-medium text-gray-700">{{ t('emergencyAccess.label.owners') }}</span>
+                          <MultiUserSelectInputGroup
+                            :selected-users="selectedNewOwners"
+                            :on-search="noopSearch"
+                            :input-visible="false"
+                          />
+                          <!-- Members (non-owners) selector -->
+                          <div class="mt-4">
+                            <label class="block text-sm font-medium text-gray-700">
+                              {{ t('emergencyAccess.label.members') }}
+                            </label>
+                            <MultiUserSelectInputGroup
+                              :selected-users="selectedNewmembers"
+                              :on-search="noopSearch"
+                              :input-visible="false"
+                            />
+                          </div>
+                          <!-- Removed Members display -->
+                          <div v-if="removedMembers.length > 0" class="mt-4">
+                            <span class="block text-sm font-medium text-gray-700">
+                              {{ t('emergencyAccess.label.removed') }}
+                            </span>
+                            <MultiUserSelectInputGroup
+                              :selected-users="removedMembers"
+                              :on-search="noopSearch"
+                              :input-visible="false"
+                            />
+                          </div>
+                        </div>
+                      </div>
+                      <div v-if="recoveryProcess.type === 'COUNCIL_CHANGE'" >
+                        {{ t('emergencyAccessDialog.section.councilChange') }}
+                        <div class="mt-4">
+                          <EmergencyAccessSetup :settings="settings" :council-members="councilMembers" :required-key-shares="recoveryProcess.details.newRequiredKeyShares" :readonly="true" :show-required-key-shares="true"/>
+                        </div>
+                      </div>
+                      <div v-if="phase === 'complete' && !didAddMyShare && isMeInProcessCouncil" class="text-sm pt-2">
+                        <span class="inline-flex items-center gap-2 rounded-md bg-green-50 ring-1 ring-green-300/70 px-2.5 py-1 text-xs font-medium text-green-800">
+                          <InformationCircleIcon class="h-4 w-4" aria-hidden="true" />
+                          {{ t('emergencyAccessDialog.hint.finishProcess') }}
+                        </span>
+                      </div>
+                      <div v-else-if="(phase === 'complete' || phase === 'approve') && didAddMyShare" class="text-sm pt-2">
+                        <span class="inline-flex items-center gap-2 rounded-full bg-green-50 ring-1 ring-green-300/70 px-2.5 py-1 text-xs font-medium text-green-800">
+                          <CheckBadgeIcon class="h-4 w-4" aria-hidden="true" />
+                          {{ t('emergencyAccessDialog.hint.keyShareAdded') }}
+                        </span>
+                      </div>
+                    </div>
+                    <div v-if="phase !== 'start' && !isMeInProcessCouncil" class="text-sm pt-4">
+                      <span class="inline-flex items-center gap-2 rounded-md bg-yellow-50 ring-1 ring-yellow-300/70 px-2.5 py-1 text-xs font-medium text-yellow-800 text-left">
+                        <ExclamationCircleIcon class="h-4 w-4" aria-hidden="true" />
+                        {{ t('emergencyAccessDialog.hint.notInCouncil') }}
+                      </span>
+                    </div>
+                  </div>
+                </div>
+              </div>
+            
+              <div v-if="onError" class="w-full sm:w-auto mb-2 text-right">
+                <p v-if="onError instanceof PaymentRequiredError" class="inline-block text-sm text-red-900 bg-red-100 rounded px-3 py-1 mt-1">
+                  {{ t('vaultDetails.error.licenseViolated') }}
+                </p>
+                <p v-else class="inline-block text-sm text-red-700 bg-red-100 rounded px-3 py-1 mt-1">
+                  {{ t('common.unexpectedError', [onError.message]) }}
+                </p>
+              </div>
+
+              <div v-if="conflictingProcessExists && phase === 'start'" class="w-full sm:w-auto mb-2 text-right">
+                <p class="inline-block text-sm text-red-700 bg-red-100 rounded px-3 py-1">
+                  {{ t('recoveryDialog.error.processAlreadyExists') }}
+                </p>
+              </div>
+
+              <div class="bg-gray-50 rounded-b-lg px-4 py-3 sm:px-6 sm:flex">
+                <!-- ABORT -->
+                <template v-if="phase !== 'start' && isMeInProcessCouncil && !showSuccess">
+                  <button
+                    class=" text-sm text-red-600 hover:underline sm:mr-auto focus:outline-none focus:underline rounded"
+                    @click.stop="requestCancel()"
+                  >
+                    {{ t('emergencyAccessDialog.action.abortProcess') }}
+                  </button>
+                </template>
+                <!-- CLOSE -->
+                <button
+                  ref="closeButton"
+                  type="button"
+                  class="mt-3 inline-flex w-full justify-center sm:ml-auto rounded-md border border-gray-300 bg-white px-4 py-2 text-base font-medium text-gray-700 shadow-sm hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:mt-0 sm:w-auto sm:text-sm"
+                  @click.stop="open = false" 
+                >
+                  {{ t('common.close') }}
+                </button>               
+                <!-- START -->
+                <template v-if="phase === 'start'">
+                  <button
+                    type="button"
+                    class="inline-flex w-full justify-center rounded-md border border-transparent bg-primary px-4 py-2 text-base font-medium text-white shadow-sm hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:ml-3 sm:w-auto sm:text-sm disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed"
+                    :disabled="!canStartRecovery"
+                    @click="startRecovery()"
+                  >
+                    {{ t('emergencyAccessDialog.action.start') }}
+                  </button>
+                </template>
+
+                <!-- APPROVE -->
+                <template v-else-if="phase === 'approve'">
+                  <button
+                    v-if="canSeeApprove"
+                    type="button"
+                    class="inline-flex w-full justify-center rounded-md border border-transparent bg-primary px-4 py-2 text-base font-medium text-white shadow-sm hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:ml-3 sm:w-auto sm:text-sm"
+                    @click="approveRecovery()"
+                  >
+                    {{ t('emergencyAccessDialog.action.approve') }}
+                  </button>
+                </template>
+
+                <!-- COMPLETE -->
+                <template v-else-if="phase === 'complete' && !showSuccess">
+                  <button
+                    v-if="canSeeComplete"
+                    ref="completeButton"
+                    type="button"
+                    class="inline-flex w-full sm:w-auto justify-center rounded-md border border-transparent bg-primary px-4 py-2 text-base font-medium text-white shadow-sm hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:ml-3 sm:text-sm"
+                    @click="completeRecovery()"
+                  >
+                    {{ t('emergencyAccessDialog.action.completeProcess') }}
+                  </button>
+                </template>
+              </div>
+            </div>
+          </DialogPanel>
+        </TransitionChild>
+      </div>
+      <ProcessAbortDialog
+        v-if="props.recoveryProcess"
+        ref="abortDialog"
+        :recovery-process-id="props.recoveryProcess.id"
+        @confirmed="handleRecoveryAborted"
+        @close="onAbortClosed"
+      />
+    </Dialog>
+  </TransitionRoot>
+</template>
+
+<script setup lang="ts">
+import { Dialog, DialogOverlay, DialogPanel, DialogTitle, TransitionChild, TransitionRoot } from '@headlessui/vue';
+import { CheckBadgeIcon, ExclamationCircleIcon, InformationCircleIcon } from '@heroicons/vue/20/solid';
+import { PlayIcon, CheckCircleIcon } from '@heroicons/vue/24/solid';
+import { base64 } from '@scure/base';
+import * as R from 'remeda';
+import { computed, ref, Ref, toRaw, nextTick } from 'vue';
+import { useI18n } from 'vue-i18n';
+import backend, { AccessGrant, ActivatedUser, AuthorityDto, didCompleteSetup, GroupDto, PaymentRequiredError, RecoveredKeyShareDto, RecoveryProcessChangeCouncil, RecoveryProcessDto, RecoveryProcessSetNewOwner, SettingsDto, UserDto, VaultDto, VaultRole } from '../../common/backend';
+import { AccessTokenProducing, asPublicKey, UserKeys } from '../../common/crypto';
+import { EmergencyAccess } from '../../common/emergencyaccess';
+import { ECDSA_P384, JWT, JWTHeader } from '../../common/jwt';
+import userdata from '../../common/userdata';
+import { wordEncoder } from '../../common/util';
+import MultiUserSelectInputGroup from '../MultiUserSelectInputGroup.vue';
+import EmergencyAccessSetup from './EmergencyAccessSetup.vue';
+import ProcessAbortDialog from './ProcessAbortDialog.vue';
+import SegmentRing from './SegmentRing.vue';
+import type { MultiUserSelectExpose } from '../MultiUserSelectInputGroup.vue';
+import { VaultFormat8 } from '../../common/vaultFormat8';
+import { UniversalVaultFormat } from '../../common/universalVaultFormat';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const props = defineProps<{
+  vault: VaultDto;
+  me: UserDto;
+  settings: SettingsDto;
+  recoveryProcess?: RecoveryProcessDto;
+  startType: RecoveryProcessDto['type'];
+}>();
+
+const emit = defineEmits<{
+  close: [];
+  updated: [recoveryProcess?: RecoveryProcessDto];
+}>();
+
+defineExpose({ show });
+const closeButton = ref<HTMLElement>();
+const ownersSelect = ref<MultiUserSelectExpose>();
+const emergencyAccessSetup = ref<InstanceType<typeof EmergencyAccessSetup>>();
+
+const processType = ref<RecoveryProcessDto['type']>(
+  props.recoveryProcess?.type ?? props.startType
+);
+
+const processCouncilIds = computed(() =>
+  props.recoveryProcess ? Object.keys(props.recoveryProcess.recoveredKeyShares ?? {}) : []
+);
+
+const isMeInProcessCouncil = computed(() =>
+  processCouncilIds.value.includes(props.me.id)
+);
+
+const canSeeApprove = computed(() =>
+  phase.value === 'approve' 
+  && isMeInProcessCouncil.value 
+  && !didAddMyShare.value
+);
+
+const canSeeComplete = computed(() =>
+  phase.value === 'complete' 
+  && isMeInProcessCouncil.value 
+  && (!didAddMyShare.value || completedSegments.value >= requiredSegments.value)
+);
+
+type PhaseType = 'start' | 'approve' | 'complete';
+const phase = computed<PhaseType>(() => {
+  const p = props.recoveryProcess;
+  if (!p) {
+    return 'start';
+  } else if (completedSegments.value + 1 < p.requiredKeyShares) {
+    return 'approve';
+  } else {
+    return 'complete';
+  }
+});
+
+const requiredSegments = computed(() =>
+  props.recoveryProcess?.requiredKeyShares ?? props.vault.requiredEmergencyKeyShares
+);
+
+const completedSegments = computed(() =>
+  Object.values(props.recoveryProcess?.recoveredKeyShares ?? {}).filter(
+    ks => ks.recoveredKeyShare !== undefined
+  ).length
+);
+
+const didAddMyShare = computed(() => {
+  return props.recoveryProcess?.recoveredKeyShares?.[props.me.id]?.recoveredKeyShare !== undefined;
+});
+
+const open = ref(false);
+const onError = ref<Error>();
+
+const existingProcesses = ref<RecoveryProcessDto[]>([]);
+
+const conflictingProcessExists = computed(() => {
+  return existingProcesses.value.some(p => p.type === processType.value);
+});
+
+function processConflicts(type: RecoveryProcessDto['type']) {
+  return existingProcesses.value.some(p => p.type === type);
+}
+
+// OWNERS
+const owners = ref<AuthorityDto[]>([]);
+const existingOwners = ref<AuthorityDto[]>([]);
+const newOwnerIds = computed(() => owners.value.map(u => u.id));
+
+// MEMBERS (non-owners)
+const members = ref<AuthorityDto[]>([]);
+const existingMembers = ref<AuthorityDto[]>([]);
+const newMemberIds = computed(() => members.value.map(u => u.id));
+
+const authoritiesById = ref<Record<string, AuthorityDto>>({});
+
+// --- helper: generic add/remove by id ---
+function addUnique(list: Ref<AuthorityDto[]>, user: AuthorityDto) {
+  if (!list.value.find(u => u.id === user.id)) list.value.push(user);
+}
+function removeFrom(list: Ref<AuthorityDto[]>, user: AuthorityDto) {
+  list.value = list.value.filter(u => u.id !== user.id);
+}
+
+// Owner handlers keep lists in sync
+const addOwner = (user: AuthorityDto) => {
+  addUnique(owners, user);
+  removeFrom(members, user);
+};
+const removeOwner = (user: AuthorityDto) => {
+  removeFrom(owners, user);
+};
+
+// Member handlers keep lists in sync
+const addMember = (user: AuthorityDto) => {
+  addUnique(members, user);
+  removeFrom(owners, user);
+};
+const removeMember = (user: AuthorityDto) => {
+  removeFrom(members, user);
+};
+
+const removedMembers = computed<AuthorityDto[]>(() => {
+  const oldMembers = [...existingOwners.value, ...existingMembers.value];
+  const oldIds = oldMembers.map(u => u.id);
+  const oldMembersById = R.indexBy<AuthorityDto, string>(oldMembers, (u) => u.id);
+
+  const newIds: string[] = props.recoveryProcess?.type === 'CHANGE_PERMISSIONS'
+    ? [...(props.recoveryProcess.details.newOwnerIds ?? []), ...(props.recoveryProcess.details.newMemberIds ?? [])]
+    : [...newOwnerIds.value, ...newMemberIds.value];
+
+  const removedIds = R.difference(oldIds, newIds);
+  return removedIds.map((id) => oldMembersById[id]);
+});
+
+const selectedNewOwners = computed<AuthorityDto[]>(() => {
+  if (props.recoveryProcess?.type === 'CHANGE_PERMISSIONS') {
+    const ids = new Set(props.recoveryProcess.details.newOwnerIds);
+    return owners.value.filter(u => ids.has(u.id));
+  } else {
+    return owners.value;
+  }
+});
+
+const selectedNewmembers = computed<AuthorityDto[]>(() => {
+  if (props.recoveryProcess?.type === 'CHANGE_PERMISSIONS') {
+    const ids = new Set(props.recoveryProcess.details.newMemberIds);
+    return members.value.filter(u => ids.has(u.id));
+  } else {
+    return members.value;
+  }
+});
+
+// COUNCIL CHANGE
+const councilMembers = ref<ActivatedUser[]>([]);
+
+const canStartRecovery = computed(() => {
+  if (processType.value === undefined) return false;
+  if (conflictingProcessExists.value) return false;
+
+  if (processType.value === 'CHANGE_PERMISSIONS') {
+    const existingOwnerIds = new Set(existingOwners.value.map(u => u.id));
+    const sameOwners = owners.value.length === existingOwners.value.length && owners.value.every(o => existingOwnerIds.has(o.id));
+    const existingMemberIds = new Set(existingMembers.value.map(u => u.id));
+    const sameMembers = members.value.length === existingMembers.value.length && members.value.every(m => existingMemberIds.has(m.id));
+    return !(sameOwners && sameMembers) && owners.value.length !== 0;
+  } else if (processType.value === 'COUNCIL_CHANGE' && emergencyAccessSetup.value) {
+    const existingCouncilIds = new Set(Object.keys(props.vault.emergencyKeyShares));
+    const sameCouncil = emergencyAccessSetup.value.emergencyCouncilMembers.length === existingCouncilIds.size && emergencyAccessSetup.value.emergencyCouncilMembers.every(m => existingCouncilIds.has(m.id));
+    const sameRequiredKeyShares = props.settings.defaultRequiredEmergencyKeyShares === props.vault.requiredEmergencyKeyShares; // does the vault's current number of required key shares differ from the configured default?
+    return !emergencyAccessSetup.value.hasValidationErrors && (!sameCouncil || !sameRequiredKeyShares);
+  }
+
+  return false;
+});
+
+const noopSearch = async () => [];
+
+async function searchUsers(query: string): Promise<AuthorityDto[]> {
+  const authorities = await backend.authorities.search(query, true);
+  return authorities
+    .filter((a): a is AuthorityDto => true)
+    .sort((a, b) => a.name.localeCompare(b.name));
+}
+
+const abortDialog = ref<InstanceType<typeof ProcessAbortDialog> | null>(null);
+const wantAbort = ref(false);
+
+function requestCancel() {
+  if (!props.recoveryProcess) return;
+  wantAbort.value = true;
+  abortDialog.value?.show();
+}
+
+function onAbortClosed() { wantAbort.value = false; }
+
+function handleParentClose() { if (!wantAbort.value) open.value = false; }
+
+function handleAfterLeave() { if (!open.value) emit('close'); }
+
+async function handleRecoveryAborted() {
+  if (!props.recoveryProcess) return;
+  onError.value = undefined;
+  try {
+    await backend.emergencyAccess.abort(props.recoveryProcess.id);
+    emit('updated');
+    wantAbort.value = false;
+    open.value = false;
+  } catch (error) {
+    console.error('Cancelling emergency recovery failed.', error);
+    onError.value = error instanceof Error ? error : new Error('Unknown Error');
+  }
+}
+
+async function show() {
+  await loadExistingProcessesForVault();
+  initProcessType();
+  await initOwnersAndMembers();
+  await loadAuthoritiesForCouncilAndProcesses();
+  await initProcessSpecificState();
+  showSuccess.value = false;
+  open.value = true;
+  await nextTick();
+
+  if (phase.value === 'start' && processType.value === 'CHANGE_PERMISSIONS') {
+    return ownersSelect.value?.focus();
+  } else {
+    return closeButton.value?.focus();
+  }
+}
+
+async function loadExistingProcessesForVault() {
+  existingProcesses.value = await backend.emergencyAccess.findProcessesForVault(props.vault.id);
+}
+
+function initProcessType() {
+  if (props.recoveryProcess) {
+    processType.value = props.recoveryProcess.type;
+  } else if (props.startType) {
+    processType.value = props.startType;
+  } else {
+    const allTypes: RecoveryProcessDto['type'][] = ['CHANGE_PERMISSIONS', 'COUNCIL_CHANGE'];
+    const firstFree = allTypes.find(t => !processConflicts(t));
+    processType.value = firstFree ?? 'CHANGE_PERMISSIONS';
+  }
+}
+
+async function initOwnersAndMembers() {
+  try {
+    const memberList = await backend.vaults.getMembers(props.vault.id);
+    const initialOwners = memberList.filter(m => m.vaultRole === 'OWNER') as AuthorityDto[];
+    const initialMembers = memberList.filter(m => m.vaultRole === 'MEMBER') as AuthorityDto[];
+
+    existingOwners.value = initialOwners;
+    owners.value = [...initialOwners];
+
+    existingMembers.value = initialMembers;
+    members.value = [...initialMembers];
+  } catch (e) {
+    console.error('Loading existing owners/members failed', e);
+  }
+}
+
+async function loadAuthoritiesForCouncilAndProcesses() {
+  const memberIdsOfAllRunningProcesses = existingProcesses.value.flatMap(p =>
+    Object.keys(p.recoveredKeyShares ?? {})
+  );
+
+  const councilIds = Object.keys(props.vault.emergencyKeyShares ?? {});
+  const allIds = Array.from(new Set([...memberIdsOfAllRunningProcesses, ...councilIds]));
+
+  if (allIds.length > 0) {
+    const auths = await backend.authorities.listSome(allIds);
+    authoritiesById.value = R.indexBy(auths, u => u.id);
+  } else {
+    authoritiesById.value = {};
+  }
+}
+
+async function initProcessSpecificState() {
+  if (props.recoveryProcess?.type === 'COUNCIL_CHANGE') {
+    councilMembers.value = await loadActivatedUsers(props.recoveryProcess.details.newCouncilMemberIds);
+  } else if (!props.recoveryProcess && processType.value === 'COUNCIL_CHANGE') {
+    councilMembers.value = await loadActivatedUsers(Object.keys(props.vault.emergencyKeyShares));
+  } else if (props.recoveryProcess?.type === 'CHANGE_PERMISSIONS') {
+    const newOwners = await backend.authorities.listSome(props.recoveryProcess.details.newOwnerIds);
+    const enrichedOwners = await enrichGroupsMemberSize([...owners.value, ...newOwners]);
+    owners.value = R.uniqueBy(enrichedOwners, u => u.id);
+
+    const newMembers = await backend.authorities.listSome(props.recoveryProcess.details.newMemberIds);
+    const enrichedMembers = await enrichGroupsMemberSize([...members.value, ...newMembers]);
+    members.value = R.uniqueBy(enrichedMembers, u => u.id);
+  }
+};
+
+async function enrichGroupsMemberSize(authorities: AuthorityDto[]): Promise<AuthorityDto[]> {
+  const groups = authorities.filter(a => a.type === 'GROUP') as GroupDto[];
+  if (groups.length === 0) return authorities;
+
+  const lookups = await Promise.all(groups.map(async g => {
+    const res = await backend.authorities.search(g.name, true);
+    const hit = res.find(a => a.type === 'GROUP' && a.id === g.id) as GroupDto | undefined;
+    return [g.id, hit?.memberSize] as const;
+  }));
+  const byId = Object.fromEntries(lookups);
+
+  return authorities.map(a =>
+    a.type === 'GROUP'
+      ? { ...a, memberSize: byId[a.id] ?? (a as GroupDto).memberSize }
+      : a
+  );
+}
+
+const showSuccess = ref(false);
+
+const phaseTitle = computed(() => {
+  if (showSuccess.value) return t('emergencyAccessDialog.title.success');
+
+  switch (phase.value) {
+    case 'start': {
+      if (processType.value === 'COUNCIL_CHANGE') {
+        return t('emergencyAccessDialog.title.changeCouncil');
+      }
+      return t('emergencyAccessDialog.title.changePermissions');
+    }
+    case 'approve': {
+      if (!isMeInProcessCouncil.value) {
+        return t('emergencyAccessDialog.title.processDetails');
+      }
+      return didAddMyShare.value
+        ? t('emergencyAccessDialog.title.approved')
+        : t('emergencyAccessDialog.title.approveEmergencyAccess');
+    }
+    case 'complete': {
+      return !didAddMyShare.value
+        ? t('emergencyAccessDialog.title.completeEmergencyAccess')
+        : t('emergencyAccessDialog.title.approved');
+    }
+    default:
+      return '';
+  }
+});
+
+/**
+ * PHASE ONE: Starting the recovery process and adding the first share.
+ */
+async function startRecovery() {
+  onError.value = undefined;
+  try {
+    const recoveryCouncilMemberIds = Object.keys(props.vault.emergencyKeyShares);
+    const councilMembers = await loadActivatedUsers(recoveryCouncilMemberIds);
+    if (councilMembers.length < props.vault.requiredEmergencyKeyShares) {
+      throw new Error(t('emergencyAccessDialog.error.insufficientCouncilMembers', [councilMembers.length, props.vault.requiredEmergencyKeyShares]));
+    }
+
+    let data: RecoveryProcessSetNewOwner | RecoveryProcessChangeCouncil;
+    if (processType.value === 'CHANGE_PERMISSIONS') {
+      if (newOwnerIds.value.length === 0) {
+        throw new Error(t('recoveryDialog.error.noOwnerSelected'));
+      }
+      data = {
+        type: 'CHANGE_PERMISSIONS',
+        details: {
+          newOwnerIds: newOwnerIds.value,
+          newMemberIds: newMemberIds.value
+        }
+      };
+    } else if (processType.value === 'COUNCIL_CHANGE' && emergencyAccessSetup.value) {
+      if (emergencyAccessSetup.value.hasValidationErrors) {
+        throw new Error(t('recoveryDialog.error.notEnoughCouncilMembers')); // TODO: change error message
+      }
+      data = {
+        type: 'COUNCIL_CHANGE',
+        details: {
+          newCouncilMemberIds: emergencyAccessSetup.value.emergencyCouncilMembers.map(u => u.id),
+          newRequiredKeyShares: props.settings.defaultRequiredEmergencyKeyShares
+        }
+      };
+    } else {
+      throw new Error(t('recoveryDialog.error.invalidRecoveryType'));
+    }
+
+    const processKeyPair = await EmergencyAccess.startRecovery(councilMembers);
+    const process: RecoveryProcessDto = {
+      id: crypto.randomUUID(),
+      vaultId: props.vault.id,
+      ...data,
+      requiredKeyShares: props.vault.requiredEmergencyKeyShares,
+      processPublicKey: processKeyPair.recoveryPublicKey,
+      recoveredKeyShares: {}
+    };
+    for (const [memberId, jwe] of Object.entries(processKeyPair.recoveryPrivateKeys)) {
+      process.recoveredKeyShares[memberId] = {
+        unrecoveredKeyShare: props.vault.emergencyKeyShares[memberId],
+        processPrivateKey: jwe,
+      };
+    }
+
+    const userKeys = await userdata.decryptUserKeysWithBrowser();
+    process.recoveredKeyShares[props.me.id] = await addMyShare(process, userKeys);
+
+    await backend.emergencyAccess.startRecovery(process);
+    emit('updated', process);
+    open.value = false;
+  } catch (error) {
+    console.error('Starting emergency recovery failed.', error);
+    onError.value = error instanceof Error ? error : new Error('Unknown Error');
+  }
+}
+
+/**
+ * PHASE TWO: Adding further shares to the recovery process.
+ */
+async function approveRecovery() {
+  if (!props.recoveryProcess) {
+    throw new Error(t('emergencyAccessDialog.error.noProcessToApprove'));
+  }
+  onError.value = undefined;
+  try {
+    const verifiedProcess = await verifyProcessInfo(props.recoveryProcess);
+    if (!verifiedProcess) {
+      throw new Error(t('emergencyAccessDialog.error.processTampered'));
+    }
+
+    const userKeys = await userdata.decryptUserKeysWithBrowser();
+    const process = structuredClone(toRaw(props.recoveryProcess));
+    process.recoveredKeyShares[props.me.id] = await addMyShare(process, userKeys);
+    await backend.emergencyAccess.addMyShare(process.id, process.recoveredKeyShares[props.me.id]);
+
+    emit('updated', process);
+    open.value = false;
+  } catch (error) {
+    console.error('Approving emergency recovery failed.', error);
+    onError.value = error instanceof Error ? error : new Error('Unknown Error');
+  }
+}
+
+/**
+ * PHASE THREE: By adding the last required share, we can complete the recovery process.
+ */
+async function completeRecovery() {
+  if (!props.recoveryProcess) {
+    throw new Error(t('emergencyAccessDialog.error.noProcessToComplete'));
+  }
+  onError.value = undefined;
+  try {
+    const verifiedProcess = await verifyProcessInfo(props.recoveryProcess);
+    if (!verifiedProcess) {
+      throw new Error(t('emergencyAccessDialog.error.processTampered'));
+    }
+
+    const userKeys = await userdata.decryptUserKeysWithBrowser();
+
+    const process = structuredClone(toRaw(props.recoveryProcess));
+    process.recoveredKeyShares[props.me.id] = await addMyShare(process, userKeys);
+
+    const keyShares = Object.values(process.recoveredKeyShares).filter(p => p.recoveredKeyShare !== undefined).map(p => p.recoveredKeyShare!);
+
+    const processPrivateKey = process.recoveredKeyShares[props.me.id].processPrivateKey;
+    const recoveredKeyBytes = await EmergencyAccess.combineRecoveredShares(keyShares, processPrivateKey, userKeys.ecdhKeyPair.privateKey);
+    const recoveredKey = wordEncoder.encodePadded(recoveredKeyBytes);
+
+    if (process.type === 'COUNCIL_CHANGE') {
+      if (councilMembers.value.length < process.details.newRequiredKeyShares) {
+        throw new Error(t('emergencyAccessDialog.error.insufficientCouncilMembers', [councilMembers.value.length, process.details.newRequiredKeyShares]));
+      }
+      const keyShares = await EmergencyAccess.split(recoveredKeyBytes, process.details.newRequiredKeyShares, ...councilMembers.value);
+      await backend.vaults.createOrUpdateVault({
+        ...props.vault,
+        requiredEmergencyKeyShares: process.details.newRequiredKeyShares,
+        emergencyKeyShares: keyShares
+      });
+    } else if (process.type === 'CHANGE_PERMISSIONS') {
+      const vaultKeys: AccessTokenProducing = props.vault.uvfMetadataFile
+        ? await UniversalVaultFormat.recover(props.vault.uvfMetadataFile, recoveredKey)
+        : await VaultFormat8.recover(recoveredKey);
+      
+      // const vaultKeys = await VaultKeys.recover(recoveredKey);
+
+      const membersWithRole = Object.fromEntries([
+        ...selectedNewmembers.value.map(u => [u.id, 'MEMBER']),
+        ...selectedNewOwners.value.map(u => [u.id, 'OWNER'])
+      ]) as Record<string, VaultRole>;
+
+      await backend.vaults.setMembersWithRole(props.vault.id, membersWithRole);
+
+      const activatedUsersToGrant = (await backend.vaults.getUsersRequiringAccessGrant(props.vault.id) as UserDto[])
+        .filter(didCompleteSetup);
+
+      const accessGrants: AccessGrant[] = await Promise.all(
+        activatedUsersToGrant.map(async u => {
+          const publicKey = base64.decode(u.ecdhPublicKey) as Uint8Array<ArrayBuffer>;
+          const jwe = await vaultKeys.encryptForUser(publicKey);
+          return { userId: u.id, token: jwe };
+        })
+      );
+
+      if (accessGrants.length > 0) { await backend.vaults.grantAccess(props.vault.id, ...accessGrants); }
+    }
+
+    await backend.emergencyAccess.complete(process.id);
+    emit('updated');
+    showSuccess.value = true; 
+    closeButton.value?.focus();
+  } catch (error) {
+    console.error('Completing emergency recovery failed.', error);
+    onError.value = error instanceof Error ? error : new Error('Unknown Error');
+  }
+}
+
+type SignedProcessInfoPayload = Pick<RecoveryProcessDto, 'type' | 'details'> & {
+  iss: string;
+  sub: string;
+  iat: number;
+};
+
+async function addMyShare(process: RecoveryProcessDto, userKeys: UserKeys): Promise<RecoveredKeyShareDto> {
+  const encryptedShare = process.recoveredKeyShares[props.me.id].unrecoveredKeyShare;
+  const recoveredShare = await EmergencyAccess.recoverShare(encryptedShare, userKeys.ecdhKeyPair.privateKey, process.processPublicKey);
+
+  const processInfo = R.pick(process, ['type', 'details']);
+  const payload: SignedProcessInfoPayload = {
+    iss: props.me.id,
+    sub: process.id,
+    iat: Math.floor(Date.now() / 1000),
+    ...processInfo
+  };
+
+  const signedProcessInfo = await JWT.build({
+    alg: 'ES384',
+    typ: 'JWT',
+    b64: true
+  }, payload, userKeys.ecdsaKeyPair.privateKey);
+
+  return {
+    ...process.recoveredKeyShares[props.me.id],
+    recoveredKeyShare: recoveredShare,
+    signedProcessInfo: signedProcessInfo
+  };
+}
+
+async function verifyProcessInfo(process: RecoveryProcessDto): Promise<boolean> {
+  const councilMemberIds = Object.keys(process.recoveredKeyShares);
+  const authorities = await backend.authorities.listSome(councilMemberIds);
+  const councilMembers = R.indexBy(
+    authorities.filter(a => a.type === 'USER').filter(u => didCompleteSetup(u)),
+    u => u.id
+  );
+
+  for (const [councilMemberId, recoveredKeyShare] of Object.entries(process.recoveredKeyShares)) {
+    if (!recoveredKeyShare.recoveredKeyShare) {
+      continue;
+    } else if (!recoveredKeyShare.signedProcessInfo) {
+      console.error(`Missing signed process info for council member ${councilMemberId}.`);
+      return false;
+    } else if (!councilMembers[councilMemberId]) {
+      console.error(`Unknown council member ${councilMemberId}.`);
+      return false;
+    }
+    const councilMember = councilMembers[councilMemberId];
+    const publicKey = await asPublicKey(base64.decode(councilMember.ecdsaPublicKey) as Uint8Array<ArrayBuffer>, ECDSA_P384, ['verify']);
+    const [_header, payload] = await JWT.parse(recoveredKeyShare.signedProcessInfo, publicKey) as [JWTHeader, SignedProcessInfoPayload];
+    if (payload.sub !== process.id || payload.iss !== councilMemberId) {
+      console.error(`Invalid signed process info for council member ${councilMemberId}.`);
+      return false;
+    }
+    if (payload.type !== process.type || !R.isDeepEqual(payload.details, process.details)) {
+      console.error(`Signed process info for council member ${councilMemberId} does not match the recovery process`, process, payload);
+      return false;
+    }
+  }
+  return true;
+}
+
+async function loadActivatedUsers(ids: string[]): Promise<ActivatedUser[]> {
+  const authorities = await backend.authorities.listSome(ids);
+  return authorities
+    .filter((a): a is ActivatedUser => a.type === 'USER' && didCompleteSetup(a))
+    .sort((a, b) => a.name.localeCompare(b.name));
+}
+</script>
diff --git a/frontend/src/components/emergencyaccess/EmergencyAccessSetup.vue b/frontend/src/components/emergencyaccess/EmergencyAccessSetup.vue
new file mode 100644
index 000000000..64f01259a
--- /dev/null
+++ b/frontend/src/components/emergencyaccess/EmergencyAccessSetup.vue
@@ -0,0 +1,190 @@
+<template>
+  <div class="relative">
+    <div class="flex items-center justify-between gap-2 pt-2 pb-2">
+      <label :for="id + '-cm'" class="text-sm font-medium text-gray-700 flex items-center">
+        {{ readonly || !allowChoosingCouncil ? t('emergencyAccess.label.newCouncilMembers') : t('emergencyAccessDialog.label.councilMembersAtLeast', [settings.defaultMinMembers]) }}
+      </label>
+      <button
+        v-if="hasCouncilChanges && !readonly"
+        type="button"
+        class="inline-flex cursor-pointer items-center justify-center rounded text-primary hover:text-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-primary focus:ring-offset-2"
+        :aria-label="t('common.reset')"
+        :title="t('common.reset')"
+        @click="resetCouncilMembers()"
+      >
+        <ArrowUturnLeftIcon class="h-4 w-4" aria-hidden="true" />
+      </button>
+    </div>
+    <MultiUserSelectInputGroup
+      :selected-users="emergencyCouncilMembers"
+      :on-search="searchCouncilMembers"
+      :input-id="id + '-cm'"
+      :input-visible="allowChoosingCouncil && !readonly"
+      :error-message="t('emergencyAccess.validation.minimumMembers', [settings.defaultMinMembers])"
+      :has-error="allowChoosingCouncil && hasValidationErrors"
+      @action="addCouncilMember"
+      @remove="removeCouncilMember"
+    />
+  </div>
+
+  <div v-if="showRequiredKeyShares" class="mt-4 space-y-1 text-sm text-gray-500">
+    <div>
+      <span class="font-medium text-gray-700">{{ t('emergencyAccess.requiredKeyShares') }}:</span>
+      {{ requiredKeyShares }}
+    </div>
+  </div>
+
+  <span class="block text-sm font-medium text-gray-700 pt-4">
+    {{ readonly ? t('emergencyAccess.label.possibleScenario') : t('emergencyAccess.label.exampleRecovery') }}
+  </span>
+  <EmergencyScenarioVisualization
+    :selected-users="emergencyCouncilMembers"
+    :required-key-shares="requiredKeyShares"
+  />
+  <div v-if="requiredKeyShares === emergencyCouncilMembers.length && allowChoosingCouncil && !readonly && !hasValidationErrors" class="mt-4 mr-3">
+    <span class="inline-flex items-center gap-2 rounded-full bg-yellow-50 ring-1 ring-yellow-300/70 px-2.5 py-1 text-xs font-medium text-yellow-800">
+      <ExclamationTriangleIcon class="h-4 w-4" aria-hidden="true" />
+      {{ t('emergencyAccess.noRedundancy') }}
+    </span>
+  </div>
+</template>
+
+<script setup lang="ts">
+import { ArrowUturnLeftIcon, ExclamationTriangleIcon } from '@heroicons/vue/24/solid';
+import { useId, computed, onMounted, ref } from 'vue';
+import { useI18n } from 'vue-i18n';
+import backend, { ActivatedUser, SettingsDto, didCompleteSetup } from '../../common/backend';
+import { RecoveryKeyProducing } from '../../common/crypto';
+import { EmergencyAccess } from '../../common/emergencyaccess';
+import { wordEncoder } from '../../common/util';
+import MultiUserSelectInputGroup from '../MultiUserSelectInputGroup.vue';
+import EmergencyScenarioVisualization from './EmergencyScenarioVisualization.vue';
+
+const { t } = useI18n({ useScope: 'global' });
+const id = useId();
+
+const props = withDefaults(defineProps<{
+  councilMembers?: ActivatedUser[];
+  settings: SettingsDto;
+  readonly?: boolean;
+  requiredKeyShares: number
+  showRequiredKeyShares?: boolean;
+  allowChoosingCouncil?: boolean;
+}>(), {
+  councilMembers: () => [],
+  readonly: false,
+  showRequiredKeyShares: false,
+  allowChoosingCouncil: false,
+});
+
+export type SplitResult = {
+  keyShares: Record<string, string>;
+  requiredKeyShares: number;
+};
+
+// current council:
+const currentEmergencyCouncilMembers = ref<ActivatedUser[]>([...props.councilMembers]);
+
+// user choice:
+const emergencyCouncilMembers = ref<ActivatedUser[]>([]);
+
+// validation:
+const isInvalidKeyShares = computed(() => props.requiredKeyShares < 1);
+const isInvalidCouncilMembers = computed(() => emergencyCouncilMembers.value.length < 1);
+const hasTooFewCouncilMembers = computed(() =>
+  emergencyCouncilMembers.value.length < props.requiredKeyShares
+  || (props.allowChoosingCouncil && emergencyCouncilMembers.value.length < props.settings.defaultMinMembers)
+);
+const hasCouncilChanges = computed(() => {
+  if (emergencyCouncilMembers.value.length !== currentEmergencyCouncilMembers.value.length) {
+    return true;
+  }
+
+  const defaultIds = new Set(currentEmergencyCouncilMembers.value.map(member => member.id));
+  return emergencyCouncilMembers.value.some(member => !defaultIds.has(member.id));
+});
+const hasValidationErrors = computed(() =>
+  isInvalidKeyShares.value || isInvalidCouncilMembers.value || hasTooFewCouncilMembers.value
+);
+
+defineExpose({
+  split,
+  hasValidationErrors,
+  emergencyCouncilMembers
+});
+
+onMounted(async () => {
+  await initialize();
+});
+
+async function split(vaultKeys: RecoveryKeyProducing): Promise<SplitResult> {
+  if (props.requiredKeyShares < 1) {
+    throw new Error(t('grantEmergencyAccessDialog.error.keySharesRequired'));
+  }
+
+  if (emergencyCouncilMembers.value.length < 1) {
+    throw new Error(t('grantEmergencyAccessDialog.error.councilMembersRequired'));
+  }
+
+  if (props.allowChoosingCouncil && emergencyCouncilMembers.value.length < props.settings.defaultMinMembers) {
+    throw new Error(t('grantEmergencyAccessDialog.error.tooFewCouncilMembers'));
+  }
+
+  if (emergencyCouncilMembers.value.length < props.requiredKeyShares) {
+    throw new Error(t('grantEmergencyAccessDialog.error.tooFewCouncilMembers'));
+  }
+
+  const recoveryKeyBytes = await vaultKeys.createPaddedRecoveryKeyBytes();
+  const keyShares = await EmergencyAccess.split(
+    recoveryKeyBytes,
+    props.requiredKeyShares,
+    ...emergencyCouncilMembers.value
+  );
+
+  return {
+    keyShares: keyShares,
+    requiredKeyShares: props.requiredKeyShares
+  };
+}
+
+async function initialize() {
+  // if there is no current council, load default from settings:
+  if (currentEmergencyCouncilMembers.value.length === 0) {
+    const authorities = await backend.authorities.listSome(props.settings.emergencyCouncilMemberIds);
+    const sortedActivatedUsers = authorities
+      .filter((a): a is ActivatedUser => a.type === 'USER' && didCompleteSetup(a))
+      .sort((a, b) => a.name.localeCompare(b.name));
+    currentEmergencyCouncilMembers.value = [...sortedActivatedUsers];
+  }
+
+  // pre-initialize emergencyCouncilMembers with current council or default from settings:
+  if (emergencyCouncilMembers.value.length === 0) {
+    emergencyCouncilMembers.value = [...currentEmergencyCouncilMembers.value];
+  }
+}
+
+async function searchCouncilMembers(query: string): Promise<ActivatedUser[]> {
+  const existingIds = new Set(emergencyCouncilMembers.value.map(member => member.id));
+  const authorities = await backend.authorities.search(query, true);
+  return authorities
+    .filter((a): a is ActivatedUser => a.type === 'USER' && didCompleteSetup(a))
+    .filter(a => !existingIds.has(a.id))
+    .sort((a, b) => a.name.localeCompare(b.name));
+}
+
+function addCouncilMember(authority: ActivatedUser) {
+  const alreadyExists = emergencyCouncilMembers.value.some(u => u.id === authority.id);
+
+  if (!alreadyExists) {
+    emergencyCouncilMembers.value  = [...emergencyCouncilMembers.value, authority];
+  }
+}
+
+function removeCouncilMember(user: ActivatedUser) {
+  emergencyCouncilMembers.value = emergencyCouncilMembers.value.filter(u => u.id !== user.id);
+}
+
+function resetCouncilMembers() {
+  emergencyCouncilMembers.value = [...currentEmergencyCouncilMembers.value];
+}
+</script>
diff --git a/frontend/src/components/emergencyaccess/EmergencyAccessVaultList.vue b/frontend/src/components/emergencyaccess/EmergencyAccessVaultList.vue
new file mode 100644
index 000000000..22dacb0c9
--- /dev/null
+++ b/frontend/src/components/emergencyaccess/EmergencyAccessVaultList.vue
@@ -0,0 +1,520 @@
+<template>
+  <div v-if="loading" class="text-center p-8 text-gray-500 text-sm">
+    {{ t('common.loading') }}
+  </div>
+  <FetchError v-else-if="onFetchError" :error="onFetchError" :retry="fetchData" />
+
+  <LicenseAlert v-if="isLicenseViolated && isAdmin != undefined && licenseStatus" :is-admin="isAdmin" :license-status="licenseStatus" />
+
+  <ContentBanner v-if="entitlements.emergencyAccessEnabled && entitlements.showTrialHint" type="info" :title="t('trial.enterpriseFeature.title')" class="mb-6">
+    {{ t('trial.enterpriseFeature.description') }} <!-- TODO: link to feature comparison? -->
+  </ContentBanner>
+
+  <div v-if="!entitlements.emergencyAccessEnabled" class="flex flex-col justify-center items-center text-center">
+    <svg xmlns="http://www.w3.org/2000/svg" class="h-12 w-12 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
+      <path vector-effect="non-scaling-stroke" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M11.25 11.25l.041-.02a.75.75 0 011.063.852l-.708 2.836a.75.75 0 001.063.853l.041-.021M21 12a9 9 0 11-18 0 9 9 0 0118 0zm-9-3.75h.008v.008H12V8.25z" />
+    </svg>
+    <h3 class="mt-2 text-sm font-medium text-gray-900">{{ t('auditLog.paymentRequired.message') }}</h3>
+    <p class="mt-1 text-sm text-gray-500">
+      {{ t('emergencyAccess.licenseRequired.message') }}
+      <span v-if="isAdmin"> {{ t('emergencyAccess.licenseRequired.adminHint') }}</span>
+    </p>
+    <router-link to="/app/admin/settings" :hidden="!isAdmin" class="inline-flex items-center px-4 py-2 border border-transparent shadow-xs text-sm font-medium rounded-md text-white bg-primary hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary mt-6">
+      <WrenchIcon class="-ml-1 mr-2 h-5 w-5" aria-hidden="true" />
+      {{ t('auditLog.paymentRequired.openAdminSection') }}
+    </router-link>
+  </div>
+  <div v-else-if="!settings?.enableEmergencyAccess" class="mt-3 text-center">
+    <h3 class="mt-2 text-sm font-medium text-gray-900">{{ t('emergencyAccess.empty.disabled') }}</h3>
+  </div>
+  <section v-else>
+    <!-- entitlements.emergencyAccessEnabled && settings.enableEmergencyAccess -->
+    <header class="pb-5 border-b border-gray-200">
+      <div class="flex flex-col sm:flex-row sm:justify-between gap-3 w-full">
+        <h2 class="text-2xl font-bold leading-9 text-gray-900 sm:text-3xl sm:truncate">
+          {{ t('nav.emergencyAccess') }}
+        </h2>
+        <div class="flex gap-3">
+          <button class="w-full bg-primary py-2 px-4 border border-transparent rounded-md shadow-xs text-sm font-medium text-white hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary" @click="fetchData()">
+            {{ t('common.refresh') }}
+          </button>
+        </div>
+      </div>
+      <div class="mt-3 flex flex-wrap sm:flex-nowrap gap-3 items-center whitespace-nowrap">
+        <input id="vaultSearch" v-model="query" :placeholder="t('vaultList.search.placeholder')" type="text" class="focus:ring-primary focus:border-primary block w-full shadow-xs text-sm border-gray-300 rounded-md disabled:bg-gray-200"/>
+
+        <Listbox v-model="selectedFilter" as="div">
+          <div class="relative w-auto whitespace-nowrap">
+            <ListboxButton class="min-w-60 relative w-full rounded-md border border-gray-300 bg-white py-2 pl-3 pr-10 text-left shadow-xs focus:border-primary focus:outline-hidden focus:ring-1 focus:ring-primary text-sm">
+              <span class="block whitespace-nowrap">{{ filterOptions[selectedFilter] }}</span>
+              <span class="pointer-events-none absolute inset-y-0 right-0 flex items-center pr-2">
+                <ChevronUpDownIcon class="h-5 w-5 text-gray-400" aria-hidden="true" />
+              </span>
+            </ListboxButton>
+            <transition leave-active-class="transition ease-in duration-100" leave-from-class="opacity-100" leave-to-class="opacity-0">
+              <ListboxOptions class="absolute z-10 mt-1 max-h-60 w-full overflow-auto rounded-md bg-white py-1 shadow-lg ring-1 ring-black/5 focus:outline-hidden text-sm">
+                <ListboxOption v-for="(name, key) in filterOptions" :key="key" v-slot="{ active, selected }" :value="key" class="relative cursor-default select-none py-2 pl-3 pr-12 ui-not-active:text-gray-900 ui-active:text-white ui-active:bg-primary">
+                  <span :class="[selected ? 'font-semibold' : 'font-normal', 'block whitespace-nowrap']">{{ name }}</span>
+                  <span v-if="selected" :class="[active ? 'text-white' : 'text-primary', 'absolute inset-y-0 right-0 flex items-center pr-4']">
+                    <CheckIcon class="h-5 w-5" aria-hidden="true" />
+                  </span>
+                </ListboxOption>
+              </ListboxOptions>
+            </transition>
+          </div>
+        </Listbox>
+      </div>
+    </header>
+
+    <div v-if="filteredVaults.length === 0" class="mt-3 text-center">
+      <h3 class="mt-2 text-sm font-medium text-gray-900">{{ t('emergencyAccess.empty.noneFound') }}</h3>
+    </div>
+    <ul role="list" class="mt-5 divide-y divide-gray-200 bg-white shadow-sm rounded-md">
+      <li v-for="(vault, index) in filteredVaults" :key="vault.id">
+        <details
+          class="group/vault hover:bg-gray-50"
+          :class="{ 'rounded-t-md': index == 0, 'rounded-b-md': index == filteredVaults.length - 1 }"
+          @toggle="onVaultDetailsToggle(vault.id, $event)"
+        >
+          <summary
+            class="list-none px-4 py-4 sm:px-6  cursor-pointer [&::-webkit-details-marker]:hidden"
+            :class="{ 'rounded-t-md': index == 0, 'rounded-b-md': index == filteredVaults.length - 1 }"
+          >
+            <div class="flex flex-wrap gap-3 sm:flex-nowrap sm:items-center sm:justify-between">
+              <!-- Name and description -->
+              <div class="flex-1 min-w-40">
+                <div class="flex items-center gap-3 min-w-0">
+                  <p class="truncate text-sm font-medium text-primary min-w-0">
+                    {{ vault.name }}
+                  </p>
+                  <div v-if="vault.archived" class="inline-flex items-center rounded-md bg-yellow-400/10 px-2 py-1 text-xs font-medium text-yellow-500 ring-1 ring-inset ring-yellow-400/20">{{ t('vaultList.badge.archived') }}</div>
+                </div>
+                <p
+                  v-if="vault.description"
+                  class="truncate text-sm text-gray-500 mt-2 min-w-0"
+                >
+                  {{ vault.description }}
+                </p>
+              </div>
+
+              <div class="flex flex-wrap items-center gap-2 sm:justify-end" @click.stop>
+                <EmergencyBadge
+                  v-if="isBroken(vault)"
+                  type="broken"
+                  :title="t('emergencyAccess.badge.broken.title')"
+                  :message="t('emergencyAccess.badge.broken.message')"
+                />
+
+                <EmergencyBadge
+                  v-if="settings && settings.defaultMinMembers > emergencyAccessMembers(vault).length"
+                  type="insufficientCouncilMembers"
+                  :title="t('emergencyAccess.badge.insufficientCouncilMembers.title')"
+                  :message="t('emergencyAccess.badge.insufficientCouncilMembers.message', [settings.defaultMinMembers])"
+                  position="right"
+                />
+
+                <EmergencyBadge
+                  v-else-if="vault.requiredEmergencyKeyShares === emergencyAccessMembers(vault).length"
+                  type="noRedundancy"
+                  :title="t('emergencyAccess.badge.noRedundancy.title')"
+                  :message="t('emergencyAccess.badge.noRedundancy.message')"
+                />
+              </div>
+              <div class="flex items-center gap-2">
+                <span
+                  v-if="getProcesses(vault.id).length > 0"
+                  class="inline-flex items-center rounded-full bg-gray-100 px-2 py-0.5 text-xs font-medium text-gray-700"
+                >
+                  {{ getProcesses(vault.id).length }}
+                </span>
+                <ChevronDownIcon class="h-5 w-5 text-gray-400 transition-transform duration-200 group-open/vault:rotate-180" aria-hidden="true"/>
+              </div>
+            </div>
+          </summary>
+          <div class="px-4 py-4 sm:px-6 text-sm text-gray-500">
+            <div class="flex flex-col gap-4 md:flex-row">
+              <!-- EMERGENCY ACCESS COUNCIL -->
+              <section class="flex flex-1 min-w-0 flex-col">
+                <h4 class="mb-2 font-semibold text-gray-700">{{ t('emergencyAccess.vaultCouncil') }}</h4>
+                <ul class="max-h-56 overflow-auto pr-1 mb-1">
+                  <li
+                    v-for="member in getCurrentCouncilMembers(vault)"
+                    :key="member.id"
+                    class="flex items-center gap-2 h-6"
+                  >
+                    <img
+                      v-if="member.pictureUrl"
+                      :src="member.pictureUrl"
+                      class="h-4 w-4 rounded-full"
+                    />
+                    {{ member.name }}
+                  </li>
+                </ul>
+                <div class="mb-3">
+                  {{ t('emergencyAccess.requiredKeyShares') }}: {{ vault.requiredEmergencyKeyShares }}
+                </div>
+                <div class="mt-auto pt-2 flex flex-wrap items-center gap-2">
+                  <EmergencyBadge
+                    v-if="!isEmergencyKeyShareHolder(vault)"
+                    type="notCouncil"
+                    :title="t('emergencyAccess.badge.notCouncil.title')"
+                    :message="t('emergencyAccess.badge.notCouncil.message')"
+                  />
+                  <EmergencyProcessButton
+                    v-if="getProcessByType(vault, 'COUNCIL_CHANGE')"
+                    :label="getTypeLabel(vault, 'COUNCIL_CHANGE')"
+                    :approval-label="getApprovalLabel(getProcessByType(vault, 'COUNCIL_CHANGE')!)"
+                    :disabled="isBroken(vault) || !isUserInProcessWithType(vault, 'COUNCIL_CHANGE')"
+                    :has-process="true"
+                    :can-start="false"
+                    :required-key-shares="getProcessByType(vault, 'COUNCIL_CHANGE')!.requiredKeyShares"
+                    :completed-key-shares="getCompletedSegmentsForProcess(getProcessByType(vault, 'COUNCIL_CHANGE')!)"
+                    :council-members="getCouncilMembersForProcess(getProcessByType(vault, 'COUNCIL_CHANGE')!)"
+                    :recovered-member-ids="Array.from(recoveredMemberIdsForProcess(getProcessByType(vault, 'COUNCIL_CHANGE')!))"
+                    @click-main="onUnifiedButtonClick(vault, 'COUNCIL_CHANGE')"
+                  />
+                  <EmergencyProcessButton
+                    v-else
+                    :label="getTypeLabel(vault, 'COUNCIL_CHANGE')"
+                    :disabled="isBroken(vault) || !isEmergencyKeyShareHolder(vault)"
+                    :has-process="false"
+                    :can-start="true"
+                    @click-main="onUnifiedButtonClick(vault, 'COUNCIL_CHANGE')"
+                  />
+                </div>
+              </section>
+
+              <!-- VAULT MEMBERS -->
+              <section class="flex flex-1 min-w-0 flex-col">
+                <h4 class="mb-2 font-semibold text-gray-700">Vault Access</h4>
+                <div class="grid grid-cols-[max-content_minmax(0,1fr)] gap-x-3 gap-y-3 items-center mb-3">
+                  <div class="text-xs font-medium uppercase tracking-wide text-gray-500 whitespace-nowrap">{{ t('emergencyAccess.label.owners') }}:</div>
+                  <UserListGroupVisualization :authorities="getVaultMembers(vault.id).filter(member => member.vaultRole === 'OWNER')" :max="8"/>
+                    
+                  <div class="text-xs font-medium uppercase tracking-wide text-gray-500 whitespace-nowrap">{{ t('emergencyAccess.label.members') }}:</div>
+                  <UserListGroupVisualization :authorities="getVaultMembers(vault.id).filter(member => member.vaultRole === 'MEMBER')" :max="8"/>
+                </div>
+                <div class="mt-auto pt-2 flex flex-wrap items-center gap-2">
+                  <EmergencyProcessButton
+                    v-if="getProcessByType(vault, 'CHANGE_PERMISSIONS')"
+                    :label="getTypeLabel(vault, 'CHANGE_PERMISSIONS')"
+                    :approval-label="getApprovalLabel(getProcessByType(vault, 'CHANGE_PERMISSIONS')!)"
+                    :disabled="isBroken(vault) || !isUserInProcessWithType(vault, 'CHANGE_PERMISSIONS')"
+                    :has-process="true"
+                    :can-start="false"
+                    :required-key-shares="getProcessByType(vault, 'CHANGE_PERMISSIONS')!.requiredKeyShares"
+                    :completed-key-shares="getCompletedSegmentsForProcess(getProcessByType(vault, 'CHANGE_PERMISSIONS')!)"
+                    :council-members="getCouncilMembersForProcess(getProcessByType(vault, 'CHANGE_PERMISSIONS')!)"
+                    :recovered-member-ids="Array.from(recoveredMemberIdsForProcess(getProcessByType(vault, 'CHANGE_PERMISSIONS')!))"
+                    @click-main="onUnifiedButtonClick(vault, 'CHANGE_PERMISSIONS')"
+                  />
+                  <EmergencyProcessButton
+                    v-else
+                    :label="getTypeLabel(vault, 'CHANGE_PERMISSIONS')"
+                    :disabled="isBroken(vault) || !isEmergencyKeyShareHolder(vault)"
+                    :has-process="false"
+                    :can-start="true"
+                    @click-main="onUnifiedButtonClick(vault, 'CHANGE_PERMISSIONS')"
+                  />
+                </div>
+              </section>
+            </div>
+          </div>
+        </details>
+      </li>
+    </ul>
+  </section>
+
+  <EmergencyAccessDialog
+    v-if="recoveryApprovVault && settings"
+    ref="recoveryApprovDialog"
+    :settings="settings"
+    :vault="recoveryApprovVault"
+    :me="me!"
+    :recovery-process="selectedProcess"
+    :start-type="startType"
+    @updated="fetchData"
+    @close="recoveryApprovVault = undefined"
+  />
+</template>
+
+<script setup lang="ts">
+import { ref, computed, onMounted, nextTick } from 'vue';
+import { useI18n } from 'vue-i18n';
+import * as R from 'remeda';
+import auth from '../../common/auth';
+import backend, { LicenseUserInfoDto, VaultDto, RecoveryProcessDto, MemberDto, SettingsDto } from '../../common/backend';
+import FetchError from '../FetchError.vue';
+import { Listbox, ListboxButton, ListboxOption, ListboxOptions } from '@headlessui/vue';
+import LicenseAlert from '../LicenseAlert.vue';
+import ContentBanner from '../ContentBanner.vue';
+import { CheckIcon, ChevronDownIcon, ChevronUpDownIcon, WrenchIcon } from '@heroicons/vue/24/solid';
+import userdata from '../../common/userdata';
+import { UserDto } from '../../common/backend';
+import config from '../../common/config';
+import EmergencyAccessDialog from './EmergencyAccessDialog.vue';
+import EmergencyBadge from './EmergencyBadge.vue';
+import EmergencyProcessButton from './EmergencyProcessButton.vue';
+import UserListGroupVisualization from '../UserListGroupVisualization.vue';
+
+const SUPPORTED_PROCESS_TYPES = ['CHANGE_PERMISSIONS', 'COUNCIL_CHANGE'] as const;
+
+const { t } = useI18n({ useScope: 'global' });
+const me = ref<UserDto>();
+const query = ref('');
+const vaults = ref<VaultDto[]>([]);
+const loading = ref(true);
+const onFetchError = ref<Error>();
+
+const isAdmin = ref<boolean>(false);
+
+const entitlements = config.get().entitlements;
+const licenseStatus = ref<LicenseUserInfoDto>();
+const settings = ref<SettingsDto>();
+const isLicenseViolated = computed(() => {
+  if (licenseStatus.value) {
+    return licenseStatus.value.isExceeded() || licenseStatus.value.isExpired();
+  } else {
+    return false;
+  }
+});
+
+const selectedFilter = ref<'recoverableVaults' | 'approved' | 'approvable' | 'startable'>('recoverableVaults');
+const filterOptions = computed(() => ({
+  recoverableVaults: t('emergencyAccess.filter.all'),
+  approvable: t('emergencyAccess.filter.approvable'),
+  approved: t('emergencyAccess.filter.approved'),
+  startable: t('emergencyAccess.filter.startable'),
+}));
+const selectedProcess = ref<RecoveryProcessDto>();
+const filteredVaults = computed<VaultDto[]>(() => filterVaults(vaults.value));
+const vaultRecoveryProcesses = ref<Record<string, RecoveryProcessDto[]>>({});
+const startType = ref<RecoveryProcessDto['type']>('CHANGE_PERMISSIONS');
+const recoveryApprovVault = ref<VaultDto>();
+const recoveryApprovDialog = ref<typeof EmergencyAccessDialog>();
+const usersById = ref<Record<string, UserDto>>({});
+const membersByVaultId = ref<Record<string, MemberDto[]>>({});
+const membersLoadingByVaultId = ref<Record<string, boolean>>({});
+
+onMounted(fetchData);
+
+async function fetchData() {
+  loading.value = true;
+  onFetchError.value = undefined;
+  membersByVaultId.value = {};
+  membersLoadingByVaultId.value = {};
+  try {
+    me.value = await userdata.me;
+    isAdmin.value = (await auth).hasRole('admin');
+    licenseStatus.value = await backend.license.getUserInfo();
+    settings.value = await backend.settings.get();
+
+    if (entitlements.emergencyAccessEnabled && settings.value.enableEmergencyAccess){
+      vaults.value = (await backend.vaults.listRecoverable())
+        .sort((a, b) => a.name.localeCompare(b.name));
+
+      for (const vault of vaults.value) {
+        const processes = await backend.emergencyAccess.findProcessesForVault(vault.id);
+        vaultRecoveryProcesses.value[vault.id] = processes;
+      }
+
+      const memberIdsOfAllRunningProcesses = Object.values(vaultRecoveryProcesses.value)
+        .flat()
+        .flatMap(p => Object.keys(p.recoveredKeyShares));
+      const memberIds = vaults.value
+        .flatMap(v => Object.keys(v.emergencyKeyShares));
+      const combinedMemberIds = R.unique([...memberIdsOfAllRunningProcesses, ...memberIds]);
+
+      if (combinedMemberIds.length > 0) {
+        const allUsers = (await backend.authorities.listSome(combinedMemberIds)).filter(a => a.type === 'USER');
+        usersById.value = R.indexBy(allUsers, u => u.id);
+      } else {
+        usersById.value = {};
+      }
+    }
+  } catch (error) {
+    onFetchError.value = error instanceof Error ? error : new Error('Unknown Error');
+  } finally {
+    loading.value = false;
+  }
+}
+
+function recoveredMemberIdsForProcess(proc: RecoveryProcessDto): Set<string> {
+  const set = new Set<string>();
+  if (!proc?.recoveredKeyShares) return set;
+  for (const [id, ks] of Object.entries(proc.recoveredKeyShares)) {
+    if (ks?.recoveredKeyShare) set.add(id);
+  }
+  return set;
+}
+
+function didAddMyShare(proc?: RecoveryProcessDto): boolean {
+  if (!proc || !me.value) return false;
+  return proc.recoveredKeyShares?.[me.value.id]?.recoveredKeyShare !== undefined;
+}
+
+function isProcessFullyApproved(proc?: RecoveryProcessDto): boolean {
+  if (!proc) return false;
+  const recovered = Object.values(proc.recoveredKeyShares ?? {})
+    .filter(ks => ks?.recoveredKeyShare !== undefined).length;
+  return recovered >= proc.requiredKeyShares;
+}
+
+function isProcessAboutToComplete(proc?: RecoveryProcessDto): boolean {
+  if (!proc) return false;
+  const recovered = Object.values(proc.recoveredKeyShares ?? {})
+    .filter(ks => ks?.recoveredKeyShare !== undefined).length;
+  return (recovered + 1 ) >= proc.requiredKeyShares;
+}
+
+function getApprovalLabel(proc?: RecoveryProcessDto): string {
+  if (!proc) return '';
+
+  if (didAddMyShare(proc))
+    return t('emergencyAccess.approval.waitingOthers');
+  else if (!isUserInProcess(proc))
+    return t('emergencyAccess.approval.showDetails');
+  else {
+    if (isProcessFullyApproved(proc) || isProcessAboutToComplete(proc)) {
+      return t('emergencyAccess.approval.completeNow');
+    }
+    else 
+      return t('emergencyAccess.approval.approveNow');
+  }
+}
+
+function getProcessByType(vault: VaultDto, type: RecoveryProcessDto['type']): RecoveryProcessDto | undefined {
+  return getProcesses(vault.id).find(p => p.type === type);
+}
+
+function getTypeLabel(vault: VaultDto, type: RecoveryProcessDto['type']) {
+  return type === 'CHANGE_PERMISSIONS'
+    ? t('emergencyAccess.processType.changePermissions')
+    : t('emergencyAccess.processType.changeCouncil');
+}
+
+function onUnifiedButtonClick(vault: VaultDto, type: RecoveryProcessDto['type']) {
+  const proc = getProcessByType(vault, type);
+  if (proc) {
+    openRecoveryDialog(vault, proc);
+  } else {
+    openRecoveryStartDialog(vault, type);
+  }
+}
+
+function getCurrentCouncilMembers(vault: VaultDto): UserDto[] {
+  const ids = Object.keys(vault.emergencyKeyShares);
+  return ids.map(id => usersById.value[id]).filter(u => u !== undefined).sort((a, b) => a.name.localeCompare(b.name));
+}
+
+function filterVaults(vaults: VaultDto[]): VaultDto[] {
+  if (loading.value) return [];
+  const filteredByStatus = vaults.filter(filterByStatus);
+  if (query.value !== '') {
+    return filteredByStatus.filter((vault) =>
+      vault.name.toLowerCase().includes(query.value.toLowerCase())
+    );
+  } else {
+    return filteredByStatus;
+  }
+}
+
+function filterByStatus(vault: VaultDto): boolean {
+  const processes = getProcesses(vault.id);
+  switch (selectedFilter.value) {
+    case 'approved': // find vaults where there is at least one process to which the user has already submitted their key share
+      return processes.some(p => hasSubmittedEmergencyKeyShare(p));
+    case 'approvable': // find vaults where there there is at least one process to which the user has not yet submitted their key share
+      return processes.length > 0 && processes.some(p => !hasSubmittedEmergencyKeyShare(p));
+    case 'startable': { // find vaults where at least one type of process has not yet been started
+      const processTypes = processes.map(p => p.type);
+      return !SUPPORTED_PROCESS_TYPES.every(processTypes.includes);
+    }
+    case 'recoverableVaults': // all
+    default:
+      return true;
+  }
+}
+
+function openRecoveryDialog(vault: VaultDto, proc: RecoveryProcessDto) {
+  recoveryApprovVault.value = vault;
+  selectedProcess.value = proc;
+  nextTick(() => recoveryApprovDialog.value?.show());
+}
+
+function isUserInProcessWithType(vault: VaultDto, type: RecoveryProcessDto['type']): boolean {
+  const proc = getProcessByType(vault, type);
+  if (!proc || !me.value) return false;
+  return Object.keys(proc.recoveredKeyShares ?? {}).includes(me.value.id);
+}
+
+function isUserInProcess(proc: RecoveryProcessDto): boolean {
+  const councilMemberIds = Object.keys(proc.recoveredKeyShares);
+  return councilMemberIds.includes(me.value?.id ?? '');
+}
+
+function getCouncilMembersForProcess(proc: RecoveryProcessDto): UserDto[] {
+  return Object.keys(proc.recoveredKeyShares).map(id => usersById.value[id]);
+}
+
+function hasSubmittedEmergencyKeyShare(proc: RecoveryProcessDto): boolean {
+  if (!me.value || !proc?.recoveredKeyShares) return false;
+  return proc.recoveredKeyShares[me.value.id]?.recoveredKeyShare !== undefined;
+}
+
+function isEmergencyKeyShareHolder(vault: VaultDto): boolean {
+  if (!vault || !me.value) return false;
+  return vault.emergencyKeyShares[me.value.id] !== undefined;
+}
+
+function emergencyAccessMembers(vault: VaultDto): string[] {
+  return Object.keys(vault.emergencyKeyShares);
+}
+
+function isBroken(vault: VaultDto): boolean {
+  return vault.requiredEmergencyKeyShares > emergencyAccessMembers(vault).length;
+}
+
+function getCompletedSegmentsForProcess(proc: RecoveryProcessDto): number {
+  return Object.values(proc.recoveredKeyShares)
+    .filter(ks => ks?.recoveredKeyShare !== undefined).length;
+}
+
+function openRecoveryStartDialog(vault: VaultDto, type: RecoveryProcessDto['type']) {
+  recoveryApprovVault.value = vault;
+  selectedProcess.value = undefined;
+  startType.value = type;
+  nextTick(() => recoveryApprovDialog.value?.show());
+}
+
+function getProcesses(vaultId: string): RecoveryProcessDto[] {
+  return vaultRecoveryProcesses.value[vaultId];
+}
+
+async function onVaultDetailsToggle(vaultId: string, event: Event) {
+  const details = event.target as HTMLDetailsElement;
+  if (!details.open) {
+    return;
+  }
+
+  await loadMembersForVault(vaultId);
+}
+
+async function loadMembersForVault(vaultId: string) {
+  if (membersByVaultId.value[vaultId] || membersLoadingByVaultId.value[vaultId]) {
+    return;
+  }
+
+  membersLoadingByVaultId.value[vaultId] = true;
+  try {
+    membersByVaultId.value[vaultId] = await backend.vaults.getMembers(vaultId);
+  } finally {
+    membersLoadingByVaultId.value[vaultId] = false;
+  }
+}
+
+function getVaultMembers(vaultId: string): MemberDto[] {
+  return membersByVaultId.value[vaultId] ?? [];
+}
+
+</script>
diff --git a/frontend/src/components/emergencyaccess/EmergencyBadge.vue b/frontend/src/components/emergencyaccess/EmergencyBadge.vue
new file mode 100644
index 000000000..174796e90
--- /dev/null
+++ b/frontend/src/components/emergencyaccess/EmergencyBadge.vue
@@ -0,0 +1,107 @@
+<template>
+  <div v-if="type !== 'none'" class="relative mr-3 group/badge">
+    <!-- Badge -->
+    <span 
+      class="inline-flex items-center gap-2 rounded-full px-2 py-2 text-xs font-medium cursor-default ring-1" 
+      :class="badgeClasses"
+    >
+      <ExclamationTriangleIcon class="h-4 w-4" :class="iconColor" />
+    </span>
+
+    <!-- Tooltip -->
+    <div 
+      class="invisible opacity-0 group-hover/badge:visible group-hover/badge:opacity-100 transition-opacity duration-150 absolute -top-2 transform -translate-y-full w-max max-w-xs z-20" 
+      :class="positionClasses"
+    >
+      <div class="px-2 py-1 rounded shadow-sm text-xs hyphens-auto border relative" :class="tooltipClasses">
+        <b>{{ title }}</b><br />
+        <span>{{ message }}</span>
+
+        <!-- Arrow -->
+        <div
+          class="absolute bottom-0 transform translate-y-1/2 rotate-45 w-2 h-2 border-r border-b"
+          :class="[arrowClasses, arrowPositionClasses]"
+        ></div>
+      </div>
+    </div>
+  </div>
+</template>
+
+<script setup lang="ts">
+import { computed } from 'vue';
+import { ExclamationTriangleIcon } from '@heroicons/vue/24/solid';
+
+const props = defineProps<{
+  type: 'notCouncil' | 'broken' | 'noRedundancy' | 'insufficientCouncilMembers' | 'none';
+  title: string;
+  message: string;
+  position?: 'center' | 'left' | 'right';
+}>();
+
+const positionClasses = computed(() => {
+  switch (props.position) {
+    case 'left':
+      return 'left-0';
+    case 'right':
+      return 'right-0';
+    case 'center':
+    default:
+      return 'left-1/2 -translate-x-1/2';
+  }
+});
+
+const badgeClasses = computed(() => {
+  switch (props.type) {
+    case 'notCouncil':
+    case 'insufficientCouncilMembers':
+    case 'noRedundancy':
+      return 'bg-yellow-50 ring-yellow-300/70 text-yellow-800';
+    case 'broken':
+      return 'bg-red-100 ring-red-300/70 text-red-800';
+    default:
+      return '';
+  }
+});
+
+const tooltipClasses = computed(() => {
+  switch (props.type) {
+    case 'notCouncil':
+    case 'insufficientCouncilMembers':
+    case 'noRedundancy':
+      return 'bg-yellow-50 border-yellow-300 text-yellow-900';
+    case 'broken':
+      return 'bg-red-50 border-red-300 text-red-900';
+    default:
+      return '';
+  }
+});
+
+const arrowClasses = computed(() => {
+  switch (props.type) {
+    case 'notCouncil':
+    case 'insufficientCouncilMembers':
+    case 'noRedundancy':
+      return 'bg-yellow-50 border-yellow-300';
+    case 'broken':
+      return 'bg-red-50 border-red-300';
+    default:
+      return '';
+  }
+});
+
+const arrowPositionClasses = computed(() => {
+  switch (props.position) {
+    case 'left':
+      return 'left-2';
+    case 'right':
+      return 'right-2';
+    case 'center':
+    default:
+      return 'left-1/2 -translate-x-1/2';
+  }
+});
+
+const iconColor = computed(() => {
+  return props.type === 'broken' ? 'text-red-600' : 'text-yellow-500';
+});
+</script>
diff --git a/frontend/src/components/emergencyaccess/EmergencyProcessButton.vue b/frontend/src/components/emergencyaccess/EmergencyProcessButton.vue
new file mode 100644
index 000000000..7a87091cf
--- /dev/null
+++ b/frontend/src/components/emergencyaccess/EmergencyProcessButton.vue
@@ -0,0 +1,148 @@
+<template>
+  <div
+    v-if="hasProcess"
+    class="relative inline-flex rounded-md shadow-sm -space-x-px"
+    role="group"
+  >
+    <button
+      type="button"
+      class="h-10 inline-flex items-center gap-2 px-2 text-xs font-medium text-gray-700 bg-white
+             hover:bg-gray-50 border border-gray-300 rounded-s-md
+             focus:outline-none focus:ring-2 focus:ring-primary disabled:opacity-50 disabled:cursor-not-allowed"
+      :disabled="disabled"
+      @mouseenter="openTooltip()"
+      @mouseleave="closeTooltip()"
+      @click.stop.prevent="toggleTooltip()"
+    >
+      <SegmentRing
+        :total="requiredKeyShares || 0"
+        :completed="completedKeyShares || 0"
+        :size="24"
+      />
+    </button>
+
+    <button
+      type="button"
+      class="h-10 inline-flex flex-col justify-center px-2 text-xs font-medium text-gray-700 bg-white
+             hover:bg-gray-50 border border-gray-300 rounded-e-md w-full
+             focus:outline-none focus:ring-2 focus:ring-primary disabled:opacity-50 disabled:cursor-not-allowed text-left"
+      :disabled="disabled"
+      @click.stop="emit('click-main')"
+    >
+      <span class="leading-tight">{{ label }}</span>
+      <span class="text-[10px] text-gray-500 leading-tight">
+        {{ approvalLabel }}
+      </span>
+    </button>
+
+    <!-- Tooltip -->
+    <div
+      class="transition-opacity duration-150 absolute right-0 top-10 z-20 w-60 rounded-lg border
+             border-gray-200 bg-white p-3 shadow-xl"
+      :class="isTooltipOpen ? 'opacity-100 visible' : 'opacity-0 invisible'"
+      role="tooltip"
+    >
+      <div class="flex items-center justify-between mb-1">
+        <div>
+          <div class="text-xl">{{ label }}</div>
+          <div class="text-xs text-gray-500 mb-2">
+            {{ t('emergencyAccess.requiredKeyShares') }}:
+            {{ requiredKeyShares }}
+          </div>
+        </div>
+        <SegmentRing
+          :total="requiredKeyShares || 0"
+          :completed="completedKeyShares || 0"
+          :size="42"
+        />
+      </div>
+
+      <div>{{ t('emergencyAccess.processCouncil') }}</div>
+      <ul class="space-y-1 max-h-56 overflow-auto pr-1">
+        <li
+          v-for="m in councilMembers"
+          :key="m.id"
+          class="flex items-center justify-between text-sm h-6"
+        >
+          <span class="truncate flex items-center gap-2">
+            <img v-if="m.pictureUrl" :src="m.pictureUrl" :alt="m.name" class="h-4 w-4 rounded-full" />
+            <span class="truncate">{{ m.name || m.id }}</span>
+          </span>
+          <span
+            class="ml-2 inline-flex items-center gap-1 rounded-full px-2 py-0.5 text-[11px]"
+            :class="recoveredSet.has(m.id)
+              ? 'bg-green-50 text-green-700 ring-1 ring-green-200'
+              : 'bg-gray-50 text-gray-600 ring-1 ring-gray-200'"
+          >
+            <span
+              class="h-2 w-2 rounded-full"
+              :class="recoveredSet.has(m.id) ? 'bg-green-500' : 'bg-gray-300'"
+            ></span>
+            {{ recoveredSet.has(m.id)
+              ? t('emergencyAccess.status.added')
+              : t('emergencyAccess.status.pending') }}
+          </span>
+        </li>
+      </ul>
+    </div>
+  </div>
+
+  <button
+    v-else-if="canStart"
+    type="button"
+    class="w-full sm:w-auto h-10 inline-flex items-center gap-2 rounded-md bg-white px-2 py-1
+           text-xs font-medium text-gray-700 shadow-sm ring-1 ring-inset ring-gray-300
+           hover:bg-gray-50 disabled:opacity-50 disabled:cursor-not-allowed"
+    :disabled="disabled"
+    @click.stop="emit('click-main')"
+  >
+    <PlayIcon class="h-6 w-6 text-primary" />
+    <span class="flex flex-col leading-tight text-left">
+      <span>{{ label }}</span>
+      <span class="text-[10px] text-gray-500">{{ t('emergencyAccess.startProcess') }}</span>
+    </span>
+  </button>
+</template>
+
+<script setup lang="ts">
+import { computed, ref } from 'vue';
+import { useI18n } from 'vue-i18n';
+import SegmentRing from './SegmentRing.vue';
+import { PlayIcon } from '@heroicons/vue/24/solid';
+import { AuthorityDto } from '../../common/backend';
+
+const props = defineProps<{
+  label: string;
+  approvalLabel?: string;
+  disabled?: boolean;
+  hasProcess: boolean;
+  canStart: boolean;
+  requiredKeyShares?: number;
+  completedKeyShares?: number;
+  councilMembers?: AuthorityDto[];
+  recoveredMemberIds?: string[];
+}>();
+
+const emit = defineEmits<{
+  (e: 'click-main'): void;
+}>();
+
+const { t } = useI18n({ useScope: 'global' });
+
+const isTooltipOpen = ref(false);
+const recoveredSet = computed(
+  () => new Set(props.recoveredMemberIds ?? []),
+);
+
+function openTooltip() {
+  isTooltipOpen.value = true;
+}
+
+function closeTooltip() {
+  isTooltipOpen.value = false;
+}
+
+function toggleTooltip() {
+  isTooltipOpen.value = !isTooltipOpen.value;
+}
+</script>
diff --git a/frontend/src/components/emergencyaccess/EmergencyScenarioVisualization.vue b/frontend/src/components/emergencyaccess/EmergencyScenarioVisualization.vue
new file mode 100644
index 000000000..f985dca1a
--- /dev/null
+++ b/frontend/src/components/emergencyaccess/EmergencyScenarioVisualization.vue
@@ -0,0 +1,243 @@
+<template>
+  <div class="p-2 border border-gray-300 rounded-md bg-gray-200 opacity-60 cursor-not-allowed" aria-disabled="true">
+    <template v-if="loadingCouncilSelection">
+      <div class="flex">
+        <svg class="animate-spin h-5 w-5 text-gray-500" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24">
+          <circle class="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" stroke-width="4" />
+          <path class="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4z" />
+        </svg>
+      </div>
+    </template>
+
+    <template v-else>
+      <template v-if="isGrantButtonDisabled">
+        <div class="flex">
+          <span class="inline-flex items-center border border-red-300 bg-red-50 text-red-800 text-sm font-medium px-2 py-1 rounded-full shadow-sm">
+            <ExclamationTriangleIcon class="h-4 w-4 m-1 text-red-500 mr-1" />
+            <span class="truncate">{{ t('emergencyAccess.notPossible') }}</span>
+          </span>
+        </div>
+      </template>
+
+      <template v-else>
+        <div class="flex items-center gap-2 text-sm text-gray-800">
+          <template v-for="(slot, index) in visibleSlots" :key="`lane-${index}`">
+            <div class="flex-1 min-w-0 max-w-1/3">
+              <div class="slot-lane relative h-8 overflow-hidden">
+                <Transition name="slot-roll">
+                  <span v-if="slot.type === 'user'" :key="slot.user.id" class="absolute inset-0 inline-flex w-full items-center justify-between gap-1 rounded-full border border-grey bg-white px-2 py-1 shadow-sm">
+                    <img :src="slot.user.pictureUrl" class="w-4 h-4 rounded-full shrink-0" />
+                    <span class="truncate">{{ slot.user.name }}</span>
+                    <SegmentRing :start-index="index" :total="requiredKeyShares" :completed="1" :size="24"/>
+                  </span>
+                  <span v-else class="absolute inset-0 inline-flex w-full items-center justify-center rounded-full border border-gray-300 bg-gray-100 px-3 py-1 font-medium text-gray-700 shadow-sm">
+                    +{{ slot.hiddenCount }}
+                  </span>
+                </Transition>
+              </div>
+            </div>
+
+            <span v-if="index < visibleSlots.length - 1" class="shrink-0 inline-flex items-center justify-center text-gray-500 font-medium">+</span>
+          </template>
+        </div>
+      </template>
+    </template>
+  </div>
+</template>
+
+<script setup lang="ts">
+import { computed, watch, ref, toRefs, onBeforeUnmount } from 'vue';
+import { ExclamationTriangleIcon } from '@heroicons/vue/20/solid';
+import { useI18n } from 'vue-i18n';
+import { UserDto } from '../../common/backend';
+import SegmentRing from './SegmentRing.vue';
+import { shuffle, clamp } from 'remeda';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const props = defineProps<{
+  selectedUsers: UserDto[];
+  requiredKeyShares: number;
+}>();
+
+let timeoutId: ReturnType<typeof setTimeout> | undefined;
+const loadingCouncilSelection = ref(true);
+const randomCouncilSelection = ref<UserDto[]>([]);
+const randomSelectionInterval = ref<ReturnType<typeof setInterval>>();
+const maxVisibleSlots = 4;
+
+const { selectedUsers, requiredKeyShares } = toRefs(props);
+
+onBeforeUnmount(() => {
+  stopRandomCouncilInterval();
+  if (timeoutId !== undefined) {
+    clearTimeout(timeoutId);
+  }
+  timeoutId = undefined;
+});
+
+function startRandomCouncilInterval() {
+  stopRandomCouncilInterval();
+  pickRandomCouncilMembers();
+  randomSelectionInterval.value = setInterval(() => {
+    pickRandomCouncilMembers();
+  }, 2000);
+}
+
+function stopRandomCouncilInterval() {
+  if (randomSelectionInterval.value) {
+    clearInterval(randomSelectionInterval.value);
+    randomSelectionInterval.value = undefined;
+  }
+}
+const isGrantButtonDisabled = computed(() => {
+  return selectedUsers.value.length < requiredKeyShares.value;
+});
+
+const visibleUserSlots = computed(() => {
+  return clamp(requiredKeyShares.value, { max: maxVisibleSlots });
+});
+
+const visibleSlots = computed(() => {
+  const userSlots = randomCouncilSelection.value.map(user => ({
+    type: 'user' as const,
+    user: user,
+  }));
+
+  if (requiredKeyShares.value <= maxVisibleSlots) {
+    return userSlots;
+  } else {
+    return [
+      ...userSlots.slice(0, maxVisibleSlots - 1),
+      {
+        type: 'overflow' as const,
+        hiddenCount: requiredKeyShares.value - visibleUserSlots.value + 1,
+      }
+    ];
+  }
+});
+
+watch(
+  [selectedUsers, requiredKeyShares],
+  () => {
+    loadingCouncilSelection.value = true;
+   
+    pickRandomCouncilMembers();
+    if (timeoutId !== undefined) {
+      clearTimeout(timeoutId);
+    }
+    timeoutId = setTimeout(() => {
+      loadingCouncilSelection.value = false;
+      timeoutId = undefined;
+    }, 100);
+  },
+  { immediate: true }
+);
+
+watch([isGrantButtonDisabled], () => {
+  if (!isGrantButtonDisabled.value) {
+    pickRandomCouncilMembers();
+    startRandomCouncilInterval();
+  } else {
+    stopRandomCouncilInterval();
+  }
+}, { immediate: true });
+
+function pickRandomCouncilMembers() {
+  const available = props.selectedUsers;
+  const required = props.requiredKeyShares ?? 1;
+
+  if (available.length < required) {
+    randomCouncilSelection.value = [];
+    return;
+  }
+
+  if (needsInitialSelection(available, required)) {
+    setInitialCouncil(available, required);
+    return;
+  }
+  if (selectedUsers.value.length != requiredKeyShares.value)
+    rotateCouncilMember(available, required);
+}
+
+function needsInitialSelection(available: UserDto[], required: number): boolean {
+  if (randomCouncilSelection.value.length !== Math.min(required, visibleUserSlots.value)) return true;
+
+  const currentIds = randomCouncilSelection.value.map(u => u.id);
+  const availableIds = new Set(available.map(u => u.id));
+
+  return currentIds.some(id => !availableIds.has(id));
+}
+
+function setInitialCouncil(available: UserDto[], required: number) {
+  const shuffled = shuffle(available);
+  randomCouncilSelection.value = shuffled.slice(0, Math.min(required, visibleUserSlots.value));
+}
+
+function rotateCouncilMember(available: UserDto[], required: number) {
+  const current = randomCouncilSelection.value;
+  const currentIds = new Set(current.map(u => u.id));
+  const candidates = available.filter(u => !currentIds.has(u.id));
+
+  const userSlots = required > visibleUserSlots.value ? visibleUserSlots.value - 1 : Math.min(required, visibleUserSlots.value);
+
+  const replaceIndex = Math.floor(
+    Math.random() // NOSONAR
+    * userSlots
+  );
+
+  let newUser: UserDto;
+
+  if (candidates.length > 0) {
+    newUser = candidates[Math.floor(
+      Math.random() // NOSONAR
+      * candidates.length
+    )];
+  } else {
+    const alternatives = available.filter(u => u.id !== current[replaceIndex].id);
+    if (alternatives.length === 0) return;
+    newUser = alternatives[Math.floor(
+      Math.random() // NOSONAR
+      * alternatives.length
+    )];
+  }
+
+  randomCouncilSelection.value = [
+    ...current.slice(0, replaceIndex),
+    newUser,
+    ...current.slice(replaceIndex + 1),
+  ];
+}
+</script>
+
+<style scoped>
+.slot-roll-enter-active,
+.slot-roll-leave-active {
+  transition: transform 0.5s ease, opacity 0.5s ease, filter 0.5s ease;
+}
+
+.slot-roll-enter-from {
+  opacity: 0;
+  transform: translateY(-100%);
+  filter: blur(2px);
+}
+.slot-roll-enter-to {
+  opacity: 1;
+  transform: translateY(0);
+  filter: blur(0);
+}
+
+.slot-roll-leave-from {
+  opacity: 1;
+  transform: translateY(0);
+  filter: blur(0);
+}
+.slot-roll-leave-to {
+  opacity: 0;
+  transform: translateY(100%);
+  filter: blur(2px);
+}
+.slot-lane {
+  contain: layout paint;
+}
+</style>
diff --git a/frontend/src/components/emergencyaccess/GrantEmergencyAccessDialog.vue b/frontend/src/components/emergencyaccess/GrantEmergencyAccessDialog.vue
new file mode 100644
index 000000000..8e49039d0
--- /dev/null
+++ b/frontend/src/components/emergencyaccess/GrantEmergencyAccessDialog.vue
@@ -0,0 +1,146 @@
+<template>
+  <TransitionRoot as="template" :show="open" @after-leave="$emit('close')">
+    <Dialog as="div" class="fixed z-10 inset-0 overflow-y-auto" @close="open = false">
+      <TransitionChild
+        as="template"
+        enter="ease-out duration-300"
+        enter-from="opacity-0"
+        enter-to="opacity-100"
+        leave="ease-in duration-200"
+        leave-from="opacity-100"
+        leave-to="opacity-0"
+      >
+        <DialogOverlay class="fixed inset-0 bg-gray-500/75 transition-opacity" />
+      </TransitionChild>
+
+      <div class="fixed inset-0 z-10 overflow-y-auto">
+        <div class="flex min-h-full items-end justify-center p-4 text-center sm:items-center sm:p-0">
+          <TransitionChild
+            as="template"
+            enter="ease-out duration-300"
+            enter-from="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95"
+            enter-to="opacity-100 translate-y-0 sm:scale-100"
+            leave="ease-in duration-200"
+            leave-from="opacity-100 translate-y-0 sm:scale-100"
+            leave-to="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95"
+          >
+            <DialogPanel
+              class="relative transform overflow-hidden rounded-lg bg-white text-left shadow-xl transition-all sm:my-8 sm:w-full sm:max-w-lg"
+            >
+              <div class="bg-white px-4 pt-5 pb-4 sm:p-6 sm:pb-4">
+                <div class="sm:flex sm:items-start">
+                  <div
+                    class="mx-auto shrink-0 flex items-center justify-center h-12 w-12 rounded-full bg-red-100 sm:mx-0 sm:h-10 sm:w-10"
+                  >
+                    <ExclamationTriangleIcon class="h-6 w-6 text-red-600" aria-hidden="true" />
+                  </div>
+                  <div class="mt-3 grow text-center sm:mt-0 sm:ml-4 sm:text-left">
+                    <DialogTitle as="h3" class="text-lg leading-6 font-medium text-gray-900">
+                      {{ t('grantEmergencyAccessDialog.title') }}
+                    </DialogTitle>
+                    <div class="mt-2">
+                      <p v-if="settings.allowChoosingEmergencyCouncil" class="text-sm text-gray-500">
+                        {{ t('grantEmergencyAccessDialog.description.selectCouncil') }}
+                      </p>
+                      <p v-else class="text-sm text-gray-500">
+                        {{ t('grantEmergencyAccessDialog.description.default') }}
+                      </p>
+                    </div>
+                    <EmergencyAccessSetup ref="emergencyAccessSetup" :settings="settings" :required-key-shares="settings.defaultRequiredEmergencyKeyShares" :allow-choosing-council="settings.allowChoosingEmergencyCouncil"/>
+                  </div>
+                </div>
+
+                <p v-if="onAddCouncilMemberError" class="mt-2 text-right text-sm text-red-600">
+                  {{ onAddCouncilMemberError.message }}
+                </p>
+              </div>
+              <div class="bg-gray-50 px-4 py-3 sm:px-6 sm:flex sm:flex-row-reverse">
+                <!-- Grant-Button -->
+                <button
+                  type="button"
+                  class="w-full inline-flex justify-center rounded-md border border-transparent shadow-xs px-4 py-2 bg-primary text-base font-medium text-white hover:bg-primary-d1 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:ml-3 sm:w-auto sm:text-sm disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed"
+                  :disabled="!emergencyAccessSetup || emergencyAccessSetup.hasValidationErrors"
+                  @click="splitRecoveryKey()"
+                >
+                  {{ t('grantEmergencyAccessDialog.grant') }}
+                </button>
+                <!-- Close-Button -->
+                <button
+                  type="button"
+                  class="mt-3 w-full inline-flex justify-center rounded-md border border-gray-300 shadow-xs px-4 py-2 bg-white text-base font-medium text-gray-700 hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:mt-0 sm:w-auto sm:text-sm"
+                  @click="closeDialog()"
+                >
+                  {{ t('common.close') }}
+                </button>
+              </div>
+            </DialogPanel>
+          </TransitionChild>
+        </div>
+      </div>
+    </Dialog>
+  </TransitionRoot>
+</template>
+
+<script setup lang="ts">
+import { Dialog, DialogOverlay, DialogPanel, DialogTitle, TransitionChild, TransitionRoot } from '@headlessui/vue';
+import { ExclamationTriangleIcon } from '@heroicons/vue/24/outline';
+import { ref } from 'vue';
+import { useI18n } from 'vue-i18n';
+import backend, { SettingsDto, VaultDto } from '../../common/backend';
+import { RecoveryKeyProducing } from '../../common/crypto';
+import EmergencyAccessSetup from './EmergencyAccessSetup.vue';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const props = defineProps<{
+  vault: VaultDto,
+  vaultKeys: RecoveryKeyProducing
+  settings: SettingsDto
+}>();
+
+const emit = defineEmits<{
+  close: []
+  updated: [updatedVault: VaultDto]
+}>();
+
+defineExpose({
+  show,
+});
+
+const open = ref(false);
+const emergencyAccessSetup = ref<InstanceType<typeof EmergencyAccessSetup>>();
+const onAddCouncilMemberError = ref<Error>();
+
+async function show() {
+  onAddCouncilMemberError.value = undefined;
+  open.value = true;
+}
+
+function closeDialog() {
+  open.value = false;
+}
+
+async function splitRecoveryKey() {
+  if (!emergencyAccessSetup.value) {
+    console.warn('EmergencyAccessSetup not yet mounted.');
+    return;
+  }
+
+  onAddCouncilMemberError.value = undefined;
+  try {
+    const { requiredKeyShares, keyShares } = await emergencyAccessSetup.value.split(props.vaultKeys);
+
+    const updatedVault = await backend.vaults.createOrUpdateVault({
+      ...props.vault,
+      requiredEmergencyKeyShares: requiredKeyShares,
+      emergencyKeyShares: keyShares
+    });
+
+    emit('updated', updatedVault);
+    open.value = false;
+  } catch (error) {
+    console.error('Granting emergency access failed.', error);
+    onAddCouncilMemberError.value = error instanceof Error ? error : new Error('Unknown Error');
+  }
+}
+</script>
diff --git a/frontend/src/components/emergencyaccess/ProcessAbortDialog.vue b/frontend/src/components/emergencyaccess/ProcessAbortDialog.vue
new file mode 100644
index 000000000..dfd52f9f8
--- /dev/null
+++ b/frontend/src/components/emergencyaccess/ProcessAbortDialog.vue
@@ -0,0 +1,82 @@
+<template>
+  <TransitionRoot as="template" :show="open" @after-leave="$emit('close')">
+    <Dialog as="div" class="fixed inset-0 z-50 overflow-y-auto" @close="open = false">
+      <TransitionChild as="template" enter="ease-out duration-300" enter-from="opacity-0" enter-to="opacity-100" leave="ease-in duration-200" leave-from="opacity-100" leave-to="opacity-0">
+        <DialogOverlay class="fixed inset-0 bg-gray-500/75 transition-opacity" />
+      </TransitionChild>
+
+      <div class="flex min-h-full items-end justify-center p-4 text-center sm:items-center sm:p-0">
+        <TransitionChild as="template" enter="ease-out duration-300" enter-from="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95" enter-to="opacity-100 translate-y-0 sm:scale-100" leave="ease-in duration-200" leave-from="opacity-100 translate-y-0 sm:scale-100" leave-to="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95">
+          <DialogPanel class="relative transform overflow-hidden rounded-lg bg-white text-left shadow-xl transition-all sm:my-8 sm:w-100 sm:max-w-lg">
+              <div class="bg-white px-4 pt-5 pb-4 sm:p-6 sm:pb-4">
+                <div class="sm:flex sm:items-start">
+                  <div class="mx-auto shrink-0 flex items-center justify-center h-12 w-12 rounded-full bg-red-100 sm:mx-0 sm:h-10 sm:w-10">
+                    <ExclamationTriangleIcon class="h-6 w-6 text-red-600" aria-hidden="true" />
+                  </div>
+                  <div class="mt-3 grow text-center sm:mt-0 sm:ml-4 sm:text-left">
+                    <DialogTitle as="h3" class="text-lg leading-6 font-medium text-gray-900">
+                      {{ t('processAbortDialog.title') }}
+                    </DialogTitle>
+                    <div class="mt-2">
+                      <p class="text-sm text-gray-500">
+                        {{ t('processAbortDialog.description') }}
+                      </p>
+                    </div>
+                  </div>
+                </div>
+              </div>
+              <div class="bg-gray-50 px-4 py-3 sm:px-6 sm:flex sm:flex-row-reverse">
+                <button type="button" class="w-full inline-flex justify-center rounded-md border border-transparent shadow-xs px-4 py-2 bg-red-600 text-base font-medium text-white hover:bg-red-700 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-red-500 sm:ml-3 sm:w-auto sm:text-sm" @click.stop="abortProcess">
+                  {{ t('processAbortDialog.confirm') }}
+                </button>
+                <button type="button" class="mt-3 w-full inline-flex justify-center rounded-md border border-gray-300 shadow-xs px-4 py-2 bg-white text-base font-medium text-gray-700 hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:mt-0 sm:ml-3 sm:w-auto sm:text-sm" @click.stop="close">
+                  {{ t('common.close') }}
+                </button>
+              </div>
+              <p v-if="onAbortError != null" class="text-sm text-red-900 px-4 sm:px-6 text-right bg-red-50">
+                {{ t('common.unexpectedError', [onAbortError.message]) }}
+              </p>
+          </DialogPanel>
+        </TransitionChild>
+      </div>
+    </Dialog>
+  </TransitionRoot>
+</template>
+
+<script setup lang="ts">
+import { Dialog, DialogOverlay, DialogPanel, DialogTitle, TransitionChild, TransitionRoot } from '@headlessui/vue';
+import { ExclamationTriangleIcon } from '@heroicons/vue/24/outline';
+import { ref } from 'vue';
+import { useI18n } from 'vue-i18n';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const props = defineProps<{
+  recoveryProcessId: string
+}>();
+
+const emit = defineEmits<{
+  close: []
+  confirmed: []
+}>();
+
+const open = ref(false);
+const onAbortError = ref<Error | null>();
+
+defineExpose({ show });
+
+function show() {
+  onAbortError.value = null;
+  open.value = true;
+}
+
+function close() {
+  open.value = false;
+}
+
+function abortProcess() {
+  onAbortError.value = null;
+  emit('confirmed');
+  open.value = false;
+}
+</script>
diff --git a/frontend/src/components/emergencyaccess/SegmentRing.vue b/frontend/src/components/emergencyaccess/SegmentRing.vue
new file mode 100644
index 000000000..602ea1bc1
--- /dev/null
+++ b/frontend/src/components/emergencyaccess/SegmentRing.vue
@@ -0,0 +1,47 @@
+<template>
+  <svg
+    :width="size"
+    :height="size"
+    :viewBox="`0 0 36 36`"
+    :class="['ml-auto shrink-0', attrs.class]"
+    aria-hidden="true"
+  >
+    <g>
+      <path
+        v-for="i in total"
+        :key="i"
+        :d="describeSegment(i - 1 + startIndex, total, 16)"
+        :fill="i <= completed ? fillColor : emptyColor"
+        :stroke="stroke"
+        :stroke-width="strokeWidth"
+      />
+    </g>
+  </svg>
+</template>
+
+<script setup lang="ts">
+import { useAttrs } from 'vue';
+import { describeSegment } from '../../common/svgUtils';
+
+const attrs = useAttrs();
+
+type Props = {
+  total: number;
+  completed: number;
+  startIndex?: number;
+  size?: number;
+  fillColor?: string;
+  emptyColor?: string;
+  stroke?: string;
+  strokeWidth?: number;
+};
+
+withDefaults(defineProps<Props>(), {
+  startIndex: 0,
+  size: 20,
+  fillColor: '#22c55e',
+  emptyColor: '#e5e7eb',
+  stroke: 'white',
+  strokeWidth: 1,
+});
+</script>
diff --git a/frontend/src/components/katta/StorageProfileDetails.vue b/frontend/src/components/katta/StorageProfileDetails.vue
new file mode 100644
index 000000000..081ea2401
--- /dev/null
+++ b/frontend/src/components/katta/StorageProfileDetails.vue
@@ -0,0 +1,111 @@
+<template>
+  <div v-if="storageprofile == null">
+    <div v-if="onFetchError == null">
+      {{ t('common.loading') }}
+    </div>
+    <div v-else>
+      <FetchError :error="onFetchError" :retry="allowRetryFetch ? fetchData : undefined"/>
+    </div>
+  </div>
+
+  <div v-else class="pb-16 space-y-6">
+    <div v-if="storageprofile.archived" class="rounded-md bg-yellow-50 p-4">
+      <div class="flex">
+        <div class="flex-shrink-0">
+          <ExclamationTriangleIcon class="h-5 w-5 text-yellow-400" aria-hidden="true" />
+        </div>
+        <p class="ml-3 text-sm text-yellow-700">{{ t('vaultDetails.warning.archived') }}</p>
+      </div>
+    </div>
+    <div v-if="storageprofile['protocol'] == 'S3STATIC'">
+      <div v-for="(item,key) in openapi.components.schemas.StorageProfileS3StaticDto.properties">
+        <h3 class="font-medium text-gray-900"><span v-if="!(item as OpenapiType).nullable" style="color: red;">* </span>{{ key }}</h3>
+        <div class="mt-2 flex items-center justify-between">
+          <p class="text-sm text-gray-600">{{ storageprofile[key] }}</p>
+        </div>
+        <div class="mt-2 flex items-center justify-between">
+          <p class="text-sm text-gray-400">{{ item.description }}</p>
+        </div>
+        <div class="mt-2 flex items-center justify-between">
+          <p class="text-sm text-gray-400">type: {{ openapi.components.schemas.StorageProfileS3StaticDto.properties[key].type }}</p>
+        </div>
+        <div v-if="(openapi.components.schemas.StorageProfileS3StaticDto.properties[key] as OpenapiType)?.allOf">
+          <div class="mt-2 flex items-center justify-between">
+            <p v-if="((openapi.components.schemas as OpenapiSchemas)?.[((openapi.components.schemas.StorageProfileS3StaticDto.properties[key] as OpenapiType)?.allOf?.[0].$ref.split('/').pop()) ?? ''] as OpenapiSchema)?.enum" class="text-sm text-gray-400">enum: {{ ((openapi.components.schemas as OpenapiSchemas)?.[((openapi.components.schemas.StorageProfileS3StaticDto.properties[key] as OpenapiType)?.allOf?.[0].$ref.split('/').pop()) ?? ''] as OpenapiSchema)?.enum }}</p>
+          </div>
+          <div class="mt-2 flex items-center justify-between">
+            <p v-if="((openapi.components.schemas as OpenapiSchemas)?.[((openapi.components.schemas.StorageProfileS3StaticDto.properties[key] as OpenapiType)?.allOf?.[0].$ref.split('/').pop()) ?? ''] as OpenapiSchema)?.pattern" class="text-sm text-gray-400">pattern: {{ ((openapi.components.schemas as OpenapiSchemas)?.[((openapi.components.schemas.StorageProfileS3StaticDto.properties[key] as OpenapiType)?.allOf?.[0].$ref.split('/').pop()) ?? ''] as OpenapiSchema)?.pattern }}</p>
+          </div>
+        </div>
+        <div class="mt-2 flex items-center justify-between">
+          <p class="text-sm text-gray-400" v-if="(openapi.components.schemas.StorageProfileS3STSDto.properties[key] as OpenapiType)?.example">example: {{ (openapi.components.schemas.StorageProfileS3STSDto.properties[key] as OpenapiType)?.example }}</p>
+        </div>
+        <br/>
+      </div>
+    </div>
+    <div v-if="storageprofile['protocol'] == 'S3STS'">
+      <div v-for="(item,key) in openapi.components.schemas.StorageProfileS3STSDto.properties">
+        <h3 class="font-medium text-gray-900"><span v-if="!(item as OpenapiType).nullable" style="color: red;">* </span>{{ key }}</h3>
+        <div class="mt-2 flex items-center justify-between">
+          <p class="text-sm text-gray-600">{{ storageprofile[key] }}</p>
+        </div>
+        <div class="mt-2 flex items-center justify-between">
+          <p class="text-sm text-gray-400">{{ item.description }}</p>
+        </div>
+        <div class="mt-2 flex items-center justify-between">
+          <p class="text-sm text-gray-400">type: {{ openapi.components.schemas.StorageProfileS3STSDto.properties[key].type }}</p>
+        </div>
+        <div v-if="(openapi.components.schemas.StorageProfileS3STSDto.properties[key] as OpenapiType)?.allOf">
+          <div class="mt-2 flex items-center justify-between">
+            <p v-if="((openapi.components.schemas as OpenapiSchemas)?.[((openapi.components.schemas.StorageProfileS3STSDto.properties[key] as OpenapiType)?.allOf?.[0].$ref.split('/').pop()) ?? ''] as OpenapiSchema)?.enum" class="text-sm text-gray-400">enum: {{ ((openapi.components.schemas as OpenapiSchemas)?.[((openapi.components.schemas.StorageProfileS3STSDto.properties[key] as OpenapiType)?.allOf?.[0].$ref.split('/').pop()) ?? ''] as OpenapiSchema)?.enum }}</p>
+          </div>
+          <div class="mt-2 flex items-center justify-between">
+            <p v-if="((openapi.components.schemas as OpenapiSchemas)?.[((openapi.components.schemas.StorageProfileS3STSDto.properties[key] as OpenapiType)?.allOf?.[0].$ref.split('/').pop()) ?? ''] as OpenapiSchema)?.pattern" class="text-sm text-gray-400">pattern: {{ ((openapi.components.schemas as OpenapiSchemas)?.[((openapi.components.schemas.StorageProfileS3STSDto.properties[key] as OpenapiType)?.allOf?.[0].$ref.split('/').pop()) ?? ''] as OpenapiSchema)?.pattern }}</p>
+          </div>
+        </div>
+        <div class="mt-2 flex items-center justify-between">
+          <p class="text-sm text-gray-400" v-if="(openapi.components.schemas.StorageProfileS3STSDto.properties[key] as OpenapiType)?.example">example: {{ (openapi.components.schemas.StorageProfileS3STSDto.properties[key] as OpenapiType)?.example }}</p>
+        </div>
+        <br/>
+      </div>
+    </div>
+  </div>
+</template>
+
+<script setup lang="ts">
+import { ExclamationTriangleIcon } from '@heroicons/vue/20/solid';
+import { computed, onMounted, ref } from 'vue';
+import { useI18n } from 'vue-i18n';
+import backend, { NotFoundError, StorageProfileDto } from '../../common/backend';
+import FetchError from '../FetchError.vue';
+import { openapi, OpenapiType, OpenapiSchema, OpenapiSchemas } from '../../openapi/index';
+
+
+const { t } = useI18n({ useScope: 'global' });
+
+const props = defineProps<{
+  storageprofileId: string
+}>();
+
+const emit = defineEmits<{
+  storageprofileUpdated: [updateStorageprofile: StorageProfileDto]
+}>();
+
+
+const onFetchError = ref<Error>();
+const allowRetryFetch = computed(() => onFetchError.value && !(onFetchError.value instanceof NotFoundError));  //fetch requests either list something, or query from th vault. In the latter, a 404 indicates the vault does not exists anymore.
+
+const storageprofile = ref<StorageProfileDto>();
+
+onMounted(fetchData);
+
+async function fetchData() {
+  onFetchError.value = undefined;
+  try {
+    storageprofile.value = await backend.storageprofiles.getSingle(props.storageprofileId);
+  } catch (error) {
+    console.error('Fetching data failed.', error);
+    onFetchError.value = error instanceof Error ? error : new Error('Unknown Error');
+  }
+}
+</script>
diff --git a/frontend/src/components/katta/StorageProfiles.vue b/frontend/src/components/katta/StorageProfiles.vue
new file mode 100644
index 000000000..fef0c196a
--- /dev/null
+++ b/frontend/src/components/katta/StorageProfiles.vue
@@ -0,0 +1,140 @@
+<template>
+  <div v-if="storageprofiles == null">
+    <div v-if="onFetchError == null">
+      {{ t('common.loading') }}
+    </div>
+    <div v-else>
+      <FetchError :error="onFetchError" :retry="fetchData"/>
+    </div>
+  </div>
+
+
+  <h2 class="text-2xl font-bold leading-7 text-gray-900 sm:text-3xl sm:truncate">
+    {{ t('storageProfileList.title') }}
+  </h2>
+  <div class="space-y-6 mt-5">
+    <div class="bg-white px-4 py-5 shadow sm:rounded-lg sm:p-6">
+      <div class="md:grid md:grid-cols-3 md:gap-6">
+        <div class="md:col-span-3">
+          <h3 class="text-lg font-medium leading-6 text-gray-900">
+            {{ t('storageProfileList.setup.title') }}
+          </h3>
+          <div class="col-span-6 sm:col-span-3">
+            <p id="keycloakAdminRealmURL" class="inline-flex mt-2 text-sm">
+              <LinkIcon class="shrink-0 text-primary mr-1 h-5 w-5" aria-hidden="true" />
+              <!-- TODO final URL? -->
+              <a role="button" href="https://github.com/shift7-ch/katta-docs/" target="_blank" class="underline text-gray-500 hover:text-gray-900">{{ $t('storageProfileList.setup.description') }}</a>
+            </p>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+
+  <div class="pb-5 mt-3 border-b border-gray-200 flex flex-wrap sm:flex-nowrap gap-3 items-center whitespace-nowrap">
+    <input id="storageprofileSearch" v-model="query" :placeholder="t('storageProfileList.search.placeholder')" type="text" class="focus:ring-primary focus:border-primary block w-full shadow-sm text-sm border-gray-300 rounded-md disabled:bg-gray-200"/>
+  </div>
+
+  <div v-if="filteredStorageprofiles != null && filteredStorageprofiles.length > 0" class="mt-5 bg-white shadow overflow-hidden rounded-md">
+    <ul role="list" class="divide-y divide-gray-200">
+      <li v-for="(storageprofile, index) in filteredStorageprofiles" :key="storageprofile.name">
+        <a role="button" tabindex="0" class="block hover:bg-gray-50" :class="{'ring-2 ring-inset ring-primary': selectedStorageprofile == storageprofile, 'rounded-t-md': index == 0, 'rounded-b-md': index == filteredStorageprofiles.length - 1}" @click="showStorageProfileDetails(storageprofile)">
+          <div class="px-4 py-4 flex items-center sm:px-6">
+            <div class="min-w-0 flex-1">
+              <div class="flex items-center gap-3">
+                <p class="truncate text-sm font-medium text-primary">{{ storageprofile.name }}</p>
+                <div v-if="storageprofile.archived" class="inline-flex items-center rounded-md bg-yellow-400/10 px-2 py-1 text-xs font-medium text-yellow-500 ring-1 ring-inset ring-yellow-400/20">{{ t('storageprofileList.badge.archived') }}</div>
+              </div>
+            </div>
+            <div class="ml-5 shrink-0">
+              <ChevronRightIcon class="h-5 w-5 text-gray-400" aria-hidden="true" />
+            </div>
+          </div>
+        </a>
+      </li>
+    </ul>
+  </div>
+
+  <div v-else-if="query === '' && filteredStorageprofiles != null && filteredStorageprofiles.length == 0" class="mt-3 text-center">
+    <svg xmlns="http://www.w3.org/2000/svg" class="mx-auto h-12 w-12 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
+      <path vector-effect="non-scaling-stroke" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 10.5v6m3-3H9m4.06-7.19l-2.12-2.12a1.5 1.5 0 00-1.061-.44H4.5A2.25 2.25 0 002.25 6v12a2.25 2.25 0 002.25 2.25h15A2.25 2.25 0 0021.75 18V9a2.25 2.25 0 00-2.25-2.25h-5.379a1.5 1.5 0 01-1.06-.44z" />
+    </svg>
+    <h3 class="mt-2 text-sm font-medium text-gray-900">{{ t('storageProfileList.empty.title') }}</h3>
+    <p class="mt-1 text-sm text-gray-500">{{ t('storageProfileList.empty.description') }}</p>
+  </div>
+
+  <div v-else-if="query !== '' && filteredStorageprofiles != null && filteredStorageprofiles.length == 0" class="mt-3 text-center">
+    <svg xmlns="http://www.w3.org/2000/svg" class="mx-auto h-12 w-12 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor" aria-hidden="true">
+      <path vector-effect="non-scaling-stroke" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M15.75 15.75l-2.489-2.489m0 0a3.375 3.375 0 10-4.773-4.773 3.375 3.375 0 004.774 4.774zM21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+    </svg>
+    <h3 class="mt-2 text-sm font-medium text-gray-900">{{ t('storageProfileList.filter.result.empty.title') }}</h3>
+    <p class="mt-1 text-sm text-gray-500">{{ t('storageProfileList.filter.result.empty.description') }}</p>
+  </div>
+
+  <SlideOver v-if="selectedStorageprofile != null" ref="StorageProfileDetailsSlideOver" :title="selectedStorageprofile.name" @close="selectedStorageprofile = null">
+    <StorageProfileDetails :storageprofile-id="selectedStorageprofile.id" @storageprofile-updated="v => onSelectedStorageprofileUpdate(v)"></StorageProfileDetails>
+  </SlideOver>
+</template>
+
+<script setup lang="ts">
+import { ChevronRightIcon, LinkIcon } from '@heroicons/vue/24/solid';
+import { computed, nextTick, onMounted, ref } from 'vue';
+import { useI18n } from 'vue-i18n';
+import auth from '../../common/auth';
+import backend, { StorageProfileDto } from '../../common/backend';
+import FetchError from '../FetchError.vue';
+import SlideOver from '../SlideOver.vue';
+import StorageProfileDetails from './StorageProfileDetails.vue';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const StorageProfileDetailsSlideOver = ref<typeof SlideOver>();
+const onFetchError = ref<Error | null>();
+
+const storageprofiles = ref<StorageProfileDto[]>();
+const selectedStorageprofile = ref<StorageProfileDto | null>(null);
+
+
+const isAdmin = ref<boolean>();
+
+const query = ref('');
+const filteredStorageprofiles = computed(() =>
+  query.value === ''
+    ? storageprofiles.value
+    : storageprofiles.value?.filter((storageprofile) => {
+      return storageprofile.name.toLowerCase().includes(query.value.toLowerCase());
+    })
+);
+
+onMounted(fetchData);
+
+async function fetchData() {
+  onFetchError.value = null;
+  try {
+    isAdmin.value = (await auth).hasRole("admin");
+    storageprofiles.value = (await backend.storageprofiles.get(undefined));
+  } catch (error) {
+    console.error('Retrieving storageprofile list failed.', error);
+    onFetchError.value = error instanceof Error ? error : new Error('Unknown Error');
+  }
+}
+
+function showStorageProfileDetails(storageprofile: StorageProfileDto) {
+  selectedStorageprofile.value = storageprofile;
+  nextTick(() => StorageProfileDetailsSlideOver.value?.show());
+}
+
+async function onSelectedStorageprofileUpdate(storageprofile: StorageProfileDto) {
+  await fetchData();
+  if (storageprofiles.value == null || storageprofile.id !== selectedStorageprofile.value?.id) {
+    return;
+  }
+  const index = storageprofiles.value?.findIndex(v => v.id === storageprofile.id);
+  if (index !== undefined && index !== -1) {
+    selectedStorageprofile.value = storageprofiles.value[index];
+  } else {
+    selectedStorageprofile.value = storageprofile;
+  }
+}
+
+</script>
diff --git a/frontend/src/css/fonts.css b/frontend/src/css/fonts.css
index 3e37edbdc..b5f9e4741 100644
--- a/frontend/src/css/fonts.css
+++ b/frontend/src/css/fonts.css
@@ -16,6 +16,17 @@
   unicode-range: U+0020-007F,U+00C4,U+00E4,U+00D6,U+00F6,U+00DC,U+00FC,U+00DF,U+20AC;
 }
 
+/*
+ * For headlines (Roboto Slab variable font):
+ */
+@font-face {
+  font-family: 'Roboto Slab';
+  font-style: normal;
+  font-weight: 100 900;
+  font-display: swap;
+  src: url('../fonts/RobotoSlab-VariableFont_wght.ttf') format('truetype');
+}
+
 /*
  * For h3 headings [ASCII + ÄäÖöÜü߀]:
  * pyftsubset quicksand-regular.woff2 --unicodes=U+0020-007F,U+00C4,U+00E4,U+00D6,U+00F6,U+00DC,U+00FC,U+00DF,U+20AC --verbose --flavor=woff2 --output-file=quicksand-regular.reduced.woff2
@@ -42,15 +53,3 @@
   unicode-range: U+0020-007F,U+00C4,U+00E4,U+00D6,U+00F6,U+00DC,U+00FC,U+00DF,U+20AC;
 }
 
-/*
- * Only for "CRYPTOMATOR" title:
- * pyftsubset quicksand-bold.woff2 --text="CRYPTOMATOR HUB" --verbose --flavor=woff2 --output-file=quicksand-bold.reduced.woff2
- */
-@font-face {
-  font-family: 'Quicksand';
-  font-style: normal;
-  font-weight: 700;
-  font-display: swap;
-  src: url('../fonts/quicksand-bold.reduced.woff2') format('woff2');
-  unicode-range: U+0043,U+0052,U+0059,U+0050,U+0054,U+004F,U+004D,U+0041,U+0020,U+0048,U+0055,U+0042;
-}
diff --git a/frontend/src/fonts/RobotoSlab-VariableFont_wght.ttf b/frontend/src/fonts/RobotoSlab-VariableFont_wght.ttf
new file mode 100644
index 000000000..934c67107
Binary files /dev/null and b/frontend/src/fonts/RobotoSlab-VariableFont_wght.ttf differ
diff --git a/frontend/src/fonts/quicksand-bold.reduced.woff2 b/frontend/src/fonts/quicksand-bold.reduced.woff2
index 8f9fd2ecc..7e674ff30 100644
Binary files a/frontend/src/fonts/quicksand-bold.reduced.woff2 and b/frontend/src/fonts/quicksand-bold.reduced.woff2 differ
diff --git a/frontend/src/i18n/ar-SA.json b/frontend/src/i18n/ar-SA.json
index 7e85103ae..e4bde29aa 100644
--- a/frontend/src/i18n/ar-SA.json
+++ b/frontend/src/i18n/ar-SA.json
@@ -16,7 +16,9 @@
   "common.close": "إغلاق",
   "common.copied": "تم النسخ!",
   "common.copy": "نسخ",
+  "common.create": "إنشاء",
   "common.download": "تحميل",
+  "common.edit": "تعديل",
   "common.hide": "أخفِ",
   "common.loading": "جارِ التحميل…",
   "common.next": "التالي",
@@ -27,6 +29,9 @@
   "common.remove": "حذف",
   "common.reset": "إعادة الضبط",
   "common.retry": "اعد المحاولة",
+  "common.save": "حفظ",
+  "common.saved": "حفظ!",
+  "common.search.placeholder": "بحث…",
   "common.share": "مشاركة",
   "common.show": "عرض",
   "common.undo": "تراجع",
@@ -34,6 +39,7 @@
   "common.unsavedChanges": "تغييرات غير محفوظة.",
   "common.update": "تحديث",
   "common.xMembers": "{0} أعضاء",
+  "common.actions": "الإجراءات",
   "admin.title": "مسؤول",
   "admin.serverInfo.title": "معلومات الخادم",
   "admin.serverInfo.hubVersion.description.updateExists": "التحديث إلى الإصدار {0} ممكن.",
@@ -50,6 +56,7 @@
   "admin.webOfTrust.information": "معرفة المزيد.",
   "admin.webOfTrust.save": "حفظ",
   "admin.webOfTrust.saved": "حفظ!",
+  "admin.emergencyAccess.learnMore": "معرفة المزيد.",
   "archiveVaultDialog.confirm": "أرشفة",
   "auditLog.filter": "التصفية",
   "auditLog.filter.startDate": "تاريخ البدء",
@@ -75,9 +82,16 @@
   "deviceList.added": "أُضيف",
   "deviceList.thisDevice": "هذا الجهاز",
   "deviceList.ipAddress": "عنوان IP",
+  "emergencyAccess.status.added": "أُضيف",
   "editVaultMetadataDialog.vaultName": "اسم الخزينة",
   "editVaultMetadataDialog.vaultDescription": "الوصف",
   "grantPermissionDialog.title": "منح الإذن",
+  "group.detail.vaults": "المخازن",
+  "group.detail.name": "الاسم",
+  "groupList.name": "الاسم",
+  "groupList.edit.group.button": "تعديل",
+  "groupList.search.placeholder": "بحث…",
+  "groupList.vaults.count": "المخازن",
   "trustDetails.trustLevel": "مستوى الثقة {0}",
   "trustDetails.trustLevel.untrusted": "لم يتم التحقق",
   "trustDetails.showSignDialogBtn": "تحقق من الهوية...",
@@ -109,6 +123,20 @@
   "regenerateAccountKeyDialog.saveAccountKey.accountKey": "Account Key",
   "resetUserAccountDialog.title": "إعادة تعيين حساب المستخدم",
   "userkeyFingerprint.title": "بصمة مفتاح المستخدم",
+  "user.detail.disable": "تعطيل",
+  "user.detail.edit": "تعديل",
+  "user.detail.enable": "تفعيل",
+  "user.detail.name": "الاسم",
+  "user.detail.username": "اسم المستخدم",
+  "userEditCreate.button.save": "حفظ",
+  "userEditCreate.button.saved": "حفظ!",
+  "userEditCreate.username": "اسم المستخدم",
+  "userEditCreate.password": "كلمة المرور",
+  "userEditCreate.passwordStrong": "قوية",
+  "userEditCreate.passwordWeak": "ضعيفة",
+  "userList.edit.user.button": "تعديل",
+  "userList.userName": "الاسم",
+  "userList.vaults.count": "المخازن",
   "userProfile.title": "الملف الشخصي",
   "userProfile.actions.manageAccount": "أدر الحساب",
   "userProfile.actions.changeLanguage": "غيّر اللغة",
@@ -116,7 +144,7 @@
   "unlockSuccess.accountSetup.title": "الإعداد مطلوب",
   "unlockSuccess.accountSetup.description": "أكمل إعداد حسابك واسترد مفتاح حسابك.",
   "unlockSuccess.deviceSetup.title": "جهاز جديد",
-  "unlockSuccess.deviceSetup.description": "الرجاء إدخال مفتاح حسابك في Cryptomator لتفويض ذلك.",
+  "unlockSuccess.deviceSetup.description": "الرجاء إدخال مفتاح حسابك في Katta لتفويض ذلك.",
   "unlockSuccess.deviceSetup.goToProfile": "اعرض مفتاح الحساب في ملفي الشخصي",
   "vaultDetails.description.header": "الوصف",
   "vaultDetails.description.empty": "لم يتم تقديم وصف.",
diff --git a/frontend/src/i18n/ba-RU.json b/frontend/src/i18n/ba-RU.json
index 6cb398d93..8c45ad3d0 100644
--- a/frontend/src/i18n/ba-RU.json
+++ b/frontend/src/i18n/ba-RU.json
@@ -5,18 +5,22 @@
   "common.close": "Яп",
   "common.copied": "Күсермә алынды!",
   "common.copy": "Күсермәһен ал",
+  "common.create": "Яһа",
   "common.download": "Күсереп ал",
+  "common.edit": "Төҙәт",
   "common.next": "Киләһе",
   "common.previous": "Алдағы",
   "common.refresh": "Яңырт",
   "common.remove": "Алып ташлау",
   "common.reset": "Яңынан башла",
   "common.retry": "Ҡабатла",
+  "common.save": "Һаҡла",
   "common.share": "Уртаҡлаш",
   "common.show": "Күрһәт",
   "admin.licenseInfo.manageSubscription": "Яҙылыуҙар менән идара итеү",
   "admin.webOfTrust.information": "Артабан уҡырға.",
   "admin.webOfTrust.save": "Һаҡла",
+  "admin.emergencyAccess.learnMore": "Артабан уҡырға.",
   "auditLog.filter": "Фильтр",
   "auditLog.details": "Тулыраҡ мәғлүмәт",
   "auditLog.details.vault.create": "Һаҡлағыс яһа",
@@ -26,9 +30,23 @@
   "createVault.showRecoveryKey.submit": "Һаҡлағыс яһа",
   "deviceList.deviceName": "Йыһаз исеме",
   "editVaultMetadataDialog.vaultName": "Һаҡлағыс исеме",
+  "group.detail.vaults": "Һаҡлағыстар",
+  "groupList.edit.group.button": "Төҙәт",
+  "groupList.vaults.count": "Һаҡлағыстар",
   "legacyDeviceList.description.information": "Артабан уҡырға.",
   "legacyDeviceList.deviceName": "Йыһаз исеме",
   "nav.vaults": "Һаҡлағыстар",
+  "user.detail.disable": "Һүндер",
+  "user.detail.edit": "Төҙәт",
+  "user.detail.enable": "Ғәмәлгә индер",
+  "user.detail.username": "Ҡулланыусы исеме",
+  "userEditCreate.button.save": "Һаҡла",
+  "userEditCreate.username": "Ҡулланыусы исеме",
+  "userEditCreate.password": "Серһүҙ",
+  "userEditCreate.passwordStrong": "Көслө",
+  "userEditCreate.passwordWeak": "Көсһөҙ",
+  "userList.edit.user.button": "Төҙәт",
+  "userList.vaults.count": "Һаҡлағыстар",
   "unlockSuccess.deviceSetup.title": "Яңы йыһаз",
   "vaultDetails.actions.updatePermissions.reload": "Яңынан тейә",
   "vaultDetails.actions.displayRecoveryKey": "Ҡайтарыу асҡысын ҡарау",
diff --git a/frontend/src/i18n/be-BY.json b/frontend/src/i18n/be-BY.json
index e822354b1..10dffdab6 100644
--- a/frontend/src/i18n/be-BY.json
+++ b/frontend/src/i18n/be-BY.json
@@ -5,12 +5,15 @@
   "common.close": "Зачыніць",
   "common.copied": "Скапіявана!",
   "common.copy": "Капіяваць",
+  "common.create": "Стварыць",
+  "common.edit": "Рэдагаваць",
   "common.next": "Далей",
   "common.previous": "Папярэдні",
   "common.refresh": "Абнавiць",
   "common.remove": "Выдаліць",
   "common.reset": "Скінуць",
   "common.retry": "Паспрабаваць ізноў",
+  "common.save": "Захаваць",
   "common.share": "Абагуліць",
   "common.show": "Паказаць",
   "admin.webOfTrust.save": "Захаваць",
@@ -22,7 +25,16 @@
   "createVault.showRecoveryKey.submit": "Стварыць скарбніцу",
   "deviceList.deviceName": "Назва прылады",
   "editVaultMetadataDialog.vaultName": "Назва скарбніцы",
+  "groupList.edit.group.button": "Рэдагаваць",
   "legacyDeviceList.deviceName": "Назва прылады",
+  "user.detail.edit": "Рэдагаваць",
+  "user.detail.username": "Імя карыстальніка",
+  "userEditCreate.button.save": "Захаваць",
+  "userEditCreate.username": "Імя карыстальніка",
+  "userEditCreate.password": "Пароль",
+  "userEditCreate.passwordStrong": "Моцны",
+  "userEditCreate.passwordWeak": "Слабы",
+  "userList.edit.user.button": "Рэдагаваць",
   "unlockSuccess.deviceSetup.title": "Новая прылада",
   "vaultDetails.actions.updatePermissions.reload": "Перазагрузіць",
   "vaultDetails.actions.displayRecoveryKey": "Паказаць пароль аднаўлення",
diff --git a/frontend/src/i18n/bg-BG.json b/frontend/src/i18n/bg-BG.json
index a6bfbaddd..01d426dae 100644
--- a/frontend/src/i18n/bg-BG.json
+++ b/frontend/src/i18n/bg-BG.json
@@ -5,12 +5,15 @@
   "common.close": "Затваряне",
   "common.copied": "Копирано!",
   "common.copy": "Копиране",
+  "common.create": "Създаване",
+  "common.edit": "Редактиране",
   "common.next": "Напред",
   "common.previous": "Назад",
   "common.refresh": "Презареждане",
   "common.remove": "Премахване",
   "common.reset": "Нулиране",
   "common.retry": "Повторен опит",
+  "common.save": "Запазване",
   "common.share": "Споделяне",
   "common.show": "Показване",
   "admin.webOfTrust.save": "Запазване",
@@ -22,7 +25,16 @@
   "createVault.showRecoveryKey.submit": "Създаване",
   "deviceList.deviceName": "Име на устройството",
   "editVaultMetadataDialog.vaultName": "Наименование",
+  "groupList.edit.group.button": "Редактиране",
   "legacyDeviceList.deviceName": "Име на устройството",
+  "user.detail.edit": "Редактиране",
+  "user.detail.username": "Потребител",
+  "userEditCreate.button.save": "Запазване",
+  "userEditCreate.username": "Потребител",
+  "userEditCreate.password": "Парола",
+  "userEditCreate.passwordStrong": "Добра",
+  "userEditCreate.passwordWeak": "Слаба",
+  "userList.edit.user.button": "Редактиране",
   "unlockSuccess.deviceSetup.title": "Ново устройство",
   "vaultDetails.actions.updatePermissions.reload": "Презареждане",
   "vaultDetails.actions.displayRecoveryKey": "Показване на ключ за възстановяване",
diff --git a/frontend/src/i18n/bn-BD.json b/frontend/src/i18n/bn-BD.json
index 0ec347030..34bae6d65 100644
--- a/frontend/src/i18n/bn-BD.json
+++ b/frontend/src/i18n/bn-BD.json
@@ -4,21 +4,31 @@
   "common.close": "বন্ধ করুন",
   "common.copied": "কপি হয়েছে!",
   "common.copy": "কপি",
+  "common.create": "তৈরি করুন",
   "common.download": "ডাউনলোড",
+  "common.edit": "এডিট",
   "common.next": "পরবর্তী",
   "common.previous": "পিছনে",
   "common.refresh": "রিফ্রেশ",
   "common.remove": "বাতিল",
   "common.retry": "পুনরায় চেষ্টা করুন",
+  "common.save": "সংরক্ষণ করুন",
   "common.share": "শেয়ার",
   "common.show": "দেখান",
   "admin.webOfTrust.information": "আরও জানুন।",
   "admin.webOfTrust.save": "সংরক্ষণ করুন",
+  "admin.emergencyAccess.learnMore": "আরও জানুন।",
   "auditLog.details.vault.create": "ভোল্ট তৈরি করুন",
   "claimVaultOwnershipDialog.error.wrongPassword": "ভুল পাসওয়ার্ড",
   "createVault.enterVaultDetails.title": "ভোল্ট তৈরি করুন",
   "createVault.enterVaultDetails.vaultName": "ভোল্ট এর নাম",
   "createVault.showRecoveryKey.submit": "ভোল্ট তৈরি করুন",
   "editVaultMetadataDialog.vaultName": "ভোল্ট এর নাম",
-  "legacyDeviceList.description.information": "আরও জানুন।"
+  "groupList.edit.group.button": "এডিট",
+  "legacyDeviceList.description.information": "আরও জানুন।",
+  "user.detail.edit": "এডিট",
+  "user.detail.username": "ব্যবহারকারীর নাম",
+  "userEditCreate.button.save": "সংরক্ষণ করুন",
+  "userEditCreate.username": "ব্যবহারকারীর নাম",
+  "userList.edit.user.button": "এডিট"
 }
diff --git a/frontend/src/i18n/bs-BA.json b/frontend/src/i18n/bs-BA.json
index 65e25ed78..23b888cf2 100644
--- a/frontend/src/i18n/bs-BA.json
+++ b/frontend/src/i18n/bs-BA.json
@@ -4,16 +4,30 @@
   "common.close": "Zatvori",
   "common.copied": "Kopirano!",
   "common.copy": "Kopiraj",
+  "common.create": "Dodaj",
+  "common.edit": "Izmjeni",
   "common.next": "Sljedeće",
   "common.remove": "Ukloni",
   "common.show": "Pokaži",
   "admin.webOfTrust.information": "Saznaj više.",
+  "admin.emergencyAccess.learnMore": "Saznaj više.",
   "auditLog.details.vault.create": "Kreiraj novi sef",
   "createVault.enterVaultDetails.title": "Kreiraj novi sef",
   "createVault.enterVaultDetails.vaultName": "Ime sefa",
   "createVault.showRecoveryKey.submit": "Kreiraj novi sef",
   "editVaultMetadataDialog.vaultName": "Ime sefa",
+  "group.detail.vaults": "Sef",
+  "groupList.edit.group.button": "Izmjeni",
+  "groupList.vaults.count": "Sef",
   "legacyDeviceList.description.information": "Saznaj više.",
   "nav.vaults": "Sef",
+  "user.detail.edit": "Izmjeni",
+  "user.detail.username": "Korisničko ime",
+  "userEditCreate.username": "Korisničko ime",
+  "userEditCreate.password": "Šifra",
+  "userEditCreate.passwordStrong": "Sigurno",
+  "userEditCreate.passwordWeak": "Slabo",
+  "userList.edit.user.button": "Izmjeni",
+  "userList.vaults.count": "Sef",
   "vaultList.title": "Sef"
 }
diff --git a/frontend/src/i18n/ca-ES.json b/frontend/src/i18n/ca-ES.json
index 64beeddd6..0f82756be 100644
--- a/frontend/src/i18n/ca-ES.json
+++ b/frontend/src/i18n/ca-ES.json
@@ -5,7 +5,9 @@
   "common.close": "Tanca",
   "common.copied": "Copiat!",
   "common.copy": "Copia",
+  "common.create": "Crear",
   "common.download": "Descarrega",
+  "common.edit": "Editar",
   "common.hide": "Amaga",
   "common.loading": "Carregant…",
   "common.next": "Següent",
@@ -17,6 +19,7 @@
   "common.remove": "Elimina",
   "common.reset": "Reinicia",
   "common.retry": "Reintenta",
+  "common.save": "Desa",
   "common.share": "Comparteix",
   "common.show": "Mostra",
   "common.undo": "Desfer",
@@ -24,6 +27,7 @@
   "admin.licenseInfo.manageSubscription": "Gestionar Subscripcions",
   "admin.webOfTrust.information": "Més informació.",
   "admin.webOfTrust.save": "Desa",
+  "admin.emergencyAccess.learnMore": "Més informació.",
   "auditLog.filter": "Filtre",
   "auditLog.details": "Detalls",
   "auditLog.details.vault.create": "Crea la caixa forta",
@@ -33,13 +37,32 @@
   "createVault.showRecoveryKey.submit": "Crea la caixa forta",
   "deviceList.deviceName": "Nom del dispositiu",
   "editVaultMetadataDialog.vaultName": "Nom de la caixa forta",
+  "group.detail.vaults": "Caixes fortes",
+  "group.detail.name": "Nom",
+  "groupList.name": "Nom",
+  "groupList.edit.group.button": "Editar",
+  "groupList.vaults.count": "Caixes fortes",
   "legacyDeviceList.description.information": "Més informació.",
   "legacyDeviceList.deviceName": "Nom del dispositiu",
   "nav.vaults": "Caixes fortes",
+  "user.detail.disable": "Desactiva",
+  "user.detail.edit": "Editar",
+  "user.detail.enable": "Activa",
+  "user.detail.name": "Nom",
+  "user.detail.username": "Nom d'usuari",
+  "userEditCreate.button.save": "Desa",
+  "userEditCreate.username": "Nom d'usuari",
+  "userEditCreate.password": "Contrasenya",
+  "userEditCreate.passwordStrong": "Segura",
+  "userEditCreate.passwordWeak": "Poc segura",
+  "userList.edit.user.button": "Editar",
+  "userList.userName": "Nom",
+  "userList.vaults.count": "Caixes fortes",
   "unlockSuccess.deviceSetup.title": "Nou dispositiu",
   "vaultDetails.actions.updatePermissions.reload": "Torna a carregar",
   "vaultDetails.actions.displayRecoveryKey": "Veure clau de recuperació",
   "vaultList.title": "Caixes fortes",
   "vaultList.addVault": "Afegir",
-  "vaultList.filter": "Filtre"
+  "vaultList.filter": "Filtre",
+  "trial.enterpriseFeature.description": "Aquesta funció només es pot utilitzar de manera permanent amb una llicència Enterprise."
 }
diff --git a/frontend/src/i18n/cs-CZ.json b/frontend/src/i18n/cs-CZ.json
index ef9833d6b..a7f061624 100644
--- a/frontend/src/i18n/cs-CZ.json
+++ b/frontend/src/i18n/cs-CZ.json
@@ -5,18 +5,22 @@
   "common.close": "Zavřít",
   "common.copied": "Zkopírováno!",
   "common.copy": "Kopírovat",
+  "common.create": "Vytvořit",
   "common.download": "Stáhnout",
+  "common.edit": "Upravit",
   "common.next": "Další",
   "common.previous": "Předchozí",
   "common.refresh": "Načíst znovu",
   "common.remove": "Odstranit",
   "common.reset": "Resetovat",
   "common.retry": "Opakovat",
+  "common.save": "Uložit",
   "common.share": "Sdílet",
   "common.show": "Zobrazit",
   "admin.licenseInfo.manageSubscription": "Spravovat předplatné",
   "admin.webOfTrust.information": "Více informací.",
   "admin.webOfTrust.save": "Uložit",
+  "admin.emergencyAccess.learnMore": "Více informací.",
   "auditLog.filter": "Filtr",
   "auditLog.details": "Podrobnosti",
   "auditLog.details.vault.create": "Vytvořit trezor",
@@ -26,9 +30,23 @@
   "createVault.showRecoveryKey.submit": "Vytvořit trezor",
   "deviceList.deviceName": "Název zařízení",
   "editVaultMetadataDialog.vaultName": "Název trezoru",
+  "group.detail.vaults": "Trezory",
+  "groupList.edit.group.button": "Upravit",
+  "groupList.vaults.count": "Trezory",
   "legacyDeviceList.description.information": "Více informací.",
   "legacyDeviceList.deviceName": "Název zařízení",
   "nav.vaults": "Trezory",
+  "user.detail.disable": "Zakázat",
+  "user.detail.edit": "Upravit",
+  "user.detail.enable": "Povolit",
+  "user.detail.username": "Uživatel",
+  "userEditCreate.button.save": "Uložit",
+  "userEditCreate.username": "Uživatel",
+  "userEditCreate.password": "Heslo",
+  "userEditCreate.passwordStrong": "silné",
+  "userEditCreate.passwordWeak": "slabé",
+  "userList.edit.user.button": "Upravit",
+  "userList.vaults.count": "Trezory",
   "unlockSuccess.deviceSetup.title": "Nové zařízení",
   "vaultDetails.actions.updatePermissions.reload": "Obnovit",
   "vaultDetails.actions.displayRecoveryKey": "Zobrazit obnovovací klíč",
diff --git a/frontend/src/i18n/da-DK.json b/frontend/src/i18n/da-DK.json
index 411559d18..4448a095e 100644
--- a/frontend/src/i18n/da-DK.json
+++ b/frontend/src/i18n/da-DK.json
@@ -7,7 +7,7 @@
   "locale.lv-LV": "Lettisk",
   "locale.nl-NL": "Hollandsk",
   "locale.pt-BR": "Portugisisk (Brasilien)",
-  "locale.pt-PT": "Portugesisk",
+  "locale.pt-PT": "Portugisisk",
   "locale.ru-RU": "Russisk",
   "locale.tr-TR": "Tyrkisk",
   "locale.uk-UA": "Ukrainsk",
@@ -18,7 +18,9 @@
   "common.close": "Luk",
   "common.copied": "Kopieret!",
   "common.copy": "Kopiér",
+  "common.create": "Opret",
   "common.download": "Download",
+  "common.edit": "Redigér",
   "common.hide": "Skjul",
   "common.loading": "Indlæser…",
   "common.next": "Næste",
@@ -30,6 +32,8 @@
   "common.remove": "Fjern",
   "common.reset": "Nulstil",
   "common.retry": "Prøv igen",
+  "common.save": "Gem",
+  "common.saved": "Gemt!",
   "common.share": "Del",
   "common.show": "Vis",
   "common.undo": "Fortryd",
@@ -39,14 +43,15 @@
   "common.xMembers": "{0} Medlemmer",
   "admin.title": "Admin",
   "admin.serverInfo.title": "Serverinfo",
-  "admin.serverInfo.description": "Hub ID bruges til at identificere din Cryptomator Hub-instans for din licens. Angiv altid den viste Hub og Keycloak version ved supporthenvendelser.",
-  "admin.serverInfo.hubId.title": "Hub ID",
-  "admin.serverInfo.hubVersion.title": "Hub version",
-  "admin.serverInfo.hubVersion.description.upToDate": "Hub er opdateret.",
+  "admin.serverInfo.description": "Katta ID bruges til at identificere din Katta-instans for din licens. Angiv altid den viste Katta og Keycloak version ved supporthenvendelser.",
+  "admin.serverInfo.hubId.title": "Katta ID",
+  "admin.serverInfo.hubVersion.title": "Katta version",
+  "admin.serverInfo.hubVersion.description.upToDate": "Katta er opdateret.",
   "admin.serverInfo.hubVersion.description.updateExists": "Opdatering til version {0} muligt.",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "Kan ikke tjekke for opdateringer. Tjek venligst manuelt.",
   "admin.serverInfo.keycloakVersion.title": "Keycloak version",
   "admin.serverInfo.keycloakVersion.description": "Håndtér Keycloak",
+  "admin.serverInfo.keycloakVersion.notAvailable": "ikke tilgængelig",
   "admin.licenseInfo.title": "Licens-info",
   "admin.licenseInfo.description": "Bekræft dine licensoplysninger. Hvis du vil foretage ændringer eller tjekke din abonnementsstatus, skal du klikke på \"Administrer abonnement\".",
   "admin.licenseInfo.email.title": "Licenseret til",
@@ -61,12 +66,29 @@
   "admin.licenseInfo.manageSubscription": "Administrér abonnement",
   "admin.licenseInfo.type.title": "Type",
   "admin.licenseInfo.getLicense": "Hent licens",
-  "admin.licenseInfo.selfHostedNoLicense.description": "Tak fordi du bruger Cryptomator Hub! Du er blevet tildelt community licensen. Hvis du har brug for flere pladser, skal du opgradere din licens.",
-  "admin.licenseInfo.managedNoLicense.description": "Tak for at bruge Cryptomator Hub! Du har i øjeblikket ingen aktiv licens.",
+  "admin.licenseInfo.selfHostedNoLicense.description": "Tak fordi du bruger Katta! Du er blevet tildelt community licensen. Hvis du har brug for flere pladser, skal du opgradere din licens.",
+  "admin.licenseInfo.managedNoLicense.description": "Tak for at bruge Katta! Du har i øjeblikket ingen aktiv licens.",
   "admin.webOfTrust.title": "Web of Trust",
+  "admin.webOfTrust.description": "Konfigurér Web of Trust indstillinger til at styre, hvordan tillid er etableret mellem brugere i systemet. Disse indstillinger påvirker verifikationen af brugernes identiteter og nøglesignaturer.",
   "admin.webOfTrust.information": "Læs mere.",
+  "admin.webOfTrust.wotMaxDepth.error": "Maksimal WoT-dybde skal være mellem 0 og 9.",
+  "admin.webOfTrust.wotMaxDepth.title": "Maksimal WoT-dybde",
+  "admin.webOfTrust.wotMaxDepth.description": "Maksimal afstand mellem to brugere, så en indirekte bekendt stadig anses for troværdig (forudsat mellemliggende identiteter er blevet verificeret).",
+  "admin.webOfTrust.wotIdVerifyLen.error": "Verifikation af fingeraftryks-præcision skal være positiv.",
+  "admin.webOfTrust.wotIdVerifyLen.title": "Verifikation af fingeraftryk-præcision",
+  "admin.webOfTrust.wotIdVerifyLen.description": "Hvor mange cifre i en anden brugers fingeraftryk man skal indtaste for at bekræfte deres identitet.",
   "admin.webOfTrust.save": "Gem",
+  "admin.webOfTrust.saved": "Gemt!",
+  "admin.emergencyAccess.learnMore": "Læs mere.",
+  "archiveVaultDialog.title": "Arkivér boks",
+  "archiveVaultDialog.description": "Arkivering af en boks gør den inaktiv. Dette kan frigøre besatte pladser. En arkiveret boks kan genaktiveres senere.",
+  "archiveVaultDialog.confirm": "Arkiv",
+  "auditLog.title": "Revisionslog",
+  "auditLog.order.ascending": "Stigende",
+  "auditLog.order.descending": "Faldende",
   "auditLog.filter": "Filter",
+  "auditLog.filter.startDate": "Startdato",
+  "auditLog.filter.endDate": "Slutdato",
   "auditLog.details": "Detaljer",
   "auditLog.details.vault.create": "Opret boks",
   "auditLog.details.vault.update": "Opdatér boks",
@@ -95,7 +117,7 @@
   "createVault.enterVaultDetails.title": "Opret boks",
   "createVault.enterVaultDetails.description": "Angiv et navn og en beskrivelse for din nye boks. Du kan ændre disse senere.",
   "createVault.enterVaultDetails.vaultName": "Boks-navn",
-  "createVault.enterVaultDetails.vaultDescription": "Beskriveslse",
+  "createVault.enterVaultDetails.vaultDescription": "Beskrivelse",
   "createVault.showRecoveryKey.title": "Gendannelsesnøgle",
   "createVault.showRecoveryKey.description": "Følgende gendannelsesnøgle kan bruges til at gendanne adgang til boksen.",
   "createVault.showRecoveryKey.recoveryKey": "Gendannelsesnøgle til din boks",
@@ -106,25 +128,61 @@
   "createVault.error.invalidRecoveryKey": "Gendannelsesnøgle er ugyldig.",
   "createVault.error.vaultAlreadyExists": "En boks med det givne navn findes allerede.",
   "createVault.error.downloadTemplateFailed": "Download af boks-skabelon mislykkedes: {0}",
-  "createVault.error.paymentRequired": "Din Cryptomator Hub licens har overskredet antallet af ledige pladser eller er udløbet. Du bedes give en Hub administrator besked om at opgradere eller forny licensen.",
+  "createVault.error.paymentRequired": "Din Katta licens har overskredet antallet af ledige pladser eller er udløbet. Du bedes give en Katta administrator besked om at opgradere eller forny licensen.",
   "createVault.success.title": "Boks oprettet",
+  "disableUserDialog.title": "Deaktivér bruger",
+  "disableUserDialog.description": "Denne bruger vil ikke længere være i stand til at logge ind og vil blive ekskluderet fra antallet af sæder. Du kan genaktivere brugeren når som helst.",
+  "disableUserDialog.confirm": "Deaktivér bruger",
   "deviceList.deviceName": "Enheds-navn",
   "deviceList.type": "Type",
+  "deviceType.browser": "Browser",
+  "deviceType.desktop": "Desktop",
+  "deviceType.mobile": "Mobil",
+  "emergencyAccess.processType.changePermissions": "Vælg boksbrugere",
+  "emergencyAccess.processType.changeCouncil": "Skift nødadgangs-råd",
+  "emergencyAccess.badge.insufficientCouncilMembers.title": "Utilstrækkelig nødadgang",
+  "emergencyAccess.badge.insufficientCouncilMembers.message": "Din teampolitik kræver et nødadgangs-råd på mindst {0} medlemmer. Denne boks opfylder i øjeblikket ikke dette krav.",
   "editVaultMetadataDialog.vaultName": "Boks-navn",
-  "editVaultMetadataDialog.vaultDescription": "Beskriveslse",
+  "editVaultMetadataDialog.vaultDescription": "Beskrivelse",
   "editVaultMetadataDialog.error.vaultAlreadyExists": "En boks med det givne navn findes allerede.",
+  "group.detail.vaults": "Bokse",
+  "group.detail.name": "Navn",
+  "groupList.name": "Navn",
+  "groupList.edit.group.button": "Redigér",
+  "groupList.vaults.count": "Bokse",
+  "initialSetup.accountKey": "Kontonøgle",
   "legacyDeviceList.description.information": "Læs mere.",
   "legacyDeviceList.deviceName": "Enheds-navn",
   "legacyDeviceList.type": "Type",
+  "manageAccountKey.title": "Kontonøgle",
   "nav.vaults": "Bokse",
   "nav.profile.admin": "Admin",
+  "nav.profile.auditlog": "Revisionslog",
   "recoveryKeyDialog.title": "Gendannelsesnøgle",
   "recoveryKeyDialog.recoveryKey": "Gendannelsesnøgle til din boks",
   "recoverVaultDialog.submit": "Gendan boks",
+  "regenerateAccountKeyDialog.saveAccountKey.accountKey": "Kontonøgle",
+  "user.detail.disable": "Deaktivér",
+  "user.detail.disabled": "Deaktiveret",
+  "user.detail.edit": "Redigér",
+  "user.detail.enable": "Aktivér",
+  "user.detail.name": "Navn",
+  "user.detail.username": "Brugernavn",
+  "userEditCreate.button.save": "Gem",
+  "userEditCreate.button.saved": "Gemt!",
+  "userEditCreate.username": "Brugernavn",
+  "userEditCreate.password": "Adgangskode",
+  "userEditCreate.passwordStrong": "Stærk",
+  "userEditCreate.passwordWeak": "Svag",
+  "userList.edit.user.button": "Redigér",
+  "userList.userName": "Navn",
+  "userList.vaults.count": "Bokse",
+  "userList.disabled": "Deaktiveret",
   "unlockSuccess.deviceSetup.title": "Ny Enhed",
-  "vaultDetails.description.header": "Beskriveslse",
+  "vaultDetails.description.header": "Beskrivelse",
   "vaultDetails.actions.updatePermissions.reload": "Genindlæs",
   "vaultDetails.actions.displayRecoveryKey": "Vis gendannelsesnøgle",
+  "vaultDetails.actions.archiveVault": "Arkivér boks",
   "vaultDetails.actions.claimOwnership": "Kræv ejerskab",
   "vaultList.title": "Bokse",
   "vaultList.addVault": "Tilføj",
diff --git a/frontend/src/i18n/de-DE.json b/frontend/src/i18n/de-DE.json
index 8c0a9288b..183ef9bbb 100644
--- a/frontend/src/i18n/de-DE.json
+++ b/frontend/src/i18n/de-DE.json
@@ -18,7 +18,9 @@
   "common.close": "Schließen",
   "common.copied": "Kopiert!",
   "common.copy": "Kopieren",
+  "common.create": "Erstellen",
   "common.download": "Herunterladen",
+  "common.edit": "Bearbeiten",
   "common.hide": "Ausblenden",
   "common.loading": "Laden…",
   "common.next": "Weiter",
@@ -30,6 +32,9 @@
   "common.remove": "Entfernen",
   "common.reset": "Zurücksetzen",
   "common.retry": "Wiederholen",
+  "common.save": "Speichern",
+  "common.saved": "Gespeichert!",
+  "common.search.placeholder": "Suche…",
   "common.share": "Teilen",
   "common.show": "Anzeigen",
   "common.undo": "Rückgängig machen",
@@ -37,12 +42,13 @@
   "common.unsavedChanges": "Nicht gespeicherte Änderungen.",
   "common.update": "Aktualisieren",
   "common.xMembers": "{0} Mitglieder",
+  "common.actions": "Aktionen",
   "admin.title": "Administrator",
   "admin.serverInfo.title": "Server-Info",
-  "admin.serverInfo.description": "Die Hub-ID dient zur Identifizierung deiner Cryptomator Hub-Instanz für deine Lizenz. Für den Support gib bitte immer die angezeigte Hub- und Keycloak-Version an.",
-  "admin.serverInfo.hubId.title": "Hub-ID",
-  "admin.serverInfo.hubVersion.title": "Hub-Version",
-  "admin.serverInfo.hubVersion.description.upToDate": "Hub ist aktuell.",
+  "admin.serverInfo.description": "Die Katta-ID dient zur Identifizierung deiner Katta-Instanz für deine Lizenz. Für den Support gib bitte immer die angezeigte Katta- und Keycloak-Version an.",
+  "admin.serverInfo.hubId.title": "Katta-ID",
+  "admin.serverInfo.hubVersion.title": "Katta-Version",
+  "admin.serverInfo.hubVersion.description.upToDate": "Katta ist aktuell.",
   "admin.serverInfo.hubVersion.description.updateExists": "Update auf Version {0} möglich.",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "Suche nach Updates ist fehlgeschlagen. Bitte prüfe manuell.",
   "admin.serverInfo.keycloakVersion.title": "Keycloak-Version",
@@ -62,8 +68,8 @@
   "admin.licenseInfo.manageSubscription": "Abonnement verwalten",
   "admin.licenseInfo.type.title": "Typ",
   "admin.licenseInfo.getLicense": "Lizenz erhalten",
-  "admin.licenseInfo.selfHostedNoLicense.description": "Vielen Dank, dass du Cryptomator Hub nutzt! Du hast die Community-Lizenz erhalten. Wenn du mehr Sitze benötigst, erweiter deine Lizenz.",
-  "admin.licenseInfo.managedNoLicense.description": "Vielen Dank, dass du Cryptomator Hub nutzt! Du hast aktuell keine aktive Lizenz.",
+  "admin.licenseInfo.selfHostedNoLicense.description": "Vielen Dank, dass du Katta nutzt! Du hast die Community-Lizenz erhalten. Wenn du mehr Sitze benötigst, erweiter deine Lizenz.",
+  "admin.licenseInfo.managedNoLicense.description": "Vielen Dank, dass du Katta nutzt! Du hast aktuell keine aktive Lizenz.",
   "admin.webOfTrust.title": "Web of Trust",
   "admin.webOfTrust.description": "Konfiguriere die Web of Trust-Einstellungen, um zu verwalten, wie Vertrauen zwischen Benutzern im System aufgebaut wird. Diese Einstellungen beeinflussen die Überprüfung von Benutzeridentitäten und Schlüssel-Signaturen.",
   "admin.webOfTrust.information": "Erfahre mehr.",
@@ -75,6 +81,8 @@
   "admin.webOfTrust.wotIdVerifyLen.description": "Wie viel des Fingerabdrucks eines anderen Nutzers eingegeben werden muss, um dessen Identität zu verifizieren.",
   "admin.webOfTrust.save": "Speichern",
   "admin.webOfTrust.saved": "Gespeichert!",
+  "admin.emergencyAccess.learnMore": "Mehr erfahren.",
+  "admin.emergencyAccess.noRedundancy.title": "Ihre aktuelle Schlüsselaufteilung hat keine Redundanz!",
   "archiveVaultDialog.title": "Tresor archivieren",
   "archiveVaultDialog.description": "Das Archivieren eines Tresors macht ihn inaktiv. Dadurch können belegte Sitze frei werden. Ein archivierter Tresor kann später wieder aktiviert werden.",
   "archiveVaultDialog.confirm": "Archivieren",
@@ -142,13 +150,13 @@
   "createVault.error.keyDoesNotMatchMetadata": "Der eingegebene Wiederherstellungsschlüssel passt nicht zur hochgeladenen Tresormetadatendatei.",
   "createVault.error.vaultAlreadyExists": "Ein Tresor mit dem angegebenen Namen existiert bereits.",
   "createVault.error.downloadTemplateFailed": "Download der Tresorvorlage fehlgeschlagen: {0}",
-  "createVault.error.paymentRequired": "Deine Cryptomator Hub Lizenz hat die Anzahl der verfügbaren Sitze überschritten oder ist abgelaufen. Bitte informiere einen Hub-Administrator, um die Lizenz zu erneuern oder zu erweitern.",
+  "createVault.error.paymentRequired": "Deine Katta Lizenz hat die Anzahl der verfügbaren Sitze überschritten oder ist abgelaufen. Bitte informiere einen Katta-Administrator, um die Lizenz zu erneuern oder zu erweitern.",
   "createVault.success.title": "Tresor erstellt",
   "createVault.success.description": "Nachdem du den gezippten Tresorordner heruntergeladen hast, entpacke ihn an einem beliebigen Ort, der für deine Teammitglieder freigegeben ist.",
   "createVault.success.download": "Gezippten Tresorordner herunterladen",
   "createVault.success.return": "Zurück zur Tresorliste",
   "deviceList.empty.message": "Keine Geräte",
-  "deviceList.empty.description": "Um ein Gerät hinzuzufügen, füge einen Tresor aus diesem Hub zur Cryptomator-App des Geräts hinzu und entsperre es.",
+  "deviceList.empty.description": "Um ein Gerät hinzuzufügen, füge einen Tresor aus Katta zur Katta-App des Geräts hinzu und entsperre es.",
   "deviceList.title": "Autorisierte Geräte und Browser",
   "deviceList.deviceName": "Gerätename",
   "deviceList.type": "Typ",
@@ -157,8 +165,12 @@
   "deviceList.ipAddress": "IP-Adresse",
   "deviceList.lastAccess": "Letzter Tresor Zugriff",
   "deviceList.lastAccess.toolTip": "Kann bei Zugriff von Geräten mit älteren Versionen fehlen.",
+  "deviceType.mobile": "Mobil",
   "downloadVaultTemplateDialog.title": "Tresorvorlage herunterladen",
   "downloadVaultTemplateDialog.description": "Lade die gezippte Tresorvorlage herunter und entpacke ihn an einem beliebigen Ort, der für deine Teammitglieder freigegeben ist. Dies ist einmal für die Ersteinrichtung erforderlich.",
+  "emergencyAccess.status.added": "Hinzugefügt",
+  "emergencyAccess.filter.all": "Alle",
+  "emergencyAccess.badge.insufficientCouncilMembers.message": "Deine Teamrichtlinie erfordert einen Notfallzugangsrat von mindestens {0} Mitgliedern. Dieser Tresor erfüllt derzeit diese Anforderung nicht.",
   "editVaultMetadataDialog.title": "Tresor-Metadaten bearbeiten",
   "editVaultMetadataDialog.description": "Aktualisiere den Namen und die Beschreibung des Tresors.",
   "editVaultMetadataDialog.vaultName": "Tresorname",
@@ -168,6 +180,12 @@
   "grantPermissionDialog.title": "Berechtigung erteilen",
   "grantPermissionDialog.description": "Tresor-Schlüssel mit neu hinzugefügten Nutzern teilen.",
   "grantPermissionDialog.submit": "Berechtigung für {0} Nutzer gewähren",
+  "group.detail.vaults": "Tresore",
+  "group.detail.name": "Name",
+  "groupList.name": "Name",
+  "groupList.edit.group.button": "Bearbeiten",
+  "groupList.search.placeholder": "Suche…",
+  "groupList.vaults.count": "Tresore",
   "trustDetails.trustLevel": "Vertrauenslevel {0}",
   "trustDetails.trustLevel.untrusted": "Unverifiziert",
   "trustDetails.showSignDialogBtn": "Identität prüfen...",
@@ -175,7 +193,7 @@
   "signUserKeysDialog.title": "{0}s Identität bestätigen",
   "signUserKeysDialog.description": "Gib die ersten {0} Zeichen von {1}s Fingerprint ein, um die Authentizität der Public Keys dieses Nutzers zu bestätigen. Der Fingerprint wird im persönlichen Nutzerprofil angezeigt.",
   "signUserKeysDialog.submit": "Identität bestätigen",
-  "initialSetup.createUserKey.title": "Willkommen bei Cryptomator Hub",
+  "initialSetup.createUserKey.title": "Willkommen bei Katta",
   "initialSetup.createUserKey.description": "Bei der ersten Anmeldung erhält jeder Nutzer einen eindeutigen Account Key:",
   "initialSetup.createUserKey.details.accountKey": "Dein Account Key wird benötigt, um dich von anderen Apps oder Browsern aus anzumelden",
   "initialSetup.createUserKey.details.devicesList": "Du kannst eine Liste autorisierter Apps auf deiner Profilseite sehen",
@@ -191,19 +209,19 @@
   "initialSetup.recoverUserKey.lostAccountKey": "Account Key verloren? {0}",
   "initialSetup.recoverUserKey.lostAccountKey.resetUserAccount": "Account zurücksetzen",
   "initialSetup.setupAlreadyCompleted.title": "Einrichtung bereits abgeschlossen",
-  "initialSetup.setupAlreadyCompleted.description": "Du hast die Einrichtung von Cryptomator Hub bereits abgeschlossen. Dein Account Key befindet sich in deinem Profil.",
+  "initialSetup.setupAlreadyCompleted.description": "Du hast die Einrichtung von Katta bereits abgeschlossen. Dein Account Key befindet sich in deinem Profil.",
   "initialSetup.setupAlreadyCompleted.goToYourProfile": "Zu deinem Profil",
   "initialSetup.accountKey": "Account Key",
   "initialSetup.submit": "Einrichtung abschließen",
   "licenseAlert.noRemainingSeats.title": "Lizenz überschritten",
-  "licenseAlert.noRemainingSeats.admin.description": "Deine Cryptomator Hub Instanz hat die Anzahl an lizensierten Sitzen überschritten. Öffne den {0} und upgrade dort deine Lizenz, um deine Tresore weiterhin verwalten und entsperren zu können.",
-  "licenseAlert.noRemainingSeats.user.description": "Deine Cryptomator Hub Instanz hat die Anzahl an lizensierten Sitzen überschritten. Bitte informiere einen Hub-Administrator, um die Lizenz zu erweitern.",
+  "licenseAlert.noRemainingSeats.admin.description": "Deine Katta Instanz hat die Anzahl an lizensierten Sitzen überschritten. Öffne den {0} und upgrade dort deine Lizenz, um deine Tresore weiterhin verwalten und entsperren zu können.",
+  "licenseAlert.noRemainingSeats.user.description": "Deine Katta Instanz hat die Anzahl an lizensierten Sitzen überschritten. Bitte informiere einen Katta-Administrator, um die Lizenz zu erweitern.",
   "licenseAlert.licenseExpired.title": "Lizenz abgelaufen",
-  "licenseAlert.licenseExpired.admin.description": "Deine Cryptomator Hub Lizenz ist abgelaufen. Öffne den {0} und erneuere dort deine Lizenz, um deine Tresore weiterhin verwalten und entsperren zu können.",
-  "licenseAlert.licenseExpired.user.description": "Deine Cryptomator Hub Lizenz ist abgelaufen. Bitte informiere einen Hub-Administrator, um die Lizenz zu erweitern.",
+  "licenseAlert.licenseExpired.admin.description": "Deine Katta Lizenz ist abgelaufen. Öffne den {0} und erneuere dort deine Lizenz, um deine Tresore weiterhin verwalten und entsperren zu können.",
+  "licenseAlert.licenseExpired.user.description": "Deine Katta Lizenz ist abgelaufen. Bitte informiere einen Katta-Administrator, um die Lizenz zu erweitern.",
   "licenseAlert.button": "Admin-Bereich",
   "legacyDeviceList.title": "Veraltete Geräte",
-  "legacyDeviceList.description": "Diese Geräte wurden mit einer älteren Version von Hub erstellt und müssen aktualisiert werden, um Tresore in zukünftigen Versionen zu entsperren. Wenn du sie nicht mehr brauchst, entferne sie bitte. Andernfalls aktualisiere bitte den Cryptomator auf diesem Gerät. Dein nächstes Entsperren wird die Aktualisierung automatisch auslösen.",
+  "legacyDeviceList.description": "Diese Geräte wurden mit einer älteren Version von Katta erstellt und müssen aktualisiert werden, um Tresore in zukünftigen Versionen zu entsperren. Wenn du sie nicht mehr brauchst, entferne sie bitte. Andernfalls aktualisiere bitte den Katta auf diesem Gerät. Dein nächstes Entsperren wird die Aktualisierung automatisch auslösen.",
   "legacyDeviceList.description.information": "Mehr erfahren.",
   "legacyDeviceList.deviceName": "Gerätename",
   "legacyDeviceList.type": "Typ",
@@ -212,6 +230,7 @@
   "legacyDeviceList.ipAddress": "IP-Adresse",
   "legacyDeviceList.lastAccess": "Letzter Tresor Zugriff",
   "legacyDeviceList.lastAccess.toolTip": "Kann bei Zugriff von Geräten mit älteren Versionen fehlen.",
+  "legacyDeviceBanner.admin.description": "Einer oder mehrere Benutzer haben immer noch Legacy-Geräte. Die Unterstützung für diese veralterten Geräte wird in der nächsten Hauptversion entfernt. Bitten Sie die betroffenen Benutzer, Cryptomator zu aktualisieren oder diese veralterten Geräte zu entfernen.",
   "manageAccountKey.title": "Account Key",
   "manageAccountKey.description": "Dein Account Key wird benötigt, um dich von anderen Apps oder Browsern aus anzumelden.",
   "manageAccountKey.regenerate": "Neuen Key generieren",
@@ -244,18 +263,35 @@
   "resetUserAccountDialog.submit": "Account zurücksetzen",
   "userkeyFingerprint.title": "Fingerabdruck des Benutzerschlüssels",
   "userkeyFingerprint.description": "Dein User Key Fingerprint kann zur Verifizierung deiner Identität während der Aktualisierung der Tresor-Berechtigung dienen.",
+  "user.detail.disable": "Deaktivieren",
+  "user.detail.edit": "Bearbeiten",
+  "user.detail.enable": "Aktivieren",
+  "user.detail.name": "Name",
+  "user.detail.username": "Benutzername",
+  "userEditCreate.button.save": "Speichern",
+  "userEditCreate.button.saved": "Gespeichert!",
+  "userEditCreate.username": "Benutzername",
+  "userEditCreate.password": "Passwort",
+  "userEditCreate.passwordStrong": "Stark",
+  "userEditCreate.passwordWeak": "Schwach",
+  "userList.edit.user.button": "Bearbeiten",
+  "userList.userName": "Name",
+  "userList.vaults.count": "Tresore",
+  "userList.disabled": "Deaktiviert",
   "userProfile.title": "Profil",
   "userProfile.actions.manageAccount": "Account verwalten",
   "userProfile.actions.changeLanguage": "Sprache ändern",
   "userProfile.actions.changeLanguage.entry.browser": "Browser-Sprache",
   "userProfile.keycloakVersion.notAvailable": "Version nicht verfügbar",
+  "unlock.noAccessVaultArchived.title": "Tresor ist archiviert",
+  "unlock.noAccessVaultArchived.description": "Dieser Tresor wurde archiviert, daher ist ein Zugriff darauf nicht mehr möglich. Kontaktiere den Eigentümer des Tresors.",
   "unlockSuccess.title": "Tresor erfolgreich entsperrt",
-  "unlockSuccess.description": "Du kannst diesen Browser-Tab schließen und zu Cryptomator zurückkehren.",
+  "unlockSuccess.description": "Du kannst diesen Browser-Tab schließen und zu Katta zurückkehren.",
   "unlockSuccess.accountSetup.title": "Einrichtung erforderlich",
   "unlockSuccess.accountSetup.description": "Schließe die Einrichtung deines Kontos ab und erhalte deinen Account Key.",
   "unlockSuccess.accountSetup.goToSetup": "Einrichtung abschließen",
   "unlockSuccess.deviceSetup.title": "Neues Gerät",
-  "unlockSuccess.deviceSetup.description": "Bitte geben deinen Account Key in Cryptomator ein, um es zu autorisieren.",
+  "unlockSuccess.deviceSetup.description": "Bitte geben deinen Account Key in Katta ein, um es zu autorisieren.",
   "unlockSuccess.deviceSetup.goToProfile": "Account Key in meinem Profil anzeigen",
   "unlockSuccess.noVaultAccess.title": "Kein Zugriff auf diesen Tresor",
   "unlockSuccess.noVaultAccess.description": "Bitte kontaktiere den Tresor-Besitzer, um dich als Tresormitglied hinzuzufügen.",
@@ -278,7 +314,7 @@
   "vaultDetails.actions.reactivateVault": "Tresor reaktivieren",
   "vaultDetails.actions.claimOwnership": "Eigentümer werden",
   "vaultDetails.actions.recoverVault": "Tresorzugriff wiederherstellen",
-  "vaultDetails.error.licenseViolated": "Deine Cryptomator Hub Lizenz hat die Anzahl der verfügbaren Sitze überschritten oder ist abgelaufen. Bitte informiere einen Hub-Administrator, um die Lizenz zu erneuern oder zu erweitern.",
+  "vaultDetails.error.licenseViolated": "Deine Katta Lizenz hat die Anzahl der verfügbaren Sitze überschritten oder ist abgelaufen. Bitte informiere einen Katta-Administrator, um die Lizenz zu erneuern oder zu erweitern.",
   "vaultDetails.recoverVault.title": "Du hast deinen Account zurückgesetzt!",
   "vaultDetails.recoverVault.description": "Um wieder Zugriff auf den Tresor zu erhalten, musst du deinen Zugriff mit dem Wiederherstellungsschlüssel wiederherstellen oder ein anderer Eigentümer muss die Zugriffsrechte aktualisieren.",
   "vaultList.title": "Tresore",
@@ -297,5 +333,48 @@
   "vaultList.filter.result.empty.description": "Keine Ergebnisse mit diesem Suchbegriff oder Filter.",
   "vaultList.search.placeholder": "Suche…",
   "vaultList.badge.owner": "Eigentümer",
-  "vaultList.badge.archived": "Archiviert"
+  "vaultList.badge.archived": "Archiviert",
+
+
+  "CreateVaultS3.enterVaultDetails.storage": "Tresor-Speicherbereich",
+  "CreateVaultS3.enterVaultDetails.region": "Region",
+  "CreateVaultS3.enterVaultDetails.automaticAccessGrant": "Automatische Zugriffsfreigabe",
+  "CreateVaultS3.enterVaultDetails.vaultPermanentAccessKeyId": "Benutzername (S3 AccessKeyId)",
+  "CreateVaultS3.enterVaultDetails.vaultPermanentSecretKey": "Passwort (S3 SecretKey)",
+  "CreateVaultS3.enterVaultDetails.vaultPermanentBucketName": "S3 Bucket-Name (existent)",
+  "CreateVaultS3.success.description": "Katta auf dem Computer benützen, um den Tresor zu öffnen.",
+  "CreateVaultS3.success.open": "Tresore in Katta öffnen",
+  "CreateVaultS3.error.uploadTemplateFailed": "Hochladen Tresorvorlage nach S3-Bucket fehlgeschlagen.",
+
+
+  "vaultList.openInKatta": "In Katta öffnen",
+
+  "nav.profile.storageprofiles": "Admin Tresor-Speicherbereiche",
+  "storageProfileList.title": "Tresor-Speicherbereiche",
+  "storageProfileList.setup.title": "Katta web setup",
+  "storageProfileList.setup.description": "Katta web setup admin documentation",
+  "storageProfileList.search.placeholder": "Suche…",
+  "storageProfileList.empty.title": "Keine Tresor-Speicherbereiche",
+  "storageProfileList.empty.description": "Keine Tresor-Speicherbereiche",
+  "storageProfileList.filter.result.empty.title": "Keine Tresor-Speicherbereiche",
+  "storageProfileList.filter.result.empty.description": "Keinen Treffer mit diesem Suchbegriff oder Filter.",
+  "storageprofile.id": "id",
+  "storageprofile.name": "name",
+  "storageprofile.protocol": "protocol",
+  "storageprofile.bucketPrefix": "bucketPrefix",
+  "storageprofile.stsRoleArnClient": "stsRoleArnClient",
+  "storageprofile.stsRoleArnHub": "stsRoleArnHub",
+  "storageprofile.withPathStyleAccessEnabled": "withPathStyleAccessEnabled",
+  "storageprofile.region": "region",
+  "storageprofile.regions": "regions",
+  "storageprofile.scheme": "scheme",
+  "storageprofile.hostname": "hostname",
+  "storageprofile.port": "port",
+  "storageprofile.oauthClientId": "oauthClientId",
+  "storageprofile.oauthTokenUrl": "oauthTokenUrl",
+  "storageprofile.oauthAuthorizationUrl": "oauthAuthorizationUrl",
+  "storageprofile.stsRoleArn": "stsRoleArn",
+  "storageprofile.stsRoleArn2": "stsRoleArn2",
+  "storageprofile.stsDurationSeconds": "stsDurationSeconds",
+  "storageprofile.oAuthTokenExchangeAudience": "oAuthTokenExchangeAudience"
 }
diff --git a/frontend/src/i18n/el-GR.json b/frontend/src/i18n/el-GR.json
index bac73c9bc..c6aa72141 100644
--- a/frontend/src/i18n/el-GR.json
+++ b/frontend/src/i18n/el-GR.json
@@ -18,7 +18,9 @@
   "common.close": "Κλείσιμο",
   "common.copied": "Αντιγράφηκε!",
   "common.copy": "Αντιγραφή",
+  "common.create": "Δημιουργία",
   "common.download": "Λήψη",
+  "common.edit": "Επεξεργασία",
   "common.hide": "Απόκρυψη",
   "common.loading": "Φόρτωση…",
   "common.next": "Επόμενο",
@@ -30,6 +32,8 @@
   "common.remove": "Αφαίρεση",
   "common.reset": "Επαναφορά",
   "common.retry": "Επανάληψη",
+  "common.save": "Αποθήκευση",
+  "common.search.placeholder": "Αναζήτηση…",
   "common.share": "Κοινοποίηση",
   "common.show": "Εμφάνιση",
   "common.undo": "Αναίρεση",
@@ -37,11 +41,12 @@
   "common.unsavedChanges": "Μη αποθηκευμένες αλλαγές.",
   "common.update": "Ενημέρωση",
   "common.xMembers": "{0} Μέλη",
+  "common.actions": "Ενέργειες",
   "admin.title": "Διαχειριστής",
   "admin.serverInfo.title": "Πληροφορίες Διακομιστή",
-  "admin.serverInfo.hubId.title": "Αναγνωριστικό Hub",
-  "admin.serverInfo.hubVersion.title": "Έκδοση Hub",
-  "admin.serverInfo.hubVersion.description.upToDate": "Το Hub είναι ενημερωμένο.",
+  "admin.serverInfo.hubId.title": "Αναγνωριστικό Katta",
+  "admin.serverInfo.hubVersion.title": "Έκδοση Katta",
+  "admin.serverInfo.hubVersion.description.upToDate": "Το Katta είναι ενημερωμένο.",
   "admin.serverInfo.hubVersion.description.updateExists": "Δυνατότητα ενημέρωσης στην έκδοση {0}.",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "Δεν είναι δυνατός ο έλεγχος για ενημερώσεις. Παρακαλούμε ελέγξτε χειροκίνητα.",
   "admin.serverInfo.keycloakVersion.title": "Έκδοση Keycloak",
@@ -52,6 +57,7 @@
   "admin.licenseInfo.manageSubscription": "Διαχείριση Συνδρομής",
   "admin.webOfTrust.information": "Μάθε περισσότερα.",
   "admin.webOfTrust.save": "Αποθήκευση",
+  "admin.emergencyAccess.learnMore": "Μάθε περισσότερα.",
   "auditLog.filter": "Φίλτρο",
   "auditLog.details": "Λεπτομέρειες",
   "auditLog.details.vault.create": "Δημιουργία Κρύπτης",
@@ -81,13 +87,13 @@
   "createVault.error.invalidRecoveryKey": "Το κλειδί Ανάκτησης δεν είναι έγκυρο.",
   "createVault.error.vaultAlreadyExists": "Υπάρχει ήδη κρύπτη με το συγκεκριμένο όνομα.",
   "createVault.error.downloadTemplateFailed": "Η λήψη του πρότυπου κρύπτης απέτυχε: {0}",
-  "createVault.error.paymentRequired": "Η άδεια σας Cryptomator Hub έχει υπερβεί τον αριθμό των διαθέσιμων θέσεων ή έχει λήξει. Ενημερώστε έναν διαχειριστή του Hub για να αναβαθμίσει ή να ανανεώσει την άδεια χρήσης.",
+  "createVault.error.paymentRequired": "Η άδεια σας Katta έχει υπερβεί τον αριθμό των διαθέσιμων θέσεων ή έχει λήξει. Ενημερώστε έναν διαχειριστή του Katta για να αναβαθμίσει ή να ανανεώσει την άδεια χρήσης.",
   "createVault.success.title": "Η Κρύπτη δημιουργήθηκε",
   "createVault.success.description": "Αφού κάνετε λήψη του συμπιεσμένου φακέλου κρύπτης, αποσυμπιέστε τον σε οποιαδήποτε τοποθεσία είναι κοινή με τα μέλη της ομάδας σας.",
   "createVault.success.download": "Λήψη του συμπιεσμένου φακέλου κρύπτης",
   "createVault.success.return": "Επιστροφή στη λίστα κρυπτών",
   "deviceList.empty.message": "Δεν υπάρχουν συσκευές",
-  "deviceList.empty.description": "Για να προσθέσετε μια συσκευή, προσθέστε μια κρύπτη από αυτό το Hub στην εφαρμογή Cryptomator της συσκευής και ξεκλειδώστε την.",
+  "deviceList.empty.description": "Για να προσθέσετε μια συσκευή, προσθέστε μια κρύπτη από αυτό το Katta στην εφαρμογή Katta της συσκευής και ξεκλειδώστε την.",
   "deviceList.title": "Εξουσιοδοτημένες Συσκευές και Περιηγητές",
   "deviceList.deviceName": "Όνομα Συσκευής",
   "deviceList.type": "Τύπος",
@@ -97,6 +103,8 @@
   "deviceList.lastAccess": "Τελευταία Πρόσβαση Κρύπτης",
   "downloadVaultTemplateDialog.title": "Λήψη Προτύπου Κρύπτης",
   "downloadVaultTemplateDialog.description": "Κατεβάστε και αποσυμπιέστε το πρότυπο συμπιεσμένης κρύπτης σε οποιαδήποτε τοποθεσία μοιράστηκε με τα μέλη της ομάδας σας. Αυτό απαιτείται μόνο μία φορά κατά τη διάρκεια της αρχικής ρύθμισης.",
+  "emergencyAccess.status.added": "Προστέθηκε",
+  "emergencyAccess.filter.all": "Όλες",
   "editVaultMetadataDialog.title": "Επεξεργασία Μεταδεδομένων Κρύπτης",
   "editVaultMetadataDialog.description": "Ενημερώστε το όνομα και την περιγραφή της κρύπτης.",
   "editVaultMetadataDialog.vaultName": "Όνομα Κρύπτης",
@@ -106,6 +114,12 @@
   "grantPermissionDialog.title": "Χορήγηση Άδειας",
   "grantPermissionDialog.description": "Μοιραστείτε τα κλειδιά κρύπτης με χρήστες που προστέθηκαν πρόσφατα.",
   "grantPermissionDialog.submit": "Παραχώρηση Άδειας σε {0} χρήστη(ες)",
+  "group.detail.vaults": "Κρύπτες",
+  "group.detail.name": "Όνομα",
+  "groupList.name": "Όνομα",
+  "groupList.edit.group.button": "Επεξεργασία",
+  "groupList.search.placeholder": "Αναζήτηση…",
+  "groupList.vaults.count": "Κρύπτες",
   "trustDetails.trustLevel": "Επίπεδο Εμπιστοσύνης {0}",
   "trustDetails.trustLevel.untrusted": "Μη επαληθευμένος",
   "trustDetails.showSignDialogBtn": "Έλεγχος Ταυτότητας...",
@@ -127,6 +141,19 @@
   "recoveryKeyDialog.recoveryKey": "Κλειδί Ανάκτησης της Κρύπτης Σας",
   "recoverVaultDialog.submit": "Ανάκτηση Κρύπτης",
   "regenerateAccountKeyDialog.saveAccountKey.accountKey": "Κλειδί Λογαριασμού",
+  "user.detail.disable": "Απενεργοποίηση",
+  "user.detail.edit": "Επεξεργασία",
+  "user.detail.enable": "Ενεργοποίηση",
+  "user.detail.name": "Όνομα",
+  "user.detail.username": "Όνομα χρήστη",
+  "userEditCreate.button.save": "Αποθήκευση",
+  "userEditCreate.username": "Όνομα χρήστη",
+  "userEditCreate.password": "Κωδικός πρόσβασης",
+  "userEditCreate.passwordStrong": "Δυνατός",
+  "userEditCreate.passwordWeak": "Αδύναμος",
+  "userList.edit.user.button": "Επεξεργασία",
+  "userList.userName": "Όνομα",
+  "userList.vaults.count": "Κρύπτες",
   "userProfile.title": "Προφίλ",
   "userProfile.actions.manageAccount": "Διαχείριση Λογαριασμού",
   "userProfile.actions.changeLanguage": "Αλλαγή Γλώσσας",
diff --git a/frontend/src/i18n/en-US.json b/frontend/src/i18n/en-US.json
index d84a12016..10b4921a9 100644
--- a/frontend/src/i18n/en-US.json
+++ b/frontend/src/i18n/en-US.json
@@ -19,10 +19,16 @@
   "common.close": "Close",
   "common.copied": "Copied!",
   "common.copy": "Copy",
+  "common.create": "Create",
+  "common.device": "Device",
   "common.download": "Download",
+  "common.edit": "Edit",
   "common.hide": "Hide",
+  "common.leave": "Leave",
   "common.loading": "Loading…",
   "common.next": "Next",
+  "common.none": "None",
+  "common.nothingFound": "Nothing found",
   "common.optional": "optional",
   "common.pagination": "Pagination",
   "common.previous": "Previous",
@@ -31,6 +37,10 @@
   "common.remove": "Remove",
   "common.reset": "Reset",
   "common.retry": "Retry",
+  "common.save": "Save",
+  "common.saved": "Saved!",
+  "common.search.placeholder": "Search…",
+  "common.select.placeholder": "Select…",
   "common.share": "Share",
   "common.show": "Show",
   "common.undo": "Undo",
@@ -38,13 +48,18 @@
   "common.unsavedChanges": "Unsaved changes.",
   "common.update": "Update",
   "common.xMembers": "{0} Members",
+  "common.actions": "Actions",
+  "common.group": "Group",
+  "common.member": "Member",
+  "common.property": "Property",
+  "common.value": "Value",
 
   "admin.title": "Admin",
   "admin.serverInfo.title": "Server Info",
-  "admin.serverInfo.description": "The Hub ID is used to identify your Cryptomator Hub instance for your license. For support, always state the displayed Hub and Keycloak version.",
-  "admin.serverInfo.hubId.title": "Hub ID",
-  "admin.serverInfo.hubVersion.title": "Hub Version",
-  "admin.serverInfo.hubVersion.description.upToDate": "Hub is up-to-date.",
+  "admin.serverInfo.description": "The Katta ID is used to identify your Katta instance for your license. For support, always state the displayed Katta and Keycloak version.",
+  "admin.serverInfo.hubId.title": "Katta ID",
+  "admin.serverInfo.hubVersion.title": "Katta Version",
+  "admin.serverInfo.hubVersion.description.upToDate": "Katta is up-to-date.",
   "admin.serverInfo.hubVersion.description.updateExists": "Update to version {0} possible.",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "Unable to check for updates. Please check manually.",
   "admin.serverInfo.keycloakVersion.title": "Keycloak Version",
@@ -64,8 +79,8 @@
   "admin.licenseInfo.manageSubscription": "Manage Subscription",
   "admin.licenseInfo.type.title": "Type",
   "admin.licenseInfo.getLicense": "Get License",
-  "admin.licenseInfo.selfHostedNoLicense.description": "Thank you for using Cryptomator Hub! You have been granted the Community License. If you need more seats, upgrade your license.",
-  "admin.licenseInfo.managedNoLicense.description": "Thank you for using Cryptomator Hub! You currently have no active license.",
+  "admin.licenseInfo.selfHostedNoLicense.description": "Thank you for using Katta! You have been granted the Community License. If you need more seats, upgrade your license.",
+  "admin.licenseInfo.managedNoLicense.description": "Thank you for using Katta! You currently have no active license.",
 
   "admin.webOfTrust.title": "Web of Trust",
   "admin.webOfTrust.description": "Configure the Web of Trust settings to manage how trust is established between users in the system. These settings affect the verification of user identities and key signatures.",
@@ -78,7 +93,27 @@
   "admin.webOfTrust.wotIdVerifyLen.description": "How many digits of another users fingerprint one needs to enter to verify their identity.",
   "admin.webOfTrust.save": "Save",
   "admin.webOfTrust.saved": "Saved!",
-  
+"admin.emergencyAccess.title": "Emergency Access",
+  "admin.emergencyAccess.description": "Configure key splitting for vault recovery.",
+  "admin.emergencyAccess.learnMore": "Learn more.",
+  "admin.emergencyAccess.noRedundancy.title": "Your current key splitting has no redundancy!",
+  "admin.emergencyAccess.noRedundancy.description": "It is strongly advised to configure more keyholders than required keys.",
+  "admin.emergencyAccess.enabled.label": "Enabled",
+  "admin.emergencyAccess.enabled.help": "Enable Emergency Access",
+  "admin.emergencyAccess.requiredKeys.label": "Required Keys",
+  "admin.emergencyAccess.requiredKeys.ariaLabel": "Required key shares",
+  "admin.emergencyAccess.requiredKeys.help": "How many keys are required in order to restore access to a vault.",
+  "admin.emergencyAccess.keyholders.label": "Keyholders",
+  "admin.emergencyAccess.keyholders.minSelected": "At least {0} members must be selected. The required amount was defined above.",
+  "admin.emergencyAccess.keyholders.help": "Who shall retrieve an emergency access key.",
+  "admin.emergencyAccess.allowChoosing.label": "Let vault owners choose different keyholders.",
+  "admin.emergencyAccess.allowChoosing.atLeast": "At least:",
+  "admin.emergencyAccess.minMembers.ariaLabel": "Minimum members",
+  "admin.emergencyAccess.example.help": "Example of who can collaborate to recover a vault.",
+  "admin.emergencyAccess.validation.maxValue": "Max value is {0}.",
+  "admin.emergencyAccess.validation.minValue": "Min value is {0}.",
+  "admin.emergencyAccess.validation.minMembersAtLeastRequiredShares": "Must be greater than or equal to required key shares.",
+  "admin.emergencyAccess.errors.sharesMustNotExceedMembers": "Required key shares must not exceed minimum members.",
   "archiveVaultDialog.title": "Archive Vault",
   "archiveVaultDialog.description": "Archiving a vault makes it inactive. This may free up occupied seats. An archived vault can be reactivated later.",
   "archiveVaultDialog.confirm": "Archive",
@@ -91,11 +126,18 @@
   "auditLog.filter.endDate": "End Date",
   "auditLog.filter.selectEventFilter": "Select event filter",
   "auditLog.filter.clerEventFilter": "Clear event filter",
+  "auditLog.filter.removeEventType": "Remove {type}",
   "auditLog.timestamp": "Timestamp",
   "auditLog.type": "Event",
   "auditLog.details": "Details",
   "auditLog.details.device.register": "Register Device",
   "auditLog.details.device.remove": "Remove Device",
+  "auditLog.details.emergencyaccess.setup": "Emergency Access Setup",
+  "auditLog.details.emergencyaccess.settingsUpdated": "Emergency Access Settings Updated",
+  "auditLog.details.emergencyaccess.recoveryStarted": "Emergency Access Recovery Started",
+  "auditLog.details.emergencyaccess.recoveryApproved": "Emergency Access Recovery Approved",
+  "auditLog.details.emergencyaccess.recoveryCompleted": "Emergency Access Recovery Completed",
+  "auditLog.details.emergencyaccess.recoveryAborted": "Emergency Access Recovery Aborted",
   "auditLog.details.setting.wot.update": "Update Wot Settings",
   "auditLog.details.user.account.reset": "Reset User Account",
   "auditLog.details.user.keys.change": "User Keys Change",
@@ -136,6 +178,9 @@
   "createVault.enterVaultDetails.description": "Enter a name and description for your new vault. You can change these later.",
   "createVault.enterVaultDetails.vaultName": "Vault Name",
   "createVault.enterVaultDetails.vaultDescription": "Description",
+  "createVault.emergencyAccessDetails.title": "Define Emergency Access Conditions",
+  "createVault.emergencyAccessDetails.description": "Select council members for emergency access.",
+  "createVault.emergencyAccessDetails.description.adminDefined": "The emergency access council is defined by the administrator and cannot be changed here.",
   "createVault.showRecoveryKey.title": "Recovery Key",
   "createVault.showRecoveryKey.description": "The following recovery key can be used to restore access to the vault.",
   "createVault.showRecoveryKey.recoveryKey": "Recovery Key of Your Vault",
@@ -150,14 +195,26 @@
   "createVault.error.keyDoesNotMatchMetadata": "The given recovery key does not match the uploaded vault metadata file.",
   "createVault.error.vaultAlreadyExists": "A vault with the given name already exists.",
   "createVault.error.downloadTemplateFailed": "Download of vault template failed: {0}",
-  "createVault.error.paymentRequired": "Your Cryptomator Hub license has exceeded the number of available seats or has expired. Please inform a Hub administrator to upgrade or renew the license.",
+  "createVault.error.paymentRequired": "Your Katta license has exceeded the number of available seats or has expired. Please inform a Katta administrator to upgrade or renew the license.",
   "createVault.success.title": "Vault created",
   "createVault.success.description": "After downloading the zipped vault folder, unpack it to any location shared with your team members.",
   "createVault.success.download": "Download zipped vault folder",
   "createVault.success.return": "Return to vault list",
 
+  "deleteGroupDialog.title": "Delete Group",
+  "deleteGroupDialog.description": "Are you sure you want to permanently delete this group? It will be removed from all associated vaults. This action cannot be undone.",
+  "deleteGroupDialog.confirm": "Yes, delete group",
+
+  "disableUserDialog.title": "Disable User",
+  "disableUserDialog.description": "This user will no longer be able to log in and will be excluded from the seat count. You can re-enable the user at any time.",
+  "disableUserDialog.confirm": "Disable User",
+
+  "deleteUserDialog.title": "Delete User Account",
+  "deleteUserDialog.description": "Are you sure you want to permanently delete this user? All associated vaults and devices will be removed. This action cannot be undone.",
+  "deleteUserDialog.confirm": "Yes, delete user",
+
   "deviceList.empty.message": "No devices",
-  "deviceList.empty.description": "To add a device, add a vault from this Hub to the Cryptomator app of the device and unlock it.",
+  "deviceList.empty.description": "To add a device, add a vault from Katta to the Katta app of the device and unlock it.",
   "deviceList.title": "Authorized Devices and Browsers",
   "deviceList.deviceName": "Device Name",
   "deviceList.type": "Type",
@@ -167,9 +224,96 @@
   "deviceList.lastAccess": "Last Vault Access",
   "deviceList.lastAccess.toolTip": "May be missing for devices accessed with older versions.",
 
+  "deviceType.browser": "Browser",
+  "deviceType.desktop": "Desktop",
+  "deviceType.mobile": "Mobile",
+
   "downloadVaultTemplateDialog.title": "Download Vault Template",
   "downloadVaultTemplateDialog.description": "Download and unpack the zipped vault template to any location shared with your team members. This is required only once during the initial setup.",
 
+  "emergencyAccess.requiredKeyShares": "Required Key Shares",
+  "emergencyAccess.processCouncil": "Process Council",
+  "emergencyAccess.status.added": "Added",
+  "emergencyAccess.status.pending": "Pending",
+  "emergencyAccess.startProcess": "Start process",
+  "emergencyAccess.notPossible": "Not possible",
+  "emergencyAccess.vaultCouncil": "Vault Council",
+  "emergencyAccess.noRedundancy": "No Redundancy",
+  "emergencyAccess.label.councilMembers": "Council Members",
+  "emergencyAccess.label.newCouncilMembers": "New Council Members",
+  "emergencyAccess.label.owners": "Owners",
+  "emergencyAccess.label.members": "Members",
+  "emergencyAccess.label.removed": "Removed",
+  "emergencyAccess.label.possibleScenario": "Possible Emergency Scenario",
+  "emergencyAccess.label.exampleRecovery": "Example Recovery",
+  "emergencyAccess.validation.selectMoreCouncilMembers": "Select at least {0} more council members.",
+  "emergencyAccess.validation.minimumMembers": "At least {0} members must be selected.",
+  "emergencyAccess.approval.waitingOthers": "Waiting for other approvals",
+  "emergencyAccess.approval.showDetails": "Show details",
+  "emergencyAccess.approval.completeNow": "Complete now",
+  "emergencyAccess.approval.approveNow": "Approve now",
+  "emergencyAccess.processType.changePermissions": "Choose Vault Members",
+  "emergencyAccess.processType.changeCouncil": "Change Emergency Access Council",
+  "emergencyAccess.filter.all": "All",
+  "emergencyAccess.filter.approvable": "Approvable",
+  "emergencyAccess.filter.approved": "Approved",
+  "emergencyAccess.filter.startable": "Startable",
+  "emergencyAccess.empty.disabled": "Emergency Access is disabled.",
+  "emergencyAccess.empty.noneFound": "No emergency access vaults found",
+  "emergencyAccess.licenseRequired.message": "Emergency Access is only available with a paid license.",
+  "emergencyAccess.licenseRequired.adminHint": "You can get one in the admin section.",
+  "emergencyAccess.badge.notCouncil.title": "No Vault Council Member anymore",
+  "emergencyAccess.badge.notCouncil.message": "You are no longer part of the actual vault's emergency council. But you are still part of a running emergency access process.",
+  "emergencyAccess.badge.insufficientCouncilMembers.title": "Insufficient Emergency Access",
+  "emergencyAccess.badge.insufficientCouncilMembers.message": "Your team policy requires an emergency access council of at least {0} members. This vault does not currently meet this requirement.",
+  "emergencyAccess.badge.broken.title": "Broken Emergency Access",
+  "emergencyAccess.badge.broken.message": "Emergency Access is not possible anymore. One or more council members performed an account reset and lost their key shares.",
+  "emergencyAccess.badge.noRedundancy.title": "No Redundancy",
+  "emergencyAccess.badge.noRedundancy.message": "This Emergency Access Council has no redundancy. Consider assigning a council with redundancy.",
+
+  "emergencyAccessDialog.message.completed": "Process completed successfully.",
+  "emergencyAccessDialog.label.selectOwner": "Select user with role owner",
+  "emergencyAccessDialog.label.selectMember": "Select user with role member",
+  "emergencyAccessDialog.label.councilMembersAtLeast": "Council Members (At least: {0})",
+  "emergencyAccessDialog.section.ownership": "Ownership",
+  "emergencyAccessDialog.section.councilChange": "Council Change",
+  "emergencyAccessDialog.hint.finishProcess": "You can finish this emergency access process by adding the last key share and completing it.",
+  "emergencyAccessDialog.hint.keyShareAdded": "Your key share has already been added.",
+  "emergencyAccessDialog.hint.notInCouncil": "You are not part of the council for this process and cannot add a key share.",
+  "emergencyAccessDialog.action.abortProcess": "Abort this Process",
+  "emergencyAccessDialog.action.start": "Start",
+  "emergencyAccessDialog.action.approve": "Approve",
+  "emergencyAccessDialog.action.completeProcess": "Complete Process",
+  "emergencyAccessDialog.title.success": "Success",
+  "emergencyAccessDialog.title.changeCouncil": "Change council",
+  "emergencyAccessDialog.title.changePermissions": "Change vault permissions",
+  "emergencyAccessDialog.title.processDetails": "Process details",
+  "emergencyAccessDialog.title.approved": "Approved",
+  "emergencyAccessDialog.title.approveEmergencyAccess": "Approve Emergency Access",
+  "emergencyAccessDialog.title.completeEmergencyAccess": "Complete Emergency Access",
+  "emergencyAccessDialog.error.insufficientCouncilMembers": "Inconsistent data: Insufficient council members ({0}) to recover this vault ({1}).",
+  "emergencyAccessDialog.error.noProcessToApprove": "No recovery process to approve.",
+  "emergencyAccessDialog.error.processTampered": "Recovery process has been tampered with.",
+  "emergencyAccessDialog.error.noProcessToComplete": "No recovery process to complete.",
+  "emergencyAccessDialog.error.unsupportedProcessType": "Unsupported state for recovery process type: {0}",
+
+  "grantEmergencyAccessDialog.title": "Grant Emergency Access",
+  "grantEmergencyAccessDialog.description.selectCouncil": "Select council members to grant emergency access for this vault.",
+  "grantEmergencyAccessDialog.description.default": "Grant emergency access for this vault.",
+  "grantEmergencyAccessDialog.grant": "Grant",
+  "grantEmergencyAccessDialog.error.keySharesRequired": "At least 2 Emergency Key Shares are required.",
+  "grantEmergencyAccessDialog.error.councilMembersRequired": "At least 2 Council Members are required.",
+  "grantEmergencyAccessDialog.error.tooFewCouncilMembers": "Too few Council Members. Add more or lower the required Emergency Key Shares.",
+
+  "processAbortDialog.title": "Abort this Process",
+  "processAbortDialog.description": "Are you sure you want to abort this emergency access process? This action cannot be undone.",
+  "processAbortDialog.confirm": "Abort Process",
+
+  "recoveryDialog.error.invalidRecoveryType": "Invalid recovery process type.",
+  "recoveryDialog.error.processAlreadyExists": "A recovery process of this type already exists.",
+  "recoveryDialog.error.noOwnerSelected": "Select at least one owner.",
+  "recoveryDialog.error.notEnoughCouncilMembers": "Not enough council members selected.",
+
   "editVaultMetadataDialog.title": "Edit Vault Metadata",
   "editVaultMetadataDialog.description": "Update the name and description of the vault.",
   "editVaultMetadataDialog.vaultName": "Vault Name",
@@ -181,6 +325,54 @@
   "grantPermissionDialog.description": "Share vault keys with newly added users.",
   "grantPermissionDialog.submit": "Grant Permission to {0} User(s)",
 
+  "groups.title": "Groups",
+  "group.detail.info": "Group Details",
+  "group.detail.members": "Members",
+  "group.detail.vaults": "Vaults",
+  "group.detail.edit": "Edit Group",
+  "group.detail.add.member": "Add Member",
+  "group.detail.name": "Name",
+  "group.detail.createdOn": "Created on",
+  "group.detail.roles": "Roles",
+
+  "groupList.name": "Name",
+  "groupList.members.count": "Users",
+  "groupList.edit.group.button": "Edit",
+  "groupList.search.placeholder": "Search…",
+  "groupList.groupImage": "Group Image",
+  "groupList.vaults.count": "Vaults",
+  "groupList.create.button": "Create Group",
+  "groupList.group.created": "Created on",
+
+  "group.members.add":"Add Members",
+  "group.members.search.empty": "Nothing found",
+
+  "group.addMembers.title": "Add Members",
+  "group.addMembers.searchLabel": "Search by username or full name",
+  "group.addMembers.selectedUser": "User(s) selected",
+
+
+  "group.member.remove.title" : "Remove User from Group",
+  "group.member.remove.description": "Are you sure you want to remove this user from the group?",
+  "group.member.remove.confirm": "Yes, remove from group",
+
+  "groupEditCreate.title.create" : "Create New Group",
+  "groupEditCreate.title.edit" : "Group Edit",
+  "groupEditCreate.profileImage" : "Profile Image",
+  "groupEditCreate.role" : "Role",
+  "groupEditCreate.removePicture" : "Remove Picture",
+  "groupEditCreate.addPicture" : "Add Picture",
+  "groupEditCreate.name" : "Group Name",
+  "groupEditCreate.roles" : "Roles",
+  "groupEditCreate.validation.required": "This field is required",
+  "groupEditCreate.roles.remove": "Remove roles",
+  "groupEditCreate.roles.choose": "Choose roles",
+  "groupEditCreate.roles.addMore": "Add more",
+  "groupEditCreate.invalidImageUrl": "Invalid image URL",
+  "groupEditCreate.profilePictureUrl": "Profile Picture URL",
+  "groupEditCreate.selectRolesPlaceholder": "Select role(s)",
+  "groupEditCreate.error.groupNameAlreadyExists": "A group with this name already exists.",
+
   "trustDetails.trustLevel": "Trust Level {0}",
   "trustDetails.trustLevel.untrusted": "Unverified",
   "trustDetails.showSignDialogBtn": "Check Identity...",
@@ -190,7 +382,7 @@
   "signUserKeysDialog.description": "Enter the first {0} characters of {1}'s fingerprint in order to confirm the authenticity of their public keys. The fingerprint can be found in the user's profile.",
   "signUserKeysDialog.submit": "Confirm this User's Identity",
 
-  "initialSetup.createUserKey.title": "Welcome to Cryptomator Hub",
+  "initialSetup.createUserKey.title": "Welcome to Katta",
   "initialSetup.createUserKey.description": "On first login, every user gets a unique Account Key:",
   "initialSetup.createUserKey.details.accountKey": "Your Account Key is required to login from other apps or browsers",
   "initialSetup.createUserKey.details.devicesList": "You can see a list of authorized apps on your profile page",
@@ -206,21 +398,21 @@
   "initialSetup.recoverUserKey.lostAccountKey": "Lost your Account Key? {0}",
   "initialSetup.recoverUserKey.lostAccountKey.resetUserAccount": "Reset my account",
   "initialSetup.setupAlreadyCompleted.title": "Setup Already Completed",
-  "initialSetup.setupAlreadyCompleted.description": "You have already completed the initial setup for Cryptomator Hub. Your Account Key can be found in your profile.",
+  "initialSetup.setupAlreadyCompleted.description": "You have already completed the initial setup for Katta. Your Account Key can be found in your profile.",
   "initialSetup.setupAlreadyCompleted.goToYourProfile": "Go to Your Profile",
   "initialSetup.accountKey": "Account Key",
   "initialSetup.submit": "Finish Setup",
 
   "licenseAlert.noRemainingSeats.title": "License exceeded",
-  "licenseAlert.noRemainingSeats.admin.description": "Your Cryptomator Hub instance has exceeded the number of licensed seats. Upgrade it in the {0} in order to manage and unlock your vaults again.",
-  "licenseAlert.noRemainingSeats.user.description": "Your Cryptomator Hub instance has exceeded the number of licensed seats. Please inform a Hub administrator to upgrade the license.",
+  "licenseAlert.noRemainingSeats.admin.description": "Your Katta instance has exceeded the number of licensed seats. Upgrade it in the {0} in order to manage and unlock your vaults again.",
+  "licenseAlert.noRemainingSeats.user.description": "Your Katta instance has exceeded the number of licensed seats. Please inform a Katta administrator to upgrade the license.",
   "licenseAlert.licenseExpired.title": "License expired",
-  "licenseAlert.licenseExpired.admin.description": "Your Cryptomator Hub license has expired. Renew it in the {0} in order to manage and unlock your vaults again.",
-  "licenseAlert.licenseExpired.user.description": "Your Cryptomator Hub license has expired. Please inform a Hub administrator to renew the license.",
+  "licenseAlert.licenseExpired.admin.description": "Your Katta license has expired. Renew it in the {0} in order to manage and unlock your vaults again.",
+  "licenseAlert.licenseExpired.user.description": "Your Katta license has expired. Please inform a Katta administrator to renew the license.",
   "licenseAlert.button": "Admin Section",
 
   "legacyDeviceList.title": "Legacy Devices",
-  "legacyDeviceList.description": "These devices were created with an older version of Hub and need to be updated to unlock vaults in future versions. If you no longer need them, please remove them. Otherwise, please update Cryptomator on that device. Your next unlock will trigger the update automatically.",
+  "legacyDeviceList.description": "These devices were created with an older version of Katta and need to be updated to unlock vaults in future versions. If you no longer need them, please remove them. Otherwise, please update Katta on that device. Your next unlock will trigger the update automatically.",
   "legacyDeviceList.description.information": "Learn more.",
   "legacyDeviceList.deviceName": "Device Name",
   "legacyDeviceList.type": "Type",
@@ -229,6 +421,9 @@
   "legacyDeviceList.ipAddress": "IP Address",
   "legacyDeviceList.lastAccess": "Last Vault Access",
   "legacyDeviceList.lastAccess.toolTip": "May be missing for devices accessed with older versions.",
+  "legacyDeviceBanner.title": "Legacy Devices Will Be Dropped",
+  "legacyDeviceBanner.user.description": "Your legacy devices will no longer be supported in the next major release. Please update Cryptomator on those devices or remove them.",
+  "legacyDeviceBanner.admin.description": "One or more users still have legacy devices. Legacy device support will be dropped in the next major release. Please ask affected users to update Cryptomator or remove their legacy devices.",
 
 
   "manageAccountKey.title": "Account Key",
@@ -236,11 +431,15 @@
   "manageAccountKey.regenerate": "Regenerate Key",
 
   "nav.vaults": "Vaults",
+  "nav.emergencyAccess": "Emergency Access",
   "nav.profile.signedInAs": "Signed in as",
   "nav.profile.profile": "Your Profile",
   "nav.profile.admin": "Admin",
   "nav.profile.auditlog": "Audit Logs",
   "nav.profile.signOut": "Sign out",
+  "nav.authority": "Users & Groups",
+  "nav.groups": "Groups",
+  "nav.users": "Users",
   "nav.mobileMenu": "Open main menu",
 
   "reactivateVaultDialog.title": "Reactivate Vault",
@@ -271,19 +470,83 @@
   "userkeyFingerprint.title": "User Key Fingerprint",
   "userkeyFingerprint.description": "Your User Key Fingerprint can be used to verify your identity when updating the vault permission.",
 
+  "users.title": "Users",
+  "user.detail.createdOn": "Created on",
+  "user.detail.disable": "Disable",
+  "user.detail.disabled": "Disabled",
+  "user.detail.devices": "Devices",
+  "user.detail.edit": "Edit",
+  "user.detail.enable": "Enable",
+  "user.detail.email": "Email",
+  "user.detail.groups": "Groups",
+  "user.detail.groups.join": "Join",
+  "user.detail.info": "User Details",
+  "user.detail.legacyDeviceList.info": "These devices were created with an older version of Hub and need to be updated to unlock vaults in future versions.",
+  "user.detail.name": "Name",
+  "user.detail.roles": "Roles",
+  "user.detail.username": "Username",
+
+  "user.addGroups.title": "Add Groups",
+  "user.addGroups.searchLabel": "Search by group name",
+  "user.addGroups.selectedGroups": "Group(s) selected",
+
+  "userEditCreate.title.create": "Create New User",
+  "userEditCreate.title.edit": "Edit User",
+  "userEditCreate.button.create": "Create User",
+  "userEditCreate.button.save": "Save",
+  "userEditCreate.button.saved": "Saved!",
+  "userEditCreate.firstName": "First Name",
+  "userEditCreate.lastName": "Last Name",
+  "userEditCreate.username": "Username",
+  "userEditCreate.email": "Email",
+  "userEditCreate.roles": "Roles",
+  "userEditCreate.selectRolesPlaceholder": "Select role(s)",
+  "userEditCreate.password": "Password",
+  "userEditCreate.passwordConfirm": "Confirm Password",
+  "userEditCreate.create.passwordInfo": "This is a temporary password. The user must change it on first login.",
+  "userEditCreate.edit.passwordInfo": "Leave the password fields empty if you don’t want to reset the user’s password.",
+  "userEditCreate.removePicture": "Remove Picture",
+  "userEditCreate.passwordStrong": "Strong",
+  "userEditCreate.passwordMedium": "Medium",
+  "userEditCreate.passwordWeak": "Weak",
+  "userEditCreate.passwordsMatch": "Passwords match",
+  "userEditCreate.passwordsDontMatch": "Passwords don't match",
+  "userEditCreate.profilePictureUrl": "Profile Picture URL",
+  "userEditCreate.showPassword": "Show Password",
+  "userEditCreate.hidePassword": "Hide Password",
+  "userEditCreate.invalidEmail": "Invalid email format",
+  "userEditCreate.invalidImageUrl": "Invalid image URL",
+  "userEditCreate.validation.required": "This field is required",
+  "userEditCreate.validation.passwordMismatch": "Passwords don't match",
+  "userEditCreate.error.userAlreadyExists": "A user with this username already exists.",
+  "userEditCreate.error.emailAlreadyExists": "A user with this email already exists.",
+
+  "userList.edit.user.button": "Edit",
+  "userList.userName": "Name",
+  "userList.groups.count": "Groups",
+  "userList.device.count": "Devices",
+  "userList.vaults.count": "Vaults",
+  "userList.user.created": "Created on",
+  "userList.profileImage": "Profile Image",
+  "userList.create.button": "Create User",
+  "userList.disabled": "Disabled",
+
   "userProfile.title": "Profile",
   "userProfile.actions.manageAccount": "Manage Account",
   "userProfile.actions.changeLanguage": "Change Language",
   "userProfile.actions.changeLanguage.entry.browser": "Browser Language",
   "userProfile.keycloakVersion.notAvailable": "version not available",
 
+  "unlock.noAccessVaultArchived.title": "Vault is archived",
+  "unlock.noAccessVaultArchived.description": "This vault has been archived and is no longer accessible. Please contact the vault owner.",
+
   "unlockSuccess.title": "Vault unlocked successfully",
-  "unlockSuccess.description": "You may now close this browser tab and return to Cryptomator.",
+  "unlockSuccess.description": "You may now close this browser tab and return to Katta.",
   "unlockSuccess.accountSetup.title": "Setup Required",
   "unlockSuccess.accountSetup.description": "Complete setting up your account and retrieve your account key.",
   "unlockSuccess.accountSetup.goToSetup": "Complete Setup",
   "unlockSuccess.deviceSetup.title": "New Device",
-  "unlockSuccess.deviceSetup.description": "Please enter your account key in Cryptomator to authorize it.",
+  "unlockSuccess.deviceSetup.description": "Please enter your account key in Katta to authorize it.",
   "unlockSuccess.deviceSetup.goToProfile": "View Account Key in my Profile",
   "unlockSuccess.noVaultAccess.title": "No access to this Vault",
   "unlockSuccess.noVaultAccess.description": "Please contact the vault owner to add you as a vault member.",
@@ -307,7 +570,9 @@
   "vaultDetails.actions.reactivateVault": "Reactivate Vault",
   "vaultDetails.actions.claimOwnership": "Claim Ownership",
   "vaultDetails.actions.recoverVault": "Recover Vault Access",
-  "vaultDetails.error.licenseViolated": "Your Cryptomator Hub license has expired or you exceeded the number of licensed seats. Please inform a Hub administrator renew or upgrade the license.",
+  "vaultDetails.emergencyAccess.setupCouncil": "Setup Emergency Access Council",
+  "vaultDetails.emergencyAccess.fixCouncil": "Fix Emergency Access Council",
+  "vaultDetails.error.licenseViolated": "Your Katta license has expired or you exceeded the number of licensed seats. Please inform a Katta administrator to renew or upgrade the license.",
   "vaultDetails.recoverVault.title": "You have Reset Your Account!",
   "vaultDetails.recoverVault.description": "To regain access to the vault, you must restore your access using the recovery key or another owner must update the access permissions.",
 
@@ -327,5 +592,68 @@
   "vaultList.filter.result.empty.description": "No results using that search term or filter.",
   "vaultList.search.placeholder": "Search…",
   "vaultList.badge.owner": "Owner",
-  "vaultList.badge.archived": "Archived"
+  "vaultList.badge.archived": "Archived",
+  "userList.filter.result.empty.title": "No users",
+  "userList.filter.result.empty.description": "No results using that search term.",
+  "groupList.empty.title": "No groups",
+  "groupList.empty.description": "You don't own any groups and aren't a member of any.",
+  "groupList.filter.result.empty.title": "No groups",
+  "groupList.filter.result.empty.description": "No results using that search term.",
+
+  "missingEntitlements.title": "Upgrade Required",
+  "missingEntitlements.description": "This feature is not part of your current license.",
+
+  "trial.enterpriseFeature.title": "Enterprise Feature",
+  "trial.enterpriseFeature.description": "This feature is only permanently available with an Enterprise license.",
+
+
+  "CreateVaultS3.enterVaultDetails.storage": "Storage Locations",
+  "CreateVaultS3.enterVaultDetails.region": "Region",
+  "CreateVaultS3.enterVaultDetails.automaticAccessGrant": "Automatically Grant Vault Access",
+  "CreateVaultS3.enterVaultDetails.vaultPermanentAccessKeyId": "Username (S3 AccessKeyId)",
+  "CreateVaultS3.enterVaultDetails.vaultPermanentSecretKey": "Password (S3 SecretKey)",
+  "CreateVaultS3.enterVaultDetails.vaultPermanentBucketName": "S3 Bucket name (existing)",
+  "CreateVaultS3.success.description": "Use the Katta client on your computer to open the vault.",
+  "CreateVaultS3.success.open": "Open vaults in Katta",
+  "CreateVaultS3.error.uploadTemplateFailed": "Upload Vault Template to S3 Bucket failed",
+  "CreateVaultS3.error.invalidStorageProfileConfiguration": "Vault configuration invalid",
+  "CreateVaultS3.error.noStorageProfileAvailable": "No storage profile available. Please contact your Katta Server Admin.",
+  "CreateVaultS3.error.noStorageProfileSelected": "Select a vault storage location.",
+  "CreateVaultS3.error.noRegionSelected": "Select a region.",
+  "CreateVaultS3.error.missingAccessKey": "Enter the username and re-try.",
+  "CreateVaultS3.error.missingSecretKey": "Enter the password and re-try.",
+  "CreateVaultS3.error.missingBucket": "Enter the bucket name and re-try.",
+  "CreateVaultS3.error.bucketNotEmpty": "Bucket not empty, cannot upload template. Empty the bucket manually and re-try.",
+  "CreateVaultS3.error.invalidCORS": "Check your bucket CORS settings.",
+
+  "vaultList.openInKatta": "Open in Katta",
+
+  "nav.profile.storageprofiles": "Admin Storage Locations",
+  "storageProfileList.title": "Storage Locations",
+  "storageProfileList.setup.title": "Katta web setup",
+  "storageProfileList.setup.description": "Katta web setup admin documentation",
+  "storageProfileList.search.placeholder": "Search…",
+  "storageProfileList.empty.title": "No storage locations",
+  "storageProfileList.empty.description": "No storage locations",
+  "storageProfileList.filter.result.empty.title": "No storage locations",
+  "storageProfileList.filter.result.empty.description":  "No results using that search term or filter.",
+  "storageprofile.id": "id",
+  "storageprofile.name": "name",
+  "storageprofile.protocol": "protocol",
+  "storageprofile.bucketPrefix": "bucketPrefix",
+  "storageprofile.stsRoleArnClient": "stsRoleArnClient",
+  "storageprofile.stsRoleArnHub": "stsRoleArnHub",
+  "storageprofile.withPathStyleAccessEnabled": "withPathStyleAccessEnabled",
+  "storageprofile.region": "region",
+  "storageprofile.regions": "regions",
+  "storageprofile.scheme": "scheme",
+  "storageprofile.hostname": "hostname",
+  "storageprofile.port": "port",
+  "storageprofile.oauthClientId": "oauthClientId",
+  "storageprofile.oauthTokenUrl": "oauthTokenUrl",
+  "storageprofile.oauthAuthorizationUrl": "oauthAuthorizationUrl",
+  "storageprofile.stsRoleArn": "stsRoleArn",
+  "storageprofile.stsRoleArn2": "stsRoleArn2",
+  "storageprofile.stsDurationSeconds": "stsDurationSeconds",
+  "storageprofile.oAuthTokenExchangeAudience": "oAuthTokenExchangeAudience"
 }
diff --git a/frontend/src/i18n/es-ES.json b/frontend/src/i18n/es-ES.json
index b8e34b3aa..9e64f2130 100644
--- a/frontend/src/i18n/es-ES.json
+++ b/frontend/src/i18n/es-ES.json
@@ -4,6 +4,7 @@
   "locale.fr-FR": "Francés",
   "locale.it-IT": "Italiano",
   "locale.ko-KR": "Coreano",
+  "locale.lv-LV": "Letón",
   "locale.nl-NL": "Holandés",
   "locale.pt-BR": "Portugués (Brasil)",
   "locale.pt-PT": "Portugués",
@@ -17,37 +18,149 @@
   "common.close": "Cerrar",
   "common.copied": "¡Copiado!",
   "common.copy": "Copiar",
+  "common.create": "Crear",
   "common.download": "Descargar",
+  "common.edit": "Editar",
+  "common.hide": "Ocultar",
+  "common.loading": "Cargando…",
   "common.next": "Siguiente",
+  "common.optional": "opcional",
+  "common.pagination": "Paginación",
   "common.previous": "Anterior",
   "common.refresh": "Recargar",
+  "common.reload": "Por favor, recargue la página.",
   "common.remove": "Eliminar",
   "common.reset": "## Reiniciar contraseña\nrecoveryKey.recover.resetBtn",
   "common.retry": "Reintentar",
+  "common.save": "Guardar",
+  "common.saved": "¡Guardado!",
   "common.share": "Compartir",
   "common.show": "Mostrar",
   "common.undo": "Deshacer",
+  "common.unexpectedError": "Error inesperado: {0}",
   "common.unsavedChanges": "No se guardaron los cambios.",
+  "common.update": "Actualización",
   "common.xMembers": "{0} Miembros",
+  "admin.title": "Admin",
+  "admin.serverInfo.title": "Información del servidor",
+  "admin.serverInfo.description": "El ID de Hub se utiliza para identificar su instancia de Cryptomator Hub para su licencia. Para soporte, indique siempre las versiones de Hub y Keycloak.",
+  "admin.serverInfo.hubId.title": "ID de hub",
+  "admin.serverInfo.hubVersion.title": "Versión de hub",
+  "admin.serverInfo.hubVersion.description.upToDate": "El hub está actualizado.",
+  "admin.serverInfo.hubVersion.description.updateExists": "Es posible actualizar a la versión {0}.",
+  "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "No se puede comprobar si hay actualizaciones. Compruébelo manualmente.",
+  "admin.serverInfo.keycloakVersion.title": "Versión de Keycloak",
+  "admin.serverInfo.keycloakVersion.description": "Administrar Keycloak",
   "admin.serverInfo.keycloakVersion.notAvailable": "no disponible",
+  "admin.licenseInfo.title": "Información de la licencia",
+  "admin.licenseInfo.description": "Verifique la información de su licencia. Si desea realizar cambios o comprobar el estado de su suscripción, pulse \"Administrar suscripción\".",
+  "admin.licenseInfo.email.title": "Licenciado a",
+  "admin.licenseInfo.seats.title": "Número de asientos",
+  "admin.licenseInfo.seats.description.enoughSeats": "Tiene {0} asientos sin usar restantes.",
+  "admin.licenseInfo.seats.description.zeroSeats": "No tiene asientos restantes. Actualice si es necesario.",
+  "admin.licenseInfo.seats.description.undercutSeats": "Ha utilizado {0} asientos más de los que tiene disponible. Elimine usuarios o actualice si es necesario.",
+  "admin.licenseInfo.issuedAt.title": "Emitido el",
+  "admin.licenseInfo.expiresAt.title": "Caduca el",
+  "admin.licenseInfo.expiresAt.description.valid": "Su licencia es válida.",
+  "admin.licenseInfo.expiresAt.description.expired": "Su licencia ha caducado.",
   "admin.licenseInfo.manageSubscription": "Gestionar suscripción",
+  "admin.licenseInfo.type.title": "Tipo",
+  "admin.licenseInfo.getLicense": "Obtener licencia",
+  "admin.webOfTrust.title": "Web of Trust",
+  "admin.webOfTrust.description": "Configure los parámetros de Web of Trust para administrar cómo se establece la confianza entre los usuarios en el sistema. Estos ajustes afectan a la verificación de identidades de usuario y claves de firma.",
   "admin.webOfTrust.information": "Más información.",
+  "admin.webOfTrust.wotMaxDepth.error": "La profundidad máxima de WoT debe estar entre 0 y 9.",
+  "admin.webOfTrust.wotMaxDepth.title": "Profundidad máxima de WoT",
+  "admin.webOfTrust.wotMaxDepth.description": "Distancia máxima entre dos usuarios, por lo que una adquisición indirecta sigue siendo considerada fiable (asumiendo que las identidades intermedias han sido verificadas).",
+  "admin.webOfTrust.wotIdVerifyLen.error": "La precisión de la verificación de la huella dactilar debe ser positiva.",
+  "admin.webOfTrust.wotIdVerifyLen.title": "Precisión de la verificación de huella dactilar",
+  "admin.webOfTrust.wotIdVerifyLen.description": "Cuántos dígitos de la huella digital de otro usuario hay que introducir para verificar su identidad.",
   "admin.webOfTrust.save": "Guardar",
+  "admin.webOfTrust.saved": "¡Guardado!",
+  "admin.emergencyAccess.learnMore": "Más información.",
+  "archiveVaultDialog.title": "Archivar bóveda",
+  "archiveVaultDialog.description": "Archivar una bóveda la inactiva. Esto puede liberar asientos ocupados. Una bóveda archivada puede reactivarse más tarde.",
+  "archiveVaultDialog.confirm": "Archivar",
+  "auditLog.title": "Registro de auditoría",
+  "auditLog.order.ascending": "Ascendente",
+  "auditLog.order.descending": "Descendente",
   "auditLog.filter": "Filtro",
+  "auditLog.filter.startDate": "Fecha de inicio",
+  "auditLog.filter.endDate": "Fecha de fin",
+  "auditLog.filter.selectEventFilter": "Seleccionar filtro de eventos",
+  "auditLog.filter.clerEventFilter": "Limpiar filtro de eventos",
+  "auditLog.timestamp": "Fecha/Hora",
+  "auditLog.type": "Evento",
   "auditLog.details": "Detalles",
+  "auditLog.details.device.register": "Registrar dispositivo",
+  "auditLog.details.device.remove": "Eliminar dispositivo",
+  "auditLog.details.setting.wot.update": "Actualizar ajustes de Wot",
+  "auditLog.details.user.account.reset": "Restablecer cuenta de usuario",
+  "auditLog.details.user.keys.change": "Cambiar claves de usuario",
+  "auditLog.details.user.setupCode.change": "Cambiar clave de cuenta",
   "auditLog.details.vault.create": "Crear bóveda",
+  "auditLog.details.vault.update": "Actualizar bóveda",
+  "auditLog.details.vaultAccess.grant": "Conceder acceso a la bóveda",
+  "auditLog.details.vaultKey.retrieve": "Recuperar clave de bóveda",
+  "auditLog.details.vaultMember.add": "Añadir miembro de la bóveda",
+  "auditLog.details.vaultMember.remove": "Eliminar miembro de bóveda",
+  "auditLog.details.vaultMember.update": "Actualizar miembro de la bóveda",
+  "auditLog.details.vaultOwnership.claim": "Reclamar propiedad de la bóveda",
+  "auditLog.details.wot.signedIdentity": "Identidad firmada",
+  "auditLog.pagination.showing": "Mostrando entradas {0} a {1}",
+  "auditLog.paymentRequired.message": "Necesaria licencia",
+  "auditLog.paymentRequired.description": "Los registros de auditoría sólo están disponibles con una licencia de pago. Puede obtener una en la sección de administración.",
+  "auditLog.paymentRequired.openAdminSection": "Abrir sección de administración",
+  "claimVaultOwnershipDialog.title": "Reclamar propiedad de la bóveda",
+  "claimVaultOwnershipDialog.description": "Escriba la contraseña del administrador de la bóveda para demostrar que tiene permisos para administrarla.",
+  "claimVaultOwnershipDialog.password": "Contraseña del administrador de la bóveda",
+  "claimVaultOwnershipDialog.submit": "Reclamar propiedad",
+  "claimVaultOwnershipDialog.error.formValidationFailed": "La contraseña no puede estar vacía",
   "claimVaultOwnershipDialog.error.wrongPassword": "Contraseña incorrecta",
+  "fetchError.title": "Falló la obtención de datos",
+  "createVault.enterRecoveryKey.title": "Recuperar bóveda",
+  "createVault.enterRecoveryKey.description": "Introduzca la clave de recuperación de su bóveda existente para crear una nueva plantilla de bóveda a partir de ella.",
+  "createVault.enterRecoveryKey.recoveryKey": "Clave de recuperación de su bóveda",
+  "createVault.enterRecoveryKey.submit": "Recuperar bóveda",
   "createVault.enterVaultDetails.title": "Crear bóveda",
+  "createVault.enterVaultDetails.description": "Introduzca un nombre y una descripción para su nueva bóveda. Puede cambiarlos más tarde.",
   "createVault.enterVaultDetails.vaultName": "Nombre de la bóveda",
+  "createVault.enterVaultDetails.vaultDescription": "Descripción",
+  "createVault.showRecoveryKey.title": "Clave de recuperación",
+  "createVault.showRecoveryKey.description": "La siguiente clave de recuperación se puede utilizar para restaurar el acceso a la bóveda.",
+  "createVault.showRecoveryKey.recoveryKey": "Clave de recuperación de su bóveda",
+  "createVault.showRecoveryKey.confirmRecoveryKey": "Entiendo que perderé el acceso a la bóveda en caso de emergencia si no tengo la clave de recuperación.",
   "createVault.showRecoveryKey.submit": "Crear bóveda",
+  "createVault.error.illegalVaultName": "El nombre de la bóveda no debe contener ninguno de los siguientes caracteres:",
+  "createVault.error.formValidationFailed": "Compruebe el formulario y vuelva a intentarlo.",
+  "createVault.error.invalidRecoveryKey": "La clave de recuperación no es válida.",
+  "createVault.error.vaultAlreadyExists": "Ya existe una bóveda con el nombre indicado.",
+  "createVault.error.downloadTemplateFailed": "Error al descargar la plantilla de bóveda: {0}",
+  "createVault.error.paymentRequired": "Su licencia de Cryptomator Hub ha excedido el número de asientos disponibles o ha caducado. Por favor, informe a un administrador de Hub para actualizar o renovar la licencia.",
+  "createVault.success.title": "Bóveda creada",
+  "createVault.success.description": "Después de descargar la carpeta de la bóveda comprimida, desempaquétela en cualquier ubicación compartida con los miembros de su equipo.",
+  "createVault.success.download": "Descargar carpeta de bóveda comprimida",
+  "createVault.success.return": "Volver a la lista de bóvedas",
+  "disableUserDialog.title": "Desactivar usuario",
+  "disableUserDialog.description": "Este usuario ya no podrá iniciar sesión y será excluido del recuento de asientos. Puede volver a activar el usuario en cualquier momento.",
+  "disableUserDialog.confirm": "Desactivar usuario",
+  "deviceList.empty.message": "Sin dispositivos",
   "deviceList.deviceName": "Nombre del dispositivo",
+  "deviceList.type": "Tipo",
   "deviceList.ipAddress": "Dirección IP",
   "deviceList.lastAccess": "Último acceso a la Bóveda",
   "deviceList.lastAccess.toolTip": "Puede faltar para dispositivos accedidos con versiones anteriores.",
   "editVaultMetadataDialog.vaultName": "Nombre de la bóveda",
+  "editVaultMetadataDialog.vaultDescription": "Descripción",
+  "editVaultMetadataDialog.error.vaultAlreadyExists": "Ya existe una bóveda con el nombre indicado.",
+  "group.detail.vaults": "Bóvedas",
+  "group.detail.name": "Nombre",
+  "groupList.name": "Nombre",
+  "groupList.edit.group.button": "Editar",
+  "groupList.vaults.count": "Bóvedas",
   "initialSetup.accountKey": "Account Key",
   "legacyDeviceList.title": "Dispositivos antiguos",
-  "legacyDeviceList.description": "Estos dispositivos fueron creados con una versión anterior de Hub y necesitan ser actualizados para desbloquear las bóvedas en versiones futuras. Si ya no las necesita, por favor remuévelas. De lo contrario, actualice el Cryptomator en ese dispositivo. Su próximo desbloqueo activará la actualización automáticamente.",
+  "legacyDeviceList.description": "Estos dispositivos fueron creados con una versión anterior de Katta y necesitan ser actualizados para desbloquear las bóvedas en versiones futuras. Si ya no las necesita, por favor remuévelas. De lo contrario, actualice el Katta en ese dispositivo. Su próximo desbloqueo activará la actualización automáticamente.",
   "legacyDeviceList.description.information": "Más información.",
   "legacyDeviceList.deviceName": "Nombre del dispositivo",
   "legacyDeviceList.type": "Tipo",
@@ -56,17 +169,45 @@
   "legacyDeviceList.ipAddress": "Dirección IP",
   "legacyDeviceList.lastAccess": "Último acceso a la Bóveda",
   "legacyDeviceList.lastAccess.toolTip": "Puede faltar para dispositivos accedidos con versiones anteriores.",
+  "legacyDeviceBanner.title": "Los dispositivos antiguos serán descartados",
+  "legacyDeviceBanner.user.description": "Sus dispositivos heredados ya no serán soportados en la próxima versión principal. Por favor, actualice Cryptomator en esos dispositivos o elimínalos.",
+  "legacyDeviceBanner.admin.description": "Uno o más usuarios todavía tienen dispositivos antiguos. El soporte de dispositivos antiguos se eliminará en la próxima versión principal. Pídele a los usuarios afectados que actualicen Cryptomator o que elimine sus dispositivos antiguos.",
   "manageAccountKey.title": "Account Key",
   "nav.vaults": "Bóvedas",
+  "nav.profile.admin": "Admin",
+  "nav.profile.auditlog": "Registro de auditoría",
+  "recoveryKeyDialog.title": "Clave de recuperación",
+  "recoveryKeyDialog.recoveryKey": "Clave de recuperación de su bóveda",
   "recoverVaultDialog.description": "Escribe la Clave de Recuperación de esta bóveda para recuperar el acceso.",
+  "recoverVaultDialog.submit": "Recuperar bóveda",
   "recoverVaultDialog.error.formValidationFailed": "La Clave de Recuperación no debe estar vacía",
   "recoverVaultDialog.error.invalidRecoveryKey": "Clave de Recuperación no válida",
   "regenerateAccountKeyDialog.saveAccountKey.accountKey": "Account Key",
+  "resetUserAccountDialog.title": "Restablecer cuenta de usuario",
+  "user.detail.disable": "Desactivar",
+  "user.detail.disabled": "Desactivado",
+  "user.detail.edit": "Editar",
+  "user.detail.enable": "Activar",
+  "user.detail.name": "Nombre",
+  "user.detail.username": "Nombre de usuario",
+  "userEditCreate.button.save": "Guardar",
+  "userEditCreate.button.saved": "¡Guardado!",
+  "userEditCreate.username": "Nombre de usuario",
+  "userEditCreate.password": "Contraseña",
+  "userEditCreate.passwordStrong": "Fuerte",
+  "userEditCreate.passwordWeak": "Débil",
+  "userList.edit.user.button": "Editar",
+  "userList.userName": "Nombre",
+  "userList.vaults.count": "Bóvedas",
+  "userList.disabled": "Desactivado",
   "userProfile.actions.changeLanguage.entry.browser": "Idioma del navegador",
   "userProfile.keycloakVersion.notAvailable": "versión no disponible",
   "unlockSuccess.deviceSetup.title": "Nuevo dispositivo",
+  "vaultDetails.description.header": "Descripción",
   "vaultDetails.actions.updatePermissions.reload": "Recargar",
   "vaultDetails.actions.displayRecoveryKey": "Mostrar clave de recuperación",
+  "vaultDetails.actions.archiveVault": "Archivar bóveda",
+  "vaultDetails.actions.claimOwnership": "Reclamar propiedad",
   "vaultList.title": "Bóvedas",
   "vaultList.addVault": "Añadir",
   "vaultList.filter": "Filtro"
diff --git a/frontend/src/i18n/fa-IR.json b/frontend/src/i18n/fa-IR.json
index dea4bbded..cb89fb680 100644
--- a/frontend/src/i18n/fa-IR.json
+++ b/frontend/src/i18n/fa-IR.json
@@ -5,11 +5,15 @@
   "common.close": "ببند",
   "common.copied": "کپی شد!",
   "common.copy": "کپی",
+  "common.create": "ایجاد",
+  "common.download": "بارگیری",
+  "common.edit": "ویرایش",
   "common.next": "بعدی",
   "common.previous": "قبلی",
   "common.refresh": "نوسازی",
   "common.remove": "حذف",
   "common.retry": "تلاش مجدد",
+  "common.save": "ذخیره",
   "common.share": "اشتراک‌گذاری",
   "common.show": "نشان",
   "admin.webOfTrust.save": "ذخیره",
@@ -20,7 +24,13 @@
   "createVault.showRecoveryKey.submit": "ایجاد گاوصندوق",
   "deviceList.ipAddress": "آدرس IP",
   "editVaultMetadataDialog.vaultName": "نام گاوصندوق",
+  "groupList.edit.group.button": "ویرایش",
   "legacyDeviceList.ipAddress": "آدرس IP",
+  "user.detail.edit": "ویرایش",
+  "user.detail.username": "نام کاربری",
+  "userEditCreate.button.save": "ذخیره",
+  "userEditCreate.username": "نام کاربری",
+  "userList.edit.user.button": "ویرایش",
   "unlockSuccess.deviceSetup.title": "دستگاه جدید",
   "vaultList.addVault": "اضافه کردن"
 }
diff --git a/frontend/src/i18n/fi-FI.json b/frontend/src/i18n/fi-FI.json
index 4838af350..be69522ff 100644
--- a/frontend/src/i18n/fi-FI.json
+++ b/frontend/src/i18n/fi-FI.json
@@ -1,16 +1,24 @@
 {
+  "common.add": "Lisää",
   "common.apply": "Käytä",
   "common.cancel": "Peruuta",
   "common.close": "Sulje",
   "common.copied": "Kopioitu!",
   "common.copy": "Kopioi",
   "common.download": "Lataa",
+  "common.edit": "Muokkaa",
   "common.next": "Seuraava",
+  "common.previous": "Edellinen",
+  "common.refresh": "Päivitä",
   "common.remove": "Poista",
   "common.reset": "Palauta",
+  "common.retry": "Yritä uudelleen",
+  "common.save": "Tallenna",
   "common.share": "Jaa",
   "common.show": "Näytä",
   "admin.webOfTrust.information": "Lue Lisää.",
+  "admin.webOfTrust.save": "Tallenna",
+  "admin.emergencyAccess.learnMore": "Lue Lisää.",
   "auditLog.filter": "Suodata",
   "auditLog.details.vault.create": "Luo Uusi Vault",
   "claimVaultOwnershipDialog.error.wrongPassword": "Väärä salasana",
@@ -19,10 +27,20 @@
   "createVault.showRecoveryKey.submit": "Luo Uusi Vault",
   "deviceList.deviceName": "Laitteen Nimi",
   "editVaultMetadataDialog.vaultName": "Holvin nimi",
+  "groupList.edit.group.button": "Muokkaa",
   "legacyDeviceList.description.information": "Lue Lisää.",
   "legacyDeviceList.deviceName": "Laitteen Nimi",
+  "user.detail.edit": "Muokkaa",
+  "user.detail.username": "Käyttäjätunnus",
+  "userEditCreate.button.save": "Tallenna",
+  "userEditCreate.username": "Käyttäjätunnus",
+  "userEditCreate.password": "Salasana",
+  "userEditCreate.passwordStrong": "Vahva",
+  "userEditCreate.passwordWeak": "Heikko",
+  "userList.edit.user.button": "Muokkaa",
   "unlockSuccess.deviceSetup.title": "Uusi laite",
   "vaultDetails.actions.updatePermissions.reload": "Päivitä",
   "vaultDetails.actions.displayRecoveryKey": "Näytä palautusavain",
+  "vaultList.addVault": "Lisää",
   "vaultList.filter": "Suodata"
 }
diff --git a/frontend/src/i18n/fil-PH.json b/frontend/src/i18n/fil-PH.json
index 99412dfef..98e765969 100644
--- a/frontend/src/i18n/fil-PH.json
+++ b/frontend/src/i18n/fil-PH.json
@@ -5,18 +5,22 @@
   "common.close": "Isara",
   "common.copied": "Nakopya na!",
   "common.copy": "Kopyahin",
+  "common.create": "Gumawa",
   "common.download": "I-download",
+  "common.edit": "I-edit",
   "common.next": "Sunod",
   "common.previous": "Nakaraan",
   "common.refresh": "I-refresh",
   "common.remove": "Tanggalin",
   "common.reset": "I-reset",
   "common.retry": "Subukan muli",
+  "common.save": "I-save",
   "common.share": "Ibahagi",
   "common.show": "Ipakita",
   "admin.licenseInfo.manageSubscription": "Pamahalaan ang Subscription",
   "admin.webOfTrust.information": "Matuto pa.",
   "admin.webOfTrust.save": "I-save",
+  "admin.emergencyAccess.learnMore": "Matuto pa.",
   "auditLog.filter": "Filter",
   "auditLog.details": "Mga detalye",
   "auditLog.details.vault.create": "Gumawa ng bagong Vault",
@@ -26,9 +30,23 @@
   "createVault.showRecoveryKey.submit": "Gumawa ng bagong Vault",
   "deviceList.deviceName": "Pangalan ng device",
   "editVaultMetadataDialog.vaultName": "Pangalan ng Vault",
+  "group.detail.vaults": "Mga Vault",
+  "groupList.edit.group.button": "I-edit",
+  "groupList.vaults.count": "Mga Vault",
   "legacyDeviceList.description.information": "Matuto pa.",
   "legacyDeviceList.deviceName": "Pangalan ng device",
   "nav.vaults": "Mga Vault",
+  "user.detail.disable": "Huwag paganahin",
+  "user.detail.edit": "I-edit",
+  "user.detail.enable": "I-enable",
+  "user.detail.username": "Username",
+  "userEditCreate.button.save": "I-save",
+  "userEditCreate.username": "Username",
+  "userEditCreate.password": "Password",
+  "userEditCreate.passwordStrong": "Malakas",
+  "userEditCreate.passwordWeak": "Mahina",
+  "userList.edit.user.button": "I-edit",
+  "userList.vaults.count": "Mga Vault",
   "unlockSuccess.deviceSetup.title": "Bagong Device",
   "vaultDetails.actions.updatePermissions.reload": "Reload",
   "vaultDetails.actions.displayRecoveryKey": "Ipakita ang Recovery Key",
diff --git a/frontend/src/i18n/fr-FR.json b/frontend/src/i18n/fr-FR.json
index 956c3b7c3..35dce2da1 100644
--- a/frontend/src/i18n/fr-FR.json
+++ b/frontend/src/i18n/fr-FR.json
@@ -18,10 +18,16 @@
   "common.close": "Fermer",
   "common.copied": "Copié !",
   "common.copy": "Copier",
+  "common.create": "Créer",
+  "common.device": "Appareil",
   "common.download": "Télécharger",
+  "common.edit": "Éditer",
   "common.hide": "Masquer",
+  "common.leave": "Quitter",
   "common.loading": "Chargement…",
   "common.next": "Suivant",
+  "common.none": "Aucun",
+  "common.nothingFound": "Aucun résultat",
   "common.optional": "facultatif",
   "common.pagination": "Pagination",
   "common.previous": "Précédent",
@@ -30,6 +36,10 @@
   "common.remove": "Retirer",
   "common.reset": "Réinitialiser",
   "common.retry": "Réessayer",
+  "common.save": "Enregistrer",
+  "common.saved": "Enregistré !",
+  "common.search.placeholder": "Rechercher…",
+  "common.select.placeholder": "Sélectionner…",
   "common.share": "Partager",
   "common.show": "Montrer",
   "common.undo": "Annuler",
@@ -37,12 +47,17 @@
   "common.unsavedChanges": "Modifications non sauvegardées.",
   "common.update": "Mettre à jour",
   "common.xMembers": "{0} Membres",
+  "common.actions": "Actions",
+  "common.group": "Groupe",
+  "common.member": "Membre",
+  "common.property": "Propriété",
+  "common.value": "Valeur",
   "admin.title": "Administrateur",
   "admin.serverInfo.title": "Informations sur le serveur",
-  "admin.serverInfo.description": "Le Hub ID est utilisé pour identifier votre instance Cryptomator Hub pour votre licence. Pour toute assistance, indiquez toujours la version du Hub et de Keycloak affichée.",
-  "admin.serverInfo.hubId.title": "Hub ID",
-  "admin.serverInfo.hubVersion.title": "Version Hub",
-  "admin.serverInfo.hubVersion.description.upToDate": "Hub est à jour.",
+  "admin.serverInfo.description": "Le Katta ID est utilisé pour identifier votre instance Katta pour votre licence. Pour toute assistance, indiquez toujours la version de Katta et de Keycloak affichée.",
+  "admin.serverInfo.hubId.title": "Katta ID",
+  "admin.serverInfo.hubVersion.title": "Version Katta",
+  "admin.serverInfo.hubVersion.description.upToDate": "Katta est à jour.",
   "admin.serverInfo.hubVersion.description.updateExists": "Mise à jour vers la version {0} disponible.",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "Impossible de vérifier les mises à jour. Veuillez vérifier manuellement.",
   "admin.serverInfo.keycloakVersion.title": "Version de Keycloak",
@@ -62,8 +77,8 @@
   "admin.licenseInfo.manageSubscription": "Gérer l'abonnement",
   "admin.licenseInfo.type.title": "Type",
   "admin.licenseInfo.getLicense": "Obtenir une licence",
-  "admin.licenseInfo.selfHostedNoLicense.description": "Merci d'utiliser Cryptomator Hub ! Vous avez obtenu une Licence Communautaire. Si vous avez besoin de plus de places, mettez à niveau votre licence.",
-  "admin.licenseInfo.managedNoLicense.description": "Merci d'utiliser Cryptomator Hub ! Vous n'avez actuellement aucune licence active.",
+  "admin.licenseInfo.selfHostedNoLicense.description": "Merci d'utiliser Katta ! Vous avez obtenu une Licence Communautaire. Si vous avez besoin de plus de places, mettez à niveau votre licence.",
+  "admin.licenseInfo.managedNoLicense.description": "Merci d'utiliser Katta ! Vous n'avez actuellement aucune licence active.",
   "admin.webOfTrust.title": "Réseau de Confiance",
   "admin.webOfTrust.description": "Configurez les paramètres du Réseau de Confiance pour gérer comment la confiance est établie entre les utilisateurs du système. Ces paramètres affectent la vérification des identités des utilisateurs et des signatures clés.",
   "admin.webOfTrust.information": "En savoir plus.",
@@ -75,6 +90,9 @@
   "admin.webOfTrust.wotIdVerifyLen.description": "Combien de chiffres de l'empreinte digitale d'un autre utilisateur doivent être entrés pour vérifier son identité.",
   "admin.webOfTrust.save": "Enregistrer",
   "admin.webOfTrust.saved": "Enregistré !",
+  "admin.emergencyAccess.title": "Accès d'urgence",
+  "admin.emergencyAccess.learnMore": "En savoir plus.",
+  "admin.emergencyAccess.allowChoosing.atLeast": "Au moins :",
   "archiveVaultDialog.title": "Archiver le coffre",
   "archiveVaultDialog.description": "Archiver un coffre le rend inactif. Cela peut libérer des places occupées. Un coffre archivé peut être réactivé plus tard.",
   "archiveVaultDialog.confirm": "Archiver",
@@ -133,13 +151,21 @@
   "createVault.error.invalidRecoveryKey": "La clé de récupération est invalide.",
   "createVault.error.vaultAlreadyExists": "Un coffre avec ce nom existe déjà.",
   "createVault.error.downloadTemplateFailed": "Le téléchargement du modèle de coffre a échoué : {0}",
-  "createVault.error.paymentRequired": "Votre licence Cryptomator Hub a dépassé le nombre de places disponibles ou a expiré. Veuillez demander à un administrateur du Hub la mise à niveau ou le renouvellement de la licence.",
+  "createVault.error.paymentRequired": "Votre licence Katta a dépassé le nombre de places disponibles ou a expiré. Veuillez demander à un administrateur de Katta la mise à niveau ou le renouvellement de la licence.",
   "createVault.success.title": "Le coffre a été créé",
   "createVault.success.description": "Après avoir téléchargé le dossier du coffre zippé, décompressez-le à n'importe quel endroit partagé avec les membres de votre équipe.",
   "createVault.success.download": "Télécharger le dossier du coffre zippé",
   "createVault.success.return": "Retour à la liste des coffres",
+  "deleteGroupDialog.title": "Supprimer le groupe",
+  "deleteGroupDialog.description": "Êtes-vous sûr de vouloir supprimer définitivement ce groupe ? Il sera retiré de tous les coffres associés. Cette action ne peut pas être annulée.",
+  "deleteGroupDialog.confirm": "Oui, supprimer le groupe",
+  "disableUserDialog.title": "Désactiver l’utilisateur",
+  "disableUserDialog.description": "Cet utilisateur ne pourra plus se connecter et sera exclu du nombre de sièges. Vous pouvez réactiver l'utilisateur à tout moment.",
+  "disableUserDialog.confirm": "Désactiver l’utilisateur",
+  "deleteUserDialog.description": "Êtes-vous sûr de vouloir supprimer définitivement cet utilisateur ? Tous les coffres et appareils associés seront supprimés. Cette action est irréversible.",
+  "deleteUserDialog.confirm": "Oui, supprimer l'utilisateur",
   "deviceList.empty.message": "Aucun appareil",
-  "deviceList.empty.description": "Pour ajouter un appareil, ajoutez un coffre de ce Hub à l'application Cryptomator de l'appareil et déverrouillez-le.",
+  "deviceList.empty.description": "Pour ajouter un appareil, ajoutez un coffre de Katta à l'application Katta de l'appareil et déverrouillez-le.",
   "deviceList.title": "Appareils et navigateurs autorisés",
   "deviceList.deviceName": "Nom de l'appareil",
   "deviceList.type": "Type",
@@ -148,8 +174,23 @@
   "deviceList.ipAddress": "Adresse IP",
   "deviceList.lastAccess": "Dernier accès au coffre",
   "deviceList.lastAccess.toolTip": "Peut être manquant pour les appareils avec de vieilles versions.",
+  "deviceType.browser": "Navigateur",
+  "deviceType.desktop": "Ordinateur",
+  "deviceType.mobile": "Mobile",
   "downloadVaultTemplateDialog.title": "Télécharger le modèle de coffre",
   "downloadVaultTemplateDialog.description": "Téléchargez et décompressez le modèle de coffre zippé à n'importe quel endroit partagé avec les membres de votre équipe. Ceci n'est requis qu'une seule fois lors de la configuration initiale.",
+  "emergencyAccess.status.added": "Ajouté",
+  "emergencyAccess.status.pending": "En attente",
+  "emergencyAccess.label.owners": "Propriétaires",
+  "emergencyAccess.label.members": "Membres",
+  "emergencyAccess.approval.showDetails": "Afficher les détails",
+  "emergencyAccess.approval.approveNow": "",
+  "emergencyAccess.filter.all": "Tous",
+  "emergencyAccess.badge.noRedundancy.title": "Pas de redondance",
+  "emergencyAccessDialog.section.ownership": "Propriété",
+  "processAbortDialog.title": "Abandonner ce processus",
+  "processAbortDialog.description": "Êtes-vous sûr de vouloir annuler ce processus d'accès d'urgence ? Cette action ne peut pas être annulée.",
+  "recoveryDialog.error.notEnoughCouncilMembers": "Pas assez de membres du conseil sélectionnés.",
   "editVaultMetadataDialog.title": "Modifier les métadonnées du coffre",
   "editVaultMetadataDialog.description": "Mettre à jour le nom et la description du coffre.",
   "editVaultMetadataDialog.vaultName": "Nom du coffre",
@@ -159,6 +200,16 @@
   "grantPermissionDialog.title": "Donner la permission",
   "grantPermissionDialog.description": "Partagez les clés du coffre avec les nouveaux utilisateurs.",
   "grantPermissionDialog.submit": "Donner l'autorisation à {0} utilisateur(s)",
+  "group.detail.vaults": "Coffres",
+  "group.detail.name": "Nom",
+  "groupList.name": "Nom",
+  "groupList.edit.group.button": "Éditer",
+  "groupList.search.placeholder": "Rechercher…",
+  "groupList.vaults.count": "Coffres",
+  "group.members.search.empty": "Aucun résultat",
+  "group.member.remove.description": "Voulez-vous vraiment retirer cet utilisateur du groupe ?",
+  "groupEditCreate.invalidImageUrl": "URL d'image invalide",
+  "groupEditCreate.profilePictureUrl": "URL de la photo de profil",
   "trustDetails.trustLevel": "Niveau de confiance {0}",
   "trustDetails.trustLevel.untrusted": "Non vérifié",
   "trustDetails.showSignDialogBtn": "Vérification de l'identité...",
@@ -166,7 +217,7 @@
   "signUserKeysDialog.title": "Vérifier l'identité de {0}",
   "signUserKeysDialog.description": "Entrez les {0} premiers caractères de l'empreinte digitale de {1} afin de confirmer l'authenticité de leurs clés publiques. L'empreinte digitale se trouve dans le profil de l'utilisateur.",
   "signUserKeysDialog.submit": "Confirmer l'identité de cet utilisateur",
-  "initialSetup.createUserKey.title": "Bienvenue sur Cryptomator Hub",
+  "initialSetup.createUserKey.title": "Bienvenue sur Katta",
   "initialSetup.createUserKey.description": "Lors de la première connexion, chaque utilisateur obtient une Clé de Compte unique :",
   "initialSetup.createUserKey.details.accountKey": "Votre Clé de Compte est requise pour vous connecter à partir d'autres applications ou navigateurs",
   "initialSetup.createUserKey.details.devicesList": "Vous pouvez voir une liste des applications autorisées sur votre page de profil",
@@ -182,19 +233,19 @@
   "initialSetup.recoverUserKey.lostAccountKey": "Vous avez perdu votre Clé de Compte ? {0}",
   "initialSetup.recoverUserKey.lostAccountKey.resetUserAccount": "Réinitialiser mon compte",
   "initialSetup.setupAlreadyCompleted.title": "Configuration déjà terminée",
-  "initialSetup.setupAlreadyCompleted.description": "Vous avez déjà terminé la configuration initiale de Cryptomator Hub. Vous pouvez retrouver votre Clé de Compte dans votre profil.",
+  "initialSetup.setupAlreadyCompleted.description": "Vous avez déjà terminé la configuration initiale de Katta. Vous pouvez retrouver votre Clé de Compte dans votre profil.",
   "initialSetup.setupAlreadyCompleted.goToYourProfile": "Accéder à Votre Profil",
   "initialSetup.accountKey": "Clé de compte",
   "initialSetup.submit": "Terminer la configuration",
   "licenseAlert.noRemainingSeats.title": "Limite de licence atteinte",
-  "licenseAlert.noRemainingSeats.admin.description": "Votre instance Cryptomator Hub a dépassé le nombre de places accordé par sa licence. Mettez-la à niveau via {0} afin de gérer et déverrouiller à nouveau vos coffres.",
-  "licenseAlert.noRemainingSeats.user.description": "Votre instance Cryptomator Hub a dépassé le nombre de places accordé par sa licence. Veuillez demander à un administrateur du Hub la mise à niveau de la licence.",
+  "licenseAlert.noRemainingSeats.admin.description": "Votre instance Katta a dépassé le nombre de places accordé par sa licence. Mettez-la à niveau via {0} afin de gérer et déverrouiller à nouveau vos coffres.",
+  "licenseAlert.noRemainingSeats.user.description": "Votre instance Katta a dépassé le nombre de places accordé par sa licence. Veuillez demander à un administrateur de Katta la mise à niveau de la licence.",
   "licenseAlert.licenseExpired.title": "Licence expirée",
-  "licenseAlert.licenseExpired.admin.description": "Votre licence Cryptomator Hub a expiré. Renouvelez-la via {0} afin de gérer et déverrouiller à nouveau vos coffres.",
-  "licenseAlert.licenseExpired.user.description": "Votre licence Cryptomator Hub a expiré. Veuillez demander son renouvellement à un administrateur du Hub.",
+  "licenseAlert.licenseExpired.admin.description": "Votre licence Katta a expiré. Renouvelez-la via {0} afin de gérer et déverrouiller à nouveau vos coffres.",
+  "licenseAlert.licenseExpired.user.description": "Votre licence Katta a expiré. Veuillez demander son renouvellement à un administrateur de Katta.",
   "licenseAlert.button": "Section Administration",
   "legacyDeviceList.title": "Anciens Appareils",
-  "legacyDeviceList.description": "Ces appareils ont été crées avec une ancienne version de Hub et doivent être mis à jour pour déverrouiller les coffres dans les futures versions.\nSi vous n'en avez plus besoin, veuillez les supprimer. Sinon, merci de mettre à jour Cryptomator sur cet appareil. Votre prochain déverrouillage déclenchera la mise à jour automatiquement.",
+  "legacyDeviceList.description": "Ces appareils ont été crées avec une ancienne version de Katta et doivent être mis à jour pour déverrouiller les coffres dans les futures versions.\nSi vous n'en avez plus besoin, veuillez les supprimer. Sinon, merci de mettre à jour Katta sur cet appareil. Votre prochain déverrouillage déclenchera la mise à jour automatiquement.",
   "legacyDeviceList.description.information": "En savoir plus.",
   "legacyDeviceList.deviceName": "Nom de l'appareil",
   "legacyDeviceList.type": "Type",
@@ -203,10 +254,14 @@
   "legacyDeviceList.ipAddress": "Adresse IP",
   "legacyDeviceList.lastAccess": "Dernier accès au coffre",
   "legacyDeviceList.lastAccess.toolTip": "Peut être manquant pour les appareils avec de vieilles versions.",
+  "legacyDeviceBanner.title": "Les anciens appareils seront abandonnés",
+  "legacyDeviceBanner.user.description": "Vos anciens appareils ne seront plus pris en charge dans la prochaine version majeure. Veuillez mettre à jour Cryptomator sur ces appareils ou les supprimer.",
+  "legacyDeviceBanner.admin.description": "Un ou plusieurs utilisateurs ont encore des anciens appareils. La prise en charge des anciens appareils sera abandonnée dans la prochaine version majeure. Veuillez demander aux utilisateurs concernés de mettre à jour Cryptomator ou de supprimer leurs anciens appareils.",
   "manageAccountKey.title": "Clé de compte",
   "manageAccountKey.description": "Votre Clé de Compte est requise pour vous connecter à partir d'autres applications ou navigateurs.",
   "manageAccountKey.regenerate": "Re-générer la Clé",
   "nav.vaults": "Coffres",
+  "nav.emergencyAccess": "Accès d'Urgence",
   "nav.profile.signedInAs": "Connecté(e) en tant que",
   "nav.profile.profile": "Votre Profil",
   "nav.profile.admin": "Administrateur",
@@ -235,18 +290,76 @@
   "resetUserAccountDialog.submit": "Réinitialiser le compte",
   "userkeyFingerprint.title": "Empreinte digitale de la clé utilisateur",
   "userkeyFingerprint.description": "Votre empreinte digitale de clé d'utilisateur peut être utilisée pour vérifier votre identité lors de la mise à jour des autorisations du coffre.",
+  "users.title": "Utilisateurs",
+  "user.detail.createdOn": "Créé le",
+  "user.detail.disable": "Désactiver",
+  "user.detail.disabled": "Désactivé",
+  "user.detail.devices": "Appareils",
+  "user.detail.edit": "Éditer",
+  "user.detail.enable": "Activer",
+  "user.detail.groups": "Groupes",
+  "user.detail.groups.join": "Rejoindre",
+  "user.detail.info": "Détails de l'utilisateur",
+  "user.detail.legacyDeviceList.info": "Ces appareils ont été créés avec une version antérieure de Hub et doivent être mis à jour pour pouvoir déverrouiller les coffres dans les versions futures.",
+  "user.detail.name": "Nom",
+  "user.detail.roles": "Rôles",
+  "user.detail.username": "Nom d'utilisateur",
+  "user.addGroups.title": "Ajouter des groupes",
+  "user.addGroups.searchLabel": "Rechercher par nom de groupe",
+  "user.addGroups.selectedGroups": "Groupe(s) sélectionné(s)",
+  "userEditCreate.title.create": "Créer un nouvel utilisateur",
+  "userEditCreate.title.edit": "Modifier l'utilisateur",
+  "userEditCreate.button.create": "Créer un utilisateur",
+  "userEditCreate.button.save": "Enregistrer",
+  "userEditCreate.button.saved": "Enregistré !",
+  "userEditCreate.firstName": "Prénom",
+  "userEditCreate.lastName": "Nom de famille",
+  "userEditCreate.username": "Nom d'utilisateur",
+  "userEditCreate.email": "Courriel",
+  "userEditCreate.roles": "Rôles",
+  "userEditCreate.selectRolesPlaceholder": "Sélectionner le(s) rôle(s)",
+  "userEditCreate.password": "Mot de passe",
+  "userEditCreate.passwordConfirm": "Confirmation du mot de passe",
+  "userEditCreate.create.passwordInfo": "Ceci est un mot de passe temporaire. L'utilisateur devra le modifier lors de sa première connexion.",
+  "userEditCreate.edit.passwordInfo": "Laissez les champs de mot de passe vides si vous ne souhaitez pas réinitialiser le mot de passe de l'utilisateur.",
+  "userEditCreate.removePicture": "Supprimer l'image",
+  "userEditCreate.passwordStrong": "Fort",
+  "userEditCreate.passwordMedium": "Moyen",
+  "userEditCreate.passwordWeak": "Faible",
+  "userEditCreate.passwordsMatch": "Les mots de passe correspondent",
+  "userEditCreate.passwordsDontMatch": "Les mots de passe ne correspondent pas",
+  "userEditCreate.profilePictureUrl": "URL de la photo de profil",
+  "userEditCreate.showPassword": "Afficher le mot de passe",
+  "userEditCreate.hidePassword": "Masquer le mot de passe",
+  "userEditCreate.invalidEmail": "Format de courriel non valide",
+  "userEditCreate.invalidImageUrl": "URL d'image invalide",
+  "userEditCreate.validation.required": "Ce champ est obligatoire",
+  "userEditCreate.validation.passwordMismatch": "Les mots de passe ne correspondent pas",
+  "userEditCreate.error.userAlreadyExists": "Un utilisateur avec ce nom d'utilisateur existe déjà.",
+  "userEditCreate.error.emailAlreadyExists": "Un utilisateur existe déjà avec ce courriel.",
+  "userList.edit.user.button": "Éditer",
+  "userList.userName": "Nom",
+  "userList.groups.count": "Groupes",
+  "userList.device.count": "Appareils",
+  "userList.vaults.count": "Coffres",
+  "userList.user.created": "Créé le",
+  "userList.profileImage": "Image de profil",
+  "userList.create.button": "Créer un utilisateur",
+  "userList.disabled": "Désactivé",
   "userProfile.title": "Profil",
   "userProfile.actions.manageAccount": "Gérer le compte",
   "userProfile.actions.changeLanguage": "Changer la Langue",
   "userProfile.actions.changeLanguage.entry.browser": "Langue du navigateur",
   "userProfile.keycloakVersion.notAvailable": "version indisponible",
+  "unlock.noAccessVaultArchived.title": "Le coffre est archivé",
+  "unlock.noAccessVaultArchived.description": "Ce coffre a été archivé et n'est plus accessible. Veuillez contacter le propriétaire du coffre.",
   "unlockSuccess.title": "Coffre déverrouillé avec succès",
-  "unlockSuccess.description": "Vous pouvez maintenant fermer cet onglet du navigateur et retourner à Cryptomator.",
+  "unlockSuccess.description": "Vous pouvez maintenant fermer cet onglet du navigateur et retourner à Katta.",
   "unlockSuccess.accountSetup.title": "Configuration requise",
   "unlockSuccess.accountSetup.description": "Veuillez terminer la configuration de votre compte et récupérer votre Clé de Compte.",
   "unlockSuccess.accountSetup.goToSetup": "Terminer la configuration",
   "unlockSuccess.deviceSetup.title": "Nouvel Appareil",
-  "unlockSuccess.deviceSetup.description": "Veuillez entrer votre Clé de Compte dans Cryptomator pour l'autoriser.",
+  "unlockSuccess.deviceSetup.description": "Veuillez entrer votre Clé de Compte dans Katta pour l'autoriser.",
   "unlockSuccess.deviceSetup.goToProfile": "Voir la Clé de Compte dans mon profil",
   "unlockSuccess.noVaultAccess.title": "Aucun accès à ce coffre",
   "unlockSuccess.noVaultAccess.description": "Veuillez contacter le propriétaire du coffre pour vous ajouter en tant que membre du coffre.",
@@ -269,7 +382,9 @@
   "vaultDetails.actions.reactivateVault": "Réactiver le coffre",
   "vaultDetails.actions.claimOwnership": "Revendiquer la propriété",
   "vaultDetails.actions.recoverVault": "Récupérer l'accès au coffre",
-  "vaultDetails.error.licenseViolated": "Votre licence Cryptomator Hub a expiré ou vous avez dépassé le nombre de sièges sous licence. Veuillez en informer un administrateur Hub pour renouveler ou mettre à niveau la licence.",
+  "vaultDetails.emergencyAccess.setupCouncil": "Configurer le Conseil d'accès d'urgence",
+  "vaultDetails.emergencyAccess.fixCouncil": "Réparer le Conseil d'accès d'urgence",
+  "vaultDetails.error.licenseViolated": "Votre licence Katta a expiré ou vous avez dépassé le nombre de sièges sous licence. Veuillez en informer un administrateur Katta pour renouveler ou mettre à niveau la licence.",
   "vaultDetails.recoverVault.title": "Vous avez réinitialisé votre compte !",
   "vaultDetails.recoverVault.description": "Pour regagner l'accès au coffre, vous devez restaurer votre accès en utilisant la clé de récupération, ou un autre propriétaire doit mettre à jour les autorisations d'accès.",
   "vaultList.title": "Coffres",
@@ -288,5 +403,15 @@
   "vaultList.filter.result.empty.description": "Aucun résultat correspondant à ce terme ou ce filtre de recherche.",
   "vaultList.search.placeholder": "Rechercher…",
   "vaultList.badge.owner": "Propriétaire",
-  "vaultList.badge.archived": "Archivé"
+  "vaultList.badge.archived": "Archivé",
+  "userList.filter.result.empty.title": "Aucun utilisateur",
+  "userList.filter.result.empty.description": "Aucun résultat correspondant à ce terme de recherche.",
+  "groupList.empty.title": "Aucun groupe",
+  "groupList.empty.description": "Vous ne possédez aucun groupe et n'êtes membre d'aucun.",
+  "groupList.filter.result.empty.title": "Aucun groupe",
+  "groupList.filter.result.empty.description": "Aucun résultat correspondant à ce terme de recherche.",
+  "missingEntitlements.title": "Amélioration requise",
+  "missingEntitlements.description": "Cette fonctionnalité ne fait pas partie de votre licence actuelle.",
+  "trial.enterpriseFeature.title": "Fonctionnalités pour les entreprises",
+  "trial.enterpriseFeature.description": "Cette fonctionnalité n'est disponible de manière permanente qu'avec une licence Enterprise."
 }
diff --git a/frontend/src/i18n/gl-ES.json b/frontend/src/i18n/gl-ES.json
index 2f2effeac..a97d7ce53 100644
--- a/frontend/src/i18n/gl-ES.json
+++ b/frontend/src/i18n/gl-ES.json
@@ -4,12 +4,21 @@
   "common.close": "Pechar",
   "common.copied": "Copiado!",
   "common.copy": "Copiar",
+  "common.create": "Crear",
+  "common.edit": "Editar",
   "common.next": "Seguinte",
   "common.previous": "Anterior",
   "common.refresh": "Actualizar",
   "common.remove": "Eliminar",
   "common.retry": "Tentar de novo",
+  "common.save": "Gardar",
   "common.share": "Compartir",
   "admin.webOfTrust.save": "Gardar",
-  "claimVaultOwnershipDialog.error.wrongPassword": "Contrasinal incorrecto"
+  "claimVaultOwnershipDialog.error.wrongPassword": "Contrasinal incorrecto",
+  "groupList.edit.group.button": "Editar",
+  "user.detail.edit": "Editar",
+  "user.detail.username": "Nome de usuario",
+  "userEditCreate.button.save": "Gardar",
+  "userEditCreate.username": "Nome de usuario",
+  "userList.edit.user.button": "Editar"
 }
diff --git a/frontend/src/i18n/he-IL.json b/frontend/src/i18n/he-IL.json
index c95ecac53..66e3569ce 100644
--- a/frontend/src/i18n/he-IL.json
+++ b/frontend/src/i18n/he-IL.json
@@ -5,18 +5,22 @@
   "common.close": "סגור",
   "common.copied": "הועתק!",
   "common.copy": "העתק",
+  "common.create": "צור",
   "common.download": "הורד",
+  "common.edit": "ערוך",
   "common.next": "הבא",
   "common.previous": "הקודם",
   "common.refresh": "רענן",
   "common.remove": "הסר",
   "common.reset": "איפוס",
   "common.retry": "נסה שוב",
+  "common.save": "שמור",
   "common.share": "שתף",
   "common.show": "הצג",
   "admin.licenseInfo.manageSubscription": "ניהול מנוי",
   "admin.webOfTrust.information": "למידע נוסף.",
   "admin.webOfTrust.save": "שמור",
+  "admin.emergencyAccess.learnMore": "למידע נוסף.",
   "auditLog.filter": "סנן",
   "auditLog.details": "פרטים",
   "auditLog.details.vault.create": "צור כספת חדשה",
@@ -26,9 +30,23 @@
   "createVault.showRecoveryKey.submit": "צור כספת חדשה",
   "deviceList.deviceName": "שם מכשיר",
   "editVaultMetadataDialog.vaultName": "שם הכספת",
+  "group.detail.vaults": "כספות",
+  "groupList.edit.group.button": "ערוך",
+  "groupList.vaults.count": "כספות",
   "legacyDeviceList.description.information": "למידע נוסף.",
   "legacyDeviceList.deviceName": "שם מכשיר",
   "nav.vaults": "כספות",
+  "user.detail.disable": "כבה",
+  "user.detail.edit": "ערוך",
+  "user.detail.enable": "הפעל",
+  "user.detail.username": "שם משתמש",
+  "userEditCreate.button.save": "שמור",
+  "userEditCreate.username": "שם משתמש",
+  "userEditCreate.password": "סיסמה",
+  "userEditCreate.passwordStrong": "חזקה",
+  "userEditCreate.passwordWeak": "חלשה",
+  "userList.edit.user.button": "ערוך",
+  "userList.vaults.count": "כספות",
   "vaultDetails.actions.updatePermissions.reload": "ריענון",
   "vaultDetails.actions.displayRecoveryKey": "הצגת מפתח השחזור",
   "vaultList.title": "כספות",
diff --git a/frontend/src/i18n/hi-IN.json b/frontend/src/i18n/hi-IN.json
index 2d867f4d5..12088d3bd 100644
--- a/frontend/src/i18n/hi-IN.json
+++ b/frontend/src/i18n/hi-IN.json
@@ -5,16 +5,20 @@
   "common.close": "बंद करें",
   "common.copied": "कॉपी हुआ!",
   "common.copy": "कॉपी करें",
+  "common.create": "बनाएं",
   "common.download": "डाउनलोड करें",
+  "common.edit": "संपादित करें",
   "common.next": "अगला",
   "common.previous": "पिछला",
   "common.refresh": "रीफ्रेश करें",
   "common.remove": "हटाएँ",
   "common.retry": "पुन: प्रयास करें",
+  "common.save": "सहेजें",
   "common.share": "साझा करें",
   "common.show": "दिखाएँ",
   "admin.webOfTrust.information": "अधिक जानें",
   "admin.webOfTrust.save": "सहेजें",
+  "admin.emergencyAccess.learnMore": "अधिक जानें",
   "auditLog.filter": "छांटे",
   "auditLog.details.vault.create": "वॉल्ट बनाएं",
   "claimVaultOwnershipDialog.error.wrongPassword": "गलत पासवर्ड!",
@@ -23,9 +27,21 @@
   "createVault.showRecoveryKey.submit": "वॉल्ट बनाएं",
   "deviceList.deviceName": "डिवाइस का नाम",
   "editVaultMetadataDialog.vaultName": "वॉल्ट का नाम",
+  "group.detail.vaults": "कक्षों का नाम",
+  "groupList.edit.group.button": "संपादित करें",
+  "groupList.vaults.count": "कक्षों का नाम",
   "legacyDeviceList.description.information": "अधिक जानें",
   "legacyDeviceList.deviceName": "डिवाइस का नाम",
   "nav.vaults": "कक्षों का नाम",
+  "user.detail.edit": "संपादित करें",
+  "user.detail.username": "उपयोगकर्ता नाम",
+  "userEditCreate.button.save": "सहेजें",
+  "userEditCreate.username": "उपयोगकर्ता नाम",
+  "userEditCreate.password": "पासवर्ड",
+  "userEditCreate.passwordStrong": "मजबूत",
+  "userEditCreate.passwordWeak": "कमजोर",
+  "userList.edit.user.button": "संपादित करें",
+  "userList.vaults.count": "कक्षों का नाम",
   "unlockSuccess.deviceSetup.title": "नया उपकरण",
   "vaultList.title": "कक्षों का नाम",
   "vaultList.addVault": "जोड़िये",
diff --git a/frontend/src/i18n/hr-HR.json b/frontend/src/i18n/hr-HR.json
index b97c22567..341827fde 100644
--- a/frontend/src/i18n/hr-HR.json
+++ b/frontend/src/i18n/hr-HR.json
@@ -5,17 +5,21 @@
   "common.close": "Zatvori",
   "common.copied": "Kopirano!",
   "common.copy": "Kopiraj",
+  "common.create": "Izradi",
   "common.download": "Preuzmi",
+  "common.edit": "Izmjeni",
   "common.next": "Sljedeći",
   "common.previous": "Prethodno",
   "common.refresh": "Osvježi",
   "common.remove": "Ukloni",
   "common.retry": "Pokušaj ponovno",
+  "common.save": "Pohrani",
   "common.share": "Podijeli",
   "common.show": "Prikaži",
   "admin.licenseInfo.manageSubscription": "Upravljaj pretplatom",
   "admin.webOfTrust.information": "Saznaj više.",
   "admin.webOfTrust.save": "Pohrani",
+  "admin.emergencyAccess.learnMore": "Saznaj više.",
   "auditLog.details": "Detalji",
   "auditLog.details.vault.create": "Izradi trezor",
   "claimVaultOwnershipDialog.error.wrongPassword": "Pogrešna lozinka",
@@ -23,8 +27,22 @@
   "createVault.enterVaultDetails.vaultName": "Ime trezora",
   "createVault.showRecoveryKey.submit": "Izradi trezor",
   "editVaultMetadataDialog.vaultName": "Ime trezora",
+  "group.detail.vaults": "Trezori",
+  "groupList.edit.group.button": "Izmjeni",
+  "groupList.vaults.count": "Trezori",
   "legacyDeviceList.description.information": "Saznaj više.",
   "nav.vaults": "Trezori",
+  "user.detail.disable": "Onemogući",
+  "user.detail.edit": "Izmjeni",
+  "user.detail.enable": "Omogući",
+  "user.detail.username": "Korisničko ime",
+  "userEditCreate.button.save": "Pohrani",
+  "userEditCreate.username": "Korisničko ime",
+  "userEditCreate.password": "Lozinka",
+  "userEditCreate.passwordStrong": "Jaka",
+  "userEditCreate.passwordWeak": "Slaba",
+  "userList.edit.user.button": "Izmjeni",
+  "userList.vaults.count": "Trezori",
   "vaultDetails.actions.updatePermissions.reload": "Ponovno učitaj",
   "vaultList.title": "Trezori",
   "vaultList.addVault": "Dodaj"
diff --git a/frontend/src/i18n/hu-HU.json b/frontend/src/i18n/hu-HU.json
index 97a63cc39..cfec36ef8 100644
--- a/frontend/src/i18n/hu-HU.json
+++ b/frontend/src/i18n/hu-HU.json
@@ -5,7 +5,9 @@
   "common.close": "Bezár",
   "common.copied": "Másolva!",
   "common.copy": "Másolás",
+  "common.create": "Létrehozás",
   "common.download": "Letöltés",
+  "common.edit": "Szerkeszt",
   "common.hide": "Elrejtés",
   "common.loading": "Betöltés…",
   "common.next": "Következő",
@@ -17,6 +19,8 @@
   "common.remove": "Eltávolítás",
   "common.reset": "Visszaállítás",
   "common.retry": "Újra",
+  "common.save": "Mentés",
+  "common.saved": "Elmentve!",
   "common.share": "Megosztás",
   "common.show": "Megmutatás",
   "common.unexpectedError": "Váratlan hiba: {0}",
@@ -24,10 +28,10 @@
   "common.xMembers": "{0} tag(ok)",
   "admin.title": "Admin",
   "admin.serverInfo.title": "Szerver Infó",
-  "admin.serverInfo.description": "A Hub ID a Cryptomator Hub példány azonosítására szolgál a licenchez. Támogatás kérésekor mindig add meg az itt megjelenő Hub és Keycloak verziókat.",
-  "admin.serverInfo.hubId.title": "Hub ID",
-  "admin.serverInfo.hubVersion.title": "Hub Verzió",
-  "admin.serverInfo.hubVersion.description.upToDate": "A Hub naprakész.",
+  "admin.serverInfo.description": "A Katta ID a Katta példány azonosítására szolgál a licenchez. Támogatás kérésekor mindig add meg az itt megjelenő Katta és Keycloak verziókat.",
+  "admin.serverInfo.hubId.title": "Katta ID",
+  "admin.serverInfo.hubVersion.title": "Katta Verzió",
+  "admin.serverInfo.hubVersion.description.upToDate": "A Katta naprakész.",
   "admin.serverInfo.hubVersion.description.updateExists": "Elérhető a frissítés a {0} verzióra.",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "Nem sikerült automatikusan frissítéseket keresni. Kérlek, ellenőrizd a frissítéseket manuáliusan.",
   "admin.serverInfo.keycloakVersion.title": "Keycloak Verzió",
@@ -46,8 +50,8 @@
   "admin.licenseInfo.manageSubscription": "Előfizetés kezelése",
   "admin.licenseInfo.type.title": "Típus",
   "admin.licenseInfo.getLicense": "Licence vásárlása",
-  "admin.licenseInfo.selfHostedNoLicense.description": "Köszönjük, hogy a Cryptomator Hub-ot használod! Hozzáférést kaptál a Közösségi Licenchez. Ha több helyre lenne szükséged, bővítheted a licenced.",
-  "admin.licenseInfo.managedNoLicense.description": "Köszönjük, hogy a Cryptomator Hub-ot használod! Nincs aktív licenced.",
+  "admin.licenseInfo.selfHostedNoLicense.description": "Köszönjük, hogy a Katta-ot használod! Hozzáférést kaptál a Közösségi Licenchez. Ha több helyre lenne szükséged, bővítheted a licenced.",
+  "admin.licenseInfo.managedNoLicense.description": "Köszönjük, hogy a Katta-ot használod! Nincs aktív licenced.",
   "admin.webOfTrust.title": "Web of Trust",
   "admin.webOfTrust.description": "Konfiguráld a Web of Trust beállításaid a rendszer felhasználó közötti biztalom kialakításának kezeléséhez. Ezek a beállítások befolyásolják a felhasználói identitások és kulcsaláírások ellenőrzését.",
   "admin.webOfTrust.information": "További információk.",
@@ -59,6 +63,7 @@
   "admin.webOfTrust.wotIdVerifyLen.description": "Egy másik felhasználó ujjlenyomatának hány számjegyét kell megadnia személyazonosságának igazolásához.",
   "admin.webOfTrust.save": "Mentés",
   "admin.webOfTrust.saved": "Elmentve!",
+  "admin.emergencyAccess.learnMore": "További információk.",
   "archiveVaultDialog.title": "Széf Archiválása",
   "archiveVaultDialog.description": "A széf archiválása után a széf inaktív lesz. Ez felszabíthat foglalt helyet. Egy archivált széfet vissza lehet állítani később.",
   "archiveVaultDialog.confirm": "Archiválás",
@@ -86,6 +91,11 @@
   "deviceList.type": "Típus",
   "deviceList.lastAccess.toolTip": "Régebbi verziót futtató eszközöknél hiányozhat.",
   "editVaultMetadataDialog.vaultName": "A széf neve",
+  "group.detail.vaults": "Széfek",
+  "group.detail.name": "Név",
+  "groupList.name": "Név",
+  "groupList.edit.group.button": "Szerkeszt",
+  "groupList.vaults.count": "Széfek",
   "initialSetup.accountKey": "Account Key",
   "legacyDeviceList.description.information": "További információk.",
   "legacyDeviceList.deviceName": "Készülék neve",
@@ -97,6 +107,20 @@
   "nav.profile.auditlog": "Ellenőrzési Napló",
   "regenerateAccountKeyDialog.saveAccountKey.accountKey": "Account Key",
   "resetUserAccountDialog.title": "Felhasználói fiók visszaállítása",
+  "user.detail.disable": "Letiltás",
+  "user.detail.edit": "Szerkeszt",
+  "user.detail.enable": "Engedélyezés",
+  "user.detail.name": "Név",
+  "user.detail.username": "Felhasználónév",
+  "userEditCreate.button.save": "Mentés",
+  "userEditCreate.button.saved": "Elmentve!",
+  "userEditCreate.username": "Felhasználónév",
+  "userEditCreate.password": "Jelszó",
+  "userEditCreate.passwordStrong": "Erős",
+  "userEditCreate.passwordWeak": "Gyenge",
+  "userList.edit.user.button": "Szerkeszt",
+  "userList.userName": "Név",
+  "userList.vaults.count": "Széfek",
   "unlockSuccess.deviceSetup.title": "Új eszköz",
   "vaultDetails.actions.updatePermissions.reload": "Újratöltés",
   "vaultDetails.actions.displayRecoveryKey": "Visszaállítási kulcs mutatása",
diff --git a/frontend/src/i18n/id-ID.json b/frontend/src/i18n/id-ID.json
index 6d5faf5f2..dac8df8e5 100644
--- a/frontend/src/i18n/id-ID.json
+++ b/frontend/src/i18n/id-ID.json
@@ -5,7 +5,9 @@
   "common.close": "Tutup",
   "common.copied": "Tersalin!",
   "common.copy": "Salin",
+  "common.create": "Buat",
   "common.download": "Unduh",
+  "common.edit": "Ubah",
   "common.hide": "Sembunyikan",
   "common.loading": "Memuat…",
   "common.next": "Lanjut",
@@ -16,6 +18,9 @@
   "common.remove": "Hapus",
   "common.reset": "Atur ulang",
   "common.retry": "Coba lagi",
+  "common.save": "Simpan",
+  "common.saved": "Disimpan!",
+  "common.search.placeholder": "Cari…",
   "common.share": "Bagikan",
   "common.show": "Tampilkan",
   "common.unexpectedError": "Kesalahan yang Tak Diharapkan: {0}",
@@ -23,10 +28,10 @@
   "common.xMembers": "{0} Anggota",
   "admin.title": "Admin",
   "admin.serverInfo.title": "Info Server",
-  "admin.serverInfo.description": "ID Hub dipakai untuk mengidentifikasi instansi Hub Cryptomator Anda untuk lisensi Anda. Untuk dukungan, selalu nyatakan versi Hub dan Keycloak yang ditampilkan.",
-  "admin.serverInfo.hubId.title": "ID Hub",
-  "admin.serverInfo.hubVersion.title": "Versi Hub",
-  "admin.serverInfo.hubVersion.description.upToDate": "Hub mutakhir.",
+  "admin.serverInfo.description": "Katta ID dipakai untuk mengidentifikasi instansi Katta Anda untuk lisensi Anda. Untuk dukungan, selalu nyatakan versi Katta dan Keycloak yang ditampilkan.",
+  "admin.serverInfo.hubId.title": "Katta ID",
+  "admin.serverInfo.hubVersion.title": "Versi Katta",
+  "admin.serverInfo.hubVersion.description.upToDate": "Katta mutakhir.",
   "admin.serverInfo.hubVersion.description.updateExists": "Pembaharuan ke versi {0} dimungkinkan.",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "Tidak bisa memeriksa pembaruan. Harap periksa secara manual.",
   "admin.serverInfo.keycloakVersion.title": "Versi Keycloak",
@@ -45,8 +50,8 @@
   "admin.licenseInfo.manageSubscription": "Atur Langganan",
   "admin.licenseInfo.type.title": "Tipe",
   "admin.licenseInfo.getLicense": "Dapatkan Lisensi",
-  "admin.licenseInfo.selfHostedNoLicense.description": "Terima kasih telah memakai Hub Cryptomator! Anda telah memperoleh Lisensi Komunitas. Bila Anda perlu lebih banyak penempatan, tingkatkan lisensi Anda.",
-  "admin.licenseInfo.managedNoLicense.description": "Terima kasih telah memakai Hub Cryptomator! Anda saat ini tidak punya lisensi aktif.",
+  "admin.licenseInfo.selfHostedNoLicense.description": "Terima kasih telah memakai Katta! Anda telah memperoleh Lisensi Komunitas. Bila Anda perlu lebih banyak penempatan, tingkatkan lisensi Anda.",
+  "admin.licenseInfo.managedNoLicense.description": "Terima kasih telah memakai Katta! Anda saat ini tidak punya lisensi aktif.",
   "admin.webOfTrust.title": "Jaringan Kepercayaan",
   "admin.webOfTrust.description": "Konfigurasikan pengaturan Jaringan Kepercayaan untuk mengelola bagaimana kepercayaan dijalin antar pengguna dalam sistem. Pengaturan ini memengaruhi verifikasi identitas pengguna dan tanda tangan kunci.",
   "admin.webOfTrust.information": "Selengkapnya.",
@@ -57,6 +62,7 @@
   "admin.webOfTrust.wotIdVerifyLen.title": "Ketepatan Verifikasi Sidik Jari",
   "admin.webOfTrust.save": "Simpan",
   "admin.webOfTrust.saved": "Disimpan!",
+  "admin.emergencyAccess.learnMore": "Selengkapnya.",
   "archiveVaultDialog.title": "Arsipkan Brankas",
   "archiveVaultDialog.description": "Mengarsipkan brankas membuatnya tidak aktif. Ini mungkin membebaskan tempat yang tidak terpakai. Brankas yang diarsipkan bisa diaktifkan ulang nanti.",
   "archiveVaultDialog.confirm": "Arsipkan",
@@ -118,9 +124,16 @@
   "deviceList.type": "Tipe",
   "deviceList.thisDevice": "Perangkat Ini",
   "deviceList.ipAddress": "Alamat IP",
+  "emergencyAccess.filter.all": "Semua",
   "editVaultMetadataDialog.vaultName": "Nama Brankas",
   "editVaultMetadataDialog.vaultDescription": "Deskripsi",
   "editVaultMetadataDialog.error.vaultAlreadyExists": "Brankas dengan nama yang diberikan sudah ada.",
+  "group.detail.vaults": "Vault",
+  "group.detail.name": "Nama",
+  "groupList.name": "Nama",
+  "groupList.edit.group.button": "Ubah",
+  "groupList.search.placeholder": "Cari…",
+  "groupList.vaults.count": "Vault",
   "initialSetup.accountKey": "Kunci Akun",
   "initialSetup.submit": "Selesaikan Penyiapan",
   "licenseAlert.noRemainingSeats.title": "Lisensi terlampaui",
@@ -145,16 +158,30 @@
   "regenerateAccountKeyDialog.saveAccountKey.description": "Pastikan menyimpan kunci baru ini. Anda akan perlu itu untuk masuk ke perangkat baru. Anda dapat menghapus yang lama.",
   "regenerateAccountKeyDialog.saveAccountKey.accountKey": "Kunci Akun",
   "resetUserAccountDialog.title": "Atur Ulang Akun Pengguna",
+  "user.detail.disable": "Matikan",
+  "user.detail.edit": "Ubah",
+  "user.detail.enable": "Aktifkan",
+  "user.detail.name": "Nama",
+  "user.detail.username": "Nama pengguna",
+  "userEditCreate.button.save": "Simpan",
+  "userEditCreate.button.saved": "Disimpan!",
+  "userEditCreate.username": "Nama pengguna",
+  "userEditCreate.password": "Kata Sandi",
+  "userEditCreate.passwordStrong": "Kuat",
+  "userEditCreate.passwordWeak": "Lemah",
+  "userList.edit.user.button": "Ubah",
+  "userList.userName": "Nama",
+  "userList.vaults.count": "Vault",
   "userProfile.title": "Profil",
   "userProfile.actions.changeLanguage": "Ubah Bahasa",
   "userProfile.actions.changeLanguage.entry.browser": "Bahasa Peramban",
   "unlockSuccess.title": "Brankas sukses dibuka kuncinya",
-  "unlockSuccess.description": "Anda kini bisa menutup tab peramban ini dan kembali ke Cryptomator.",
+  "unlockSuccess.description": "Anda kini bisa menutup tab peramban ini dan kembali ke Katta.",
   "unlockSuccess.accountSetup.title": "Penyiapan Diperlukan",
   "unlockSuccess.accountSetup.description": "Selesaikan menyiapkan akun Anda dan ambil kunci akun Anda.",
   "unlockSuccess.accountSetup.goToSetup": "Selesaikan Penyiapan",
   "unlockSuccess.deviceSetup.title": "Perangkat Baru",
-  "unlockSuccess.deviceSetup.description": "Masukkan kunci akun Anda dalam Cryptomator untuk mengotorisasi itu.",
+  "unlockSuccess.deviceSetup.description": "Masukkan kunci akun Anda dalam Katta untuk mengotorisasi itu.",
   "unlockSuccess.deviceSetup.goToProfile": "Lihat Kunci Akun dalam Profil saya",
   "unlockSuccess.noVaultAccess.title": "Tidak ada akses ke Brankas ini",
   "unlockSuccess.noVaultAccess.description": "Harap hubungi pemilik brankas untuk menambahkan Anda sebagai anggota brankas.",
diff --git a/frontend/src/i18n/index.ts b/frontend/src/i18n/index.ts
index a93068045..4b7aeac98 100644
--- a/frontend/src/i18n/index.ts
+++ b/frontend/src/i18n/index.ts
@@ -1,4 +1,4 @@
-import { I18nOptions } from 'vue-i18n';
+import { I18nOptions, createI18n } from 'vue-i18n';
 import deDe from './de-DE.json';
 import enUs from './en-US.json';
 import frFr from './fr-FR.json';
@@ -13,8 +13,6 @@ import trTr from './tr-TR.json';
 import uaUa from './uk-UA.json';
 import zhTw from './zh-TW.json';
 
-import { createI18n } from 'vue-i18n';
-
 export enum Locale {
   EN_US = 'en-US',
   DE_DE = 'de-DE',
@@ -102,13 +100,56 @@ export const numberFormats: I18nOptions['numberFormats'] = {
   [Locale.ZH_TW]: defaultNumberFormat
 };
 
-export const mapToLocale = (local: string): Locale =>
-  (Object.values(Locale) as string[]).includes(local)
-    ? (local as Locale)
-    : Locale.EN_US;
+export const mapToLocale = (locale: string): Locale => {
+  if (!locale) {
+    return Locale.EN_US;
+  }
+
+  const normalized = locale.replace('_', '-');
+
+  if ((Object.values(Locale) as string[]).includes(normalized)) {
+    return normalized as Locale;
+  }
+
+  const base = normalized.split('-')[0];
+
+  switch (base) {
+    case 'de': return Locale.DE_DE;
+    case 'en': return Locale.EN_US;
+    case 'fr': return Locale.FR_FR;
+    case 'it': return Locale.IT_IT;
+    case 'ko': return Locale.KO_KR;
+    case 'lv': return Locale.LV_LV;
+    case 'nl': return Locale.NL_NL;
+    case 'pt': return Locale.PT_PT;
+    case 'ru': return Locale.RU_RU;
+    case 'tr': return Locale.TR_TR;
+    case 'uk': return Locale.UK_UA;
+    case 'zh': return Locale.ZH_TW;
+    default: return Locale.EN_US;
+  }
+};
+
+export const detectBrowserLocale = (): Locale => {
+  const raw = getBrowserLocale();
+
+  return mapToLocale(raw);
+};
+
+function getBrowserLocale(): string {
+  if (typeof navigator === 'undefined') {
+    return Locale.EN_US;
+  } else if (navigator.languages && navigator.languages.length > 0) {
+    return navigator.languages[0];
+  } else if (navigator.language) {
+    return navigator.language;
+  } else {
+    return Locale.EN_US;
+  }
+}
 
 const i18n = createI18n({
-  locale: navigator.language,
+  locale: detectBrowserLocale(),
   fallbackLocale: Locale.EN_US,
   messages,
   datetimeFormats,
diff --git a/frontend/src/i18n/it-IT.json b/frontend/src/i18n/it-IT.json
index 1acc10ad3..0996504b3 100644
--- a/frontend/src/i18n/it-IT.json
+++ b/frontend/src/i18n/it-IT.json
@@ -18,10 +18,16 @@
   "common.close": "Chiudi",
   "common.copied": "Copiato!",
   "common.copy": "Copia",
+  "common.create": "Crea",
+  "common.device": "Dispositivo",
   "common.download": "Download",
+  "common.edit": "Modifica",
   "common.hide": "Nascondi",
+  "common.leave": "Abbandona",
   "common.loading": "Caricamento…",
   "common.next": "Avanti",
+  "common.none": "Nessuno",
+  "common.nothingFound": "Nessun risultato",
   "common.optional": "opzionale",
   "common.pagination": "Paginazione",
   "common.previous": "Precedente",
@@ -30,6 +36,10 @@
   "common.remove": "Rimuovi",
   "common.reset": "Reimposta",
   "common.retry": "Riprova",
+  "common.save": "Salva",
+  "common.saved": "Salvato!",
+  "common.search.placeholder": "Ricerca…",
+  "common.select.placeholder": "Seleziona…",
   "common.share": "Condividi",
   "common.show": "Visualizza",
   "common.undo": "Annulla",
@@ -37,12 +47,17 @@
   "common.unsavedChanges": "Modifiche non salvate.",
   "common.update": "Aggiorna",
   "common.xMembers": "# Membri: {0}",
+  "common.actions": "Azioni",
+  "common.group": "Gruppo",
+  "common.member": "Membro",
+  "common.property": "Proprietà",
+  "common.value": "Valore",
   "admin.title": "Amministratore",
   "admin.serverInfo.title": "Informazioni Server",
-  "admin.serverInfo.description": "ID Hub viene utilizzato per identificare l'istanza di Cryptomator Hub relativa alla tua licenza. Nelle richieste di assistenza indica sempre la versione di Hub e Keycloak visualizzate.",
-  "admin.serverInfo.hubId.title": "ID Hub",
-  "admin.serverInfo.hubVersion.title": "Versione Hub",
-  "admin.serverInfo.hubVersion.description.upToDate": "Hub è aggiornato.",
+  "admin.serverInfo.description": "ID Katta viene utilizzato per identificare l'istanza di Katta relativa alla tua licenza. Nelle richieste di assistenza indica sempre la versione di Katta e Keycloak visualizzate.",
+  "admin.serverInfo.hubId.title": "ID Katta",
+  "admin.serverInfo.hubVersion.title": "Versione Katta",
+  "admin.serverInfo.hubVersion.description.upToDate": "Katta è aggiornato.",
   "admin.serverInfo.hubVersion.description.updateExists": "Disponibile aggiornamento alla versione {0}.",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "Impossibile controllare gli aggiornamenti. Si prega di controllare manualmente.",
   "admin.serverInfo.keycloakVersion.title": "Versione Keycloak",
@@ -62,8 +77,8 @@
   "admin.licenseInfo.manageSubscription": "Gestisci Abbonamento",
   "admin.licenseInfo.type.title": "Tipo",
   "admin.licenseInfo.getLicense": "Ottieni licenza",
-  "admin.licenseInfo.selfHostedNoLicense.description": "Grazie per aver utilizzato Cryptomator Hub! Ti è stata concessa la licenza Community. Se hai bisogno di ulteriori postazioni, fai un upgrade.",
-  "admin.licenseInfo.managedNoLicense.description": "Grazie per aver utilizzato Cryptomator Hub! Al momento non hai una licenza attiva.",
+  "admin.licenseInfo.selfHostedNoLicense.description": "Grazie per aver utilizzato Katta! Ti è stata concessa la licenza Community. Se hai bisogno di ulteriori postazioni, fai un upgrade.",
+  "admin.licenseInfo.managedNoLicense.description": "Grazie per aver utilizzato Katta! Al momento non hai una licenza attiva.",
   "admin.webOfTrust.title": "Web of Trust",
   "admin.webOfTrust.description": "Configurare le impostazioni del Web of Trust per gestire come viene stabilita la fiducia tra gli utenti del sistema. Queste impostazioni influenzano la verifica delle identità utente e delle chiavi di firma.",
   "admin.webOfTrust.information": "Scopri di più.",
@@ -75,6 +90,27 @@
   "admin.webOfTrust.wotIdVerifyLen.description": "Quante cifre dell'impronta digitale degli altri utenti è necessario inserire per verificarne l'identità.",
   "admin.webOfTrust.save": "Salva",
   "admin.webOfTrust.saved": "Salvato!",
+  "admin.emergencyAccess.title": "Accesso di Emergenza",
+  "admin.emergencyAccess.description": "Configura la separazione delle chiavi per il recupero della cassaforte.",
+  "admin.emergencyAccess.learnMore": "Scopri di più.",
+  "admin.emergencyAccess.noRedundancy.title": "L'attuale separazione delle chiavi è priva di ridondanza!",
+  "admin.emergencyAccess.noRedundancy.description": "È fortemente consigliata la configurazione di un numero di portachiavi maggiore rispetto alle chiavi richieste.",
+  "admin.emergencyAccess.enabled.label": "Abilitato",
+  "admin.emergencyAccess.enabled.help": "Abilita Accesso di Emergenza",
+  "admin.emergencyAccess.requiredKeys.label": "Chiavi richieste",
+  "admin.emergencyAccess.requiredKeys.ariaLabel": "Condivisioni della chiave richiesta",
+  "admin.emergencyAccess.requiredKeys.help": "Il numero di chiavi richieste per ripristinare l'accesso alla cassaforte.",
+  "admin.emergencyAccess.keyholders.label": "Portachiavi",
+  "admin.emergencyAccess.keyholders.minSelected": "Devono essere selezionati almeno {0} membri. Il numero richiesto è stato definito sopra.",
+  "admin.emergencyAccess.keyholders.help": "Chi deve recuperare una chiave di accesso di emergenza.",
+  "admin.emergencyAccess.allowChoosing.label": "Permetti ai proprietari della cassaforte di scegliere portachiavi diversi.",
+  "admin.emergencyAccess.allowChoosing.atLeast": "Almeno:",
+  "admin.emergencyAccess.minMembers.ariaLabel": "Numero minimo di membri",
+  "admin.emergencyAccess.example.help": "Esempio di chi può contribuire al recupero di una cassaforte.",
+  "admin.emergencyAccess.validation.maxValue": "Il valore massimo è {0}.",
+  "admin.emergencyAccess.validation.minValue": "Il valore massimo è {0}.",
+  "admin.emergencyAccess.validation.minMembersAtLeastRequiredShares": "Deve essere maggiore o uguale al numero richiesto di condivisioni della chiave.",
+  "admin.emergencyAccess.errors.sharesMustNotExceedMembers": "Le condivisioni richieste della chiave non possono superare il numero minimo di membri.",
   "archiveVaultDialog.title": "Archivia Cassaforte",
   "archiveVaultDialog.description": "L'archiviazione di una cassaforte la rende inattiva. Questo può liberare postazioni occupate. Una cassaforte archiviata può essere riattivata successivamente.",
   "archiveVaultDialog.confirm": "Archivia",
@@ -86,11 +122,18 @@
   "auditLog.filter.endDate": "Data fine",
   "auditLog.filter.selectEventFilter": "Seleziona un filtro eventi",
   "auditLog.filter.clerEventFilter": "Rimuovi il filtro eventi",
+  "auditLog.filter.removeEventType": "Rimuovi {type}",
   "auditLog.timestamp": "Marca temporale",
   "auditLog.type": "Evento",
   "auditLog.details": "Dettagli",
   "auditLog.details.device.register": "Registra dispositivo",
   "auditLog.details.device.remove": "",
+  "auditLog.details.emergencyaccess.setup": "Configurazione Accesso di Emergenza",
+  "auditLog.details.emergencyaccess.settingsUpdated": "Impostazioni aggiornate per l'Accesso di Emergenza",
+  "auditLog.details.emergencyaccess.recoveryStarted": "Inizio recupero Accesso di Emergenza",
+  "auditLog.details.emergencyaccess.recoveryApproved": "Recupero approvato dell'Accesso di Emergenza",
+  "auditLog.details.emergencyaccess.recoveryCompleted": "Recupero completato dell'Accesso di Emergenza",
+  "auditLog.details.emergencyaccess.recoveryAborted": "Recupero fallito dell'Accesso di Emergenza",
   "auditLog.details.setting.wot.update": "Aggiorna impostazioni Wot",
   "auditLog.details.user.account.reset": "Reimposta account utente",
   "auditLog.details.user.keys.change": "Cambio chiavi utente",
@@ -123,6 +166,9 @@
   "createVault.enterVaultDetails.description": "Inserisci un nome e una descrizione per la tua nuova cassaforte. Puoi modificarli successivamente.",
   "createVault.enterVaultDetails.vaultName": "Nome della Cassaforte",
   "createVault.enterVaultDetails.vaultDescription": "Descrizione",
+  "createVault.emergencyAccessDetails.title": "Imposta le condizioni per l'Accesso di Emergenza",
+  "createVault.emergencyAccessDetails.description": "Seleziona di membri del gruppo per l'accesso di emergenza.",
+  "createVault.emergencyAccessDetails.description.adminDefined": "Il gruppo per l'accesso di emergenza è definito dall'amministratore e non può essere modificato da qui.",
   "createVault.showRecoveryKey.title": "Chiave di recupero",
   "createVault.showRecoveryKey.description": "La seguente chiave di recupero può essere utilizzata per ripristinare l'accesso alla cassaforte.",
   "createVault.showRecoveryKey.recoveryKey": "Chiave di recupero della cassaforte",
@@ -133,13 +179,22 @@
   "createVault.error.invalidRecoveryKey": "La chiave di ripristino non è valida.",
   "createVault.error.vaultAlreadyExists": "Esiste già una cassaforte con il nome specificato.",
   "createVault.error.downloadTemplateFailed": "Download del modello di cassaforte non riuscito: {0}",
-  "createVault.error.paymentRequired": "La licenza Cryptomator Hub ha superato il numero di utenti disponibili o è scaduta. Si prega contattare un amministratore per aggiornare o rinnovare la licenza.",
+  "createVault.error.paymentRequired": "La licenza Katta ha superato il numero di utenti disponibili o è scaduta. Si prega contattare un amministratore per aggiornare o rinnovare la licenza.",
   "createVault.success.title": "Cassaforte creata",
   "createVault.success.description": "Dopo aver scaricato la cartella della cassaforte con zip, scompattarla in qualsiasi posizione condivisa con i membri del tuo team.",
   "createVault.success.download": "Scarica cartella cassaforte compressa come archivio zip",
   "createVault.success.return": "Ritorna alla lista delle casseforti",
+  "deleteGroupDialog.title": "Elimina il Gruppo",
+  "deleteGroupDialog.description": "Sei sicuro di voler eliminare definitivamente questo gruppo? Sarà rimosso da tutte le casseforti associate. Questa azione non può essere annullata.",
+  "deleteGroupDialog.confirm": "Sì, elimina il gruppo",
+  "disableUserDialog.title": "Disabilita Utente",
+  "disableUserDialog.description": "Questo utente non sarà più in grado di accedere e sarà escluso dal numero di posti. È possibile riattivarlo in qualsiasi momento.",
+  "disableUserDialog.confirm": "Disabilita Utente",
+  "deleteUserDialog.title": "Elimina l'Account Utente",
+  "deleteUserDialog.description": "Sei sicuro di voler eliminare definitivamente questo utente? Tutte le casseforti e i dispositivi associati saranno rimossi. Questa azione non può essere annullata.",
+  "deleteUserDialog.confirm": "Sì, elimina l'utente",
   "deviceList.empty.message": "Nessun dispositivo",
-  "deviceList.empty.description": "Per aggiungere un dispositivo aggiungere una cassaforte da questo Hub all'app Cryptomator del dispositivo e sbloccarlo.",
+  "deviceList.empty.description": "Per aggiungere un dispositivo aggiungere una cassaforte da Katta all'app Katta del dispositivo e sbloccarlo.",
   "deviceList.title": "Dispositivi e browser autorizzati",
   "deviceList.deviceName": "Nome Del Dispositivo",
   "deviceList.type": "Tipo",
@@ -148,8 +203,89 @@
   "deviceList.ipAddress": "Indirizzo IP",
   "deviceList.lastAccess": "Ultimo accesso alla cassaforte",
   "deviceList.lastAccess.toolTip": "Può mancare per i dispositivi a cui si accede con versioni più vecchie.",
+  "deviceType.browser": "Browser",
+  "deviceType.desktop": "Desktop",
+  "deviceType.mobile": "Mobile",
   "downloadVaultTemplateDialog.title": "Scarica modello della cassaforte",
   "downloadVaultTemplateDialog.description": "Scarica e scompatta il modello di cassaforte in qualsiasi posizione condivisa con i membri del tuo team. È necessario solo la prima volta durante la configurazione iniziale.",
+  "emergencyAccess.requiredKeyShares": "Condivisioni richieste della chiave",
+  "emergencyAccess.processCouncil": "Elabora Gruppo",
+  "emergencyAccess.status.added": "Aggiunto",
+  "emergencyAccess.status.pending": "In corso",
+  "emergencyAccess.startProcess": "Avvia il processo",
+  "emergencyAccess.notPossible": "Non possibile",
+  "emergencyAccess.vaultCouncil": "Gruppo della Cassaforte",
+  "emergencyAccess.noRedundancy": "Senza Ridondanza",
+  "emergencyAccess.label.councilMembers": "Membri del Gruppo",
+  "emergencyAccess.label.newCouncilMembers": "Nuovi Membri del Gruppo",
+  "emergencyAccess.label.owners": "Proprietari",
+  "emergencyAccess.label.members": "Membri",
+  "emergencyAccess.label.removed": "Rimosso",
+  "emergencyAccess.label.possibleScenario": "Possibile Situazione di Emergenza",
+  "emergencyAccess.label.exampleRecovery": "Esempio di Recupero",
+  "emergencyAccess.validation.selectMoreCouncilMembers": "Seleziona almeno altri {0} membri del gruppo.",
+  "emergencyAccess.validation.minimumMembers": "Devono essere selezionati almeno {0} membri.",
+  "emergencyAccess.approval.waitingOthers": "In attesa di altre approvazioni",
+  "emergencyAccess.approval.showDetails": "Mostra dettagli",
+  "emergencyAccess.approval.completeNow": "Completa ora",
+  "emergencyAccess.approval.approveNow": "Approva ora",
+  "emergencyAccess.processType.changePermissions": "Scegli i Membri della Cassaforte",
+  "emergencyAccess.processType.changeCouncil": "Modifica il Gruppo di Accesso di Emergenza",
+  "emergencyAccess.filter.all": "Tutte",
+  "emergencyAccess.filter.approvable": "Approvabile",
+  "emergencyAccess.filter.approved": "Approvato",
+  "emergencyAccess.filter.startable": "Avviabile",
+  "emergencyAccess.empty.disabled": "L'Accesso di Emergenza è disabilitato.",
+  "emergencyAccess.empty.noneFound": "Nessuna cassaforte trovata con accesso di emergenza",
+  "emergencyAccess.licenseRequired.message": "L'Accesso di Emergenza è disponibile solo con una licenza a pagamento.",
+  "emergencyAccess.licenseRequired.adminHint": "Puoi ottenerne una nella sezione amministratore.",
+  "emergencyAccess.badge.notCouncil.title": "Non è più un Membro del Gruppo per la Cassaforte",
+  "emergencyAccess.badge.notCouncil.message": "Non fai più parte dell'attuale gruppo di emergenza della cassaforte. Ma fai ancora parte di un processo attivo per l'accesso di emergenza.",
+  "emergencyAccess.badge.insufficientCouncilMembers.title": "Accesso di Emergenza non sufficiente",
+  "emergencyAccess.badge.insufficientCouncilMembers.message": "La politica del tuo team richiede un gruppo di accesso di emergenza di almeno {0} membri. La cassaforte attualmente non rispetta questo requisito.",
+  "emergencyAccess.badge.broken.title": "Accesso di Emergenza corrotto",
+  "emergencyAccess.badge.broken.message": "L'Accesso di Emergenza non è più possibile. Uno o più membri del gruppo hanno reimpostato il proprio account ed hanno perso le loro condivisioni della chiave.",
+  "emergencyAccess.badge.noRedundancy.title": "Senza Ridondanza",
+  "emergencyAccess.badge.noRedundancy.message": "Questo Gruppo di Accesso di Emergenza non ha ridondanza. Valuta l'assegnazione di un gruppo con ridondanza.",
+  "emergencyAccessDialog.message.completed": "Operazione completata con successo.",
+  "emergencyAccessDialog.label.selectOwner": "Seleziona un utente con il ruolo di proprietario",
+  "emergencyAccessDialog.label.selectMember": "Seleziona un utente con il ruoto di membro",
+  "emergencyAccessDialog.label.councilMembersAtLeast": "Membri del Gruppo (Almeno {0})",
+  "emergencyAccessDialog.section.ownership": "Proprietà",
+  "emergencyAccessDialog.section.councilChange": "Modifica del Gruppo",
+  "emergencyAccessDialog.hint.finishProcess": "Puoi completare questa attività di accesso di emergenza aggiungendo l'ultima condivisione di chiave e portandola a termine.",
+  "emergencyAccessDialog.hint.keyShareAdded": "La tua condivisione della chiave è già stata aggiunta.",
+  "emergencyAccessDialog.hint.notInCouncil": "Non sei parte del gruppo per questa attività e non puoi aggiungere una condivisione di chiave.",
+  "emergencyAccessDialog.action.abortProcess": "Interrompi questa attività",
+  "emergencyAccessDialog.action.start": "Inizia",
+  "emergencyAccessDialog.action.approve": "Approva",
+  "emergencyAccessDialog.action.completeProcess": "Completa l'attività",
+  "emergencyAccessDialog.title.success": "Operazione riuscita",
+  "emergencyAccessDialog.title.changeCouncil": "Cambia il gruppo",
+  "emergencyAccessDialog.title.changePermissions": "Cambia le autorizzazioni della cassaforte",
+  "emergencyAccessDialog.title.processDetails": "Dettagli dell'attività",
+  "emergencyAccessDialog.title.approved": "Approvato",
+  "emergencyAccessDialog.title.approveEmergencyAccess": "Approva Accesso di Emergenza",
+  "emergencyAccessDialog.title.completeEmergencyAccess": "Completa l'Accesso di Emergenza",
+  "emergencyAccessDialog.error.insufficientCouncilMembers": "Dati incoerenti: numero insufficiente ({0}) di membri del consiglio per recuperare questa cassaforte ({1}).",
+  "emergencyAccessDialog.error.noProcessToApprove": "Nessuna attività di recupero da approvare.",
+  "emergencyAccessDialog.error.processTampered": "L'attività di recupero è stata compromessa.",
+  "emergencyAccessDialog.error.noProcessToComplete": "Nessuna attività di recupero da completare.",
+  "emergencyAccessDialog.error.unsupportedProcessType": "Stato non riconosciuto per il tipo di attività di recupero: {0}",
+  "grantEmergencyAccessDialog.title": "Permetti Accesso di Emergenza",
+  "grantEmergencyAccessDialog.description.selectCouncil": "Seleziona i membri del gruppo cui garantire l'accesso di emergenza per questa cassaforte.",
+  "grantEmergencyAccessDialog.description.default": "Permetti l'accesso di emergenza per questa cassaforte.",
+  "grantEmergencyAccessDialog.grant": "Permetti",
+  "grantEmergencyAccessDialog.error.keySharesRequired": "Sono richieste almeno 2 Condivisioni della Chiave di Emergenza.",
+  "grantEmergencyAccessDialog.error.councilMembersRequired": "Sono richiesti almeno 2 Membri del Gruppo.",
+  "grantEmergencyAccessDialog.error.tooFewCouncilMembers": "Troppi pochi Membri del Gruppo. Aggiungi altri membri o diminuisci il numero richiesto di Condivisioni della Chiave di Emergenza.",
+  "processAbortDialog.title": "Interrompi questa attività",
+  "processAbortDialog.description": "Vuoi veramente interrompere questa attività di accesso di emergenza? Non potrai cambiare la tua decisione.",
+  "processAbortDialog.confirm": "Annulla l'Attività",
+  "recoveryDialog.error.invalidRecoveryType": "Tipo di attività di recupero non valido.",
+  "recoveryDialog.error.processAlreadyExists": "Esiste già un'attività di recupero di questo tipo.",
+  "recoveryDialog.error.noOwnerSelected": "Seleziona almeno un proprietario.",
+  "recoveryDialog.error.notEnoughCouncilMembers": "Non sono stati selezionati abbastanza membri del gruppo.",
   "editVaultMetadataDialog.title": "Modifica i metadati della cassaforte",
   "editVaultMetadataDialog.description": "Aggiorna il nome e la descrizione della cassaforte.",
   "editVaultMetadataDialog.vaultName": "Nome della Cassaforte",
@@ -159,6 +295,47 @@
   "grantPermissionDialog.title": "Concedi autorizzazione",
   "grantPermissionDialog.description": "Condividi le chiavi del vault con i nuovi utenti aggiunti.",
   "grantPermissionDialog.submit": "Concedi autorizzazione agli utenti {0}",
+  "groups.title": "Gruppi",
+  "group.detail.info": "Dettagli del gruppo",
+  "group.detail.members": "Membri",
+  "group.detail.vaults": "Cassaforti",
+  "group.detail.edit": "Modifica il Gruppo",
+  "group.detail.add.member": "Aggiungi un membro",
+  "group.detail.name": "Nome",
+  "group.detail.createdOn": "Creato il",
+  "group.detail.roles": "Ruoli",
+  "groupList.name": "Nome",
+  "groupList.members.count": "Utenti",
+  "groupList.edit.group.button": "Modifica",
+  "groupList.search.placeholder": "Ricerca…",
+  "groupList.groupImage": "Immagine del Gruppo",
+  "groupList.vaults.count": "Cassaforti",
+  "groupList.create.button": "Crea un Gruppo",
+  "groupList.group.created": "Creato il",
+  "group.members.add": "Aggiungi Membri",
+  "group.members.search.empty": "Nessun risultato",
+  "group.addMembers.title": "Aggiungi Membri",
+  "group.addMembers.searchLabel": "Cerca per nome utente o nome completo",
+  "group.addMembers.selectedUser": "Utente/i selezionato/i",
+  "group.member.remove.title": "Rimuovi l'Utente dal Gruppo",
+  "group.member.remove.description": "Sei sicuro di voler rimuovere questo utente dal gruppo?",
+  "group.member.remove.confirm": "Sì, rimuovilo dal gruppo",
+  "groupEditCreate.title.create": "Creare un Nuovo Gruppo",
+  "groupEditCreate.title.edit": "Modifica il Gruppo",
+  "groupEditCreate.profileImage": "Immagine del Profilo",
+  "groupEditCreate.role": "Ruolo",
+  "groupEditCreate.removePicture": "Rimuovi l'Immagine",
+  "groupEditCreate.addPicture": "Aggiungi un'Immagine",
+  "groupEditCreate.name": "Nome del Gruppo",
+  "groupEditCreate.roles": "Ruoli",
+  "groupEditCreate.validation.required": "Questo campo è obbligatorio",
+  "groupEditCreate.roles.remove": "Rimuovi ruoli",
+  "groupEditCreate.roles.choose": "Scegli i ruoli",
+  "groupEditCreate.roles.addMore": "Aggiungine un altro",
+  "groupEditCreate.invalidImageUrl": "URL dell'immagine non valido",
+  "groupEditCreate.profilePictureUrl": "URL dell'Immagine del Profilo",
+  "groupEditCreate.selectRolesPlaceholder": "Seleziona il/i ruolo/i",
+  "groupEditCreate.error.groupNameAlreadyExists": "Esiste già un gruppo con questo nome.",
   "trustDetails.trustLevel": "Livello di fiducia {0}",
   "trustDetails.trustLevel.untrusted": "Non verificato",
   "trustDetails.showSignDialogBtn": "Verifica Identità...",
@@ -166,7 +343,7 @@
   "signUserKeysDialog.title": "Verifica identità di {0}",
   "signUserKeysDialog.description": "Inserisci i primi {0} caratteri dell'impronta digitale di {1} per confermare l'autenticità delle sue chiavi pubbliche. L'impronta digitale si trova nel profilo dell'utente.",
   "signUserKeysDialog.submit": "Conferma l'identità dell'utente",
-  "initialSetup.createUserKey.title": "Benvenuto in Cryptomator Hub",
+  "initialSetup.createUserKey.title": "Benvenuto in Katta",
   "initialSetup.createUserKey.description": "Al primo accesso, ogni utente riceve una chiave account unica:",
   "initialSetup.createUserKey.details.accountKey": "La tua chiave account è necessaria per accedere da altre app o browser",
   "initialSetup.createUserKey.details.devicesList": "Nella pagina del tuo profilo puoi trovare una lista della app autorizzate",
@@ -182,19 +359,19 @@
   "initialSetup.recoverUserKey.lostAccountKey": "Hai perso la chiave dell'account? {0}",
   "initialSetup.recoverUserKey.lostAccountKey.resetUserAccount": "Reimposta il mio account",
   "initialSetup.setupAlreadyCompleted.title": "Configurazione già completata",
-  "initialSetup.setupAlreadyCompleted.description": "Hai già completato la configurazione iniziale per Cryptomator Hub. La chiave dell'account si trova nel tuo profilo.",
+  "initialSetup.setupAlreadyCompleted.description": "Hai già completato la configurazione iniziale per Katta. La chiave dell'account si trova nel tuo profilo.",
   "initialSetup.setupAlreadyCompleted.goToYourProfile": "Vai al tuo profilo",
   "initialSetup.accountKey": "Chiave dell'account",
   "initialSetup.submit": "Termina la configurazione",
   "licenseAlert.noRemainingSeats.title": "Licenza utilizzata completamente",
-  "licenseAlert.noRemainingSeats.admin.description": "La tua istanza Cryptomator Hub ha superato il numero di postazioni con licenza. Fai un upgrade a {0} per gestire e sbloccare nuovamente le tue casseforti.",
-  "licenseAlert.noRemainingSeats.user.description": "La tua istanza di Cryptomator Hub ha superato il numero di postazioni con licenza. Informa un amministratore dell'Hub di fare un upgrade della licenza.",
+  "licenseAlert.noRemainingSeats.admin.description": "La tua istanza Katta ha superato il numero di postazioni con licenza. Fai un upgrade a {0} per gestire e sbloccare nuovamente le tue casseforti.",
+  "licenseAlert.noRemainingSeats.user.description": "La tua istanza di Katta ha superato il numero di postazioni con licenza. Informa un amministratore di Katta di fare un upgrade della licenza.",
   "licenseAlert.licenseExpired.title": "Licenza scaduta",
-  "licenseAlert.licenseExpired.admin.description": "La tua licenza di Cryptomator Hub è scaduta. Rinnovala in {0} per gestire e sbloccare nuovamente le tue casseforti.",
-  "licenseAlert.licenseExpired.user.description": "La tua licenza di Cryptomator Hub è scaduta. Informa un amministratore dell'Hub di rinnovarla.",
+  "licenseAlert.licenseExpired.admin.description": "La tua licenza di Katta è scaduta. Rinnovala in {0} per gestire e sbloccare nuovamente le tue casseforti.",
+  "licenseAlert.licenseExpired.user.description": "La tua licenza di Katta è scaduta. Informa un amministratore di Katta di rinnovarla.",
   "licenseAlert.button": "Sezione Amministratore",
   "legacyDeviceList.title": "Dispositivi Legacy",
-  "legacyDeviceList.description": "Questi dispositivi sono stati creati con una versione precedente di Hub e devono essere aggiornati per sbloccare le cassaforti nelle versioni successive. Se non ne hai più bisogno, rimuovili. Altrimenti, aggiorna Cryptomator su questi dispositivi. Al prossimo sblocco partirà automaticamente l'aggiornamento.",
+  "legacyDeviceList.description": "Questi dispositivi sono stati creati con una versione precedente di Katta e devono essere aggiornati per sbloccare le cassaforti nelle versioni successive. Se non ne hai più bisogno, rimuovili. Altrimenti, aggiorna Katta su questi dispositivi. Al prossimo sblocco partirà automaticamente l'aggiornamento.",
   "legacyDeviceList.description.information": "Scopri di più.",
   "legacyDeviceList.deviceName": "Nome del dispositivo",
   "legacyDeviceList.type": "Tipo",
@@ -203,15 +380,22 @@
   "legacyDeviceList.ipAddress": "Indirizzo IP",
   "legacyDeviceList.lastAccess": "Ultimo accesso alla cassaforte",
   "legacyDeviceList.lastAccess.toolTip": "Può mancare per i dispositivi a cui si accede con versioni più vecchie.",
+  "legacyDeviceBanner.title": "I Dispositivi Legacy Verranno Esclusi",
+  "legacyDeviceBanner.user.description": "I tuoi dispositivi legacy non saranno più supportati dalla prossima major release. Aggiorna Cryptomator su quei dispositivi, oppure escludili.",
+  "legacyDeviceBanner.admin.description": "Uno o più utenti hanno ancora dispositivi legacy. Il loro supporto sarà cessato nella prossima major release. Chiedi agli utenti interessati di aggiornare Cryptomator o di rimuovere i loro dispositivi legacy.",
   "manageAccountKey.title": "Chiave dell'account",
   "manageAccountKey.description": "La chiave del tuo account è necessaria per accedere da altre app o browser.",
   "manageAccountKey.regenerate": "Rigenera chiave",
   "nav.vaults": "Cassaforti",
+  "nav.emergencyAccess": "Accesso di Emergenza",
   "nav.profile.signedInAs": "Accesso effettuato come",
   "nav.profile.profile": "Il tuo profilo",
   "nav.profile.admin": "Amministratore",
   "nav.profile.auditlog": "Audit Logs",
   "nav.profile.signOut": "Disconnettiti",
+  "nav.authority": "Utenti & Gruppi",
+  "nav.groups": "Gruppi",
+  "nav.users": "Utenti",
   "nav.mobileMenu": "Apri il menu principale",
   "reactivateVaultDialog.title": "Riattiva Cassaforte",
   "reactivateVaultDialog.description": "Attenzione: riattivare una cassaforte può influire sul numero di postazioni disponibili. Se si supera il numero di postazioni disponibili, lo sblocco di tutte le casseforti sarà bloccato.",
@@ -235,18 +419,77 @@
   "resetUserAccountDialog.submit": "Ripristino account",
   "userkeyFingerprint.title": "Impronta digitale della chiave utente",
   "userkeyFingerprint.description": "L'impronta digitale della chiave utente può essere utilizzata per verificare la tua identità durante l'aggiornamento dell'autorizzazione della cassaforte.",
+  "users.title": "Utenti",
+  "user.detail.createdOn": "Creato il",
+  "user.detail.disable": "Disabilita",
+  "user.detail.disabled": "Disabilitato",
+  "user.detail.devices": "Dispositivi",
+  "user.detail.edit": "Modifica",
+  "user.detail.enable": "Abilita",
+  "user.detail.email": "Email",
+  "user.detail.groups": "Gruppi",
+  "user.detail.groups.join": "Partecipa",
+  "user.detail.info": "Dettagli dell'Utente",
+  "user.detail.legacyDeviceList.info": "Questi dispositivi sono stati creati con una versione precedente di Hub e devono essere aggiornati per sbloccare le casseforti nelle versioni successive.",
+  "user.detail.name": "Nome",
+  "user.detail.roles": "Ruoli",
+  "user.detail.username": "Nome utente",
+  "user.addGroups.title": "Aggiungi Gruppi",
+  "user.addGroups.searchLabel": "Cerca per nome gruppo",
+  "user.addGroups.selectedGroups": "Gruppo/i selezionato/i",
+  "userEditCreate.title.create": "Crea un Nuovo Utente",
+  "userEditCreate.title.edit": "Modifica un Utente",
+  "userEditCreate.button.create": "Crea un Utente",
+  "userEditCreate.button.save": "Salva",
+  "userEditCreate.button.saved": "Salvato!",
+  "userEditCreate.firstName": "Nome",
+  "userEditCreate.lastName": "Cognome",
+  "userEditCreate.username": "Nome utente",
+  "userEditCreate.email": "Email",
+  "userEditCreate.roles": "Ruoli",
+  "userEditCreate.selectRolesPlaceholder": "Seleziona il/i ruolo/i",
+  "userEditCreate.password": "Password",
+  "userEditCreate.passwordConfirm": "Conferma la Password",
+  "userEditCreate.create.passwordInfo": "Questa è una password temporanea. L'utente deve cambiarla al primo accesso.",
+  "userEditCreate.edit.passwordInfo": "Lasciare vuoti i campi password se non vuoi reimpostare la password dell'utente.",
+  "userEditCreate.removePicture": "Rimuovi l'Immagine",
+  "userEditCreate.passwordStrong": "Forte",
+  "userEditCreate.passwordMedium": "Medio",
+  "userEditCreate.passwordWeak": "Debole",
+  "userEditCreate.passwordsMatch": "Le password corrispondono",
+  "userEditCreate.passwordsDontMatch": "Le password non corrispondono",
+  "userEditCreate.profilePictureUrl": "URL dell'Immagine del Profilo",
+  "userEditCreate.showPassword": "Mostra la Password",
+  "userEditCreate.hidePassword": "Nascondi la Password",
+  "userEditCreate.invalidEmail": "Formato email non valido",
+  "userEditCreate.invalidImageUrl": "URL dell'immagine non valido",
+  "userEditCreate.validation.required": "Questo campo è obbligatorio",
+  "userEditCreate.validation.passwordMismatch": "Le password non corrispondono",
+  "userEditCreate.error.userAlreadyExists": "Esiste già un utente con questo nome.",
+  "userEditCreate.error.emailAlreadyExists": "Esiste già un'utente con questo indirizzo email.",
+  "userList.edit.user.button": "Modifica",
+  "userList.userName": "Nome",
+  "userList.groups.count": "Gruppi",
+  "userList.device.count": "Dispositivi",
+  "userList.vaults.count": "Cassaforti",
+  "userList.user.created": "Creato il",
+  "userList.profileImage": "Immagine del Profilo",
+  "userList.create.button": "Crea un Utente",
+  "userList.disabled": "Disabilitato",
   "userProfile.title": "Profilo",
   "userProfile.actions.manageAccount": "Gestisci account",
   "userProfile.actions.changeLanguage": "Cambia lingua",
   "userProfile.actions.changeLanguage.entry.browser": "Lingua del browser",
   "userProfile.keycloakVersion.notAvailable": "versione non disponibile",
+  "unlock.noAccessVaultArchived.title": "La cassaforte è archiviata",
+  "unlock.noAccessVaultArchived.description": "Questa cassaforte è stata archiviata e non è più accessibile. Contatta il proprietario della cassaforte.",
   "unlockSuccess.title": "Cassaforte sbloccato con successo",
-  "unlockSuccess.description": "Ora puoi chiudere questa scheda del browser e tornare a Cryptomator.",
+  "unlockSuccess.description": "Ora puoi chiudere questa scheda del browser e tornare a Katta.",
   "unlockSuccess.accountSetup.title": "Configurazione necessaria",
   "unlockSuccess.accountSetup.description": "Completa la configurazione del tuo account e recupera la chiave del tuo account.",
   "unlockSuccess.accountSetup.goToSetup": "Configurazione completa",
   "unlockSuccess.deviceSetup.title": "Nuovo dispositivo",
-  "unlockSuccess.deviceSetup.description": "Inserisci la chiave del tuo account in Cryptomator per autorizzare.",
+  "unlockSuccess.deviceSetup.description": "Inserisci la chiave del tuo account in Katta per autorizzare.",
   "unlockSuccess.deviceSetup.goToProfile": "Visualizza la chiave dell'account nel mio profilo",
   "unlockSuccess.noVaultAccess.title": "Nessun accesso a questa cassaforte",
   "unlockSuccess.noVaultAccess.description": "Contatta il proprietario della cassaforte per aggiungerti come membro.",
@@ -269,7 +512,9 @@
   "vaultDetails.actions.reactivateVault": "Riattiva Cassaforte",
   "vaultDetails.actions.claimOwnership": "Rivendica la proprietà",
   "vaultDetails.actions.recoverVault": "Recupera l'accesso alla cassaforte",
-  "vaultDetails.error.licenseViolated": "La licenza Cryptomator Hub è scaduta o hai superato il numero di utenti disponibili. Si prega informare un amministratore per rinnovare o aggiornare la licenza.",
+  "vaultDetails.emergencyAccess.setupCouncil": "Imposta il Gruppo per l'Accesso di Emergenza",
+  "vaultDetails.emergencyAccess.fixCouncil": "Correggi il Gruppo per l'Accesso di Emergenza",
+  "vaultDetails.error.licenseViolated": "La licenza Katta è scaduta o hai superato il numero di utenti disponibili. Si prega informare un amministratore per rinnovare o aggiornare la licenza.",
   "vaultDetails.recoverVault.title": "Hai resettato il tuo account!",
   "vaultDetails.recoverVault.description": "Per recuperare l'accesso alla cassaforte, è necessario utilizzare la chiave di ripristino, oppure un altro proprietario deve aggiornare i permessi di accesso.",
   "vaultList.title": "Cassaforti",
@@ -288,5 +533,15 @@
   "vaultList.filter.result.empty.description": "Nessun risultato usando quel termine di ricerca o filtro.",
   "vaultList.search.placeholder": "Ricerca…",
   "vaultList.badge.owner": "Proprietario",
-  "vaultList.badge.archived": "Archiviato"
+  "vaultList.badge.archived": "Archiviato",
+  "userList.filter.result.empty.title": "Nessun utente",
+  "userList.filter.result.empty.description": "Nessun risultato usando quel termine di ricerca.",
+  "groupList.empty.title": "Nessun gruppo",
+  "groupList.empty.description": "Non possiedi alcun gruppo e nemmeno ne fai parte.",
+  "groupList.filter.result.empty.title": "Nessun gruppo",
+  "groupList.filter.result.empty.description": "Nessun risultato usando quel termine di ricerca.",
+  "missingEntitlements.title": "Aggiornamento Richiesto",
+  "missingEntitlements.description": "Questa funzionalità non è compresa nella tua attuale licenza.",
+  "trial.enterpriseFeature.title": "Funzionalità Aziendali",
+  "trial.enterpriseFeature.description": "Questa funzionalità è disponibile in maniera continuativa solo con una licenza Aziendale."
 }
diff --git a/frontend/src/i18n/ja-JP.json b/frontend/src/i18n/ja-JP.json
index e62f42081..3ab11877a 100644
--- a/frontend/src/i18n/ja-JP.json
+++ b/frontend/src/i18n/ja-JP.json
@@ -18,7 +18,10 @@
   "common.close": "閉じる",
   "common.copied": "コピー完了!",
   "common.copy": "コピー",
+  "common.create": "作成",
+  "common.device": "デバイス",
   "common.download": "ダウンロード",
+  "common.edit": "編集",
   "common.hide": "隠す",
   "common.loading": "読み込み中…",
   "common.next": "次へ",
@@ -28,14 +31,20 @@
   "common.remove": "削除",
   "common.reset": "リセット",
   "common.retry": "再試行",
+  "common.save": "保存",
+  "common.saved": "保存しました！",
   "common.share": "共有",
   "common.show": "表示",
+  "common.undo": "元に戻す",
   "common.update": "更新",
   "common.xMembers": "メンバー{0}名",
+  "common.group": "グループ",
+  "common.member": "メンバー",
+  "admin.title": "管理者",
   "admin.serverInfo.title": "サーバー情報",
-  "admin.serverInfo.hubId.title": "Hub ID",
-  "admin.serverInfo.hubVersion.title": "Hub バージョン",
-  "admin.serverInfo.hubVersion.description.upToDate": "Hub は最新です。",
+  "admin.serverInfo.hubId.title": "Katta ID",
+  "admin.serverInfo.hubVersion.title": "Katta バージョン",
+  "admin.serverInfo.hubVersion.description.upToDate": "Katta は最新です。",
   "admin.serverInfo.keycloakVersion.title": "Keycloak バージョン",
   "admin.serverInfo.keycloakVersion.notAvailable": "利用不可",
   "admin.licenseInfo.title": "ライセンス情報",
@@ -49,6 +58,7 @@
   "admin.webOfTrust.information": "さらに詳しく",
   "admin.webOfTrust.save": "保存",
   "admin.webOfTrust.saved": "保存しました！",
+  "admin.emergencyAccess.learnMore": "さらに詳しく",
   "archiveVaultDialog.confirm": "アーカイブする",
   "auditLog.title": "監査ログ",
   "auditLog.order.ascending": "昇順",
@@ -74,7 +84,15 @@
   "deviceList.type": "種類",
   "deviceList.ipAddress": "IPアドレス",
   "deviceList.lastAccess": "金庫の最終アクセス",
+  "deviceType.browser": "ブラウザ",
+  "deviceType.desktop": "デスクトップ",
+  "deviceType.mobile": "携帯電話",
   "editVaultMetadataDialog.vaultName": "金庫の名前",
+  "group.detail.vaults": "金庫",
+  "group.detail.name": "名前",
+  "groupList.name": "名前",
+  "groupList.edit.group.button": "編集",
+  "groupList.vaults.count": "金庫",
   "initialSetup.accountKey": "アカウントキー",
   "legacyDeviceList.description.information": "さらに詳しく",
   "legacyDeviceList.deviceName": "デバイス名",
@@ -83,12 +101,27 @@
   "legacyDeviceList.lastAccess": "金庫の最終アクセス",
   "manageAccountKey.title": "アカウントキー",
   "nav.vaults": "金庫",
+  "nav.profile.admin": "管理者",
   "nav.profile.auditlog": "監査ログ",
   "recoverVaultDialog.description": "金庫へのアクセスを回復するには、金庫のリカバリキーを入力してください。",
   "recoverVaultDialog.error.formValidationFailed": "リカバリキーは空にできません",
   "recoverVaultDialog.error.invalidRecoveryKey": "無効なリカバリキー",
   "regenerateAccountKeyDialog.saveAccountKey.accountKey": "アカウントキー",
   "resetUserAccountDialog.title": "ユーザーアカウントをリセット",
+  "user.detail.disable": "無効",
+  "user.detail.edit": "編集",
+  "user.detail.enable": "有効にする",
+  "user.detail.name": "名前",
+  "user.detail.username": "ユーザー名",
+  "userEditCreate.button.save": "保存",
+  "userEditCreate.button.saved": "保存しました！",
+  "userEditCreate.username": "ユーザー名",
+  "userEditCreate.password": "パスワード",
+  "userEditCreate.passwordStrong": "強い",
+  "userEditCreate.passwordWeak": "弱い",
+  "userList.edit.user.button": "編集",
+  "userList.userName": "名前",
+  "userList.vaults.count": "金庫",
   "userProfile.actions.changeLanguage.entry.browser": "ブラウザ言語",
   "userProfile.keycloakVersion.notAvailable": "利用できないバージョン",
   "unlockSuccess.deviceSetup.title": "新しいデバイス",
diff --git a/frontend/src/i18n/ko-KR.json b/frontend/src/i18n/ko-KR.json
index 973cc15bd..23b8344e3 100644
--- a/frontend/src/i18n/ko-KR.json
+++ b/frontend/src/i18n/ko-KR.json
@@ -1,57 +1,84 @@
 {
-  "locale.en-US": "",
+  "locale.en-US": "영어",
+  "locale.de-DE": "독일어",
+  "locale.fr-FR": "프랑스어",
+  "locale.it-IT": "이탈리아어",
   "locale.ko-KR": "한국어",
+  "locale.lv-LV": "라트비아어",
+  "locale.nl-NL": "네덜란드어",
+  "locale.pt-BR": "포르투갈어 (브라질)",
+  "locale.pt-PT": "포르투갈어",
+  "locale.ru-RU": "러시아어",
+  "locale.tr-TR": "튀르키예어",
+  "locale.uk-UA": "우크라이나어",
+  "locale.zh-TW": "중국어 (번체, 대만)",
   "common.add": "추가",
   "common.apply": "적용",
   "common.cancel": "취소",
   "common.close": "닫기",
-  "common.copied": "복사됨!",
+  "common.copied": "복사 완료!",
   "common.copy": "복사",
+  "common.create": "생성",
+  "common.device": "기기",
   "common.download": "다운로드",
+  "common.edit": "수정",
   "common.hide": "숨기기",
-  "common.loading": "로딩중…",
+  "common.leave": "나가기",
+  "common.loading": "로딩 중…",
   "common.next": "다음",
+  "common.none": "없음",
+  "common.nothingFound": "일치하는 항목 없음",
   "common.optional": "선택적",
   "common.pagination": "페이지 나누기",
   "common.previous": "이전",
   "common.refresh": "새로고침",
-  "common.reload": "페이지를 새로고침해 주십시오.",
+  "common.reload": "페이지를 새로고침 해주십시오.",
   "common.remove": "제거",
   "common.reset": "초기화",
   "common.retry": "재시도",
+  "common.save": "저장",
+  "common.saved": "저장 완료!",
+  "common.search.placeholder": "검색…",
+  "common.select.placeholder": "선택…",
   "common.share": "공유하기",
   "common.show": "보기",
   "common.undo": "되돌리기",
-  "common.unexpectedError": "알 수 없는 에러: {0}",
-  "common.unsavedChanges": "저장되지 않은 변경점.",
+  "common.unexpectedError": "알 수 없는 오류: {0}",
+  "common.unsavedChanges": "저장되지 않은 변경 사항.",
   "common.update": "업데이트",
-  "common.xMembers": "{0} 멤버",
+  "common.xMembers": "{0}명의 구성원",
+  "common.actions": "조치",
+  "common.group": "그룹",
+  "common.member": "구성원",
+  "common.property": "속성",
+  "common.value": "값",
   "admin.title": "관리자",
   "admin.serverInfo.title": "서버 정보",
-  "admin.serverInfo.description": "Hub ID는 라이선스를 위해 Cryptomator Hub 인스턴스를 인증하는데 쓰입니다. 지원을 위해서 표기된 Hub와 Keycloak 버전을 명시하십시오.",
-  "admin.serverInfo.hubId.title": "Hub ID",
-  "admin.serverInfo.hubVersion.title": "Hub 버전",
-  "admin.serverInfo.hubVersion.description.upToDate": "Hub가 최신 버전입니다.",
+  "admin.serverInfo.description": "Katta ID는 라이선스를 위해 Katta 인스턴스를 인증하는데 쓰입니다. 지원을 위해서 표기된 Katta와 Keycloak 버전을 명시하십시오.",
+  "admin.serverInfo.hubId.title": "Katta ID",
+  "admin.serverInfo.hubVersion.title": "Katta 버전",
+  "admin.serverInfo.hubVersion.description.upToDate": "Katta가 최신 버전입니다.",
   "admin.serverInfo.hubVersion.description.updateExists": "버전 {0}으로 업데이트가 가능합니다.",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "업데이트를 확인할 수 없습니다. 수동으로 확인해주세요.",
   "admin.serverInfo.keycloakVersion.title": "Keycloak 버전",
   "admin.serverInfo.keycloakVersion.description": "Keycloak 관리",
+  "admin.serverInfo.keycloakVersion.notAvailable": "사용할 수 없음",
   "admin.licenseInfo.title": "라이선스 정보",
   "admin.licenseInfo.description": "라이선스 정보를 확인합니다. 구독 상태를 변경하거나 확인하려면 \"구독 관리\"를 누르십시오.",
   "admin.licenseInfo.email.title": "라이선스 대상",
-  "admin.licenseInfo.seats.title": "좌석의 수",
-  "admin.licenseInfo.seats.description.enoughSeats": "{0}개의 좌석이 남아있습니다.",
-  "admin.licenseInfo.seats.description.zeroSeats": "잔여 좌석이 없습니다. 필요하다면 업그레이드하십시오.",
-  "admin.licenseInfo.seats.description.undercutSeats": "사용가능한 좌석보다 {0}개가 초과되었습니다. 사용자를 삭제하거나 필요하다면 업그레이드하십시오.",
-  "admin.licenseInfo.issuedAt.title": "...에 발급됨",
-  "admin.licenseInfo.expiresAt.title": "...에 만료됨",
+  "admin.licenseInfo.seats.title": "시트의 수",
+  "admin.licenseInfo.seats.description.enoughSeats": "{0}개의 시트가 남아있습니다.",
+  "admin.licenseInfo.seats.description.zeroSeats": "잔여 시트가 없습니다. 필요하다면 업그레이드하십시오.",
+  "admin.licenseInfo.seats.description.undercutSeats": "사용 가능한 시트보다 {0}개가 초과되었습니다. 사용자를 삭제하거나 필요하다면 업그레이드하십시오.",
+  "admin.licenseInfo.issuedAt.title": "에 발급됨",
+  "admin.licenseInfo.expiresAt.title": "에 만료됨",
   "admin.licenseInfo.expiresAt.description.valid": "라이선스가 유효합니다.",
   "admin.licenseInfo.expiresAt.description.expired": "라이선스가 만료되었습니다.",
   "admin.licenseInfo.manageSubscription": "구독 관리",
   "admin.licenseInfo.type.title": "유형",
   "admin.licenseInfo.getLicense": "라이선스 얻기",
-  "admin.licenseInfo.selfHostedNoLicense.description": "Cryptomator Hub를 이용해주셔서 감사합니다! 커뮤니티 라이선스가 발급되었습니다. 더 많은 좌석이 필요하다면, 라이선스르 업그레이드 해주십시오.",
-  "admin.licenseInfo.managedNoLicense.description": "Cryptomator Hub를 이용해주셔서 감사합니다! 현재 활성화된 라이선스가 없습니다.",
+  "admin.licenseInfo.selfHostedNoLicense.description": "Katta를 이용해주셔서 감사합니다! 커뮤니티 라이선스가 발급되었습니다. 더 많은 좌석이 필요하다면, 라이선스르 업그레이드 해주십시오.",
+  "admin.licenseInfo.managedNoLicense.description": "Katta를 이용해주셔서 감사합니다! 현재 활성화된 라이선스가 없습니다.",
   "admin.webOfTrust.title": "Web of Trust",
   "admin.webOfTrust.description": "시스템 내부에서 사용자 간 신뢰가 어떻게 구성될지를 관리하기 위해 Web of Trust 설정을 하십시오. 이 설정은 사용자 신원과 키 사인에 영향을 미칩니다.",
   "admin.webOfTrust.information": "자세히 알아보기",
@@ -60,11 +87,32 @@
   "admin.webOfTrust.wotMaxDepth.description": "간접적인 접촉이 신뢰되는 (중간 신원이 인증된) 두 사용자 간의 최대 거리입니다.",
   "admin.webOfTrust.wotIdVerifyLen.error": "지문 인증 정확도는 반드시 양수여야 합니다.",
   "admin.webOfTrust.wotIdVerifyLen.title": "지문 인증 정확도",
-  "admin.webOfTrust.wotIdVerifyLen.description": "다른 사용자가 신원을 인증하기 위해 입력해야 하는 지문의 자릿수",
+  "admin.webOfTrust.wotIdVerifyLen.description": "다른 사용자가 신원을 인증하기 위해 입력해야 하는 지문의 자릿수입니다.",
   "admin.webOfTrust.save": "저장",
-  "admin.webOfTrust.saved": "저장됨!",
+  "admin.webOfTrust.saved": "저장 완료!",
+  "admin.emergencyAccess.title": "비상 접근",
+  "admin.emergencyAccess.description": "Vault 복구를 위한 키 분할 방식을 설정합니다.",
+  "admin.emergencyAccess.learnMore": "자세히 알아보기",
+  "admin.emergencyAccess.noRedundancy.title": "현재 키 분할 설정에 예비분이 없습니다!",
+  "admin.emergencyAccess.noRedundancy.description": "필수 키 개수보다 더 많은 수의 키 소유자를 지정하는 것이 강력히 권장됩니다.",
+  "admin.emergencyAccess.enabled.label": "활성화됨",
+  "admin.emergencyAccess.enabled.help": "비상 접근 활성화",
+  "admin.emergencyAccess.requiredKeys.label": "필수 키",
+  "admin.emergencyAccess.requiredKeys.ariaLabel": "필수 키 조각 수",
+  "admin.emergencyAccess.requiredKeys.help": "Vault 접근 권한을 복원하려면 몇 개의 키가 필요한지 설정합니다.",
+  "admin.emergencyAccess.keyholders.label": "키 소유자",
+  "admin.emergencyAccess.keyholders.minSelected": "최소 {0}명의 구성원을 선택해야 합니다. 필요한 인원수는 위에서 정의되었습니다.",
+  "admin.emergencyAccess.keyholders.help": "누가 비상 접근 키를 회수할지 지정합니다.",
+  "admin.emergencyAccess.allowChoosing.label": "Vault 소유자가 서로 다른 키 소유자를 선택할 수 있도록 허용합니다.",
+  "admin.emergencyAccess.allowChoosing.atLeast": "최소:",
+  "admin.emergencyAccess.minMembers.ariaLabel": "최소 구성원 수",
+  "admin.emergencyAccess.example.help": "Vault 복구를 위해 협력할 수 있는 인원의 예시입니다.",
+  "admin.emergencyAccess.validation.maxValue": "최댓값은 {0}입니다.",
+  "admin.emergencyAccess.validation.minValue": "최솟값은 {0}입니다.",
+  "admin.emergencyAccess.validation.minMembersAtLeastRequiredShares": "필수 키 조각 수보다 크거나 같아야 합니다.",
+  "admin.emergencyAccess.errors.sharesMustNotExceedMembers": "필수 키 조각 수은 최소 구성원 수를 초과할 수 없습니다.",
   "archiveVaultDialog.title": "Vault 아카이브하기",
-  "archiveVaultDialog.description": "Vault를 아카이브 하는 것은 Vault를 비활성화합니다. 이는 점유된 자리를 확보합니다. 아카이브 된 Vault는 이후에 다시 활성화할 수 있습니다.",
+  "archiveVaultDialog.description": "Vault를 아카이브 하는 것은 Vault를 비활성화합니다. 이는 사용된 시트를 삭제하여 확보합니다. 아카이브 된 Vault는 이후에 다시 활성화할 수 있습니다.",
   "archiveVaultDialog.confirm": "아카이브",
   "auditLog.title": "감사 로그",
   "auditLog.order.ascending": "오름차순",
@@ -74,11 +122,18 @@
   "auditLog.filter.endDate": "종료 일자",
   "auditLog.filter.selectEventFilter": "이벤트 필터 선택",
   "auditLog.filter.clerEventFilter": "이벤트 필터 초기화",
+  "auditLog.filter.removeEventType": "{type} 제거",
   "auditLog.timestamp": "타임스탬프",
   "auditLog.type": "이벤트",
   "auditLog.details": "세부정보",
-  "auditLog.details.device.register": "장치 등록",
-  "auditLog.details.device.remove": "장치 제거",
+  "auditLog.details.device.register": "기기 등록",
+  "auditLog.details.device.remove": "기기 제거",
+  "auditLog.details.emergencyaccess.setup": "비상 접근 설정됨",
+  "auditLog.details.emergencyaccess.settingsUpdated": "비상 접근 설정 업데이트됨",
+  "auditLog.details.emergencyaccess.recoveryStarted": "비상 접근 복구 시작됨",
+  "auditLog.details.emergencyaccess.recoveryApproved": "비상 접근 복구 승인됨",
+  "auditLog.details.emergencyaccess.recoveryCompleted": "비상 접근 복구 완료됨",
+  "auditLog.details.emergencyaccess.recoveryAborted": "비상 접근 복구 중단됨",
   "auditLog.details.setting.wot.update": "WoT 설정 업데이트",
   "auditLog.details.user.account.reset": "사용자 계정 리셋",
   "auditLog.details.user.keys.change": "사용자 키 변경",
@@ -101,7 +156,7 @@
   "claimVaultOwnershipDialog.password": "Vault 관리자 암호",
   "claimVaultOwnershipDialog.submit": "소유권 얻기",
   "claimVaultOwnershipDialog.error.formValidationFailed": "암호를 입력하십시오",
-  "claimVaultOwnershipDialog.error.wrongPassword": "잘못된 비밀번호입니다.",
+  "claimVaultOwnershipDialog.error.wrongPassword": "잘못된 비밀번호입니다",
   "fetchError.title": "데이터 불러오기 실패",
   "createVault.enterRecoveryKey.title": "Vault 복구",
   "createVault.enterRecoveryKey.description": "새로운 Vault 템플릿을 생성하기 위해 기존 Vault의 복구 키를 입력하십시오.",
@@ -111,6 +166,9 @@
   "createVault.enterVaultDetails.description": "새로운 Vault에 이름과 설명을 작성하십시오. 나중에 변경할 수 있습니다.",
   "createVault.enterVaultDetails.vaultName": "Vault 이름",
   "createVault.enterVaultDetails.vaultDescription": "설명",
+  "createVault.emergencyAccessDetails.title": "비상 접근 조건 정의",
+  "createVault.emergencyAccessDetails.description": "비상 접근을 위한 위원회 구성원을 선정하십시오.",
+  "createVault.emergencyAccessDetails.description.adminDefined": "비상 접근 위원회는 관리자가 지정하며 여기에서는 변경할 수 없습니다.",
   "createVault.showRecoveryKey.title": "복구 키",
   "createVault.showRecoveryKey.description": "다음의 복구 키는 Vault에 대한 접근을 복구하는데 쓰입니다.",
   "createVault.showRecoveryKey.recoveryKey": "Vault 복구 키",
@@ -121,23 +179,113 @@
   "createVault.error.invalidRecoveryKey": "복구 키가 유효하지 않습니다.",
   "createVault.error.vaultAlreadyExists": "해당 이름의 Vault가 이미 존재합니다.",
   "createVault.error.downloadTemplateFailed": "Vault 템플릿 다운로드 실패: {0}",
-  "createVault.error.paymentRequired": "Cryptomator Hub 라이선스의 자리의 수가 초과하였습니다. Hub 관리자에게 라이선스를 갱신하도록 알리십시오.",
+  "createVault.error.paymentRequired": "Katta 라이선스의 자리의 수가 초과하였습니다. Katta 관리자에게 라이선스를 갱신하도록 알리십시오.",
   "createVault.success.title": "Vault 생성됨",
   "createVault.success.description": "압축된 Vault 폴더를 다운로드한 후, 팀 구성원과 공유된 장소에 압축을 해제하십시오.",
   "createVault.success.download": "압축된 Vault 폴더 다운로드하기",
   "createVault.success.return": "Vault 목록으로 돌아가기",
+  "deleteGroupDialog.title": "그룹 삭제",
+  "deleteGroupDialog.description": "이 그룹을 영구적으로 삭제하시겠습니까? 삭제 시 연결된 모든 Vault에서 제거되며, 이 작업은 취소할 수 없습니다.",
+  "deleteGroupDialog.confirm": "예, 그룹을 삭제합니다",
+  "disableUserDialog.title": "사용자 비활성화",
+  "disableUserDialog.description": "해당 사용자는 더 이상 로그인할 수 없으며 라이선스(사용자 수) 산정에서 제외됩니다. 해당 사용자는를 언제든지 다시 활성화할 수 있습니다.",
+  "disableUserDialog.confirm": "사용자 비활성화",
+  "deleteUserDialog.title": "계정 삭제",
+  "deleteUserDialog.description": "이 사용자를 영구적으로 삭제하시겠습니까? 연결된 모든 Vault 및 기기가 제거되며, 이 작업은 취소할 수 없습니다.",
+  "deleteUserDialog.confirm": "예, 사용자를 삭제합니다",
   "deviceList.empty.message": "장치 없음",
-  "deviceList.empty.description": "장치를 추가하기 위해, 장치의 Cryptomator 앱에 이 Hub의 Vault를 추가하여 잠금 해제하십시오.",
-  "deviceList.title": "인증된 장치와 브라우저",
+  "deviceList.empty.description": "장치를 추가하기 위해, 장치의 Katta 앱에 Katta의 Vault를 추가하여 잠금 해제하십시오.",
+  "deviceList.title": "인증된 기기와 브라우저",
   "deviceList.deviceName": "기기 이름",
   "deviceList.type": "유형",
   "deviceList.added": "추가됨",
-  "deviceList.thisDevice": "이 장치",
+  "deviceList.thisDevice": "이 기기",
   "deviceList.ipAddress": "IP 주소",
   "deviceList.lastAccess": "마지막 Vault 접근",
-  "deviceList.lastAccess.toolTip": "오래된 버전을 사용하는 장치는 없을 수 있습니다.",
+  "deviceList.lastAccess.toolTip": "오래된 버전을 사용하는 기기는 표시되지 않을 수 있습니다.",
+  "deviceType.browser": "브라우저",
+  "deviceType.desktop": "데스크톱",
+  "deviceType.mobile": "모바일",
   "downloadVaultTemplateDialog.title": "Vault 템플릿 다운로드하기",
   "downloadVaultTemplateDialog.description": "다운로드하고, 압축된 Vault 폴더를 팀 구성원과 공유된 장소에 압축을 해제하십시오. 이는 최초 설정에서 단 한번만 필요합니다.",
+  "emergencyAccess.requiredKeyShares": "필수 키 조각 수",
+  "emergencyAccess.processCouncil": "프로세스 위원회",
+  "emergencyAccess.status.added": "추가됨",
+  "emergencyAccess.status.pending": "대기 중",
+  "emergencyAccess.startProcess": "프로세스 시작",
+  "emergencyAccess.notPossible": "불가능함",
+  "emergencyAccess.vaultCouncil": "Vault 위원회",
+  "emergencyAccess.noRedundancy": "예비분 중복성 없음",
+  "emergencyAccess.label.councilMembers": "위원회 구성원",
+  "emergencyAccess.label.newCouncilMembers": "새로운 위원회 구성원",
+  "emergencyAccess.label.owners": "소유자",
+  "emergencyAccess.label.members": "구성원들",
+  "emergencyAccess.label.removed": "제거됨",
+  "emergencyAccess.label.possibleScenario": "발생 가능한 비상 상황 시나리오",
+  "emergencyAccess.label.exampleRecovery": "복구 예시",
+  "emergencyAccess.validation.selectMoreCouncilMembers": "최소 {0}명 이상의 위원회 구성원을 선택하세요.",
+  "emergencyAccess.validation.minimumMembers": "최소 {0}명의 구성원을 선택해야 합니다.",
+  "emergencyAccess.approval.waitingOthers": "다른 사람의 승인을 기다리는 중입니다",
+  "emergencyAccess.approval.showDetails": "세부정보 보기",
+  "emergencyAccess.approval.completeNow": "지금 완료하기",
+  "emergencyAccess.approval.approveNow": "지금 승인하기",
+  "emergencyAccess.processType.changePermissions": "Vault 구성원 생성",
+  "emergencyAccess.processType.changeCouncil": "비상 접근 위원회 수정",
+  "emergencyAccess.filter.all": "전체",
+  "emergencyAccess.filter.approvable": "승인 가능",
+  "emergencyAccess.filter.approved": "승인됨",
+  "emergencyAccess.filter.startable": "시작 가능",
+  "emergencyAccess.empty.disabled": "비상 접근 기능이 비활성화되었습니다.",
+  "emergencyAccess.empty.noneFound": "비상 접근 Vault를 찾을 수 없습니다",
+  "emergencyAccess.licenseRequired.message": "비상 접근은 유료 라이선스에서만 사용할 수 있습니다.",
+  "emergencyAccess.licenseRequired.adminHint": "관리자 섹션에서 라이선스를 획득할 수 있습니다.",
+  "emergencyAccess.badge.notCouncil.title": "더 이상 Vault 위원회 구성원이 아닙니다",
+  "emergencyAccess.badge.notCouncil.message": "귀하는 더 이상 해당 Vault의 비상 위원회 소속이 아닙니다. 하지만 현재 진행 중인 비상 접근 프로세스에는 여전히 참여 중입니다.",
+  "emergencyAccess.badge.insufficientCouncilMembers.title": "비상 접근 권한 부족",
+  "emergencyAccess.badge.insufficientCouncilMembers.message": "귀하의 팀 정책에는 최소 {0}명 이상의 비상 접근 위원회가 필요합니다. 이 Vault는 현재 이 요구 사항을 충족하지 않습니다.",
+  "emergencyAccess.badge.broken.title": "손상된 비상 접근 오류",
+  "emergencyAccess.badge.broken.message": "더 이상 비상 접근이 불가능합니다. 하나 이상의 위원회 구성원이 계정을 초기화하여 키 조각을 분실했습니다.",
+  "emergencyAccess.badge.noRedundancy.title": "예비분 중복성 없음",
+  "emergencyAccess.badge.noRedundancy.message": "이 비상 접근 위원회에는 중복성이 없습니다. 예비 인원이 있는 위원회를 지정하는 것을 고려하십시오.",
+  "emergencyAccessDialog.message.completed": "프로세스가 성공적으로 완료되었습니다.",
+  "emergencyAccessDialog.label.selectOwner": "소유자 역할을 가진 사용자를 선택하세요",
+  "emergencyAccessDialog.label.selectMember": "구성원 역할을 가진 사용자를 선택하세요",
+  "emergencyAccessDialog.label.councilMembersAtLeast": "위원회 구성원 (최소: {0})",
+  "emergencyAccessDialog.section.ownership": "소유권",
+  "emergencyAccessDialog.section.councilChange": "위원회 변경",
+  "emergencyAccessDialog.hint.finishProcess": "마지막 키 조각을 추가하고 완료하면 비상 접근 프로세스를 마무리할 수 있습니다.",
+  "emergencyAccessDialog.hint.keyShareAdded": "귀하의 키 조각이 이미 추가되었습니다.",
+  "emergencyAccessDialog.hint.notInCouncil": "귀하는 이 프로세스의 위원회 구성원이 아니므로 키 조각을 추가할 수 없습니다.",
+  "emergencyAccessDialog.action.abortProcess": "이 프로세스에 관하여",
+  "emergencyAccessDialog.action.start": "시작",
+  "emergencyAccessDialog.action.approve": "승인",
+  "emergencyAccessDialog.action.completeProcess": "프로세스 마치기",
+  "emergencyAccessDialog.title.success": "성공",
+  "emergencyAccessDialog.title.changeCouncil": "위원회 변경",
+  "emergencyAccessDialog.title.changePermissions": "Vault 권한 변경",
+  "emergencyAccessDialog.title.processDetails": "프로세스 세부정보",
+  "emergencyAccessDialog.title.approved": "승인됨",
+  "emergencyAccessDialog.title.approveEmergencyAccess": "비상 접근 승인",
+  "emergencyAccessDialog.title.completeEmergencyAccess": "비상 접근 완료",
+  "emergencyAccessDialog.error.insufficientCouncilMembers": "데이터 불일치: 이 Vault({1})을(를) 복구하기에 의원회 구성원({0})이 부족합니다.",
+  "emergencyAccessDialog.error.noProcessToApprove": "승인할 복구 프로세스가 없습니다.",
+  "emergencyAccessDialog.error.processTampered": "복구 프로세스가 변조되었습니다.",
+  "emergencyAccessDialog.error.noProcessToComplete": "완료할 복구 프로세스가 없습니다.",
+  "emergencyAccessDialog.error.unsupportedProcessType": "지원되지 않는 복구 프로세스 유형 상태: {0}",
+  "grantEmergencyAccessDialog.title": "비상 접근 권한 부여",
+  "grantEmergencyAccessDialog.description.selectCouncil": "이 Vault에 대한 비상 접근 권한을 부여할 위원회 구성원들을 선택하십시오.",
+  "grantEmergencyAccessDialog.description.default": "이 Vault에 대한 비상 접근 권한을 부여하십시오.",
+  "grantEmergencyAccessDialog.grant": "권한",
+  "grantEmergencyAccessDialog.error.keySharesRequired": "최소 2개의 비상 키 조각이 필요합니다.",
+  "grantEmergencyAccessDialog.error.councilMembersRequired": "최소 2명의 위원회 구성원이 필요합니다.",
+  "grantEmergencyAccessDialog.error.tooFewCouncilMembers": "위원회 구성원 수가 너무 적습니다. 구성원을 늘리거나 필요한 비상 키 조각 수를 줄여야 합니다.",
+  "processAbortDialog.title": "이 프로세스에 관하여",
+  "processAbortDialog.description": "비상 접근 절차를 취소하시겠습니까? 이 작업은 취소할 수 없습니다.",
+  "processAbortDialog.confirm": "프로세스 중단",
+  "recoveryDialog.error.invalidRecoveryType": "잘못된 복구 프로세스 유형입니다.",
+  "recoveryDialog.error.processAlreadyExists": "이러한 유형의 복구 프로세스가 이미 존재합니다.",
+  "recoveryDialog.error.noOwnerSelected": "소유자를 한 명 이상 선택하세요.",
+  "recoveryDialog.error.notEnoughCouncilMembers": "선택된 위원회 구성원의 수가 부족합니다.",
   "editVaultMetadataDialog.title": "Vault 메타데이터 수정하기",
   "editVaultMetadataDialog.description": "이 Vault에 대한 이름과 설명 업데이트하기",
   "editVaultMetadataDialog.vaultName": "Vault 이름",
@@ -147,6 +295,47 @@
   "grantPermissionDialog.title": "권한 허가",
   "grantPermissionDialog.description": "새롭게 추가된 사용자와 Vault 키를 공유하십시오.",
   "grantPermissionDialog.submit": "{0}명의 사용자에게 권한 허가",
+  "groups.title": "그룹",
+  "group.detail.info": "그룹 정보",
+  "group.detail.members": "구성원들",
+  "group.detail.vaults": "Vault",
+  "group.detail.edit": "그룹 수정",
+  "group.detail.add.member": "구성원 추가",
+  "group.detail.name": "이름",
+  "group.detail.createdOn": "생성된 날짜",
+  "group.detail.roles": "역할",
+  "groupList.name": "이름",
+  "groupList.members.count": "사용자",
+  "groupList.edit.group.button": "수정",
+  "groupList.search.placeholder": "검색…",
+  "groupList.groupImage": "그룹 이미지",
+  "groupList.vaults.count": "Vault",
+  "groupList.create.button": "그룹 생성",
+  "groupList.group.created": "생성된 날짜",
+  "group.members.add": "구성원 추가",
+  "group.members.search.empty": "일치하는 항목 없음",
+  "group.addMembers.title": "구성원 추가",
+  "group.addMembers.searchLabel": "사용자 이름 또는 전체 이름으로 검색",
+  "group.addMembers.selectedUser": "사용자 선택됨",
+  "group.member.remove.title": "그룹에서 사용자 제거",
+  "group.member.remove.description": "이 사용자를 그룹에서 제거하시겠습니까?",
+  "group.member.remove.confirm": "예, 제거합니다",
+  "groupEditCreate.title.create": "새 그룹 만들기",
+  "groupEditCreate.title.edit": "그룹 수정",
+  "groupEditCreate.profileImage": "프로필 이미지",
+  "groupEditCreate.role": "역할",
+  "groupEditCreate.removePicture": "사진 제거",
+  "groupEditCreate.addPicture": "사진 추가",
+  "groupEditCreate.name": "그룹 이름",
+  "groupEditCreate.roles": "역할",
+  "groupEditCreate.validation.required": "필수 입력 항목입니다",
+  "groupEditCreate.roles.remove": "역할 제거",
+  "groupEditCreate.roles.choose": "역할 선택",
+  "groupEditCreate.roles.addMore": "추가하기",
+  "groupEditCreate.invalidImageUrl": "유효하지 않은 이미지 URL",
+  "groupEditCreate.profilePictureUrl": "프로필 사진 URL",
+  "groupEditCreate.selectRolesPlaceholder": "역할 선택",
+  "groupEditCreate.error.groupNameAlreadyExists": "이미 존재하는 그룹 이름입니다.",
   "trustDetails.trustLevel": "신뢰 단계 {0}",
   "trustDetails.trustLevel.untrusted": "미인증",
   "trustDetails.showSignDialogBtn": "신원 확인...",
@@ -154,7 +343,7 @@
   "signUserKeysDialog.title": "{0}의 신원 인증하기",
   "signUserKeysDialog.description": "공개키를 인증하기 위해 {1}의 지문 중 첫 {0}글자를 입력하십시오. 지문은 사용자 프로필에서 찾을 수 있습니다.",
   "signUserKeysDialog.submit": "이 사용자의 신원 확인하기",
-  "initialSetup.createUserKey.title": "Cryptomator Hub에 오신걸 환영합니다",
+  "initialSetup.createUserKey.title": "Katta에 오신걸 환영합니다",
   "initialSetup.createUserKey.description": "첫 로그인에, 모든 사용자는 독특한 Account Key를 발급받습니다:",
   "initialSetup.createUserKey.details.accountKey": "다른 앱과 브라우저에서 로그인하기 위해 Account Key가 필요합니다",
   "initialSetup.createUserKey.details.devicesList": "프로필 페이지에서 허가된 앱들의 목록을 볼 수 있습니다",
@@ -165,44 +354,51 @@
   "initialSetup.recoverUserKey.description": "이 브라우저에서 첫번째 로그인입니다.",
   "initialSetup.recoverUserKey.accountKey.description": "이 브라우저를 계정과 연동하기 위해 Account Key가 필요합니다.",
   "initialSetup.recoverUserKey.deviceName": "브라우저 이름",
-  "initialSetup.recoverUserKey.deviceName.description": "인증된 장치 목록에서 쉽게 찾기 위해 이 브라우저의 이름을 지으십시오.",
+  "initialSetup.recoverUserKey.deviceName.description": "인증된 기기 목록에서 쉽게 찾기 위해 이 브라우저의 이름을 지으십시오.",
   "initialSetup.recoverUserKey.error.wrongAccountKey": "Account Key 잘못됨",
   "initialSetup.recoverUserKey.lostAccountKey": "Account Key를 잃어버리셨습니까? {0}",
   "initialSetup.recoverUserKey.lostAccountKey.resetUserAccount": "계정 리셋하기",
   "initialSetup.setupAlreadyCompleted.title": "이미 설정이 완료됨",
-  "initialSetup.setupAlreadyCompleted.description": "Cryptomator Hub에 대한 최초 설정이 이미 완료되었습니다. 계정 키는 프로필에서 확인할 수 있습니다.",
+  "initialSetup.setupAlreadyCompleted.description": "Katta에 대한 최초 설정이 이미 완료되었습니다. 계정 키는 프로필에서 확인할 수 있습니다.",
   "initialSetup.setupAlreadyCompleted.goToYourProfile": "프로필로 가기",
   "initialSetup.accountKey": "Account Key",
   "initialSetup.submit": "설정 완료",
   "licenseAlert.noRemainingSeats.title": "라이선스 초과됨",
-  "licenseAlert.noRemainingSeats.admin.description": "Cryptomator Hub 인스턴스의 라이선스 자리의 수가 초과하였습니다. Vault를 다시 관리하고 잠금 해제하기 위해 {0}에서 업그레이드 하십시오.",
-  "licenseAlert.noRemainingSeats.user.description": "Cryptomator Hub 인스턴스의 라이선스 자리의 수가 초과하였습니다. Hub 관리자에게 라이선스를 업그레이드 하도록 알리십시오.",
+  "licenseAlert.noRemainingSeats.admin.description": "Katta 인스턴스의 라이선스 자리의 수가 초과하였습니다. Vault를 다시 관리하고 잠금 해제하기 위해 {0}에서 업그레이드 하십시오.",
+  "licenseAlert.noRemainingSeats.user.description": "Katta 인스턴스의 라이선스 자리의 수가 초과하였습니다. Katta 관리자에게 라이선스를 업그레이드 하도록 알리십시오.",
   "licenseAlert.licenseExpired.title": "라이선스 만료됨",
-  "licenseAlert.licenseExpired.admin.description": "Cryptomator Hub 라이선스가 만료되었습니다. Vault를 다시 관리하고 잠금 해제하기 위해 {0}에서 갱신하십시오.",
-  "licenseAlert.licenseExpired.user.description": "Cryptomator Hub 라이선스가 만료되었습니다. Hub 관리자에게 라이선스를 갱신하도록 알리십시오.",
+  "licenseAlert.licenseExpired.admin.description": "Katta 라이선스가 만료되었습니다. Vault를 다시 관리하고 잠금 해제하기 위해 {0}에서 갱신하십시오.",
+  "licenseAlert.licenseExpired.user.description": "Katta 라이선스가 만료되었습니다. Katta 관리자에게 라이선스를 갱신하도록 알리십시오.",
   "licenseAlert.button": "관리자 섹션",
   "legacyDeviceList.title": "레거시 장치",
-  "legacyDeviceList.description": "이 장치는 오래된 버전의 Hub를 사용하고 있으며 이후 버전에서 Vault를 잠금 해제하기 위해선 업데이트가 필요합니다. 더 이상 그 장치가 필요하지 않다면 제거하십시오. 그렇지 않으면, 그 장치에서 Cryptomator를 업데이트 하십시오. 다음번의 잠금 해제에서 자동으로 업데이트 될 것입니다.",
+  "legacyDeviceList.description": "이 장치는 오래된 버전의 Katta를 사용하고 있으며 이후 버전에서 Vault를 잠금 해제하기 위해선 업데이트가 필요합니다. 더 이상 그 장치가 필요하지 않다면 제거하십시오. 그렇지 않으면, 그 장치에서 Katta를 업데이트 하십시오. 다음번의 잠금 해제에서 자동으로 업데이트 될 것입니다.",
   "legacyDeviceList.description.information": "자세히 알아보기",
   "legacyDeviceList.deviceName": "기기 이름",
   "legacyDeviceList.type": "유형",
   "legacyDeviceList.added": "추가됨",
-  "legacyDeviceList.thisDevice": "이 장치",
+  "legacyDeviceList.thisDevice": "이 기기",
   "legacyDeviceList.ipAddress": "IP 주소",
   "legacyDeviceList.lastAccess": "마지막 Vault 접근",
-  "legacyDeviceList.lastAccess.toolTip": "오래된 버전을 사용하는 장치는 없을 수 있습니다.",
+  "legacyDeviceList.lastAccess.toolTip": "오래된 버전을 사용하는 기기는 표시되지 않을 수 있습니다.",
+  "legacyDeviceBanner.title": "구형 기기 지원 종료 안내",
+  "legacyDeviceBanner.user.description": "다음 주요 업데이트부터 사용 중인 구형 기기가 지원되지 않습니다. 해당 기기에서 Cryptomator를 업데이트하거나 목록에서 제거해 주십시오.",
+  "legacyDeviceBanner.admin.description": "구형 기기를 사용하는 사용자가 존재합니다. 차기 주요 버전에서는 구형 기기 지원이 중단될 예정이오니, 해당 사용자에게 Cryptomator 업데이트 또는 기기 제거를 요청하시기 바랍니다.",
   "manageAccountKey.title": "Account Key",
   "manageAccountKey.description": "다른 앱과 브라우저에서 로그인하기 위해 Account Key가 필요합니다.",
   "manageAccountKey.regenerate": "키 재생성",
   "nav.vaults": "Vault",
+  "nav.emergencyAccess": "비상 접근",
   "nav.profile.signedInAs": "다음 사용자로 로그인됨",
   "nav.profile.profile": "나의 프로필",
   "nav.profile.admin": "관리자",
   "nav.profile.auditlog": "감사 로그",
   "nav.profile.signOut": "로그아웃",
+  "nav.authority": "사용자 및 그룹",
+  "nav.groups": "그룹",
+  "nav.users": "사용자",
   "nav.mobileMenu": "메인 메뉴 열기",
   "reactivateVaultDialog.title": "Vault 재활성화",
-  "reactivateVaultDialog.description": "경고: Vault를 재활성화하는 것은 남은 좌석의 수에 영향을 끼칠 것입니다. 잔여 좌석 수가 초과될 경우, 모든 Vault를 잠금 해제 하는 것이 금지될 것입니다.",
+  "reactivateVaultDialog.description": "경고: Vault를 재활성화하는 것은 남은 시트의 수에 영향을 끼칠 것입니다. 사용 가능한 시트의 수를 초과하면, 모든 Vault에 대한 잠금 해제가 차단됩니다.",
   "reactivateVaultDialog.confirm": "재활성화",
   "recoveryKeyDialog.title": "복구 키",
   "recoveryKeyDialog.description": "다음은 \"{0}\"에 대한 복구 키입니다. 안전한 곳에 두십시오, 시스템 장애의 경우에 Vault에 대한 접근을 얻을 수 있는 유일한 수단입니다.",
@@ -219,24 +415,84 @@
   "regenerateAccountKeyDialog.saveAccountKey.accountKey": "Account Key",
   "regenerateAccountKeyDialog.submit": "키 재생성",
   "resetUserAccountDialog.title": "사용자 계정 리셋",
-  "resetUserAccountDialog.description": "Account Key를 잃어버렸을 때에만 계정을 리셋하십시오. 모든 Vault에 대한 접근을 잃고, Vault 소유주는 당신에게 다시 접근을 허가해야 합니다.",
+  "resetUserAccountDialog.description": "Account Key를 잃어버렸을 때에만 계정을 초기화하십시오. 초기화 시 모든 Vault에 대한 접근을 잃게 되며, Vault 소유자는 귀하에게 다시 접근을 허가해야 합니다.",
   "resetUserAccountDialog.submit": "계정 리셋",
   "userkeyFingerprint.title": "사용자 키 지문",
   "userkeyFingerprint.description": "사용자 키 지문은 Vault 권한을 업데이트 할 때, 자신의 신원을 인증하기 위해 사용됩니다.",
+  "users.title": "사용자",
+  "user.detail.createdOn": "생성된 날짜",
+  "user.detail.disable": "비활성화",
+  "user.detail.disabled": "비활성화됨",
+  "user.detail.devices": "모든 기기",
+  "user.detail.edit": "수정",
+  "user.detail.enable": "활성화",
+  "user.detail.email": "이메일",
+  "user.detail.groups": "그룹",
+  "user.detail.groups.join": "가입하기",
+  "user.detail.info": "사용자 정보",
+  "user.detail.legacyDeviceList.info": "이 기기들은 이전 버전의 Hub에서 생성되었습니다. 향후 버전에서 Vault를 사용하려면 업데이트가 필요합니다.",
+  "user.detail.name": "이름",
+  "user.detail.roles": "역할",
+  "user.detail.username": "사용자 이름",
+  "user.addGroups.title": "그룹 추가",
+  "user.addGroups.searchLabel": "그룹 이름으로 검색",
+  "user.addGroups.selectedGroups": "그룹 선택됨",
+  "userEditCreate.title.create": "새 사용자 생성",
+  "userEditCreate.title.edit": "사용자 수정",
+  "userEditCreate.button.create": "사용자 생성",
+  "userEditCreate.button.save": "저장",
+  "userEditCreate.button.saved": "저장 완료!",
+  "userEditCreate.firstName": "이름",
+  "userEditCreate.lastName": "성",
+  "userEditCreate.username": "사용자 이름",
+  "userEditCreate.email": "이메일",
+  "userEditCreate.roles": "역할",
+  "userEditCreate.selectRolesPlaceholder": "역할 선택",
+  "userEditCreate.password": "비밀번호",
+  "userEditCreate.passwordConfirm": "비밀번호 확인",
+  "userEditCreate.create.passwordInfo": "이것은 임시 비밀번호입니다. 사용자는 첫 로그인 시 비밀번호를 변경해야 합니다.",
+  "userEditCreate.edit.passwordInfo": "비밀번호를 재설정하지 않으려면 입력란을 빈칸으로 두세요.",
+  "userEditCreate.removePicture": "사진 제거",
+  "userEditCreate.passwordStrong": "강함",
+  "userEditCreate.passwordMedium": "보통",
+  "userEditCreate.passwordWeak": "취약함",
+  "userEditCreate.passwordsMatch": "비밀번호가 일치합니다",
+  "userEditCreate.passwordsDontMatch": "비밀번호가 일치하지 않습니다",
+  "userEditCreate.profilePictureUrl": "프로필 사진 URL",
+  "userEditCreate.showPassword": "비밀번호 표시하기",
+  "userEditCreate.hidePassword": "비밀번호 가리기",
+  "userEditCreate.invalidEmail": "올바르지 않은 이메일 형식",
+  "userEditCreate.invalidImageUrl": "유효하지 않은 이미지 URL",
+  "userEditCreate.validation.required": "필수 입력 항목입니다",
+  "userEditCreate.validation.passwordMismatch": "비밀번호가 일치하지 않습니다",
+  "userEditCreate.error.userAlreadyExists": "이 사용자 이름을 가진 사용자가 이미 존재합니다.",
+  "userEditCreate.error.emailAlreadyExists": "이 이메일을 가진 사용자가 이미 존재합니다.",
+  "userList.edit.user.button": "수정",
+  "userList.userName": "이름",
+  "userList.groups.count": "그룹",
+  "userList.device.count": "모든 기기",
+  "userList.vaults.count": "Vault",
+  "userList.user.created": "생성된 날짜",
+  "userList.profileImage": "프로필 이미지",
+  "userList.create.button": "사용자 생성",
+  "userList.disabled": "비활성화됨",
   "userProfile.title": "프로필",
   "userProfile.actions.manageAccount": "계정 관리",
   "userProfile.actions.changeLanguage": "언어 변경",
   "userProfile.actions.changeLanguage.entry.browser": "브라우저 언어",
+  "userProfile.keycloakVersion.notAvailable": "해당 버전 사용 불가능",
+  "unlock.noAccessVaultArchived.title": "Vault가 아카이브됨",
+  "unlock.noAccessVaultArchived.description": "이 Vault는 아카이브되어 더 이상 접근할 수 없습니다. Vault 소유자에게 문의하십시오.",
   "unlockSuccess.title": "Vault 잠금 해제됨",
-  "unlockSuccess.description": "이 브라우저 탭을 닫고 Cryptomator로 돌아가도 됩니다.",
+  "unlockSuccess.description": "이 브라우저 탭을 닫고 Katta로 돌아가도 됩니다.",
   "unlockSuccess.accountSetup.title": "설정 필요함",
   "unlockSuccess.accountSetup.description": "계정 설정을 완료하고 Account Key를 생성하십시오.",
   "unlockSuccess.accountSetup.goToSetup": "설정 완료",
   "unlockSuccess.deviceSetup.title": "새 기기",
-  "unlockSuccess.deviceSetup.description": "Cryptomator에 Account Key를 입력하여 인증하십시오.",
+  "unlockSuccess.deviceSetup.description": "Katta에 Account Key를 입력하여 인증하십시오.",
   "unlockSuccess.deviceSetup.goToProfile": "내 프로필에서 Account Key 보기",
   "unlockSuccess.noVaultAccess.title": "이 Vault에 접근할 수 없음",
-  "unlockSuccess.noVaultAccess.description": "Vault 소유주에 Vault 구성원으로 추가하도록 연락하십시오.",
+  "unlockSuccess.noVaultAccess.description": "Vault 소유자에 Vault 구성원으로 추가하도록 연락하십시오.",
   "vaultDetails.warning.archived": "이 Vault는 아카이브되어 잠금 해제할 수 없습니다.",
   "vaultDetails.description.header": "설명",
   "vaultDetails.description.empty": "설명 없음.",
@@ -256,7 +512,9 @@
   "vaultDetails.actions.reactivateVault": "Vault 재활성화",
   "vaultDetails.actions.claimOwnership": "소유권 얻기",
   "vaultDetails.actions.recoverVault": "Vault 접근 복구하기",
-  "vaultDetails.error.licenseViolated": "Cryptomator Hub 라이선스가 만료되었거나 자리의 수가 초과하였습니다. Hub 관리자에게 라이선스를 갱신하거나 업그레이드 하도록 알리십시오.",
+  "vaultDetails.emergencyAccess.setupCouncil": "비상 접근 위원회 설정하기",
+  "vaultDetails.emergencyAccess.fixCouncil": "비상 접근 위원회 수정하기",
+  "vaultDetails.error.licenseViolated": "Katta 라이선스가 만료되었거나 자리의 수가 초과하였습니다. Katta 관리자에게 라이선스를 갱신하거나 업그레이드 하도록 알리십시오.",
   "vaultDetails.recoverVault.title": "계정을 리셋하였습니다!",
   "vaultDetails.recoverVault.description": "Vault에 대한 접근을 다시 얻으려면, 복구 키를 통해 계정을 복원하거나 다른 소유자가 접근 권한을 업데이트해야 합니다.",
   "vaultList.title": "Vault",
@@ -275,5 +533,15 @@
   "vaultList.filter.result.empty.description": "검색어나 필터로 검색된 것이 없음.",
   "vaultList.search.placeholder": "검색…",
   "vaultList.badge.owner": "소유자",
-  "vaultList.badge.archived": "아카이브됨"
+  "vaultList.badge.archived": "아카이브됨",
+  "userList.filter.result.empty.title": "사용자 없음",
+  "userList.filter.result.empty.description": "입력하신 검색어에 대한 결과가 없습니다.",
+  "groupList.empty.title": "그룹 없음",
+  "groupList.empty.description": "소유 중이거나 소속된 그룹이 없습니다.",
+  "groupList.filter.result.empty.title": "그룹 없음",
+  "groupList.filter.result.empty.description": "입력하신 검색어에 대한 결과가 없습니다.",
+  "missingEntitlements.title": "업그레이드가 필요합니다.",
+  "missingEntitlements.description": "이 기능은 현재 라이선스에 포함되어 있지 않습니다.",
+  "trial.enterpriseFeature.title": "엔터프라이즈용 기능",
+  "trial.enterpriseFeature.description": "이 기능은 엔터프라이즈 라이선스를 보유한 경우에만 영구적으로 사용할 수 있습니다."
 }
diff --git a/frontend/src/i18n/lt-LT.json b/frontend/src/i18n/lt-LT.json
new file mode 100644
index 000000000..94f5a15a8
--- /dev/null
+++ b/frontend/src/i18n/lt-LT.json
@@ -0,0 +1,73 @@
+{
+  "locale.en-US": "Anglų",
+  "locale.de-DE": "Vokiečių",
+  "locale.fr-FR": "Prancūzų",
+  "locale.it-IT": "Italų",
+  "locale.ko-KR": "Korėjiečių",
+  "locale.lv-LV": "Latvių",
+  "locale.nl-NL": "Olandų",
+  "locale.pt-BR": "Portugalų (Brazilija)",
+  "locale.pt-PT": "Portugalų",
+  "locale.ru-RU": "Rusų",
+  "locale.tr-TR": "Turkų",
+  "locale.uk-UA": "Ukrainiečių",
+  "locale.zh-TW": "Kinų (Taivanas)",
+  "common.add": "Pridėti",
+  "common.apply": "Taikyti",
+  "common.cancel": "Atsisakyti",
+  "common.close": "Užverti",
+  "common.copied": "Nukopijuota!",
+  "common.copy": "Kopijuoti",
+  "common.create": "Sukurti",
+  "common.device": "Įrenginys",
+  "common.download": "Atsisiųsti",
+  "common.edit": "Taisyti",
+  "common.hide": "Slėpti",
+  "common.loading": "Įkeliama…",
+  "common.next": "Kitas",
+  "common.none": "Nėra",
+  "common.nothingFound": "Nieko nerasta",
+  "common.previous": "Ankstesnis",
+  "common.reload": "Įkelkite puslapį iš naujo.",
+  "common.remove": "Šalinti",
+  "common.reset": "Atstatyti",
+  "common.unexpectedError": "Netikėta klaida: {0}",
+  "common.actions": "Veiksmai",
+  "admin.webOfTrust.information": "Sužinokite daugiau.",
+  "admin.emergencyAccess.learnMore": "Sužinokite daugiau.",
+  "auditLog.filter.startDate": "Pradžios data",
+  "auditLog.filter.endDate": "Pabaigos data",
+  "auditLog.details": "Išsamiau",
+  "auditLog.details.device.remove": "Šalinti įrenginį",
+  "claimVaultOwnershipDialog.error.wrongPassword": "Neteisingas slaptažodis",
+  "createVault.enterVaultDetails.vaultDescription": "Aprašas",
+  "deviceList.deviceName": "Įrenginio pavadinimas",
+  "deviceList.type": "Tipas",
+  "deviceList.added": "Pridėtas",
+  "deviceList.thisDevice": "Šis įrenginys",
+  "deviceList.ipAddress": "IP adresas",
+  "emergencyAccess.status.added": "Pridėtas",
+  "editVaultMetadataDialog.vaultDescription": "Aprašas",
+  "groupList.edit.group.button": "Taisyti",
+  "group.members.search.empty": "Nieko nerasta",
+  "initialSetup.accountKey": "Paskyros raktas",
+  "legacyDeviceList.description.information": "Sužinokite daugiau.",
+  "legacyDeviceList.added": "Pridėtas",
+  "legacyDeviceList.thisDevice": "Šis įrenginys",
+  "legacyDeviceList.ipAddress": "IP adresas",
+  "manageAccountKey.title": "Paskyros raktas",
+  "regenerateAccountKeyDialog.saveAccountKey.accountKey": "Paskyros raktas",
+  "user.detail.disable": "Išjungti",
+  "user.detail.edit": "Taisyti",
+  "user.detail.enable": "Įjungti",
+  "user.detail.username": "Naudotojo vardas",
+  "userEditCreate.username": "Naudotojo vardas",
+  "userEditCreate.password": "Slaptažodis",
+  "userEditCreate.passwordStrong": "Stiprus",
+  "userEditCreate.passwordWeak": "Silpnas",
+  "userList.edit.user.button": "Taisyti",
+  "unlockSuccess.deviceSetup.title": "Naujas įrenginys",
+  "vaultDetails.description.header": "Aprašas",
+  "vaultDetails.actions.updatePermissions.reload": "Įkelti iš naujo",
+  "vaultList.addVault": "Pridėti"
+}
diff --git a/frontend/src/i18n/lv-LV.json b/frontend/src/i18n/lv-LV.json
index 912d2e481..01f25245b 100644
--- a/frontend/src/i18n/lv-LV.json
+++ b/frontend/src/i18n/lv-LV.json
@@ -18,10 +18,16 @@
   "common.close": "Aizvērt",
   "common.copied": "Ievietots starpliktuvē",
   "common.copy": "Ievietot starpliktuvē",
+  "common.create": "Izveidot",
+  "common.device": "Ierīce",
   "common.download": "Lejupielādēt",
+  "common.edit": "Labot",
   "common.hide": "Paslēpt",
+  "common.leave": "Pamest",
   "common.loading": "Ielādē…",
   "common.next": "Tālāk",
+  "common.none": "Nekas",
+  "common.nothingFound": "Nekas nav atrasts",
   "common.optional": "izvēles",
   "common.pagination": "Lapošana",
   "common.previous": "Atpakaļ",
@@ -30,6 +36,10 @@
   "common.remove": "Noņemt",
   "common.reset": "Atiestatīt",
   "common.retry": "Mēģināt vēlreiz",
+  "common.save": "Saglabāt",
+  "common.saved": "Saglabāts.",
+  "common.search.placeholder": "Meklēt…",
+  "common.select.placeholder": "Atlasīt…",
   "common.share": "Kopīgot",
   "common.show": "Rādīt",
   "common.undo": "Atsaukt",
@@ -37,12 +47,16 @@
   "common.unsavedChanges": "Nesaglabātas izmaiņas.",
   "common.update": "Atjaunināt",
   "common.xMembers": "{0} dalībnieki",
+  "common.actions": "Darbības",
+  "common.member": "Dalībnieks",
+  "common.property": "Īpašība",
+  "common.value": "Vērtība",
   "admin.title": "Pārvaldītājs",
   "admin.serverInfo.title": "Informācija par serveri",
-  "admin.serverInfo.description": "Hub Id tiek izmantots, lai licencē identificētu CryptomatorHub. Lai iegūtu atbalstu, vienmēr ir jānorāda attēlotā Hub un Keycloak versija.",
-  "admin.serverInfo.hubId.title": "Hub Id",
-  "admin.serverInfo.hubVersion.title": "Hub versija",
-  "admin.serverInfo.hubVersion.description.upToDate": "Hub ir atjaunināts.",
+  "admin.serverInfo.description": "Katta Id tiek izmantots, lai licencē identificētu Katta. Lai iegūtu atbalstu, vienmēr ir jānorāda attēlotā Katta un Keycloak versija.",
+  "admin.serverInfo.hubId.title": "Katta Id",
+  "admin.serverInfo.hubVersion.title": "Katta versija",
+  "admin.serverInfo.hubVersion.description.upToDate": "Katta ir atjaunināts.",
   "admin.serverInfo.hubVersion.description.updateExists": "Iespējams atjauninājums uz versiju {0}.",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "Nebija iespējams pārbaudīt, vai ir pieejami atjauninājumi. Lūgums pārbaudīt pašrocīgi.",
   "admin.serverInfo.keycloakVersion.title": "Keycloak versija",
@@ -62,8 +76,8 @@
   "admin.licenseInfo.manageSubscription": "Pārvaldīt abonementu",
   "admin.licenseInfo.type.title": "Veids",
   "admin.licenseInfo.getLicense": "Iegūt licenci",
-  "admin.licenseInfo.selfHostedNoLicense.description": "Paldies par Cryptomator Hub izmantošanu! Tika piešķirta kopienas licence. Ja ir nepieciešamas vairāk vietu, jāuzlabo licence.",
-  "admin.licenseInfo.managedNoLicense.description": "Paldies par Cryptomator Hub izmantošanu! Pašlaik nav spēkā esošas licences.",
+  "admin.licenseInfo.selfHostedNoLicense.description": "Paldies par Katta izmantošanu! Tika piešķirta kopienas licence. Ja ir nepieciešamas vairāk vietu, jāuzlabo licence.",
+  "admin.licenseInfo.managedNoLicense.description": "Paldies par Katta izmantošanu! Pašlaik nav spēkā esošas licences.",
   "admin.webOfTrust.title": "Uzticēšanās tīkls",
   "admin.webOfTrust.description": "Konfigurē Web of Trust iestatījumus, lai pārvaldītu, kā uzticība tiek izveidota starp sistēmas lietotājiem. Šie iestatījumi ietekmē lietotāju identitāšu un atslēgas parakstu apliecināšanu.",
   "admin.webOfTrust.information": "Uzzināt vairāk.",
@@ -75,6 +89,7 @@
   "admin.webOfTrust.wotIdVerifyLen.description": "Cik daudz ciparu no citu lietotāju pirkstu nospieduma ir nepieciešams ievadīt, lai apliecinātu viņu identitāti.",
   "admin.webOfTrust.save": "Saglabāt",
   "admin.webOfTrust.saved": "Saglabāts.",
+  "admin.emergencyAccess.learnMore": "Uzzināt vairāk.",
   "archiveVaultDialog.title": "Arhivēt glabātavu",
   "archiveVaultDialog.description": "Glabātavas arhivēšana padara to neizmantotu. Tas var atbrīvot aizņemtās vietas. Arhivētu glabātavu vēlāk var atkla padarīt izmantojamu.",
   "archiveVaultDialog.confirm": "Arhīvs",
@@ -133,13 +148,16 @@
   "createVault.error.invalidRecoveryKey": "Atkopes atslēga ir nederīga.",
   "createVault.error.vaultAlreadyExists": "Glabātava ar norādīto nosaukumu jau pastāv.",
   "createVault.error.downloadTemplateFailed": "Glabātavas sagataves lejupielāde neizdevās: {0}",
-  "createVault.error.paymentRequired": "Cryptomator Hub licencē ir pārsniegts pieejamo vietu skaits vai tā ir beigusies. Lūgums ziņot Hub pārvaldītājam, lai uzlabo vai atjauno licenci.",
+  "createVault.error.paymentRequired": "Katta licencē ir pārsniegts pieejamo vietu skaits vai tā ir beigusies. Lūgums ziņot Katta pārvaldītājam, lai uzlabo vai atjauno licenci.",
   "createVault.success.title": "Glabātava izveidota",
   "createVault.success.description": "Pēc saspiestās glabātavas mapes lejupielādēšanas tā ir jāatspiež jebkurā vietā, kas ir kopīgota ar komandas dalībniekiem.",
   "createVault.success.download": "Lejupielādēt saspiestu glabātavas mapi",
   "createVault.success.return": "Atgriezties uz glabātavu sarakstu",
+  "deleteUserDialog.title": "Izdzēst lietotāja kontu",
+  "deleteUserDialog.description": "Vai tiešām neatgriezeniski izdzēst šo lietotāju? Visas saistītās glabātavas un ierīces tiks noņemtas. Šī darbība ir neatgriezeniska.",
+  "deleteUserDialog.confirm": "Jā, izdzēst lietotāju",
   "deviceList.empty.message": "Nav ierīču",
-  "deviceList.empty.description": "Lai pievienotu ierīci, ierīces Cryptomator lietotnē jāpievieno glabātava no šī Hub un jāatslēdz tā.",
+  "deviceList.empty.description": "Lai pievienotu ierīci, ierīces Katta lietotnē jāpievieno glabātava no Katta un jāatslēdz tā.",
   "deviceList.title": "Pilnvarotās ierīces un pārlūki",
   "deviceList.deviceName": "Ierīces nosaukums",
   "deviceList.type": "Veids",
@@ -150,6 +168,13 @@
   "deviceList.lastAccess.toolTip": "Var trūkt ierīcēs, kurās ir piekļūts ar vecākām versijām.",
   "downloadVaultTemplateDialog.title": "Lejupielādēt glabātavas sagatavi",
   "downloadVaultTemplateDialog.description": "Saspiestā glabātavas sagatave ir lejupielādējama un izvēršama jebkurā ar komandas dalībniekiem koplietotā vietā. Tas ir nepieciešams tikai vienreiz sākotnējās iestatīšanas laikā.",
+  "emergencyAccess.status.added": "Pievienots",
+  "emergencyAccess.label.members": "Dalībnieki",
+  "emergencyAccess.processType.changePermissions": "Izvēlēties glabātavas dalībniekus",
+  "emergencyAccess.processType.changeCouncil": "Mainīt ārkārtas piekļuves padomi",
+  "emergencyAccess.filter.all": "Visas",
+  "emergencyAccess.badge.insufficientCouncilMembers.title": "Nepietiekama ārkārtas piekļuve",
+  "emergencyAccess.badge.insufficientCouncilMembers.message": "Komanadas pamatnostādne pieprasa ārkārtas piekļuves padomi ar v ismaz {0} dalībniekiem. Šī glabātava šobrīd neatbilst šai prasībai.",
   "editVaultMetadataDialog.title": "Labot glabātavas metadatus",
   "editVaultMetadataDialog.description": "Atjaunināt glabātavas nosaukumu un aprakstu.",
   "editVaultMetadataDialog.vaultName": "Glabātavas nosaukums",
@@ -159,6 +184,35 @@
   "grantPermissionDialog.title": "Nodrošināt atļauju",
   "grantPermissionDialog.description": "Kopīgo glabātavas atslēgas ar jaunizveidotajiem lietotājiem.",
   "grantPermissionDialog.submit": "Nodrošināt atļauju {0} lietotājiem",
+  "group.detail.members": "Dalībnieki",
+  "group.detail.vaults": "Glabātavas",
+  "group.detail.add.member": "Pievienot dalībnieku",
+  "group.detail.name": "Nosaukums",
+  "group.detail.createdOn": "Izveidota",
+  "group.detail.roles": "Lomas",
+  "groupList.name": "Nosaukums",
+  "groupList.members.count": "Lietotāji",
+  "groupList.edit.group.button": "Labot",
+  "groupList.search.placeholder": "Meklēt…",
+  "groupList.vaults.count": "Glabātavas",
+  "groupList.group.created": "Izveidota",
+  "group.members.add": "Pievienot dalībniekus",
+  "group.members.search.empty": "Nekas nav atrasts",
+  "group.addMembers.title": "Pievienot dalībniekus",
+  "group.addMembers.searchLabel": "Meklēt pēc lietotājvārda vai pilna vārda",
+  "group.addMembers.selectedUser": "Atlasīti lietotāji",
+  "groupEditCreate.profileImage": "Profila attēls",
+  "groupEditCreate.role": "Loma",
+  "groupEditCreate.removePicture": "Noņemt attēlu",
+  "groupEditCreate.addPicture": "Pievienot attēlu",
+  "groupEditCreate.roles": "Lomas",
+  "groupEditCreate.validation.required": "Šis lauks ir nepieciešams",
+  "groupEditCreate.roles.remove": "Noņemt lomas",
+  "groupEditCreate.roles.choose": "Izvēlēties lomas",
+  "groupEditCreate.roles.addMore": "Pievienot vēl",
+  "groupEditCreate.invalidImageUrl": "Nederīgs attēla URL",
+  "groupEditCreate.profilePictureUrl": "Profila attēla URL",
+  "groupEditCreate.selectRolesPlaceholder": "Atlasīt lomas",
   "trustDetails.trustLevel": "Uzticēšanās līmenis {0}",
   "trustDetails.trustLevel.untrusted": "Neapstiprināts",
   "trustDetails.showSignDialogBtn": "Pārbaudīt identitāti...",
@@ -166,7 +220,7 @@
   "signUserKeysDialog.title": "Apliecināt {0} identitāti",
   "signUserKeysDialog.description": "Jāievada pirmās {0} rakstzīmes no {1} pirkstu nospieduma, lai apliecinātu publisko atslēgu autentiskumu. Pirkstu nospiedumu var atrast lietotāja profilā.",
   "signUserKeysDialog.submit": "Apstiprināt šī lietotāja identitāti",
-  "initialSetup.createUserKey.title": "Laipni lūdzam Cryptomator hub",
+  "initialSetup.createUserKey.title": "Laipni lūdzam Katta",
   "initialSetup.createUserKey.description": "Pirmajā pieteikšanās reizē ikviens lietotājs iegūts neatkārtojamu konta atslēgu:",
   "initialSetup.createUserKey.details.accountKey": "Konta atslēga ir nepieciešama, lai pieteiktos citās lietotnēs vai pārlūkos",
   "initialSetup.createUserKey.details.devicesList": "Pilnvaroto lietotņu sarakstu var redzēt sava profila lapā",
@@ -182,19 +236,19 @@
   "initialSetup.recoverUserKey.lostAccountKey": "Pazaudēta konta atslēga? {0}",
   "initialSetup.recoverUserKey.lostAccountKey.resetUserAccount": "Atiestatīt manu kontu",
   "initialSetup.setupAlreadyCompleted.title": "Iestatīšana jau pabeigta",
-  "initialSetup.setupAlreadyCompleted.description": "Cryptomator Hub sākotnējā iestatīšana jau ir pabeigta. Konta atslēgu var atrast savā profilā.",
+  "initialSetup.setupAlreadyCompleted.description": "Katta sākotnējā iestatīšana jau ir pabeigta. Konta atslēgu var atrast savā profilā.",
   "initialSetup.setupAlreadyCompleted.goToYourProfile": "Doties uz profilu",
   "initialSetup.accountKey": "Konta atslēga",
   "initialSetup.submit": "Pabeigt iestatīšanu",
   "licenseAlert.noRemainingSeats.title": "Pārsniegta licence",
-  "licenseAlert.noRemainingSeats.admin.description": "Cryptomator Hub instancē ir pārsniegts licencēto vietu skaits. Jāuzlabo licence {0}, lai atkal varētu pārvaldīt un atslēgt savas glabātavas.",
-  "licenseAlert.noRemainingSeats.user.description": "Cryptomator hub instancē ir pārsniegts licencēto vietu skaits. Lūgums ziņot Hub pārvaldītājam, lai uzlabo licenci.",
+  "licenseAlert.noRemainingSeats.admin.description": "Katta instancē ir pārsniegts licencēto vietu skaits. Jāuzlabo licence {0}, lai atkal varētu pārvaldīt un atslēgt savas glabātavas.",
+  "licenseAlert.noRemainingSeats.user.description": "Katta instancē ir pārsniegts licencēto vietu skaits. Lūgums ziņot Katta pārvaldītājam, lai uzlabo licenci.",
   "licenseAlert.licenseExpired.title": "Licence beigusies",
-  "licenseAlert.licenseExpired.admin.description": "Cryptomator Hub licence ir beigusies. Tā ir jāatjauno {0}, lai atkal varētu pārvaldīt un atslēgt savas glabātavas.",
-  "licenseAlert.licenseExpired.user.description": "Cryptomator Hub licence ir beigusies. Lūgums ziņot Hub pārvaldītājam, lai atjauno licenci.",
+  "licenseAlert.licenseExpired.admin.description": "Katta licence ir beigusies. Tā ir jāatjauno {0}, lai atkal varētu pārvaldīt un atslēgt savas glabātavas.",
+  "licenseAlert.licenseExpired.user.description": "Katta licence ir beigusies. Lūgums ziņot Katta pārvaldītājam, lai atjauno licenci.",
   "licenseAlert.button": "Pārvaldītāju sadaļa",
   "legacyDeviceList.title": "Novecojušas ierīces",
-  "legacyDeviceList.description": "Šīs ierīces tika izveidotas ar vecāku Hub versiju, un tās ir jāatjaunina, lai glabātavas varētu atslēgt nākotnes versijās. Ja tās vairs nav nepieciešamas, lūgums tās noņemt. Pretējā gadījumā lūdzam attiecīgajās ierīcēs atjaunināt Cryptomator. Nākamā atslēgšana automātiski izraisīs atjaunināšanu.",
+  "legacyDeviceList.description": "Šīs ierīces tika izveidotas ar vecāku Katta versiju, un tās ir jāatjaunina, lai glabātavas varētu atslēgt nākotnes versijās. Ja tās vairs nav nepieciešamas, lūgums tās noņemt. Pretējā gadījumā lūdzam attiecīgajās ierīcēs atjaunināt Katta. Nākamā atslēgšana automātiski izraisīs atjaunināšanu.",
   "legacyDeviceList.description.information": "Uzzināt vairāk.",
   "legacyDeviceList.deviceName": "Ierīces nosaukums",
   "legacyDeviceList.type": "Veids",
@@ -212,6 +266,7 @@
   "nav.profile.admin": "Pārvaldītājs",
   "nav.profile.auditlog": "Audita žurnāli",
   "nav.profile.signOut": "Atteikties",
+  "nav.users": "Lietotāji",
   "nav.mobileMenu": "Atvērt galveno izvēlni",
   "reactivateVaultDialog.title": "Atkārtoti aktivēt glabātavu",
   "reactivateVaultDialog.description": "Brīdinājums: glabātavas atkārtota aktivēšana var ietekmēt pieejamo vietu skaitu. Ja tas tiks pārsniegts, tiks liegta visu glabātavu atslēgšana.",
@@ -235,18 +290,70 @@
   "resetUserAccountDialog.submit": "Atiestatīt kontu",
   "userkeyFingerprint.title": "Lietotāja atslēgas pirkstu nospiedums",
   "userkeyFingerprint.description": "Lietotāja atslēgas pirkstu nospiedumu var izmantot, lai apliecinātu savu identitāti, kad veic glabātavas atjaunināšanu.",
+  "users.title": "Lietotāji",
+  "user.detail.createdOn": "Izveidota",
+  "user.detail.disable": "Atspējot",
+  "user.detail.devices": "Ierīces",
+  "user.detail.edit": "Labot",
+  "user.detail.enable": "Iespējot",
+  "user.detail.email": "E-pasta adrese",
+  "user.detail.groups.join": "Pievienoties",
+  "user.detail.info": "Informācija par lietotāju",
+  "user.detail.legacyDeviceList.info": "Šīs ierīces tika izveidotas ar vecāku Hub versiju, un tās ir nepieciešams atjaunināt, lai atslēgtu glabātavas nākotnes versijās.",
+  "user.detail.name": "Vārds",
+  "user.detail.roles": "Lomas",
+  "user.detail.username": "Lietotājvārds",
+  "userEditCreate.title.create": "Izveidot jaunu lietotāju",
+  "userEditCreate.title.edit": "Labot lietotāju",
+  "userEditCreate.button.create": "Izveidot lietotāju",
+  "userEditCreate.button.save": "Saglabāt",
+  "userEditCreate.button.saved": "Saglabāts.",
+  "userEditCreate.firstName": "Vārds",
+  "userEditCreate.lastName": "Uzvārds",
+  "userEditCreate.username": "Lietotājvārds",
+  "userEditCreate.email": "E-pasta adrese",
+  "userEditCreate.roles": "Lomas",
+  "userEditCreate.selectRolesPlaceholder": "Atlasīt lomas",
+  "userEditCreate.password": "Parole",
+  "userEditCreate.passwordConfirm": "Apstiprināt paroli",
+  "userEditCreate.create.passwordInfo": "Šī ir pagaidu parole. Lietotājam tā ir jānomaina pirmajā pieteikšanās reizē.",
+  "userEditCreate.edit.passwordInfo": "Paroļu lauki ir jāatstāj tukši, ja nav vēlēšanās atiestatīt lietotaja paroli.",
+  "userEditCreate.removePicture": "Noņemt attēlu",
+  "userEditCreate.passwordStrong": "Stipra",
+  "userEditCreate.passwordMedium": "Vidēja",
+  "userEditCreate.passwordWeak": "Vāja",
+  "userEditCreate.passwordsMatch": "Parole sakrīt",
+  "userEditCreate.passwordsDontMatch": "Paroles nesakrīt",
+  "userEditCreate.profilePictureUrl": "Profila attēla URL",
+  "userEditCreate.showPassword": "Parādīt paroli",
+  "userEditCreate.hidePassword": "Paslēpt paroli",
+  "userEditCreate.invalidEmail": "Nederīga e-pasta adrese",
+  "userEditCreate.invalidImageUrl": "Nederīgs attēla URL",
+  "userEditCreate.validation.required": "Šis lauks ir nepieciešams",
+  "userEditCreate.validation.passwordMismatch": "Paroles nesakrīt",
+  "userEditCreate.error.userAlreadyExists": "Lietotājs ar šādu lietotājvārdu jau pastāv.",
+  "userEditCreate.error.emailAlreadyExists": "Lietotājs ar šādu e-pasta adresi jau pastāv.",
+  "userList.edit.user.button": "Labot",
+  "userList.userName": "Vārds",
+  "userList.device.count": "Ierīces",
+  "userList.vaults.count": "Glabātavas",
+  "userList.user.created": "Izveidota",
+  "userList.profileImage": "Profila attēls",
+  "userList.create.button": "Izveidot lietotāju",
   "userProfile.title": "Profils",
   "userProfile.actions.manageAccount": "Pārvaldīt kontu",
   "userProfile.actions.changeLanguage": "Mainīt valodu",
   "userProfile.actions.changeLanguage.entry.browser": "Pārlūka valoda",
   "userProfile.keycloakVersion.notAvailable": "versija nav pieejama",
+  "unlock.noAccessVaultArchived.title": "Glabātava arhivēta",
+  "unlock.noAccessVaultArchived.description": "Glabātava tika arhivēta un vairs nav pieejama. Lūgums sazināties ar glabātavas īpašnieku.",
   "unlockSuccess.title": "Glabātava sekmīgi atslēgta",
-  "unlockSuccess.description": "Tagad var aizvēr šo pārlūka cilni un atgriezties Cryptomator.",
+  "unlockSuccess.description": "Tagad var aizvēr šo pārlūka cilni un atgriezties Katta.",
   "unlockSuccess.accountSetup.title": "Nepieciešama uzstādīšana",
   "unlockSuccess.accountSetup.description": "Pabeigt iestatīt savu kontu un iegūt konta atslēgu.",
   "unlockSuccess.accountSetup.goToSetup": "Pabeigt uzstādīšanu",
   "unlockSuccess.deviceSetup.title": "Jauna ierīce",
-  "unlockSuccess.deviceSetup.description": "Lūgums ievadīt sava konta atslēgu Cryptomator, lai to pilnvarotu.",
+  "unlockSuccess.deviceSetup.description": "Lūgums ievadīt sava konta atslēgu Katta, lai to pilnvarotu.",
   "unlockSuccess.deviceSetup.goToProfile": "Apskatīt konta atslēgu manā profilā",
   "unlockSuccess.noVaultAccess.title": "Nav piekļuves šai glabātavai",
   "unlockSuccess.noVaultAccess.description": "Lūgums sazināties ar glabātavas īpašnieku, lai pievienotu Tevi kā tās dalībnieku.",
@@ -269,7 +376,7 @@
   "vaultDetails.actions.reactivateVault": "Atkārtoti aktivēt glabātavu",
   "vaultDetails.actions.claimOwnership": "Pieteikt īpašumtiesības",
   "vaultDetails.actions.recoverVault": "Atkopt piekļuvi glabātavai",
-  "vaultDetails.error.licenseViolated": "Cryptomator Hub licence ir beigusies vai ir pārsniegts iekļauto vietu skaits. Lūgums ziņot Hub pārvaldtītājam, lai atjaunotu vai uzlabotu licenci.",
+  "vaultDetails.error.licenseViolated": "Katta licence ir beigusies vai ir pārsniegts iekļauto vietu skaits. Lūgums ziņot Katta pārvaldtītājam, lai atjaunotu vai uzlabotu licenci.",
   "vaultDetails.recoverVault.title": "Tika atiestatīts konts.",
   "vaultDetails.recoverVault.description": "Lai atgūtu piekļuvi kontam, jāatjauno piekļuve ar atkopes atslēgu vai citam īpašniekam jāatjaunina piekļuves atļaujas.",
   "vaultList.title": "Glabātavas",
@@ -288,5 +395,10 @@
   "vaultList.filter.result.empty.description": "Nekas atbilstošs meklēšanas vaicājumam vai atlasei netika atrasts.",
   "vaultList.search.placeholder": "Meklēt…",
   "vaultList.badge.owner": "Īpašnieks",
-  "vaultList.badge.archived": "Arhivēta"
+  "vaultList.badge.archived": "Arhivēta",
+  "userList.filter.result.empty.title": "Nav lietotāju",
+  "userList.filter.result.empty.description": "Nekas atbilstošs meklēšanas vaicājumam netika atrasts.",
+  "groupList.filter.result.empty.description": "Nekas atbilstošs meklēšanas vaicājumam netika atrasts.",
+  "trial.enterpriseFeature.title": "Iespēja uzņēmumiem",
+  "trial.enterpriseFeature.description": "Šī iespēja ir pieejama tikai ar licenci uzņēmumiem."
 }
diff --git a/frontend/src/i18n/mk-MK.json b/frontend/src/i18n/mk-MK.json
index 9c8b28bae..001e4e9d6 100644
--- a/frontend/src/i18n/mk-MK.json
+++ b/frontend/src/i18n/mk-MK.json
@@ -7,6 +7,7 @@
   "common.next": "Продолжи",
   "common.show": "Покажи",
   "admin.webOfTrust.information": "Дознајте повеќе.",
+  "admin.emergencyAccess.learnMore": "Дознајте повеќе.",
   "createVault.enterVaultDetails.vaultName": "Име на сеф",
   "editVaultMetadataDialog.vaultName": "Име на сеф",
   "legacyDeviceList.description.information": "Дознајте повеќе."
diff --git a/frontend/src/i18n/nb-NO.json b/frontend/src/i18n/nb-NO.json
index 16ed2fcab..10dc66085 100644
--- a/frontend/src/i18n/nb-NO.json
+++ b/frontend/src/i18n/nb-NO.json
@@ -5,18 +5,22 @@
   "common.close": "Lukk",
   "common.copied": "Kopiert!",
   "common.copy": "Kopier",
+  "common.create": "Opprett",
   "common.download": "Last ned",
+  "common.edit": "Rediger",
   "common.next": "Neste",
   "common.previous": "Forrige",
   "common.refresh": "Oppdater",
   "common.remove": "Fjern",
   "common.reset": "Nullstill",
   "common.retry": "Prøv igjen",
+  "common.save": "Lagre",
   "common.share": "Del",
   "common.show": "Vis",
   "admin.licenseInfo.manageSubscription": "Administrer abonnement",
   "admin.webOfTrust.information": "Finn ut mer.",
   "admin.webOfTrust.save": "Lagre",
+  "admin.emergencyAccess.learnMore": "Finn ut mer.",
   "auditLog.filter": "Filter",
   "auditLog.details": "Detaljer",
   "auditLog.details.vault.create": "Opprett hvelv",
@@ -26,9 +30,27 @@
   "createVault.showRecoveryKey.submit": "Opprett hvelv",
   "deviceList.deviceName": "Enhetsnavn",
   "editVaultMetadataDialog.vaultName": "Navn på hvelvet",
+  "group.detail.vaults": "Hvelv",
+  "group.detail.name": "Navn",
+  "groupList.name": "Navn",
+  "groupList.edit.group.button": "Rediger",
+  "groupList.vaults.count": "Hvelv",
   "legacyDeviceList.description.information": "Finn ut mer.",
   "legacyDeviceList.deviceName": "Enhetsnavn",
   "nav.vaults": "Hvelv",
+  "user.detail.disable": "Deaktiver",
+  "user.detail.edit": "Rediger",
+  "user.detail.enable": "Aktiver",
+  "user.detail.name": "Navn",
+  "user.detail.username": "Brukernavn",
+  "userEditCreate.button.save": "Lagre",
+  "userEditCreate.username": "Brukernavn",
+  "userEditCreate.password": "Passord",
+  "userEditCreate.passwordStrong": "Sterkt",
+  "userEditCreate.passwordWeak": "Svakt",
+  "userList.edit.user.button": "Rediger",
+  "userList.userName": "Navn",
+  "userList.vaults.count": "Hvelv",
   "unlockSuccess.deviceSetup.title": "Ny Enhet",
   "vaultDetails.actions.updatePermissions.reload": "Last på nytt",
   "vaultDetails.actions.displayRecoveryKey": "Vis gjenopprettingsnøkkel",
diff --git a/frontend/src/i18n/nl-NL.json b/frontend/src/i18n/nl-NL.json
index 09173670b..6d80260e9 100644
--- a/frontend/src/i18n/nl-NL.json
+++ b/frontend/src/i18n/nl-NL.json
@@ -18,10 +18,16 @@
   "common.close": "Sluiten",
   "common.copied": "Gekopieerd!",
   "common.copy": "Kopieer",
+  "common.create": "Maak",
+  "common.device": "Toestel",
   "common.download": "Download",
+  "common.edit": "Bewerken",
   "common.hide": "Verbergen",
+  "common.leave": "Verlaten",
   "common.loading": "Bezig met laden…",
   "common.next": "Volgende",
+  "common.none": "Geen",
+  "common.nothingFound": "Geen resultaten",
   "common.optional": "optioneel",
   "common.pagination": "Paginering",
   "common.previous": "Vorige",
@@ -30,6 +36,10 @@
   "common.remove": "Verwijderen",
   "common.reset": "Resetten",
   "common.retry": "Opnieuw proberen",
+  "common.save": "Opslaan",
+  "common.saved": "Opgeslagen!",
+  "common.search.placeholder": "Zoeken…",
+  "common.select.placeholder": "Selecteer…",
   "common.share": "Delen",
   "common.show": "Toon",
   "common.undo": "Ongedaan maken",
@@ -37,12 +47,17 @@
   "common.unsavedChanges": "Onopgeslagen wijzigingen.",
   "common.update": "Bijwerken",
   "common.xMembers": "{0} Leden",
+  "common.actions": "Acties",
+  "common.group": "Groep",
+  "common.member": "Lid",
+  "common.property": "Eigenschap",
+  "common.value": "Waarde",
   "admin.title": "Beheerder",
   "admin.serverInfo.title": "Serverinfo",
-  "admin.serverInfo.description": "De Hub ID wordt gebruikt om uw Cryptomator Hub instantie voor uw licentie te identificeren. Bij ondersteuning geef altijd de weergegeven Hub en Keycloak versie door.",
-  "admin.serverInfo.hubId.title": "Hub ID",
-  "admin.serverInfo.hubVersion.title": "Hub versie",
-  "admin.serverInfo.hubVersion.description.upToDate": "De Hub is up-to-date.",
+  "admin.serverInfo.description": "De Katta ID wordt gebruikt om uw Katta instantie voor uw licentie te identificeren. Bij ondersteuning geef altijd de weergegeven Katta en Keycloak versie door.",
+  "admin.serverInfo.hubId.title": "Katta ID",
+  "admin.serverInfo.hubVersion.title": "Katta versie",
+  "admin.serverInfo.hubVersion.description.upToDate": "Katta is up-to-date.",
   "admin.serverInfo.hubVersion.description.updateExists": "Update naar versie \"{0}\" beschikbaar.",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "Controleren op updates niet mogelijk. Controleer handmatig.",
   "admin.serverInfo.keycloakVersion.title": "Keycloak Versie",
@@ -62,8 +77,8 @@
   "admin.licenseInfo.manageSubscription": "Abonnement beheren",
   "admin.licenseInfo.type.title": "Type",
   "admin.licenseInfo.getLicense": "Verkrijg licentie",
-  "admin.licenseInfo.selfHostedNoLicense.description": "Bedankt voor het gebruiken van Cryptomator Hub! U heeft een Community licentie gekregen. Als u meer zetels nodig heeft, upgrade dan uw licentie.",
-  "admin.licenseInfo.managedNoLicense.description": "Bedankt voor het gebruik van Cryptomator Hub! U heeft momenteel geen actieve licentie.",
+  "admin.licenseInfo.selfHostedNoLicense.description": "Bedankt voor het gebruiken van Katta! U heeft een Community licentie gekregen. Als u meer zetels nodig heeft, upgrade dan uw licentie.",
+  "admin.licenseInfo.managedNoLicense.description": "Bedankt voor het gebruik van Katta! U heeft momenteel geen actieve licentie.",
   "admin.webOfTrust.title": "Web of Trust",
   "admin.webOfTrust.description": "De WoT-instellingen configureren om te beheren hoe vertrouwen wordt opgebouwd tussen gebruikers in het systeem. Deze instellingen hebben invloed op de verificatie van gebruikersidentiteiten en sleutelhandtekeningen.",
   "admin.webOfTrust.information": "Meer weten.",
@@ -75,6 +90,27 @@
   "admin.webOfTrust.wotIdVerifyLen.description": "Hoeveel vingers van andere gebruikers hun vingerafdruk moet je invoeren om hun identiteit te verifiëren.",
   "admin.webOfTrust.save": "Opslaan",
   "admin.webOfTrust.saved": "Opgeslagen!",
+  "admin.emergencyAccess.title": "Noodtoegang",
+  "admin.emergencyAccess.description": "Configureer sleutelsplitting voor kluis-herstel.",
+  "admin.emergencyAccess.learnMore": "Meer weten.",
+  "admin.emergencyAccess.noRedundancy.title": "Je huidige sleutel-splitsing kent geen redundantie!",
+  "admin.emergencyAccess.noRedundancy.description": "Het wordt sterk aangeraden om meer sleutelhouders te configureren dan de benodigde sleutels.",
+  "admin.emergencyAccess.enabled.label": "Ingeschakeld",
+  "admin.emergencyAccess.enabled.help": "Schakel noodtoegang in",
+  "admin.emergencyAccess.requiredKeys.label": "Vereiste sleutels",
+  "admin.emergencyAccess.requiredKeys.ariaLabel": "Vereiste gedeelde sleutels",
+  "admin.emergencyAccess.requiredKeys.help": "Hoeveel sleutels er nodig zijn om toegang tot een kluis te herstellen.",
+  "admin.emergencyAccess.keyholders.label": "Sleutelhouders",
+  "admin.emergencyAccess.keyholders.minSelected": "Er moeten minstens {0} leden worden geselecteerd. Het vereiste aantal werd hierboven vastgesteld.",
+  "admin.emergencyAccess.keyholders.help": "Wie een noodtoegangssleutel zal ophalen.",
+  "admin.emergencyAccess.allowChoosing.label": "Laat kluiseigenaren verschillende sleutelhouders kiezen.",
+  "admin.emergencyAccess.allowChoosing.atLeast": "Minstens:",
+  "admin.emergencyAccess.minMembers.ariaLabel": "Minimum aantal leden",
+  "admin.emergencyAccess.example.help": "Voorbeeld van wie kan samenwerken om een kluis te herstellen.",
+  "admin.emergencyAccess.validation.maxValue": "Maximale waarde is {0}.",
+  "admin.emergencyAccess.validation.minValue": "Minimale waarde is {0}.",
+  "admin.emergencyAccess.validation.minMembersAtLeastRequiredShares": "Moet groter of gelijk zijn aan de vereiste gedeelde sleutels.",
+  "admin.emergencyAccess.errors.sharesMustNotExceedMembers": "Vereiste aantal gedeelde sleutels mogen het minimum aantal leden niet overschrijden.",
   "archiveVaultDialog.title": "Kluis archiveren",
   "archiveVaultDialog.description": "Het archiveren van een kluis maakt deze inactief. Dit kan bezette plaatsen vrijmaken. Een gearchiveerde kluis kan later opnieuw geactiveerd worden.",
   "archiveVaultDialog.confirm": "Archief",
@@ -86,11 +122,18 @@
   "auditLog.filter.endDate": "Einddatum",
   "auditLog.filter.selectEventFilter": "Activiteitsfilter selecteren",
   "auditLog.filter.clerEventFilter": "Activiteitsfilter wissen",
+  "auditLog.filter.removeEventType": "Verwijder {type}",
   "auditLog.timestamp": "Tijdstip",
   "auditLog.type": "Activiteit",
   "auditLog.details": "Details",
   "auditLog.details.device.register": "Apparaat registreren",
   "auditLog.details.device.remove": "Apparaat verwijderen",
+  "auditLog.details.emergencyaccess.setup": "Instellen van toegang in noodsituatie",
+  "auditLog.details.emergencyaccess.settingsUpdated": "Instellingen van toegang in noodsituaties geüpdate",
+  "auditLog.details.emergencyaccess.recoveryStarted": "Herstelprocedure voor toegang in noodsituaties gestart",
+  "auditLog.details.emergencyaccess.recoveryApproved": "Herstelprocedure voor toegang in noodsituaties goedgekeurd",
+  "auditLog.details.emergencyaccess.recoveryCompleted": "Herstelprocedure voor toegang in noodsituaties afgerond",
+  "auditLog.details.emergencyaccess.recoveryAborted": "Herstelprocedure voor toegang in noodsituaties afgebroken",
   "auditLog.details.setting.wot.update": "Update Wot Instellingen",
   "auditLog.details.user.account.reset": "Account Resetten",
   "auditLog.details.user.keys.change": "Gebruikerssleutels wijzigen",
@@ -123,6 +166,9 @@
   "createVault.enterVaultDetails.description": "Voer een naam en beschrijving in voor je nieuwe kluis. Je kunt deze later wijzigen.",
   "createVault.enterVaultDetails.vaultName": "Kluisnaam",
   "createVault.enterVaultDetails.vaultDescription": "Beschrijving",
+  "createVault.emergencyAccessDetails.title": "Definieer de voorwaarden voor toegang in noodsituaties",
+  "createVault.emergencyAccessDetails.description": "Selecteer adviserende leden voor toegang in noodsituaties.",
+  "createVault.emergencyAccessDetails.description.adminDefined": "De noodtoegang raad is gedefinieerd door de beheerder en kan hier niet gewijzigd worden.",
   "createVault.showRecoveryKey.title": "Herstelsleutel",
   "createVault.showRecoveryKey.description": "De volgende herstelsleutel kan worden gebruikt om toegang tot de kluis te herstellen.",
   "createVault.showRecoveryKey.recoveryKey": "Herstelsleutel van uw Kluis",
@@ -133,13 +179,22 @@
   "createVault.error.invalidRecoveryKey": "Herstelsleutel is ongeldig.",
   "createVault.error.vaultAlreadyExists": "Een kluis met deze naam bestaat al.",
   "createVault.error.downloadTemplateFailed": "Downloaden van kluis template mislukt: {0}",
-  "createVault.error.paymentRequired": "Uw Cryptomator Hub licentie heeft het aantal beschikbare plaatsen overschreden of is verlopen. Stel een Hub beheerder op de hoogte om de licentie te upgraden of te verlengen.",
+  "createVault.error.paymentRequired": "Uw Katta licentie heeft het aantal beschikbare plaatsen overschreden of is verlopen. Stel een Katta beheerder op de hoogte om de licentie te upgraden of te verlengen.",
   "createVault.success.title": "Kluis aangemaakt",
   "createVault.success.description": "Na het downloaden van de gezipte kluisfolder pak je deze uit op elke locatie gedeeld met je teamleden.",
   "createVault.success.download": "Download de gezipte kluisfolder",
   "createVault.success.return": "Keer terug naar kluis lijst",
+  "deleteGroupDialog.title": "Groep verwijderen",
+  "deleteGroupDialog.description": "Weet je zeker dat je deze groep permanent wilt verwijderen? Deze zal uit alle bijbehorende kluizen worden verwijderd. Deze actie kan niet ongedaan worden gemaakt.",
+  "deleteGroupDialog.confirm": "Ja, verwijder groep",
+  "disableUserDialog.title": "Gebruiker uitschakelen",
+  "disableUserDialog.description": "Deze gebruiker zal niet langer kunnen inloggen en uitgesloten worden van het beschikbare plaatsen. Je kunt de gebruiker op elk gewenst moment opnieuw inschakelen.",
+  "disableUserDialog.confirm": "Gebruiker uitschakelen",
+  "deleteUserDialog.title": "Gebruikersaccount verwijderen",
+  "deleteUserDialog.description": "Weet je zeker dat je deze gebruiker permanent wilt verwijderen? Alle bijbehorende kluizen en apparaten zullen worden verwijderd. Deze actie kan niet ongedaan worden gemaakt.",
+  "deleteUserDialog.confirm": "Ja, verwijder gebruiker",
   "deviceList.empty.message": "Geen apparaten",
-  "deviceList.empty.description": "Om een apparaat toe te voegen, voeg een kluis van deze Hub toe aan de Cryptomator-app van het apparaat en ontgrendel deze.",
+  "deviceList.empty.description": "Om een apparaat toe te voegen, voeg een kluis van Katta toe aan de Katta-app van het apparaat en ontgrendel deze.",
   "deviceList.title": "Geautoriseerde apparaten en browsers",
   "deviceList.deviceName": "Apparaatnaam",
   "deviceList.type": "Type",
@@ -148,8 +203,87 @@
   "deviceList.ipAddress": "IP-adres",
   "deviceList.lastAccess": "Laatste Kluis Toegang",
   "deviceList.lastAccess.toolTip": "Mogelijk ontbreekt dit voor apparaten die toegankelijk zijn met oudere versies.",
+  "deviceType.browser": "Browser",
+  "deviceType.desktop": "Computer",
+  "deviceType.mobile": "Mobiel",
   "downloadVaultTemplateDialog.title": "Kluis template downloaden",
   "downloadVaultTemplateDialog.description": "Download en open de gezipte kluis template naar elke locatie gedeeld met je teamleden. Dit is slechts eenmaal vereist tijdens de initiële configuratie.",
+  "emergencyAccess.requiredKeyShares": "Vereiste gedeelde sleutels",
+  "emergencyAccess.processCouncil": "Proces adviesraad",
+  "emergencyAccess.status.added": "Toegevoegd",
+  "emergencyAccess.status.pending": "In behandeling",
+  "emergencyAccess.startProcess": "Proces starten",
+  "emergencyAccess.notPossible": "Niet mogelijk",
+  "emergencyAccess.vaultCouncil": "Kluis adviesraad",
+  "emergencyAccess.noRedundancy": "Geen Redundantie",
+  "emergencyAccess.label.councilMembers": "Leden adviesraad",
+  "emergencyAccess.label.newCouncilMembers": "Nieuwe leden van de raad",
+  "emergencyAccess.label.owners": "Eigenaars",
+  "emergencyAccess.label.members": "Gebruikers",
+  "emergencyAccess.label.removed": "Verwijderd",
+  "emergencyAccess.label.possibleScenario": "Mogelijk Noodsituatie Scenario",
+  "emergencyAccess.label.exampleRecovery": "Voorbeeld herstel",
+  "emergencyAccess.validation.selectMoreCouncilMembers": "Selecteer nog minstens {0} raadsleden.",
+  "emergencyAccess.validation.minimumMembers": "Tenminste {0} leden moeten worden geselecteerd.",
+  "emergencyAccess.approval.waitingOthers": "Wachten op andere goedkeuringen",
+  "emergencyAccess.approval.showDetails": "Toon details",
+  "emergencyAccess.approval.completeNow": "Nu voltooien",
+  "emergencyAccess.approval.approveNow": "Nu goedkeuren",
+  "emergencyAccess.processType.changePermissions": "Kies Kluis Leden",
+  "emergencyAccess.processType.changeCouncil": "Toegangsraad voor noodgevallen veranderen",
+  "emergencyAccess.filter.all": "Alles",
+  "emergencyAccess.filter.approvable": "Goedkeurbaar",
+  "emergencyAccess.filter.approved": "Goedgekeurd",
+  "emergencyAccess.filter.startable": "Beginbaar",
+  "emergencyAccess.empty.disabled": "Noodtoegang is uitgeschakeld.",
+  "emergencyAccess.empty.noneFound": "Geen noodtoegangskluizen gevonden",
+  "emergencyAccess.licenseRequired.message": "Noodtoegang is alleen beschikbaar met een betaalde licentie.",
+  "emergencyAccess.licenseRequired.adminHint": "Je kunt er één krijgen in de admin-sectie.",
+  "emergencyAccess.badge.notCouncil.title": "Geen Kluis Raadlid meer",
+  "emergencyAccess.badge.notCouncil.message": "U maakt niet langer deel uit van de noodraad van de kluis, maar u bent nog steeds betrokken bij een actief proces van noodtoegang.",
+  "emergencyAccess.badge.broken.title": "Noodtoegang Kapot",
+  "emergencyAccess.badge.broken.message": "Noodtoegang is niet meer mogelijk. Een of meer leden van de raad hebben hun account gereset en hun sleutel verloren.",
+  "emergencyAccess.badge.noRedundancy.title": "Geen Redundantie",
+  "emergencyAccess.badge.noRedundancy.message": "Deze Raad voor noodtoegang heeft geen redundantie. Overweeg om een raad aan te wijzen met redundantie.",
+  "emergencyAccessDialog.message.completed": "Proces succesvol voltooid.",
+  "emergencyAccessDialog.label.selectOwner": "Selecteer gebruiker met eigenaarsrol",
+  "emergencyAccessDialog.label.selectMember": "Selecteer gebruiker met lid rol",
+  "emergencyAccessDialog.label.councilMembersAtLeast": "Raadsleden (tenminste: {0})",
+  "emergencyAccessDialog.section.ownership": "Eigendom",
+  "emergencyAccessDialog.section.councilChange": "Verander Raad",
+  "emergencyAccessDialog.hint.finishProcess": "U kunt dit noodtoegangproces voltooien door de laatste sleutel te delen en te voltooien.",
+  "emergencyAccessDialog.hint.keyShareAdded": "Je sleutelverdeling is al toegevoegd.",
+  "emergencyAccessDialog.hint.notInCouncil": "U maakt geen deel uit van de Raad voor dit proces en kunt geen sleutelverdeling toevoegen.",
+  "emergencyAccessDialog.action.abortProcess": "Dit proces afbreken",
+  "emergencyAccessDialog.action.start": "Start",
+  "emergencyAccessDialog.action.approve": "Goedkeuren",
+  "emergencyAccessDialog.action.completeProcess": "Proces voltooien",
+  "emergencyAccessDialog.title.success": "Succes",
+  "emergencyAccessDialog.title.changeCouncil": "Verander Raad",
+  "emergencyAccessDialog.title.changePermissions": "Kluismachtigingen wijzigen",
+  "emergencyAccessDialog.title.processDetails": "Proces details",
+  "emergencyAccessDialog.title.approved": "Goedgekeurd",
+  "emergencyAccessDialog.title.approveEmergencyAccess": "Noodtoegang goedkeuren",
+  "emergencyAccessDialog.title.completeEmergencyAccess": "Volledige noodtoegang",
+  "emergencyAccessDialog.error.insufficientCouncilMembers": "Inconsistente gegevens: Onvoldoende Raadsleden ({0}) om deze kluis te herstellen ({1}).",
+  "emergencyAccessDialog.error.noProcessToApprove": "Geen herstelproces om goed te keuren.",
+  "emergencyAccessDialog.error.processTampered": "Er is geknoeid met het herstelproces.",
+  "emergencyAccessDialog.error.noProcessToComplete": "Geen herstelproces om te voltooien.",
+  "emergencyAccessDialog.error.unsupportedProcessType": "Niet-ondersteunde staat voor herstelproces type: {0}",
+  "grantEmergencyAccessDialog.title": "Noodtoegang toestaan",
+  "grantEmergencyAccessDialog.description.selectCouncil": "Selecteer Raadsleden om noodtoegang te verlenen voor deze kluis.",
+  "grantEmergencyAccessDialog.description.default": "Noodtoegang toestaan voor deze kluis.",
+  "grantEmergencyAccessDialog.grant": "Toestaan",
+  "grantEmergencyAccessDialog.error.keySharesRequired": "Ten minste 2 Sleutelverdelingen voor noodgevallen zijn vereist.",
+  "grantEmergencyAccessDialog.error.councilMembersRequired": "Er zijn tenminste 2 Raadsleden nodig.",
+  "grantEmergencyAccessDialog.error.tooFewCouncilMembers": "Te weinig Raadsleden Verhoog of verlaag de benodigde Sleutelverdelingen voor Noodgevallen.",
+  "processAbortDialog.title": "Dit proces afbreken",
+  "processAbortDialog.description": "Weet u zeker dat u dit noodtoegangproces wilt afbreken? Deze actie kan niet ongedaan worden gemaakt.",
+  "processAbortDialog.confirm": "Proces afbreken",
+  "recoveryDialog.error.invalidRecoveryType": "Ongeldig herstel-procestype.",
+  "recoveryDialog.error.processAlreadyExists": "Een herstelproces van dit type bestaat al.",
+  "recoveryDialog.error.noOwnerSelected": "Selecteer ten minste één eigenaar.",
+  "recoveryDialog.error.notEnoughCouncilMembers": "Niet genoeg raadsleden geselecteerd.",
   "editVaultMetadataDialog.title": "Kluis metadata bewerken",
   "editVaultMetadataDialog.description": "De naam en beschrijving van de kluis bijwerken.",
   "editVaultMetadataDialog.vaultName": "Kluisnaam",
@@ -159,6 +293,47 @@
   "grantPermissionDialog.title": "Toestemming geven",
   "grantPermissionDialog.description": "Kluissleutels delen met nieuw toegevoegde gebruikers.",
   "grantPermissionDialog.submit": "Geef toestemming aan {0} Gebruiker(s)",
+  "groups.title": "Groepen",
+  "group.detail.info": "Groep details",
+  "group.detail.members": "Gebruikers",
+  "group.detail.vaults": "Kluizen",
+  "group.detail.edit": "Groep bewerken",
+  "group.detail.add.member": "Gebruiker toevoegen",
+  "group.detail.name": "Naam",
+  "group.detail.createdOn": "Aangemaakt op",
+  "group.detail.roles": "Rollen",
+  "groupList.name": "Naam",
+  "groupList.members.count": "Gebruikers",
+  "groupList.edit.group.button": "Bewerken",
+  "groupList.search.placeholder": "Zoeken…",
+  "groupList.groupImage": "Groepsafbeelding",
+  "groupList.vaults.count": "Kluizen",
+  "groupList.create.button": "Groep aanmaken",
+  "groupList.group.created": "Aangemaakt op",
+  "group.members.add": "Gebruikers toevoegen",
+  "group.members.search.empty": "Geen resultaten",
+  "group.addMembers.title": "Gebruikers toevoegen",
+  "group.addMembers.searchLabel": "Zoeken op gebruikersnaam of volledige naam",
+  "group.addMembers.selectedUser": "Gebruiker(s) geselecteerd",
+  "group.member.remove.title": "Verwijder gebruiker uit groep",
+  "group.member.remove.description": "Weet je zeker dat je deze gebruiker wilt verwijderen uit de groep?",
+  "group.member.remove.confirm": "Ja, verwijderen uit groep",
+  "groupEditCreate.title.create": "Nieuwe groep aanmaken",
+  "groupEditCreate.title.edit": "Groep bewerken",
+  "groupEditCreate.profileImage": "Profielafbeelding",
+  "groupEditCreate.role": "Rol",
+  "groupEditCreate.removePicture": "Afbeelding verwijderen",
+  "groupEditCreate.addPicture": "Afbeelding toevoegen",
+  "groupEditCreate.name": "Groepsnaam",
+  "groupEditCreate.roles": "Rollen",
+  "groupEditCreate.validation.required": "Dit veld is verplicht",
+  "groupEditCreate.roles.remove": "Rollen verwijderen",
+  "groupEditCreate.roles.choose": "Rollen kiezen",
+  "groupEditCreate.roles.addMore": "Meer toevoegen",
+  "groupEditCreate.invalidImageUrl": "Ongeldige afbeeldings-URL",
+  "groupEditCreate.profilePictureUrl": "URL profielafbeelding",
+  "groupEditCreate.selectRolesPlaceholder": "Selecteer rol(len)",
+  "groupEditCreate.error.groupNameAlreadyExists": "Een groep met deze naam bestaat al.",
   "trustDetails.trustLevel": "Vertrouwensniveau {0}",
   "trustDetails.trustLevel.untrusted": "Ongeverifieerd",
   "trustDetails.showSignDialogBtn": "Identiteit controleren...",
@@ -166,7 +341,7 @@
   "signUserKeysDialog.title": "Identiteit van {0} verifiëren",
   "signUserKeysDialog.description": "Voer de eerste {0} tekens in van {1}'s vingerafdruk om de authenticiteit van hun openbare sleutels te bevestigen. De vingerafdruk kan worden gevonden in het gebruikersprofiel.",
   "signUserKeysDialog.submit": "Bevestig de identiteit van deze gebruiker",
-  "initialSetup.createUserKey.title": "Welkom bij Cryptomator Hub",
+  "initialSetup.createUserKey.title": "Welkom bij Katta",
   "initialSetup.createUserKey.description": "Bij de eerste aanmelding krijgt elke gebruiker een unieke accountsleutel:",
   "initialSetup.createUserKey.details.accountKey": "Uw Accountsleutel is vereist om in te loggen vanuit andere apps of browsers",
   "initialSetup.createUserKey.details.devicesList": "U kunt een lijst met geautoriseerde apps op uw profielpagina zien",
@@ -182,19 +357,19 @@
   "initialSetup.recoverUserKey.lostAccountKey": "Accountsleutel verloren? {0}",
   "initialSetup.recoverUserKey.lostAccountKey.resetUserAccount": "Account Resetten",
   "initialSetup.setupAlreadyCompleted.title": "Installatie al voltooid",
-  "initialSetup.setupAlreadyCompleted.description": "U hebt de initiële setup voor Cryptomator Hub al voltooid. Uw accountsleutel kan worden gevonden in uw profiel.",
+  "initialSetup.setupAlreadyCompleted.description": "U hebt de initiële setup voor Katta al voltooid. Uw accountsleutel kan worden gevonden in uw profiel.",
   "initialSetup.setupAlreadyCompleted.goToYourProfile": "Ga naar Profiel",
   "initialSetup.accountKey": "Account Key",
   "initialSetup.submit": "Installatie Voltooien",
   "licenseAlert.noRemainingSeats.title": "Licentie verlopen",
-  "licenseAlert.noRemainingSeats.admin.description": "Uw Cryptomator Hub instantie heeft het aantal toegestane plaatsen overschreden. Upgrade deze in de {0} om uw kluizen opnieuw te beheren en te ontgrendelen.",
-  "licenseAlert.noRemainingSeats.user.description": "Uw Cryptomator Hub licentie heeft het aantal beschikbare plaatsen overschreden. Stel een Hub beheerder op de hoogte om de licentie te upgraden of te verlengen.",
+  "licenseAlert.noRemainingSeats.admin.description": "Uw Katta instantie heeft het aantal toegestane plaatsen overschreden. Upgrade deze in de {0} om uw kluizen opnieuw te beheren en te ontgrendelen.",
+  "licenseAlert.noRemainingSeats.user.description": "Uw Katta licentie heeft het aantal beschikbare plaatsen overschreden. Stel een Katta beheerder op de hoogte om de licentie te upgraden of te verlengen.",
   "licenseAlert.licenseExpired.title": "Licentie verlopen",
-  "licenseAlert.licenseExpired.admin.description": "Uw Cryptomator Hub licentie is verlopen. Vernieuw deze in de {0} om uw kluizen opnieuw te beheren en te ontgrendelen.",
-  "licenseAlert.licenseExpired.user.description": "Uw Cryptomator Hub licentie is verlopen. Informeer een Hub beheerder om de licentie te verlengen.",
+  "licenseAlert.licenseExpired.admin.description": "Uw Katta licentie is verlopen. Vernieuw deze in de {0} om uw kluizen opnieuw te beheren en te ontgrendelen.",
+  "licenseAlert.licenseExpired.user.description": "Uw Katta licentie is verlopen. Informeer een Katta beheerder om de licentie te verlengen.",
   "licenseAlert.button": "Beheercentrum",
   "legacyDeviceList.title": "Oudere apparaten",
-  "legacyDeviceList.description": "Deze apparaten zijn gemaakt met een oudere versie van Hub en moeten worden bijgewerkt om kluizen in toekomstige versies te ontgrendelen. Als u ze niet meer nodig hebt, verwijder ze dan. Anders moet u Cryptomator op dat apparaat bijwerken. Uw volgende ontgrendeling activeert de update automatisch.",
+  "legacyDeviceList.description": "Deze apparaten zijn gemaakt met een oudere versie van Katta en moeten worden bijgewerkt om kluizen in toekomstige versies te ontgrendelen. Als u ze niet meer nodig hebt, verwijder ze dan. Anders moet u Katta op dat apparaat bijwerken. Uw volgende ontgrendeling activeert de update automatisch.",
   "legacyDeviceList.description.information": "Meer informatie.",
   "legacyDeviceList.deviceName": "Naam van apparaat",
   "legacyDeviceList.type": "Type",
@@ -207,11 +382,15 @@
   "manageAccountKey.description": "Uw Accountsleutel is vereist om in te loggen vanuit andere apps of browsers.",
   "manageAccountKey.regenerate": "Vernieuw Sleutel",
   "nav.vaults": "Kluizen",
+  "nav.emergencyAccess": "Noodtoegang",
   "nav.profile.signedInAs": "Aangemeld als",
   "nav.profile.profile": "Jouw profiel",
   "nav.profile.admin": "Beheerder",
   "nav.profile.auditlog": "Audit logboek",
   "nav.profile.signOut": "Uitloggen",
+  "nav.authority": "Gebruikers & groepen",
+  "nav.groups": "Groepen",
+  "nav.users": "Gebruikers",
   "nav.mobileMenu": "Hoofdmenu openen",
   "reactivateVaultDialog.title": "Kluis heractiveren",
   "reactivateVaultDialog.description": "Waarschuwing: Het opnieuw activeren van een kluis kan een invloed hebben op het aantal beschikbare plaatsen. Als het aantal beschikbare plaatsen wordt overschreden, zal het ontgrendelen van alle kluizen worden geblokkeerd.",
@@ -235,18 +414,75 @@
   "resetUserAccountDialog.submit": "Account Resetten",
   "userkeyFingerprint.title": "Vingerafdruk",
   "userkeyFingerprint.description": "Uw Vingerafdruk kan worden gebruikt om uw identiteit te verifiëren wanneer u de kluismachtigingen bijwerkt.",
+  "users.title": "Gebruikers",
+  "user.detail.createdOn": "Aangemaakt op",
+  "user.detail.disable": "Uitschakelen",
+  "user.detail.devices": "Apparaten",
+  "user.detail.edit": "Bewerken",
+  "user.detail.enable": "Inschakelen",
+  "user.detail.email": "Email",
+  "user.detail.groups": "Groepen",
+  "user.detail.groups.join": "Deelnemen",
+  "user.detail.info": "Gebruikersdetails",
+  "user.detail.legacyDeviceList.info": "Deze apparaten zijn gemaakt met een oudere versie van Hub en moeten worden bijgewerkt om kluizen in toekomstige versies te ontgrendelen.",
+  "user.detail.name": "Naam",
+  "user.detail.roles": "Rollen",
+  "user.detail.username": "Gebruikersnaam",
+  "user.addGroups.title": "Groepen Toevoegen",
+  "user.addGroups.searchLabel": "Zoeken op groepsnaam",
+  "user.addGroups.selectedGroups": "Groep(en) geselecteerd",
+  "userEditCreate.title.create": "Nieuwe gebruiker aanmaken",
+  "userEditCreate.title.edit": "Bewerk gebruiker",
+  "userEditCreate.button.create": "Gebruiker aanmaken",
+  "userEditCreate.button.save": "Opslaan",
+  "userEditCreate.button.saved": "Opgeslagen!",
+  "userEditCreate.firstName": "Voornaam",
+  "userEditCreate.lastName": "Achternaam",
+  "userEditCreate.username": "Gebruikersnaam",
+  "userEditCreate.email": "Email",
+  "userEditCreate.roles": "Rollen",
+  "userEditCreate.selectRolesPlaceholder": "Selecteer rol(len)",
+  "userEditCreate.password": "Wachtwoord",
+  "userEditCreate.passwordConfirm": "Bevestig wachtwoord",
+  "userEditCreate.create.passwordInfo": "Dit is een tijdelijk wachtwoord. De gebruiker moet het wijzigen bij de eerste aanmelding.",
+  "userEditCreate.edit.passwordInfo": "Laat de wachtwoordvelden leeg als je het wachtwoord van de gebruiker niet wilt resetten.",
+  "userEditCreate.removePicture": "Afbeelding verwijderen",
+  "userEditCreate.passwordStrong": "Sterk",
+  "userEditCreate.passwordMedium": "Gemiddeld",
+  "userEditCreate.passwordWeak": "Zwak",
+  "userEditCreate.passwordsMatch": "Wachtwoorden komen overeen",
+  "userEditCreate.passwordsDontMatch": "Wachtwoorden komen niet overeen",
+  "userEditCreate.profilePictureUrl": "URL profielafbeelding",
+  "userEditCreate.showPassword": "Wachtwoord tonen",
+  "userEditCreate.hidePassword": "Wachtwoord verbergen",
+  "userEditCreate.invalidEmail": "Ongeldig e-mailformaat",
+  "userEditCreate.invalidImageUrl": "Ongeldige afbeeldings-URL",
+  "userEditCreate.validation.required": "Dit veld is verplicht",
+  "userEditCreate.validation.passwordMismatch": "Wachtwoorden komen niet overeen",
+  "userEditCreate.error.userAlreadyExists": "Een gebruiker met deze gebruikersnaam bestaat al.",
+  "userEditCreate.error.emailAlreadyExists": "Er bestaat al een gebruiker met dit e-mailadres.",
+  "userList.edit.user.button": "Bewerken",
+  "userList.userName": "Naam",
+  "userList.groups.count": "Groepen",
+  "userList.device.count": "Apparaten",
+  "userList.vaults.count": "Kluizen",
+  "userList.user.created": "Aangemaakt op",
+  "userList.profileImage": "Profielafbeelding",
+  "userList.create.button": "Gebruiker aanmaken",
   "userProfile.title": "Profiel",
   "userProfile.actions.manageAccount": "Account beheren",
   "userProfile.actions.changeLanguage": "Taal wijzigen",
   "userProfile.actions.changeLanguage.entry.browser": "Browser taal",
   "userProfile.keycloakVersion.notAvailable": "versie niet beschikbaar",
+  "unlock.noAccessVaultArchived.title": "Kluis is gearchiveerd",
+  "unlock.noAccessVaultArchived.description": "Deze kluis is gearchiveerd en is niet meer toegankelijk. Neem contact op met de eigenaar van de kluis.",
   "unlockSuccess.title": "Kluis met succes ontgrendeld",
-  "unlockSuccess.description": "U kunt dit browsertabblad nu sluiten en terugkeren naar Cryptomator.",
+  "unlockSuccess.description": "U kunt dit browsertabblad nu sluiten en terugkeren naar Katta.",
   "unlockSuccess.accountSetup.title": "Installatie vereist",
   "unlockSuccess.accountSetup.description": "Voltooi het instellen van uw account en haal uw accountsleutel op.",
   "unlockSuccess.accountSetup.goToSetup": "Installatie voltooien",
   "unlockSuccess.deviceSetup.title": "Nieuw apparaat",
-  "unlockSuccess.deviceSetup.description": "Voer uw accountsleutel in Cryptomator in om deze te autoriseren.",
+  "unlockSuccess.deviceSetup.description": "Voer uw accountsleutel in Katta in om deze te autoriseren.",
   "unlockSuccess.deviceSetup.goToProfile": "Bekijk accountsleutel in mijn profiel",
   "unlockSuccess.noVaultAccess.title": "Geen toegang tot deze kluis",
   "unlockSuccess.noVaultAccess.description": "Neem contact op met de kluis eigenaar om u toe te voegen als lid van de kluis.",
@@ -269,7 +505,9 @@
   "vaultDetails.actions.reactivateVault": "Kluis heractiveren",
   "vaultDetails.actions.claimOwnership": "Eigendom opeisen",
   "vaultDetails.actions.recoverVault": "Kluis toegang herstellen",
-  "vaultDetails.error.licenseViolated": "Uw Cryptomator Hub licentie is verlopen of u heeft het aantal toegestane plaatsen overschreden. Informeer een Hub beheerder of upgrade de licentie.",
+  "vaultDetails.emergencyAccess.setupCouncil": "Toegangsraad voor noodgevallen instellen",
+  "vaultDetails.emergencyAccess.fixCouncil": "Repareer Toegangsraad voor noodgevallen",
+  "vaultDetails.error.licenseViolated": "Uw Katta licentie is verlopen of u heeft het aantal toegestane plaatsen overschreden. Informeer een Katta beheerder of upgrade de licentie.",
   "vaultDetails.recoverVault.title": "U heeft uw account gereset!",
   "vaultDetails.recoverVault.description": "Om de toegang tot de kluis terug te krijgen moet u uw toegang herstellen via de herstelsleutel, of een andere eigenaar moet de toegangsrechten bijwerken.",
   "vaultList.title": "Kluizen",
@@ -288,5 +526,15 @@
   "vaultList.filter.result.empty.description": "Geen resultaten met die zoekterm of filter.",
   "vaultList.search.placeholder": "Zoeken…",
   "vaultList.badge.owner": "Eigenaar",
-  "vaultList.badge.archived": "Gearchiveerd"
+  "vaultList.badge.archived": "Gearchiveerd",
+  "userList.filter.result.empty.title": "Geen gebruikers",
+  "userList.filter.result.empty.description": "Geen resultaten met die zoekterm of filter.",
+  "groupList.empty.title": "Geen groepen",
+  "groupList.empty.description": "Je hebt geen groepen en bent geen lid van een groep.",
+  "groupList.filter.result.empty.title": "Geen groepen",
+  "groupList.filter.result.empty.description": "Geen resultaten met die zoekterm of filter.",
+  "missingEntitlements.title": "Upgrade vereist",
+  "missingEntitlements.description": "Deze functie maakt geen deel uit van uw huidige licentie.",
+  "trial.enterpriseFeature.title": "Enterprise Functie",
+  "trial.enterpriseFeature.description": "Deze functie is alleen permanent beschikbaar met een Enterprise licentie."
 }
diff --git a/frontend/src/i18n/nn-NO.json b/frontend/src/i18n/nn-NO.json
index 32710d841..99d04daac 100644
--- a/frontend/src/i18n/nn-NO.json
+++ b/frontend/src/i18n/nn-NO.json
@@ -10,5 +10,8 @@
   "createVault.enterVaultDetails.title": "Opprett kvelven",
   "createVault.enterVaultDetails.vaultName": "Namn på kvelven",
   "createVault.showRecoveryKey.submit": "Opprett kvelven",
-  "editVaultMetadataDialog.vaultName": "Namn på kvelven"
+  "editVaultMetadataDialog.vaultName": "Namn på kvelven",
+  "userEditCreate.password": "Passord",
+  "userEditCreate.passwordStrong": "Sterkt",
+  "userEditCreate.passwordWeak": "Svakt"
 }
diff --git a/frontend/src/i18n/pa-IN.json b/frontend/src/i18n/pa-IN.json
index bcfd639b6..bde7886e8 100644
--- a/frontend/src/i18n/pa-IN.json
+++ b/frontend/src/i18n/pa-IN.json
@@ -5,7 +5,9 @@
   "common.close": "ਬੰਦ ਕਰੋ",
   "common.copied": "ਕਾਪੀ ਕੀਤਾ!",
   "common.copy": "ਕਾਪੀ ਕਰੋ",
+  "common.create": "ਬਣਾਓ",
   "common.download": "ਡਾਊਨਲੋਡ",
+  "common.edit": "ਸੋਧੋ",
   "common.hide": "ਓਹਲੇ",
   "common.loading": "ਲੋਡ ਹੋ ਰਿਹਾ ਹੈ…",
   "common.next": "ਅੱਗੇ",
@@ -16,14 +18,18 @@
   "common.remove": "ਹਟਾਓ",
   "common.reset": "ਰੀਸੈੱਟ ਕਰੋ",
   "common.retry": "ਮੁੜ-ਕੋਸ਼ਿਸ਼",
+  "common.save": "ਸੰਭਾਲੋ",
+  "common.saved": "ਸੰਭਾਲਿਆ!",
+  "common.search.placeholder": "ਖੋਜੋ…",
   "common.share": "ਸਾਂਝਾ ਕਰੋ",
   "common.show": "ਵੇਖਾਓ",
   "common.update": "ਅੱਪਡੇਟ",
+  "common.actions": "ਕਾਰਵਾਈਆਂ",
   "admin.title": "ਐਡਮਿਨ",
   "admin.serverInfo.title": "ਸਰਵਰ ਦੀ ਜਾਣਕਾਰੀ",
-  "admin.serverInfo.hubId.title": "Hub ID",
-  "admin.serverInfo.hubVersion.title": "Hub ਵਰਜ਼ਨ",
-  "admin.serverInfo.hubVersion.description.upToDate": "Hub ਅੱਪ ਟੂ ਡੇਟ ਹੈ।",
+  "admin.serverInfo.hubId.title": "Katta ID",
+  "admin.serverInfo.hubVersion.title": "Katta ਵਰਜ਼ਨ",
+  "admin.serverInfo.hubVersion.description.upToDate": "Katta ਅੱਪ ਟੂ ਡੇਟ ਹੈ।",
   "admin.serverInfo.hubVersion.description.updateExists": "{0} ਵਰਜ਼ਨ ਲਈ ਅੱਪਡੇਟ ਸੰਭਵ ਹੈ।",
   "admin.licenseInfo.title": "ਲਸੰਸ ਦੀ ਜਾਣਕਾਰੀ",
   "admin.licenseInfo.seats.title": "ਸੀਟਾਂ ਦੀ ਗਿਣਤੀ",
@@ -35,6 +41,7 @@
   "admin.webOfTrust.information": "ਹੋਰ ਜਾਣੋ।",
   "admin.webOfTrust.save": "ਸੰਭਾਲੋ",
   "admin.webOfTrust.saved": "ਸੰਭਾਲਿਆ!",
+  "admin.emergencyAccess.learnMore": "ਹੋਰ ਜਾਣੋ।",
   "auditLog.order.ascending": "ਵੱਧਦਾ ਕ੍ਰਮ",
   "auditLog.order.descending": "ਘੱਟਦਾ ਕ੍ਰਮ",
   "auditLog.filter": "ਫਿਲਟਰ",
@@ -75,15 +82,23 @@
   "deviceList.thisDevice": "ਇਸ ਡਿਵਾਈਸ",
   "deviceList.ipAddress": "IP ਸਿਰਨਾਵਾਂ",
   "downloadVaultTemplateDialog.title": "ਵਾਲਟ ਟੈਪਲੇਟ ਨੂੰ ਡਾਊਨਲੋਡ ਕਰੋ",
+  "emergencyAccess.status.added": "ਜੋੜ ਗਿਆ",
+  "emergencyAccess.filter.all": "ਸਭ",
   "editVaultMetadataDialog.vaultName": "ਵਾਲਟ ਦਾ ਨਾਂ",
   "editVaultMetadataDialog.vaultDescription": "ਵੇਰਵਾ",
   "editVaultMetadataDialog.error.formValidationFailed": "ਵਾਲਟ ਦਾ ਨਾਂ ਖਾਲੀ ਨਹੀਂ ਹੋ ਸਕਦਾ ਹੈ।",
   "editVaultMetadataDialog.error.vaultAlreadyExists": "ਦਿੱਤੇ ਗਏ ਨਾਂ ਨਾਲ ਵਾਲਟ ਪਹਿਲਾਂ ਹੀ ਮੌਜੂਦ ਹੈ।",
   "grantPermissionDialog.title": "ਇਜਾਜ਼ਤ ਨੂੰ ਮਨੂਜ਼ਰੀ",
+  "group.detail.vaults": "ਵਾਲਟ",
+  "group.detail.name": "ਨਾਂ",
+  "groupList.name": "ਨਾਂ",
+  "groupList.edit.group.button": "ਸੋਧੋ",
+  "groupList.search.placeholder": "ਖੋਜੋ…",
+  "groupList.vaults.count": "ਵਾਲਟ",
   "trustDetails.trustLevel": "ਭਰੋਸਾ ਪੱਧਰ {0}",
   "trustDetails.trustLevel.untrusted": "ਨਾ-ਪਰਮਾਣਿਤ",
   "signUserKeysDialog.title": "{0} ਦੀ ਪਛਾਣ ਨੂੰ ਤਸਦੀਕ ਕਰੋ",
-  "initialSetup.createUserKey.title": "Cryptomator Hub ਵਲੋਂ ਜੀ ਆਇਆਂ ਨੂੰ",
+  "initialSetup.createUserKey.title": "Katta ਵਲੋਂ ਜੀ ਆਇਆਂ ਨੂੰ",
   "initialSetup.createUserKey.description": "ਪਹਿਲੀ ਵਾਰ ਲਾਗਇਨ ਸਮੇਂ ਹਰ ਵਰਤੋਂਕਾਰ ਨੂੰ ਵਿਲੱਖਣ Account Key ਮਿਲੇਗੀ:",
   "initialSetup.createUserKey.details.accountKey": "ਤੁਹਾਡੀ Account Key ਹੋਰ ਐਪਾਂ ਜਾਂ ਬਰਾਊਜ਼ਰਾਂ ਵਿੱਚ ਲਾਗਇਨ ਕਰਨ ਸਮੇਂ ਚਾਹੀਦੀ ਹੈ",
   "initialSetup.createUserKey.details.devicesName": "ਇਸ ਬਰਾਊਜ਼ਰ ਨੂੰ ਇਸ ਸੂਚੀ ਵਿੱਚ ਜੋੜਿਆ ਜਾਵੇਗਾ: {deviceName}",
@@ -123,6 +138,20 @@
   "resetUserAccountDialog.title": "ਵਰਤੋਂਕਾਰ ਖਾਤੇ ਨੂੰ ਮੁੜ-ਸੈੱਟ ਕਰੋ",
   "resetUserAccountDialog.submit": "ਖਾਤੇ ਨੂੰ ਮੁੜ-ਸੈੱਟ ਕਰੋ",
   "userkeyFingerprint.title": "ਵਰਤੋਂਕਾਰ ਕੁੰਜੀ ਫਿੰਗਰ-ਪਰਿੰਟ",
+  "user.detail.disable": "ਅਸਮਰੱਥ",
+  "user.detail.edit": "ਸੋਧੋ",
+  "user.detail.enable": "ਸਮਰੱਥ",
+  "user.detail.name": "ਨਾਂ",
+  "user.detail.username": "ਵਰਤੋਂਕਾਰ ਨਾਂ",
+  "userEditCreate.button.save": "ਸੰਭਾਲੋ",
+  "userEditCreate.button.saved": "ਸੰਭਾਲਿਆ!",
+  "userEditCreate.username": "ਵਰਤੋਂਕਾਰ ਨਾਂ",
+  "userEditCreate.password": "ਪਾਸਵਰਡ",
+  "userEditCreate.passwordStrong": "ਮਜ਼ਬੂਤ",
+  "userEditCreate.passwordWeak": "ਕਮਜ਼ੋਰ",
+  "userList.edit.user.button": "ਸੋਧੋ",
+  "userList.userName": "ਨਾਂ",
+  "userList.vaults.count": "ਵਾਲਟ",
   "userProfile.title": "ਪਰੋਫ਼ਾਇਲ",
   "userProfile.actions.manageAccount": "ਖਾਤੇ ਦਾ ਇੰਤਜ਼ਾਮ",
   "userProfile.actions.changeLanguage": "ਭਾਸ਼ਾ ਨੂੰ ਬਦਲੋ",
diff --git a/frontend/src/i18n/pl-PL.json b/frontend/src/i18n/pl-PL.json
index fb274e649..1fdc95a57 100644
--- a/frontend/src/i18n/pl-PL.json
+++ b/frontend/src/i18n/pl-PL.json
@@ -18,10 +18,16 @@
   "common.close": "Zamknij",
   "common.copied": "Skopiowano!",
   "common.copy": "Skopiuj",
+  "common.create": "Utwórz",
+  "common.device": "Urządzenie",
   "common.download": "Pobierz",
+  "common.edit": "Edytuj",
   "common.hide": "Ukryj",
+  "common.leave": "Opuść",
   "common.loading": "Ładowanie…",
   "common.next": "Dalej",
+  "common.none": "Brak",
+  "common.nothingFound": "Nic nie znaleziono",
   "common.optional": "opcjonalnie",
   "common.pagination": "Stronicowanie",
   "common.previous": "Poprzedni",
@@ -30,6 +36,10 @@
   "common.remove": "Usuń",
   "common.reset": "Resetuj",
   "common.retry": "Ponów",
+  "common.save": "Zapisz",
+  "common.saved": "Zapisano!",
+  "common.search.placeholder": "Szukaj…",
+  "common.select.placeholder": "Wybierz…",
   "common.share": "Udostępnij",
   "common.show": "Wyświetl",
   "common.undo": "Cofnij",
@@ -37,16 +47,22 @@
   "common.unsavedChanges": "Niezapisane zmiany.",
   "common.update": "Aktualizacja",
   "common.xMembers": "{0} członków",
+  "common.actions": "Akcje",
+  "common.group": "Grupa",
+  "common.member": "Członek",
+  "common.property": "Właściwość",
+  "common.value": "Wartość",
   "admin.title": "Admin",
   "admin.serverInfo.title": "Informacje o serwerze",
-  "admin.serverInfo.description": "Identyfikator Hub ID jest używany do identyfikacji Twojej instancji Cryptomator Hub dla Twojej licencji. Dla wsparcia zawsze podaj wyświetloną wersję Hub i Keycloak.",
-  "admin.serverInfo.hubId.title": "Hub ID",
-  "admin.serverInfo.hubVersion.title": "Wersja Hub",
-  "admin.serverInfo.hubVersion.description.upToDate": "Hub jest aktualny.",
+  "admin.serverInfo.description": "Identyfikator Katta ID jest używany do identyfikacji Twojej instancji Katta dla Twojej licencji. Dla wsparcia zawsze podaj wyświetloną wersję Katta i Keycloak.",
+  "admin.serverInfo.hubId.title": "Katta ID",
+  "admin.serverInfo.hubVersion.title": "Wersja Katta",
+  "admin.serverInfo.hubVersion.description.upToDate": "Katta jest aktualny.",
   "admin.serverInfo.hubVersion.description.updateExists": "Aktualizacja do wersji {0} jest możliwa.",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "Nie można sprawdzić aktualizacji. Proszę sprawdzić ręcznie.",
   "admin.serverInfo.keycloakVersion.title": "Wersja Keycloak",
   "admin.serverInfo.keycloakVersion.description": "Zarządzaj Keycloak",
+  "admin.serverInfo.keycloakVersion.notAvailable": "niedostępne",
   "admin.licenseInfo.title": "Informacja o licencji",
   "admin.licenseInfo.description": "Zweryfikuj informacje o licencji. Jeśli chcesz wprowadzić zmiany lub sprawdzić status subskrypcji, naciśnij \"Zarządzaj subskrypcją\".",
   "admin.licenseInfo.email.title": "Licencja przypisana do",
@@ -61,8 +77,8 @@
   "admin.licenseInfo.manageSubscription": "Zarządzaj subskrypcją",
   "admin.licenseInfo.type.title": "Typ",
   "admin.licenseInfo.getLicense": "Uzyskaj Licencję",
-  "admin.licenseInfo.selfHostedNoLicense.description": "Dziękujemy za korzystanie z Cryptomator Hub! Otrzymałeś licencję typu \"Community\". Jeśli potrzebujesz więcej miejsc, zaktualizuj licencję.",
-  "admin.licenseInfo.managedNoLicense.description": "Dziękujemy za korzystanie z Cryptomator Hub! Obecnie nie masz aktywnej licencji.",
+  "admin.licenseInfo.selfHostedNoLicense.description": "Dziękujemy za korzystanie z Katta! Otrzymałeś licencję typu \"Community\". Jeśli potrzebujesz więcej miejsc, zaktualizuj licencję.",
+  "admin.licenseInfo.managedNoLicense.description": "Dziękujemy za korzystanie z Katta! Obecnie nie masz aktywnej licencji.",
   "admin.webOfTrust.title": "Sieć zaufania",
   "admin.webOfTrust.description": "Skonfiguruj ustawienia sieci zaufania, aby zarządzać zaufaniem między użytkownikami w systemie. Te ustawienia wpływają na weryfikację tożsamości użytkownika i podpisów kluczowych.",
   "admin.webOfTrust.information": "Więcej informacji.",
@@ -74,6 +90,27 @@
   "admin.webOfTrust.wotIdVerifyLen.description": "Ile cyfr odcisku palca innego użytkownika trzeba wprowadzić, aby potwierdzić jego tożsamość?",
   "admin.webOfTrust.save": "Zapisz",
   "admin.webOfTrust.saved": "Zapisano!",
+  "admin.emergencyAccess.title": "Dostęp awaryjny",
+  "admin.emergencyAccess.description": "Skonfiguruj podział klawiszy do odzyskiwania sejfu.",
+  "admin.emergencyAccess.learnMore": "Więcej informacji.",
+  "admin.emergencyAccess.noRedundancy.title": "Twój obecny podział kluczy nie ma redundancji!",
+  "admin.emergencyAccess.noRedundancy.description": "Zdecydowanie zaleca się skonfigurowanie większej liczby posiadaczy kluczy niż wymagane klucze.",
+  "admin.emergencyAccess.enabled.label": "Włączone",
+  "admin.emergencyAccess.enabled.help": "Włącz dostęp awaryjny",
+  "admin.emergencyAccess.requiredKeys.label": "Wymagane klucze",
+  "admin.emergencyAccess.requiredKeys.ariaLabel": "Wymagane udziały kluczy",
+  "admin.emergencyAccess.requiredKeys.help": "Ile kluczy jest wymaganych, aby przywrócić dostęp do sejfu.",
+  "admin.emergencyAccess.keyholders.label": "Posiadacze kluczy",
+  "admin.emergencyAccess.keyholders.minSelected": "Co najmniej {0} członków musi zostać wybranych. Wymagana liczba została zdefiniowana powyżej.",
+  "admin.emergencyAccess.keyholders.help": "Kto pobiera klucz dostępu awaryjnego.",
+  "admin.emergencyAccess.allowChoosing.label": "Pozwól właścicielom sejfu wybierać różnych posiadaczy kluczy.",
+  "admin.emergencyAccess.allowChoosing.atLeast": "Przynajmniej:",
+  "admin.emergencyAccess.minMembers.ariaLabel": "Minimalna liczba członków",
+  "admin.emergencyAccess.example.help": "Przykład kto może współpracować, aby odzyskać sejf.",
+  "admin.emergencyAccess.validation.maxValue": "Maksymalna wartość to {0}.",
+  "admin.emergencyAccess.validation.minValue": "Minimalna wartość to {0}.",
+  "admin.emergencyAccess.validation.minMembersAtLeastRequiredShares": "Musi być większa lub równa wymaganym udziałom kluczy.",
+  "admin.emergencyAccess.errors.sharesMustNotExceedMembers": "Wymagane udziały kluczy nie mogą przekraczać minimalnych członków.",
   "archiveVaultDialog.title": "Zarchiwizuj sejf",
   "archiveVaultDialog.description": "Archiwizowanie sejfu powoduje, że staje się on nieaktywny. Może to zwolnić zajęte miejsca. Zarchiwizowany skarbiec można ponownie aktywować później.",
   "archiveVaultDialog.confirm": "Archiwum",
@@ -85,11 +122,19 @@
   "auditLog.filter.endDate": "Data końcowa",
   "auditLog.filter.selectEventFilter": "Wybierz filtr wydarzeń",
   "auditLog.filter.clerEventFilter": "Wyczyść filtr wydarzeń",
+  "auditLog.filter.removeEventType": "Usuń {type}",
   "auditLog.timestamp": "Czas",
   "auditLog.type": "Wydarzenie",
   "auditLog.details": "Szczegóły",
   "auditLog.details.device.register": "Zarejestruj urządzenie",
   "auditLog.details.device.remove": "Usuń urządzenie",
+  "auditLog.details.emergencyaccess.setup": "Konfiguracja dostępu awaryjnego",
+  "auditLog.details.emergencyaccess.settingsUpdated": "Ustawienia dostępu awaryjnego zaktualizowane",
+  "auditLog.details.emergencyaccess.recoveryStarted": "Rozpoczęto odzyskiwanie dostępu awaryjnego",
+  "auditLog.details.emergencyaccess.recoveryApproved": "Zatwierdzono odzyskiwanie dostępu awaryjnego",
+  "auditLog.details.emergencyaccess.recoveryCompleted": "Zakończono odzyskiwanie dostępu awaryjnego",
+  "auditLog.details.emergencyaccess.recoveryAborted": "Odzyskiwanie dostępu awaryjnego przerwane",
+  "auditLog.details.setting.wot.update": "Aktualizuj ustawienia Wot",
   "auditLog.details.user.account.reset": "Zresetuj konto użytkownika",
   "auditLog.details.user.keys.change": "Zmiana kluczy użytkownika",
   "auditLog.details.user.setupCode.change": "Zmiana klucza konta",
@@ -121,6 +166,9 @@
   "createVault.enterVaultDetails.description": "Wprowadź nazwę i opis nowego sejfu. Możesz je później zmienić.",
   "createVault.enterVaultDetails.vaultName": "Nazwa sejfu",
   "createVault.enterVaultDetails.vaultDescription": "Opis",
+  "createVault.emergencyAccessDetails.title": "Zdefiniuj warunki dostępu awaryjnego",
+  "createVault.emergencyAccessDetails.description": "Wybierz członków Rady do dostępu do nagłych wypadków.",
+  "createVault.emergencyAccessDetails.description.adminDefined": "Rada dostępu awaryjnego jest zdefiniowana przez administratora i nie można jej tutaj zmienić.",
   "createVault.showRecoveryKey.title": "Klucz odzyskiwania",
   "createVault.showRecoveryKey.description": "Poniższy klucz odzyskiwania służy do przywrócenia dostępu sejfu.",
   "createVault.showRecoveryKey.recoveryKey": "Klucz odzyskiwania Twojego sejfu",
@@ -131,13 +179,19 @@
   "createVault.error.invalidRecoveryKey": "Klucz odzyskiwania jest nieprawidłowy.",
   "createVault.error.vaultAlreadyExists": "Sejf o podanej nazwie już istnieje.",
   "createVault.error.downloadTemplateFailed": "Pobieranie szablonu sejfu nie powiodło się: {0}",
-  "createVault.error.paymentRequired": "Twoja licencja Cryptomator Hub przekroczyła liczbę dostępnych stanowisk lub straciła ważność. Poinformuj administratora Huba o uaktualnieniu lub odnowieniu licencji.",
+  "createVault.error.paymentRequired": "Twoja licencja Katta przekroczyła liczbę dostępnych stanowisk lub straciła ważność. Poinformuj administratora Katta o uaktualnieniu lub odnowieniu licencji.",
   "createVault.success.title": "Sejf został utworzony",
   "createVault.success.description": "Po pobraniu spakowanego sejfu (zip), rozpakuj go w dowolnej lokalizacji udostępnionej członkom zespołu.",
   "createVault.success.download": "Pobierz spakowany sejf (zip)",
   "createVault.success.return": "Wróć do listy sejfów",
+  "deleteGroupDialog.title": "Usuń grupę",
+  "deleteGroupDialog.description": "Czy na pewno chcesz trwale usunąć tę grupę? Zostanie ona usunięta ze wszystkich powiązanych sejfów. Tej akcji nie można cofnąć.",
+  "deleteGroupDialog.confirm": "Tak, usuń grupę",
+  "deleteUserDialog.title": "Usuń konto użytkownika",
+  "deleteUserDialog.description": "Czy na pewno chcesz trwale usunąć tego użytkownika? Wszystkie powiązane sejfy i urządzenia zostaną usunięte. Tej akcji nie można cofnąć.",
+  "deleteUserDialog.confirm": "Tak, usuń użytkownika",
   "deviceList.empty.message": "Brak urządzeń",
-  "deviceList.empty.description": "Aby dodać urządzenie, dodaj sejf z tego Huba do aplikacji Cryptomator na urządzeniu i odblokuj go.",
+  "deviceList.empty.description": "Aby dodać urządzenie, dodaj sejf z tego Katta do aplikacji Katta na urządzeniu i odblokuj go.",
   "deviceList.title": "Autoryzowane urządzenia i przeglądarki",
   "deviceList.deviceName": "Nazwa urządzenia",
   "deviceList.type": "Typ",
@@ -145,8 +199,48 @@
   "deviceList.thisDevice": "To urządzenie",
   "deviceList.ipAddress": "Adres IP",
   "deviceList.lastAccess": "Ostatni dostęp do sejfu",
+  "deviceList.lastAccess.toolTip": "Może brakować dla urządzeń dostępnych ze starszymi wersjami.",
   "downloadVaultTemplateDialog.title": "Pobierz szablon sejfu",
   "downloadVaultTemplateDialog.description": "Pobierz i rozpakuj szablon spakowanego sejfu do dowolnej lokalizacji udostępnionej członkom zespołu. Jest to wymagane tylko raz podczas początkowej konfiguracji.",
+  "emergencyAccess.requiredKeyShares": "Wymagane udziały kluczy",
+  "emergencyAccess.processCouncil": "Rada procesowa",
+  "emergencyAccess.status.added": "Dodano",
+  "emergencyAccess.status.pending": "Oczekujące",
+  "emergencyAccess.startProcess": "Rozpocznij proces",
+  "emergencyAccess.notPossible": "Niemożliwe",
+  "emergencyAccess.vaultCouncil": "Rada Skarbowa",
+  "emergencyAccess.noRedundancy": "Brak nadmiarowości",
+  "emergencyAccess.label.councilMembers": "Członkowie Rady",
+  "emergencyAccess.label.newCouncilMembers": "Nowi członkowie Rady",
+  "emergencyAccess.label.owners": "Właściciele",
+  "emergencyAccess.label.members": "Członkowie",
+  "emergencyAccess.label.removed": "Usunięto",
+  "emergencyAccess.label.possibleScenario": "Ewentualny scenariusz awaryjny",
+  "emergencyAccess.label.exampleRecovery": "Przykład odzyskiwania",
+  "emergencyAccess.validation.selectMoreCouncilMembers": "Wybierz co najmniej {0} więcej członków rady.",
+  "emergencyAccess.validation.minimumMembers": "Co najmniej {0} członków musi być wybranych.",
+  "emergencyAccess.approval.waitingOthers": "Oczekiwanie na inne zatwierdzenia",
+  "emergencyAccess.approval.showDetails": "Pokaż szczegóły",
+  "emergencyAccess.approval.completeNow": "Ukończ teraz",
+  "emergencyAccess.approval.approveNow": "Zatwierdź teraz",
+  "emergencyAccess.filter.all": "Wszystkie",
+  "emergencyAccess.filter.approvable": "Zatwierdzalne",
+  "emergencyAccess.filter.approved": "Zatwierdzone",
+  "emergencyAccess.filter.startable": "Rozpoczęte",
+  "emergencyAccess.empty.disabled": "Dostęp alarmowy jest wyłączony.",
+  "emergencyAccess.empty.noneFound": "Nie znaleziono sejfów dostępu awaryjnego",
+  "emergencyAccess.licenseRequired.message": "Dostęp alarmowy jest dostępny tylko z płatną licencją.",
+  "emergencyAccess.licenseRequired.adminHint": "Możesz otrzymać jeden w sekcji administratora.",
+  "emergencyAccess.badge.notCouncil.title": "Żaden członek Rady ds. sejfu",
+  "emergencyAccess.badge.notCouncil.message": "Nie jesteś już częścią nadzwyczajnej rady sejfu. Ale nadal jesteś częścią uruchomionego procesu dostępu do awaryjnego.",
+  "emergencyAccess.badge.broken.title": "Uszkodzony dostęp awaryjny",
+  "emergencyAccess.badge.broken.message": "Dostęp alarmowy nie jest już możliwy. Jeden lub więcej członków rady zresetowało konto i straciło swoje kluczowe udziały.",
+  "emergencyAccess.badge.noRedundancy.title": "Brak nadmiarowości",
+  "emergencyAccess.badge.noRedundancy.message": "Ta nadzwyczajna Rada ds. Dostępu nie ma żadnych zwolnień. Rozważ przydzielenie rady zwolnionej z pracy.",
+  "emergencyAccessDialog.message.completed": "Proces zakończony pomyślnie.",
+  "emergencyAccessDialog.label.selectOwner": "Wybierz użytkownika z właścicielem roli",
+  "emergencyAccessDialog.label.selectMember": "Wybierz użytkownika z członkiem roli",
+  "emergencyAccessDialog.title.approved": "Zatwierdzone",
   "editVaultMetadataDialog.title": "Edytuj metadane sejfu",
   "editVaultMetadataDialog.description": "Aktualizuj nazwę i opis sejfu.",
   "editVaultMetadataDialog.vaultName": "Nazwa sejfu",
@@ -156,13 +250,20 @@
   "grantPermissionDialog.title": "Udziel uprawnienia",
   "grantPermissionDialog.description": "Udostępnij klucze do sejfu nowym użytkownikom.",
   "grantPermissionDialog.submit": "Przyznaj uprawnienie {0} użytkownikowi/użytkownikom",
+  "group.detail.vaults": "Sejfy",
+  "group.detail.name": "Nazwa",
+  "groupList.name": "Nazwa",
+  "groupList.edit.group.button": "Edytuj",
+  "groupList.search.placeholder": "Szukaj…",
+  "groupList.vaults.count": "Sejfy",
+  "group.members.search.empty": "Nic nie znaleziono",
   "trustDetails.trustLevel": "{0} poziom zaufania",
   "trustDetails.trustLevel.untrusted": "Niezweryfikowany",
   "trustDetails.showSignDialogBtn": "Sprawdź tożsamość...",
   "trustDetails.userNotSetUp": "Użytkownik nie skonfigurował jeszcze swojego konta.",
   "signUserKeysDialog.title": "Zweryfikuj tożsamość użytkownika {0}",
   "signUserKeysDialog.submit": "Potwierdź tożsamość tego użytkownika",
-  "initialSetup.createUserKey.title": "Witaj w Cryptomator Hub",
+  "initialSetup.createUserKey.title": "Witaj w Katta",
   "initialSetup.createUserKey.details.devicesList": "Możesz zobaczyć listę autoryzowanych aplikacji na stronie profilu",
   "initialSetup.createUserKey.details.devicesName": "Ta przeglądarka zostanie dodana do tej listy jako: {deviceName}",
   "initialSetup.createUserKey.details.devicesName.label": "Nazwa przeglądarki",
@@ -174,11 +275,11 @@
   "initialSetup.setupAlreadyCompleted.goToYourProfile": "Przejdź do swojego profilu",
   "initialSetup.accountKey": "Klucz konta",
   "initialSetup.submit": "Zakończ konfigurację",
-  "licenseAlert.noRemainingSeats.admin.description": "Twoja instancja Cryptomator Hub przekroczyła liczbę licencjonowanych stanowisk. Ulepsz ją w ciągu {0}, aby ponownie zarządzać i odblokować sejfy.",
-  "licenseAlert.noRemainingSeats.user.description": "Twoja instancja Cryptomator Hub przekroczyła liczbę licencjonowanych stanowisk. Poinformuj administratora Huba, aby zaktualizował licencję.",
+  "licenseAlert.noRemainingSeats.admin.description": "Twoja instancja Katta przekroczyła liczbę licencjonowanych stanowisk. Ulepsz ją w ciągu {0}, aby ponownie zarządzać i odblokować sejfy.",
+  "licenseAlert.noRemainingSeats.user.description": "Twoja instancja Katta przekroczyła liczbę licencjonowanych stanowisk. Poinformuj administratora Katta, aby zaktualizował licencję.",
   "licenseAlert.licenseExpired.title": "Licencja wygasła",
-  "licenseAlert.licenseExpired.admin.description": "Twoja licencja Cryptomator Hub wygasła. Odnów ją w ciągu {0}, aby ponownie zarządzać i odblokować swoje sejfy.",
-  "licenseAlert.licenseExpired.user.description": "Twoja licencja Cryptomator Hub wygasła. Poproś administratora Huba o odnowienie licencji.",
+  "licenseAlert.licenseExpired.admin.description": "Twoja licencja Katta wygasła. Odnów ją w ciągu {0}, aby ponownie zarządzać i odblokować swoje sejfy.",
+  "licenseAlert.licenseExpired.user.description": "Twoja licencja Katta wygasła. Poproś administratora Katta o odnowienie licencji.",
   "licenseAlert.button": "Sekcja administratora",
   "legacyDeviceList.description.information": "Więcej informacji.",
   "legacyDeviceList.deviceName": "Nazwa urządzenia",
@@ -187,9 +288,11 @@
   "legacyDeviceList.thisDevice": "To urządzenie",
   "legacyDeviceList.ipAddress": "Adres IP",
   "legacyDeviceList.lastAccess": "Ostatni dostęp do sejfu",
+  "legacyDeviceList.lastAccess.toolTip": "Może brakować dla urządzeń dostępnych ze starszymi wersjami.",
   "manageAccountKey.title": "Klucz konta",
   "manageAccountKey.regenerate": "Wygeneruj ponownie klucz",
   "nav.vaults": "Sejfy",
+  "nav.emergencyAccess": "Dostęp awaryjny",
   "nav.profile.signedInAs": "Zalogowano jako",
   "nav.profile.profile": "Twój profil",
   "nav.profile.admin": "Admin",
@@ -212,12 +315,26 @@
   "regenerateAccountKeyDialog.submit": "Wygeneruj ponownie klucz",
   "resetUserAccountDialog.title": "Zresetuj konto użytkownika",
   "resetUserAccountDialog.submit": "Zresetuj konto",
+  "user.detail.disable": "Wyłącz",
+  "user.detail.edit": "Edytuj",
+  "user.detail.enable": "Włącz",
+  "user.detail.name": "Nazwa",
+  "user.detail.username": "Login",
+  "userEditCreate.button.save": "Zapisz",
+  "userEditCreate.button.saved": "Zapisano!",
+  "userEditCreate.username": "Login",
+  "userEditCreate.password": "Hasło",
+  "userEditCreate.passwordStrong": "Silne",
+  "userEditCreate.passwordWeak": "Słabe",
+  "userList.edit.user.button": "Edytuj",
+  "userList.userName": "Nazwa",
+  "userList.vaults.count": "Sejfy",
   "userProfile.title": "Profil",
   "userProfile.actions.manageAccount": "Zarządzaj kontem",
   "userProfile.actions.changeLanguage": "Zmień język",
   "userProfile.actions.changeLanguage.entry.browser": "Język przeglądarki",
   "unlockSuccess.title": "Sejf odblokowany pomyślnie",
-  "unlockSuccess.description": "Możesz teraz zamknąć tę kartę przeglądarki i powrócić do aplikacji Cryptomator.",
+  "unlockSuccess.description": "Możesz teraz zamknąć tę kartę przeglądarki i powrócić do aplikacji Katta.",
   "unlockSuccess.accountSetup.title": "Wymagana konfiguracja",
   "unlockSuccess.accountSetup.goToSetup": "Dokończ konfigurację",
   "unlockSuccess.deviceSetup.title": "Nowe Urządzenie",
@@ -242,7 +359,7 @@
   "vaultDetails.actions.reactivateVault": "Reaktywuj sejf",
   "vaultDetails.actions.claimOwnership": "Przejmij rolę właściciela",
   "vaultDetails.actions.recoverVault": "Odzyskaj dostęp do sejfu",
-  "vaultDetails.error.licenseViolated": "Twoja licencja Cryptomator Hub wygasła lub przekroczono liczbę dostępnych stanowisk. Poinformuj administratora Huba o odnowieniu lub uaktualnieniu licencji.",
+  "vaultDetails.error.licenseViolated": "Twoja licencja Katta wygasła lub przekroczono liczbę dostępnych stanowisk. Poinformuj administratora Katta o odnowieniu lub uaktualnieniu licencji.",
   "vaultDetails.recoverVault.description": "Aby odzyskać dostęp do sejfu, musisz przywrócić dostęp za pomocą klucza odzyskiwania lub inny właściciel musi zaktualizować uprawnienia dostępu.",
   "vaultList.title": "Sejfy",
   "vaultList.empty.title": "Brak sejfów",
diff --git a/frontend/src/i18n/pt-BR.json b/frontend/src/i18n/pt-BR.json
index fde72620c..dcc23d44e 100644
--- a/frontend/src/i18n/pt-BR.json
+++ b/frontend/src/i18n/pt-BR.json
@@ -7,7 +7,7 @@
   "locale.lv-LV": "Letão",
   "locale.nl-NL": "Holandês",
   "locale.pt-BR": "Português (Brasil)",
-  "locale.pt-PT": "Português",
+  "locale.pt-PT": "Português (Portugal)",
   "locale.ru-RU": "Russo",
   "locale.tr-TR": "Turco",
   "locale.uk-UA": "Ucraniano",
@@ -18,241 +18,486 @@
   "common.close": "Fechar",
   "common.copied": "Copiado!",
   "common.copy": "Copiar",
+  "common.create": "Criar",
+  "common.device": "Dispositivo",
   "common.download": "Baixar",
+  "common.edit": "Editar",
   "common.hide": "Ocultar",
+  "common.leave": "Sair",
   "common.loading": "Carregando…",
   "common.next": "Próximo",
+  "common.none": "Nenhum",
+  "common.nothingFound": "Nada foi encontrado",
   "common.optional": "opcional",
   "common.pagination": "Paginação",
   "common.previous": "Anterior",
   "common.refresh": "Atualizar",
-  "common.reload": "Por favor, recarregue a página.",
+  "common.reload": "Recarregue a página.",
   "common.remove": "Remover",
   "common.reset": "Redefinir",
-  "common.retry": "Tentar Novamente",
+  "common.retry": "Tentar novamente",
+  "common.save": "Salvar",
+  "common.saved": "Salvo!",
+  "common.search.placeholder": "Buscar…",
+  "common.select.placeholder": "Selecione…",
   "common.share": "Compartilhar",
-  "common.show": "Exibir",
+  "common.show": "Mostrar",
   "common.undo": "Desfazer",
   "common.unexpectedError": "Erro inesperado: {0}",
-  "common.unsavedChanges": "Mudanças não salvas.",
-  "common.update": "Atualização",
-  "common.xMembers": "{0} Membros",
+  "common.unsavedChanges": "Alterações não salvas.",
+  "common.update": "Atualizar",
+  "common.xMembers": "{0} membro(s)",
+  "common.actions": "Ações",
+  "common.group": "Grupo",
+  "common.member": "Membro",
+  "common.property": "Propriedade",
+  "common.value": "Valor",
   "admin.title": "Administrador",
   "admin.serverInfo.title": "Informação do Servidor",
-  "admin.serverInfo.description": "O ID do Hub é usado para identificar sua instância do Cryptomator Hub para sua licença. Para suporte, sempre indique a versão exibida do Hub e Keycloak.",
-  "admin.serverInfo.hubId.title": "ID do Hub",
-  "admin.serverInfo.hubVersion.title": "Versão do Hub",
-  "admin.serverInfo.hubVersion.description.upToDate": "O Hub está atualizado.",
+  "admin.serverInfo.description": "O ID do Katta é usado para identificar sua instância do Katta para sua licença. Para suporte, sempre indique a versão exibida do Katta e Keycloak.",
+  "admin.serverInfo.hubId.title": "ID do Katta",
+  "admin.serverInfo.hubVersion.title": "Versão do Katta",
+  "admin.serverInfo.hubVersion.description.upToDate": "O Katta está atualizado.",
   "admin.serverInfo.hubVersion.description.updateExists": "Atualizar para versão {0} disponível.",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "Não é possível verificar se há atualizações. Por favor, verifique manualmente.",
   "admin.serverInfo.keycloakVersion.title": "Versão Keycloak",
   "admin.serverInfo.keycloakVersion.description": "Gerenciar Keycloak",
-  "admin.licenseInfo.title": "Informações da Licença",
-  "admin.licenseInfo.description": "Confirme suas informações de licença. Se você quiser fazer alterações ou verificar o status da sua assinatura, pressione \"Gerenciar Assinatura\".",
+  "admin.serverInfo.keycloakVersion.notAvailable": "indisponível",
+  "admin.licenseInfo.title": "Informações da licença",
+  "admin.licenseInfo.description": "Confirme suas informações de licença. Caso deseje fazer alterações ou verificar o status da sua assinatura, clique em \"gerenciar assinatura\".",
   "admin.licenseInfo.email.title": "Licenciado para",
-  "admin.licenseInfo.seats.title": "Número de assentos",
-  "admin.licenseInfo.seats.description.enoughSeats": "Você tem {0} lugares não utilizados restantes.",
-  "admin.licenseInfo.seats.description.zeroSeats": "Você não tem lugares restantes. Compre mais, se necessário.",
-  "admin.licenseInfo.seats.description.undercutSeats": "Você usou {0} mais lugares do que os disponíveis. Remova os usuários ou adquira mais, se necessário.",
-  "admin.licenseInfo.issuedAt.title": "Emitido em",
+  "admin.licenseInfo.seats.title": "Número de licenças",
+  "admin.licenseInfo.seats.description.enoughSeats": "Você tem {0} licença(s) sem uso restante(s).",
+  "admin.licenseInfo.seats.description.zeroSeats": "Você não tem mais licenças. Compre mais, se necessário.",
+  "admin.licenseInfo.seats.description.undercutSeats": "Você usou {0} licença(s) disponível(is) a mais. Remova os usuários ou adquira mais, se necessário.",
+  "admin.licenseInfo.issuedAt.title": "Emitida em",
   "admin.licenseInfo.expiresAt.title": "Expira em",
   "admin.licenseInfo.expiresAt.description.valid": "Sua licença é válida.",
   "admin.licenseInfo.expiresAt.description.expired": "Sua licença expirou.",
   "admin.licenseInfo.manageSubscription": "Gerenciar assinatura",
   "admin.licenseInfo.type.title": "Tipo",
-  "admin.licenseInfo.getLicense": "Obter Licença",
-  "admin.licenseInfo.selfHostedNoLicense.description": "Obrigado por usar o Cryptomator Hub! Foi concedida a você a licença da comunidade. Se você precisar de mais lugares, atualize sua licença.",
-  "admin.licenseInfo.managedNoLicense.description": "Obrigado por usar o Cryptomator Hub! Atualmente você não tem uma licença ativa.",
+  "admin.licenseInfo.getLicense": "Obter licença",
+  "admin.licenseInfo.selfHostedNoLicense.description": "Obrigado por usar o Katta! Foi concedida a você a licença da comunidade. Se você precisar de mais lugares, atualize sua licença.",
+  "admin.licenseInfo.managedNoLicense.description": "Obrigado por usar o Katta! Atualmente você não tem uma licença ativa.",
   "admin.webOfTrust.title": "Teia de Confiança",
   "admin.webOfTrust.description": "Configure a Teia de Confiança para gerenciar como a confiança é estabelecida entre os usuários no sistema. Essas configurações afetam a verificação de identidades de usuário e assinaturas-chave.",
   "admin.webOfTrust.information": "Saiba mais.",
-  "admin.webOfTrust.wotMaxDepth.error": "Profundidade máxima da Teia de Confiança deve estar entre 0 e 9.",
-  "admin.webOfTrust.wotMaxDepth.title": "Profundidade máxima da Teia de Confiança",
-  "admin.webOfTrust.wotMaxDepth.description": "Distância máxima entre dois usuários, então um conhecido indireto ainda é considerado confiável (supondo que as identidades intermediárias tenham sido verificadas).",
-  "admin.webOfTrust.wotIdVerifyLen.error": "A precisão da verificação biométrica deve ser positiva.",
-  "admin.webOfTrust.wotIdVerifyLen.title": "Precisão da Verificação Biométrica",
-  "admin.webOfTrust.wotIdVerifyLen.description": "Quantos dígitos de impressões digitais de outros que um usuário precisa inserir para verificar a sua identidade.",
+  "admin.webOfTrust.wotMaxDepth.error": "A profundidade máxima da rede de confiança deve estar entre 0 e 9.",
+  "admin.webOfTrust.wotMaxDepth.title": "Profundidade máxima da rede de confiança",
+  "admin.webOfTrust.wotMaxDepth.description": "Distância máxima entre dois usuários para que uma convivência indireta ainda seja considerada confiável (assumindo que as identidades intermediárias foram verificadas).",
+  "admin.webOfTrust.wotIdVerifyLen.error": "A precisão da verificação de impressão digital deve ser positiva.",
+  "admin.webOfTrust.wotIdVerifyLen.title": "Precisão da verificação de impressão digital",
+  "admin.webOfTrust.wotIdVerifyLen.description": "Quantos dígitos da impressão digital de outro usuário devem ser inseridos para verificar sua identidade.",
   "admin.webOfTrust.save": "Salvar",
   "admin.webOfTrust.saved": "Salvo!",
-  "archiveVaultDialog.title": "Arquivar Cofre",
-  "archiveVaultDialog.description": "Arquivar um cofre o torna inativo. Isso pode liberar lugares ocupados. Um cofre arquivado pode ser reativado mais tarde.",
+  "admin.emergencyAccess.title": "Acesso de Emergência",
+  "admin.emergencyAccess.description": "Configure a divisão de chave para a recuperação do cofre.",
+  "admin.emergencyAccess.learnMore": "Saiba mais.",
+  "admin.emergencyAccess.noRedundancy.title": "A divisão de chave atual não tem redundância!",
+  "admin.emergencyAccess.noRedundancy.description": "É altamente recomendado configurar mais porta-chaves do que as chaves obrigatórias.",
+  "admin.emergencyAccess.enabled.label": "Ativado",
+  "admin.emergencyAccess.enabled.help": "Ativar Acesso de Emergência",
+  "admin.emergencyAccess.requiredKeys.label": "Chaves requeridas",
+  "admin.emergencyAccess.requiredKeys.ariaLabel": "Compartilhamentos de chaves obrigatórios",
+  "admin.emergencyAccess.requiredKeys.help": "Quantas chaves são necessárias para restaurar o acesso a um cofre.",
+  "admin.emergencyAccess.keyholders.label": "Porta-chaves",
+  "admin.emergencyAccess.keyholders.minSelected": "Pelo menos {0} membro(s) deve(m) ser selecionado(s). O valor necessário foi definido acima.",
+  "admin.emergencyAccess.keyholders.help": "Quem deve recuperar uma chave de acesso de emergência.",
+  "admin.emergencyAccess.allowChoosing.label": "Deixe os proprietários do cofre escolherem diferentes porta-chaves.",
+  "admin.emergencyAccess.allowChoosing.atLeast": "Pelo menos:",
+  "admin.emergencyAccess.minMembers.ariaLabel": "Mínimo de membros",
+  "admin.emergencyAccess.example.help": "Exemplo de quem pode colaborar para recuperar um cofre.",
+  "admin.emergencyAccess.validation.maxValue": "O valor máximo é {0}.",
+  "admin.emergencyAccess.validation.minValue": "O valor mínimo é {0}.",
+  "admin.emergencyAccess.validation.minMembersAtLeastRequiredShares": "Deve ser maior ou igual às ações-chave exigidas.",
+  "admin.emergencyAccess.errors.sharesMustNotExceedMembers": "Compartilhamentos de chave exigidos não podem exceder o número mínimo de membros.",
+  "archiveVaultDialog.title": "Arquivar cofre",
+  "archiveVaultDialog.description": "Arquivar um cofre o torna inativo. Isso pode liberar licenças ocupadas. Um cofre arquivado pode ser reativado depois.",
   "archiveVaultDialog.confirm": "Arquivar",
-  "auditLog.title": "Registro de Auditoria",
+  "auditLog.title": "Registros de auditoria",
   "auditLog.order.ascending": "Crescente",
   "auditLog.order.descending": "Decrescente",
   "auditLog.filter": "Filtro",
-  "auditLog.filter.startDate": "Data Inicial",
+  "auditLog.filter.startDate": "Data inicial",
   "auditLog.filter.endDate": "Data final",
   "auditLog.filter.selectEventFilter": "Selecionar filtro de eventos",
   "auditLog.filter.clerEventFilter": "Limpar filtro de eventos",
+  "auditLog.filter.removeEventType": "Remover {type}",
   "auditLog.timestamp": "Marca Temporal",
   "auditLog.type": "Evento",
   "auditLog.details": "Detalhes",
-  "auditLog.details.device.register": "Registro de dispositivo",
-  "auditLog.details.device.remove": "Remover o dispositivo",
-  "auditLog.details.setting.wot.update": "Atualizar configurações da Teia de Confiança",
+  "auditLog.details.device.register": "Registrar dispositivo",
+  "auditLog.details.device.remove": "Remover dispositivo",
+  "auditLog.details.emergencyaccess.setup": "Configuração do Acesso de Emergência",
+  "auditLog.details.emergencyaccess.settingsUpdated": "Configurações do Acesso de Emergência atualizadas",
+  "auditLog.details.emergencyaccess.recoveryStarted": "Recuperação do Acesso de Emergência iniciada",
+  "auditLog.details.emergencyaccess.recoveryApproved": "Recuperação do Acesso de Emergência aprovada",
+  "auditLog.details.emergencyaccess.recoveryCompleted": "Recuperação do Acesso de Emergência concluída",
+  "auditLog.details.emergencyaccess.recoveryAborted": "Recuperação do Acesso de Emergência cancelada",
+  "auditLog.details.setting.wot.update": "Atualizar configurações da rede de confiança",
   "auditLog.details.user.account.reset": "Redefinir conta de usuário",
-  "auditLog.details.user.keys.change": "Mudança de Chaves de Usuário",
-  "auditLog.details.user.setupCode.change": "Alteração de Chave da Conta",
-  "auditLog.details.vault.create": "Criar Cofre",
+  "auditLog.details.user.keys.change": "Alteração de chaves de usuário",
+  "auditLog.details.user.setupCode.change": "Alteração de chave da conta",
+  "auditLog.details.vault.create": "Criar cofre",
   "auditLog.details.vault.update": "Atualizar cofre",
   "auditLog.details.vaultAccess.grant": "Conceder acesso ao cofre",
   "auditLog.details.vaultKey.retrieve": "Recuperar chave do cofre",
   "auditLog.details.vaultMember.add": "Adicionar membro ao cofre",
   "auditLog.details.vaultMember.remove": "Remover membro do cofre",
-  "auditLog.details.vaultMember.update": "Atualizar membro do Cofre",
-  "auditLog.details.vaultOwnership.claim": "Reivindicar propriedade do Cofre",
+  "auditLog.details.vaultMember.update": "Atualizar membro do cofre",
+  "auditLog.details.vaultOwnership.claim": "Reivindicar propriedade do cofre",
   "auditLog.details.wot.signedIdentity": "Identidade assinada",
-  "auditLog.pagination.showing": "Exibindo entradas {0} para {1}",
+  "auditLog.pagination.showing": "Mostrando entradas {0} para {1}",
   "auditLog.paymentRequired.message": "Licença requerida",
-  "auditLog.paymentRequired.description": "Logs de auditoria só estão disponíveis com uma licença paga. Você pode obter uma na seção de administração.",
-  "auditLog.paymentRequired.openAdminSection": "Abrir seção de Administrador",
-  "claimVaultOwnershipDialog.title": "Reivindicar propriedade do Cofre",
-  "claimVaultOwnershipDialog.description": "Digite a senha de administrador do cofre para provar que você tem permissões para gerenciar este cofre.",
+  "auditLog.paymentRequired.description": "Os registros de auditoria estão disponíveis apenas com uma licença paga. Você pode adquirir uma na seção de administrador.",
+  "auditLog.paymentRequired.openAdminSection": "Abrir seção de administrador",
+  "claimVaultOwnershipDialog.title": "Reivindicar propriedade do cofre",
+  "claimVaultOwnershipDialog.description": "Digite a senha de administrador do cofre para confirmar que você tem permissões para gerenciá-lo.",
   "claimVaultOwnershipDialog.password": "Senha de administração do cofre",
   "claimVaultOwnershipDialog.submit": "Reivindicar propriedade",
-  "claimVaultOwnershipDialog.error.formValidationFailed": "A Senha não pode ser vazia",
+  "claimVaultOwnershipDialog.error.formValidationFailed": "A Senha não pode estar vazia",
   "claimVaultOwnershipDialog.error.wrongPassword": "Senha incorreta",
-  "fetchError.title": "Falha ao buscar dados",
-  "createVault.enterRecoveryKey.title": "Recuperar Cofre",
+  "fetchError.title": "Falha ao buscar os dados",
+  "createVault.enterRecoveryKey.title": "Recuperar cofre",
   "createVault.enterRecoveryKey.description": "Digite a chave de recuperação do seu cofre existente para criar um novo modelo de cofre a partir dele.",
   "createVault.enterRecoveryKey.recoveryKey": "Chave de recuperação do seu cofre",
-  "createVault.enterRecoveryKey.submit": "Recuperar Cofre",
-  "createVault.enterVaultDetails.title": "Criar Cofre",
-  "createVault.enterVaultDetails.description": "Digite um nome e uma descrição para o seu novo cofre. Você pode alterá-los mais tarde.",
-  "createVault.enterVaultDetails.vaultName": "Nome do Cofre",
+  "createVault.enterRecoveryKey.submit": "Recuperar cofre",
+  "createVault.enterVaultDetails.title": "Criar cofre",
+  "createVault.enterVaultDetails.description": "Digite um nome e uma descrição para o seu novo cofre. Você pode alterá-los depois.",
+  "createVault.enterVaultDetails.vaultName": "Nome do cofre",
   "createVault.enterVaultDetails.vaultDescription": "Descrição",
+  "createVault.emergencyAccessDetails.title": "Definir as condições do Acesso de Emergência",
+  "createVault.emergencyAccessDetails.description": "Selecionar membros do conselho para o acesso de emergência.",
+  "createVault.emergencyAccessDetails.description.adminDefined": "O conselho do acesso de emergência é definido pelo administrador e não pode ser alterado aqui.",
   "createVault.showRecoveryKey.title": "Chave de recuperação",
   "createVault.showRecoveryKey.description": "A seguinte chave de recuperação pode ser usada para restaurar o acesso ao cofre.",
   "createVault.showRecoveryKey.recoveryKey": "Chave de recuperação do seu cofre",
-  "createVault.showRecoveryKey.confirmRecoveryKey": "Eu sei que vou perder acesso ao cofre no caso de uma emergência se não tiver a chave de recuperação.",
-  "createVault.showRecoveryKey.submit": "Criar Cofre",
+  "createVault.showRecoveryKey.confirmRecoveryKey": "Estou ciente que perderei o acesso ao cofre em caso de emergência caso eu não tiver a chave de recuperação.",
+  "createVault.showRecoveryKey.submit": "Criar cofre",
   "createVault.error.illegalVaultName": "O nome do cofre não pode conter nenhum dos seguintes caracteres:",
-  "createVault.error.formValidationFailed": "Por favor, verifique o formulário e tente novamente.",
-  "createVault.error.invalidRecoveryKey": "Chave de recuperação é inválida.",
-  "createVault.error.vaultAlreadyExists": "Um cofre com o nome fornecido já existe.",
+  "createVault.error.formValidationFailed": "Verifique o formulário e tente novamente.",
+  "createVault.error.invalidRecoveryKey": "Chave de recuperação inválida.",
+  "createVault.error.vaultAlreadyExists": "Já existe um cofre com esse nome.",
   "createVault.error.downloadTemplateFailed": "Falha ao baixar o modelo do cofre: {0}",
-  "createVault.error.paymentRequired": "Sua licença do Cryptomator Hub excedeu o número de assentos disponíveis ou expirou. Por favor, informe ao administrador do Hub para atualizar ou renovar a licença.",
+  "createVault.error.paymentRequired": "Sua licença do Katta excedeu o número de assentos disponíveis ou expirou. Informe ao administrador do Katta para atualizar ou renovar a licença.",
   "createVault.success.title": "Cofre criado",
-  "createVault.success.description": "Depois de baixar a pasta de cofre compactada, descompacte-a para qualquer localização compartilhada com os membros da sua equipe.",
+  "createVault.success.description": "Após baixar a pasta de cofre compactada, descompacte-a para qualquer local compartilhado com os membros da sua equipe.",
   "createVault.success.download": "Baixar pasta de cofre compactada",
   "createVault.success.return": "Retornar à lista de cofres",
+  "deleteGroupDialog.title": "Apagar grupo",
+  "deleteGroupDialog.description": "Deseja mesmo apagar este grupo permanentemente? Será removido de todos os cofres associados. Esta ação não pode ser desfeita.",
+  "deleteGroupDialog.confirm": "Sim, apagar grupo",
+  "disableUserDialog.title": "Desativar usuário",
+  "disableUserDialog.description": "Este usuário não poderá mais entrar e será apagado da contagem de lugares. Você pode reativá-lo a qualquer momento.",
+  "disableUserDialog.confirm": "Desativar usuário",
+  "deleteUserDialog.title": "Apagar conta de usuário",
+  "deleteUserDialog.description": "Deseja mesmo apagar este usuário permanentemente? Todos os cofres e dispositivos associados serão removidos. Esta ação não pode ser desfeita.",
+  "deleteUserDialog.confirm": "Sim, apagar usuário",
   "deviceList.empty.message": "Nenhum dispositivo",
-  "deviceList.empty.description": "Para adicionar um dispositivo, adicione um cofre deste Hub ao aplicativo Cryptomator do dispositivo e desbloqueie-o.",
+  "deviceList.empty.description": "Para adicionar um dispositivo, adicione um cofre do Katta ao aplicativo Katta do dispositivo e o desbloqueie.",
   "deviceList.title": "Dispositivos e navegadores autorizados",
   "deviceList.deviceName": "Nome do dispositivo",
   "deviceList.type": "Tipo",
   "deviceList.added": "Adicionado",
-  "deviceList.thisDevice": "Este Dispositivo",
+  "deviceList.thisDevice": "Este dispositivo",
   "deviceList.ipAddress": "Endereço IP",
-  "deviceList.lastAccess": "Último Acesso ao Cofre",
-  "deviceList.lastAccess.toolTip": "Podem estar faltando para dispositivos acessados com versões mais antigas.",
-  "downloadVaultTemplateDialog.title": "Baixar Modelo do Cofre",
-  "downloadVaultTemplateDialog.description": "Baixe e descompacte o modelo de cofre compactado para qualquer localização compartilhada com os membros da sua equipe. Isso é necessário somente uma vez durante a configuração inicial.",
-  "editVaultMetadataDialog.title": "Editar Metadados do Cofre",
+  "deviceList.lastAccess": "Último acesso ao cofre",
+  "deviceList.lastAccess.toolTip": "Pode estar faltando em dispositivos acessados com versões anteriores.",
+  "deviceType.browser": "Navegador",
+  "deviceType.desktop": "Computador",
+  "deviceType.mobile": "Celular",
+  "downloadVaultTemplateDialog.title": "Baixar modelo do cofre",
+  "downloadVaultTemplateDialog.description": "Baixe e descompacte o modelo de cofre compactado para qualquer local compartilhado com os membros da sua equipe. Isso é necessário somente uma vez durante a configuração inicial.",
+  "emergencyAccess.requiredKeyShares": "Compartilhamentos de chaves obrigatórios",
+  "emergencyAccess.processCouncil": "Conselho de processos",
+  "emergencyAccess.status.added": "Adicionado",
+  "emergencyAccess.status.pending": "Pendente",
+  "emergencyAccess.startProcess": "Iniciar processo",
+  "emergencyAccess.notPossible": "Não é possível",
+  "emergencyAccess.vaultCouncil": "Conselho do Cofre",
+  "emergencyAccess.noRedundancy": "Nenhuma redundância",
+  "emergencyAccess.label.councilMembers": "Membros do Conselho",
+  "emergencyAccess.label.newCouncilMembers": "Novos membros do Conselho",
+  "emergencyAccess.label.owners": "Proprietários",
+  "emergencyAccess.label.members": "Membros",
+  "emergencyAccess.label.removed": "Removido",
+  "emergencyAccess.label.possibleScenario": "Possível cenário de emergência",
+  "emergencyAccess.label.exampleRecovery": "Exemplo de recuperação",
+  "emergencyAccess.validation.selectMoreCouncilMembers": "Selecione pelo menos mais {0} membro(s) do conselho.",
+  "emergencyAccess.validation.minimumMembers": "Pelo menos {0} membro(s) deve(m) ser selecionado(s).",
+  "emergencyAccess.approval.waitingOthers": "Aguardando outras aprovações",
+  "emergencyAccess.approval.showDetails": "Mostrar detalhes",
+  "emergencyAccess.approval.completeNow": "Completar agora",
+  "emergencyAccess.approval.approveNow": "Aprovar",
+  "emergencyAccess.processType.changePermissions": "Escolha os membros do cofre",
+  "emergencyAccess.processType.changeCouncil": "Alterar Conselho do Acesso de Emergência",
+  "emergencyAccess.filter.all": "Todos",
+  "emergencyAccess.filter.approvable": "Aprovável",
+  "emergencyAccess.filter.approved": "Aprovado",
+  "emergencyAccess.filter.startable": "Iniciável",
+  "emergencyAccess.empty.disabled": "O Acesso de Emergência está desativado.",
+  "emergencyAccess.empty.noneFound": "Nenhum cofre de emergência encontrado.",
+  "emergencyAccess.licenseRequired.message": "O Acesso de Emergência está disponível apenas com uma licença paga.",
+  "emergencyAccess.licenseRequired.adminHint": "Você pode obter uma na seção de administrador.",
+  "emergencyAccess.badge.notCouncil.title": "Não há mais nenhum membro no Conselho do Cofre.",
+  "emergencyAccess.badge.notCouncil.message": "Você não faz mais parte do conselho de emergência do cofre. Entretanto, você ainda faz parte de um processo de acesso de emergência em andamento.",
+  "emergencyAccess.badge.insufficientCouncilMembers.title": "Acesso de emergência insuficiente",
+  "emergencyAccess.badge.insufficientCouncilMembers.message": "A política da sua equipe requer um conselho de acesso de emergência com pelo menos {0} membro(s). Este cofre ainda não atende aos requisitos.",
+  "emergencyAccess.badge.broken.title": "Acesso de Emergência quebrado",
+  "emergencyAccess.badge.broken.message": "O Acesso de Emergência não está mais disponível. Um ou mais membros do conselho redefiniram suas contas e perderam o acesso às suas chaves.",
+  "emergencyAccess.badge.noRedundancy.title": "Nenhuma redundância",
+  "emergencyAccess.badge.noRedundancy.message": "Este Conselho de Acesso de Emergência não tem membros redundantes. Redesigne um conselho que tenha membros redundantes.",
+  "emergencyAccessDialog.message.completed": "Processo concluído com sucesso.",
+  "emergencyAccessDialog.label.selectOwner": "Selecione o usuário com a função de proprietário",
+  "emergencyAccessDialog.label.selectMember": "Selecione o usuário com a função de membro",
+  "emergencyAccessDialog.label.councilMembersAtLeast": "Membros do Conselho (pelo menos: {0})",
+  "emergencyAccessDialog.section.ownership": "Propriedade",
+  "emergencyAccessDialog.section.councilChange": "Alteração no Conselho",
+  "emergencyAccessDialog.hint.finishProcess": "Você pode concluir esse processo de acesso de emergência adicionando o último compartilhamento de chave e o concluindo.",
+  "emergencyAccessDialog.hint.keyShareAdded": "Seu compartilhamento de chave já foi adicionado.",
+  "emergencyAccessDialog.hint.notInCouncil": "Você não faz parte do conselho para este processo e não pode adicionar um compartilhamento de chave.",
+  "emergencyAccessDialog.action.abortProcess": "Cancelar este processo",
+  "emergencyAccessDialog.action.start": "Iniciar",
+  "emergencyAccessDialog.action.approve": "Aprovar",
+  "emergencyAccessDialog.action.completeProcess": "Completar processo",
+  "emergencyAccessDialog.title.success": "Sucesso",
+  "emergencyAccessDialog.title.changeCouncil": "Alterar conselho",
+  "emergencyAccessDialog.title.changePermissions": "Alterar permissões do cofre",
+  "emergencyAccessDialog.title.processDetails": "Detalhes do processo",
+  "emergencyAccessDialog.title.approved": "Aprovado",
+  "emergencyAccessDialog.title.approveEmergencyAccess": "Aprovar acesso de emergência",
+  "emergencyAccessDialog.title.completeEmergencyAccess": "Completar acesso de emergência",
+  "emergencyAccessDialog.error.insufficientCouncilMembers": "Dados inconsistentes: membros insuficientes ({0}) para recuperar este cofre ({1}).",
+  "emergencyAccessDialog.error.noProcessToApprove": "Nenhum processo de recuperação para ser aprovado.",
+  "emergencyAccessDialog.error.processTampered": "O processo de recuperação foi alterado.",
+  "emergencyAccessDialog.error.noProcessToComplete": "Nenhum processo de recuperação para ser concluído.",
+  "emergencyAccessDialog.error.unsupportedProcessType": "Estado incompatível para o tipo de processo de recuperação: {0}",
+  "grantEmergencyAccessDialog.title": "Conceder acesso de emergência",
+  "grantEmergencyAccessDialog.description.selectCouncil": "Selecione os membros do conselho para conceder acesso de emergência a este cofre.",
+  "grantEmergencyAccessDialog.description.default": "Conceder acesso de emergência para este cofre.",
+  "grantEmergencyAccessDialog.grant": "Conceder",
+  "grantEmergencyAccessDialog.error.keySharesRequired": "São necessários pelo menos 2 compartilhamentos de chave de emergência.",
+  "grantEmergencyAccessDialog.error.councilMembersRequired": "São necessários pelo menos 2 membros do Conselho.",
+  "grantEmergencyAccessDialog.error.tooFewCouncilMembers": "Número insuficiente de membros no Conselho. Aumente ou diminua o número de compartilhamentos de chave de emergência.",
+  "processAbortDialog.title": "Cancelar este processo",
+  "processAbortDialog.description": "Deseja mesmo cancelar este processo de acesso de emergência? Esta ação não pode ser desfeita.",
+  "processAbortDialog.confirm": "Cancelar processo",
+  "recoveryDialog.error.invalidRecoveryType": "Tipo de processo de recuperação inválido.",
+  "recoveryDialog.error.processAlreadyExists": "Já existe um processo de recuperação desse tipo.",
+  "recoveryDialog.error.noOwnerSelected": "Selecione pelo menos um proprietário.",
+  "recoveryDialog.error.notEnoughCouncilMembers": "Não foram selecionados membros suficientes para o conselho.",
+  "editVaultMetadataDialog.title": "Editar metadados do cofre",
   "editVaultMetadataDialog.description": "Atualize o nome e a descrição do cofre.",
-  "editVaultMetadataDialog.vaultName": "Nome do Cofre",
+  "editVaultMetadataDialog.vaultName": "Nome do cofre",
   "editVaultMetadataDialog.vaultDescription": "Descrição",
   "editVaultMetadataDialog.error.formValidationFailed": "O nome do cofre não pode estar vazio.",
-  "editVaultMetadataDialog.error.vaultAlreadyExists": "Um cofre com o nome fornecido já existe.",
+  "editVaultMetadataDialog.error.vaultAlreadyExists": "Já existe um cofre com esse nome.",
   "grantPermissionDialog.title": "Conceder permissão",
-  "grantPermissionDialog.description": "Compartilhe a chave de cofre com usuários recém-adicionados.",
-  "grantPermissionDialog.submit": "Conceder permissão para Usuário(s)s {0}",
-  "trustDetails.trustLevel": "Nível de Confiança {0}",
+  "grantPermissionDialog.description": "Compartilhe a chave de cofre com usuários adicionados recentemente.",
+  "grantPermissionDialog.submit": "Conceder permissão para {0} usuário(s)",
+  "groups.title": "Grupos",
+  "group.detail.info": "Detalhes do grupo",
+  "group.detail.members": "Membros",
+  "group.detail.vaults": "Cofres",
+  "group.detail.edit": "Editar grupo",
+  "group.detail.add.member": "Adicionar membro",
+  "group.detail.name": "Nome",
+  "group.detail.createdOn": "Criado em",
+  "group.detail.roles": "Funções",
+  "groupList.name": "Nome",
+  "groupList.members.count": "Usuários",
+  "groupList.edit.group.button": "Editar",
+  "groupList.search.placeholder": "Buscar…",
+  "groupList.groupImage": "Imagem do grupo",
+  "groupList.vaults.count": "Cofres",
+  "groupList.create.button": "Criar grupo",
+  "groupList.group.created": "Criado em",
+  "group.members.add": "Adicionar membros",
+  "group.members.search.empty": "Nada foi encontrado",
+  "group.addMembers.title": "Adicionar membros",
+  "group.addMembers.searchLabel": "Buscar por nome de usuário ou nome completo",
+  "group.addMembers.selectedUser": "Usuário(s) selecionado(s)",
+  "group.member.remove.title": "Remover usuário do grupo",
+  "group.member.remove.description": "Deseja mesmo remover este usuário do grupo?",
+  "group.member.remove.confirm": "Sim, remover do grupo",
+  "groupEditCreate.title.create": "Criar novo grupo",
+  "groupEditCreate.title.edit": "Editar grupo",
+  "groupEditCreate.profileImage": "Imagem do perfil",
+  "groupEditCreate.role": "Função",
+  "groupEditCreate.removePicture": "Remover foto",
+  "groupEditCreate.addPicture": "Adicionar foto",
+  "groupEditCreate.name": "Nome do grupo",
+  "groupEditCreate.roles": "Funções",
+  "groupEditCreate.validation.required": "Este campo é obrigatório",
+  "groupEditCreate.roles.remove": "Remover funções",
+  "groupEditCreate.roles.choose": "Escolher funções",
+  "groupEditCreate.roles.addMore": "Adicionar mais",
+  "groupEditCreate.invalidImageUrl": "A URL da imagem é inválida!",
+  "groupEditCreate.profilePictureUrl": "URL da foto do perfil",
+  "groupEditCreate.selectRolesPlaceholder": "Selecionar função(ões)",
+  "groupEditCreate.error.groupNameAlreadyExists": "Já existe um grupo com esse nome.",
+  "trustDetails.trustLevel": "Nível de confiança: {0}",
   "trustDetails.trustLevel.untrusted": "Não verificado",
   "trustDetails.showSignDialogBtn": "Verificar identidade...",
-  "trustDetails.userNotSetUp": "O usuário ainda não configurou sua conta.",
+  "trustDetails.userNotSetUp": "O usuário ainda não configurou a conta dele.",
   "signUserKeysDialog.title": "Verificar identidade de {0}",
-  "signUserKeysDialog.description": "Digite os primeiros {0} caracteres da impressão digital de {1} para confirmar a autenticidade de suas chaves públicas. A impressão digital pode ser encontrada no perfil do usuário.",
+  "signUserKeysDialog.description": "Digite os primeiros {0} caractere(s) da impressão digital de {1} para confirmar a autenticidade de suas chaves públicas. A impressão digital pode ser encontrada no perfil do usuário.",
   "signUserKeysDialog.submit": "Confirmar a identidade deste usuário",
-  "initialSetup.createUserKey.title": "Bem-vindo ao Cryptomator Hub",
-  "initialSetup.createUserKey.description": "No primeiro login, cada usuário recebe uma chave única de conta:",
-  "initialSetup.createUserKey.details.accountKey": "Sua chave de conta é necessária para o login de outros aplicativos ou navegadores",
-  "initialSetup.createUserKey.details.devicesList": "Você pode ver uma lista de aplicativos autorizados na sua página de perfil",
-  "initialSetup.createUserKey.details.devicesName": "Este navegador será adicionado a esta lista como: {deviceName}",
-  "initialSetup.createUserKey.details.devicesName.label": "Nome do Navegador",
-  "initialSetup.createUserKey.confirmAccountKey": "Eu armazenei minha chave de conta com segurança.",
-  "initialSetup.recoverUserKey.title": "Autorização Necessária",
+  "initialSetup.createUserKey.title": "Bem-vindo(a) ao Katta",
+  "initialSetup.createUserKey.description": "No primeiro acesso, cada usuário recebe uma chave única de conta:",
+  "initialSetup.createUserKey.details.accountKey": "Sua Chave de Conta é necessária para fazer login em outros aplicativos ou navegadores",
+  "initialSetup.createUserKey.details.devicesList": "Você pode ver uma lista de aplicativos autorizados na sua página do perfil",
+  "initialSetup.createUserKey.details.devicesName": "Esse navegador será adicionado a esta lista como: {deviceName}",
+  "initialSetup.createUserKey.details.devicesName.label": "Nome do navegador",
+  "initialSetup.createUserKey.confirmAccountKey": "Eu armazenei minha Chave de Conta com segurança.",
+  "initialSetup.recoverUserKey.title": "Autorização necessária",
   "initialSetup.recoverUserKey.description": "Este é o seu primeiro login neste navegador.",
-  "initialSetup.recoverUserKey.accountKey.description": "Sua chave de conta é necessária para vincular esse navegador à sua conta.",
-  "initialSetup.recoverUserKey.deviceName": "Nome do Navegador",
-  "initialSetup.recoverUserKey.deviceName.description": "Nomeie este navegador para facilitar a identificação na sua lista de dispositivos autorizados.",
+  "initialSetup.recoverUserKey.accountKey.description": "Sua Chave de Conta é necessária para vincular este navegador à sua conta.",
+  "initialSetup.recoverUserKey.deviceName": "Nome do navegador",
+  "initialSetup.recoverUserKey.deviceName.description": "Dê um nome este navegador para facilitar a sua identificação na lista de dispositivos autorizados.",
   "initialSetup.recoverUserKey.error.wrongAccountKey": "Chave de conta errada",
   "initialSetup.recoverUserKey.lostAccountKey": "Perdeu sua chave de conta? {0}",
   "initialSetup.recoverUserKey.lostAccountKey.resetUserAccount": "Redefinir a minha conta",
   "initialSetup.setupAlreadyCompleted.title": "Configuração já concluída",
-  "initialSetup.setupAlreadyCompleted.description": "Você já completou a configuração inicial do Cryptomator Hub. Sua chave de conta pode ser encontrada no seu perfil.",
-  "initialSetup.setupAlreadyCompleted.goToYourProfile": "Ir para o seu perfil",
+  "initialSetup.setupAlreadyCompleted.description": "Você já concluiu a configuração inicial do Katta. Sua Chave de Conta pode ser encontrada em seu perfil.",
+  "initialSetup.setupAlreadyCompleted.goToYourProfile": "Acessar meu perfil",
   "initialSetup.accountKey": "Chave da Conta",
-  "initialSetup.submit": "Finalizar a configuração",
+  "initialSetup.submit": "Finalizar configuração",
   "licenseAlert.noRemainingSeats.title": "Licença excedida",
-  "licenseAlert.noRemainingSeats.admin.description": "Sua instância do Cryptomator Hub excedeu o número de assentos licenciados. Faça o upgrade no {0} para gerenciar e desbloquear seus cofres novamente.",
-  "licenseAlert.noRemainingSeats.user.description": "Sua instância do Cryptomator Hub excedeu o número de assentos licenciados. Por favor, informe ao administrador do Hub para atualizar a licença.",
+  "licenseAlert.noRemainingSeats.admin.description": "Sua instância do Katta excedeu o número de licenças permitidas. Atualize-a em {0} para conseguir gerenciar e desbloquear seus cofres novamente.",
+  "licenseAlert.noRemainingSeats.user.description": "Sua instância do Katta excedeu o número de licenças permitidas. Informe um administrador do Katta para que a licença seja atualizada.",
   "licenseAlert.licenseExpired.title": "Licença expirada",
-  "licenseAlert.licenseExpired.admin.description": "Sua licença do Cryptomator Hub expirou. Renove-a no {0} para gerenciar e desbloquear seus cofres novamente.",
-  "licenseAlert.licenseExpired.user.description": "Sua licença do Cryptomator Hub expirou. Por favor, informe ao administrador do Hub para renovar a licença.",
-  "licenseAlert.button": "Seção de Administração",
-  "legacyDeviceList.title": "Dispositivos Antigos",
-  "legacyDeviceList.description": "Estes dispositivos foram criados com uma versão mais antiga do Hub e precisam ser atualizados para desbloquear cofres em versões futuras. Se você não precisa mais deles, por favor, remova-os. Caso contrário, atualize o Cryptomator nesse dispositivo. Seu próximo desbloqueio acionará a atualização automaticamente.",
+  "licenseAlert.licenseExpired.admin.description": "Sua licença do Cryptomator Katta expirou. Renove-a em {0} para gerenciar e desbloquear seus cofres novamente.",
+  "licenseAlert.licenseExpired.user.description": "Sua licença do Cryptomator Katta expirou. Informe um administrador do Hub para renovar a licença.",
+  "licenseAlert.button": "Seção de Administrador",
+  "legacyDeviceList.title": "Dispositivos antigos",
+  "legacyDeviceList.description": "Estes dispositivos foram criados com uma versão mais antiga do Katta e precisam ser atualizados para desbloquear cofres em versões futuras. Se você não precisa mais deles, por favor, remova-os. Caso contrário, atualize o Katta nesse dispositivo. Seu próximo desbloqueio acionará a atualização automaticamente.",
   "legacyDeviceList.description.information": "Saiba mais.",
   "legacyDeviceList.deviceName": "Nome do dispositivo",
   "legacyDeviceList.type": "Tipo",
   "legacyDeviceList.added": "Adicionado",
-  "legacyDeviceList.thisDevice": "Este Dispositivo",
+  "legacyDeviceList.thisDevice": "Este dispositivo",
   "legacyDeviceList.ipAddress": "Endereço IP",
-  "legacyDeviceList.lastAccess": "Último Acesso ao Cofre",
-  "legacyDeviceList.lastAccess.toolTip": "Podem estar faltando para dispositivos acessados com versões mais antigas.",
+  "legacyDeviceList.lastAccess": "Último acesso ao cofre",
+  "legacyDeviceList.lastAccess.toolTip": "Pode estar ausente em dispositivos acessados ​​com versões mais antigas.",
+  "legacyDeviceBanner.title": "Dispositivos antigos serão interrompidos",
+  "legacyDeviceBanner.user.description": "Seus dispositivos antigos não receberão mais suporte na próxima versão principal. Atualize o Cryptomator neles ou remova-os.",
+  "legacyDeviceBanner.admin.description": "Um ou mais usuários ainda estão usando dispositivos antigos. O suporte a dispositivos antigos será interrompido na próxima versão principal. Solicite ao(s) usuário(s) afetado(s) para atualizar o Cryptomator ou remover os seus dispositivos antigos.",
   "manageAccountKey.title": "Chave da Conta",
-  "manageAccountKey.description": "Sua chave de conta é necessária para o login de outros aplicativos ou navegadores.",
+  "manageAccountKey.description": "Sua Chave de Conta é necessária para o fazer login em outros aplicativos ou navegadores.",
   "manageAccountKey.regenerate": "Regenerar chave",
   "nav.vaults": "Cofres",
-  "nav.profile.signedInAs": "Sessão iniciada como",
+  "nav.emergencyAccess": "Acesso de Emergência",
+  "nav.profile.signedInAs": "Iniciado sessão como",
   "nav.profile.profile": "Seu perfil",
   "nav.profile.admin": "Administrador",
-  "nav.profile.auditlog": "Registro de Auditoria",
-  "nav.profile.signOut": "Finalizar sessão",
+  "nav.profile.auditlog": "Registros de auditoria",
+  "nav.profile.signOut": "Sair",
+  "nav.authority": "Usuário e grupos",
+  "nav.groups": "Grupos",
+  "nav.users": "Usuários",
   "nav.mobileMenu": "Abrir menu principal",
-  "reactivateVaultDialog.title": "Reativar Cofre",
-  "reactivateVaultDialog.description": "Aviso: Reativar um cofre pode afetar o número de lugares disponíveis. Se o número de lugares disponíveis for excedido, o desbloqueio de todos os cofres será bloqueado.",
+  "reactivateVaultDialog.title": "Reativar cofre",
+  "reactivateVaultDialog.description": "Aviso: reativar um cofre pode afetar o número de vagas disponíveis. Se o número de vagas disponíveis for excedido, o desbloqueio de todos os cofres serão bloqueados.",
   "reactivateVaultDialog.confirm": "Reativar",
-  "recoveryKeyDialog.title": "Chave de recuperação",
+  "recoveryKeyDialog.title": "Chave de Recuperação",
   "recoveryKeyDialog.description": "Esta é sua chave de recuperação para \"{0}\". Mantenha-a segura, é a sua única oportunidade de recuperar o acesso a um cofre em caso de interrupção do sistema.",
-  "recoveryKeyDialog.recoveryKey": "Chave de recuperação do seu cofre",
+  "recoveryKeyDialog.recoveryKey": "Chave de Recuperação do seu cofre",
   "recoverVaultDialog.title": "Recuperação de cofre",
   "recoverVaultDialog.description": "Digite a Chave de Recuperação deste cofre para recuperar o acesso a ele.",
-  "recoverVaultDialog.submit": "Recuperar Cofre",
-  "recoverVaultDialog.error.formValidationFailed": "A chave de recuperação não pode ser vazia",
-  "recoverVaultDialog.error.invalidRecoveryKey": "Chave de Recuperação Inválida",
-  "regenerateAccountKeyDialog.confirmRegenerateAccountKey.title": "Regenerar a chave da conta",
-  "regenerateAccountKeyDialog.confirmRegenerateAccountKey.description": "Se você suspeitar que sua chave de conta antiga foi comprometida, você pode regenerá-la. Você só poderá adicionar novos dispositivos com a nova Chave de Conta. Seus dispositivos existentes permanecerão intactos.",
-  "regenerateAccountKeyDialog.saveAccountKey.title": "Salvar chave da conta",
-  "regenerateAccountKeyDialog.saveAccountKey.description": "Não se esqueça de salvar esta nova chave. Você precisará dela para fazer “login” em novos dispositivos. Você pode excluir a antiga com segurança.",
+  "recoverVaultDialog.submit": "Recuperar cofre",
+  "recoverVaultDialog.error.formValidationFailed": "A Chave de Recuperação não pode ser vazia",
+  "recoverVaultDialog.error.invalidRecoveryKey": "Chave de Recuperação inválida",
+  "regenerateAccountKeyDialog.confirmRegenerateAccountKey.title": "Regenerar Chave da Conta",
+  "regenerateAccountKeyDialog.confirmRegenerateAccountKey.description": "Se suspeitar que a sua Chave de Conta antiga foi comprometida, pode regenerá-la. Só poderá adicionar novos dispositivos com a nova Chave de Conta. Os seus dispositivos existentes permanecerão intactos.",
+  "regenerateAccountKeyDialog.saveAccountKey.title": "Salvar Chave da Conta",
+  "regenerateAccountKeyDialog.saveAccountKey.description": "Não se esqueça de guardar esta nova chave. Você precisará dela para fazer login em novos dispositivos. A chave antiga pode ser apagada com segurança.",
   "regenerateAccountKeyDialog.saveAccountKey.accountKey": "Chave da Conta",
   "regenerateAccountKeyDialog.submit": "Regenerar chave",
   "resetUserAccountDialog.title": "Redefinir conta de usuário",
-  "resetUserAccountDialog.description": "Apenas redefina sua conta se você tiver perdido a sua chave de conta. Você perderá o acesso a todos os seus cofres e o(s) proprietário(s) do cofre terá(ão) que te conceder o acesso novamente.",
+  "resetUserAccountDialog.description": "Só redefina sua conta se você tiver perdido sua Chave de Conta. O acesso a todos os seus cofres será perdido e o(s) proprietário(s) do(s) cofre(s) terá(ão) que conceder acesso novamente.",
   "resetUserAccountDialog.submit": "Redefinir conta",
   "userkeyFingerprint.title": "Impressão digital da chave do usuário",
-  "userkeyFingerprint.description": "Sua impressão digital chave de usuário pode ser usada para verificar sua identidade ao atualizar a permissão de cofre.",
+  "userkeyFingerprint.description": "A Impressão Digital da sua Chave de Usuário pode ser usada para verificar sua identidade ao atualizar as permissões do cofre.",
+  "users.title": "Usuários",
+  "user.detail.createdOn": "Criado em",
+  "user.detail.disable": "Desativar",
+  "user.detail.disabled": "Desativado",
+  "user.detail.devices": "Dispositivos",
+  "user.detail.edit": "Editar",
+  "user.detail.enable": "Ativar",
+  "user.detail.email": "E-mail",
+  "user.detail.groups": "Grupos",
+  "user.detail.groups.join": "Entrar",
+  "user.detail.info": "Detalhes do usuário",
+  "user.detail.legacyDeviceList.info": "Esses dispositivos foram criados com uma versão antiga do Hub e precisam ser atualizados para desbloquear os cofres em versões futuras.",
+  "user.detail.name": "Nome",
+  "user.detail.roles": "Funções",
+  "user.detail.username": "Nome de usuário",
+  "user.addGroups.title": "Adicionar grupos",
+  "user.addGroups.searchLabel": "Buscar por nome do grupo",
+  "user.addGroups.selectedGroups": "Grupo(s) selecionado(s)",
+  "userEditCreate.title.create": "Criar novo usuário",
+  "userEditCreate.title.edit": "Editar usuário",
+  "userEditCreate.button.create": "Criar usuário",
+  "userEditCreate.button.save": "Salvar",
+  "userEditCreate.button.saved": "Salvo!",
+  "userEditCreate.firstName": "Nome",
+  "userEditCreate.lastName": "Sobrenome",
+  "userEditCreate.username": "Nome de usuário",
+  "userEditCreate.email": "E-mail",
+  "userEditCreate.roles": "Funções",
+  "userEditCreate.selectRolesPlaceholder": "Selecionar função(ões)",
+  "userEditCreate.password": "Senha",
+  "userEditCreate.passwordConfirm": "Confirmar senha",
+  "userEditCreate.create.passwordInfo": "Esta é uma senha temporária. O usuário deve alterá-la ao fazer login pela primeira vez.",
+  "userEditCreate.edit.passwordInfo": "Deixe o campo de senha vazio caso não queira redefinir a senha do usuário.",
+  "userEditCreate.removePicture": "Remover foto",
+  "userEditCreate.passwordStrong": "Forte",
+  "userEditCreate.passwordMedium": "Média",
+  "userEditCreate.passwordWeak": "Fraca",
+  "userEditCreate.passwordsMatch": "Senhas iguais",
+  "userEditCreate.passwordsDontMatch": "As senhas são diferentes",
+  "userEditCreate.profilePictureUrl": "URL da foto do perfil",
+  "userEditCreate.showPassword": "Mostrar senha",
+  "userEditCreate.hidePassword": "Ocultar senha",
+  "userEditCreate.invalidEmail": "Formato de e-mail inválido",
+  "userEditCreate.invalidImageUrl": "A URL da imagem é inválida!",
+  "userEditCreate.validation.required": "Este campo é obrigatório",
+  "userEditCreate.validation.passwordMismatch": "As senhas são diferentes",
+  "userEditCreate.error.userAlreadyExists": "Já existe um usuário com este nome.",
+  "userEditCreate.error.emailAlreadyExists": "Já existe um usuário com este e-mail.",
+  "userList.edit.user.button": "Editar",
+  "userList.userName": "Nome",
+  "userList.groups.count": "Grupos",
+  "userList.device.count": "Dispositivos",
+  "userList.vaults.count": "Cofres",
+  "userList.user.created": "Criado em",
+  "userList.profileImage": "Imagem do perfil",
+  "userList.create.button": "Criar usuário",
+  "userList.disabled": "Desativado",
   "userProfile.title": "Perfil",
-  "userProfile.actions.manageAccount": "Gerenciar Conta",
-  "userProfile.actions.changeLanguage": "Alterar Idioma",
-  "userProfile.actions.changeLanguage.entry.browser": "Idioma do Navegador",
+  "userProfile.actions.manageAccount": "Gerenciar conta",
+  "userProfile.actions.changeLanguage": "Alterar idioma",
+  "userProfile.actions.changeLanguage.entry.browser": "Idioma do navegador",
+  "userProfile.keycloakVersion.notAvailable": "versão indisponível",
+  "unlock.noAccessVaultArchived.title": "Cofre arquivado",
+  "unlock.noAccessVaultArchived.description": "Este cofre foi arquivo e está inacessível. Contate o proprietário dele.",
   "unlockSuccess.title": "Cofre desbloqueado com sucesso",
-  "unlockSuccess.description": "Agora você pode fechar essa guia do navegador e retornar ao Cryptomator.",
+  "unlockSuccess.description": "Agora você pode fechar esta guia do navegador e retornar ao Katta.",
   "unlockSuccess.accountSetup.title": "Configuração necessária",
-  "unlockSuccess.accountSetup.description": "Finalize a configuração da sua conta e recupere a chave da sua conta.",
+  "unlockSuccess.accountSetup.description": "Conclua a configuração da sua conta e recupere a sua chave de conta.",
   "unlockSuccess.accountSetup.goToSetup": "Concluir configuração",
-  "unlockSuccess.deviceSetup.title": "Novo Dispositivo",
-  "unlockSuccess.deviceSetup.description": "Por favor, insira a chave de conta no Cryptomator para autorizá-la.",
-  "unlockSuccess.deviceSetup.goToProfile": "Visualizar chave da conta em meu perfil",
-  "unlockSuccess.noVaultAccess.title": "Sem acesso a este Cofre",
-  "unlockSuccess.noVaultAccess.description": "Entre em contato com o proprietário do cofre para adicioná-lo como um membro do cofre.",
+  "unlockSuccess.deviceSetup.title": "Novo dispositivo",
+  "unlockSuccess.deviceSetup.description": "Digite a chave da conta no Katta para autorizá-la.",
+  "unlockSuccess.deviceSetup.goToProfile": "Ver a chave da conta no meu perfil",
+  "unlockSuccess.noVaultAccess.title": "Sem acesso a este cofre",
+  "unlockSuccess.noVaultAccess.description": "Entre em contato com o proprietário para adicioná-lo como um membro do cofre.",
   "vaultDetails.warning.archived": "Este cofre está arquivado e não pode ser desbloqueado.",
   "vaultDetails.description.header": "Descrição",
   "vaultDetails.description.empty": "Nenhuma descrição fornecida.",
   "vaultDetails.information.header": "Informação",
-  "vaultDetails.information.created": "Criado em",
+  "vaultDetails.information.created": "Criado",
   "vaultDetails.sharedWith.title": "Compartilhado com",
   "vaultDetails.sharedWith.badge.owner": "Proprietário",
   "vaultDetails.sharedWith.grantOwnership": "Conceder propriedade",
@@ -260,31 +505,43 @@
   "vaultDetails.actions.title": "Ações",
   "vaultDetails.actions.updatePermissions": "Atualizar permissões",
   "vaultDetails.actions.updatePermissions.reload": "Recarregar",
-  "vaultDetails.actions.editVaultMetadata": "Editar Metadados do Cofre",
-  "vaultDetails.actions.downloadVaultTemplate": "Baixar Modelo do Cofre",
+  "vaultDetails.actions.editVaultMetadata": "Editar metadados do cofre",
+  "vaultDetails.actions.downloadVaultTemplate": "Baixar modelo do cofre",
   "vaultDetails.actions.displayRecoveryKey": "Mostrar Chave de Recuperação",
-  "vaultDetails.actions.archiveVault": "Arquivar Cofre",
-  "vaultDetails.actions.reactivateVault": "Reativar Cofre",
+  "vaultDetails.actions.archiveVault": "Arquivar cofre",
+  "vaultDetails.actions.reactivateVault": "Reativar cofre",
   "vaultDetails.actions.claimOwnership": "Reivindicar propriedade",
-  "vaultDetails.actions.recoverVault": "Recuperar Acesso ao Cofre",
-  "vaultDetails.error.licenseViolated": "Sua licença do Cryptomator Hub expirou ou você excedeu o número de lugares licenciados. Por favor, informe a renovação de um administrador do Hub ou atualize a licença.",
-  "vaultDetails.recoverVault.title": "Você redefiniu sua conta!",
+  "vaultDetails.actions.recoverVault": "Recuperar acesso ao cofre",
+  "vaultDetails.emergencyAccess.setupCouncil": "Configurar Conselho do Acesso de Emergência",
+  "vaultDetails.emergencyAccess.fixCouncil": "Corrigir Conselho do Acesso de Emergência",
+  "vaultDetails.error.licenseViolated": "Sua licença do Katta expirou ou você excedeu o número de licenças válidas. Informe a renovação a um administrador do Katta ou atualize-a.",
+  "vaultDetails.recoverVault.title": "Você redefiniu a sua conta!",
   "vaultDetails.recoverVault.description": "Para recuperar o acesso ao cofre, você deve restaurar seu acesso usando a chave de recuperação ou outro proprietário deve atualizar as permissões de acesso.",
   "vaultList.title": "Cofres",
-  "vaultList.empty.title": "Sem cofres",
+  "vaultList.empty.title": "Nenhum cofre",
   "vaultList.empty.description": "Comece criando um novo cofre.",
   "vaultList.addVault": "Adicionar",
   "vaultList.addVault.disabled.licenseViolation": "Licença excedida.",
   "vaultList.addVault.disabled.missingPermission": "Você não tem permissão para criar um cofre.",
   "vaultList.addVault.create": "Criar novo",
-  "vaultList.addVault.recover": "Recuperar Existente",
+  "vaultList.addVault.recover": "Recuperar cofre existente",
   "vaultList.filter": "Filtro",
   "vaultList.filter.entry.accessibleVaults": "Acessível",
-  "vaultList.filter.entry.ownedVaults": "Minha propriedade",
+  "vaultList.filter.entry.ownedVaults": "Meus",
   "vaultList.filter.entry.allVaults": "Todos",
-  "vaultList.filter.result.empty.title": "Sem cofres",
-  "vaultList.filter.result.empty.description": "Nenhum resultado usando esse termo de pesquisa ou filtro.",
-  "vaultList.search.placeholder": "Pesquisar…",
+  "vaultList.filter.result.empty.title": "Nenhum cofre",
+  "vaultList.filter.result.empty.description": "Nenhum resultado usando esse termo de busca ou filtro.",
+  "vaultList.search.placeholder": "Buscar…",
   "vaultList.badge.owner": "Proprietário",
-  "vaultList.badge.archived": "Arquivado"
+  "vaultList.badge.archived": "Arquivado",
+  "userList.filter.result.empty.title": "Nenhum usuário",
+  "userList.filter.result.empty.description": "Nenhum resultado usando este termo de busca.",
+  "groupList.empty.title": "Nenhum grupo",
+  "groupList.empty.description": "Você não tem nenhum grupo e não é membro de nenhum.",
+  "groupList.filter.result.empty.title": "Nenhum grupo",
+  "groupList.filter.result.empty.description": "Nenhum resultado usando este termo de busca.",
+  "missingEntitlements.title": "Atualização obrigatória",
+  "missingEntitlements.description": "Esse recurso não faz parte da sua licença atual.",
+  "trial.enterpriseFeature.title": "Funcionalidades empresariais",
+  "trial.enterpriseFeature.description": "Esta funcionalidade apenas está permanentemente disponível com uma licença empresarial."
 }
diff --git a/frontend/src/i18n/pt-PT.json b/frontend/src/i18n/pt-PT.json
index 726185f52..5cd99c77d 100644
--- a/frontend/src/i18n/pt-PT.json
+++ b/frontend/src/i18n/pt-PT.json
@@ -18,10 +18,16 @@
   "common.close": "Fechar",
   "common.copied": "Copiado!",
   "common.copy": "Copiar",
+  "common.create": "Criar",
+  "common.device": "Dispositivo",
   "common.download": "Descarregar",
+  "common.edit": "Editar",
   "common.hide": "Esconder",
+  "common.leave": "Sair",
   "common.loading": "Carregando…",
   "common.next": "Seguinte",
+  "common.none": "Nenhum",
+  "common.nothingFound": "Sem resultados",
   "common.optional": "opcional",
   "common.pagination": "Paginação",
   "common.previous": "Anterior",
@@ -30,6 +36,10 @@
   "common.remove": "Remover",
   "common.reset": "Repor",
   "common.retry": "Tentar novamente",
+  "common.save": "Salvar",
+  "common.saved": "Guardado!",
+  "common.search.placeholder": "Pesquisa…",
+  "common.select.placeholder": "Selecionar…",
   "common.share": "Compartilhar",
   "common.show": "Mostrar",
   "common.undo": "Desfazer",
@@ -37,17 +47,22 @@
   "common.unsavedChanges": "Alterações não gravadas.",
   "common.update": "Atualizar",
   "common.xMembers": "{0} Membros",
+  "common.actions": "Ações",
+  "common.group": "Grupo",
+  "common.member": "Membro",
+  "common.property": "Propriedade",
+  "common.value": "Valor",
   "admin.title": "Admin",
   "admin.serverInfo.title": "Informação do servidor",
-  "admin.serverInfo.description": "O ID do Hub é usado para identificar a sua instância do Cryptomator Hub para sua licença. Para suporte, sempre indique a versão exibida do Hub e Keycloak.",
-  "admin.serverInfo.hubId.title": "ID do Hub",
-  "admin.serverInfo.hubVersion.title": "Versão do Hub",
-  "admin.serverInfo.hubVersion.description.upToDate": "O Hub está atualizado.",
+  "admin.serverInfo.description": "O ID do Katta é usado para identificar a sua instância do Katta para sua licença. Para suporte, sempre indique a versão exibida do Katta e Keycloak.",
+  "admin.serverInfo.hubId.title": "ID do Katta",
+  "admin.serverInfo.hubVersion.title": "Versão do Katta",
+  "admin.serverInfo.hubVersion.description.upToDate": "O Katta está atualizado.",
   "admin.serverInfo.hubVersion.description.updateExists": "Atualização para a versão {0} disponível.",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "Não é possível verificar por atualizações. Por favor, verifique manualmente.",
   "admin.serverInfo.keycloakVersion.title": "Versão do Keycloak",
   "admin.serverInfo.keycloakVersion.description": "Gerir Keycloak",
-  "admin.serverInfo.keycloakVersion.notAvailable": "não disponível",
+  "admin.serverInfo.keycloakVersion.notAvailable": "não disponivel",
   "admin.licenseInfo.title": "Info da licença",
   "admin.licenseInfo.description": "Verifique a informação da sua licença. Se desejar fazer alterações ou verificar o estado da subscrição, pressione \"Gerir subscrição\".",
   "admin.licenseInfo.email.title": "Licenciado para",
@@ -62,8 +77,8 @@
   "admin.licenseInfo.manageSubscription": "Gerir subscrição",
   "admin.licenseInfo.type.title": "Tipo",
   "admin.licenseInfo.getLicense": "Obter licença",
-  "admin.licenseInfo.selfHostedNoLicense.description": "Obrigado por usar o Cryptomator Hub! Foi-lhe concedida uma licença da comunidade. Se você precisar de mais lugares, atualize a sua licença.",
-  "admin.licenseInfo.managedNoLicense.description": "Obrigado por usar o Cryptomator Hub! Atualmente você não possui uma licença ativa.",
+  "admin.licenseInfo.selfHostedNoLicense.description": "Obrigado por usar o Katta! Foi-lhe concedida uma licença da comunidade. Se você precisar de mais lugares, atualize a sua licença.",
+  "admin.licenseInfo.managedNoLicense.description": "Obrigado por usar o Katta! Atualmente você não possui uma licença ativa.",
   "admin.webOfTrust.title": "Cadeia de confiança",
   "admin.webOfTrust.description": "Configure as opções da cadeia de confiança para gerir como a confiança é estabelecida entre utilizadores no sistema. Essas configurações afetam a verificação da identidade dos utilizadores é chaves de assinatura.",
   "admin.webOfTrust.information": "Saiba mais.",
@@ -75,6 +90,27 @@
   "admin.webOfTrust.wotIdVerifyLen.description": "Quantos dígitos da impressão digital de outro utilizador são necessários para verificar a sua identidade.",
   "admin.webOfTrust.save": "Salvar",
   "admin.webOfTrust.saved": "Guardado!",
+  "admin.emergencyAccess.title": "Acesso de emergência",
+  "admin.emergencyAccess.description": "Configurar divisão de chaves para recuperação do cofre.",
+  "admin.emergencyAccess.learnMore": "Saiba mais.",
+  "admin.emergencyAccess.noRedundancy.title": "O seu sistema atual de divisão de chaves não possui redundância!",
+  "admin.emergencyAccess.noRedundancy.description": "É altamente recomendável configurar mais detentores de chaves do que o número de chaves necessárias.",
+  "admin.emergencyAccess.enabled.label": "Ativado",
+  "admin.emergencyAccess.enabled.help": "Ativar acesso de emergência",
+  "admin.emergencyAccess.requiredKeys.label": "Chaves requeridas",
+  "admin.emergencyAccess.requiredKeys.ariaLabel": "Ações-chave necessárias",
+  "admin.emergencyAccess.requiredKeys.help": "Quantas chaves são necessárias para restaurar o acesso a um cofre.",
+  "admin.emergencyAccess.keyholders.label": "Portadores de chaves",
+  "admin.emergencyAccess.keyholders.minSelected": "Pelo menos {0} membros devem ser selecionados. A quantidade necessária foi definida acima.",
+  "admin.emergencyAccess.keyholders.help": "Quem deverá recuperar a chave de acesso de emergência.",
+  "admin.emergencyAccess.allowChoosing.label": "Permitir que os proprietários dos cofres escolham diferentes detentores das chaves.",
+  "admin.emergencyAccess.allowChoosing.atLeast": "Pelo menos:",
+  "admin.emergencyAccess.minMembers.ariaLabel": "Membros mínimos",
+  "admin.emergencyAccess.example.help": "Exemplo de quem pode colaborar para recuperar um cofre.",
+  "admin.emergencyAccess.validation.maxValue": "Valor máximo é {0}.",
+  "admin.emergencyAccess.validation.minValue": "Valor mínimo é {0}.",
+  "admin.emergencyAccess.validation.minMembersAtLeastRequiredShares": "Deve ser maior ou igual ao número de ações-chave necessárias.",
+  "admin.emergencyAccess.errors.sharesMustNotExceedMembers": "O número de ações obrigatórias não deve exceder o número mínimo de membros.",
   "archiveVaultDialog.title": "Arquivar cofre",
   "archiveVaultDialog.description": "Arquivar um cofre torna-o inativo. Isto pode libertar lugares ocupados. Um cofre arquivado pode ser reativado posteriormente.",
   "archiveVaultDialog.confirm": "Arquivar",
@@ -86,11 +122,18 @@
   "auditLog.filter.endDate": "Data de fim",
   "auditLog.filter.selectEventFilter": "Selecionar filtro de eventos",
   "auditLog.filter.clerEventFilter": "Limpar filtro de eventos",
+  "auditLog.filter.removeEventType": "Remover {type}",
   "auditLog.timestamp": "Data e hora",
   "auditLog.type": "Evento",
   "auditLog.details": "Detalhes",
   "auditLog.details.device.register": "Registar dispositivo",
   "auditLog.details.device.remove": "Remover dispositivo",
+  "auditLog.details.emergencyaccess.setup": "Configuração do acesso de emergência",
+  "auditLog.details.emergencyaccess.settingsUpdated": "Configurações de acesso de emergência atualizadas",
+  "auditLog.details.emergencyaccess.recoveryStarted": "Recuperação de acesso de emergência iniciada",
+  "auditLog.details.emergencyaccess.recoveryApproved": "Recuperação de acesso de emergência aprovada",
+  "auditLog.details.emergencyaccess.recoveryCompleted": "Recuperação de acesso de emergência concluída",
+  "auditLog.details.emergencyaccess.recoveryAborted": "Recuperação de acesso de emergência abortada",
   "auditLog.details.setting.wot.update": "Atualizar configurações Wot",
   "auditLog.details.user.account.reset": "Redefinir conta de utilizador",
   "auditLog.details.user.keys.change": "Alteração das chaves do utilizador",
@@ -123,6 +166,9 @@
   "createVault.enterVaultDetails.description": "Introduza um nome e uma descrição para o seu novo cofre. Pode alterá-los mais tarde.",
   "createVault.enterVaultDetails.vaultName": "Nome do Cofre",
   "createVault.enterVaultDetails.vaultDescription": "Descrição",
+  "createVault.emergencyAccessDetails.title": "Definir as condições de acesso de emergência",
+  "createVault.emergencyAccessDetails.description": "Selecionar os membros da direção para acesso em caso de emergência.",
+  "createVault.emergencyAccessDetails.description.adminDefined": "O conselho de acesso de emergência é definido pelo administrador e não pode ser alterado aqui.",
   "createVault.showRecoveryKey.title": "Chave de recuperação",
   "createVault.showRecoveryKey.description": "A seguinte chave de recuperação pode ser utilizada para restaurar o acesso ao cofre.",
   "createVault.showRecoveryKey.recoveryKey": "Chave de recuperação do seu cofre",
@@ -133,13 +179,22 @@
   "createVault.error.invalidRecoveryKey": "Chave de recuperação é inválida.",
   "createVault.error.vaultAlreadyExists": "Um cofre com o nome fornecido já existe.",
   "createVault.error.downloadTemplateFailed": "Falha no download do modelo do cofre: {0}",
-  "createVault.error.paymentRequired": "A sua licença do Cryptomator Hub excedeu o número de licenças disponíveis ou expirou. Informe um administrador do Hub para atualizar ou renovar a licença.",
+  "createVault.error.paymentRequired": "A sua licença do Katta excedeu o número de licenças disponíveis ou expirou. Informe um administrador do Katta para atualizar ou renovar a licença.",
   "createVault.success.title": "Cofre criado",
   "createVault.success.description": "Depois de descarregar a pasta comprimida do cofre, descomprima-a em qualquer local partilhado com os membros da sua equipa.",
   "createVault.success.download": "Descarregue a pasta zipada do cofre",
   "createVault.success.return": "Regressar à lista do cofre",
+  "deleteGroupDialog.title": "Eliminar grupo",
+  "deleteGroupDialog.description": "Tem a certeza de que pretende eliminar este grupo permanentemente? Será removido de todos os cofres associados. Esta ação não pode ser anulada.",
+  "deleteGroupDialog.confirm": "Sim, remover grupo",
+  "disableUserDialog.title": "Desativar utilizador",
+  "disableUserDialog.description": "Este utilizador deixará de poder iniciar sessão e será excluído da contagem de licenças. Pode reativar o utilizador a qualquer momento.",
+  "disableUserDialog.confirm": "Desativar utilizador",
+  "deleteUserDialog.title": "Eliminar conta de utilizador",
+  "deleteUserDialog.description": "Tem a certeza de que deseja eliminar este utilizador permanentemente? Todos os cofres e dispositivos associados serão removidos. Esta ação não pode ser anulada.",
+  "deleteUserDialog.confirm": "Sim, remover utilizador",
   "deviceList.empty.message": "Nenhum dispositivo",
-  "deviceList.empty.description": "Para adicionar um dispositivo, adicione um cofre deste Hub à aplicação Cryptomator do dispositivo e desbloqueie-o.",
+  "deviceList.empty.description": "Para adicionar um dispositivo, adicione um cofre do Katta à aplicação Katta do dispositivo e desbloqueie-o.",
   "deviceList.title": "Dispositivos e navegadores autorizados",
   "deviceList.deviceName": "Nome do dispositivo",
   "deviceList.type": "Tipo",
@@ -148,8 +203,89 @@
   "deviceList.ipAddress": "Endereço de IP",
   "deviceList.lastAccess": "Último acesso ao cofre",
   "deviceList.lastAccess.toolTip": "Pode estar em falta para dispositivos acedidos com versões mais antigas.",
+  "deviceType.browser": "Navegador",
+  "deviceType.desktop": "Computador",
+  "deviceType.mobile": "Telemóvel",
   "downloadVaultTemplateDialog.title": "Descarregue o modelo do cofre",
   "downloadVaultTemplateDialog.description": "Transfira e descomprima o modelo de cofre comprimido em qualquer local partilhado com os membros da sua equipa. Isto é necessário apenas uma vez durante a configuração inicial.",
+  "emergencyAccess.requiredKeyShares": "Ações-chave necessárias",
+  "emergencyAccess.processCouncil": "Conselho de processos",
+  "emergencyAccess.status.added": "Adicionado",
+  "emergencyAccess.status.pending": "Pendente",
+  "emergencyAccess.startProcess": "Iniciar processo",
+  "emergencyAccess.notPossible": "Não é possivel",
+  "emergencyAccess.vaultCouncil": "Conselho do cofre",
+  "emergencyAccess.noRedundancy": "Sem redundância",
+  "emergencyAccess.label.councilMembers": "Membros do conselho",
+  "emergencyAccess.label.newCouncilMembers": "Novos membros do conselho",
+  "emergencyAccess.label.owners": "Proprietários",
+  "emergencyAccess.label.members": "Membros",
+  "emergencyAccess.label.removed": "Removido",
+  "emergencyAccess.label.possibleScenario": "Possível cenário de emergência",
+  "emergencyAccess.label.exampleRecovery": "Exemplo de recuperação",
+  "emergencyAccess.validation.selectMoreCouncilMembers": "Selecione pelo menos mais {0} membros do conselho.",
+  "emergencyAccess.validation.minimumMembers": "Pelo menos {0} membros devem ser selecionados.",
+  "emergencyAccess.approval.waitingOthers": "Aguarda-se outras aprovações",
+  "emergencyAccess.approval.showDetails": "Mostrar detalhes",
+  "emergencyAccess.approval.completeNow": "Completar agora",
+  "emergencyAccess.approval.approveNow": "Aprovar agora",
+  "emergencyAccess.processType.changePermissions": "Selecione os membros do cofre",
+  "emergencyAccess.processType.changeCouncil": "Mudar o conselho de acesso de emergência",
+  "emergencyAccess.filter.all": "Todos",
+  "emergencyAccess.filter.approvable": "Aprovável",
+  "emergencyAccess.filter.approved": "Aprovado",
+  "emergencyAccess.filter.startable": "Iniciável",
+  "emergencyAccess.empty.disabled": "Acesso de emergência está desativado.",
+  "emergencyAccess.empty.noneFound": "Nenhum cofre de emergência encontrado",
+  "emergencyAccess.licenseRequired.message": "O acesso de emergência só está disponível com uma licença paga.",
+  "emergencyAccess.licenseRequired.adminHint": "Pode obter um na seção de administração.",
+  "emergencyAccess.badge.notCouncil.title": "Não há mais nenhum membro do conselho",
+  "emergencyAccess.badge.notCouncil.message": "Já não faz parte do conselho de emergência do cofre. Mas ainda faz parte de um processo de acesso de emergência em curso.",
+  "emergencyAccess.badge.insufficientCouncilMembers.title": "Acesso de emergência insuficiente",
+  "emergencyAccess.badge.insufficientCouncilMembers.message": "A política da sua equipa exige um conselho de acesso de emergência com pelo menos {0} membro(s). Este cofre não cumpre este requisito no momento.",
+  "emergencyAccess.badge.broken.title": "Acesso de emergência danificado",
+  "emergencyAccess.badge.broken.message": "O acesso de emergência já não está disponível. Um ou mais membros do conselho redefiniram as suas contas e perderam o acesso às suas chaves.",
+  "emergencyAccess.badge.noRedundancy.title": "Sem redundância",
+  "emergencyAccess.badge.noRedundancy.message": "Este conselho de acesso de emergência não tem membros redundantes. Considere a possibilidade de designar um conselho que possua membros redundantes.",
+  "emergencyAccessDialog.message.completed": "Processo concluído com sucesso.",
+  "emergencyAccessDialog.label.selectOwner": "Selecione o utilizador com a função de proprietário",
+  "emergencyAccessDialog.label.selectMember": "Selecione o utilizador com a função de membro",
+  "emergencyAccessDialog.label.councilMembersAtLeast": "Membros do conselho (no mínimo: {0})",
+  "emergencyAccessDialog.section.ownership": "Proprietário",
+  "emergencyAccessDialog.section.councilChange": "Mudança de conselho",
+  "emergencyAccessDialog.hint.finishProcess": "Pode finalizar este processo de acesso de emergência adicionando a última chave partilhada e concluindo-o.",
+  "emergencyAccessDialog.hint.keyShareAdded": "A sua participação na chave já foi adicionada.",
+  "emergencyAccessDialog.hint.notInCouncil": "Não faz parte do conselho para este processo e não pode adicionar uma ação principal.",
+  "emergencyAccessDialog.action.abortProcess": "Cancelar este processo",
+  "emergencyAccessDialog.action.start": "Iniciar",
+  "emergencyAccessDialog.action.approve": "Aprovar",
+  "emergencyAccessDialog.action.completeProcess": "Completar processo",
+  "emergencyAccessDialog.title.success": "Sucesso",
+  "emergencyAccessDialog.title.changeCouncil": "Alterar conselho",
+  "emergencyAccessDialog.title.changePermissions": "Alterar permissões de cofre",
+  "emergencyAccessDialog.title.processDetails": "Detalhes do processo",
+  "emergencyAccessDialog.title.approved": "Aprovado",
+  "emergencyAccessDialog.title.approveEmergencyAccess": "Aprovar acesso de emergência",
+  "emergencyAccessDialog.title.completeEmergencyAccess": "Completar acesso de emergência",
+  "emergencyAccessDialog.error.insufficientCouncilMembers": "Dados inconsistentes: Membros do conselho insuficientes ({0}) para recuperar este cofre ({1}).",
+  "emergencyAccessDialog.error.noProcessToApprove": "Nenhum processo de recuperação por aprovar.",
+  "emergencyAccessDialog.error.processTampered": "O processo de recuperação foi adulterado.",
+  "emergencyAccessDialog.error.noProcessToComplete": "Sem processo de recuperação a ser concluído.",
+  "emergencyAccessDialog.error.unsupportedProcessType": "Estado não suportado para o tipo de processo de recuperação: {0}",
+  "grantEmergencyAccessDialog.title": "Conceder acesso de emergência",
+  "grantEmergencyAccessDialog.description.selectCouncil": "Selecionar membros do conselho para conceder acesso de emergência para este cofre.",
+  "grantEmergencyAccessDialog.description.default": "Conceder acesso de emergência para este cofre.",
+  "grantEmergencyAccessDialog.grant": "Conceder",
+  "grantEmergencyAccessDialog.error.keySharesRequired": "São necessárias pelo menos 2 chaves de emergência.",
+  "grantEmergencyAccessDialog.error.councilMembersRequired": "É necessário um mínimo de 2 membros do conselho.",
+  "grantEmergencyAccessDialog.error.tooFewCouncilMembers": "Número insuficiente de membros do conselho. Adicione mais ou diminuir o número necessário de ações-chave de emergência.",
+  "processAbortDialog.title": "Cancelar este processo",
+  "processAbortDialog.description": "Tem a certeza de que pretende interromper este processo de acesso de emergência? Esta ação não pode ser anulada.",
+  "processAbortDialog.confirm": "Abortar processo",
+  "recoveryDialog.error.invalidRecoveryType": "Tipo de processo de recuperação inválido.",
+  "recoveryDialog.error.processAlreadyExists": "Um processo de recuperação deste tipo já existe.",
+  "recoveryDialog.error.noOwnerSelected": "Selecione pelo menos um proprietário.",
+  "recoveryDialog.error.notEnoughCouncilMembers": "Não há membros do conselho suficientes selecionados.",
   "editVaultMetadataDialog.title": "Editar metadados do cofre",
   "editVaultMetadataDialog.description": "Atualize o nome e a descrição do cofre.",
   "editVaultMetadataDialog.vaultName": "Nome do Cofre",
@@ -159,6 +295,47 @@
   "grantPermissionDialog.title": "Conceder permissão",
   "grantPermissionDialog.description": "Partilhe as chaves do cofre com os utilizadores recém-adicionados.",
   "grantPermissionDialog.submit": "Conceder permissão a {0} utilizador(s)",
+  "groups.title": "Grupos",
+  "group.detail.info": "Detalhes do grupo",
+  "group.detail.members": "Membros",
+  "group.detail.vaults": "Cofres",
+  "group.detail.edit": "Editar grupo",
+  "group.detail.add.member": "Adicionar membro",
+  "group.detail.name": "Nome:",
+  "group.detail.createdOn": "Criado em",
+  "group.detail.roles": "Funções",
+  "groupList.name": "Nome:",
+  "groupList.members.count": "Utilizadores",
+  "groupList.edit.group.button": "Editar",
+  "groupList.search.placeholder": "Pesquisa…",
+  "groupList.groupImage": "Imagem do grupo",
+  "groupList.vaults.count": "Cofres",
+  "groupList.create.button": "Criar grupo",
+  "groupList.group.created": "Criado em",
+  "group.members.add": "Adicionar membros",
+  "group.members.search.empty": "Sem resultados",
+  "group.addMembers.title": "Adicionar membros",
+  "group.addMembers.searchLabel": "Pesquisar por nome de utilizador ou nome completo",
+  "group.addMembers.selectedUser": "Utilizador(es) selecionado(s)",
+  "group.member.remove.title": "Remover utilizador do grupo",
+  "group.member.remove.description": "Tem a certeza que pretende remover este utilizador do grupo?",
+  "group.member.remove.confirm": "Sim, remover do grupo",
+  "groupEditCreate.title.create": "Criar novo grupo",
+  "groupEditCreate.title.edit": "Editar grupo",
+  "groupEditCreate.profileImage": "Imagem de perfil",
+  "groupEditCreate.role": "Função",
+  "groupEditCreate.removePicture": "Remover imagem",
+  "groupEditCreate.addPicture": "Adicionar imagem",
+  "groupEditCreate.name": "Nome do grupo",
+  "groupEditCreate.roles": "Funções",
+  "groupEditCreate.validation.required": "Este campo é obrigatório",
+  "groupEditCreate.roles.remove": "Remover funções",
+  "groupEditCreate.roles.choose": "Escolher função",
+  "groupEditCreate.roles.addMore": "Adicionar mais",
+  "groupEditCreate.invalidImageUrl": "URL da imagem inválido",
+  "groupEditCreate.profilePictureUrl": "URL da imagem de perfil",
+  "groupEditCreate.selectRolesPlaceholder": "Selecione a(s) função(ões)",
+  "groupEditCreate.error.groupNameAlreadyExists": "Já existe um grupo com esse nome.",
   "trustDetails.trustLevel": "Nível de confiança {0}",
   "trustDetails.trustLevel.untrusted": "Não verificado",
   "trustDetails.showSignDialogBtn": "Verificar identidade...",
@@ -166,7 +343,7 @@
   "signUserKeysDialog.title": "Verificar identidade de {0}",
   "signUserKeysDialog.description": "Introduza os primeiros {0} caracteres da impressão digital de {1} para confirmar a autenticidade das suas chaves públicas. A impressão digital pode ser encontrada no perfil do utilizador.",
   "signUserKeysDialog.submit": "Confirmar a identidade deste utilizador",
-  "initialSetup.createUserKey.title": "Bem-vindo ao Cryptomator Hub",
+  "initialSetup.createUserKey.title": "Bem-vindo ao Katta",
   "initialSetup.createUserKey.description": "No primeiro início de sessão, cada utilizador recebe uma chave de conta única:",
   "initialSetup.createUserKey.details.accountKey": "A sua chave de conta é necessária para iniciar sessão noutras aplicações ou navegadores",
   "initialSetup.createUserKey.details.devicesList": "Pode ver uma lista de aplicações autorizadas na sua página de perfil",
@@ -182,19 +359,19 @@
   "initialSetup.recoverUserKey.lostAccountKey": "Perdeu a sua chave da conta? {0}",
   "initialSetup.recoverUserKey.lostAccountKey.resetUserAccount": "Redefinir a minha conta",
   "initialSetup.setupAlreadyCompleted.title": "Configuração já foi concluída",
-  "initialSetup.setupAlreadyCompleted.description": "Já concluiu a configuração inicial do Cryptomator Hub. A chave da sua conta pode ser encontrada no seu perfil.",
+  "initialSetup.setupAlreadyCompleted.description": "Já concluiu a configuração inicial do Katta. A chave da sua conta pode ser encontrada no seu perfil.",
   "initialSetup.setupAlreadyCompleted.goToYourProfile": "Ir para o seu perfil",
   "initialSetup.accountKey": "Chave da Conta",
   "initialSetup.submit": "Concluir configuração",
   "licenseAlert.noRemainingSeats.title": "Licença excedida",
-  "licenseAlert.noRemainingSeats.admin.description": "A sua instância do Cryptomator Hub excedeu o número de licenças. Atualize-o no {0} para gerir e desbloquear novamente os seus cofres.",
-  "licenseAlert.noRemainingSeats.user.description": "A sua instância do Cryptomator Hub excedeu o número de licenças. Informe um administrador do Hub para atualizar a licença.",
+  "licenseAlert.noRemainingSeats.admin.description": "A sua instância do Katta excedeu o número de licenças. Atualize-o no {0} para gerir e desbloquear novamente os seus cofres.",
+  "licenseAlert.noRemainingSeats.user.description": "A sua instância do Katta excedeu o número de licenças. Informe um administrador do Katta para atualizar a licença.",
   "licenseAlert.licenseExpired.title": "Licença expirada",
-  "licenseAlert.licenseExpired.admin.description": "A sua licença do Cryptomator Hub expirou. Renove-a em {0} para gerir e desbloquear novamente os seus cofres.",
-  "licenseAlert.licenseExpired.user.description": "A sua licença do Cryptomator Hub expirou. Informe um administrador do Hub para renovar a licença.",
+  "licenseAlert.licenseExpired.admin.description": "A sua licença do Katta expirou. Renove-a em {0} para gerir e desbloquear novamente os seus cofres.",
+  "licenseAlert.licenseExpired.user.description": "A sua licença do Katta expirou. Informe um administrador do Katta para renovar a licença.",
   "licenseAlert.button": "Secção de administração",
   "legacyDeviceList.title": "Dispositivos antigos",
-  "legacyDeviceList.description": "Estes dispositivos foram criados com uma versão mais antiga do Hub e precisam ser atualizados para desbloquear cofres em versões futuras. Se você não precisa mais deles, por favor, remova-os. Caso contrário, atualize o Cryptomator nesse dispositivo. Seu próximo desbloqueio acionará a atualização automaticamente.",
+  "legacyDeviceList.description": "Estes dispositivos foram criados com uma versão mais antiga do Katta e precisam ser atualizados para desbloquear cofres em versões futuras. Se você não precisa mais deles, por favor, remova-os. Caso contrário, atualize o Katta nesse dispositivo. Seu próximo desbloqueio acionará a atualização automaticamente.",
   "legacyDeviceList.description.information": "Saiba mais.",
   "legacyDeviceList.deviceName": "Nome do dispositivo",
   "legacyDeviceList.type": "Tipo",
@@ -203,15 +380,22 @@
   "legacyDeviceList.ipAddress": "Endereço IP",
   "legacyDeviceList.lastAccess": "Último acesso ao cofre",
   "legacyDeviceList.lastAccess.toolTip": "Pode estar em falta para dispositivos acedidos com versões mais antigas.",
+  "legacyDeviceBanner.title": "Dispositivos antigos serão descontinuados",
+  "legacyDeviceBanner.user.description": "Os seus dispositivos antigos já não serão compatíveis com a próxima versão principal. Atualize o Cryptomator nesses dispositivos ou remova-os.",
+  "legacyDeviceBanner.admin.description": "Um ou mais utilizadores ainda possuem dispositivos antigos. O suporte para dispositivos antigos será descontinuado na próxima versão principal. Solicite aos utilizadores afetados que atualizem o Cryptomator ou removam os seus dispositivos antigos.",
   "manageAccountKey.title": "Chave da Conta",
   "manageAccountKey.description": "A sua chave de conta é necessária para iniciar sessão noutras aplicações ou navegadores.",
   "manageAccountKey.regenerate": "Gerar nova chave",
   "nav.vaults": "Cofres",
+  "nav.emergencyAccess": "Acesso de emergência",
   "nav.profile.signedInAs": "Ligado como",
   "nav.profile.profile": "O seu perfil",
   "nav.profile.admin": "Admin",
   "nav.profile.auditlog": "Registos de auditoria",
   "nav.profile.signOut": "Terminar sessão",
+  "nav.authority": "Utilizadores e grupos",
+  "nav.groups": "Grupos",
+  "nav.users": "Utilizadores",
   "nav.mobileMenu": "Abrir menu principal",
   "reactivateVaultDialog.title": "Reativar cofre",
   "reactivateVaultDialog.description": "Aviso: a reativação de um cofre pode afetar o número de lugares disponíveis. Se o número de lugares disponíveis for excedido, o desbloqueio de todos os cofres será bloqueado.",
@@ -235,18 +419,77 @@
   "resetUserAccountDialog.submit": "Redefinir conta",
   "userkeyFingerprint.title": "Impressão digital da chave do utilizador",
   "userkeyFingerprint.description": "A sua impressão digital da chave do utilizador pode ser utilizada para verificar a sua identidade ao atualizar a permissão do cofre.",
+  "users.title": "Utilizadores",
+  "user.detail.createdOn": "Criado em",
+  "user.detail.disable": "Desativar",
+  "user.detail.disabled": "Desativado",
+  "user.detail.devices": "Dispositivos",
+  "user.detail.edit": "Editar",
+  "user.detail.enable": "Ativar",
+  "user.detail.email": "E-mail",
+  "user.detail.groups": "Grupos",
+  "user.detail.groups.join": "Aderir",
+  "user.detail.info": "Detalhes do utilizador",
+  "user.detail.legacyDeviceList.info": "Estes dispositivos foram criados com uma versão antiga do Hub e precisam de ser atualizados para desbloquear os cofres em versões futuras.",
+  "user.detail.name": "Nome:",
+  "user.detail.roles": "Funções",
+  "user.detail.username": "Nome de utilizador",
+  "user.addGroups.title": "Adicionar grupos",
+  "user.addGroups.searchLabel": "Pesquisar pelo nome do grupo",
+  "user.addGroups.selectedGroups": "Grupo(s) selecionado(s)",
+  "userEditCreate.title.create": "Criar um novo utilizador",
+  "userEditCreate.title.edit": "Editar utilizador",
+  "userEditCreate.button.create": "Criar utilizador",
+  "userEditCreate.button.save": "Salvar",
+  "userEditCreate.button.saved": "Guardado!",
+  "userEditCreate.firstName": "Primeiro nome",
+  "userEditCreate.lastName": "Sobrenome",
+  "userEditCreate.username": "Nome de utilizador",
+  "userEditCreate.email": "E-mail",
+  "userEditCreate.roles": "Funções",
+  "userEditCreate.selectRolesPlaceholder": "Selecione a(s) função(ões)",
+  "userEditCreate.password": "Senha",
+  "userEditCreate.passwordConfirm": "Confirmar palavra-passe",
+  "userEditCreate.create.passwordInfo": "Esta é uma palavra-passe temporária. O utilizador deve alterá-la no primeiro acesso.",
+  "userEditCreate.edit.passwordInfo": "Deixe os campos da palavra-passe em branco se não quiser redefinir a palavra-passe do utilizador.",
+  "userEditCreate.removePicture": "Remover imagem",
+  "userEditCreate.passwordStrong": "Forte",
+  "userEditCreate.passwordMedium": "Médio",
+  "userEditCreate.passwordWeak": "Fraca",
+  "userEditCreate.passwordsMatch": "As palavras-passe correspondem",
+  "userEditCreate.passwordsDontMatch": "As palavras-passe não correspondem",
+  "userEditCreate.profilePictureUrl": "URL da imagem de perfil",
+  "userEditCreate.showPassword": "Mostrar palavra-passe",
+  "userEditCreate.hidePassword": "Esconder palavra-passe",
+  "userEditCreate.invalidEmail": "Formato de e-mail inválido",
+  "userEditCreate.invalidImageUrl": "URL da imagem inválido",
+  "userEditCreate.validation.required": "Este campo é obrigatório",
+  "userEditCreate.validation.passwordMismatch": "As palavras-passe não correspondem",
+  "userEditCreate.error.userAlreadyExists": "Já existe um utilizador com esse nome.",
+  "userEditCreate.error.emailAlreadyExists": "Já existe um utilizador com este endereço de e-mail.",
+  "userList.edit.user.button": "Editar",
+  "userList.userName": "Nome:",
+  "userList.groups.count": "Grupos",
+  "userList.device.count": "Dispositivos",
+  "userList.vaults.count": "Cofres",
+  "userList.user.created": "Criado em",
+  "userList.profileImage": "Imagem de perfil",
+  "userList.create.button": "Criar utilizador",
+  "userList.disabled": "Desativado",
   "userProfile.title": "Perfil",
   "userProfile.actions.manageAccount": "Gerir conta",
   "userProfile.actions.changeLanguage": "Alterar idioma",
   "userProfile.actions.changeLanguage.entry.browser": "Idioma do navegador",
   "userProfile.keycloakVersion.notAvailable": "versão não disponível",
+  "unlock.noAccessVaultArchived.title": "O cofre está arquivado",
+  "unlock.noAccessVaultArchived.description": "Este cofre foi arquivado e não está mais acessível. Por favor, contacte o proprietário do cofre.",
   "unlockSuccess.title": "Cofre desbloqueado com sucesso",
-  "unlockSuccess.description": "Agora pode fechar este separador do navegador e voltar ao Cryptomator.",
+  "unlockSuccess.description": "Agora pode fechar este separador do navegador e voltar ao Katta.",
   "unlockSuccess.accountSetup.title": "Configuração necessária",
   "unlockSuccess.accountSetup.description": "Conclua a configuração da sua conta e recupere a chave da sua conta.",
   "unlockSuccess.accountSetup.goToSetup": "Concluir configuração",
   "unlockSuccess.deviceSetup.title": "Novo dispositivo",
-  "unlockSuccess.deviceSetup.description": "Por favor, introduza a chave da sua conta no Cryptomator para a autorizar.",
+  "unlockSuccess.deviceSetup.description": "Por favor, introduza a chave da sua conta no Katta para a autorizar.",
   "unlockSuccess.deviceSetup.goToProfile": "Ver a chave da conta no meu perfil",
   "unlockSuccess.noVaultAccess.title": "Sem acesso a este cofre",
   "unlockSuccess.noVaultAccess.description": "Entre em contacto com o proprietário do cofre para o adicionar como membro do cofre.",
@@ -269,7 +512,9 @@
   "vaultDetails.actions.reactivateVault": "Reativar cofre",
   "vaultDetails.actions.claimOwnership": "Reivindicar a propriedade",
   "vaultDetails.actions.recoverVault": "Recuperar acesso ao cofre",
-  "vaultDetails.error.licenseViolated": "A sua licença do Cryptomator Hub expirou ou excedeu o número de licenças. Informe um administrador do Hub para renovar ou atualizar a licença.",
+  "vaultDetails.emergencyAccess.setupCouncil": "Configurar conselho para acesso de emergência",
+  "vaultDetails.emergencyAccess.fixCouncil": "Corrigir conselho de acesso de emergência",
+  "vaultDetails.error.licenseViolated": "A sua licença do Katta expirou ou excedeu o número de licenças. Informe um administrador do Katta para renovar ou atualizar a licença.",
   "vaultDetails.recoverVault.title": "Redefiniu a sua conta!",
   "vaultDetails.recoverVault.description": "Para recuperar o acesso ao cofre, deve restaurar o seu acesso utilizando a chave de recuperação ou outro proprietário deve atualizar as permissões de acesso.",
   "vaultList.title": "Cofres",
@@ -288,5 +533,15 @@
   "vaultList.filter.result.empty.description": "Nenhum resultado utilizando este termo de pesquisa ou filtro.",
   "vaultList.search.placeholder": "Pesquisa…",
   "vaultList.badge.owner": "Proprietário",
-  "vaultList.badge.archived": "Arquivado"
+  "vaultList.badge.archived": "Arquivado",
+  "userList.filter.result.empty.title": "Sem utilizadores",
+  "userList.filter.result.empty.description": "Nenhum resultado utilizando este termo de pesquisa.",
+  "groupList.empty.title": "Sem grupos",
+  "groupList.empty.description": "Não possui nenhum grupo e não é membro de nenhum.",
+  "groupList.filter.result.empty.title": "Sem grupos",
+  "groupList.filter.result.empty.description": "Nenhum resultado utilizando este termo de pesquisa.",
+  "missingEntitlements.title": "Atualização necessária",
+  "missingEntitlements.description": "Este recurso não faz parte da sua licença atual.",
+  "trial.enterpriseFeature.title": "Funcionalidade empresarial",
+  "trial.enterpriseFeature.description": "Esta funcionalidade está disponível permanentemente apenas com uma licença empresarial."
 }
diff --git a/frontend/src/i18n/ro-RO.json b/frontend/src/i18n/ro-RO.json
index fff16f82f..79d1693f7 100644
--- a/frontend/src/i18n/ro-RO.json
+++ b/frontend/src/i18n/ro-RO.json
@@ -5,18 +5,22 @@
   "common.close": "Închide",
   "common.copied": "Copiat!",
   "common.copy": "Copiază",
+  "common.create": "Creează",
   "common.download": "Descarcă",
+  "common.edit": "Editează",
   "common.next": "Următorul",
   "common.previous": "Precedentul",
   "common.refresh": "Împrospătează",
   "common.remove": "Șterge",
   "common.reset": "Resetează",
   "common.retry": "Încercați din nou",
+  "common.save": "Salvează",
   "common.share": "Distribuie",
   "common.show": "Afișează",
   "admin.licenseInfo.manageSubscription": "Administrați-vă abonamentul",
   "admin.webOfTrust.information": "Aflați mai multe.",
   "admin.webOfTrust.save": "Salvează",
+  "admin.emergencyAccess.learnMore": "Aflați mai multe.",
   "auditLog.filter": "Filtru",
   "auditLog.details": "Detalii",
   "auditLog.details.vault.create": "Crează seif",
@@ -26,9 +30,27 @@
   "createVault.showRecoveryKey.submit": "Crează seif",
   "deviceList.deviceName": "Numele dispozitivului",
   "editVaultMetadataDialog.vaultName": "Nume seif",
+  "group.detail.vaults": "Seifuri",
+  "group.detail.name": "Nume",
+  "groupList.name": "Nume",
+  "groupList.edit.group.button": "Editează",
+  "groupList.vaults.count": "Seifuri",
   "legacyDeviceList.description.information": "Aflați mai multe.",
   "legacyDeviceList.deviceName": "Numele dispozitivului",
   "nav.vaults": "Seifuri",
+  "user.detail.disable": "Dezactivează",
+  "user.detail.edit": "Editează",
+  "user.detail.enable": "Activează",
+  "user.detail.name": "Nume",
+  "user.detail.username": "Nume de utilizator",
+  "userEditCreate.button.save": "Salvează",
+  "userEditCreate.username": "Nume de utilizator",
+  "userEditCreate.password": "Parolă",
+  "userEditCreate.passwordStrong": "Puternică",
+  "userEditCreate.passwordWeak": "Slabă",
+  "userList.edit.user.button": "Editează",
+  "userList.userName": "Nume",
+  "userList.vaults.count": "Seifuri",
   "unlockSuccess.deviceSetup.title": "Dispozitiv nou",
   "vaultDetails.actions.updatePermissions.reload": "Reîncărcare",
   "vaultDetails.actions.displayRecoveryKey": "Arată cheia de recuperare",
diff --git a/frontend/src/i18n/ru-RU.json b/frontend/src/i18n/ru-RU.json
index 0c546051a..52ef726d5 100644
--- a/frontend/src/i18n/ru-RU.json
+++ b/frontend/src/i18n/ru-RU.json
@@ -18,10 +18,16 @@
   "common.close": "Закрыть",
   "common.copied": "Скопировано!",
   "common.copy": "Скопировать",
+  "common.create": "Создать",
+  "common.device": "Устройство",
   "common.download": "Скачать",
+  "common.edit": "Изменить",
   "common.hide": "Скрыть",
+  "common.leave": "Выйти",
   "common.loading": "Загрузка…",
   "common.next": "Далее",
+  "common.none": "Нет",
+  "common.nothingFound": "Ничего не найдено",
   "common.optional": "опционально",
   "common.pagination": "Разбивка на страницы",
   "common.previous": "Назад",
@@ -30,6 +36,10 @@
   "common.remove": "Удалить",
   "common.reset": "Сброс",
   "common.retry": "Повторить",
+  "common.save": "Сохранить",
+  "common.saved": "Сохранено!",
+  "common.search.placeholder": "Поиск…",
+  "common.select.placeholder": "Выбрать…",
   "common.share": "Поделиться",
   "common.show": "Показать",
   "common.undo": "Отменить",
@@ -37,12 +47,17 @@
   "common.unsavedChanges": "Несохранённые изменения.",
   "common.update": "Обновить",
   "common.xMembers": "Участников: {0}",
+  "common.actions": "Действия",
+  "common.group": "Группа",
+  "common.member": "Участник",
+  "common.property": "Свойство",
+  "common.value": "Значение",
   "admin.title": "Администратор",
   "admin.serverInfo.title": "Информация о сервере",
-  "admin.serverInfo.description": "ID хаба используется для идентификации вашего экземпляра хаба Cryptomator для вашей лицензии. Для поддержки всегда указывайте отображаемую версию хаба и маскировки ключей.",
-  "admin.serverInfo.hubId.title": "ID хаба",
-  "admin.serverInfo.hubVersion.title": "Версия хаба",
-  "admin.serverInfo.hubVersion.description.upToDate": "Хаб обновлён.",
+  "admin.serverInfo.description": "Katta ID используется для идентификации вашего экземпляра Katta для вашей лицензии. Для поддержки всегда указывайте отображаемую версию Katta и маскировки ключей.",
+  "admin.serverInfo.hubId.title": "Katta ID",
+  "admin.serverInfo.hubVersion.title": "Версия Katta",
+  "admin.serverInfo.hubVersion.description.upToDate": "Katta обновлён.",
   "admin.serverInfo.hubVersion.description.updateExists": "Доступно обновление до версии {0}.",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "Не удается проверить наличие обновления. Сделайте это сами.",
   "admin.serverInfo.keycloakVersion.title": "Версия маскировки ключей",
@@ -62,8 +77,8 @@
   "admin.licenseInfo.manageSubscription": "Управление подпиской",
   "admin.licenseInfo.type.title": "Тип",
   "admin.licenseInfo.getLicense": "Получить лицензию",
-  "admin.licenseInfo.selfHostedNoLicense.description": "Благодарим за использование хаба Cryptomator! Вам предоставлена лицензия Сообщества. Если требуетмя больше мест, обновите лицензию.",
-  "admin.licenseInfo.managedNoLicense.description": "Благодарим за использование хаба Cryptomator! Сейчас у вас нет активной лицензии.",
+  "admin.licenseInfo.selfHostedNoLicense.description": "Благодарим за использование Katta! Вам предоставлена лицензия Сообщества. Если требуетмя больше мест, обновите лицензию.",
+  "admin.licenseInfo.managedNoLicense.description": "Благодарим за использование Katta! Сейчас у вас нет активной лицензии.",
   "admin.webOfTrust.title": "Web of Trust (Интернет доверия)",
   "admin.webOfTrust.description": "Настройка параметров Web of Trust для управления тем, как устанавливается доверие между пользователями в системе. Эти настройки влияют на проверку личности пользователя и подписей ключей.",
   "admin.webOfTrust.information": "Подробнее.",
@@ -75,6 +90,27 @@
   "admin.webOfTrust.wotIdVerifyLen.description": "Количество цифр отпечатка пальца другого пользователя необходимо ввести для подтверждения его личности.",
   "admin.webOfTrust.save": "Сохранить",
   "admin.webOfTrust.saved": "Сохранено!",
+  "admin.emergencyAccess.title": "Экстренный доступ",
+  "admin.emergencyAccess.description": "Настроить разделение ключей для восстановления хранилища.",
+  "admin.emergencyAccess.learnMore": "Подробнее.",
+  "admin.emergencyAccess.noRedundancy.title": "У текущего разделения ключа нет избыточности!",
+  "admin.emergencyAccess.noRedundancy.description": "Настоятельно рекомендуется настраивать больше связок ключей, чем требуется ключей.",
+  "admin.emergencyAccess.enabled.label": "Включено",
+  "admin.emergencyAccess.enabled.help": "Включить экстренный доступ",
+  "admin.emergencyAccess.requiredKeys.label": "Необходимые ключи",
+  "admin.emergencyAccess.requiredKeys.ariaLabel": "Необходимые совместные ключи",
+  "admin.emergencyAccess.requiredKeys.help": "Сколько ключей требуется для восстановления доступа к хранилищу.",
+  "admin.emergencyAccess.keyholders.label": "Связки ключей",
+  "admin.emergencyAccess.keyholders.minSelected": "Необходимый минимум выбранных участников: {0}. Требуемое количество было определено выше.",
+  "admin.emergencyAccess.keyholders.help": "Кто должен получить ключ экстренного доступа.",
+  "admin.emergencyAccess.allowChoosing.label": "Позволить владельцам хранилища выбрать разные связки ключей.",
+  "admin.emergencyAccess.allowChoosing.atLeast": "Не менее:",
+  "admin.emergencyAccess.minMembers.ariaLabel": "Минимум участников",
+  "admin.emergencyAccess.example.help": "Пример, кто может сотрудничать для восстановления хранилища.",
+  "admin.emergencyAccess.validation.maxValue": "Макс. значение {0}.",
+  "admin.emergencyAccess.validation.minValue": "Мин. значение {0}.",
+  "admin.emergencyAccess.validation.minMembersAtLeastRequiredShares": "Должно быть больше или равно требуемым ресурсам ключей.",
+  "admin.emergencyAccess.errors.sharesMustNotExceedMembers": "Требуемое количество ключевых долей не должно превышать минимум участников.",
   "archiveVaultDialog.title": "Архивное хранилище",
   "archiveVaultDialog.description": "Архивирование хранилища делает его неактивным. Это может высвободить занятые места. Архивированное хранилище потом можно снова активировать.",
   "archiveVaultDialog.confirm": "Архивировать",
@@ -86,11 +122,18 @@
   "auditLog.filter.endDate": "Дата окончания",
   "auditLog.filter.selectEventFilter": "Выбрать фильтр событий",
   "auditLog.filter.clerEventFilter": "Очистить фильтр событий",
+  "auditLog.filter.removeEventType": "Удалить {type}",
   "auditLog.timestamp": "Время",
   "auditLog.type": "Событие",
   "auditLog.details": "Подробно",
   "auditLog.details.device.register": "Регистрация устройства",
   "auditLog.details.device.remove": "Удалить устройство",
+  "auditLog.details.emergencyaccess.setup": "Экстренный доступ",
+  "auditLog.details.emergencyaccess.settingsUpdated": "Настройки экстренного доступа обновлены",
+  "auditLog.details.emergencyaccess.recoveryStarted": "Восстановление экстренного доступа начато",
+  "auditLog.details.emergencyaccess.recoveryApproved": "Восстановление экстренного доступа одобрено",
+  "auditLog.details.emergencyaccess.recoveryCompleted": "Восстановление экстренного доступа завершено",
+  "auditLog.details.emergencyaccess.recoveryAborted": "Восстановление экстренного доступа отменено",
   "auditLog.details.setting.wot.update": "Обновить настройки Wot",
   "auditLog.details.user.account.reset": "Сбросить аккаунт",
   "auditLog.details.user.keys.change": "Изменение пользовательских ключей",
@@ -123,6 +166,9 @@
   "createVault.enterVaultDetails.description": "Введите имя и описание для нового хранилища. Позже их можно будет изменить.",
   "createVault.enterVaultDetails.vaultName": "Имя хранилища",
   "createVault.enterVaultDetails.vaultDescription": "Описание",
+  "createVault.emergencyAccessDetails.title": "Определить условия экстренного доступа",
+  "createVault.emergencyAccessDetails.description": "Выберите членов для экстренного доступа.",
+  "createVault.emergencyAccessDetails.description.adminDefined": "Состав членов экстренного доступа определяется администратором и не может быть изменён здесь.",
   "createVault.showRecoveryKey.title": "Ключ восстановления",
   "createVault.showRecoveryKey.description": "Для восстановления доступа к хранилищу используйте следующий ключ.",
   "createVault.showRecoveryKey.recoveryKey": "Ключ восстановления вашего хранилища",
@@ -133,13 +179,22 @@
   "createVault.error.invalidRecoveryKey": "Неверный ключ восстановления.",
   "createVault.error.vaultAlreadyExists": "Хранилище с таким именем уже существует.",
   "createVault.error.downloadTemplateFailed": "Ошибка загрузки шаблона хранилища: {0}",
-  "createVault.error.paymentRequired": "Ваша лицензия на хаб Cryptomator превысила количество доступных мест, либо истёк срок её действия. Сообщите администратору хаба о необходимости обновить или продлить лицензию.",
+  "createVault.error.paymentRequired": "Ваша лицензия на Katta превысила количество доступных мест, либо истёк срок её действия. Сообщите администратору Katta о необходимости обновить или продлить лицензию.",
   "createVault.success.title": "Хранилище создано",
   "createVault.success.description": "После загрузки архива папки хранилища распакуйте её в любое место, доступное членам вашей команды.",
   "createVault.success.download": "Скачать папку с хранилищем",
   "createVault.success.return": "Вернуться к списку хранилищ",
+  "deleteGroupDialog.title": "Удалить группу",
+  "deleteGroupDialog.description": "Вы действительно хотите удалить эту группу? Она будет удалена из всех связанных хранилищ. Это действие не может быть отменено.",
+  "deleteGroupDialog.confirm": "Да, удалить группу",
+  "disableUserDialog.title": "Отключить пользователя",
+  "disableUserDialog.description": "Этот пользователь больше не сможет войти и будет исключён из количества мест. Вы можете повторно включить пользователя в любое время.",
+  "disableUserDialog.confirm": "Отключить пользователя",
+  "deleteUserDialog.title": "Удалить учетную запись",
+  "deleteUserDialog.description": "Вы дейтствительно хотите удалить этого пользователя? Все связанные хранилища и устройства будут удалены. Это действие нельзя отменить.",
+  "deleteUserDialog.confirm": "Да, удалить пользователя",
   "deviceList.empty.message": "Нет устройств",
-  "deviceList.empty.description": "Чтобы добавить устройство, добавьте хранилище из этого хаба в приложение Cryptomator на устройстве и разблокируйте его.",
+  "deviceList.empty.description": "Чтобы добавить устройство, добавьте хранилище из Katta в приложение Katta на устройстве и разблокируйте его.",
   "deviceList.title": "Авторизованные устройства и браузеры",
   "deviceList.deviceName": "Имя устройства",
   "deviceList.type": "Тип",
@@ -148,8 +203,89 @@
   "deviceList.ipAddress": "IP-адрес",
   "deviceList.lastAccess": "Доступ к последнему хранилищу",
   "deviceList.lastAccess.toolTip": "Может отсутствовать для устройств с более старыми версиями.",
+  "deviceType.browser": "Браузер",
+  "deviceType.desktop": "Рабочий стол",
+  "deviceType.mobile": "Смартфон",
   "downloadVaultTemplateDialog.title": "Скачать шаблон хранилища",
   "downloadVaultTemplateDialog.description": "Загрузите и распакуйте сжатый шаблон хранилища в любое место, совместно используемое членами вашей команды. Это требуется только один раз при начальной установке.",
+  "emergencyAccess.requiredKeyShares": "Необходимые совместные ключи",
+  "emergencyAccess.processCouncil": "Совет по процессу",
+  "emergencyAccess.status.added": "Добавлено",
+  "emergencyAccess.status.pending": "Ожидание",
+  "emergencyAccess.startProcess": "Старт процесса",
+  "emergencyAccess.notPossible": "Невозможно",
+  "emergencyAccess.vaultCouncil": "Совет по хранилищу",
+  "emergencyAccess.noRedundancy": "Без избыточности",
+  "emergencyAccess.label.councilMembers": "Члены совета",
+  "emergencyAccess.label.newCouncilMembers": "Новые члены совета",
+  "emergencyAccess.label.owners": "Владельцы",
+  "emergencyAccess.label.members": "Участники",
+  "emergencyAccess.label.removed": "Удалено",
+  "emergencyAccess.label.possibleScenario": "Возможный сценарий чрезвычайных ситуаций",
+  "emergencyAccess.label.exampleRecovery": "Пример восстановления",
+  "emergencyAccess.validation.selectMoreCouncilMembers": "Выберите больше членов совета хотя бы на {0}.",
+  "emergencyAccess.validation.minimumMembers": "Должно быть выбрано участников не менее {0}.",
+  "emergencyAccess.approval.waitingOthers": "Ожидание других одобрений",
+  "emergencyAccess.approval.showDetails": "Подробнее",
+  "emergencyAccess.approval.completeNow": "Завершить",
+  "emergencyAccess.approval.approveNow": "Одобрить",
+  "emergencyAccess.processType.changePermissions": "Выбрать участников хранилища",
+  "emergencyAccess.processType.changeCouncil": "Изменить совет чрезвычайного доступа",
+  "emergencyAccess.filter.all": "Все",
+  "emergencyAccess.filter.approvable": "Одобряемый",
+  "emergencyAccess.filter.approved": "Одобрено",
+  "emergencyAccess.filter.startable": "Стартовый",
+  "emergencyAccess.empty.disabled": "Экстренный доступ отключён.",
+  "emergencyAccess.empty.noneFound": "Хранилищ экстренного доступа не найдено",
+  "emergencyAccess.licenseRequired.message": "Экстренный доступ поддерживается только в платной лицензии.",
+  "emergencyAccess.licenseRequired.adminHint": "Вы можете получить его в административном разделе.",
+  "emergencyAccess.badge.notCouncil.title": "Больше нет членов совета по хранилищу",
+  "emergencyAccess.badge.notCouncil.message": "Вы больше не принимаете участия в аварийном совете хранилища. Но вы всё ещё являетесь частью процесса экстренного доступа.",
+  "emergencyAccess.badge.insufficientCouncilMembers.title": "Недостаточный экстренный доступ",
+  "emergencyAccess.badge.insufficientCouncilMembers.message": "Политика вашей команды требует совета экстренного доступа, минимум участников: {0}. Хранилище сейчас не отвечает этому требованию.",
+  "emergencyAccess.badge.broken.title": "Экстренный доступ повреждён",
+  "emergencyAccess.badge.broken.message": "Экстренный доступ невозможен. Один или несколько членов совета выполнили сброс учётной записи и потеряли свои общие ключи.",
+  "emergencyAccess.badge.noRedundancy.title": "Без избыточности",
+  "emergencyAccess.badge.noRedundancy.message": "У этого совета по чрезвычайному доступу нет избыточности. Следует назначить совет с избыточностью.",
+  "emergencyAccessDialog.message.completed": "Процесс успешно завершён.",
+  "emergencyAccessDialog.label.selectOwner": "Выберите пользователя с ролью владельца",
+  "emergencyAccessDialog.label.selectMember": "Выберите пользователя с ролью участника",
+  "emergencyAccessDialog.label.councilMembersAtLeast": "Члены совета (не менее {0})",
+  "emergencyAccessDialog.section.ownership": "Владелец",
+  "emergencyAccessDialog.section.councilChange": "Смена совета",
+  "emergencyAccessDialog.hint.finishProcess": "Вы можете закончить процесс экстренного доступа, добавив последний ресурс и заполнив его.",
+  "emergencyAccessDialog.hint.keyShareAdded": "Ваш общий ключ уже добавлен.",
+  "emergencyAccessDialog.hint.notInCouncil": "Вы не входите в совет для этого процесса и не можете добавить ключевой ресурс.",
+  "emergencyAccessDialog.action.abortProcess": "Прервать этот процесс",
+  "emergencyAccessDialog.action.start": "Пуск",
+  "emergencyAccessDialog.action.approve": "Утвердить",
+  "emergencyAccessDialog.action.completeProcess": "Завершить процесс",
+  "emergencyAccessDialog.title.success": "Готово",
+  "emergencyAccessDialog.title.changeCouncil": "Изменить совет",
+  "emergencyAccessDialog.title.changePermissions": "Изменить права доступа к хранилищу",
+  "emergencyAccessDialog.title.processDetails": "Подробности процесса",
+  "emergencyAccessDialog.title.approved": "Одобрено",
+  "emergencyAccessDialog.title.approveEmergencyAccess": "Одобрить экстренный доступ",
+  "emergencyAccessDialog.title.completeEmergencyAccess": "Завершить экстренный доступ",
+  "emergencyAccessDialog.error.insufficientCouncilMembers": "Несовместимые данные: недостаточно членов совета ({0}) для восстановления этого хранилища ({1}).",
+  "emergencyAccessDialog.error.noProcessToApprove": "Нет процесса восстановления для утверждения.",
+  "emergencyAccessDialog.error.processTampered": "Процесс восстановления был подделан.",
+  "emergencyAccessDialog.error.noProcessToComplete": "Нет процесса восстановления для завершения.",
+  "emergencyAccessDialog.error.unsupportedProcessType": "Неподдерживаемое состояние для типа процесса восстановления: {0}",
+  "grantEmergencyAccessDialog.title": "Предоставить экстренный доступ",
+  "grantEmergencyAccessDialog.description.selectCouncil": "Выберите членов совета для предоставления экстренного доступа к этому хранилищу.",
+  "grantEmergencyAccessDialog.description.default": "Предоставить экстренный доступ для этого хранилища.",
+  "grantEmergencyAccessDialog.grant": "Предоставить",
+  "grantEmergencyAccessDialog.error.keySharesRequired": "Требуется не менее двух экстренных ключей.",
+  "grantEmergencyAccessDialog.error.councilMembersRequired": "Требуется не менее двух членов совета.",
+  "grantEmergencyAccessDialog.error.tooFewCouncilMembers": "Слишком мало членов совета. Добавьте больше или меньше необходимых частей экстренных ключей.",
+  "processAbortDialog.title": "Прервать этот процесс",
+  "processAbortDialog.description": "Вы действительно хотите прервать экстренный доступ? Это действие нельзя отменить.",
+  "processAbortDialog.confirm": "Прервать процесс",
+  "recoveryDialog.error.invalidRecoveryType": "Недопустимый тип процесса восстановления.",
+  "recoveryDialog.error.processAlreadyExists": "Процесс восстановления этого типа уже существует.",
+  "recoveryDialog.error.noOwnerSelected": "Выберите хотя бы одного владельца.",
+  "recoveryDialog.error.notEnoughCouncilMembers": "Выбрано недостаточно членов совета.",
   "editVaultMetadataDialog.title": "Редактировать метаданные хранилища",
   "editVaultMetadataDialog.description": "Обновить имя и описание хранилища.",
   "editVaultMetadataDialog.vaultName": "Имя хранилища",
@@ -159,6 +295,47 @@
   "grantPermissionDialog.title": "Предоставить разрешение",
   "grantPermissionDialog.description": "Поделиться ключами с недавно добавленными пользователями.",
   "grantPermissionDialog.submit": "Предоставить разрешение пользователям ({0})",
+  "groups.title": "Группы",
+  "group.detail.info": "Детали группы",
+  "group.detail.members": "Участники",
+  "group.detail.vaults": "Хранилища",
+  "group.detail.edit": "Изменить группу",
+  "group.detail.add.member": "Добавить участника",
+  "group.detail.name": "Имя",
+  "group.detail.createdOn": "Создано",
+  "group.detail.roles": "Роли",
+  "groupList.name": "Имя",
+  "groupList.members.count": "Пользователи",
+  "groupList.edit.group.button": "Изменить",
+  "groupList.search.placeholder": "Поиск…",
+  "groupList.groupImage": "Изображение группы",
+  "groupList.vaults.count": "Хранилища",
+  "groupList.create.button": "Создать группу",
+  "groupList.group.created": "Создано",
+  "group.members.add": "Добавить участников",
+  "group.members.search.empty": "Ничего не найдено",
+  "group.addMembers.title": "Добавить участников",
+  "group.addMembers.searchLabel": "Поиск по имени пользователя или полному имени",
+  "group.addMembers.selectedUser": "Выбранные пользователи",
+  "group.member.remove.title": "Удалить из группы",
+  "group.member.remove.description": "Вы действительно хотите удалить этого пользователя из группы?",
+  "group.member.remove.confirm": "Да, удалить из группы",
+  "groupEditCreate.title.create": "Создать новую группу",
+  "groupEditCreate.title.edit": "Редактирование группы",
+  "groupEditCreate.profileImage": "Изображение профиля",
+  "groupEditCreate.role": "Роль",
+  "groupEditCreate.removePicture": "Удалить картинку",
+  "groupEditCreate.addPicture": "Добавить картинку",
+  "groupEditCreate.name": "Имя группы",
+  "groupEditCreate.roles": "Роли",
+  "groupEditCreate.validation.required": "Это поле обязательно",
+  "groupEditCreate.roles.remove": "Удалить роли",
+  "groupEditCreate.roles.choose": "Выбрать роли",
+  "groupEditCreate.roles.addMore": "Добавить ещё",
+  "groupEditCreate.invalidImageUrl": "Неверный URL изображения",
+  "groupEditCreate.profilePictureUrl": "URL изображения профиля",
+  "groupEditCreate.selectRolesPlaceholder": "Выберите роли",
+  "groupEditCreate.error.groupNameAlreadyExists": "Группа с таким именем уже существует.",
   "trustDetails.trustLevel": "Уровень доверия {0}",
   "trustDetails.trustLevel.untrusted": "Непроверенный",
   "trustDetails.showSignDialogBtn": "Проверить личность...",
@@ -166,7 +343,7 @@
   "signUserKeysDialog.title": "Проверка личности {0}",
   "signUserKeysDialog.description": "Введите первые {0} симв. отпечатка пальца {1} для подтверждения подлинности их открытых ключей. Отпечаток пальца находится в профиле пользователя.",
   "signUserKeysDialog.submit": "Подтвердите личность пользователя",
-  "initialSetup.createUserKey.title": "Вас приветствует хаб Cryptomator",
+  "initialSetup.createUserKey.title": "Вас приветствует Katta",
   "initialSetup.createUserKey.description": "При первом входе каждый пользователь получает уникальный ключ аккаунта:",
   "initialSetup.createUserKey.details.accountKey": "Ключ вашего аккаунта необходим для входа из других приложений или браузеров",
   "initialSetup.createUserKey.details.devicesList": "Список авторизованных приложений находится на странице вашего профиля",
@@ -182,19 +359,19 @@
   "initialSetup.recoverUserKey.lostAccountKey": "Потеряли ключ учётной записи? {0}",
   "initialSetup.recoverUserKey.lostAccountKey.resetUserAccount": "Сбросить мой аккаунт",
   "initialSetup.setupAlreadyCompleted.title": "Настройка уже завершена",
-  "initialSetup.setupAlreadyCompleted.description": "Вы уже завершили первоначальную настройку хаба Cryptomator. Ключ аккаунта находится в вашем профиле.",
+  "initialSetup.setupAlreadyCompleted.description": "Вы уже завершили первоначальную настройку Katta. Ключ аккаунта находится в вашем профиле.",
   "initialSetup.setupAlreadyCompleted.goToYourProfile": "Перейти в профиль",
   "initialSetup.accountKey": "Ключ аккаунта",
   "initialSetup.submit": "Завершить настройку",
   "licenseAlert.noRemainingSeats.title": "Срок действия лицензии истёк",
-  "licenseAlert.noRemainingSeats.admin.description": "Экземпляр вашего хаба Cryptomator превысил количество лицензированных мест. Обновите его на {0} для управления и разблокировки хранилищ.",
-  "licenseAlert.noRemainingSeats.user.description": "Ваш экземпляр Cryptomator превысил количество лицензированных мест. Сообщите администратору хаба о необходимости обновить лицензию.",
+  "licenseAlert.noRemainingSeats.admin.description": "Экземпляр вашей Katta превысил количество лицензированных мест. Обновите его на {0} для управления и разблокировки хранилищ.",
+  "licenseAlert.noRemainingSeats.user.description": "Ваш экземпляр Katta превысил количество лицензированных мест. Сообщите администратору Katta о необходимости обновить лицензию.",
   "licenseAlert.licenseExpired.title": "Срок действия лицензии истёк",
-  "licenseAlert.licenseExpired.admin.description": "Срок действия вашей лицензии на хаб Cryptomator истёк. Обновите её в {0} , чтобы снова управлять и разблокировать хранилища.",
-  "licenseAlert.licenseExpired.user.description": "Срок действия вашей лицензии на хаб Cryptomator истёк. Сообщите администратору хаба о необходимости продлить лицензию.",
+  "licenseAlert.licenseExpired.admin.description": "Срок действия вашей лицензии на Katta истёк. Обновите её в {0} , чтобы снова управлять и разблокировать хранилища.",
+  "licenseAlert.licenseExpired.user.description": "Срок действия вашей лицензии на Katta истёк. Сообщите администратору Katta о необходимости продлить лицензию.",
   "licenseAlert.button": "Раздел администрирования",
   "legacyDeviceList.title": "Устаревшие устройства",
-  "legacyDeviceList.description": "Эти устройства были созданы с более старой версией хаба и нуждаются в обновлении, чтобы хранилища можно было разблокировать в будущих версиях. Если они вам больше не нужны, то удалите их. Иначе обновите Cryptomator на этом устройстве. При следующей разблокировке обновление запустится автоматически.",
+  "legacyDeviceList.description": "Эти устройства были созданы с более старой версией Katta и нуждаются в обновлении, чтобы хранилища можно было разблокировать в будущих версиях. Если они вам больше не нужны, то удалите их. Иначе обновите Katta на этом устройстве. При следующей разблокировке обновление запустится автоматически.",
   "legacyDeviceList.description.information": "Подробнее.",
   "legacyDeviceList.deviceName": "Имя устройства",
   "legacyDeviceList.type": "Тип",
@@ -203,15 +380,22 @@
   "legacyDeviceList.ipAddress": "IP-адрес",
   "legacyDeviceList.lastAccess": "Доступ к последнему хранилищу",
   "legacyDeviceList.lastAccess.toolTip": "Может отсутствовать для устройств с более старыми версиями.",
+  "legacyDeviceBanner.title": "Устаревшие устройства будут удалены",
+  "legacyDeviceBanner.user.description": "Ваши устаревшие устройства больше не будут поддерживаться в следующей основной версии. Обновите Cryptomator на этих устройствах или удалите их.",
+  "legacyDeviceBanner.admin.description": "У некоторых пользователей до сих пор устаревшие устройства. Такие устройства в следующей основной версии не будут поддерживаться. Попросите этих пользователей обновить Cryptomator или удалить их устаревшие устройства.",
   "manageAccountKey.title": "Ключ аккаунта",
   "manageAccountKey.description": "Ключ вашего аккаунта необходим для входа из других приложений или браузеров.",
   "manageAccountKey.regenerate": "Создать ключ заново",
   "nav.vaults": "Хранилища",
+  "nav.emergencyAccess": "Экстренный доступ",
   "nav.profile.signedInAs": "Выполнен вход как",
   "nav.profile.profile": "Ваш профиль",
   "nav.profile.admin": "Администратор",
   "nav.profile.auditlog": "Журналы аудита",
   "nav.profile.signOut": "Выйти",
+  "nav.authority": "Пользователи и группы",
+  "nav.groups": "Группы",
+  "nav.users": "Пользователи",
   "nav.mobileMenu": "Открыть главное меню",
   "reactivateVaultDialog.title": "Реактивировать хранилище",
   "reactivateVaultDialog.description": "ВНИМАНИЕ: Повторная активация хранилища может повлиять на количество имеющихся мест. Если это количество превышено, разблокировка всех хранилищ будет невозможна.",
@@ -235,18 +419,77 @@
   "resetUserAccountDialog.submit": "Сбросить аккаунт",
   "userkeyFingerprint.title": "Отпечаток пользовательского ключа",
   "userkeyFingerprint.description": "Отпечаток пользовательского ключа может быть использован для подтверждения вашей личности при обновлении разрешения хранилища.",
+  "users.title": "Пользователи",
+  "user.detail.createdOn": "Создано",
+  "user.detail.disable": "Выкл.",
+  "user.detail.disabled": "Отключён",
+  "user.detail.devices": "Устройства",
+  "user.detail.edit": "Изменить",
+  "user.detail.enable": "Вкл.",
+  "user.detail.email": "Почта",
+  "user.detail.groups": "Группы",
+  "user.detail.groups.join": "Присоединиться",
+  "user.detail.info": "Данные пользователя",
+  "user.detail.legacyDeviceList.info": "Эти устройства были созданы с более старой версией хаба и нуждаются в обновлении, чтобы разблокировать хранилища в будущих версиях.",
+  "user.detail.name": "Имя",
+  "user.detail.roles": "Роли",
+  "user.detail.username": "Логин",
+  "user.addGroups.title": "Добавить группы",
+  "user.addGroups.searchLabel": "Поиск по имени группы",
+  "user.addGroups.selectedGroups": "Выбранные группы",
+  "userEditCreate.title.create": "Создать нового пользователя",
+  "userEditCreate.title.edit": "Изменить пользователя",
+  "userEditCreate.button.create": "Создать пользователя",
+  "userEditCreate.button.save": "Сохранить",
+  "userEditCreate.button.saved": "Сохранено!",
+  "userEditCreate.firstName": "Имя",
+  "userEditCreate.lastName": "Фамилия",
+  "userEditCreate.username": "Логин",
+  "userEditCreate.email": "Почта",
+  "userEditCreate.roles": "Роли",
+  "userEditCreate.selectRolesPlaceholder": "Выберите роли",
+  "userEditCreate.password": "Пароль",
+  "userEditCreate.passwordConfirm": "Подтвердите пароль",
+  "userEditCreate.create.passwordInfo": "Это временный пароль. Пользователь должен изменить его при первом входе в систему.",
+  "userEditCreate.edit.passwordInfo": "Если вы не хотите сбросить пароль пользователя, оставьте поля пароля пустыми.",
+  "userEditCreate.removePicture": "Удалить картинку",
+  "userEditCreate.passwordStrong": "Сильный",
+  "userEditCreate.passwordMedium": "Средний",
+  "userEditCreate.passwordWeak": "Слабый",
+  "userEditCreate.passwordsMatch": "Пароли совпадают",
+  "userEditCreate.passwordsDontMatch": "Пароли не совпадают",
+  "userEditCreate.profilePictureUrl": "URL изображения профиля",
+  "userEditCreate.showPassword": "Показать пароль",
+  "userEditCreate.hidePassword": "Скрыть пароль",
+  "userEditCreate.invalidEmail": "Неверный формат адреса электронной почты",
+  "userEditCreate.invalidImageUrl": "Неверный URL изображения",
+  "userEditCreate.validation.required": "Это поле обязательно",
+  "userEditCreate.validation.passwordMismatch": "Пароли не совпадают",
+  "userEditCreate.error.userAlreadyExists": "Пользователь с таким именем уже существует.",
+  "userEditCreate.error.emailAlreadyExists": "Пользователь с такой почтой уже существует.",
+  "userList.edit.user.button": "Изменить",
+  "userList.userName": "Имя",
+  "userList.groups.count": "Группы",
+  "userList.device.count": "Устройства",
+  "userList.vaults.count": "Хранилища",
+  "userList.user.created": "Создано",
+  "userList.profileImage": "Изображение профиля",
+  "userList.create.button": "Создать пользователя",
+  "userList.disabled": "Отключён",
   "userProfile.title": "Профиль",
   "userProfile.actions.manageAccount": "Управление аккаунтом",
   "userProfile.actions.changeLanguage": "Изменить язык",
   "userProfile.actions.changeLanguage.entry.browser": "Язык браузера",
   "userProfile.keycloakVersion.notAvailable": "версия недоступна",
+  "unlock.noAccessVaultArchived.title": "Хранилище заархивировано",
+  "unlock.noAccessVaultArchived.description": "Это хранилище было заархивировано и больше недоступно. Свяжитесь с владельцем хранилища.",
   "unlockSuccess.title": "Хранилище разблокировано",
-  "unlockSuccess.description": "Теперь можно закрыть вкладку браузера и вернуться в Cryptomator.",
+  "unlockSuccess.description": "Теперь можно закрыть вкладку браузера и вернуться в Katta.",
   "unlockSuccess.accountSetup.title": "Требуется настройка",
   "unlockSuccess.accountSetup.description": "Завершите настройку аккаунта и получите ключ для него.",
   "unlockSuccess.accountSetup.goToSetup": "Завершить настройку",
   "unlockSuccess.deviceSetup.title": "Новое устройство",
-  "unlockSuccess.deviceSetup.description": "Введите ключ аккаунта в Cryptomator для авторизации.",
+  "unlockSuccess.deviceSetup.description": "Введите ключ аккаунта в Katta для авторизации.",
   "unlockSuccess.deviceSetup.goToProfile": "Показать ключ аккаунта в моём профиле",
   "unlockSuccess.noVaultAccess.title": "Нет доступа к этому хранилищу",
   "unlockSuccess.noVaultAccess.description": "Свяжитесь с владельцем хранилища, чтобы он добавил вас как его участника.",
@@ -269,7 +512,9 @@
   "vaultDetails.actions.reactivateVault": "Реактивировать хранилище",
   "vaultDetails.actions.claimOwnership": "Заявить о собственности",
   "vaultDetails.actions.recoverVault": "Восстановить доступ к хранилищу",
-  "vaultDetails.error.licenseViolated": "Срок действия лицензии на использование хаба Cryptomator истёк, либо превышено количество лицензионных мест. Сообщите администратору хаба о необходимости продлить или обновить лицензию.",
+  "vaultDetails.emergencyAccess.setupCouncil": "Настроить совет чрезвычайного доступа",
+  "vaultDetails.emergencyAccess.fixCouncil": "Исправить совет чрезвычайного доступа",
+  "vaultDetails.error.licenseViolated": "Срок действия лицензии на использование Katta истёк, либо превышено количество лицензионных мест. Сообщите администратору Katta о необходимости продлить или обновить лицензию.",
   "vaultDetails.recoverVault.title": "Вы сбросили свой аккаунт!",
   "vaultDetails.recoverVault.description": "Чтобы восстановить доступ к хранилищу, необходимо использовать ключ восстановления, либо другой владелец должен обновить права доступа.",
   "vaultList.title": "Хранилища",
@@ -288,5 +533,15 @@
   "vaultList.filter.result.empty.description": "Нет результатов с использованием этого слова или фильтра поиска.",
   "vaultList.search.placeholder": "Поиск…",
   "vaultList.badge.owner": "Владелец",
-  "vaultList.badge.archived": "В архиве"
+  "vaultList.badge.archived": "В архиве",
+  "userList.filter.result.empty.title": "Нет пользователей",
+  "userList.filter.result.empty.description": "Ничего не найдено.",
+  "groupList.empty.title": "Нет групп",
+  "groupList.empty.description": "Вы не владеете никакими группами и не состоите ни в какой группе.",
+  "groupList.filter.result.empty.title": "Нет групп",
+  "groupList.filter.result.empty.description": "Ничего не найдено.",
+  "missingEntitlements.title": "Необходимо обновление",
+  "missingEntitlements.description": "Эта функция не входит в вашу лицензию.",
+  "trial.enterpriseFeature.title": "Enterprise-функция",
+  "trial.enterpriseFeature.description": "Эта функция доступна только на постоянной основе с корпоративной лицензией."
 }
diff --git a/frontend/src/i18n/sk-SK.json b/frontend/src/i18n/sk-SK.json
index 1ce2b5f1a..62d00e742 100644
--- a/frontend/src/i18n/sk-SK.json
+++ b/frontend/src/i18n/sk-SK.json
@@ -18,10 +18,16 @@
   "common.close": "Zavrieť",
   "common.copied": "Skopírované!",
   "common.copy": "Kopírovať",
+  "common.create": "Vytvoriť",
+  "common.device": "Zariadenie",
   "common.download": "Stiahnuť",
+  "common.edit": "Upraviť",
   "common.hide": "Skryť",
+  "common.leave": "Odísť",
   "common.loading": "Načítavam…",
   "common.next": "Ďalej",
+  "common.none": "Žiadny",
+  "common.nothingFound": "Nič sa nenašlo",
   "common.optional": "voliteľné",
   "common.pagination": "Stránkovanie",
   "common.previous": "Predošlý",
@@ -30,6 +36,10 @@
   "common.remove": "Odstrániť",
   "common.reset": "Resetovať",
   "common.retry": "Skúsiť znovu",
+  "common.save": "Uložiť",
+  "common.saved": "Uložené!",
+  "common.search.placeholder": "Hľadať...",
+  "common.select.placeholder": "Vybrať...",
   "common.share": "Zdieľať",
   "common.show": "Zobraziť",
   "common.undo": "Vrátiť späť",
@@ -37,10 +47,15 @@
   "common.unsavedChanges": "Neuložené zmeny.",
   "common.update": "Aktualizácia",
   "common.xMembers": "{0} Členov",
+  "common.actions": "Akcie",
+  "common.group": "Skupina",
+  "common.member": "Člen",
+  "common.property": "Majetok",
+  "common.value": "Hodnota",
   "admin.title": "Administrátor",
   "admin.serverInfo.title": "Informácie o serveri",
-  "admin.serverInfo.hubId.title": "Hub ID",
-  "admin.serverInfo.hubVersion.description.upToDate": "Hub je aktuálny.",
+  "admin.serverInfo.hubId.title": "Katta ID",
+  "admin.serverInfo.hubVersion.description.upToDate": "Katta je aktuálny.",
   "admin.serverInfo.keycloakVersion.notAvailable": "nie je k dispozícii",
   "admin.licenseInfo.title": "Informácie o licencii",
   "admin.licenseInfo.email.title": "Licencované na",
@@ -53,6 +68,9 @@
   "admin.webOfTrust.information": "Dozvedieť sa viac.",
   "admin.webOfTrust.save": "Uložiť",
   "admin.webOfTrust.saved": "Uložené!",
+  "admin.emergencyAccess.title": "Núdzový prístup",
+  "admin.emergencyAccess.learnMore": "Dozvedieť sa viac.",
+  "admin.emergencyAccess.enabled.label": "Povolené",
   "archiveVaultDialog.confirm": "Archivovať",
   "auditLog.order.ascending": "Vzostupne",
   "auditLog.order.descending": "Zostupne",
@@ -66,9 +84,11 @@
   "auditLog.details": "Podrobnosti",
   "auditLog.details.device.register": "Zaregistrovať zariadenie",
   "auditLog.details.device.remove": "Odstrániť zariadenie",
+  "auditLog.details.user.account.reset": "Inicializovať užívateľský účet",
   "auditLog.details.vault.create": "Vytvoriť trezor",
   "auditLog.details.vault.update": "Aktualizovať trezor",
   "auditLog.paymentRequired.message": "Licencia je povinná",
+  "claimVaultOwnershipDialog.submit": "Potvrdiť vlastníctvo",
   "claimVaultOwnershipDialog.error.wrongPassword": "Nesprávne heslo",
   "createVault.enterRecoveryKey.title": "Obnoviť trezor",
   "createVault.enterRecoveryKey.submit": "Obnoviť trezor",
@@ -77,16 +97,35 @@
   "createVault.enterVaultDetails.vaultDescription": "Popis",
   "createVault.showRecoveryKey.title": "Kľúč pre obnovenie",
   "createVault.showRecoveryKey.submit": "Vytvoriť trezor",
+  "deleteGroupDialog.title": "Odstrániť skupinu",
+  "deleteGroupDialog.confirm": "Áno, odstrániť skupinu",
+  "deleteUserDialog.confirm": "Áno, odstrániť používateľa",
   "deviceList.deviceName": "Názov zariadenia",
   "deviceList.type": "Typ",
+  "deviceList.thisDevice": "Toto zariadenie",
   "deviceList.ipAddress": "IP adresa",
   "deviceList.lastAccess": "Posledný prístup do trezoru",
   "deviceList.lastAccess.toolTip": "Môže chýbať pre zariadenia so staršími verziami.",
+  "emergencyAccess.label.owners": "Vlastníci",
+  "emergencyAccess.label.members": "Členovia",
+  "emergencyAccess.label.removed": "Odstránené",
+  "emergencyAccess.approval.showDetails": "Zobraziť detaily",
   "editVaultMetadataDialog.vaultName": "Názov trezoru",
   "editVaultMetadataDialog.vaultDescription": "Popis",
+  "groups.title": "Skupiny",
+  "group.detail.members": "Členovia",
+  "group.detail.vaults": "Trezory",
+  "group.detail.name": "Meno",
+  "groupList.name": "Meno",
+  "groupList.edit.group.button": "Upraviť",
+  "groupList.vaults.count": "Trezory",
+  "group.members.search.empty": "Nič sa nenašlo",
+  "trustDetails.trustLevel.untrusted": "Neoverené",
+  "trustDetails.showSignDialogBtn": "Skontrolovať identitu...",
+  "initialSetup.createUserKey.title": "Vitajte v Cryptomator Hube",
   "initialSetup.accountKey": "Kľúč účtu",
   "legacyDeviceList.title": "Staršie zariadenia",
-  "legacyDeviceList.description": "Tieto zariadenia boli vytvorené pomocou staršej verzie Hub a je potrebné ich aktualizovať, aby sa v budúcich verziách odomkli trezory. Ak ich už nepotrebujete, odstráňte ich. V opačnom prípade aktualizujte Cryptomator na tomto zariadení. Vaše ďalšie odomknutie spustí aktualizáciu automaticky.",
+  "legacyDeviceList.description": "Tieto zariadenia boli vytvorené pomocou staršej verzie Katta a je potrebné ich aktualizovať, aby sa v budúcich verziách odomkli trezory. Ak ich už nepotrebujete, odstráňte ich. V opačnom prípade aktualizujte Katta na tomto zariadení. Vaše ďalšie odomknutie spustí aktualizáciu automaticky.",
   "legacyDeviceList.description.information": "Dozvedieť sa viac.",
   "legacyDeviceList.deviceName": "Názov zariadenia",
   "legacyDeviceList.type": "Typ",
@@ -97,20 +136,44 @@
   "legacyDeviceList.lastAccess.toolTip": "Môže chýbať pre zariadenia so staršími verziami.",
   "manageAccountKey.title": "Kľúč účtu",
   "nav.vaults": "Trezory",
+  "nav.emergencyAccess": "Núdzový prístup",
   "nav.profile.admin": "Administrátor",
+  "nav.groups": "Skupiny",
   "recoveryKeyDialog.title": "Kľúč pre obnovenie",
   "recoverVaultDialog.description": "Vpíšte kľúč obnovy do trezoru pre znovuzískanie prístupu doň.",
   "recoverVaultDialog.submit": "Obnoviť trezor",
   "recoverVaultDialog.error.formValidationFailed": "Kľúč obnovy nesmie byť prázdny",
   "recoverVaultDialog.error.invalidRecoveryKey": "Neplatný kľúč obnovy",
   "regenerateAccountKeyDialog.saveAccountKey.accountKey": "Kľúč účtu",
+  "resetUserAccountDialog.title": "Inicializovať užívateľský účet",
+  "user.detail.disable": "Zakázať",
+  "user.detail.edit": "Upraviť",
+  "user.detail.enable": "Povoliť",
+  "user.detail.groups": "Skupiny",
+  "user.detail.name": "Meno",
+  "user.detail.username": "Uživateľské meno",
+  "userEditCreate.button.save": "Uložiť",
+  "userEditCreate.button.saved": "Uložené!",
+  "userEditCreate.username": "Uživateľské meno",
+  "userEditCreate.password": "Heslo",
+  "userEditCreate.passwordStrong": "Silné",
+  "userEditCreate.passwordWeak": "Slabé",
+  "userList.edit.user.button": "Upraviť",
+  "userList.userName": "Meno",
+  "userList.groups.count": "Skupiny",
+  "userList.vaults.count": "Trezory",
   "userProfile.actions.changeLanguage.entry.browser": "Jazyk prehliadača",
   "userProfile.keycloakVersion.notAvailable": "verzia nie je k dispozícii",
+  "unlock.noAccessVaultArchived.title": "Trezor je archivovaný",
+  "unlock.noAccessVaultArchived.description": "Tento trezor bol archivovaný a nie je viac dostupný. Prosím kontaktujte jeho vlastníka.",
   "unlockSuccess.deviceSetup.title": "Nové zariadenie",
   "vaultDetails.description.header": "Popis",
   "vaultDetails.actions.updatePermissions.reload": "Znovu načítať",
   "vaultDetails.actions.displayRecoveryKey": "Ukázať kľúč obnovenia",
+  "vaultDetails.actions.claimOwnership": "Potvrdiť vlastníctvo",
   "vaultList.title": "Trezory",
   "vaultList.addVault": "Pridať",
-  "vaultList.filter": "Filter"
+  "vaultList.filter": "Filter",
+  "trial.enterpriseFeature.title": "Podniková funkcia",
+  "trial.enterpriseFeature.description": "Táto funkcia je trvalo dostupná iba s licenciou Enterprise."
 }
diff --git a/frontend/src/i18n/sl-SI.json b/frontend/src/i18n/sl-SI.json
index 41bcba78f..6cd562429 100644
--- a/frontend/src/i18n/sl-SI.json
+++ b/frontend/src/i18n/sl-SI.json
@@ -5,16 +5,20 @@
   "common.close": "Zapri",
   "common.copied": "Kopirano!",
   "common.copy": "Kopiraj",
+  "common.create": "Ustvari",
   "common.download": "Prenesi",
+  "common.edit": "Uredi",
   "common.next": "Naslednji",
   "common.previous": "Prejšnji",
   "common.refresh": "Osveži",
   "common.remove": "Odstrani",
   "common.retry": "Poizkusi znova",
+  "common.save": "Shrani",
   "common.share": "Deli",
   "common.show": "Prikaži",
   "admin.webOfTrust.information": "Preberite več.",
   "admin.webOfTrust.save": "Shrani",
+  "admin.emergencyAccess.learnMore": "Preberite več.",
   "auditLog.details": "Podrobnosti",
   "auditLog.details.vault.create": "Ustvari trezor",
   "claimVaultOwnershipDialog.error.wrongPassword": "Napačno geslo",
@@ -22,8 +26,18 @@
   "createVault.enterVaultDetails.vaultName": "Ime trezorja",
   "createVault.showRecoveryKey.submit": "Ustvari trezor",
   "editVaultMetadataDialog.vaultName": "Ime trezorja",
+  "group.detail.vaults": "Trezorji",
+  "groupList.edit.group.button": "Uredi",
+  "groupList.vaults.count": "Trezorji",
   "legacyDeviceList.description.information": "Preberite več.",
   "nav.vaults": "Trezorji",
+  "user.detail.edit": "Uredi",
+  "user.detail.enable": "Omogoči",
+  "user.detail.username": "Uporabniško ime",
+  "userEditCreate.button.save": "Shrani",
+  "userEditCreate.username": "Uporabniško ime",
+  "userList.edit.user.button": "Uredi",
+  "userList.vaults.count": "Trezorji",
   "vaultList.title": "Trezorji",
   "vaultList.addVault": "Dodaj"
 }
diff --git a/frontend/src/i18n/sr-SP.json b/frontend/src/i18n/sr-SP.json
index 93d8de54c..4c0052e27 100644
--- a/frontend/src/i18n/sr-SP.json
+++ b/frontend/src/i18n/sr-SP.json
@@ -11,5 +11,8 @@
   "createVault.enterVaultDetails.title": "Napravi sef",
   "createVault.enterVaultDetails.vaultName": "Naziv sefa",
   "createVault.showRecoveryKey.submit": "Napravi sef",
-  "editVaultMetadataDialog.vaultName": "Naziv sefa"
+  "editVaultMetadataDialog.vaultName": "Naziv sefa",
+  "userEditCreate.password": "Лозинка",
+  "userEditCreate.passwordStrong": "Jakа",
+  "userEditCreate.passwordWeak": "Слаба"
 }
diff --git a/frontend/src/i18n/sv-SE.json b/frontend/src/i18n/sv-SE.json
index a943dc7fc..aa37200ac 100644
--- a/frontend/src/i18n/sv-SE.json
+++ b/frontend/src/i18n/sv-SE.json
@@ -18,10 +18,16 @@
   "common.close": "Stäng",
   "common.copied": "Kopierad!",
   "common.copy": "Kopiera",
+  "common.create": "Skapa",
+  "common.device": "Enhet",
   "common.download": "Ladda ner",
+  "common.edit": "Redigera",
   "common.hide": "Dölj",
+  "common.leave": "Lämna",
   "common.loading": "Laddar…",
   "common.next": "Nästa",
+  "common.none": "Inget",
+  "common.nothingFound": "Inget hittades",
   "common.optional": "valfri",
   "common.pagination": "Sidnumrering",
   "common.previous": "Föregående",
@@ -30,6 +36,10 @@
   "common.remove": "Ta bort",
   "common.reset": "Återställ",
   "common.retry": "Försök igen",
+  "common.save": "Spara",
+  "common.saved": "Sparat!",
+  "common.search.placeholder": "Sök…",
+  "common.select.placeholder": "Välj…",
   "common.share": "Dela",
   "common.show": "Visa",
   "common.undo": "Ångra",
@@ -37,16 +47,22 @@
   "common.unsavedChanges": "Osparade ändringar.",
   "common.update": "Uppdatera",
   "common.xMembers": "{0} medlemmar",
+  "common.actions": "Åtgärder",
+  "common.group": "Grupp",
+  "common.member": "Medlem",
+  "common.property": "Egenskap",
+  "common.value": "Värde",
   "admin.title": "Admin",
   "admin.serverInfo.title": "Serverinformation",
-  "admin.serverInfo.description": "Nav-IDt används för att identifiera din Cryptomator Hub instans för din licens. Ange den visade Nav- och Keycloakversionen när du söker hjälp.",
-  "admin.serverInfo.hubId.title": "Nav-ID",
-  "admin.serverInfo.hubVersion.title": "Navversion",
-  "admin.serverInfo.hubVersion.description.upToDate": "Navet är uppdaterat.",
+  "admin.serverInfo.description": "Katta-ID:t används för att identifiera din Katta instans för din licens. Ange den visade Katta- och Keycloakversionen när du söker hjälp.",
+  "admin.serverInfo.hubId.title": "Katta-ID",
+  "admin.serverInfo.hubVersion.title": "Katta-version",
+  "admin.serverInfo.hubVersion.description.upToDate": "Katta är uppdaterat.",
   "admin.serverInfo.hubVersion.description.updateExists": "Uppdatering till version {0} är möjlig.",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "Det gick inte att söka efter uppdateringar. Vänligen kontrollera manuellt.",
   "admin.serverInfo.keycloakVersion.title": "Keycloak-version",
   "admin.serverInfo.keycloakVersion.description": "Hantera Keycloak",
+  "admin.serverInfo.keycloakVersion.notAvailable": "inte tillgänglig",
   "admin.licenseInfo.title": "Licensinformation",
   "admin.licenseInfo.description": "Verifiera din licensinformation. Om du vill göra ändringar eller kontrollera din prenumerationsstatus trycker du på \"Hantera prenumeration\".",
   "admin.licenseInfo.email.title": "Licensierad till",
@@ -61,8 +77,8 @@
   "admin.licenseInfo.manageSubscription": "Hantera prenumeration",
   "admin.licenseInfo.type.title": "Typ",
   "admin.licenseInfo.getLicense": "Köp licens",
-  "admin.licenseInfo.selfHostedNoLicense.description": "Tack för att du använder Cryptomator Navet! Du har beviljats en gemenskapslicens. Om du behöver fler platser, uppgradera din licens.",
-  "admin.licenseInfo.managedNoLicense.description": "Tack för att du använder Cryptomator Navet! Du har för närvarande ingen aktiv licens.",
+  "admin.licenseInfo.selfHostedNoLicense.description": "Tack för att du använder Katta! Du har beviljats en gemenskapslicens. Om du behöver fler platser, uppgradera din licens.",
+  "admin.licenseInfo.managedNoLicense.description": "Tack för att du använder Katta! Du har för närvarande ingen aktiv licens.",
   "admin.webOfTrust.title": "Tillitsnätet",
   "admin.webOfTrust.description": "Konfigurera tillitsnätinställningar för att hantera hur förtroende skapas mellan användare i systemet. Dessa inställningar påverkar verifieringen av användaridentiteter och nyckelsignaturer.",
   "admin.webOfTrust.information": "Läs mer.",
@@ -74,6 +90,26 @@
   "admin.webOfTrust.wotIdVerifyLen.description": "Hur många siffror i en annan användare fingeravtryck man måste ange för att verifiera sin identitet.",
   "admin.webOfTrust.save": "Spara",
   "admin.webOfTrust.saved": "Sparat!",
+  "admin.emergencyAccess.title": "Nödåtkomst",
+  "admin.emergencyAccess.description": "Konfigurera nyckeldelning för valvåterställning.",
+  "admin.emergencyAccess.learnMore": "Läs mer.",
+  "admin.emergencyAccess.noRedundancy.title": "Din nuvarande nyckeldelning har ingen redundans!",
+  "admin.emergencyAccess.noRedundancy.description": "Det rekommenderas starkt att konfigurera fler nyckelhållare än nödvändiga nycklar.",
+  "admin.emergencyAccess.enabled.label": "Aktiverad",
+  "admin.emergencyAccess.enabled.help": "Aktivera nödåtkomst",
+  "admin.emergencyAccess.requiredKeys.label": "Nödvändiga nycklar",
+  "admin.emergencyAccess.requiredKeys.ariaLabel": "Nödvändiga nyckeldelar",
+  "admin.emergencyAccess.requiredKeys.help": "Hur många nycklar krävs för att återställa tillgången till ett valv.",
+  "admin.emergencyAccess.keyholders.label": "Nyckelinnehavare",
+  "admin.emergencyAccess.keyholders.minSelected": "Minst {0} medlemmar måste väljas. Det nödvändiga antalet definieras ovan.",
+  "admin.emergencyAccess.keyholders.help": "Vilka ska hämta en nyckel för nödåtkomst.",
+  "admin.emergencyAccess.allowChoosing.label": "Låt valvägare välja olika nyckelinnehavare.",
+  "admin.emergencyAccess.allowChoosing.atLeast": "Åtminstone:",
+  "admin.emergencyAccess.minMembers.ariaLabel": "Minsta antalet medlemmar",
+  "admin.emergencyAccess.example.help": "Exempel på vem som kan samarbeta för att återställa ett valv.",
+  "admin.emergencyAccess.validation.maxValue": "Maxvärdet är {0}.",
+  "admin.emergencyAccess.validation.minValue": "Minsta värdet är {0}.",
+  "admin.emergencyAccess.validation.minMembersAtLeastRequiredShares": "Måste vara större än eller lika med nödvändiga nyckeldelar.",
   "archiveVaultDialog.title": "Arkivera valv",
   "archiveVaultDialog.description": "Arkivering av valv gör det inaktivt. Detta kan frigöra ockuperade platser. Ett arkiverat valv kan återaktiveras senare.",
   "archiveVaultDialog.confirm": "Arkiv",
@@ -132,13 +168,19 @@
   "createVault.error.invalidRecoveryKey": "Återställningsnyckeln är ogiltig.",
   "createVault.error.vaultAlreadyExists": "Ett valv med det givna namnet finns redan.",
   "createVault.error.downloadTemplateFailed": "Hämtning av valvmall misslyckades: {0}",
-  "createVault.error.paymentRequired": "Din Cryptomator Hub-licens har överskridit antalet lediga platser eller har löpt ut. Vänligen informera en Hub-administratör om att uppgradera eller förnya licensen.",
+  "createVault.error.paymentRequired": "Din Katta-licens har överskridit antalet lediga platser eller har löpt ut. Vänligen informera en Katta-administratör om att uppgradera eller förnya licensen.",
   "createVault.success.title": "Valv skapat",
   "createVault.success.description": "Efter nedladdning av zippad valvmapp, packa upp den till vilken plats som helst som delas med dina teammedlemmar.",
   "createVault.success.download": "Ladda ner zippad valvmapp",
   "createVault.success.return": "Tillbaka till valvlistan",
+  "deleteGroupDialog.title": "Ta bort grupp",
+  "deleteGroupDialog.description": "Är du säker på att du vill ta bort denna grupp permanent? Den kommer att tas bort från alla valv där den används. Denna åtgärd kan inte ångras.",
+  "deleteGroupDialog.confirm": "Ja, ta bort grupp",
+  "deleteUserDialog.title": "Ta bort användarkonto",
+  "deleteUserDialog.description": "Är du säker på att du vill ta bort användaren permanent? Alla länkade valv och enheter kommer att tas bort. Denna åtgärd kan inte ångras.",
+  "deleteUserDialog.confirm": "Ja, ta bort användare",
   "deviceList.empty.message": "Inga enheter",
-  "deviceList.empty.description": "För att lägga till en enhet, lägg till ett valv från denna Hub till Cryptomator-appen på enheten och lås upp den.",
+  "deviceList.empty.description": "För att lägga till en enhet, lägg till ett valv från denna Katta till Katta-appen på enheten och lås upp den.",
   "deviceList.title": "Auktoriserade enheter och webbläsare",
   "deviceList.deviceName": "Enhetsnamn",
   "deviceList.type": "Typ",
@@ -149,6 +191,8 @@
   "deviceList.lastAccess.toolTip": "Kan saknas för enheter med äldre versioner.",
   "downloadVaultTemplateDialog.title": "Ladda ner valvmall",
   "downloadVaultTemplateDialog.description": "Ladda ner och packa upp den zippade valvmallen till vilken plats som helst som delas med dina teammedlemmar. Detta krävs endast en gång under den första installationen.",
+  "emergencyAccess.status.added": "Har lagts till",
+  "emergencyAccess.label.members": "Medlemmar",
   "editVaultMetadataDialog.title": "Redigera valvmetadata",
   "editVaultMetadataDialog.description": "Uppdatera namn och beskrivning av valvet.",
   "editVaultMetadataDialog.vaultName": "Valvnamn",
@@ -158,6 +202,44 @@
   "grantPermissionDialog.title": "Bevilja behörighet",
   "grantPermissionDialog.description": "Dela valvnycklar med nytillagda användare.",
   "grantPermissionDialog.submit": "Bevilja tillstånd till {0} användare",
+  "groups.title": "Grupper",
+  "group.detail.info": "Gruppinformation",
+  "group.detail.members": "Medlemmar",
+  "group.detail.vaults": "Valv",
+  "group.detail.edit": "Ändra grupp",
+  "group.detail.add.member": "Lägg till medlem",
+  "group.detail.name": "Namn",
+  "group.detail.createdOn": "Skapad den",
+  "group.detail.roles": "Roller",
+  "groupList.name": "Namn",
+  "groupList.members.count": "Användare",
+  "groupList.edit.group.button": "Redigera",
+  "groupList.search.placeholder": "Sök…",
+  "groupList.groupImage": "Gruppbild",
+  "groupList.vaults.count": "Valv",
+  "groupList.create.button": "Skapa grupp",
+  "groupList.group.created": "Skapad den",
+  "group.members.add": "Lägg till medlemmar",
+  "group.members.search.empty": "Inget hittades",
+  "group.addMembers.title": "Lägg till medlemmar",
+  "group.addMembers.searchLabel": "Sök på användarnamn eller fullständigt namn",
+  "group.addMembers.selectedUser": "Valda användare",
+  "group.member.remove.title": "Ta bort användare från gruppen",
+  "group.member.remove.description": "Är du säker på att du vill ta bort denna användare från gruppen?",
+  "group.member.remove.confirm": "Ja, ta bort från gruppen",
+  "groupEditCreate.title.create": "Skapa ny grupp",
+  "groupEditCreate.title.edit": "Redigera grupp",
+  "groupEditCreate.profileImage": "Profilbild",
+  "groupEditCreate.role": "Roll",
+  "groupEditCreate.removePicture": "Ta bort bild",
+  "groupEditCreate.addPicture": "Lägg till bild",
+  "groupEditCreate.name": "Gruppnamn",
+  "groupEditCreate.roles": "Roller",
+  "groupEditCreate.validation.required": "Detta fält är tvingande",
+  "groupEditCreate.roles.remove": "Ta bort roller",
+  "groupEditCreate.roles.choose": "Välj roller",
+  "groupEditCreate.roles.addMore": "Lägg till fler",
+  "groupEditCreate.invalidImageUrl": "Ogiltig bild-URL",
   "trustDetails.trustLevel": "Tillitsnivå {0}",
   "trustDetails.trustLevel.untrusted": "Ej verifierad",
   "trustDetails.showSignDialogBtn": "Kontrollera identitet...",
@@ -165,7 +247,7 @@
   "signUserKeysDialog.title": "Verifiera {0}s identitet",
   "initialSetup.accountKey": "Konto nyckel",
   "legacyDeviceList.title": "Äldre enheter",
-  "legacyDeviceList.description": "Dessa enheter kör en äldre version av Navet och måste uppdateras för att låsa upp valv i framtida versioner. Om du inte längre behöver dem, vänligen ta bort dem. Annars vänligen uppdatera Cryptomator på enheten. Nästa upplåsning kommer att utlösa uppdateringen automatiskt.",
+  "legacyDeviceList.description": "Dessa enheter kör en äldre version av Katta och måste uppdateras för att låsa upp valv i framtida versioner. Om du inte längre behöver dem, vänligen ta bort dem. Annars vänligen uppdatera Katta på enheten. Nästa upplåsning kommer att utlösa uppdateringen automatiskt.",
   "legacyDeviceList.description.information": "Läs mer.",
   "legacyDeviceList.deviceName": "Enhetsnamn",
   "legacyDeviceList.type": "Typ",
@@ -176,8 +258,11 @@
   "legacyDeviceList.lastAccess.toolTip": "Kan saknas för enheter med äldre versioner.",
   "manageAccountKey.title": "Konto nyckel",
   "nav.vaults": "Valv",
+  "nav.emergencyAccess": "Nödåtkomst",
   "nav.profile.admin": "Admin",
   "nav.profile.auditlog": "Revisionslogg",
+  "nav.groups": "Grupper",
+  "nav.users": "Användare",
   "recoveryKeyDialog.title": "Återställningsnyckel",
   "recoveryKeyDialog.recoveryKey": "Återställningsnyckel för ditt valv",
   "recoverVaultDialog.description": "Skriv in återställningsnyckeln för detta valv för att återfå åtkomst till det.",
@@ -186,7 +271,35 @@
   "recoverVaultDialog.error.invalidRecoveryKey": "Ogiltig återställningsnyckel",
   "regenerateAccountKeyDialog.saveAccountKey.accountKey": "Konto nyckel",
   "resetUserAccountDialog.title": "Återställ användarkonto",
+  "users.title": "Användare",
+  "user.detail.createdOn": "Skapad den",
+  "user.detail.disable": "Inaktivera",
+  "user.detail.edit": "Redigera",
+  "user.detail.enable": "Aktivera",
+  "user.detail.groups": "Grupper",
+  "user.detail.name": "Namn",
+  "user.detail.roles": "Roller",
+  "user.detail.username": "Användarnamn",
+  "userEditCreate.button.save": "Spara",
+  "userEditCreate.button.saved": "Sparat!",
+  "userEditCreate.username": "Användarnamn",
+  "userEditCreate.roles": "Roller",
+  "userEditCreate.password": "Lösenord",
+  "userEditCreate.removePicture": "Ta bort bild",
+  "userEditCreate.passwordStrong": "Starkt",
+  "userEditCreate.passwordWeak": "Svagt",
+  "userEditCreate.invalidImageUrl": "Ogiltig bild-URL",
+  "userEditCreate.validation.required": "Detta fält är tvingande",
+  "userList.edit.user.button": "Redigera",
+  "userList.userName": "Namn",
+  "userList.groups.count": "Grupper",
+  "userList.vaults.count": "Valv",
+  "userList.user.created": "Skapad den",
+  "userList.profileImage": "Profilbild",
   "userProfile.actions.changeLanguage.entry.browser": "Webbläsarens språk",
+  "userProfile.keycloakVersion.notAvailable": "versionen är inte tillgänglig",
+  "unlock.noAccessVaultArchived.title": "Valvet arkiverades",
+  "unlock.noAccessVaultArchived.description": "Detta valv har arkiverats och är inte längre tillgängligt. Kontakta valvägaren.",
   "unlockSuccess.deviceSetup.title": "Ny enhet",
   "vaultDetails.description.header": "Beskrivning",
   "vaultDetails.actions.updatePermissions.reload": "Ladda om",
@@ -197,5 +310,7 @@
   "vaultDetails.actions.claimOwnership": "Begär Ägarskap",
   "vaultList.title": "Valv",
   "vaultList.addVault": "Lägg till",
-  "vaultList.filter": "Filter"
+  "vaultList.filter": "Filter",
+  "trial.enterpriseFeature.title": "Företagsfunktion",
+  "trial.enterpriseFeature.description": "Denna funktion är endast permanent tillgänglig med en Enterprise licens."
 }
diff --git a/frontend/src/i18n/sw-TZ.json b/frontend/src/i18n/sw-TZ.json
index d65d74891..4363a32a9 100644
--- a/frontend/src/i18n/sw-TZ.json
+++ b/frontend/src/i18n/sw-TZ.json
@@ -5,18 +5,22 @@
   "common.close": "Futa",
   "common.copied": "Nakiliwa!",
   "common.copy": "Nakili",
+  "common.create": "Unda",
   "common.download": "Kupakua",
+  "common.edit": "Hariri",
   "common.next": "Nyingine",
   "common.previous": "Iliyotangulia",
   "common.refresh": "Onesha upya",
   "common.remove": "Ondoa",
   "common.reset": "Weka upya",
   "common.retry": "Jaribu tena",
+  "common.save": "Hifadhi",
   "common.share": "Kushiriki",
   "common.show": "Onyesha",
   "admin.licenseInfo.manageSubscription": "Simamia Usajili",
   "admin.webOfTrust.information": "Jifunze zaidi.",
   "admin.webOfTrust.save": "Hifadhi",
+  "admin.emergencyAccess.learnMore": "Jifunze zaidi.",
   "auditLog.filter": "Chuja",
   "auditLog.details": "Maelezo",
   "auditLog.details.vault.create": "Unda Kuba",
@@ -26,9 +30,23 @@
   "createVault.showRecoveryKey.submit": "Unda Kuba",
   "deviceList.deviceName": "Jina la Kifaa",
   "editVaultMetadataDialog.vaultName": "Jina la kuba",
+  "group.detail.vaults": "Kuba",
+  "groupList.edit.group.button": "Hariri",
+  "groupList.vaults.count": "Kuba",
   "legacyDeviceList.description.information": "Jifunze zaidi.",
   "legacyDeviceList.deviceName": "Jina la Kifaa",
   "nav.vaults": "Kuba",
+  "user.detail.disable": "Lemaza",
+  "user.detail.edit": "Hariri",
+  "user.detail.enable": "Wezesha",
+  "user.detail.username": "Jina la mtumiaji",
+  "userEditCreate.button.save": "Hifadhi",
+  "userEditCreate.username": "Jina la mtumiaji",
+  "userEditCreate.password": "Neno la siri",
+  "userEditCreate.passwordStrong": "Imara",
+  "userEditCreate.passwordWeak": "Dhaifu",
+  "userList.edit.user.button": "Hariri",
+  "userList.vaults.count": "Kuba",
   "vaultDetails.actions.updatePermissions.reload": "Upya",
   "vaultDetails.actions.displayRecoveryKey": "Onyesha Ufunguo wa Kufufua",
   "vaultList.title": "Kuba",
diff --git a/frontend/src/i18n/ta-IN.json b/frontend/src/i18n/ta-IN.json
index c603df6db..a9f90c9ce 100644
--- a/frontend/src/i18n/ta-IN.json
+++ b/frontend/src/i18n/ta-IN.json
@@ -4,11 +4,13 @@
   "common.close": "மூடு",
   "common.copied": "நகலெடுக்கப்பட்டது!",
   "common.copy": "நகலெடு",
+  "common.edit": "திருத்து",
   "common.next": "அடுத்து",
   "common.previous": "முந்தைய",
   "common.refresh": "புதுப்பி",
   "common.remove": "நீக்கு",
   "common.retry": "மீண்டும் முயற்சிக்கவும்",
+  "common.save": "சேமி",
   "common.share": "பகிர்",
   "common.show": "காட்டு",
   "admin.webOfTrust.save": "சேமி",
@@ -17,5 +19,15 @@
   "createVault.enterVaultDetails.title": "பெட்டகத்தை உருவாக்கவும்",
   "createVault.enterVaultDetails.vaultName": "பெட்டகத்தின் பெயர்",
   "createVault.showRecoveryKey.submit": "பெட்டகத்தை உருவாக்கவும்",
-  "editVaultMetadataDialog.vaultName": "பெட்டகத்தின் பெயர்"
+  "editVaultMetadataDialog.vaultName": "பெட்டகத்தின் பெயர்",
+  "groupList.edit.group.button": "திருத்து",
+  "user.detail.disable": "முடக்கு",
+  "user.detail.edit": "திருத்து",
+  "user.detail.enable": "இயக்கு",
+  "user.detail.username": "பயனர்பெயர்",
+  "userEditCreate.button.save": "சேமி",
+  "userEditCreate.username": "பயனர்பெயர்",
+  "userEditCreate.passwordStrong": "வலுவான",
+  "userEditCreate.passwordWeak": "பலவீனமானது",
+  "userList.edit.user.button": "திருத்து"
 }
diff --git a/frontend/src/i18n/te-IN.json b/frontend/src/i18n/te-IN.json
index dc5b309df..df14d9895 100644
--- a/frontend/src/i18n/te-IN.json
+++ b/frontend/src/i18n/te-IN.json
@@ -1,10 +1,21 @@
 {
+  "common.create": "సృష్టించు",
+  "common.edit": "మార్పు",
   "common.previous": "మునుపటి",
   "common.refresh": "రిఫ్రెష్ చేయండి",
   "common.remove": "తొలగించు",
   "common.retry": "మళ్ళీ చేయండి",
+  "common.save": "సేవ్ చేయండి",
   "common.share": "తో పంచు",
   "admin.webOfTrust.save": "సేవ్ చేయండి",
   "auditLog.details": "వివరాలు",
-  "claimVaultOwnershipDialog.error.wrongPassword": "సరియినది కాని రహస్య పదము"
+  "claimVaultOwnershipDialog.error.wrongPassword": "సరియినది కాని రహస్య పదము",
+  "groupList.edit.group.button": "మార్పు",
+  "user.detail.disable": "డిసేబుల్",
+  "user.detail.edit": "మార్పు",
+  "user.detail.enable": "ప్రారంభించు",
+  "user.detail.username": "వినియోగదారు పేరు",
+  "userEditCreate.button.save": "సేవ్ చేయండి",
+  "userEditCreate.username": "వినియోగదారు పేరు",
+  "userList.edit.user.button": "మార్పు"
 }
diff --git a/frontend/src/i18n/th-TH.json b/frontend/src/i18n/th-TH.json
index 2438de913..bdd010775 100644
--- a/frontend/src/i18n/th-TH.json
+++ b/frontend/src/i18n/th-TH.json
@@ -5,18 +5,22 @@
   "common.close": "ปิด",
   "common.copied": "คัดลอกแล้ว!",
   "common.copy": "คัดลอก",
+  "common.create": "สร้าง",
   "common.download": "ดาวน์โหลด",
+  "common.edit": "แก้ไข",
   "common.next": "ถัดไป",
   "common.previous": "ก่อนหน้า",
   "common.refresh": "รีเฟรช",
   "common.remove": "ลบ",
   "common.reset": "รีเซ็ต",
   "common.retry": "ลอง​ใหม่",
+  "common.save": "บันทึก",
   "common.share": "แชร์",
   "common.show": "แสดง",
   "admin.licenseInfo.manageSubscription": "จัดการการสมัครสมาชิก",
   "admin.webOfTrust.information": "เรียนรู้เพิ่มเติม",
   "admin.webOfTrust.save": "บันทึก",
+  "admin.emergencyAccess.learnMore": "เรียนรู้เพิ่มเติม",
   "auditLog.filter": "กรอง",
   "auditLog.details": "ราย​ละเอียด",
   "auditLog.details.vault.create": "สร้าง Vault",
@@ -26,9 +30,23 @@
   "createVault.showRecoveryKey.submit": "สร้าง Vault",
   "deviceList.deviceName": "ชื่ออุปกรณ์",
   "editVaultMetadataDialog.vaultName": "ชื่อ Vault",
+  "group.detail.vaults": "Vaults",
+  "groupList.edit.group.button": "แก้ไข",
+  "groupList.vaults.count": "Vaults",
   "legacyDeviceList.description.information": "เรียนรู้เพิ่มเติม",
   "legacyDeviceList.deviceName": "ชื่ออุปกรณ์",
   "nav.vaults": "Vaults",
+  "user.detail.disable": "ปิดการใช้งาน",
+  "user.detail.edit": "แก้ไข",
+  "user.detail.enable": "เปิดใช้งาน",
+  "user.detail.username": "ชื่อผู้ใช้",
+  "userEditCreate.button.save": "บันทึก",
+  "userEditCreate.username": "ชื่อผู้ใช้",
+  "userEditCreate.password": "รหัสผ่าน",
+  "userEditCreate.passwordStrong": "แข็งแรง",
+  "userEditCreate.passwordWeak": "อ่อน",
+  "userList.edit.user.button": "แก้ไข",
+  "userList.vaults.count": "Vaults",
   "unlockSuccess.deviceSetup.title": "อุปกรณ์ใหม่",
   "vaultDetails.actions.updatePermissions.reload": "รีโหลด",
   "vaultDetails.actions.displayRecoveryKey": "แสดงรหัสกู้คืน",
diff --git a/frontend/src/i18n/tr-TR.json b/frontend/src/i18n/tr-TR.json
index 1bbf82ce6..3f10ed7ca 100644
--- a/frontend/src/i18n/tr-TR.json
+++ b/frontend/src/i18n/tr-TR.json
@@ -1,14 +1,33 @@
 {
+  "locale.en-US": "İngilizce",
+  "locale.de-DE": "Almanca",
+  "locale.fr-FR": "Fransızca",
+  "locale.it-IT": "İtalyanca",
+  "locale.ko-KR": "Korece",
+  "locale.lv-LV": "Letonca",
+  "locale.nl-NL": "Flemenkçe",
+  "locale.pt-BR": "Portekizce (Brezilya)",
+  "locale.pt-PT": "Portekizce",
+  "locale.ru-RU": "Rusça",
+  "locale.tr-TR": "Türkçe",
+  "locale.uk-UA": "Ukraynaca",
+  "locale.zh-TW": "Çince (Tayvan)",
   "common.add": "Ekle",
   "common.apply": "Uygula",
   "common.cancel": "İptal",
   "common.close": "Kapat",
   "common.copied": "Kopyalandı!",
   "common.copy": "Kopyala",
+  "common.create": "Oluştur",
+  "common.device": "Aygıt",
   "common.download": "İndir",
+  "common.edit": "Düzenle",
   "common.hide": "Gizle",
+  "common.leave": "Ayrıl",
   "common.loading": "Yükleniyor…",
   "common.next": "İleri",
+  "common.none": "Yok",
+  "common.nothingFound": "Eşleşme bulunamadı",
   "common.optional": "opsiyonel",
   "common.pagination": "Sayfalama",
   "common.previous": "Önceki",
@@ -17,16 +36,27 @@
   "common.remove": "Kaldır",
   "common.reset": "Sıfırla",
   "common.retry": "Yeniden dene",
+  "common.save": "Kaydet",
+  "common.saved": "Kaydedildi!",
+  "common.search.placeholder": "Arama…",
+  "common.select.placeholder": "Seç…",
   "common.share": "Paylaş",
   "common.show": "Göster",
+  "common.undo": "Geri",
   "common.unexpectedError": "Beklenmeyen Hata: {0}",
+  "common.unsavedChanges": "Kaydedilmemiş değişiklikler.",
   "common.update": "Güncelle",
+  "common.xMembers": "{0} üye",
+  "common.actions": "Eylemler",
+  "common.group": "Grup",
+  "common.member": "Üye",
+  "common.value": "Değer",
   "admin.title": "Yönetici",
   "admin.serverInfo.title": "Sunucu Bilgisi",
-  "admin.serverInfo.description": "Hub ID, lisansınız için Cryptomator Hub örneğinizi tanımlamak için kullanılır. Destek için her zaman görüntülenen Hub ve Keycloak sürümünü belirtin.",
-  "admin.serverInfo.hubId.title": "Hub ID",
-  "admin.serverInfo.hubVersion.title": "Hub Versiyonu",
-  "admin.serverInfo.hubVersion.description.upToDate": "Hub güncel.",
+  "admin.serverInfo.description": "Katta ID, lisansınız için Katta örneğinizi tanımlamak için kullanılır. Destek için her zaman görüntülenen Katta ve Keycloak sürümünü belirtin.",
+  "admin.serverInfo.hubId.title": "Katta ID",
+  "admin.serverInfo.hubVersion.title": "Katta Versiyonu",
+  "admin.serverInfo.hubVersion.description.upToDate": "Katta güncel.",
   "admin.serverInfo.hubVersion.description.updateExists": "{0} sürümüne güncelleme mümkün.",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "Güncellemeler kontrol edilemiyor. Lütfen manuel olarak kontrol edin.",
   "admin.serverInfo.keycloakVersion.title": "Keycloack Versiyonu",
@@ -46,8 +76,8 @@
   "admin.licenseInfo.manageSubscription": "Aboneliği Yönet",
   "admin.licenseInfo.type.title": "Tip",
   "admin.licenseInfo.getLicense": "Lisans Al",
-  "admin.licenseInfo.selfHostedNoLicense.description": "Cryptomator Hub'ı kullandığınız için teşekkür ederiz! Size Topluluk Lisansı verilmiştir. Daha fazla koltuğa ihtiyacınız varsa, lisansınızı yükseltin.",
-  "admin.licenseInfo.managedNoLicense.description": "Cryptomator Hub'ı kullandığınız için teşekkür ederiz! Şu anda aktif bir lisansınız yok.",
+  "admin.licenseInfo.selfHostedNoLicense.description": "Katta'ı kullandığınız için teşekkür ederiz! Size Topluluk Lisansı verilmiştir. Daha fazla koltuğa ihtiyacınız varsa, lisansınızı yükseltin.",
+  "admin.licenseInfo.managedNoLicense.description": "Katta'ı kullandığınız için teşekkür ederiz! Şu anda aktif bir lisansınız yok.",
   "admin.webOfTrust.title": "Güven Ağı",
   "admin.webOfTrust.description": "Sistemdeki kullanıcılar arasında güvenin nasıl kurulduğunu yönetmek için Güven Ağı ayarlarını yapılandırın. Bu ayarlar kullanıcı kimliklerinin ve anahtar imzalarının doğrulanmasını etkiler.",
   "admin.webOfTrust.information": "Daha fazla bilgi edin.",
@@ -59,6 +89,7 @@
   "admin.webOfTrust.wotIdVerifyLen.description": "Bir kullanıcının kimliğini doğrulamak için başka bir kullanıcının parmak izinin kaç hanesini girmesi gerektiği.",
   "admin.webOfTrust.save": "Kaydet",
   "admin.webOfTrust.saved": "Kaydedildi!",
+  "admin.emergencyAccess.learnMore": "Daha fazla bilgi edin.",
   "archiveVaultDialog.title": "Arşiv Kasası",
   "archiveVaultDialog.description": "Bir kasayı arşivlemek onu pasif hale getirir. Bu, dolu koltukları boşaltabilir. Arşivlenen bir kasa daha sonra yeniden etkinleştirilebilir.",
   "archiveVaultDialog.confirm": "Arşiv",
@@ -117,13 +148,17 @@
   "createVault.error.invalidRecoveryKey": "Kurtarma anahtarı geçersiz.",
   "createVault.error.vaultAlreadyExists": "Verilen ada sahip kasa zaten mevcut.",
   "createVault.error.downloadTemplateFailed": "Kasa şablonunun indirilmesi başarısız oldu: {0}",
-  "createVault.error.paymentRequired": "Cryptomator Hub lisansınız mevcut koltuk sayısını aştı veya süresi doldu. Lisansı yükseltmek veya yenilemek için lütfen bir Hub yöneticisini bilgilendirin.",
+  "createVault.error.paymentRequired": "Katta lisansınız mevcut koltuk sayısını aştı veya süresi doldu. Lisansı yükseltmek veya yenilemek için lütfen bir Katta yöneticisini bilgilendirin.",
   "createVault.success.title": "Kasa oluşturuldu",
   "createVault.success.description": "Sıkıştırılmış kasa klasörünü indirdikten sonra, ekip üyelerinizle paylaşılan herhangi bir konuma açın.",
   "createVault.success.download": "Sıkıştırılmış kasa klasörünü indir",
   "createVault.success.return": "Kasa listesine dön",
+  "deleteGroupDialog.title": "Grubu sil",
+  "deleteGroupDialog.confirm": "Evet, grubu sil",
+  "deleteUserDialog.title": "Kullanıcı hesabını sil",
+  "deleteUserDialog.confirm": "Evet, kullanıcıyı sil",
   "deviceList.empty.message": "Cihaz yok",
-  "deviceList.empty.description": "Bir cihaz eklemek için, bu Hub'dan cihazın Cryptomator uygulamasına bir kasa ekleyin ve kilidini açın.",
+  "deviceList.empty.description": "Bir cihaz eklemek için, bu Katta'dan cihazın Katta uygulamasına bir kasa ekleyin ve kilidini açın.",
   "deviceList.title": "Yetkili Cihazlar ve Tarayıcılar",
   "deviceList.deviceName": "Cihaz Adı",
   "deviceList.type": "Tip",
@@ -131,8 +166,14 @@
   "deviceList.thisDevice": "Bu Cihaz",
   "deviceList.ipAddress": "IP Adres",
   "deviceList.lastAccess": "Son Kasa Erişimi",
+  "deviceType.browser": "Tarayıcı",
+  "deviceType.desktop": "Masaüstü",
+  "deviceType.mobile": "Cep",
   "downloadVaultTemplateDialog.title": "Kasa Şablonunu İndir",
   "downloadVaultTemplateDialog.description": "Sıkıştırılmış kasa şablonunu indirin ve ekip üyelerinizle paylaşılan herhangi bir konuma açın. Bu, ilk kurulum sırasında yalnızca bir kez gereklidir.",
+  "emergencyAccess.status.added": "Eklendi",
+  "emergencyAccess.label.members": "Üyeler",
+  "emergencyAccess.filter.all": "Tümü",
   "editVaultMetadataDialog.title": "Kasa Meta Verilerini Düzenle",
   "editVaultMetadataDialog.description": "Kasanın adını ve açıklamasını güncelleyin.",
   "editVaultMetadataDialog.vaultName": "Kasa Adı",
@@ -142,6 +183,39 @@
   "grantPermissionDialog.title": "İzin Ver",
   "grantPermissionDialog.description": "Kasa anahtarlarını yeni eklenen kullanıcılarla paylaşın.",
   "grantPermissionDialog.submit": "{0} Kullanıcıy(a) İzin Ver",
+  "groups.title": "Gruplar",
+  "group.detail.info": "Grup ayrıntıları",
+  "group.detail.members": "Üyeler",
+  "group.detail.vaults": "Kasalar",
+  "group.detail.edit": "Grubu düzenle",
+  "group.detail.add.member": "Üye ekle",
+  "group.detail.name": "Ad",
+  "group.detail.createdOn": "Oluşturuldu",
+  "group.detail.roles": "Roller",
+  "groupList.name": "Ad",
+  "groupList.members.count": "Kullanıcılar",
+  "groupList.edit.group.button": "Düzenle",
+  "groupList.search.placeholder": "Arama…",
+  "groupList.groupImage": "Grup görseli",
+  "groupList.vaults.count": "Kasalar",
+  "groupList.create.button": "Grup oluştur",
+  "groupList.group.created": "Oluşturuldu",
+  "group.members.add": "Üye ekle",
+  "group.members.search.empty": "Eşleşme bulunamadı",
+  "group.addMembers.title": "Üye ekle",
+  "groupEditCreate.title.create": "Yeni grup oluştur",
+  "groupEditCreate.profileImage": "Profil görseli",
+  "groupEditCreate.role": "Rol",
+  "groupEditCreate.removePicture": "Görseli kaldır",
+  "groupEditCreate.addPicture": "Görsel ekle",
+  "groupEditCreate.name": "Grup adı",
+  "groupEditCreate.roles": "Roller",
+  "groupEditCreate.validation.required": "Bu alan gereklidir",
+  "groupEditCreate.roles.remove": "Rolü kaldır",
+  "groupEditCreate.roles.choose": "Rol seç",
+  "groupEditCreate.roles.addMore": "Daha fazla ekle",
+  "groupEditCreate.invalidImageUrl": "Geçersiz görsel adresi",
+  "groupEditCreate.profilePictureUrl": "Profil görsel adresi",
   "trustDetails.trustLevel": "Güven Seviyesi {0}",
   "trustDetails.trustLevel.untrusted": "Doğrulanmamış",
   "trustDetails.showSignDialogBtn": "Kimlik Kontrolü...",
@@ -149,7 +223,7 @@
   "signUserKeysDialog.title": "{0}'ın Kimliğini Doğrula",
   "signUserKeysDialog.description": "Açık anahtarlarının gerçekliğini doğrulamak için {1}'in parmak izinin ilk {0} karakterini girin. Parmak izi kullanıcının profilinde bulunabilir.",
   "signUserKeysDialog.submit": "Bu Kullanıcının Kimliğini Onayla",
-  "initialSetup.createUserKey.title": "Cryptomator Hub'a Hoş Geldiniz",
+  "initialSetup.createUserKey.title": "Katta'a Hoş Geldiniz",
   "initialSetup.createUserKey.description": "İlk girişte, her kullanıcı benzersiz bir hesap anahtarı alır:",
   "initialSetup.createUserKey.details.accountKey": "Diğer uygulamalardan veya tarayıcılardan giriş yapmak için Hesap Anahtarınız gereklidir",
   "initialSetup.createUserKey.details.devicesList": "Profil sayfanızda yetkili uygulamaların bir listesini görebilirsiniz",
@@ -165,16 +239,16 @@
   "initialSetup.recoverUserKey.lostAccountKey": "Hesap Anahtarınızı mı kaybettiniz? {0}",
   "initialSetup.recoverUserKey.lostAccountKey.resetUserAccount": "Hesabımı sıfırla",
   "initialSetup.setupAlreadyCompleted.title": "Kurulum Önceden Tamamlandı",
-  "initialSetup.setupAlreadyCompleted.description": "Cryptomator Hub için ilk kurulumu zaten tamamladınız. Hesap Anahtarınızı profilinizde bulabilirsiniz.",
+  "initialSetup.setupAlreadyCompleted.description": "Katta için ilk kurulumu zaten tamamladınız. Hesap Anahtarınızı profilinizde bulabilirsiniz.",
   "initialSetup.setupAlreadyCompleted.goToYourProfile": "Profile Git",
   "initialSetup.accountKey": "Hesap Anahtarı",
   "initialSetup.submit": "Kurulumu Bitir",
   "licenseAlert.noRemainingSeats.title": "Lisans aşıldı",
-  "licenseAlert.noRemainingSeats.admin.description": "Cryptomator Hub örneğiniz lisanslı koltuk sayısını aştı. Kasalarınızı tekrar yönetmek ve kilidini açmak için {0}'da yükseltin.",
-  "licenseAlert.noRemainingSeats.user.description": "Cryptomator Hub örneğiniz lisanslı koltuk sayısını aştı. Lisansı yükseltmek için lütfen bir Hub yöneticisini bilgilendirin.",
+  "licenseAlert.noRemainingSeats.admin.description": "Katta örneğiniz lisanslı koltuk sayısını aştı. Kasalarınızı tekrar yönetmek ve kilidini açmak için {0}'da yükseltin.",
+  "licenseAlert.noRemainingSeats.user.description": "Katta örneğiniz lisanslı koltuk sayısını aştı. Lisansı yükseltmek için lütfen bir Katta yöneticisini bilgilendirin.",
   "licenseAlert.licenseExpired.title": "Lisan süresi doldu",
-  "licenseAlert.licenseExpired.admin.description": "Cryptomator Hub lisansınızın süresi doldu. Kasalarınızı tekrar yönetmek ve kilidini açmak için {0}'dan yenileyin.",
-  "licenseAlert.licenseExpired.user.description": "Cryptomator Hub lisansınızın süresi doldu. Lisansı yenilemek için lütfen bir Hub yöneticisini bilgilendirin.",
+  "licenseAlert.licenseExpired.admin.description": "Katta lisansınızın süresi doldu. Kasalarınızı tekrar yönetmek ve kilidini açmak için {0}'dan yenileyin.",
+  "licenseAlert.licenseExpired.user.description": "Katta lisansınızın süresi doldu. Lisansı yenilemek için lütfen bir Katta yöneticisini bilgilendirin.",
   "licenseAlert.button": "Yönetici Bölümü",
   "legacyDeviceList.description.information": "Daha fazla bilgi edin.",
   "legacyDeviceList.deviceName": "Cihaz Adı",
@@ -192,6 +266,9 @@
   "nav.profile.admin": "Yönetici",
   "nav.profile.auditlog": "Denetim Günlüğü",
   "nav.profile.signOut": "Çıkış yap",
+  "nav.authority": "Kullanıcılar ve gruplar",
+  "nav.groups": "Gruplar",
+  "nav.users": "Kullanıcılar",
   "nav.mobileMenu": "Ana menüyü aç",
   "reactivateVaultDialog.title": "Kasayı Yeniden Etkinleştir",
   "reactivateVaultDialog.description": "Uyarı: Bir kasanın yeniden etkinleştirilmesi mevcut koltuk sayısını etkileyebilir. Mevcut koltuk sayısı aşılırsa, tüm kasaların kilidinin açılması engellenecektir.",
@@ -215,17 +292,66 @@
   "resetUserAccountDialog.submit": "Hesabı Sıfırla",
   "userkeyFingerprint.title": "Kullanıcı Anahtarı Parmak İzi",
   "userkeyFingerprint.description": "Kullanıcı Anahtarı Parmak İziniz, kasa iznini güncellerken kimliğinizi doğrulamak için kullanılabilir.",
+  "users.title": "Kullanıcılar",
+  "user.detail.createdOn": "Oluşturuldu",
+  "user.detail.disable": "Devre dışı bırak",
+  "user.detail.devices": "Aygıtlar",
+  "user.detail.edit": "Düzenle",
+  "user.detail.enable": "Etkinleştir",
+  "user.detail.email": "Eposta",
+  "user.detail.groups": "Gruplar",
+  "user.detail.groups.join": "Katıl",
+  "user.detail.info": "Kullanıcı ayrıntıları",
+  "user.detail.name": "Ad",
+  "user.detail.roles": "Roller",
+  "user.detail.username": "Kullanıcı adı",
+  "user.addGroups.title": "Grup ekle",
+  "userEditCreate.title.create": "Yeni kullanıcı oluştur",
+  "userEditCreate.title.edit": "Kullanıcıyı düzenle",
+  "userEditCreate.button.create": "Kullanıcı oluştur",
+  "userEditCreate.button.save": "Kaydet",
+  "userEditCreate.button.saved": "Kaydedildi!",
+  "userEditCreate.firstName": "Adı",
+  "userEditCreate.lastName": "Soyadı",
+  "userEditCreate.username": "Kullanıcı adı",
+  "userEditCreate.email": "Eposta",
+  "userEditCreate.roles": "Roller",
+  "userEditCreate.password": "Parola",
+  "userEditCreate.passwordConfirm": "Şifreyi doğrula",
+  "userEditCreate.removePicture": "Görseli kaldır",
+  "userEditCreate.passwordStrong": "Güçlü",
+  "userEditCreate.passwordMedium": "Orta",
+  "userEditCreate.passwordWeak": "Zayıf",
+  "userEditCreate.passwordsMatch": "Şifreler uyuşuyor",
+  "userEditCreate.passwordsDontMatch": "Parolalar uyuşmuyor",
+  "userEditCreate.profilePictureUrl": "Profil görsel adresi",
+  "userEditCreate.showPassword": "Parolayı göster",
+  "userEditCreate.hidePassword": "Parolayı gizle",
+  "userEditCreate.invalidEmail": "Geçersiz e-posta biçimi",
+  "userEditCreate.invalidImageUrl": "Geçersiz görsel adresi",
+  "userEditCreate.validation.required": "Bu alan gereklidir",
+  "userEditCreate.validation.passwordMismatch": "Parolalar uyuşmuyor",
+  "userList.edit.user.button": "Düzenle",
+  "userList.userName": "Ad",
+  "userList.groups.count": "Gruplar",
+  "userList.device.count": "Aygıtlar",
+  "userList.vaults.count": "Kasalar",
+  "userList.user.created": "Oluşturuldu",
+  "userList.profileImage": "Profil görseli",
+  "userList.create.button": "Kullanıcı oluştur",
   "userProfile.title": "Profil",
   "userProfile.actions.manageAccount": "Hesabı Yönet",
   "userProfile.actions.changeLanguage": "Dili değiştir",
+  "userProfile.actions.changeLanguage.entry.browser": "Tarayıcı dili",
   "userProfile.keycloakVersion.notAvailable": "versiyon mevcut değil",
+  "unlock.noAccessVaultArchived.title": "Kasa arşivlendi",
   "unlockSuccess.title": "Kasa kilidi başarıyla açıldı",
-  "unlockSuccess.description": "Şimdi bu tarayıcı sekmesini kapatabilir ve Cryptomator'a dönebilirsiniz.",
+  "unlockSuccess.description": "Şimdi bu tarayıcı sekmesini kapatabilir ve Katta'a dönebilirsiniz.",
   "unlockSuccess.accountSetup.title": "Kurulum Gerekli",
   "unlockSuccess.accountSetup.description": "Hesabınızın kurulumunu tamamlayın ve hesap anahtarınızı alın.",
   "unlockSuccess.accountSetup.goToSetup": "Kurulumu Tamamla",
   "unlockSuccess.deviceSetup.title": "Yeni Cihaz",
-  "unlockSuccess.deviceSetup.description": "Yetkilendirmek için lütfen Cryptomator'a hesap anahtarınızı girin.",
+  "unlockSuccess.deviceSetup.description": "Yetkilendirmek için lütfen Katta'a hesap anahtarınızı girin.",
   "unlockSuccess.deviceSetup.goToProfile": "Hesap Anahtarını Profilimde Görüntüle",
   "unlockSuccess.noVaultAccess.title": "Bu Kasaya erişim yok",
   "unlockSuccess.noVaultAccess.description": "Sizi kasa üyesi olarak eklemek için lütfen kasa sahibiyle iletişime geçin.",
@@ -248,7 +374,7 @@
   "vaultDetails.actions.reactivateVault": "Kasayı Yeniden Etkinleştir",
   "vaultDetails.actions.claimOwnership": "Sahiplik Talep Et",
   "vaultDetails.actions.recoverVault": "Kasa Erişimini Kurtar",
-  "vaultDetails.error.licenseViolated": "Cryptomator Hub lisansınızın süresi doldu veya lisanslı koltuk sayısını aştınız. Lütfen bir Hub yöneticisine lisansı yenilemesini veya yükseltmesini bildirin.",
+  "vaultDetails.error.licenseViolated": "Katta lisansınızın süresi doldu veya lisanslı koltuk sayısını aştınız. Lütfen bir Katta yöneticisine lisansı yenilemesini veya yükseltmesini bildirin.",
   "vaultDetails.recoverVault.title": "Hesabınızı Sıfırladınız!",
   "vaultDetails.recoverVault.description": "Kasaya yeniden erişim kazanmak için kurtarma anahtarını kullanarak erişiminizi geri yüklemeniz veya başka bir sahibin erişim izinlerini güncellemesi gerekir.",
   "vaultList.title": "Kasalar",
@@ -267,5 +393,8 @@
   "vaultList.filter.result.empty.description": "Bu arama terimini veya filtreyi kullanan sonuç yok.",
   "vaultList.search.placeholder": "Arama…",
   "vaultList.badge.owner": "Sahip",
-  "vaultList.badge.archived": "Arşivlenmiş"
+  "vaultList.badge.archived": "Arşivlenmiş",
+  "userList.filter.result.empty.title": "Kullanıcı yok",
+  "groupList.empty.title": "Grup yok",
+  "groupList.filter.result.empty.title": "Grup yok"
 }
diff --git a/frontend/src/i18n/ug-CN.json b/frontend/src/i18n/ug-CN.json
index a89fc2913..61f40dfc2 100644
--- a/frontend/src/i18n/ug-CN.json
+++ b/frontend/src/i18n/ug-CN.json
@@ -16,6 +16,9 @@
   "deviceList.deviceName": "ئۈسكۈنە ئىسمى",
   "editVaultMetadataDialog.vaultName": "ئامبار ئىسمى",
   "legacyDeviceList.deviceName": "ئۈسكۈنە ئىسمى",
+  "userEditCreate.password": "پارول",
+  "userEditCreate.passwordStrong": "بىخەتەر",
+  "userEditCreate.passwordWeak": "ئاجىز",
   "unlockSuccess.deviceSetup.title": "يېڭى ئۈسكۈنە",
   "vaultDetails.actions.updatePermissions.reload": "قايتا يۈكلەش",
   "vaultDetails.actions.displayRecoveryKey": "ئەسلىگە كەلتۈرۈش ئاچقۇچىنى كۆرۈش",
diff --git a/frontend/src/i18n/uk-UA.json b/frontend/src/i18n/uk-UA.json
index 99f50b679..8f6b2e592 100644
--- a/frontend/src/i18n/uk-UA.json
+++ b/frontend/src/i18n/uk-UA.json
@@ -18,10 +18,16 @@
   "common.close": "Закрити",
   "common.copied": "Скопійовано!",
   "common.copy": "Копіювати",
+  "common.create": "Створити",
+  "common.device": "Пристрій",
   "common.download": "Завантажити",
+  "common.edit": "Редагувати",
   "common.hide": "Сховати",
+  "common.leave": "Вийти",
   "common.loading": "Завантаження…",
   "common.next": "Далі",
+  "common.none": "Немає",
+  "common.nothingFound": "Нічого не знайдено",
   "common.optional": "необов'язково",
   "common.pagination": "Навігація за сторінками",
   "common.previous": "Попередній",
@@ -30,6 +36,10 @@
   "common.remove": "Вилучити",
   "common.reset": "Скинути",
   "common.retry": "Повторити",
+  "common.save": "Зберегти",
+  "common.saved": "Збережено!",
+  "common.search.placeholder": "Пошук…",
+  "common.select.placeholder": "Вибрати…",
   "common.share": "Поділитися",
   "common.show": "Показати",
   "common.undo": "Скасувати",
@@ -37,16 +47,22 @@
   "common.unsavedChanges": "Незбережені зміни.",
   "common.update": "Оновити",
   "common.xMembers": "{0} Учасників",
+  "common.actions": "Дії",
+  "common.group": "Група",
+  "common.member": "Учасник",
+  "common.property": "Властивість",
+  "common.value": "Значення",
   "admin.title": "Адміністратор",
   "admin.serverInfo.title": "Інформація про сервер",
-  "admin.serverInfo.description": "Ідентифікатор Hub використовується для прив'язки вашого Cryptomator Hub до вашої ліцензії. Для отримання підтримки завжди вказуйте показані версії Hub та Keycloak.",
-  "admin.serverInfo.hubId.title": "Ідентифікатор Hub",
-  "admin.serverInfo.hubVersion.title": "Версія Hub",
-  "admin.serverInfo.hubVersion.description.upToDate": "Hub оновлений.",
+  "admin.serverInfo.description": "Ідентифікатор Katta використовується для прив'язки вашого Katta до вашої ліцензії. Для отримання підтримки завжди вказуйте показані версії Katta та Keycloak.",
+  "admin.serverInfo.hubId.title": "Ідентифікатор Katta",
+  "admin.serverInfo.hubVersion.title": "Версія Katta",
+  "admin.serverInfo.hubVersion.description.upToDate": "Katta оновлений.",
   "admin.serverInfo.hubVersion.description.updateExists": "Можливе оновлення до версії {0}.",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "Не вдається перевірити наявність оновлень. Будь ласка, перевірте вручну.",
   "admin.serverInfo.keycloakVersion.title": "Версія Keycloak",
   "admin.serverInfo.keycloakVersion.description": "Керувати Keycloak",
+  "admin.serverInfo.keycloakVersion.notAvailable": "недоступно",
   "admin.licenseInfo.title": "Інформація про ліцензію",
   "admin.licenseInfo.description": "Перевірте інформацію про вашу ліцензію. Якщо ви хочете внести зміни або перевірити статус вашої підписки, натисніть кнопку «Керувати підпискою».",
   "admin.licenseInfo.email.title": "Ліцензія належить",
@@ -61,8 +77,8 @@
   "admin.licenseInfo.manageSubscription": "Керувати підпискою",
   "admin.licenseInfo.type.title": "Тип",
   "admin.licenseInfo.getLicense": "Отримати ліцензію",
-  "admin.licenseInfo.selfHostedNoLicense.description": "Дякуємо за використання Cryptomator Hub! Вам надано ліцензію для спільноти. Якщо вам потрібно більше місць, оновіть свою ліцензію.",
-  "admin.licenseInfo.managedNoLicense.description": "Дякуємо за використання Cryptomator Hub! Наразі у вас немає активної ліцензії.",
+  "admin.licenseInfo.selfHostedNoLicense.description": "Дякуємо за використання Katta! Вам надано ліцензію для спільноти. Якщо вам потрібно більше місць, оновіть свою ліцензію.",
+  "admin.licenseInfo.managedNoLicense.description": "Дякуємо за використання Katta! Наразі у вас немає активної ліцензії.",
   "admin.webOfTrust.title": "Мережа довіри",
   "admin.webOfTrust.description": "Налаштуйте параметри Мережі довіри, щоб керувати тим, як встановлюється довіра між користувачами в системі. Ці налаштування впливають на перевірку ідентичності користувачів і підписів ключів.",
   "admin.webOfTrust.information": "Дізнатися більше.",
@@ -74,6 +90,27 @@
   "admin.webOfTrust.wotIdVerifyLen.description": "Скільки цифр відбитка іншого користувача потрібно ввести, щоб підтвердити його особу.",
   "admin.webOfTrust.save": "Зберегти",
   "admin.webOfTrust.saved": "Збережено!",
+  "admin.emergencyAccess.title": "Екстрений доступ",
+  "admin.emergencyAccess.description": "Налаштуйте розділення ключів для відновлення сховища.",
+  "admin.emergencyAccess.learnMore": "Дізнатися більше.",
+  "admin.emergencyAccess.noRedundancy.title": "Ваш поточний розподіл ключів не має надлишковості!",
+  "admin.emergencyAccess.noRedundancy.description": "Наполегливо рекомендуємо призначити більше власників ключів, ніж мінімально необхідна кількість ключів.",
+  "admin.emergencyAccess.enabled.label": "Увімкнено",
+  "admin.emergencyAccess.enabled.help": "Увімкнути екстрений доступ",
+  "admin.emergencyAccess.requiredKeys.label": "Необхідні ключі",
+  "admin.emergencyAccess.requiredKeys.ariaLabel": "Необхідна кількість часток ключа",
+  "admin.emergencyAccess.requiredKeys.help": "Скільки ключів потрібно для відновлення доступу до сховища.",
+  "admin.emergencyAccess.keyholders.label": "Власники ключів",
+  "admin.emergencyAccess.keyholders.minSelected": "Необхідно вибрати щонайменше {0} користувачів. Необхідна кількість була визначена вище.",
+  "admin.emergencyAccess.keyholders.help": "Хто повинен отримати ключ для екстреного доступу.",
+  "admin.emergencyAccess.allowChoosing.label": "Дозволити власникам сховищ вибирати різних власників ключів.",
+  "admin.emergencyAccess.allowChoosing.atLeast": "Щонайменше:",
+  "admin.emergencyAccess.minMembers.ariaLabel": "Мінімальна кількість користувачів",
+  "admin.emergencyAccess.example.help": "Приклад того, хто може спільно відновити сховище.",
+  "admin.emergencyAccess.validation.maxValue": "Максимальне значення: {0}.",
+  "admin.emergencyAccess.validation.minValue": "Мінімальне значення: {0}.",
+  "admin.emergencyAccess.validation.minMembersAtLeastRequiredShares": "Повинно бути більшим або дорівнювати необхідним часткам ключа.",
+  "admin.emergencyAccess.errors.sharesMustNotExceedMembers": "Необхідні частки ключа не повинні перевищувати мінімальну кількість користувачів.",
   "archiveVaultDialog.title": "Архівувати сховище",
   "archiveVaultDialog.description": "Архівування сховища робить його неактивним. Це може звільнити зайняте місце. Архівне сховище можна буде знову активувати пізніше.",
   "archiveVaultDialog.confirm": "Архівувати",
@@ -85,11 +122,18 @@
   "auditLog.filter.endDate": "Дата кінця",
   "auditLog.filter.selectEventFilter": "Вибрати фільтр подій",
   "auditLog.filter.clerEventFilter": "Очистити фільтр подій",
+  "auditLog.filter.removeEventType": "Вилучено {type}",
   "auditLog.timestamp": "Час",
   "auditLog.type": "Подія",
   "auditLog.details": "Докладно",
   "auditLog.details.device.register": "Зареєструвати пристрій",
   "auditLog.details.device.remove": "Вилучити пристрій",
+  "auditLog.details.emergencyaccess.setup": "Налаштовано екстрений доступ",
+  "auditLog.details.emergencyaccess.settingsUpdated": "Змінено параметри екстреного доступу",
+  "auditLog.details.emergencyaccess.recoveryStarted": "Розпочато відновлення екстреного доступу",
+  "auditLog.details.emergencyaccess.recoveryApproved": "Підтверджено відновлення екстреного доступу",
+  "auditLog.details.emergencyaccess.recoveryCompleted": "Завершено відновлення екстреного доступу",
+  "auditLog.details.emergencyaccess.recoveryAborted": "Скасовано відновлення екстреного доступу",
   "auditLog.details.setting.wot.update": "Оновити налаштування WoT",
   "auditLog.details.user.account.reset": "Скинути обліковий запис користувача",
   "auditLog.details.user.keys.change": "Зміна ключів користувача",
@@ -122,6 +166,9 @@
   "createVault.enterVaultDetails.description": "Введіть назву та опис для нового сховища. Ви зможете змінити їх пізніше.",
   "createVault.enterVaultDetails.vaultName": "Назва сховища",
   "createVault.enterVaultDetails.vaultDescription": "Опис",
+  "createVault.emergencyAccessDetails.title": "Визначте умови екстреного доступу",
+  "createVault.emergencyAccessDetails.description": "Виберіть членів ради для екстреного доступу.",
+  "createVault.emergencyAccessDetails.description.adminDefined": "Рада екстреного доступу визначена адміністратором і не може бути змінена тут.",
   "createVault.showRecoveryKey.title": "Ключ відновлення",
   "createVault.showRecoveryKey.description": "Зазначений ключ відновлення можна використати для відновлення доступу до сховища.",
   "createVault.showRecoveryKey.recoveryKey": "Ключ відновлення вашого сховища",
@@ -132,13 +179,22 @@
   "createVault.error.invalidRecoveryKey": "Ключ відновлення неправильний.",
   "createVault.error.vaultAlreadyExists": "Сховище з вказаною назвою вже існує.",
   "createVault.error.downloadTemplateFailed": "Завантаження шаблону сховища не вдалося: {0}",
-  "createVault.error.paymentRequired": "Ваша ліцензія Cryptomator Hub перевищила кількість доступних місць або термін її дії закінчився. Будь ласка, повідомте адміністратора Hub для оновлення або поновлення ліцензії.",
+  "createVault.error.paymentRequired": "Ваша ліцензія Katta перевищила кількість доступних місць або термін її дії закінчився. Будь ласка, повідомте адміністратора Katta для оновлення або поновлення ліцензії.",
   "createVault.success.title": "Сховище створено",
   "createVault.success.description": "Після завантаження заархівованого каталогу сховища розпакуйте її в будь-яке місце, яке є спільним для членів вашої команди.",
   "createVault.success.download": "Завантажити стиснену папку сховища",
   "createVault.success.return": "Повернутися до списку сховищ",
+  "deleteGroupDialog.title": "Видалити групу",
+  "deleteGroupDialog.description": "Ви впевнені, що хочете назавжди видалити цю групу? Вона буде видалена з усіх пов'язаних сховищ. Цю дію неможливо скасувати.",
+  "deleteGroupDialog.confirm": "Так, видалити групу",
+  "disableUserDialog.title": "Деактивувати користувача",
+  "disableUserDialog.description": "Цей користувач більше не зможе увійти в систему та не враховуватиметься в кількості зайнятих місць. Ви зможете знову активувати користувача в будь-який момент.",
+  "disableUserDialog.confirm": "Деактивувати користувача",
+  "deleteUserDialog.title": "Видалити обліковий запис",
+  "deleteUserDialog.description": "Ви впевнені, що хочете назавжди видалити цього користувача? Усі пов'язані сховища та пристрої будуть видалені. Цю дію неможливо скасувати.",
+  "deleteUserDialog.confirm": "Так, видалити користувача",
   "deviceList.empty.message": "Немає пристроїв",
-  "deviceList.empty.description": "Щоб додати пристрій, додайте сховище з цього Hub до програми Cryptomator на пристрої та розблокуйте його.",
+  "deviceList.empty.description": "Щоб додати пристрій, додайте сховище з цього Katta до програми Katta на пристрої та розблокуйте його.",
   "deviceList.title": "Дозволені пристрої та браузери",
   "deviceList.deviceName": "Назва пристрою",
   "deviceList.type": "Тип",
@@ -147,8 +203,89 @@
   "deviceList.ipAddress": "IP-адреса",
   "deviceList.lastAccess": "Останній доступ до сховища",
   "deviceList.lastAccess.toolTip": "Може бути відсутнім для пристроїв, до яких здійснюється доступ за допомогою старіших версій.",
+  "deviceType.browser": "Браузер",
+  "deviceType.desktop": "Комп'ютер",
+  "deviceType.mobile": "Мобільний пристрій",
   "downloadVaultTemplateDialog.title": "Завантажити шаблон сховища",
   "downloadVaultTemplateDialog.description": "Завантажте та розпакуйте заархівований шаблон сховища в будь-яке місце, яке є спільним для членів вашої команди. Це потрібно зробити лише один раз під час початкового налаштування.",
+  "emergencyAccess.requiredKeyShares": "Необхідна кількість часток ключа",
+  "emergencyAccess.processCouncil": "Обробити раду",
+  "emergencyAccess.status.added": "Додано",
+  "emergencyAccess.status.pending": "Очікується",
+  "emergencyAccess.startProcess": "Розпочати процес",
+  "emergencyAccess.notPossible": "Неможливо",
+  "emergencyAccess.vaultCouncil": "Рада сховища",
+  "emergencyAccess.noRedundancy": "Без надлишковості",
+  "emergencyAccess.label.councilMembers": "Члени ради",
+  "emergencyAccess.label.newCouncilMembers": "Нові члени ради",
+  "emergencyAccess.label.owners": "Власники",
+  "emergencyAccess.label.members": "Учасники",
+  "emergencyAccess.label.removed": "Вилучено",
+  "emergencyAccess.label.possibleScenario": "Можливий екстрений сценарій",
+  "emergencyAccess.label.exampleRecovery": "Приклад відновлення",
+  "emergencyAccess.validation.selectMoreCouncilMembers": "Виберіть ще принаймні {0} членів ради.",
+  "emergencyAccess.validation.minimumMembers": "Необхідно вибрати щонайменше {0} членів.",
+  "emergencyAccess.approval.waitingOthers": "Очікування інших підтверджень",
+  "emergencyAccess.approval.showDetails": "Показати подробиці",
+  "emergencyAccess.approval.completeNow": "Завершити зараз",
+  "emergencyAccess.approval.approveNow": "Затвердити зараз",
+  "emergencyAccess.processType.changePermissions": "Виберіть учасників сховища",
+  "emergencyAccess.processType.changeCouncil": "Змінити раду екстреного доступу",
+  "emergencyAccess.filter.all": "Усі",
+  "emergencyAccess.filter.approvable": "Можна підтвердити",
+  "emergencyAccess.filter.approved": "Підтверджені",
+  "emergencyAccess.filter.startable": "Можна розпочати",
+  "emergencyAccess.empty.disabled": "Екстрений доступ вимкнено.",
+  "emergencyAccess.empty.noneFound": "Не знайдено сховищ з екстреним доступом",
+  "emergencyAccess.licenseRequired.message": "Екстрений доступ доступний лише з платною ліцензією.",
+  "emergencyAccess.licenseRequired.adminHint": "Ви можете отримати її в розділі адміністратора.",
+  "emergencyAccess.badge.notCouncil.title": "Більше не є членом ради сховища",
+  "emergencyAccess.badge.notCouncil.message": "Ви більше не входите до складу чинної ради екстреного доступу до сховища. Проте ви все ще берете участь у запущеному процесі екстреного відновлення.",
+  "emergencyAccess.badge.insufficientCouncilMembers.title": "Недостатньо прав для екстреного доступу",
+  "emergencyAccess.badge.insufficientCouncilMembers.message": "Політика вашої команди вимагає наявності ради екстреного доступу щонайменше з {0} учасників. Наразі це сховище не відповідає цій вимозі.",
+  "emergencyAccess.badge.broken.title": "Екстрений доступ пошкоджено",
+  "emergencyAccess.badge.broken.message": "Екстрений доступ більше неможливий. Один або кілька членів ради скинули налаштування свого облікового запису та втратили свої частки ключа.",
+  "emergencyAccess.badge.noRedundancy.title": "Без надлишковості",
+  "emergencyAccess.badge.noRedundancy.message": "Ця рада екстреного доступу не має надлишковості. Радимо призначити склад ради з надлишковістю.",
+  "emergencyAccessDialog.message.completed": "Процес успішно завершено.",
+  "emergencyAccessDialog.label.selectOwner": "Виберіть користувача з роллю власника",
+  "emergencyAccessDialog.label.selectMember": "Виберіть користувача з роллю користувача",
+  "emergencyAccessDialog.label.councilMembersAtLeast": "Члени ради (Щонайменше: {0})",
+  "emergencyAccessDialog.section.ownership": "Власність",
+  "emergencyAccessDialog.section.councilChange": "Зміна ради",
+  "emergencyAccessDialog.hint.finishProcess": "Ви можете завершити цей процес екстреного доступу, додавши останню частину ключа та завершивши його.",
+  "emergencyAccessDialog.hint.keyShareAdded": "Вашу частку ключа вже додано.",
+  "emergencyAccessDialog.hint.notInCouncil": "Ви не є членом ради для цього процесу і не можете додати частку ключа.",
+  "emergencyAccessDialog.action.abortProcess": "Скасувати цей процес",
+  "emergencyAccessDialog.action.start": "Розпочати",
+  "emergencyAccessDialog.action.approve": "Затвердити",
+  "emergencyAccessDialog.action.completeProcess": "Завершити процес",
+  "emergencyAccessDialog.title.success": "Успішно",
+  "emergencyAccessDialog.title.changeCouncil": "Змінити раду",
+  "emergencyAccessDialog.title.changePermissions": "Змінити дозволи сховища",
+  "emergencyAccessDialog.title.processDetails": "Подробиці процесу",
+  "emergencyAccessDialog.title.approved": "Підтверджені",
+  "emergencyAccessDialog.title.approveEmergencyAccess": "Підтвердити екстрений доступ",
+  "emergencyAccessDialog.title.completeEmergencyAccess": "Завершити екстрений доступ",
+  "emergencyAccessDialog.error.insufficientCouncilMembers": "Невідповідність даних: Недостатня кількість членів ради ({0}) для відновлення цього сховища ({1}).",
+  "emergencyAccessDialog.error.noProcessToApprove": "Немає процесу відновлення для підтвердження.",
+  "emergencyAccessDialog.error.processTampered": "Процес відновлення був порушений.",
+  "emergencyAccessDialog.error.noProcessToComplete": "Немає процесу відновлення для завершення.",
+  "emergencyAccessDialog.error.unsupportedProcessType": "Непідтримуваний стан для типу процесу відновлення: {0}",
+  "grantEmergencyAccessDialog.title": "Надати екстрений доступ",
+  "grantEmergencyAccessDialog.description.selectCouncil": "Виберіть членів ради, яким буде надано екстрений доступ до цього сховища.",
+  "grantEmergencyAccessDialog.description.default": "Надати екстрений доступ до цього сховища.",
+  "grantEmergencyAccessDialog.grant": "Надати",
+  "grantEmergencyAccessDialog.error.keySharesRequired": "Необхідно принаймні 2 екстрені частки ключа.",
+  "grantEmergencyAccessDialog.error.councilMembersRequired": "Необхідно принаймні 2 члени ради.",
+  "grantEmergencyAccessDialog.error.tooFewCouncilMembers": "Занадто мало членів ради. Додайте більше або зменште необхідну кількість часток ключів екстреного доступу.",
+  "processAbortDialog.title": "Скасувати цей процес",
+  "processAbortDialog.description": "Ви впевнені, що хочете скасувати цей процес екстреного доступу? Цю дію неможливо скасувати.",
+  "processAbortDialog.confirm": "Скасувати процес",
+  "recoveryDialog.error.invalidRecoveryType": "Недійсний тип процесу відновлення.",
+  "recoveryDialog.error.processAlreadyExists": "Процес відновлення такого типу вже існує.",
+  "recoveryDialog.error.noOwnerSelected": "Виберіть щонайменше одного власника.",
+  "recoveryDialog.error.notEnoughCouncilMembers": "Не вибрано достатню кількість членів ради.",
   "editVaultMetadataDialog.title": "Редагувати метадані сховища",
   "editVaultMetadataDialog.description": "Оновити назву та опис сховища.",
   "editVaultMetadataDialog.vaultName": "Назва сховища",
@@ -158,6 +295,47 @@
   "grantPermissionDialog.title": "Надати дозвіл",
   "grantPermissionDialog.description": "Поділіться ключами сховища з нещодавно доданими користувачами.",
   "grantPermissionDialog.submit": "Надати дозвіл {0} користувачам",
+  "groups.title": "Групи",
+  "group.detail.info": "Подробиці групи",
+  "group.detail.members": "Учасники",
+  "group.detail.vaults": "Сховища",
+  "group.detail.edit": "Редагувати групу",
+  "group.detail.add.member": "Додати учасника",
+  "group.detail.name": "Назва",
+  "group.detail.createdOn": "Створено",
+  "group.detail.roles": "Ролі",
+  "groupList.name": "Назва",
+  "groupList.members.count": "Користувачі",
+  "groupList.edit.group.button": "Редагувати",
+  "groupList.search.placeholder": "Пошук…",
+  "groupList.groupImage": "Зображення групи",
+  "groupList.vaults.count": "Сховища",
+  "groupList.create.button": "Створити групу",
+  "groupList.group.created": "Створено",
+  "group.members.add": "Додати учасників",
+  "group.members.search.empty": "Нічого не знайдено",
+  "group.addMembers.title": "Додати учасників",
+  "group.addMembers.searchLabel": "Шукати за іменем користувача або повним ім'ям",
+  "group.addMembers.selectedUser": "Користувачів вибрано",
+  "group.member.remove.title": "Вилучити користувача з групи",
+  "group.member.remove.description": "Ви впевнені, що хочете вилучити цього користувача з групи?",
+  "group.member.remove.confirm": "Так, вилучити з групи",
+  "groupEditCreate.title.create": "Створити нову групу",
+  "groupEditCreate.title.edit": "Редагування групи",
+  "groupEditCreate.profileImage": "Зображення профілю",
+  "groupEditCreate.role": "Роль",
+  "groupEditCreate.removePicture": "Видалити зображення",
+  "groupEditCreate.addPicture": "Додати зображення",
+  "groupEditCreate.name": "Назва групи",
+  "groupEditCreate.roles": "Ролі",
+  "groupEditCreate.validation.required": "Це поле обов'язкове",
+  "groupEditCreate.roles.remove": "Вилучити ролі",
+  "groupEditCreate.roles.choose": "Виберіть ролі",
+  "groupEditCreate.roles.addMore": "Додати більше",
+  "groupEditCreate.invalidImageUrl": "Недійсна URL-адреса зображення",
+  "groupEditCreate.profilePictureUrl": "URL-адреса зображення профілю",
+  "groupEditCreate.selectRolesPlaceholder": "Виберіть ролі",
+  "groupEditCreate.error.groupNameAlreadyExists": "Група з такою назвою вже існує.",
   "trustDetails.trustLevel": "Рівень довіри {0}",
   "trustDetails.trustLevel.untrusted": "Не підтверджено",
   "trustDetails.showSignDialogBtn": "Перевірити особу...",
@@ -165,7 +343,7 @@
   "signUserKeysDialog.title": "Підтвердити особу {0}",
   "signUserKeysDialog.description": "Введіть перші {0} символи відбитка {1}, щоб підтвердити автентичність їхніх відкритих ключів. Відбиток можна знайти в профілі користувача.",
   "signUserKeysDialog.submit": "Підтвердити особу цього користувача",
-  "initialSetup.createUserKey.title": "Ласкаво просимо до Cryptomator Hub",
+  "initialSetup.createUserKey.title": "Ласкаво просимо до Katta",
   "initialSetup.createUserKey.description": "При першому вході в систему кожен користувач отримує унікальний ключ облікового запису:",
   "initialSetup.createUserKey.details.accountKey": "Ваш ключ облікового запису необхідний для входу з інших додатків або браузерів",
   "initialSetup.createUserKey.details.devicesList": "Ви можете переглянути список дозволених додатків на сторінці свого профілю",
@@ -181,19 +359,19 @@
   "initialSetup.recoverUserKey.lostAccountKey": "Загубили ключ облікового запису? {0}",
   "initialSetup.recoverUserKey.lostAccountKey.resetUserAccount": "Скинути мій обліковий запис",
   "initialSetup.setupAlreadyCompleted.title": "Налаштування вже завершено",
-  "initialSetup.setupAlreadyCompleted.description": "Ви вже завершили початкове налаштування Cryptomator Hub. Ваш ключ облікового запису можна знайти у профілі.",
+  "initialSetup.setupAlreadyCompleted.description": "Ви вже завершили початкове налаштування Katta. Ваш ключ облікового запису можна знайти у профілі.",
   "initialSetup.setupAlreadyCompleted.goToYourProfile": "Перейти до профілю",
   "initialSetup.accountKey": "Ключ облікового запису",
   "initialSetup.submit": "Завершити налаштування",
   "licenseAlert.noRemainingSeats.title": "Перевищено ліміт ліцензії",
-  "licenseAlert.noRemainingSeats.admin.description": "Ваш екземпляр Cryptomator Hub перевищив кількість ліцензованих місць. Оновіть його в {0}, щоб знову керувати та розблоковувати свої сховища.",
-  "licenseAlert.noRemainingSeats.user.description": "Ваш екземпляр Cryptomator Hub перевищив кількість ліцензованих місць. Будь ласка, повідомте адміністратора Hub про необхідність оновлення ліцензії.",
+  "licenseAlert.noRemainingSeats.admin.description": "Ваш екземпляр Katta перевищив кількість ліцензованих місць. Оновіть його в {0}, щоб знову керувати та розблоковувати свої сховища.",
+  "licenseAlert.noRemainingSeats.user.description": "Ваш екземпляр Katta перевищив кількість ліцензованих місць. Будь ласка, повідомте адміністратора Katta про необхідність оновлення ліцензії.",
   "licenseAlert.licenseExpired.title": "Термін дії ліцензії закінчився",
-  "licenseAlert.licenseExpired.admin.description": "Термін дії вашої ліцензії Cryptomator Hub минув. Поновіть її в {0}, щоб знову керувати та розблоковувати свої сховища.",
-  "licenseAlert.licenseExpired.user.description": "Термін дії вашої ліцензії Cryptomator Hub минув. Будь ласка, повідомте адміністратора Hub про необхідність поновлення ліцензії.",
+  "licenseAlert.licenseExpired.admin.description": "Термін дії вашої ліцензії Katta минув. Поновіть її в {0}, щоб знову керувати та розблоковувати свої сховища.",
+  "licenseAlert.licenseExpired.user.description": "Термін дії вашої ліцензії Katta минув. Будь ласка, повідомте адміністратора Katta про необхідність поновлення ліцензії.",
   "licenseAlert.button": "Розділ адміністратора",
   "legacyDeviceList.title": "Застарілі пристрої",
-  "legacyDeviceList.description": "Ці пристрої були створені за допомогою старішої версії Hub і потребують оновлення для розблокування сховищ у майбутніх версіях. Якщо вони вам більше не потрібні, будь ласка, видаліть їх. В іншому випадку, оновіть Cryptomator на відповідному пристрої. Наступне розблокування автоматично запустить оновлення.",
+  "legacyDeviceList.description": "Ці пристрої були створені за допомогою старішої версії Katta і потребують оновлення для розблокування сховищ у майбутніх версіях. Якщо вони вам більше не потрібні, будь ласка, видаліть їх. В іншому випадку, оновіть Katta на відповідному пристрої. Наступне розблокування автоматично запустить оновлення.",
   "legacyDeviceList.description.information": "Дізнатися більше.",
   "legacyDeviceList.deviceName": "Назва пристрою",
   "legacyDeviceList.type": "Тип",
@@ -202,15 +380,22 @@
   "legacyDeviceList.ipAddress": "IP-адреса",
   "legacyDeviceList.lastAccess": "Останній доступ до сховища",
   "legacyDeviceList.lastAccess.toolTip": "Може бути відсутнім для пристроїв, до яких здійснюється доступ за допомогою старіших версій.",
+  "legacyDeviceBanner.title": "Підтримку застарілих пристроїв буде припинено",
+  "legacyDeviceBanner.user.description": "Ваші застарілі пристрої більше не підтримуватимуться в наступному великому оновленні. Будь ласка, оновіть Cryptomator на цих пристроях або вилучіть їх.",
+  "legacyDeviceBanner.admin.description": "Один або кілька користувачів усе ще використовують застарілі пристрої. Підтримку застарілих пристроїв буде припинено в наступному великому оновленні. Будь ласка, попросіть відповідних користувачів оновити Cryptomator або вилучити їхні застарілі пристрої.",
   "manageAccountKey.title": "Ключ облікового запису",
   "manageAccountKey.description": "Ваш ключ облікового запису необхідний для входу з інших додатків або браузерів.",
   "manageAccountKey.regenerate": "Створити ключ заново",
   "nav.vaults": "Сховища",
+  "nav.emergencyAccess": "Екстрений доступ",
   "nav.profile.signedInAs": "Увійшли як",
   "nav.profile.profile": "Ваш профіль",
   "nav.profile.admin": "Адміністратор",
   "nav.profile.auditlog": "Журнали аудиту",
   "nav.profile.signOut": "Вийти",
+  "nav.authority": "Користувачі та групи",
+  "nav.groups": "Групи",
+  "nav.users": "Користувачі",
   "nav.mobileMenu": "Відкрити головне меню",
   "reactivateVaultDialog.title": "Повторно активувати сховище",
   "reactivateVaultDialog.description": "Увага: повторна активація сховища може вплинути на кількість доступних місць. Якщо кількість доступних місць буде перевищено, розблокування всіх сховищ буде заблоковано.",
@@ -234,17 +419,77 @@
   "resetUserAccountDialog.submit": "Скинути обліковий запис",
   "userkeyFingerprint.title": "Відбиток ключа користувача",
   "userkeyFingerprint.description": "Відбиток ключа користувача можна використовувати для підтвердження вашої особи під час оновлення дозволів сховища.",
+  "users.title": "Користувачі",
+  "user.detail.createdOn": "Створено",
+  "user.detail.disable": "Вимкнути",
+  "user.detail.disabled": "Деактивовано",
+  "user.detail.devices": "Пристрої",
+  "user.detail.edit": "Редагувати",
+  "user.detail.enable": "Увімкнути",
+  "user.detail.email": "Електронна пошта",
+  "user.detail.groups": "Групи",
+  "user.detail.groups.join": "Приєднатися",
+  "user.detail.info": "Подробиці користувача",
+  "user.detail.legacyDeviceList.info": "Ці пристрої були створені за допомогою старішої версії Hub і потребують оновлення, щоб розблокувати сховища в майбутніх версіях.",
+  "user.detail.name": "Назва",
+  "user.detail.roles": "Ролі",
+  "user.detail.username": "Ім'я користувача",
+  "user.addGroups.title": "Додати групи",
+  "user.addGroups.searchLabel": "Шукати за назвою групи",
+  "user.addGroups.selectedGroups": "Груп вибрано",
+  "userEditCreate.title.create": "Створити нового користувача",
+  "userEditCreate.title.edit": "Редагувати користувача",
+  "userEditCreate.button.create": "Створити користувача",
+  "userEditCreate.button.save": "Зберегти",
+  "userEditCreate.button.saved": "Збережено!",
+  "userEditCreate.firstName": "Ім’я",
+  "userEditCreate.lastName": "Прізвище",
+  "userEditCreate.username": "Ім'я користувача",
+  "userEditCreate.email": "Електронна пошта",
+  "userEditCreate.roles": "Ролі",
+  "userEditCreate.selectRolesPlaceholder": "Виберіть ролі",
+  "userEditCreate.password": "Пароль",
+  "userEditCreate.passwordConfirm": "Підтвердіть пароль",
+  "userEditCreate.create.passwordInfo": "Це тимчасовий пароль. Користувач повинен змінити його при першому вході.",
+  "userEditCreate.edit.passwordInfo": "Залиште поля для пароля порожніми, якщо не хочете скидати пароль користувача.",
+  "userEditCreate.removePicture": "Видалити зображення",
+  "userEditCreate.passwordStrong": "Надійний",
+  "userEditCreate.passwordMedium": "Помірний",
+  "userEditCreate.passwordWeak": "Слабкий",
+  "userEditCreate.passwordsMatch": "Паролі збігаються",
+  "userEditCreate.passwordsDontMatch": "Паролі не збігаються",
+  "userEditCreate.profilePictureUrl": "URL-адреса зображення профілю",
+  "userEditCreate.showPassword": "Показати пароль",
+  "userEditCreate.hidePassword": "Приховати пароль",
+  "userEditCreate.invalidEmail": "Неправильний формат електронної пошти",
+  "userEditCreate.invalidImageUrl": "Недійсна URL-адреса зображення",
+  "userEditCreate.validation.required": "Це поле обов'язкове",
+  "userEditCreate.validation.passwordMismatch": "Паролі не збігаються",
+  "userEditCreate.error.userAlreadyExists": "Користувач з таким іменем вже існує.",
+  "userEditCreate.error.emailAlreadyExists": "Користувач з цією електронною поштою вже існує.",
+  "userList.edit.user.button": "Редагувати",
+  "userList.userName": "Назва",
+  "userList.groups.count": "Групи",
+  "userList.device.count": "Пристрої",
+  "userList.vaults.count": "Сховища",
+  "userList.user.created": "Створено",
+  "userList.profileImage": "Зображення профілю",
+  "userList.create.button": "Створити користувача",
+  "userList.disabled": "Деактивовано",
   "userProfile.title": "Профіль",
   "userProfile.actions.manageAccount": "Керувати обліковим записом",
   "userProfile.actions.changeLanguage": "Змінити мову",
   "userProfile.actions.changeLanguage.entry.browser": "Мова браузера",
+  "userProfile.keycloakVersion.notAvailable": "версія недоступна",
+  "unlock.noAccessVaultArchived.title": "Сховище заархівовано",
+  "unlock.noAccessVaultArchived.description": "Це сховище було заархівовано і більше не доступне. Зверніться до власника сховища.",
   "unlockSuccess.title": "Сховище успішно розблоковано",
-  "unlockSuccess.description": "Тепер ви можете закрити цю вкладку браузера і повернутися до Cryptomator.",
+  "unlockSuccess.description": "Тепер ви можете закрити цю вкладку браузера і повернутися до Katta.",
   "unlockSuccess.accountSetup.title": "Необхідне налаштування",
   "unlockSuccess.accountSetup.description": "Завершіть налаштування свого облікового запису та отримайте ключ облікового запису.",
   "unlockSuccess.accountSetup.goToSetup": "Завершити налаштування",
   "unlockSuccess.deviceSetup.title": "Новий пристрій",
-  "unlockSuccess.deviceSetup.description": "Будь ласка, введіть ключ облікового запису в Cryptomator, щоб авторизувати його.",
+  "unlockSuccess.deviceSetup.description": "Будь ласка, введіть ключ облікового запису в Katta, щоб авторизувати його.",
   "unlockSuccess.deviceSetup.goToProfile": "Переглянути ключ облікового запису у моєму профілі",
   "unlockSuccess.noVaultAccess.title": "Немає доступу до цього сховища",
   "unlockSuccess.noVaultAccess.description": "Будь ласка, зв’яжіться з власником сховища, щоб він додав вас як учасника.",
@@ -267,7 +512,9 @@
   "vaultDetails.actions.reactivateVault": "Повторно активувати сховище",
   "vaultDetails.actions.claimOwnership": "Заявити право власності",
   "vaultDetails.actions.recoverVault": "Відновити доступ до сховища",
-  "vaultDetails.error.licenseViolated": "Термін дії вашої ліцензії Cryptomator Hub минув або ви перевищили кількість ліцензованих місць. Будь ласка, повідомте адміністратора Hub для поновлення або оновлення ліцензії.",
+  "vaultDetails.emergencyAccess.setupCouncil": "Налаштувати раду екстреного доступу",
+  "vaultDetails.emergencyAccess.fixCouncil": "Виправити раду екстреного доступу",
+  "vaultDetails.error.licenseViolated": "Термін дії вашої ліцензії Katta минув або ви перевищили кількість ліцензованих місць. Будь ласка, повідомте адміністратора Katta для поновлення або оновлення ліцензії.",
   "vaultDetails.recoverVault.title": "Ви скинули свій обліковий запис!",
   "vaultDetails.recoverVault.description": "Щоб відновити доступ до сховища, ви повинні використати ключ відновлення або ж інший власник має оновити дозволи на доступ.",
   "vaultList.title": "Сховища",
@@ -286,5 +533,15 @@
   "vaultList.filter.result.empty.description": "Не знайдено результатів за цим пошуковим запитом або фільтром.",
   "vaultList.search.placeholder": "Пошук…",
   "vaultList.badge.owner": "Власник",
-  "vaultList.badge.archived": "Заархівовано"
+  "vaultList.badge.archived": "Заархівовано",
+  "userList.filter.result.empty.title": "Немає користувачів",
+  "userList.filter.result.empty.description": "Не знайдено результатів за цим пошуковим запитом.",
+  "groupList.empty.title": "Немає груп",
+  "groupList.empty.description": "Ви не володієте і не є учасником жодної групи.",
+  "groupList.filter.result.empty.title": "Немає груп",
+  "groupList.filter.result.empty.description": "Не знайдено результатів за цим пошуковим запитом.",
+  "missingEntitlements.title": "Необхідне оновлення",
+  "missingEntitlements.description": "Ця функція не входить до вашої поточної ліцензії.",
+  "trial.enterpriseFeature.title": "Корпоративні особливості",
+  "trial.enterpriseFeature.description": "Ця функція доступна на постійній основі тільки з Корпоративною ліцензією."
 }
diff --git a/frontend/src/i18n/vi-VN.json b/frontend/src/i18n/vi-VN.json
index 5db186971..a402c1963 100644
--- a/frontend/src/i18n/vi-VN.json
+++ b/frontend/src/i18n/vi-VN.json
@@ -5,7 +5,9 @@
   "common.close": "Đóng",
   "common.copied": "Đã sao chép!",
   "common.copy": "Sao chép",
+  "common.create": "Tạo",
   "common.download": "Tải xuống",
+  "common.edit": "Chỉnh sửa",
   "common.hide": "Ẩn",
   "common.loading": "Đang tải…",
   "common.next": "Tiếp",
@@ -17,6 +19,7 @@
   "common.remove": "Xóa",
   "common.reset": "Đặt lại",
   "common.retry": "Thử lại",
+  "common.save": "Lưu",
   "common.share": "Chia sẻ",
   "common.show": "Hiện",
   "common.unexpectedError": "Lỗi không mong đợi: {0}",
@@ -24,14 +27,15 @@
   "common.xMembers": "{0} thành viên",
   "admin.title": "Quản trị viên",
   "admin.serverInfo.title": "Thông tin máy chủ",
-  "admin.serverInfo.description": "Hub ID được sử dụng để nhận diện phiên bản Cryptomator Hub của bạn cho mục đích cấp phép. Khi cần hỗ trợ, vui lòng luôn cung cấp thông tin phiên bản Hub và Keycloak đang hiển thị.",
-  "admin.serverInfo.hubId.title": "Hub ID",
-  "admin.serverInfo.hubVersion.title": "Phiên bản Hub",
-  "admin.serverInfo.hubVersion.description.upToDate": "Hub đã ở phiên bản mới nhất.",
+  "admin.serverInfo.description": "Katta ID được sử dụng để nhận diện phiên bản Katta của bạn cho mục đích cấp phép. Khi cần hỗ trợ, vui lòng luôn cung cấp thông tin phiên bản Katta và Keycloak đang hiển thị.",
+  "admin.serverInfo.hubId.title": "Katta ID",
+  "admin.serverInfo.hubVersion.title": "Phiên bản Katta",
+  "admin.serverInfo.hubVersion.description.upToDate": "Katta đã ở phiên bản mới nhất.",
   "admin.serverInfo.hubVersion.description.updateExists": "Có thể cập nhật lên phiên bản {0}.",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "Không thể kiểm tra cập nhật. Vui lòng kiểm tra thủ công.",
   "admin.webOfTrust.information": "Tìm hiểu thêm.",
   "admin.webOfTrust.save": "Lưu",
+  "admin.emergencyAccess.learnMore": "Tìm hiểu thêm.",
   "auditLog.filter": "Lọc",
   "auditLog.details": "Chi tiết",
   "auditLog.details.vault.create": "Tạo Vault",
@@ -41,10 +45,24 @@
   "createVault.showRecoveryKey.submit": "Tạo Vault",
   "deviceList.deviceName": "Tên thiết bị",
   "editVaultMetadataDialog.vaultName": "Tên Vault",
+  "group.detail.vaults": "Danh sách Vault",
+  "groupList.edit.group.button": "Chỉnh sửa",
+  "groupList.vaults.count": "Danh sách Vault",
   "legacyDeviceList.description.information": "Tìm hiểu thêm.",
   "legacyDeviceList.deviceName": "Tên thiết bị",
   "nav.vaults": "Danh sách Vault",
   "nav.profile.admin": "Quản trị viên",
+  "user.detail.disable": "Tắt",
+  "user.detail.edit": "Chỉnh sửa",
+  "user.detail.enable": "Bật",
+  "user.detail.username": "Tên đăng nhập",
+  "userEditCreate.button.save": "Lưu",
+  "userEditCreate.username": "Tên đăng nhập",
+  "userEditCreate.password": "Mật khẩu",
+  "userEditCreate.passwordStrong": "Mạnh",
+  "userEditCreate.passwordWeak": "Yếu",
+  "userList.edit.user.button": "Chỉnh sửa",
+  "userList.vaults.count": "Danh sách Vault",
   "unlockSuccess.deviceSetup.title": "Thiết bị mới",
   "vaultDetails.actions.updatePermissions.reload": "Tải lại",
   "vaultDetails.actions.displayRecoveryKey": "Hiển thị Khóa Khôi Phục",
diff --git a/frontend/src/i18n/zh-CN.json b/frontend/src/i18n/zh-CN.json
index 42ead04b3..4cd4c9031 100644
--- a/frontend/src/i18n/zh-CN.json
+++ b/frontend/src/i18n/zh-CN.json
@@ -1,31 +1,67 @@
 {
   "locale.en-US": "英语",
+  "locale.de-DE": "德语",
+  "locale.fr-FR": "法语",
+  "locale.it-IT": "意大利语",
+  "locale.ko-KR": "韩语",
+  "locale.lv-LV": "拉脱维亚语",
+  "locale.nl-NL": "荷兰语",
+  "locale.pt-BR": "葡萄牙语 (巴西)",
+  "locale.pt-PT": "葡萄牙语",
+  "locale.ru-RU": "俄语",
+  "locale.tr-TR": "土耳其语",
+  "locale.uk-UA": "乌克兰语",
+  "locale.zh-TW": "繁体中文",
   "common.add": "添加",
   "common.apply": "应用",
   "common.cancel": "取消",
   "common.close": "关闭",
   "common.copied": "已复制！",
   "common.copy": "复制",
+  "common.create": "新建",
+  "common.device": "设备",
   "common.download": "下载",
+  "common.edit": "编辑",
   "common.hide": "隐藏",
+  "common.leave": "离开",
   "common.loading": "正在加载…",
   "common.next": "下一步",
+  "common.none": "无",
+  "common.nothingFound": "未找到任何内容",
   "common.optional": "可选",
+  "common.pagination": "分页",
   "common.previous": "上一个",
   "common.refresh": "刷新",
   "common.reload": "请刷新页面",
   "common.remove": "删除",
   "common.reset": "重置",
   "common.retry": "重试",
+  "common.save": "保存",
+  "common.saved": "已保存！",
+  "common.search.placeholder": "搜索…",
+  "common.select.placeholder": "选择…",
   "common.share": "分享",
   "common.show": "显示",
+  "common.undo": "撤销",
   "common.unexpectedError": "意外错误：{0}",
+  "common.unsavedChanges": "未保存的更改。",
   "common.update": "更新",
+  "common.xMembers": "{0} 个成员",
+  "common.actions": "操作",
+  "common.group": "群组",
+  "common.member": "成员",
+  "common.property": "属性",
+  "common.value": "数值",
+  "admin.title": "管理员",
   "admin.serverInfo.title": "服务器信息",
-  "admin.serverInfo.hubVersion.title": "Hub 版本",
-  "admin.serverInfo.hubVersion.description.upToDate": "Hub 已是最新版",
+  "admin.serverInfo.hubVersion.title": "Katta 版本",
+  "admin.serverInfo.hubVersion.description.upToDate": "Katta 已是最新版",
   "admin.serverInfo.hubVersion.description.updateExists": "可更新到版本 {0}",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "无法检查更新。请手动检查。",
+  "admin.serverInfo.keycloakVersion.title": "Keycloak 版本",
+  "admin.serverInfo.keycloakVersion.description": "管理 Keycloak",
+  "admin.serverInfo.keycloakVersion.notAvailable": "不可用",
+  "admin.licenseInfo.title": "许可证信息",
   "admin.licenseInfo.seats.title": "席位数量",
   "admin.licenseInfo.expiresAt.description.valid": "许可证有效。",
   "admin.licenseInfo.expiresAt.description.expired": "许可证已被弃用。",
@@ -38,6 +74,7 @@
   "admin.webOfTrust.wotIdVerifyLen.description": "需要输入对方指纹的多少位数字来验证其身份。",
   "admin.webOfTrust.save": "保存",
   "admin.webOfTrust.saved": "已保存！",
+  "admin.emergencyAccess.learnMore": "了解更多。",
   "auditLog.filter": "筛选",
   "auditLog.filter.clerEventFilter": "清除事件筛选器",
   "auditLog.details": "详情",
@@ -49,14 +86,35 @@
   "deviceList.deviceName": "设备名称",
   "deviceList.type": "类型",
   "editVaultMetadataDialog.vaultName": "保险库名称",
+  "group.detail.vaults": "保险库",
+  "group.detail.name": "名称",
+  "groupList.name": "名称",
+  "groupList.edit.group.button": "编辑",
+  "groupList.vaults.count": "保险库",
+  "group.members.search.empty": "未找到任何内容",
   "initialSetup.accountKey": "账户密钥",
   "legacyDeviceList.description.information": "了解更多。",
   "legacyDeviceList.deviceName": "设备名称",
   "legacyDeviceList.type": "类型",
   "manageAccountKey.title": "账户密钥",
   "nav.vaults": "保险库",
+  "nav.profile.admin": "管理员",
   "recoverVaultDialog.error.invalidRecoveryKey": "无效的恢复密钥",
   "regenerateAccountKeyDialog.saveAccountKey.accountKey": "账户密钥",
+  "user.detail.disable": "关闭",
+  "user.detail.edit": "编辑",
+  "user.detail.enable": "启用",
+  "user.detail.name": "名称",
+  "user.detail.username": "用户名",
+  "userEditCreate.button.save": "保存",
+  "userEditCreate.button.saved": "已保存！",
+  "userEditCreate.username": "用户名",
+  "userEditCreate.password": "密码",
+  "userEditCreate.passwordStrong": "强",
+  "userEditCreate.passwordWeak": "弱",
+  "userList.edit.user.button": "编辑",
+  "userList.userName": "名称",
+  "userList.vaults.count": "保险库",
   "unlockSuccess.deviceSetup.title": "新设备",
   "vaultDetails.actions.updatePermissions.reload": "重新加载",
   "vaultDetails.actions.displayRecoveryKey": "显示恢复密钥",
diff --git a/frontend/src/i18n/zh-HK.json b/frontend/src/i18n/zh-HK.json
index 7aa1c3c1e..d158efef5 100644
--- a/frontend/src/i18n/zh-HK.json
+++ b/frontend/src/i18n/zh-HK.json
@@ -5,18 +5,22 @@
   "common.close": "關閉",
   "common.copied": "已複製！",
   "common.copy": "複製",
+  "common.create": "新增",
   "common.download": "下載",
+  "common.edit": "編輯",
   "common.next": "繼續",
   "common.previous": "返回",
   "common.refresh": "重新整理",
   "common.remove": "移除",
   "common.reset": "重設",
   "common.retry": "重試",
+  "common.save": "儲存",
   "common.share": "分享",
   "common.show": "顯示",
   "admin.licenseInfo.manageSubscription": "管理訂閱",
   "admin.webOfTrust.information": "了解更多。",
   "admin.webOfTrust.save": "儲存",
+  "admin.emergencyAccess.learnMore": "了解更多。",
   "auditLog.filter": "過濾",
   "auditLog.details": "詳情",
   "auditLog.details.vault.create": "建立加密庫",
@@ -26,9 +30,23 @@
   "createVault.showRecoveryKey.submit": "建立加密庫",
   "deviceList.deviceName": "設備名稱",
   "editVaultMetadataDialog.vaultName": "加密庫名稱",
+  "group.detail.vaults": "加密庫",
+  "groupList.edit.group.button": "編輯",
+  "groupList.vaults.count": "加密庫",
   "legacyDeviceList.description.information": "了解更多。",
   "legacyDeviceList.deviceName": "設備名稱",
   "nav.vaults": "加密庫",
+  "user.detail.disable": "停用",
+  "user.detail.edit": "編輯",
+  "user.detail.enable": "啟用",
+  "user.detail.username": "使用者名稱",
+  "userEditCreate.button.save": "儲存",
+  "userEditCreate.username": "使用者名稱",
+  "userEditCreate.password": "密碼",
+  "userEditCreate.passwordStrong": "強",
+  "userEditCreate.passwordWeak": "弱",
+  "userList.edit.user.button": "編輯",
+  "userList.vaults.count": "加密庫",
   "unlockSuccess.deviceSetup.title": "新裝置",
   "vaultDetails.actions.updatePermissions.reload": "重新載入",
   "vaultDetails.actions.displayRecoveryKey": "顯示恢復金鑰",
diff --git a/frontend/src/i18n/zh-TW.json b/frontend/src/i18n/zh-TW.json
index 4abacf598..7d8b3c49e 100644
--- a/frontend/src/i18n/zh-TW.json
+++ b/frontend/src/i18n/zh-TW.json
@@ -18,10 +18,16 @@
   "common.close": "關閉",
   "common.copied": "已複製！",
   "common.copy": "複製",
+  "common.create": "建立",
+  "common.device": "設備",
   "common.download": "下載",
+  "common.edit": "編輯",
   "common.hide": "隱藏",
+  "common.leave": "離開",
   "common.loading": "載入中…",
   "common.next": "繼續",
+  "common.none": "無",
+  "common.nothingFound": "沒有找到任何東西",
   "common.optional": "選擇性的",
   "common.pagination": "分頁",
   "common.previous": "上一個",
@@ -30,6 +36,10 @@
   "common.remove": "移除",
   "common.reset": "重設",
   "common.retry": "重試",
+  "common.save": "儲存",
+  "common.saved": "已儲存！",
+  "common.search.placeholder": "搜尋...",
+  "common.select.placeholder": "選擇…",
   "common.share": "分享",
   "common.show": "顯示",
   "common.undo": "復原",
@@ -37,16 +47,22 @@
   "common.unsavedChanges": "有尚未儲存的變更。",
   "common.update": "更新",
   "common.xMembers": "{0} 位成員",
+  "common.actions": "操作",
+  "common.group": "群組",
+  "common.member": "成員",
+  "common.property": "屬性",
+  "common.value": "值",
   "admin.title": "管理員",
   "admin.serverInfo.title": "伺服器資訊",
-  "admin.serverInfo.description": "Hub ID 用來辨識您的 Cryptomator Hub 授權實例。如需支援，請務必說明顯示的 Hub 和 Keycloak 版本。",
-  "admin.serverInfo.hubId.title": "Hub ID",
-  "admin.serverInfo.hubVersion.title": "Hub 版本",
-  "admin.serverInfo.hubVersion.description.upToDate": "Hub 是最新版本。",
+  "admin.serverInfo.description": "Katta ID 用來辨識您的 Katta 授權實例。如需支援，請務必說明顯示的 Katta 和 Keycloak 版本。",
+  "admin.serverInfo.hubId.title": "Katta ID",
+  "admin.serverInfo.hubVersion.title": "Katta 版本",
+  "admin.serverInfo.hubVersion.description.upToDate": "Katta 是最新版本。",
   "admin.serverInfo.hubVersion.description.updateExists": "可更新到版本 {0}。",
   "admin.serverInfo.hubVersion.description.fetchingUpdatesFailed": "無法檢查更新。請手動檢查。",
   "admin.serverInfo.keycloakVersion.title": "Keycloak 版本",
   "admin.serverInfo.keycloakVersion.description": "管理 Keycloak",
+  "admin.serverInfo.keycloakVersion.notAvailable": "不可用",
   "admin.licenseInfo.title": "授權訊息",
   "admin.licenseInfo.description": "驗證您的授權資訊。如果您需要更改或查看訂閱資訊，請點擊「管理訂閱」。",
   "admin.licenseInfo.email.title": "授權給",
@@ -61,15 +77,40 @@
   "admin.licenseInfo.manageSubscription": "管理訂閱",
   "admin.licenseInfo.type.title": "類別",
   "admin.licenseInfo.getLicense": "取得授權",
-  "admin.licenseInfo.selfHostedNoLicense.description": "感謝您使用 Cryptomator Hub！ 您已獲得社群版授權。如果您需要更多授權數量，請升級您的授權。",
-  "admin.licenseInfo.managedNoLicense.description": "感謝您使用 Cryptomator Hub！ 您目前沒有已啟用的授權。",
+  "admin.licenseInfo.selfHostedNoLicense.description": "感謝您使用 Katta！ 您已獲得社群版授權。如果您需要更多授權數量，請升級您的授權。",
+  "admin.licenseInfo.managedNoLicense.description": "感謝您使用 Katta！ 您目前沒有已啟用的授權。",
   "admin.webOfTrust.title": "信任網絡",
+  "admin.webOfTrust.description": "調整信任網路 (WoT) 設定，以管理系統中使用者之間信任關係的建立方式。這些設定將影響使用者身份驗證與金鑰簽署的驗證流程。",
   "admin.webOfTrust.information": "了解更多。",
+  "admin.webOfTrust.wotMaxDepth.error": "最大 WoT 深度必須介於 0 與 9 之間。",
+  "admin.webOfTrust.wotMaxDepth.title": "最大 WoT 深度",
+  "admin.webOfTrust.wotMaxDepth.description": "兩位使用者之間的最大距離，因此間接的相識關係仍被視為可信賴（假設中間身份已通過驗證）。",
   "admin.webOfTrust.wotIdVerifyLen.error": "指紋驗證的精確度必須是正面的。",
   "admin.webOfTrust.wotIdVerifyLen.title": "指紋驗證精確度",
+  "admin.webOfTrust.wotIdVerifyLen.description": "驗證其他用戶身份時，需要輸入多少位數的指紋。",
   "admin.webOfTrust.save": "儲存",
   "admin.webOfTrust.saved": "已儲存！",
+  "admin.emergencyAccess.title": "緊急存取",
+  "admin.emergencyAccess.description": "設定加密檔案庫復原的金鑰分割功能。",
+  "admin.emergencyAccess.learnMore": "了解更多。",
+  "admin.emergencyAccess.noRedundancy.title": "您目前的金鑰分割沒有冗餘性！",
+  "admin.emergencyAccess.noRedundancy.description": "強烈建議設定的鑰匙持有者數量應多於所需鑰匙數量。",
+  "admin.emergencyAccess.enabled.label": "已啟用",
+  "admin.emergencyAccess.enabled.help": "啟用緊急存取",
+  "admin.emergencyAccess.requiredKeys.label": "所需密鑰",
+  "admin.emergencyAccess.requiredKeys.ariaLabel": "必需的密鑰份數",
+  "admin.emergencyAccess.requiredKeys.help": "需要多少把鑰匙才能恢復對加密檔案庫的存取權限。",
+  "admin.emergencyAccess.keyholders.label": "鑰匙保管人",
+  "admin.emergencyAccess.keyholders.minSelected": "至少需選擇 {0} 位成員。需要的成員數量定義在上方。",
+  "admin.emergencyAccess.keyholders.help": "誰可以取得緊急存取金鑰。",
+  "admin.emergencyAccess.allowChoosing.label": "讓加密檔案庫擁有者選擇不同的鑰匙保管人。",
+  "admin.emergencyAccess.allowChoosing.atLeast": "至少：",
+  "admin.emergencyAccess.minMembers.ariaLabel": "最小成員數量",
+  "admin.emergencyAccess.example.help": "可共同復原加密檔案庫的對象範例。",
+  "admin.emergencyAccess.validation.maxValue": "最大值是 {0} 。",
+  "admin.emergencyAccess.validation.minValue": "最小值是 {0} 。",
   "archiveVaultDialog.title": "封存加密檔案庫",
+  "archiveVaultDialog.description": "將加密檔案庫歸檔會使其處於非活動狀態。此操作可能釋放已佔用的授權數量。歸檔後的加密檔案庫可於日後重新啟用。",
   "archiveVaultDialog.confirm": "封存",
   "auditLog.title": "稽核日誌",
   "auditLog.order.ascending": "升冪排列",
@@ -84,6 +125,12 @@
   "auditLog.details": "詳情",
   "auditLog.details.device.register": "註冊設備",
   "auditLog.details.device.remove": "移除設備",
+  "auditLog.details.emergencyaccess.setup": "設定緊急存取",
+  "auditLog.details.emergencyaccess.settingsUpdated": "緊急存取設定已更新",
+  "auditLog.details.emergencyaccess.recoveryStarted": "緊急存取復原開始",
+  "auditLog.details.emergencyaccess.recoveryApproved": "緊急存取復原已核准",
+  "auditLog.details.emergencyaccess.recoveryCompleted": "緊急存取復原完成",
+  "auditLog.details.emergencyaccess.recoveryAborted": "緊急存取復原取消",
   "auditLog.details.setting.wot.update": "更改信任網絡設定",
   "auditLog.details.user.account.reset": "重設使用者帳號",
   "auditLog.details.user.keys.change": "更改使用者金鑰",
@@ -96,10 +143,13 @@
   "auditLog.details.vaultMember.remove": "移除加密檔案庫成員",
   "auditLog.details.vaultMember.update": "管理加密檔案庫成員",
   "auditLog.details.vaultOwnership.claim": "主張加密檔案庫的所有權",
+  "auditLog.details.wot.signedIdentity": "簽署身份",
   "auditLog.pagination.showing": "顯示項目{0}至{1}",
   "auditLog.paymentRequired.message": "需要授權",
+  "auditLog.paymentRequired.description": "稽核記錄僅限付費授權版本使用。您可在管理員區段取得授權。",
   "auditLog.paymentRequired.openAdminSection": "開啟管理區塊",
   "claimVaultOwnershipDialog.title": "主張加密檔案庫的所有權",
+  "claimVaultOwnershipDialog.description": "請輸入加密檔案庫管理員密碼，以證明您具備權限。",
   "claimVaultOwnershipDialog.password": "加密檔案庫管理員密碼",
   "claimVaultOwnershipDialog.submit": "主張所有權",
   "claimVaultOwnershipDialog.error.formValidationFailed": "密碼不可留空",
@@ -113,6 +163,9 @@
   "createVault.enterVaultDetails.description": "輸入您新的加密檔案庫的名稱與描述。您之後可以更改。",
   "createVault.enterVaultDetails.vaultName": "加密檔案庫名稱",
   "createVault.enterVaultDetails.vaultDescription": "詳細資訊",
+  "createVault.emergencyAccessDetails.title": "定義緊急存取情況",
+  "createVault.emergencyAccessDetails.description": "為緊急存取指定可進入的人員。",
+  "createVault.emergencyAccessDetails.description.adminDefined": "緊急存取指定人員由管理者定義，沒有辦法在這裡變更。",
   "createVault.showRecoveryKey.title": "復原金鑰",
   "createVault.showRecoveryKey.description": "下列復原金鑰可用於恢復加密檔案庫的存取權限。",
   "createVault.showRecoveryKey.recoveryKey": "您的加密檔案庫的復原金鑰",
@@ -123,13 +176,19 @@
   "createVault.error.invalidRecoveryKey": "復原金鑰無效。",
   "createVault.error.vaultAlreadyExists": "加密檔案庫名稱已經存在。",
   "createVault.error.downloadTemplateFailed": "下載加密檔案庫範本失敗：{0}",
-  "createVault.error.paymentRequired": "您的 Cryptomator Hub 實例已經超出許可的授權數量或已經過期。請通知 Hub 管理員升級或續訂授權。",
+  "createVault.error.paymentRequired": "您的 Katta 實例已經超出許可的授權數量或已經過期。請通知 Katta 管理員升級或續訂授權。",
   "createVault.success.title": "加密檔案庫已建立",
   "createVault.success.description": "下載壓縮的加密檔案庫資料夾後，將其解壓縮至與團隊成員共用的任何位置。",
   "createVault.success.download": "下載壓縮的加密檔案庫資料夾",
   "createVault.success.return": "回到加密檔案庫列表",
+  "deleteGroupDialog.title": "刪除群組",
+  "deleteGroupDialog.description": "您確定要永久刪除這個群組嗎？這麼做將會移除所有相關的加密檔案庫，這個動作無法還原。",
+  "deleteGroupDialog.confirm": "是，刪除群組",
+  "deleteUserDialog.title": "刪除使用者帳號",
+  "deleteUserDialog.description": "您確定要永久刪除這個使用者嗎？這麼做將會移除所有相關的加密檔案庫和裝置，這個動作無法還原。",
+  "deleteUserDialog.confirm": "是的，刪除使用者",
   "deviceList.empty.message": "沒有裝置",
-  "deviceList.empty.description": "若要新增裝置，請從此 Hub 新增加密檔案庫至裝置的 Cryptomator 應用程式，並解除鎖定。",
+  "deviceList.empty.description": "若要新增裝置，請從此 Katta 新增加密檔案庫至裝置的 Katta 應用程式，並解除鎖定。",
   "deviceList.title": "已授權的裝置和瀏覽器",
   "deviceList.deviceName": "設備名稱",
   "deviceList.type": "類別",
@@ -138,8 +197,49 @@
   "deviceList.ipAddress": "IP 位址",
   "deviceList.lastAccess": "上次檔案庫存取",
   "deviceList.lastAccess.toolTip": "以舊版本存取的裝置可能會遺失。",
+  "deviceType.browser": "瀏覽器",
+  "deviceType.desktop": "桌上型電腦",
+  "deviceType.mobile": "手機",
   "downloadVaultTemplateDialog.title": "下載檔案庫範本",
   "downloadVaultTemplateDialog.description": "下載並解壓縮的檔案庫範本到與團隊成員共用的任何位置。這只需要在初始設定時進行一次。",
+  "emergencyAccess.requiredKeyShares": "必需的密鑰份數",
+  "emergencyAccess.processCouncil": "程序委員會",
+  "emergencyAccess.status.added": "已加入",
+  "emergencyAccess.status.pending": "等待中",
+  "emergencyAccess.startProcess": "開始處理",
+  "emergencyAccess.notPossible": "不可能",
+  "emergencyAccess.vaultCouncil": "加密檔案庫委員會",
+  "emergencyAccess.noRedundancy": "無冗餘",
+  "emergencyAccess.label.councilMembers": "委員會成員",
+  "emergencyAccess.label.newCouncilMembers": "新委員會成員",
+  "emergencyAccess.label.owners": "擁有者",
+  "emergencyAccess.label.members": "成員",
+  "emergencyAccess.label.removed": "已移除",
+  "emergencyAccess.label.possibleScenario": "可能的緊急情況",
+  "emergencyAccess.label.exampleRecovery": "復原範例",
+  "emergencyAccess.validation.selectMoreCouncilMembers": "再選擇至少 {0} 位委員會成員。",
+  "emergencyAccess.validation.minimumMembers": "至少需要選擇 {0} 位成員。",
+  "emergencyAccess.approval.waitingOthers": "等待其他人審核",
+  "emergencyAccess.approval.showDetails": "顯示詳細資料",
+  "emergencyAccess.approval.completeNow": "立即完成",
+  "emergencyAccess.filter.all": "全部",
+  "emergencyAccess.badge.noRedundancy.title": "無冗餘",
+  "emergencyAccessDialog.action.abortProcess": "中止這個處理程序",
+  "emergencyAccessDialog.action.start": "開始",
+  "emergencyAccessDialog.action.approve": "核准",
+  "emergencyAccessDialog.action.completeProcess": "完成程序",
+  "emergencyAccessDialog.title.success": "成功",
+  "emergencyAccessDialog.title.changeCouncil": "變更委員會",
+  "emergencyAccessDialog.title.changePermissions": "變更加密檔案庫權限",
+  "grantEmergencyAccessDialog.error.councilMembersRequired": "至少需要 2 名委員會成員。",
+  "grantEmergencyAccessDialog.error.tooFewCouncilMembers": "委員會成員太少。新增更多成員或降低緊急鑰匙的數量。",
+  "processAbortDialog.title": "中止這個處理程序",
+  "processAbortDialog.description": "您確定要中止緊急存取程序嗎？這個動作無法復原。",
+  "processAbortDialog.confirm": "中止程序",
+  "recoveryDialog.error.invalidRecoveryType": "無效的復原程序類型。",
+  "recoveryDialog.error.processAlreadyExists": "這個類型的復原程序已經存在。",
+  "recoveryDialog.error.noOwnerSelected": "至少選擇一位擁有者。",
+  "recoveryDialog.error.notEnoughCouncilMembers": "沒有選擇足夠數量的委員會成員。",
   "editVaultMetadataDialog.title": "編輯檔案庫後設資料",
   "editVaultMetadataDialog.description": "更新檔案庫名稱和描述。",
   "editVaultMetadataDialog.vaultName": "加密檔案庫名稱",
@@ -149,6 +249,13 @@
   "grantPermissionDialog.title": "授予權限",
   "grantPermissionDialog.description": "與新加入的使用者共享檔案庫金鑰。",
   "grantPermissionDialog.submit": "授予權限給 {0} 位使用者",
+  "group.detail.vaults": "加密檔案庫",
+  "group.detail.name": "名稱",
+  "groupList.name": "名稱",
+  "groupList.edit.group.button": "編輯",
+  "groupList.search.placeholder": "搜尋...",
+  "groupList.vaults.count": "加密檔案庫",
+  "group.members.search.empty": "沒有找到任何東西",
   "trustDetails.trustLevel": "信任等級 {0}",
   "trustDetails.trustLevel.untrusted": "未驗證",
   "trustDetails.showSignDialogBtn": "檢查身份...",
@@ -156,7 +263,7 @@
   "signUserKeysDialog.title": "確認 {0} 的身份",
   "signUserKeysDialog.description": "輸入 {1} 指紋的前 {0} 個字元，以便確認其公開金鑰的真實性。指紋可以在使用者的個人資料中找到。",
   "signUserKeysDialog.submit": "確認這個使用者的身份",
-  "initialSetup.createUserKey.title": "歡迎來到 Cryptomator Hub",
+  "initialSetup.createUserKey.title": "歡迎來到 Katta",
   "initialSetup.createUserKey.description": "首次登入時，每位使用者都會得到一個唯一的 Account Key：",
   "initialSetup.createUserKey.details.accountKey": "從其它應用程式或瀏覽器登入時會需要您的 Account Key",
   "initialSetup.createUserKey.details.devicesList": "您可以從個人檔案頁面確認已授權應用程式的清單",
@@ -172,19 +279,19 @@
   "initialSetup.recoverUserKey.lostAccountKey": "Account Key 遺失了嗎？ {0}",
   "initialSetup.recoverUserKey.lostAccountKey.resetUserAccount": "重設我的帳號",
   "initialSetup.setupAlreadyCompleted.title": "設定已完成",
-  "initialSetup.setupAlreadyCompleted.description": "您已經完成了 Cryptomator Hub 的初始設定。您可以從個人資料中找到您的 Account Key。",
+  "initialSetup.setupAlreadyCompleted.description": "您已經完成了 Katta 的初始設定。您可以從個人資料中找到您的 Account Key。",
   "initialSetup.setupAlreadyCompleted.goToYourProfile": "前往個人檔案",
   "initialSetup.accountKey": "帳戶金鑰",
   "initialSetup.submit": "完成設定",
   "licenseAlert.noRemainingSeats.title": "超出授權",
-  "licenseAlert.noRemainingSeats.admin.description": "您的 Cryptomator Hub 實例已經超出許可的授權數量。請在 {0} 中升級，以便再次管理和解鎖您的加密檔案庫。",
-  "licenseAlert.noRemainingSeats.user.description": "您的 Cryptomator Hub 實例已經超出許可的授權數量。請通知 Hub 管理員升級授權。",
+  "licenseAlert.noRemainingSeats.admin.description": "您的 Katta 實例已經超出許可的授權數量。請在 {0} 中升級，以便再次管理和解鎖您的加密檔案庫。",
+  "licenseAlert.noRemainingSeats.user.description": "您的 Katta 實例已經超出許可的授權數量。請通知 Katta 管理員升級授權。",
   "licenseAlert.licenseExpired.title": "授權已到期",
-  "licenseAlert.licenseExpired.admin.description": "您的 Cryptomator Hub 授權已到期。請在 {0} 中升級，以便再次管理和解鎖您的加密檔案庫。",
-  "licenseAlert.licenseExpired.user.description": "您的 Cryptomator Hub 授權已到期。請通知 Hub 管理員續訂授權。",
+  "licenseAlert.licenseExpired.admin.description": "您的 Katta 授權已到期。請在 {0} 中升級，以便再次管理和解鎖您的加密檔案庫。",
+  "licenseAlert.licenseExpired.user.description": "您的 Katta 授權已到期。請通知 Katta 管理員續訂授權。",
   "licenseAlert.button": "管理區塊",
   "legacyDeviceList.title": "老舊裝置",
-  "legacyDeviceList.description": "這些裝置是使用舊版 Hub 建立的，需要更新才能在未來的版本中解鎖加密檔案庫。如果您不再需要它們，請移除它們。否則，請在該裝置上更新 Cryptomator。您的下一次解鎖將會自動啟動更新。",
+  "legacyDeviceList.description": "這些裝置是使用舊版 Katta 建立的，需要更新才能在未來的版本中解鎖加密檔案庫。如果您不再需要它們，請移除它們。否則，請在該裝置上更新 Katta。您的下一次解鎖將會自動啟動更新。",
   "legacyDeviceList.description.information": "了解更多。",
   "legacyDeviceList.deviceName": "設備名稱",
   "legacyDeviceList.type": "類別",
@@ -197,6 +304,7 @@
   "manageAccountKey.description": "從其它應用程式或瀏覽器登入時會需要您的 Account Key。",
   "manageAccountKey.regenerate": "重新產生金鑰",
   "nav.vaults": "加密檔案庫",
+  "nav.emergencyAccess": "緊急存取",
   "nav.profile.signedInAs": "已登入為",
   "nav.profile.profile": "您的個人資料",
   "nav.profile.admin": "管理員",
@@ -225,17 +333,34 @@
   "resetUserAccountDialog.submit": "重設帳號",
   "userkeyFingerprint.title": "使用者金鑰指紋",
   "userkeyFingerprint.description": "更新加密檔案庫權限時，您的使用者金鑰指紋可用來驗證您的身份。",
+  "user.detail.disable": "停用",
+  "user.detail.edit": "編輯",
+  "user.detail.enable": "啟用",
+  "user.detail.name": "名稱",
+  "user.detail.username": "使用者名稱",
+  "userEditCreate.button.save": "儲存",
+  "userEditCreate.button.saved": "已儲存！",
+  "userEditCreate.username": "使用者名稱",
+  "userEditCreate.password": "密碼",
+  "userEditCreate.passwordStrong": "強",
+  "userEditCreate.passwordWeak": "弱",
+  "userList.edit.user.button": "編輯",
+  "userList.userName": "名稱",
+  "userList.vaults.count": "加密檔案庫",
   "userProfile.title": "個人資料",
   "userProfile.actions.manageAccount": "帳號管理",
   "userProfile.actions.changeLanguage": "變更語言",
   "userProfile.actions.changeLanguage.entry.browser": "瀏覽器語言",
+  "userProfile.keycloakVersion.notAvailable": "無法取得版本",
+  "unlock.noAccessVaultArchived.title": "加密檔案庫已封存",
+  "unlock.noAccessVaultArchived.description": "這個加密檔案庫已封存且無法再被存取。請聯絡加密檔案庫的主人。",
   "unlockSuccess.title": "加密檔案庫解鎖成功",
-  "unlockSuccess.description": "您可以關閉瀏覽器分頁並回到 Cryptomator。",
+  "unlockSuccess.description": "您可以關閉瀏覽器分頁並回到 Katta。",
   "unlockSuccess.accountSetup.title": "需要設定",
   "unlockSuccess.accountSetup.description": "完成帳號設定並取得您的 Account Key。",
   "unlockSuccess.accountSetup.goToSetup": "完成設定",
   "unlockSuccess.deviceSetup.title": "新裝置",
-  "unlockSuccess.deviceSetup.description": "請輸入您的 Account Key 以在 Cryptomator 進行授權。",
+  "unlockSuccess.deviceSetup.description": "請輸入您的 Account Key 以在 Katta 進行授權。",
   "unlockSuccess.deviceSetup.goToProfile": "在個人資料中查看 Account Key",
   "unlockSuccess.noVaultAccess.title": "無法存取此加密檔案庫",
   "unlockSuccess.noVaultAccess.description": "請聯絡加密檔案庫擁有者以將您加入加密檔案庫成員。",
@@ -258,7 +383,7 @@
   "vaultDetails.actions.reactivateVault": "重新啟用加密檔案庫",
   "vaultDetails.actions.claimOwnership": "主張所有權",
   "vaultDetails.actions.recoverVault": "恢復存取加密檔案庫",
-  "vaultDetails.error.licenseViolated": "您的 Cryptomator Hub 實例已經超出許可的授權數量。請通知 Hub 管理員續訂或升級授權。",
+  "vaultDetails.error.licenseViolated": "您的 Katta 實例已經超出許可的授權數量。請通知 Katta 管理員續訂或升級授權。",
   "vaultDetails.recoverVault.title": "您已經重置您的帳號！",
   "vaultDetails.recoverVault.description": "若要重新取得加密檔案庫的存取權限，您必須使用復原金鑰恢復您的存取權限，或由其他擁有者更新存取權限。",
   "vaultList.title": "加密檔案庫",
diff --git a/frontend/src/index.css b/frontend/src/index.css
index 8d4000e77..e78d50796 100644
--- a/frontend/src/index.css
+++ b/frontend/src/index.css
@@ -5,21 +5,32 @@
 
 @theme {
   --font-*: initial;
-  --font-headline: Quicksand, sans-serif;
-  --font-body: Open Sans, sans-serif;
+  --font-headline: 'Roboto Slab', ui-serif, Georgia, Cambria, 'Times New Roman', Times, serif;
+  --font-body: 'Open Sans', ui-sans-serif, system-ui, sans-serif;
   --font-mono: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, 'Liberation Mono', 'Courier New', monospace;
 
   --color-current: currentColor;
-  --color-primary: #49b04a;
-  --color-primary2: #009f69;
-  --color-primary-l1: #66cc68;
-  --color-primary-l2: #ebf5eb;
-  --color-primary-d1: #407f41;
-  --color-primary-d2: #2d4d2e;
-  --color-secondary: #008a7b;
-  --color-secondary2: #00747e;
-  --color-tertiary: #005e71;
-  --color-tertiary2: #2f4858;
+  --color-iris-50: oklch(96.7% 0.006 278.8);
+  --color-iris-100: oklch(93.5% 0.011 279.3);
+  --color-iris-200: oklch(88.2% 0.022 279.8);
+  --color-iris-300: oklch(80.2% 0.040 280.3);
+  --color-iris-400: oklch(69.4% 0.063 281.3);
+  --color-iris-500: oklch(60.5% 0.083 281.8);
+  --color-iris-600: oklch(53.3% 0.094 282.3);
+  --color-iris-700: oklch(47.9% 0.091 282.8);
+  --color-iris-800: oklch(41.8% 0.075 283.3);
+  --color-iris-900: oklch(37.3% 0.058 283.8);
+  --color-iris-950: oklch(27.4% 0.039 284.8);
+  --color-primary: var(--color-iris-600);
+  --color-primary2: var(--color-iris-500);
+  --color-primary-l1: var(--color-iris-400);
+  --color-primary-l2: var(--color-iris-50);
+  --color-primary-d1: var(--color-iris-700);
+  --color-primary-d2: var(--color-iris-800);
+  --color-secondary: #5c4033;
+  --color-secondary2: #6b4423;
+  --color-tertiary: #3d3d3d;
+  --color-tertiary2: #2a2a2a;
   --color-dark: #1f2122;
   --color-gray_0: #222222;
   --color-gray_1: #3b3b3b;
@@ -31,6 +42,10 @@
   --color-gray_7: #cfcfcf;
   --color-gray_8: #e1e1e1;
   --color-gray_9: #f7f7f7;
+
+  /* Warm accent colors */
+  --color-warm-card: #fffffe;
+  --color-warm-border: #e8e4e0;
 }
 
 /*
@@ -49,4 +64,66 @@
   ::file-selector-button {
     border-color: var(--color-gray-200, currentColor);
   }
+
+  /* Global paper background */
+  body {
+    background-image: url('/bg-paper.png');
+    background-size: 100% auto;
+    background-repeat: repeat-y;
+    min-height: 100vh;
+  }
+
+  /* Enhanced headings */
+  h1, h2, h3 {
+    font-family: var(--font-headline);
+    letter-spacing: -0.01em;
+  }
+
+  h1 {
+    color: var(--color-tertiary2);
+  }
+}
+
+/* Enhanced card styling */
+@layer components {
+  .bg-white {
+    background-color: var(--color-warm-card);
+    border: 1px solid var(--color-warm-border);
+  }
+
+  /* Refined shadow for cards */
+  .shadow-sm {
+    box-shadow:
+      0 1px 2px rgba(0, 0, 0, 0.04),
+      0 4px 12px oklch(53.3% 0.094 282.3 / 0.03);
+  }
+
+  /* Enhanced primary button styles */
+  .bg-primary {
+    background: linear-gradient(180deg, var(--color-iris-500) 0%, var(--color-iris-600) 100%);
+    box-shadow:
+      0 1px 2px rgba(0, 0, 0, 0.1),
+      inset 0 1px 0 rgba(255, 255, 255, 0.1);
+    transition: all 0.2s ease;
+  }
+
+  .bg-primary:hover:not(:disabled) {
+    background: linear-gradient(180deg, var(--color-iris-600) 0%, var(--color-iris-700) 100%);
+    box-shadow:
+      0 2px 4px rgba(0, 0, 0, 0.15),
+      inset 0 1px 0 rgba(255, 255, 255, 0.1);
+    transform: translateY(-1px);
+  }
+
+  .bg-primary:active:not(:disabled) {
+    transform: translateY(0);
+    box-shadow:
+      0 1px 2px rgba(0, 0, 0, 0.1),
+      inset 0 1px 2px rgba(0, 0, 0, 0.1);
+  }
+
+  /* Focus ring styling */
+  .focus\:ring-primary:focus {
+    --tw-ring-color: oklch(53.3% 0.094 282.3 / 0.3);
+  }
 }
diff --git a/frontend/src/openapi/index.ts b/frontend/src/openapi/index.ts
new file mode 100644
index 000000000..a8236f99e
--- /dev/null
+++ b/frontend/src/openapi/index.ts
@@ -0,0 +1,20 @@
+import o from './openapi.json';
+export const openapi = o;
+
+export type OpenapiType = {
+  description?: string;
+  type?: string;
+  example?: string;
+  nullable?: boolean;
+  allOf?: OpenapiRef[];
+}
+
+export type OpenapiRef = {
+  "$ref": string;
+}
+
+export type OpenapiSchema = {
+  pattern?: string;
+  enum?: any;
+}
+export type OpenapiSchemas = Record<string,any>;
diff --git a/frontend/src/openapi/openapi.json b/frontend/src/openapi/openapi.json
new file mode 100644
index 000000000..2c8967a63
--- /dev/null
+++ b/frontend/src/openapi/openapi.json
@@ -0,0 +1,3228 @@
+{
+  "openapi": "3.1.0",
+  "components": {
+    "schemas": {
+      "AccessTokenResponse": {
+        "type": "object",
+        "properties": {
+          "access_token": {
+            "type": "string"
+          },
+          "issued_token_type": {
+            "type": "string"
+          },
+          "token_type": {
+            "type": "string"
+          },
+          "expires_in": {
+            "type": "integer",
+            "format": "int64"
+          },
+          "scope": {
+            "type": "string"
+          },
+          "refresh_token": {
+            "type": "string"
+          }
+        }
+      },
+      "AuditEventDto": {
+        "type": "object",
+        "properties": {
+          "id": {
+            "type": "integer",
+            "format": "int64"
+          },
+          "timestamp": {
+            "$ref": "#/components/schemas/Instant"
+          }
+        }
+      },
+      "AuthorityDto": {
+        "oneOf": [
+          {
+            "$ref": "#/components/schemas/UserDto"
+          },
+          {
+            "$ref": "#/components/schemas/GroupDto"
+          },
+          {
+            "$ref": "#/components/schemas/MemberDto"
+          }
+        ],
+        "title": "Authority",
+        "discriminator": {
+          "propertyName": "type",
+          "mapping": {
+            "USER": "#/components/schemas/UserDto",
+            "GROUP": "#/components/schemas/GroupDto",
+            "MEMBER": "#/components/schemas/MemberDto"
+          }
+        },
+        "type": "object",
+        "properties": {
+          "id": {
+            "type": "string"
+          },
+          "type": {
+            "$ref": "#/components/schemas/Type"
+          },
+          "name": {
+            "type": "string"
+          },
+          "pictureUrl": {
+            "type": "string"
+          }
+        }
+      },
+      "BillingDto": {
+        "type": "object",
+        "properties": {
+          "hubId": {
+            "type": "string"
+          },
+          "hasLicense": {
+            "type": "boolean"
+          },
+          "email": {
+            "type": "string"
+          },
+          "licensedSeats": {
+            "type": "integer",
+            "format": "int32"
+          },
+          "usedSeats": {
+            "type": "integer",
+            "format": "int32"
+          },
+          "issuedAt": {
+            "$ref": "#/components/schemas/Instant"
+          },
+          "expiresAt": {
+            "$ref": "#/components/schemas/Instant"
+          },
+          "managedInstance": {
+            "type": "boolean"
+          }
+        }
+      },
+      "ConfigDto": {
+        "type": "object",
+        "properties": {
+          "keycloakUrl": {
+            "type": "string"
+          },
+          "keycloakRealm": {
+            "type": "string"
+          },
+          "keycloakClientIdHub": {
+            "type": "string"
+          },
+          "keycloakClientIdCryptomator": {
+            "type": "string"
+          },
+          "keycloakAuthEndpoint": {
+            "type": "string"
+          },
+          "keycloakTokenEndpoint": {
+            "type": "string"
+          },
+          "serverTime": {
+            "$ref": "#/components/schemas/Instant"
+          },
+          "apiLevel": {
+            "type": "integer",
+            "format": "int32"
+          },
+          "keycloakClientIdCryptomatorVaults": {
+            "type": "string"
+          },
+          "uuid": {
+            "type": "string"
+          }
+        }
+      },
+      "CreateS3STSBucketDto": {
+        "type": "object",
+        "properties": {
+          "vaultId": {
+            "type": "string"
+          },
+          "storageConfigId": {
+            "$ref": "#/components/schemas/UUID"
+          },
+          "vaultUvf": {
+            "type": "string"
+          },
+          "dirUvf": {
+            "type": "string"
+          },
+          "rootDirHash": {
+            "type": "string"
+          },
+          "awsAccessKey": {
+            "type": "string"
+          },
+          "awsSecretKey": {
+            "type": "string"
+          },
+          "sessionToken": {
+            "type": "string"
+          },
+          "region": {
+            "type": "string"
+          }
+        }
+      },
+      "DeviceDto": {
+        "type": "object",
+        "properties": {
+          "id": {
+            "type": "string",
+            "pattern": "[-_.a-zA-Z0-9]*"
+          },
+          "name": {
+            "type": "string",
+            "pattern": "[^*<>\"]*"
+          },
+          "type": {
+            "$ref": "#/components/schemas/Type1"
+          },
+          "publicKey": {
+            "type": "string",
+            "pattern": "[+/A-Za-z0-9]+=*"
+          },
+          "userPrivateKey": {
+            "type": "string",
+            "pattern": "[-_A-Za-z0-9]+=*\\.[-_A-Za-z0-9]*=*\\.[-_A-Za-z0-9]*=*\\.[-_A-Za-z0-9]+=*\\.[-_A-Za-z0-9]*=*"
+          },
+          "owner": {
+            "type": "string",
+            "pattern": "[-_.a-zA-Z0-9]*"
+          },
+          "creationTime": {
+            "$ref": "#/components/schemas/Instant"
+          },
+          "lastIpAddress": {
+            "type": "string"
+          },
+          "lastAccessTime": {
+            "$ref": "#/components/schemas/Instant"
+          },
+          "legacyDevice": {
+            "type": "boolean"
+          }
+        },
+        "required": [
+          "name",
+          "publicKey",
+          "userPrivateKey"
+        ]
+      },
+      "GroupDto": {
+        "type": "object",
+        "properties": {
+          "id": {
+            "type": "string"
+          },
+          "type": {
+            "$ref": "#/components/schemas/Type"
+          },
+          "name": {
+            "type": "string"
+          },
+          "pictureUrl": {
+            "type": "string"
+          },
+          "memberSize": {
+            "type": "integer",
+            "format": "int32"
+          }
+        }
+      },
+      "Instant": {
+        "type": "string",
+        "format": "date-time",
+        "examples": [
+          "2022-03-10T16:15:50Z"
+        ]
+      },
+      "LicenseUserInfoDto": {
+        "type": "object",
+        "properties": {
+          "licensedSeats": {
+            "type": "integer",
+            "format": "int32"
+          },
+          "usedSeats": {
+            "type": "integer",
+            "format": "int32"
+          },
+          "expiresAt": {
+            "$ref": "#/components/schemas/Instant"
+          }
+        }
+      },
+      "MemberDto": {
+        "type": "object",
+        "properties": {
+          "id": {
+            "type": "string"
+          },
+          "type": {
+            "$ref": "#/components/schemas/Type"
+          },
+          "name": {
+            "type": "string"
+          },
+          "pictureUrl": {
+            "type": "string"
+          },
+          "ecdhPublicKey": {
+            "type": "string"
+          },
+          "ecdsaPublicKey": {
+            "type": "string"
+          },
+          "role": {
+            "$ref": "#/components/schemas/Role"
+          },
+          "memberSize": {
+            "type": "integer",
+            "format": "int32"
+          }
+        }
+      },
+      "Protocol": {
+        "type": "string",
+        "enum": [
+          "S3STATIC",
+          "S3STS"
+        ]
+      },
+      "Role": {
+        "type": "string",
+        "enum": [
+          "MEMBER",
+          "OWNER"
+        ]
+      },
+      "S3_SERVERSIDE_ENCRYPTION": {
+        "type": "string",
+        "enum": [
+          "NONE",
+          "SSE_AES256",
+          "SSE_KMS_DEFAULT"
+        ]
+      },
+      "S3_STORAGE_CLASSES": {
+        "type": "string",
+        "enum": [
+          "STANDARD",
+          "INTELLIGENT_TIERING",
+          "STANDARD_IA",
+          "ONEZONE_IA",
+          "REDUCED_REDUNDANCY",
+          "GLACIER",
+          "GLACIER_IR",
+          "DEEP_ARCHIVE"
+        ]
+      },
+      "SettingsDto": {
+        "type": "object",
+        "properties": {
+          "hubId": {
+            "type": "string"
+          },
+          "wotMaxDepth": {
+            "type": "integer",
+            "format": "int32",
+            "maximum": 9,
+            "minimum": 0
+          },
+          "wotIdVerifyLen": {
+            "type": "integer",
+            "format": "int32",
+            "minimum": 0
+          }
+        }
+      },
+      "StorageProfileDto": {
+        "oneOf": [
+          {
+            "$ref": "#/components/schemas/StorageProfileS3StaticDto"
+          },
+          {
+            "$ref": "#/components/schemas/StorageProfileS3STSDto"
+          }
+        ],
+        "title": "StorageProfile",
+        "discriminator": {
+          "propertyName": "protocol",
+          "mapping": {
+            "S3STATIC": "#/components/schemas/StorageProfileS3StaticDto",
+            "S3STS": "#/components/schemas/StorageProfileS3STSDto"
+          }
+        },
+        "type": "object",
+        "required": [
+          "id",
+          "name",
+          "protocol",
+          "archived"
+        ],
+        "properties": {
+          "id": {
+            "description": "Technical identifier for a storage profile. Must be unique UUID. Clients will use this as vendor in profile and provider in vault bookmark",
+            "type": "string",
+            "$ref": "#/components/schemas/UUID"
+          },
+          "name": {
+            "type": "string",
+            "description": "Displayed when choosing type of a new vault in dropdown."
+          },
+          "protocol": {
+            "description": "Storage protocol: S3 (permanent credentials) or S3STS (STS).",
+            "type": "string",
+            "$ref": "#/components/schemas/Protocol"
+          },
+          "archived": {
+            "type": "boolean",
+            "description": "For archived storage profiles, no vaults can be created any more."
+          }
+        }
+      },
+      "StorageProfileS3STSDto": {
+        "title": "StorageProfileS3STSDto",
+        "type": "object",
+        "required": [
+          "id",
+          "name",
+          "protocol",
+          "archived",
+          "storageClass",
+          "region",
+          "regions",
+          "bucketPrefix",
+          "stsRoleCreateBucketClient",
+          "stsRoleCreateBucketHub",
+          "bucketVersioning",
+          "bucketEncryption",
+          "stsRoleAccessBucketAssumeRoleWithWebIdentity",
+          "stsSessionTag"
+        ],
+        "properties": {
+          "id": {
+            "description": "Technical identifier for a storage profile. Must be unique UUID. Clients will use this as vendor in profile and provider in vault bookmark",
+            "type": "string",
+            "$ref": "#/components/schemas/UUID"
+          },
+          "name": {
+            "type": "string",
+            "description": "Displayed when choosing type of a new vault in dropdown."
+          },
+          "protocol": {
+            "description": "Storage protocol: S3 (permanent credentials) or S3STS (STS).",
+            "type": "string",
+            "$ref": "#/components/schemas/Protocol"
+          },
+          "archived": {
+            "type": "boolean",
+            "description": "For archived storage profiles, no vaults can be created any more."
+          },
+          "scheme": {
+            "type": [
+              "string",
+              "null"
+            ],
+            "description": "Scheme of S3 endpoint for template upload/bucket creation. Defaults to default for protocol, i.e. https in most cases.",
+            "example": "https"
+          },
+          "hostname": {
+            "type": [
+              "string",
+              "null"
+            ],
+            "description": "Hostname S3 endpoint for template upload/bucket creation. Defaults to AWS SDK default.",
+            "example": "s3-us-gov-west-1.amazonaws.com"
+          },
+          "port": {
+            "type": [
+              "integer",
+              "null"
+            ],
+            "format": "int32",
+            "description": "Port S3 endpoint for template upload/bucket creation. Defaults to default port for scheme.",
+            "example": 443
+          },
+          "withPathStyleAccessEnabled": {
+            "type": "boolean",
+            "description": "Whether to use path style for S3 endpoint for template upload/bucket creation.",
+            "example": false,
+            "default": false
+          },
+          "storageClass": {
+            "description": "Storage class for upload. Defaults to STANDARD",
+            "type": "string",
+            "example": "STANDARD",
+            "$ref": "#/components/schemas/S3_STORAGE_CLASSES"
+          },
+          "region": {
+            "type": "string",
+            "description": "Default region selected in the frontend/client to create bucket in.",
+            "example": "443",
+            "default": "us-east-1"
+          },
+          "regions": {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "description": "List of selectable regions in the frontend/client to create bucket in. Defaults to full list from AWS SDK."
+          },
+          "bucketPrefix": {
+            "type": "string",
+            "description": "Buckets are create with name <bucket prefix><vault UUID>.",
+            "example": "katta"
+          },
+          "stsRoleCreateBucketClient": {
+            "type": "string",
+            "description": "STS role for clients to assume to create buckets. Will be the same as stsRoleCreateBucketHub for AWS, different for MinIO.",
+            "example": "arn:aws:iam::<ACCOUNT ID>:role/katta-createbucket"
+          },
+          "stsRoleCreateBucketHub": {
+            "type": "string",
+            "description": "STS role for frontend to assume to create buckets (used with inline policy and passed to hub storage). Will be the same as stsRoleCreateBucketClient for AWS, different for MinIO.",
+            "example": "arn:aws:iam::<ACCOUNT ID>:role/katta-createbucket"
+          },
+          "stsEndpoint": {
+            "type": [
+              "string",
+              "null"
+            ],
+            "description": "STS endpoint to use for AssumeRoleWithWebIdentity and AssumeRole for getting a temporary access token passed to the storage. Defaults to AWS SDK default."
+          },
+          "bucketVersioning": {
+            "type": "boolean",
+            "description": "Enable bucket versioning upon bucket creation",
+            "default": true
+          },
+          "bucketAcceleration": {
+            "type": [
+              "boolean",
+              "null"
+            ],
+            "description": "Enable bucket versioning upon bucket creation (null for MinIO)"
+          },
+          "bucketEncryption": {
+            "description": "Enable bucket versioning upon bucket creation",
+            "type": "string",
+            "$ref": "#/components/schemas/S3_SERVERSIDE_ENCRYPTION"
+          },
+          "stsRoleAccessBucketAssumeRoleWithWebIdentity": {
+            "type": "string",
+            "description": "roleArn to for STS AssumeRoleWithWebIdentity (AWS and MinIO)",
+            "example": "arn:aws:iam::930717317329:role/katta_chain_01"
+          },
+          "stsRoleAccessBucketAssumeRoleTaggedSession": {
+            "type": [
+              "string",
+              "null"
+            ],
+            "description": "roleArn to assume for STS AssumeRole in role chaining (AWS only, not MinIO)",
+            "example": "arn:aws:iam::930717317329:role/katta_chain_02"
+          },
+          "stsDurationSeconds": {
+            "type": [
+              "integer",
+              "null"
+            ],
+            "format": "int32",
+            "description": "Token lifetime for STS tokens assumed. Defaults to AWS/MinIO defaults"
+          },
+          "stsSessionTag": {
+            "type": "string",
+            "description": "Session tag to use for role chaining (AWS only, not MinIO). Defaults to \"Vault\"",
+            "default": "Vault"
+          }
+        }
+      },
+      "StorageProfileS3StaticDto": {
+        "title": "StorageProfileS3Dto",
+        "type": "object",
+        "required": [
+          "id",
+          "name",
+          "protocol",
+          "archived",
+          "storageClass",
+          "region",
+          "regions",
+          "bucketPrefix",
+          "stsRoleCreateBucketClient",
+          "stsRoleCreateBucketHub",
+          "bucketVersioning",
+          "bucketEncryption"
+        ],
+        "properties": {
+          "id": {
+            "description": "Technical identifier for a storage profile. Must be unique UUID. Clients will use this as vendor in profile and provider in vault bookmark",
+            "type": "string",
+            "$ref": "#/components/schemas/UUID"
+          },
+          "name": {
+            "type": "string",
+            "description": "Displayed when choosing type of a new vault in dropdown."
+          },
+          "protocol": {
+            "description": "Storage protocol: S3 (permanent credentials) or S3STS (STS).",
+            "type": "string",
+            "$ref": "#/components/schemas/Protocol"
+          },
+          "archived": {
+            "type": "boolean",
+            "description": "For archived storage profiles, no vaults can be created any more."
+          },
+          "scheme": {
+            "type": [
+              "string",
+              "null"
+            ],
+            "description": "Scheme of S3 endpoint for template upload/bucket creation. Defaults to default for protocol, i.e. https in most cases.",
+            "example": "https"
+          },
+          "hostname": {
+            "type": [
+              "string",
+              "null"
+            ],
+            "description": "Hostname S3 endpoint for template upload/bucket creation. Defaults to AWS SDK default.",
+            "example": "s3-us-gov-west-1.amazonaws.com"
+          },
+          "port": {
+            "type": [
+              "integer",
+              "null"
+            ],
+            "format": "int32",
+            "description": "Port S3 endpoint for template upload/bucket creation. Defaults to default port for scheme.",
+            "example": 443
+          },
+          "withPathStyleAccessEnabled": {
+            "type": "boolean",
+            "description": "Whether to use path style for S3 endpoint for template upload/bucket creation.",
+            "example": false,
+            "default": false
+          },
+          "storageClass": {
+            "description": "Storage class for upload. Defaults to STANDARD",
+            "type": "string",
+            "example": "STANDARD",
+            "$ref": "#/components/schemas/S3_STORAGE_CLASSES"
+          },
+          "region": {
+            "type": "string",
+            "description": "Default region selected in the frontend/client to create bucket in.",
+            "example": "443",
+            "default": "us-east-1"
+          },
+          "regions": {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "description": "List of selectable regions in the frontend/client to create bucket in. Defaults to full list from AWS SDK."
+          },
+          "bucketPrefix": {
+            "type": "string",
+            "description": "Buckets are create with name <bucket prefix><vault UUID>.",
+            "example": "katta"
+          },
+          "stsRoleCreateBucketClient": {
+            "type": "string",
+            "description": "STS role for clients to assume to create buckets. Will be the same as stsRoleCreateBucketHub for AWS, different for MinIO.",
+            "example": "arn:aws:iam::<ACCOUNT ID>:role/katta-createbucket"
+          },
+          "stsRoleCreateBucketHub": {
+            "type": "string",
+            "description": "STS role for frontend to assume to create buckets (used with inline policy and passed to hub storage). Will be the same as stsRoleCreateBucketClient for AWS, different for MinIO.",
+            "example": "arn:aws:iam::<ACCOUNT ID>:role/katta-createbucket"
+          },
+          "stsEndpoint": {
+            "type": [
+              "string",
+              "null"
+            ],
+            "description": "STS endpoint to use for AssumeRoleWithWebIdentity and AssumeRole for getting a temporary access token passed to the storage. Defaults to AWS SDK default."
+          },
+          "bucketVersioning": {
+            "type": "boolean",
+            "description": "Enable bucket versioning upon bucket creation",
+            "default": true
+          },
+          "bucketAcceleration": {
+            "type": [
+              "boolean",
+              "null"
+            ],
+            "description": "Enable bucket versioning upon bucket creation (null for MinIO)"
+          },
+          "bucketEncryption": {
+            "description": "Enable bucket versioning upon bucket creation",
+            "type": "string",
+            "$ref": "#/components/schemas/S3_SERVERSIDE_ENCRYPTION"
+          }
+        }
+      },
+      "TrustedUserDto": {
+        "type": "object",
+        "properties": {
+          "trustedUserId": {
+            "type": "string"
+          },
+          "signatureChain": {
+            "type": "array",
+            "items": {
+              "type": "string"
+            }
+          }
+        }
+      },
+      "Type": {
+        "type": "string",
+        "enum": [
+          "USER",
+          "GROUP"
+        ]
+      },
+      "Type1": {
+        "type": "string",
+        "enum": [
+          "BROWSER",
+          "DESKTOP",
+          "MOBILE"
+        ]
+      },
+      "UUID": {
+        "type": "string",
+        "format": "uuid",
+        "pattern": "[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}"
+      },
+      "UserDto": {
+        "type": "object",
+        "properties": {
+          "id": {
+            "type": "string"
+          },
+          "type": {
+            "$ref": "#/components/schemas/Type"
+          },
+          "name": {
+            "type": "string"
+          },
+          "pictureUrl": {
+            "type": "string"
+          },
+          "email": {
+            "type": "string"
+          },
+          "language": {
+            "type": "string"
+          },
+          "devices": {
+            "type": "array",
+            "uniqueItems": true,
+            "items": {
+              "$ref": "#/components/schemas/DeviceDto"
+            }
+          },
+          "ecdhPublicKey": {
+            "type": "string"
+          },
+          "ecdsaPublicKey": {
+            "type": "string"
+          },
+          "privateKeys": {
+            "type": "string"
+          },
+          "setupCode": {
+            "type": "string"
+          },
+          "publicKey": {
+            "type": "string",
+            "deprecated": true
+          },
+          "privateKey": {
+            "type": "string",
+            "deprecated": true
+          }
+        }
+      },
+      "VaultDto": {
+        "type": "object",
+        "required": [
+          "id",
+          "name"
+        ],
+        "properties": {
+          "id": {
+            "$ref": "#/components/schemas/UUID"
+          },
+          "name": {
+            "type": "string",
+            "pattern": "[^*<>\"]*"
+          },
+          "description": {
+            "type": "string",
+            "pattern": "[^*<>\"]*"
+          },
+          "archived": {
+            "type": "boolean"
+          },
+          "creationTime": {
+            "$ref": "#/components/schemas/Instant"
+          },
+          "uvfMetadataFile": {
+            "type": "string"
+          },
+          "uvfKeySet": {
+            "type": "string"
+          },
+          "masterkey": {
+            "type": "string",
+            "pattern": "[+/A-Za-z0-9]+=*"
+          },
+          "iterations": {
+            "type": "integer",
+            "format": "int32"
+          },
+          "salt": {
+            "type": "string",
+            "pattern": "[+/A-Za-z0-9]+=*"
+          },
+          "authPublicKey": {
+            "type": "string",
+            "pattern": "[+/A-Za-z0-9]+=*"
+          },
+          "authPrivateKey": {
+            "type": "string",
+            "pattern": "[+/A-Za-z0-9]+=*"
+          }
+        }
+      },
+      "VersionDto": {
+        "type": "object",
+        "properties": {
+          "hubVersion": {
+            "type": "string"
+          },
+          "keycloakVersion": {
+            "type": "string"
+          }
+        }
+      }
+    },
+    "securitySchemes": {
+      "SecurityScheme": {
+        "type": "openIdConnect",
+        "description": "Authentication"
+      }
+    }
+  },
+  "paths": {
+    "/api/auditlog": {
+      "get": {
+        "summary": "list all auditlog entries within a period",
+        "description": "list all auditlog entries from a period specified by a start and end date",
+        "parameters": [
+          {
+            "description": "the start date of the period as ISO 8601 datetime string, inclusive",
+            "in": "query",
+            "name": "startDate",
+            "schema": {
+              "$ref": "#/components/schemas/Instant"
+            }
+          },
+          {
+            "description": "the end date of the period as ISO 8601 datetime string, exclusive",
+            "in": "query",
+            "name": "endDate",
+            "schema": {
+              "$ref": "#/components/schemas/Instant"
+            }
+          },
+          {
+            "description": "The smallest (asc ordering) or highest (desc ordering) audit entry id, not included in results. Used for pagination. ",
+            "in": "query",
+            "name": "paginationId",
+            "schema": {
+              "type": "integer",
+              "format": "int64"
+            }
+          },
+          {
+            "description": "The order of the queried table. Determines if most recent (desc) or oldest entries (asc) are considered first. Allowed Values are 'desc' (default) or 'asc'. Used for pagination.",
+            "in": "query",
+            "name": "order",
+            "schema": {
+              "type": "string",
+              "default": "desc"
+            }
+          },
+          {
+            "description": "the maximum number of entries to return. Must be between 1 and 100.",
+            "in": "query",
+            "name": "pageSize",
+            "schema": {
+              "type": "integer",
+              "format": "int32",
+              "default": 20
+            }
+          },
+          {
+            "description": "the list of type of events to return. Empty list is all events.",
+            "in": "query",
+            "name": "type",
+            "schema": {
+              "type": "array",
+              "items": {
+                "type": "string"
+              }
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Body contains list of events in the specified time interval",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/AuditEventDto"
+                  }
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "startDate or endDate not specified, startDate > endDate, order specified and not in ['asc','desc'], pageSize not in [1 .. 100] or type is not valid"
+          },
+          "402": {
+            "description": "Community license used or license expired"
+          },
+          "403": {
+            "description": "requesting user does not have admin role"
+          },
+          "401": {
+            "description": "Not Authorized"
+          }
+        },
+        "tags": [
+          "Audit Log Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "admin"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/authorities": {
+      "get": {
+        "summary": "lists all authorities matching the given ids",
+        "description": "lists for each id in the list its corresponding authority. Ignores all id's where an authority cannot be found",
+        "parameters": [
+          {
+            "name": "ids",
+            "in": "query",
+            "schema": {
+              "type": "array",
+              "items": {
+                "type": "string"
+              }
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/AuthorityDto"
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Authority Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/authorities/search": {
+      "get": {
+        "summary": "search authority by name",
+        "parameters": [
+          {
+            "name": "query",
+            "in": "query",
+            "schema": {
+              "type": "string",
+              "pattern": "\\S"
+            },
+            "required": true
+          },
+          {
+            "name": "withMemberSize",
+            "in": "query",
+            "schema": {
+              "type": "boolean"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/AuthorityDto"
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Authority Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/billing": {
+      "get": {
+        "summary": "get the billing information",
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/BillingDto"
+                }
+              }
+            }
+          },
+          "403": {
+            "description": "only admins are allowed to get the billing information"
+          },
+          "401": {
+            "description": "Not Authorized"
+          }
+        },
+        "tags": [
+          "Billing Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "admin"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/billing/token": {
+      "put": {
+        "summary": "set the token",
+        "requestBody": {
+          "content": {
+            "text/plain": {
+              "schema": {
+                "type": "string",
+                "pattern": "[-_A-Za-z0-9]+=*\\.[-_A-Za-z0-9]*=*\\.[-_A-Za-z0-9]*=*"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "204": {
+            "description": "token set"
+          },
+          "400": {
+            "description": "token is invalid (e.g., expired or invalid signature)"
+          },
+          "403": {
+            "description": "only admins are allowed to set the token"
+          },
+          "401": {
+            "description": "Not Authorized"
+          }
+        },
+        "tags": [
+          "Billing Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "admin"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/config": {
+      "get": {
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/ConfigDto"
+                }
+              }
+            }
+          }
+        },
+        "summary": "Get Config",
+        "tags": [
+          "Config Resource"
+        ]
+      }
+    },
+    "/api/devices": {
+      "get": {
+        "summary": "lists all devices matching the given ids",
+        "description": "lists for each id in the list its corresponding device. Ignores all id's where a device cannot be found",
+        "parameters": [
+          {
+            "name": "ids",
+            "in": "query",
+            "schema": {
+              "type": "array",
+              "items": {
+                "type": "string"
+              }
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/DeviceDto"
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Device Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "admin"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/devices/legacy-devices": {
+      "get": {
+        "summary": "lists all legacy devices matching the given ids",
+        "description": "lists for each id in the list its corresponding legacy device. Ignores all id's where a device cannot be found",
+        "deprecated": true,
+        "parameters": [
+          {
+            "name": "ids",
+            "in": "query",
+            "schema": {
+              "type": "array",
+              "items": {
+                "type": "string"
+              }
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/DeviceDto"
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Device Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "admin"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/devices/{deviceId}": {
+      "delete": {
+        "summary": "removes a device",
+        "description": "the device will be only be removed if the current user is the owner",
+        "parameters": [
+          {
+            "name": "deviceId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string",
+              "pattern": "[-_.a-zA-Z0-9]*"
+            }
+          }
+        ],
+        "responses": {
+          "204": {
+            "description": "device removed"
+          },
+          "404": {
+            "description": "device not found with current user"
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Device Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      },
+      "get": {
+        "summary": "get the device",
+        "description": "the device must be owned by the currently logged-in user",
+        "parameters": [
+          {
+            "name": "deviceId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string",
+              "pattern": "[-_.a-zA-Z0-9]*"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Device found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/DeviceDto"
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Device not found or owned by a different user"
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Device Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      },
+      "put": {
+        "summary": "creates or updates a device",
+        "description": "the device will be owned by the currently logged-in user",
+        "parameters": [
+          {
+            "name": "deviceId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string",
+              "pattern": "[-_.a-zA-Z0-9]*"
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/DeviceDto"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "201": {
+            "description": "Device created or updated"
+          },
+          "409": {
+            "description": "Device with this key already exists"
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          },
+          "400": {
+            "description": "Bad Request"
+          }
+        },
+        "tags": [
+          "Device Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/devices/{deviceId}/legacy-access-tokens": {
+      "get": {
+        "summary": "list legacy access tokens",
+        "description": "get all legacy access tokens for this device ({vault1: token1, vault1: token2, ...}). The device must be owned by the currently logged-in user",
+        "deprecated": true,
+        "parameters": [
+          {
+            "name": "deviceId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string",
+              "pattern": "[-_.a-zA-Z0-9]*"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "additionalProperties": {
+                    "type": "string"
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Device Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/devices/{deviceId}/legacy-device": {
+      "delete": {
+        "summary": "removes a legacy device",
+        "description": "the legacy device will be only be removed if the current user is the owner",
+        "deprecated": true,
+        "parameters": [
+          {
+            "name": "deviceId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string",
+              "pattern": "[-_.a-zA-Z0-9]*"
+            }
+          }
+        ],
+        "responses": {
+          "204": {
+            "description": "legacy device removed"
+          },
+          "404": {
+            "description": "legacy device not found with current user"
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Device Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/groups": {
+      "get": {
+        "summary": "list all groups",
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/GroupDto"
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Groups Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/groups/{groupId}/effective-members": {
+      "get": {
+        "summary": "list all effective group members",
+        "parameters": [
+          {
+            "name": "groupId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string",
+              "pattern": "[-_.a-zA-Z0-9]*"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/UserDto"
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Groups Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/license/user-info": {
+      "get": {
+        "summary": "Get license information for regular users",
+        "description": "Information includes the licensed seats, the already used seats and if defined, the license expiration date.",
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/LicenseUserInfoDto"
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "License Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/settings": {
+      "put": {
+        "summary": "update settings",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/SettingsDto"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "204": {
+            "description": "token set"
+          },
+          "400": {
+            "description": "invalid settings"
+          },
+          "403": {
+            "description": "only admins are allowed to update settings"
+          },
+          "401": {
+            "description": "Not Authorized"
+          }
+        },
+        "tags": [
+          "Settings Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "admin"
+            ]
+          }
+        ]
+      },
+      "get": {
+        "summary": "get the billing information",
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/SettingsDto"
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Settings Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/storage/s3-token": {
+      "post": {
+        "summary": "token exchange",
+        "description": "retrieves a downscoped access token for S3.",
+        "parameters": [
+          {
+            "name": "vault",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "success",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/AccessTokenResponse"
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "bad request"
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Storage Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/storage/{vaultId}": {
+      "put": {
+        "summary": "creates bucket and policy",
+        "description": "creates an S3 bucket and uploads policy for it for call from Web Client (CORS).",
+        "parameters": [
+          {
+            "name": "vaultId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "$ref": "#/components/schemas/UUID"
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/CreateS3STSBucketDto"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "description": "Bucket and Keycloak config created"
+          },
+          "400": {
+            "description": "Could not create bucket"
+          },
+          "409": {
+            "description": "Bucket with this name already exists"
+          },
+          "410": {
+            "description": "Storage profile is archived"
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Storage Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/storageprofile": {
+      "get": {
+        "summary": "get configs for storage backends",
+        "description": "get list of configs for storage backends",
+        "parameters": [
+          {
+            "name": "archived",
+            "in": "query",
+            "schema": {
+              "type": "boolean"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "list of storage configuration",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/StorageProfileDto"
+                  }
+                }
+              }
+            }
+          },
+          "403": {
+            "description": "not a user"
+          },
+          "401": {
+            "description": "Not Authorized"
+          }
+        },
+        "tags": [
+          "Storage Profile Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user",
+              "admin"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/storageprofile/s3static": {
+      "post": {
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/StorageProfileS3StaticDto"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "201": {
+            "description": "uploaded storage configuration"
+          },
+          "400": {
+            "description": "Constraint violation"
+          },
+          "403": {
+            "description": "not an admin"
+          },
+          "409": {
+            "description": "Storage profile with ID already exists"
+          },
+          "401": {
+            "description": "Not Authorized"
+          }
+        },
+        "summary": "Upload Storage Profile",
+        "tags": [
+          "Storage Profile Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "admin"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/storageprofile/s3sts": {
+      "post": {
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/StorageProfileS3STSDto"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "201": {
+            "description": "uploaded storage configuration"
+          },
+          "400": {
+            "description": "Constraint violation"
+          },
+          "403": {
+            "description": "not an admin"
+          },
+          "409": {
+            "description": "Storage profile with ID already exists"
+          },
+          "401": {
+            "description": "Not Authorized"
+          }
+        },
+        "summary": "Upload Storage Profile",
+        "tags": [
+          "Storage Profile Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "admin"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/storageprofile/{profileId}": {
+      "get": {
+        "summary": "gets a storage profile",
+        "parameters": [
+          {
+            "name": "profileId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "$ref": "#/components/schemas/UUID"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/StorageProfileDto"
+                }
+              }
+            }
+          },
+          "403": {
+            "description": "not a user"
+          },
+          "401": {
+            "description": "Not Authorized"
+          }
+        },
+        "tags": [
+          "Storage Profile Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user",
+              "admin"
+            ]
+          }
+        ]
+      },
+      "put": {
+        "summary": "archive a storage profile",
+        "parameters": [
+          {
+            "name": "profileId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "$ref": "#/components/schemas/UUID"
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/x-www-form-urlencoded": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "archived": {
+                    "type": "boolean"
+                  }
+                }
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "204": {
+            "description": "storage profile archived"
+          },
+          "403": {
+            "description": "not an admin"
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "400": {
+            "description": "Bad Request"
+          }
+        },
+        "tags": [
+          "Storage Profile Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "admin"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/users": {
+      "get": {
+        "summary": "list all users",
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/UserDto"
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Users Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/users/me": {
+      "put": {
+        "summary": "update the logged-in user",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/UserDto"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "201": {
+            "description": "user created or updated"
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          },
+          "400": {
+            "description": "Bad Request"
+          }
+        },
+        "tags": [
+          "Users Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      },
+      "get": {
+        "summary": "get the logged-in user",
+        "parameters": [
+          {
+            "name": "withDevices",
+            "in": "query",
+            "schema": {
+              "type": "boolean"
+            }
+          },
+          {
+            "description": "adds last access values to the devices (if present)",
+            "in": "query",
+            "name": "withLastAccess",
+            "schema": {
+              "type": "boolean"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "returns the current user",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/UserDto"
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "no user matching the subject of the JWT passed as Bearer Token"
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Users Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/users/me-with-legacy-devices-and-access": {
+      "get": {
+        "summary": "get the logged-in user",
+        "deprecated": true,
+        "responses": {
+          "200": {
+            "description": "returns the current user",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/UserDto"
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "no user matching the subject of the JWT passed as Bearer Token"
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Users Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/users/me/access-tokens": {
+      "post": {
+        "summary": "adds/updates user-specific vault keys",
+        "description": "Stores one or more vaultid-vaultkey-tuples for the currently logged-in user, as defined in the request body ({vault1: token1, vault2: token2, ...}).",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "additionalProperties": {
+                  "type": "string"
+                }
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "description": "all keys stored"
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          },
+          "400": {
+            "description": "Bad Request"
+          }
+        },
+        "tags": [
+          "Users Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/users/me/reset": {
+      "post": {
+        "summary": "resets the user account",
+        "responses": {
+          "204": {
+            "description": "deleted keys, devices and access permissions"
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Users Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/users/trusted": {
+      "get": {
+        "summary": "get trusted users",
+        "description": "returns a list of users trusted by the currently logged-in user",
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/TrustedUserDto"
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Users Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/users/trusted/{userId}": {
+      "put": {
+        "summary": "adds/updates trust",
+        "description": "Stores a signature for the given user.",
+        "parameters": [
+          {
+            "name": "userId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "text/plain": {
+              "schema": {
+                "type": "string"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "204": {
+            "description": "signature stored"
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Users Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      },
+      "get": {
+        "summary": "get trust detail for given user",
+        "description": "returns the shortest found signature chain for the given user",
+        "parameters": [
+          {
+            "name": "userId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/TrustedUserDto"
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "if no sufficiently short trust chain between the invoking user and the user with the given id has been found"
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Users Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/vaults/accessible": {
+      "get": {
+        "summary": "list all accessible vaults",
+        "description": "list all vaults that have been shared with the currently logged in user or a group in wich this user is",
+        "parameters": [
+          {
+            "name": "role",
+            "in": "query",
+            "schema": {
+              "$ref": "#/components/schemas/Role"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/VaultDto"
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Vault Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/vaults/all": {
+      "get": {
+        "summary": "list all vaults",
+        "description": "list all vaults in the system",
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/VaultDto"
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Vault Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "admin"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/vaults/some": {
+      "get": {
+        "summary": "list all vaults corresponding to the given ids",
+        "description": "list for each id in the list its corresponding vault. Ignores all id's where a vault does not exist, ",
+        "parameters": [
+          {
+            "name": "ids",
+            "in": "query",
+            "schema": {
+              "type": "array",
+              "items": {
+                "type": "string",
+                "format": "uuid",
+                "pattern": "[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}"
+              }
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/VaultDto"
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Vault Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "admin"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/vaults/{vaultId}": {
+      "get": {
+        "summary": "gets a vault",
+        "parameters": [
+          {
+            "name": "vaultId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "$ref": "#/components/schemas/UUID"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/VaultDto"
+                }
+              }
+            }
+          },
+          "403": {
+            "description": "requesting user is neither a vault member nor has the admin role"
+          },
+          "401": {
+            "description": "Not Authorized"
+          }
+        },
+        "tags": [
+          "Vault Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      },
+      "put": {
+        "summary": "creates or updates a vault",
+        "description": "Creates or updates a vault with the given vault id. The creationTime in the vaultDto is always ignored. On creation, the current server time is used and the archived field is ignored. On update, only the name, description, and archived fields are considered.",
+        "parameters": [
+          {
+            "description": "whether configuration for STS MinIO needs to be synched to Keycloak (defaults to false)",
+            "in": "query",
+            "name": "minio",
+            "schema": {
+              "type": "boolean",
+              "default": false
+            }
+          },
+          {
+            "description": "whether configuration for STS MinIO needs to be synched to AWS (defaults to false)",
+            "in": "query",
+            "name": "aws",
+            "schema": {
+              "type": "boolean",
+              "default": false
+            }
+          },
+          {
+            "name": "vaultId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "$ref": "#/components/schemas/UUID"
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/VaultDto"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "description": "existing vault updated"
+          },
+          "201": {
+            "description": "new vault created"
+          },
+          "402": {
+            "description": "number of licensed seats is exceeded"
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          },
+          "400": {
+            "description": "Bad Request"
+          }
+        },
+        "tags": [
+          "Vault Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/vaults/{vaultId}/access-token": {
+      "get": {
+        "summary": "get the user-specific vault key",
+        "description": "retrieves a jwe containing the vault key, encrypted for the current user",
+        "parameters": [
+          {
+            "name": "vaultId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "$ref": "#/components/schemas/UUID"
+            }
+          },
+          {
+            "name": "evenIfArchived",
+            "in": "query",
+            "schema": {
+              "type": "boolean",
+              "default": false
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "text/plain": {
+                "schema": {
+                  "type": "string"
+                }
+              }
+            }
+          },
+          "402": {
+            "description": "license expired or number of effective vault users that have a token exceeds available license seats"
+          },
+          "403": {
+            "description": "not a vault member"
+          },
+          "404": {
+            "description": "unknown vault"
+          },
+          "410": {
+            "description": "Vault is archived. Only returned if evenIfArchived query param is false or not set, otherwise the archived flag is ignored"
+          },
+          "449": {
+            "description": "User account not yet initialized. Retry after setting up user"
+          },
+          "401": {
+            "description": "Not Authorized"
+          }
+        },
+        "tags": [
+          "Vault Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/vaults/{vaultId}/access-tokens": {
+      "post": {
+        "summary": "adds user-specific vault keys",
+        "description": "Stores one or more user-vaultkey-tuples, as defined in the request body ({user1: token1, user2: token2, ...}).",
+        "parameters": [
+          {
+            "name": "vaultId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "$ref": "#/components/schemas/UUID"
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "additionalProperties": {
+                  "type": "string"
+                },
+                "minProperties": 1
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "description": "all keys stored"
+          },
+          "402": {
+            "description": "number of users granted access exceeds available license seats"
+          },
+          "403": {
+            "description": "not a vault owner"
+          },
+          "404": {
+            "description": "at least one user has not been found"
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "400": {
+            "description": "Bad Request"
+          }
+        },
+        "tags": [
+          "Vault Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/vaults/{vaultId}/authority/{authorityId}": {
+      "delete": {
+        "summary": "remove a user or group from this vault",
+        "description": "revokes the given authority's access rights from this vault. If the given authority is no member, the request is a no-op.",
+        "parameters": [
+          {
+            "name": "authorityId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string",
+              "pattern": "[-_.a-zA-Z0-9]*"
+            }
+          },
+          {
+            "name": "vaultId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "$ref": "#/components/schemas/UUID"
+            }
+          }
+        ],
+        "responses": {
+          "204": {
+            "description": "authority removed"
+          },
+          "403": {
+            "description": "not a vault owner"
+          },
+          "401": {
+            "description": "Not Authorized"
+          }
+        },
+        "tags": [
+          "Vault Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/vaults/{vaultId}/claim-ownership": {
+      "post": {
+        "summary": "claims ownership of a vault",
+        "description": "Assigns the OWNER role to the currently logged in user, who proofs this claim by sending a JWT signed with a private key held by users knowing the Vault Admin Password",
+        "parameters": [
+          {
+            "name": "vaultId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "$ref": "#/components/schemas/UUID"
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/x-www-form-urlencoded": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "proof": {
+                    "type": "string",
+                    "pattern": "[-_A-Za-z0-9]+=*\\.[-_A-Za-z0-9]*=*\\.[-_A-Za-z0-9]*=*"
+                  }
+                }
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "description": "ownership claimed successfully"
+          },
+          "400": {
+            "description": "incorrect proof"
+          },
+          "404": {
+            "description": "no such vault"
+          },
+          "409": {
+            "description": "owned by another user"
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Vault Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/vaults/{vaultId}/groups/{groupId}": {
+      "put": {
+        "summary": "adds a group to this vault or updates its role",
+        "parameters": [
+          {
+            "name": "groupId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string",
+              "pattern": "[-_.a-zA-Z0-9]*"
+            }
+          },
+          {
+            "name": "vaultId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "$ref": "#/components/schemas/UUID"
+            }
+          },
+          {
+            "description": "the role to grant to this group (defaults to MEMBER)",
+            "in": "query",
+            "name": "role",
+            "schema": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/Role"
+                },
+                {
+                  "default": "MEMBER"
+                }
+              ]
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "group's role updated"
+          },
+          "201": {
+            "description": "group added"
+          },
+          "402": {
+            "description": "license is expired or licensed seats would be exceeded after the operation"
+          },
+          "403": {
+            "description": "not a vault owner"
+          },
+          "404": {
+            "description": "group not found"
+          },
+          "401": {
+            "description": "Not Authorized"
+          }
+        },
+        "tags": [
+          "Vault Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/vaults/{vaultId}/keys/{deviceId}": {
+      "get": {
+        "summary": "get the device-specific masterkey of a non-archived vault",
+        "deprecated": true,
+        "parameters": [
+          {
+            "name": "deviceId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string",
+              "pattern": "[-_.a-zA-Z0-9]*"
+            }
+          },
+          {
+            "name": "vaultId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "$ref": "#/components/schemas/UUID"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          },
+          "402": {
+            "description": "number of effective vault users exceeds available license seats"
+          },
+          "403": {
+            "description": "not authorized to access this vault"
+          },
+          "410": {
+            "description": "Vault is archived"
+          },
+          "401": {
+            "description": "Not Authorized"
+          }
+        },
+        "tags": [
+          "Vault Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/vaults/{vaultId}/members": {
+      "get": {
+        "summary": "list vault members",
+        "description": "list all users or groups that this vault has been shared with directly (not inherited via group membership)",
+        "parameters": [
+          {
+            "name": "vaultId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "$ref": "#/components/schemas/UUID"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/MemberDto"
+                  }
+                }
+              }
+            }
+          },
+          "403": {
+            "description": "not a vault owner"
+          },
+          "401": {
+            "description": "Not Authorized"
+          }
+        },
+        "tags": [
+          "Vault Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/vaults/{vaultId}/users-requiring-access-grant": {
+      "get": {
+        "summary": "list members requiring access tokens",
+        "description": "lists all members, that have permissions but lack an access token",
+        "parameters": [
+          {
+            "name": "vaultId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "$ref": "#/components/schemas/UUID"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/MemberDto"
+                  }
+                }
+              }
+            }
+          },
+          "403": {
+            "description": "not a vault owner"
+          },
+          "401": {
+            "description": "Not Authorized"
+          }
+        },
+        "tags": [
+          "Vault Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/vaults/{vaultId}/users/{userId}": {
+      "put": {
+        "summary": "adds a user to this vault or updates her role",
+        "parameters": [
+          {
+            "name": "userId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string",
+              "pattern": "[-_.a-zA-Z0-9]*"
+            }
+          },
+          {
+            "name": "vaultId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "$ref": "#/components/schemas/UUID"
+            }
+          },
+          {
+            "description": "the role to grant to this user (defaults to MEMBER)",
+            "in": "query",
+            "name": "role",
+            "schema": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/Role"
+                },
+                {
+                  "default": "MEMBER"
+                }
+              ]
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "user's role updated"
+          },
+          "201": {
+            "description": "user added"
+          },
+          "402": {
+            "description": "license is expired or licensed seats would be exceeded after the operation"
+          },
+          "403": {
+            "description": "not a vault owner"
+          },
+          "404": {
+            "description": "user not found"
+          },
+          "401": {
+            "description": "Not Authorized"
+          }
+        },
+        "tags": [
+          "Vault Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/vaults/{vaultId}/uvf/jwks.json": {
+      "get": {
+        "summary": "get public vault keys",
+        "description": "retrieves a JWK Set containing public keys related to this vault",
+        "parameters": [
+          {
+            "name": "vaultId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "$ref": "#/components/schemas/UUID"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "string"
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "unknown vault"
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Vault Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/vaults/{vaultId}/uvf/vault.uvf": {
+      "get": {
+        "summary": "get the vault.uvf file",
+        "parameters": [
+          {
+            "name": "vaultId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "$ref": "#/components/schemas/UUID"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "string"
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "unknown vault"
+          },
+          "401": {
+            "description": "Not Authorized"
+          },
+          "403": {
+            "description": "Not Allowed"
+          }
+        },
+        "tags": [
+          "Vault Resource"
+        ],
+        "security": [
+          {
+            "SecurityScheme": [
+              "user"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/version": {
+      "get": {
+        "summary": "get version of hub and keycloak",
+        "responses": {
+          "200": {
+            "description": "OK",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/VersionDto"
+                }
+              }
+            }
+          }
+        },
+        "tags": [
+          "Version Resource"
+        ]
+      }
+    }
+  },
+  "info": {
+    "title": "hub-backend API",
+    "version": "1.5.0-SNAPSHOT"
+  },
+  "servers": [
+    {
+      "url": "http://localhost:8080",
+      "description": "Auto generated value"
+    },
+    {
+      "url": "http://0.0.0.0:8080",
+      "description": "Auto generated value"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/frontend/src/router/index.ts b/frontend/src/router/index.ts
index 22183c3b0..a9787d483 100644
--- a/frontend/src/router/index.ts
+++ b/frontend/src/router/index.ts
@@ -6,7 +6,14 @@ import userdata from '../common/userdata';
 import AdminSettings from '../components/AdminSettings.vue';
 import AuditLog from '../components/AuditLog.vue';
 import AuthenticatedMain from '../components/AuthenticatedMain.vue';
+import GroupDetail from '../components/authority/GroupDetail.vue';
+import GroupEditCreate from '../components/authority/GroupEditCreate.vue';
+import GroupList from '../components/authority/GroupList.vue';
+import UserDetail from '../components/authority/UserDetail.vue';
+import UserEditCreate from '../components/authority/UserEditCreate.vue';
+import UserList from '../components/authority/UserList.vue';
 import CreateVault from '../components/CreateVault.vue';
+import EmergencyAccessVaultList from '../components/emergencyaccess/EmergencyAccessVaultList.vue';
 import Forbidden from '../components/Forbidden.vue';
 import InitialSetup from '../components/InitialSetup.vue';
 import NotFound from '../components/NotFound.vue';
@@ -29,6 +36,9 @@ function checkRole(role: string): NavigationGuardWithThis<undefined> {
     }
   };
 }
+// / start katta extension
+import StorageProfiles from '../components/katta/StorageProfiles.vue';
+// \ end katta extension
 
 const routes: RouteRecordRaw[] = [
   {
@@ -43,23 +53,75 @@ const routes: RouteRecordRaw[] = [
     path: '/app/logout',
     component: AuthenticatedMain, // any component will do
     meta: { skipAuth: true, skipSetup: true },
-    beforeEnter: (to, from, next) => {
-      authPromise.then(async auth => {
-        if (auth.isAuthenticated()) {
-          const loggedOutUri = `${location.origin}${router.resolve('/').href}`;
-          await auth.logout(loggedOutUri);
-        } else {
-          next();
-        }
-      }).catch(error => {
-        next(error);
-      });
+    beforeEnter: async () => {
+      const auth = await authPromise;
+      if (auth.isAuthenticated()) {
+        const loggedOutUri = `${location.origin}${router.resolve('/').href}`;
+        await auth.logout(loggedOutUri);
+        return false; // prevent navigation, as logout will cause a full page reload
+      } else {
+        return true;
+      }
     }
   },
   {
     path: '/app', /* required but unused */
     component: AuthenticatedMain,
     children: [
+      {
+        path: 'emergency-access',
+        component: EmergencyAccessVaultList
+      },
+      {
+        path: 'users',
+        beforeEnter: checkRole('admin'),
+        children: [
+          {
+            path: '',
+            component: UserList
+          },
+          {
+            path: 'create',
+            component: UserEditCreate,
+            props: { id: undefined, mode: 'CREATE' },
+          },
+          {
+            path: ':id',
+            component: UserDetail,
+            props: (route) => ({ id: route.params.id as string }),
+          },
+          {
+            path: ':id/edit',
+            component: UserEditCreate,
+            props: (route) => ({ id: route.params.id as string, mode: 'EDIT' }),
+          },
+        ]
+      },
+      {
+        path: 'groups',
+        beforeEnter: checkRole('admin'),
+        children: [
+          {
+            path: '',
+            component: GroupList
+          },
+          {
+            path: 'create',
+            component: GroupEditCreate,
+            props: { id: undefined, mode: 'CREATE' },
+          },
+          {
+            path: ':id',
+            component: GroupDetail,
+            props: (route) => ({ id: route.params.id as string }),
+          },
+          {
+            path: ':id/edit',
+            component: GroupEditCreate,
+            props: (route) => ({ id: route.params.id as string, mode: 'EDIT' }),
+          },
+        ]
+      },
       {
         path: 'vaults',
         component: VaultList
@@ -103,6 +165,12 @@ const routes: RouteRecordRaw[] = [
             path: 'auditlog',
             component: AuditLog,
           },
+          // / start katta extension
+          {
+            path: 'storageprofiles',
+            component: StorageProfiles,
+          },
+          // \ end katta extension
         ]
       },
     ]
@@ -141,35 +209,34 @@ const router = createRouter({
 });
 
 // FIRST check auth
-router.beforeEach((to, from, next) => {
+router.beforeEach(async (to) => {
   if (to.meta.skipAuth) {
-    next();
+    return true;
+  }
+
+  const auth = await authPromise;
+  if (auth.isAuthenticated()) {
+    return true;
   } else {
-    authPromise.then(async auth => {
-      if (auth.isAuthenticated()) {
-        next();
-      } else {
-        const redirectUri = buildRedirectSyncMeUri(to);
-        auth.login(redirectUri);
-      }
-    });
+    const redirectUri = buildRedirectSyncMeUri(to);
+    auth.login(redirectUri);
+    return false;
   }
 });
 
 // SECOND update user data (requires auth)
-router.beforeEach((to, from, next) => {
-  if ('sync_me' in to.query) {
-    authPromise.then(async auth => {
-      if (auth.isAuthenticated()) {
-        await backend.users.putMe();
-      }
-    }).finally(() => {
-      const { sync_me: _, ...remainingQuery } = to.query; // remove sync_me query parameter to avoid endless recursion
-      next({ path: to.path, query: remainingQuery, replace: true });
-    });
-  } else {
-    next();
+router.beforeEach(async (to) => {
+  if (!('sync_me' in to.query)) {
+    return true;
   }
+
+  const auth = await authPromise;
+  if (auth.isAuthenticated()) {
+    await backend.users.putMe();
+  }
+
+  const { sync_me: _, ...remainingQuery } = to.query; // remove sync_me query parameter to avoid endless recursion
+  return { path: to.path, query: remainingQuery, replace: true };
 });
 
 // THIRD check user/browser keys (requires auth)
diff --git a/frontend/test/common/crypto.spec.ts b/frontend/test/common/crypto.spec.ts
index 1ef37ba4f..dda97a82f 100644
--- a/frontend/test/common/crypto.spec.ts
+++ b/frontend/test/common/crypto.spec.ts
@@ -1,4 +1,4 @@
-import { base64, base64url } from 'rfc4648';
+import { base64, base64urlnopad } from '@scure/base';
 import { beforeAll, beforeEach, describe, expect, it } from 'vitest';
 import { UnwrapKeyError, UserKeys, getJwkThumbprint, getJwkThumbprintStr } from '../../src/common/crypto';
 
@@ -125,25 +125,25 @@ describe('crypto', () => {
   describe('Test Key Pairs', () => {
     it('alice private key (PKCS8)', async () => {
       const bytes = new Uint8Array(await crypto.subtle.exportKey('pkcs8', aliceEcdh.privateKey));
-      const encoded = base64.stringify(bytes);
+      const encoded = base64.encode(bytes);
       expect(encoded).toBe('MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDDCi4K1Ts3DgTz/ufkLX7EGMHjGpJv+WJmFgyzLwwaDFSfLpDw0Kgf3FKK+LAsV8r+hZANiAARLOtFebIjxVYUmDV09Q1sVxz2Nm+NkR8fu6UojVSRcCW13tEZatx8XGrIY9zC7oBCEdRqDc68PMSvS5RA0Pg9cdBNc/kgMZ1iEmEv5YsqOcaNADDSs0bLlXb35pX7Kx5Y=');
     });
 
     it('alice public key (SPKI)', async () => {
       const bytes = new Uint8Array(await crypto.subtle.exportKey('spki', aliceEcdh.publicKey));
-      const encoded = base64.stringify(bytes);
+      const encoded = base64.encode(bytes);
       expect(encoded).toBe('MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAESzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQhHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL+WLKjnGjQAw0rNGy5V29+aV+yseW');
     });
 
     it('bob private key (PKCS8)', async () => {
       const bytes = new Uint8Array(await crypto.subtle.exportKey('pkcs8', bobEcdh.privateKey));
-      const encoded = base64.stringify(bytes);
+      const encoded = base64.encode(bytes);
       expect(encoded).toBe('MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDB2bmFCWy2p+EbAn8NWS5Om+GA7c5LHhRZb8g2pSMSf0fsd7k7dZDVrnyHFiLdd/YGhZANiAAR6bsjTEdXKWIuu1Bvj6Y8wySlIROy7YpmVZTY128ItovCD8pcR4PnFljvAIb2MshCdr1alX4g6cgDOqcTeREiObcSfucOU9Ry1pJ/GnX6KA0eSljrk6rxjSDos8aiZ6Mg=');
     });
 
     it('bob public key (SPKI)', async () => {
       const bytes = new Uint8Array(await crypto.subtle.exportKey('spki', bobEcdh.publicKey));
-      const encoded = base64.stringify(bytes);
+      const encoded = base64.encode(bytes);
       expect(encoded).to.eq('MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEem7I0xHVyliLrtQb4+mPMMkpSETsu2KZlWU2NdvCLaLwg/KXEeD5xZY7wCG9jLIQna9WpV+IOnIAzqnE3kRIjm3En7nDlPUctaSfxp1+igNHkpY65Oq8Y0g6LPGomejI');
     });
   });
@@ -161,7 +161,7 @@ describe('crypto', () => {
     it('compute example thumbprint from RFC 7638, Section 3.1', async () => {
       const thumbprint = await getJwkThumbprint(input);
 
-      expect(base64url.stringify(thumbprint, { pad: false })).toBe('NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs');
+      expect(base64urlnopad.encode(thumbprint)).toBe('NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs');
     });
 
     it('compute example thumbprint from RFC 7638, Section 3.1', async () => {
diff --git a/frontend/test/common/emergencyaccess.spec.ts b/frontend/test/common/emergencyaccess.spec.ts
new file mode 100644
index 000000000..0adbc8d7e
--- /dev/null
+++ b/frontend/test/common/emergencyaccess.spec.ts
@@ -0,0 +1,119 @@
+import { base64 } from '@scure/base';
+import { beforeAll, beforeEach, describe, expect, it } from 'vitest';
+import { ActivatedUser } from '../../src/common/backend';
+import { EmergencyAccess, RecoveryProcess } from '../../src/common/emergencyaccess';
+import { UTF8 } from '../../src/common/util';
+
+describe('Emergency Access', () => {
+  const originalSecret = UTF8.encode('Hello World!');
+
+  let alice: CryptoKeyPair, bob: CryptoKeyPair, carol: CryptoKeyPair, dave: CryptoKeyPair;
+  let aliceDto: ActivatedUser, bobDto: ActivatedUser, carolDto: ActivatedUser, daveDto: ActivatedUser;
+
+  beforeAll(async () => {
+    // prepare some test key pairs:
+    alice = await crypto.subtle.generateKey({ name: 'ECDH', namedCurve: 'P-384' }, false, ['deriveBits']);
+    bob = await crypto.subtle.generateKey({ name: 'ECDH', namedCurve: 'P-384' }, false, ['deriveBits']);
+    carol = await crypto.subtle.generateKey({ name: 'ECDH', namedCurve: 'P-384' }, false, ['deriveBits']);
+    dave = await crypto.subtle.generateKey({ name: 'ECDH', namedCurve: 'P-384' }, false, ['deriveBits']);
+    aliceDto = await createUserDto('alice', alice.publicKey);
+    bobDto = await createUserDto('bob', bob.publicKey);
+    carolDto = await createUserDto('carol', carol.publicKey);
+    daveDto = await createUserDto('dave', dave.publicKey);
+  });
+
+  it('Split Secret, requiring any 3 of [alice, bob, carol, dave]', async () => {
+    const shares = await EmergencyAccess.split(originalSecret, 3, aliceDto, bobDto, carolDto, daveDto);
+
+    expect(shares).to.have.property('alice');
+    expect(shares).to.have.property('bob');
+    expect(shares).to.have.property('carol');
+    expect(shares).to.have.property('dave');
+  });
+
+  it('Start Recovery Process', async () => {
+    const councilMembers = [aliceDto, bobDto, carolDto, daveDto];
+    const recoveryProcess = await EmergencyAccess.startRecovery(councilMembers);
+
+    expect(recoveryProcess).to.have.property('recoveryPublicKey');
+    expect(recoveryProcess).to.have.property('recoveryPrivateKeys');
+    expect(recoveryProcess.recoveryPrivateKeys).to.have.property('alice');
+    expect(recoveryProcess.recoveryPrivateKeys).to.have.property('bob');
+    expect(recoveryProcess.recoveryPrivateKeys).to.have.property('carol');
+    expect(recoveryProcess.recoveryPrivateKeys).to.have.property('dave');
+  });
+
+  describe('Finish Recovery', () => {
+    let keyShares: Record<string, string>;
+    let recoveryProcess: RecoveryProcess;
+
+    beforeEach(async () => {
+      // split some secret:
+      const secret = 'Hello World!';
+      const secretBytes = UTF8.encode(secret);
+      keyShares = await EmergencyAccess.split(secretBytes, 3, aliceDto, bobDto, carolDto, daveDto);
+
+      // start recovery:
+      const councilMembers = [aliceDto, bobDto, carolDto, daveDto];
+      recoveryProcess = await EmergencyAccess.startRecovery(councilMembers);
+    });
+
+    it('recover fails as Alice + Bob', async () => {
+      const recoveredAlice = await EmergencyAccess.recoverShare(keyShares['alice'], alice.privateKey, recoveryProcess.recoveryPublicKey);
+      const recoveredBob = await EmergencyAccess.recoverShare(keyShares['bob'], bob.privateKey, recoveryProcess.recoveryPublicKey);
+
+      const recovered = await EmergencyAccess.combineRecoveredShares([recoveredAlice, recoveredBob], recoveryProcess.recoveryPrivateKeys.alice, alice.privateKey);
+
+      expect(recovered).not.to.deep.eq(originalSecret);
+    });
+
+    it('recover as Alice + Bob + Carol', async () => {
+      const recoveredAlice = await EmergencyAccess.recoverShare(keyShares['alice'], alice.privateKey, recoveryProcess.recoveryPublicKey);
+      const recoveredBob = await EmergencyAccess.recoverShare(keyShares['bob'], bob.privateKey, recoveryProcess.recoveryPublicKey);
+      const recoveredCarol = await EmergencyAccess.recoverShare(keyShares['carol'], carol.privateKey, recoveryProcess.recoveryPublicKey);
+
+      const recovered = await EmergencyAccess.combineRecoveredShares([recoveredAlice, recoveredBob, recoveredCarol], recoveryProcess.recoveryPrivateKeys.alice, alice.privateKey);
+
+      expect(recovered).to.deep.eq(originalSecret);
+    });
+
+    it('recover as Alice + Carol + Dave', async () => {
+      const recoveredAlice = await EmergencyAccess.recoverShare(keyShares['alice'], alice.privateKey, recoveryProcess.recoveryPublicKey);
+      const recoveredCarol = await EmergencyAccess.recoverShare(keyShares['carol'], carol.privateKey, recoveryProcess.recoveryPublicKey);
+      const recoveredDave = await EmergencyAccess.recoverShare(keyShares['dave'], dave.privateKey, recoveryProcess.recoveryPublicKey);
+
+      const recovered = await EmergencyAccess.combineRecoveredShares([recoveredAlice, recoveredCarol, recoveredDave], recoveryProcess.recoveryPrivateKeys.carol, carol.privateKey);
+
+      expect(recovered).to.deep.eq(originalSecret);
+    });
+
+    it('recover as Alice + Bob + Carol + Dave', async () => {
+      const recoveredAlice = await EmergencyAccess.recoverShare(keyShares['alice'], alice.privateKey, recoveryProcess.recoveryPublicKey);
+      const recoveredBob = await EmergencyAccess.recoverShare(keyShares['bob'], bob.privateKey, recoveryProcess.recoveryPublicKey);
+      const recoveredCarol = await EmergencyAccess.recoverShare(keyShares['carol'], carol.privateKey, recoveryProcess.recoveryPublicKey);
+      const recoveredDave = await EmergencyAccess.recoverShare(keyShares['dave'], dave.privateKey, recoveryProcess.recoveryPublicKey);
+
+      const recovered = await EmergencyAccess.combineRecoveredShares([recoveredAlice, recoveredBob, recoveredCarol, recoveredDave], recoveryProcess.recoveryPrivateKeys.dave, dave.privateKey);
+
+      expect(recovered).to.deep.eq(originalSecret);
+    });
+  });
+});
+
+/* ---------- MOCKS ---------- */
+
+async function createUserDto(id: string, publicKey: CryptoKey): Promise<ActivatedUser> {
+  const keyBytes = new Uint8Array(await crypto.subtle.exportKey('spki', publicKey));
+  return {
+    type: 'USER',
+    id: id,
+    name: `User ${id}`,
+    email: '',
+    realmRoles: [],
+    enabled: true,
+    devices: [],
+    accessibleVaults: [],
+    ecdhPublicKey: base64.encode(keyBytes),
+    ecdsaPublicKey: ''
+  };
+}
diff --git a/frontend/test/common/jwe.spec.ts b/frontend/test/common/jwe.spec.ts
index e2de1260c..ee7135fbe 100644
--- a/frontend/test/common/jwe.spec.ts
+++ b/frontend/test/common/jwe.spec.ts
@@ -1,4 +1,4 @@
-import { base64, base64url } from 'rfc4648';
+import { base64, base64urlnopad } from '@scure/base';
 import { beforeEach, describe, expect, it } from 'vitest';
 import { ConcatKDF, ECDH_ES, ECDH_P384, EncryptedJWE, JWE, JWEHeader, PBES2, Recipient } from '../../src/common/jwe';
 
@@ -90,7 +90,7 @@ describe('JWE', () => {
     it('decrypt ECDH-ES', async () => {
       // JWE generated by https://dinochiesa.github.io/jwt/
       const jwe = 'eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6InpMYlRUN3M5d3lZeGpHdGZxeHVDQk81TTNTMTlNRzJHUGJzTlJhMFEwT2MiLCJ5IjoiTGpmVG9jLXpIcWRqcHA4VURPSl9aS1JLQ0FoSGpSSmFGS0FJbjdTR1RXdyJ9fQ..30WmoR8Qp1VA5NMr.TBRC30hVRwi_W_HIe03JWNY.zvfl5wQuG8vhUjhr1-f8jQ';
-      const rawRecipientPrivateKey = base64.parse('MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgzMoA2cm0rNRLA3zZa2VzYxd1QLFTdOxsMQ+6V6faoLmhRANCAAR4M7kZS/VdkdOQG56ELvL2/3L8ti+yQeQBv0BuyUJqWHMOv13VLZOKTnvtFrAZbjM6lONayft9qSr43thfj1Pb', { loose: true });
+      const rawRecipientPrivateKey = base64.decode('MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgzMoA2cm0rNRLA3zZa2VzYxd1QLFTdOxsMQ+6V6faoLmhRANCAAR4M7kZS/VdkdOQG56ELvL2/3L8ti+yQeQBv0BuyUJqWHMOv13VLZOKTnvtFrAZbjM6lONayft9qSr43thfj1Pb') as Uint8Array<ArrayBuffer>;
       const recipientPrivateKey = await crypto.subtle.importKey('pkcs8', rawRecipientPrivateKey, { name: 'ECDH', namedCurve: 'P-256' }, false, ['deriveBits']);
       const orig = { hello: 'world' };
       const recipient = Recipient.ecdhEs('alice', recipientPrivateKey);
@@ -102,7 +102,7 @@ describe('JWE', () => {
     it('decrypt ECDH-ES+A256KW 1', async () => {
       // JWE generated by https://dinochiesa.github.io/jwt/
       const jwe = 'eyJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTI1NiIsIngiOiJGX3lIQWlEQkNMajdVdW43NXZtTGpsSkRnSFRmVnFPUW51X0g0cGhNbjVZIiwieSI6IlFMRThtd1V2M0tDU3pjNmtqT0R2QnhEQjFqRFdUVnE1N052UlpUcFZNZFUifSwiZW5jIjoiQTI1NkdDTSIsImFsZyI6IkVDREgtRVMrQTI1NktXIn0.ziLX2llBDAO0Ha_EV2QyLVGo47qN0c2QpSt-tu35yn8t6Q-elpVG3A.QXT0c27wNHVbvcQN.z82EXvOQ_IWaCGcSmlizzFY.JkrlVlJin8E4uH4WEjPs0w';
-      const rawRecipientPrivateKey = base64.parse('MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg8w/B3QWfLRwtt+pCYScLE8CzqWOYGYl/t2gwmb89AA2hRANCAAR/S7NvYpmAinsrGaDaFNmN8eQFRpwc5alP4Clu8hV//hcrN9DMHGbO2lsKk//ktpUNXt4Fj4UIsBw3ABUchbxI', { loose: true });
+      const rawRecipientPrivateKey = base64.decode('MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg8w/B3QWfLRwtt+pCYScLE8CzqWOYGYl/t2gwmb89AA2hRANCAAR/S7NvYpmAinsrGaDaFNmN8eQFRpwc5alP4Clu8hV//hcrN9DMHGbO2lsKk//ktpUNXt4Fj4UIsBw3ABUchbxI') as Uint8Array<ArrayBuffer>;
       const recipientPrivateKey = await crypto.subtle.importKey('pkcs8', rawRecipientPrivateKey, { name: 'ECDH', namedCurve: 'P-256' }, false, ['deriveBits']);
       const orig = { hello: 'world' };
       const recipient = Recipient.ecdhEs('alice', recipientPrivateKey);
@@ -174,7 +174,7 @@ describe('JWE', () => {
     it('decrypt', async () => {
       // JWE generated by https://dinochiesa.github.io/jwt/
       const jwe = 'eyJhbGciOiJBMjU2S1ciLCJlbmMiOiJBMjU2R0NNIn0.JTSrGbw4XEKXYFTC7siTT7DIZUX2SogThcLKXgxe0FPK3Fi8ckjr9A.zQx0t4qoTVIc-h5f.cmqzZ-md3cvdTNH9FWbKOsw.DCdGhmdwjoYKIuNC5zgQJQ';
-      const rawKek = base64url.parse('y_uxz8iAtcOXlqMYpm2jASvDWokpCYMtwkthFSK6IF0', { loose: true });
+      const rawKek = base64urlnopad.decode('y_uxz8iAtcOXlqMYpm2jASvDWokpCYMtwkthFSK6IF0') as Uint8Array<ArrayBuffer>;
       const kek = await crypto.subtle.importKey('raw', rawKek, 'AES-KW', false, ['unwrapKey']);
       const orig = { hello: 'world' };
       const recipient = Recipient.a256kw('kw', kek);
@@ -237,8 +237,8 @@ describe('JWE', () => {
         alg: 'ECDH-ES', // not relevant for this test
         enc: 'A128GCM',
         epk: alicePub,
-        apu: base64url.stringify(apu, { pad: false }),
-        apv: base64url.stringify(apv, { pad: false })
+        apu: base64urlnopad.encode(apu),
+        apv: base64urlnopad.encode(apv)
       };
       const derived = await ECDH_ES.deriveContentKey(bob, alice, 256, 16, header, true);
       const derivedBytes = await crypto.subtle.exportKey('raw', derived);
diff --git a/frontend/test/common/universalVaultFormat.spec.ts b/frontend/test/common/universalVaultFormat.spec.ts
index 0498d965c..dfe49fbbd 100644
--- a/frontend/test/common/universalVaultFormat.spec.ts
+++ b/frontend/test/common/universalVaultFormat.spec.ts
@@ -1,4 +1,4 @@
-import { base64, base64url } from 'rfc4648';
+import { base64, base64urlnopad } from '@scure/base';
 import { beforeAll, beforeEach, describe, expect, it } from 'vitest';
 import { VaultDto } from '../../src/common/backend';
 import { UserKeys } from '../../src/common/crypto';
@@ -55,7 +55,7 @@ describe('UVF', () => {
 
   describe('VaultMetadata', () => {
     it('create()', async () => {
-      const orig = await VaultMetadata.create({ enabled: true, maxWotDepth: -1 });
+      const orig = await VaultMetadata.create({ enabled: true, maxWotDepth: -1 }, { provider: '', defaultPath: '', nickname: '', region: ''});
       expect(orig).to.be.not.null;
       expect(orig.seeds.get(orig.initialSeedId)).to.not.be.undefined;
       expect(orig.seeds.get(orig.initialSeedId)!.length).to.eq(32);
@@ -68,11 +68,11 @@ describe('UVF', () => {
 
       beforeEach(async () => {
         // prepare some test metadata:
-        original = await VaultMetadata.create({ enabled: true, maxWotDepth: -1 });
+        original = await VaultMetadata.create({ enabled: true, maxWotDepth: -1 }, { provider: 'provider', defaultPath: 'defaultPath', nickname: 'nickname', region: 'region'});
       });
 
       it('decrypt(encrypt(orig)) == orig', async () => {
-        const dto: VaultDto = { id: '123', name: 'test', archived: false, creationTime: new Date() };
+        const dto: VaultDto = { id: '123', name: 'test', archived: false, creationTime: new Date(), requiredEmergencyKeyShares: 0, emergencyKeyShares: {} };
         const vaultMemberKey = await MemberKey.create();
         const recoveryKey = await RecoveryKey.create();
 
@@ -90,6 +90,7 @@ describe('UVF', () => {
         expect(decrypted.initialSeedId).to.eq(original.initialSeedId);
         expect(decrypted.latestSeedId).to.eq(original.latestSeedId);
         expect(decrypted.automaticAccessGrant).to.deep.eq(original.automaticAccessGrant);
+        expect(decrypted.backend).to.deep.eq(original.backend);
         expect(decrypted.payload().fileFormat).to.eq('AES-256-GCM-32k');
         expect(decrypted.payload().nameFormat).to.eq('AES-SIV-512-B64URL');
         expect(decrypted.payload().kdf).to.eq('HKDF-SHA512');
@@ -167,7 +168,7 @@ describe('UVF', () => {
 
   describe('UniversalVaultFormat', () => {
     it('create()', async () => {
-      const uvf = await UniversalVaultFormat.create({ enabled: true, maxWotDepth: -1 });
+      const uvf = await UniversalVaultFormat.create({ enabled: true, maxWotDepth: -1 }, { provider: '', defaultPath: '', nickname: '', region: ''});
       expect(uvf).to.be.not.null;
       expect(uvf.metadata).to.be.not.null;
       expect(uvf.memberKey).to.be.not.null;
@@ -180,6 +181,8 @@ describe('UVF', () => {
         name: 'test',
         archived: false,
         creationTime: new Date(),
+        requiredEmergencyKeyShares: 0,
+        emergencyKeyShares: {},
         uvfMetadataFile: '{"protected":"eyJvcmlnaW4iOiJodHRwcy4vL2V4YW1wbGUuY29tL2FwaS8vdmF1bHRzLzEyMy91dmYvdmF1bHQudXZmIiwiamt1Ijoiandrcy5qc29uIiwiZW5jIjoiQTI1NkdDTSJ9","recipients":[{"header":{"kid":"org.cryptomator.hub.memberkey","alg":"A256KW"},"encrypted_key":"vJ16vGF2Z3NcA7nXPnVrgDLzgxZ8RFtySgf0FsckcrTBfKDg4hAK0w"},{"header":{"kid":"org.cryptomator.hub.recoverykey.J7-F_hjMaygRKdqIoZrbxSqVSRFJ5aF8BXuOCoBBGjw","alg":"ECDH-ES+A256KW","epk":{"key_ops":[],"ext":true,"kty":"EC","x":"oQZ8e-e9UIOtbN50ySx5Xwik9ET3uu38Bzl6HdDR8uipOzdXIO8OUhVQMJWqEHjs","y":"cTP6OI_YfdCVPVWpGOA1SjQ6-4vUpE4a6QJx3JSw29DkOL70Rjl4GAcDc4Iw-VHY","crv":"P-384"},"apu":"","apv":""},"encrypted_key":"m_tSjpBcNQK42pgqLA9YDZYa3WQwJZ94HhGIpwOcKDoJQ8lP8IKbFw"}],"iv":"XPY9W-TE__Hu2m53","ciphertext":"uoukmSAuFTq-20gD9Ayum8iH6ERrld6cNV_ZTyfHBcWeIIZKOdp3RWWEtzNagVnRy5ix0yAafJIa14aSLnsxFv-NhzW1BirU5YypIkvFIO4cPnjI54vzd8nEtPdpp6z2JOqKUvZQYN89Y2EGoXb33FmQAwVMNJt_xDn2Bcb1dvI0q0uKLUidsvFL87NHSA8KUVWjXmmFdjibfqhWuO9YtFVoYD2Oqso9TzQIRMnDt3aIcVAouTTE7bR9O8kj5nseNID2gQ2osKlJVVcUn-4Cn0bI2w_-SeAfAvnePWLmolF8q79_aOsMkow3zMGsQHFoVU3PWCHR374Z02Lnt0Mj5_aUu_k8R5L11xNZQ0EYY7XWWGoUjRif7HmRfTZoHbJwvnHWk5q6IuEEjd_zSa4_im7PpoEofZR2EcH7Zz_Llq00wPWT05ZD82aRo3VCRNs6A2s6Jd8hspnaYA","tag":"j-xKxc2aZ2EDHDm8CzNf8Tj4QIkruZauF0LeUwrhq6c"}',
         uvfKeySet: '{"keys": [{"kid":"org.cryptomator.hub.recoverykey.J7-F_hjMaygRKdqIoZrbxSqVSRFJ5aF8BXuOCoBBGjw","kty":"EC","crv":"P-384","x":"3ydUf9ZwzYc9RAT2X4nMnJIU2nGbwRbvLj0ve7-C6_i6LaBpy2EbUrfrOBYbEoAN","y":"CQ77rXdI5tg0pyPpTLWzke2l_dMt6k9FquZpilf-_35XlK6weIEdh-ialC-Tw8P0"}]}'
       };
@@ -190,9 +193,9 @@ describe('UVF', () => {
       expect(uvf.metadata).to.be.not.null;
       expect(uvf.metadata.initialSeedId).to.eq(473544690);
       expect(uvf.metadata.latestSeedId).to.eq(1075513622);
-      expect(base64url.stringify(uvf.metadata.kdfSalt, { pad: false })).to.eq('NIlr89R7FhochyP4yuXZmDqCnQ0dBB3UZ2D-6oiIjr8');
-      expect(base64url.stringify(uvf.metadata.initialSeed, { pad: false })).to.eq('ypeBEsobvcr6wjGzmiPcTaeG7_gUfE5yuYB3ha_uSLs');
-      expect(base64url.stringify(uvf.metadata.latestSeed, { pad: false })).to.eq('Ln0sA6lQeuJl7PW1NWiFpTOTogKdJBOUmXJloaJa78Y');
+      expect(base64urlnopad.encode(uvf.metadata.kdfSalt)).to.eq('NIlr89R7FhochyP4yuXZmDqCnQ0dBB3UZ2D-6oiIjr8');
+      expect(base64urlnopad.encode(uvf.metadata.initialSeed)).to.eq('ypeBEsobvcr6wjGzmiPcTaeG7_gUfE5yuYB3ha_uSLs');
+      expect(base64urlnopad.encode(uvf.metadata.latestSeed)).to.eq('Ln0sA6lQeuJl7PW1NWiFpTOTogKdJBOUmXJloaJa78Y');
       expect(uvf.memberKey).to.be.not.null;
       expect(uvf.recoveryKey).to.be.not.null;
       expect(uvf.recoveryKey.privateKey).to.be.undefined;
@@ -208,9 +211,9 @@ describe('UVF', () => {
       expect(uvf.metadata).to.be.not.null;
       expect(uvf.metadata.initialSeedId).to.eq(473544690);
       expect(uvf.metadata.latestSeedId).to.eq(1075513622);
-      expect(base64url.stringify(uvf.metadata.kdfSalt, { pad: false })).to.eq('NIlr89R7FhochyP4yuXZmDqCnQ0dBB3UZ2D-6oiIjr8');
-      expect(base64url.stringify(uvf.metadata.initialSeed, { pad: false })).to.eq('ypeBEsobvcr6wjGzmiPcTaeG7_gUfE5yuYB3ha_uSLs');
-      expect(base64url.stringify(uvf.metadata.latestSeed, { pad: false })).to.eq('Ln0sA6lQeuJl7PW1NWiFpTOTogKdJBOUmXJloaJa78Y');
+      expect(base64urlnopad.encode(uvf.metadata.kdfSalt)).to.eq('NIlr89R7FhochyP4yuXZmDqCnQ0dBB3UZ2D-6oiIjr8');
+      expect(base64urlnopad.encode(uvf.metadata.initialSeed)).to.eq('ypeBEsobvcr6wjGzmiPcTaeG7_gUfE5yuYB3ha_uSLs');
+      expect(base64urlnopad.encode(uvf.metadata.latestSeed)).to.eq('Ln0sA6lQeuJl7PW1NWiFpTOTogKdJBOUmXJloaJa78Y');
       expect(uvf.memberKey).to.be.not.null;
       expect(uvf.recoveryKey).to.be.not.null;
       expect(uvf.recoveryKey.privateKey).to.be.not.null;
@@ -250,7 +253,7 @@ describe('UVF', () => {
       });
 
       it('createMetadataFile() creates a vault.uvf file', async () => {
-        const json = await uvf.createMetadataFile('https.//example.com/api/', { id: '123', name: 'test', archived: false, creationTime: new Date() });
+        const json = await uvf.createMetadataFile('https.//example.com/api/', { id: '123', name: 'test', archived: false, creationTime: new Date(), requiredEmergencyKeyShares: 0, emergencyKeyShares: {} });
         expect(json).to.be.not.null;
         const jwe = JSON.parse(json) as JsonJWE;
         expect(jwe.protected).to.not.be.empty;
@@ -275,18 +278,18 @@ describe('UVF', () => {
       it('computeRootDirId() deterministically creates a dir ID', async () => {
         const dirId = await uvf.computeRootDirId();
         expect(dirId).to.have.a.lengthOf(32);
-        expect(base64.stringify(dirId)).to.eq('5WEGzwKkAHPwVSjT2Brr3P3zLz7oMiNpMn/qBvht7eM=');
+        expect(base64.encode(dirId)).to.eq('5WEGzwKkAHPwVSjT2Brr3P3zLz7oMiNpMn/qBvht7eM=');
       });
 
       it('computeRootDirIdHash() creates a truncated hmac', async () => {
-        const rootDirId = base64.parse('5WEGzwKkAHPwVSjT2Brr3P3zLz7oMiNpMn/qBvht7eM=').slice();
+        const rootDirId = base64.decode('5WEGzwKkAHPwVSjT2Brr3P3zLz7oMiNpMn/qBvht7eM=') as Uint8Array<ArrayBuffer>;
         const hash = await uvf.computeRootDirIdHash(rootDirId);
         expect(hash).to.have.a.lengthOf(32);
         expect(hash).to.eq('RZK7ZH7KBXULNEKBMGX3CU42PGUIAIX4');
       });
 
       it('encryptFile() creates some ciphertext', async () => {
-        const rootDirId = base64.parse('5WEGzwKkAHPwVSjT2Brr3P3zLz7oMiNpMn/qBvht7eM=').slice();
+        const rootDirId = base64.decode('5WEGzwKkAHPwVSjT2Brr3P3zLz7oMiNpMn/qBvht7eM=') as Uint8Array<ArrayBuffer>;
         const fileContent = await uvf.encryptFile(rootDirId, uvf.metadata.initialSeedId);
         expect(fileContent).to.have.a.lengthOf(128);
         expect(fileContent.slice(0, 4)).to.eql(new Uint8Array([0x75, 0x76, 0x66, 0x01])); // magic bytes
diff --git a/frontend/tsconfig.json b/frontend/tsconfig.json
index 11d884964..496158cb5 100644
--- a/frontend/tsconfig.json
+++ b/frontend/tsconfig.json
@@ -2,7 +2,7 @@
   "compilerOptions": {
     "target": "ES2023",
     "lib": ["ES2023", "dom"],
-    "module": "ES2022",
+    "module": "esnext",
 
     /* Bundler mode */
     "moduleResolution": "bundler",
@@ -12,10 +12,10 @@
 
     /* Linting */
     "strict": true,
+    "skipLibCheck": true,
     "resolveJsonModule": true,
     "noUnusedLocals": false,
-    "noFallthroughCasesInSwitch": true,
-    "useUnknownInCatchVariables": false, // Workaround for `node_modules/miscreant/src/providers/webcrypto.ts:21:11 - error TS18046: 'e' is of type 'unknown'.`
+    "noFallthroughCasesInSwitch": true
   },
   "ts-node": {
     "esm": true,
diff --git a/frontend/vite.config.ts b/frontend/vite.config.ts
index aef7e40bc..d1a8eb4f7 100644
--- a/frontend/vite.config.ts
+++ b/frontend/vite.config.ts
@@ -21,10 +21,16 @@ export default defineConfig({
     rollupOptions: {
       output: {
         manualChunks: (id: string) => {
-          if (id.includes('node_modules')) {
-            return 'vendor';
-          } else {
-            return 'main';
+          if (id.includes('/node_modules/@heroicons/')) {
+            return 'heroicons';
+          } else if (id.includes('/node_modules/vue')) {
+            return 'vue';
+          } else if (id.includes('/node_modules/')) {
+            return 'libs';
+          } else if (id.includes('/src/i18n/')) {
+            return 'locales';
+          } else if (id.includes('/src/components/emergencyaccess/')) {
+            return 'emergency-access';
           }
         }
       }
diff --git a/keycloak/Dockerfile b/keycloak/Dockerfile
index 6103a57d3..05ac5148b 100644
--- a/keycloak/Dockerfile
+++ b/keycloak/Dockerfile
@@ -1,7 +1,6 @@
-FROM quay.io/keycloak/keycloak:26.4.5 as builder
+FROM quay.io/keycloak/keycloak:26.5.6 as builder
 ENV KC_HEALTH_ENABLED=true
 ENV KC_METRICS_ENABLED=true
-ENV KC_HTTP_RELATIVE_PATH=/kc
 ENV KC_FEATURES=web-authn
 ENV KC_DB=postgres
 RUN /opt/keycloak/bin/kc.sh build
@@ -11,10 +10,12 @@ FROM registry.access.redhat.com/ubi9 AS ubi-micro-build
 RUN mkdir -p /mnt/rootfs
 RUN dnf install --installroot /mnt/rootfs curl --releasever 9 --setopt install_weak_deps=false --nodocs -y; dnf --installroot /mnt/rootfs clean all
 
-FROM quay.io/keycloak/keycloak:26.4.5
-LABEL maintainer="info@skymatic.de"
+FROM quay.io/keycloak/keycloak:26.5.6
+# / katta start addition
+LABEL maintainer="info@shift7.ch"
+# \ katta start addition
 COPY --from=builder /opt/keycloak/ /opt/keycloak/
 COPY --from=ubi-micro-build /mnt/rootfs /
-COPY /themes/cryptomator /opt/keycloak/themes/cryptomator
+COPY /themes/katta /opt/keycloak/themes/katta
 WORKDIR /opt/keycloak
 ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
diff --git a/keycloak/README.md b/keycloak/README.md
index 9d752263d..5f64be52c 100644
--- a/keycloak/README.md
+++ b/keycloak/README.md
@@ -1,13 +1,13 @@
 # Custom Keycloak Image
 
-This custom keycloak image adds a Cryptomator theme and sets some build-time configuration values.
+This custom keycloak image adds a Katta theme and sets some build-time configuration values.
 
 ## Theme Development
 
 For local testing, build the changed theme
 
 ```shell script
-cd themes/cryptomator/common/resources
+cd themes/katta/common/resources
 npm install
 npm run build
 ```
@@ -19,21 +19,21 @@ and then create the docker image.
 For live coding, start Keycloak in dev mode (to disable theme caching) and mounting the theme folder as a volume:
 
 ```shell script
-docker run --rm -it -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -v $(pwd)/themes/cryptomator:/opt/keycloak/themes/cryptomator:ro quay.io/keycloak/keycloak:19.0 start-dev
+docker run --rm -it -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -v $(pwd)/themes/katta:/opt/keycloak/themes/katta:ro quay.io/keycloak/keycloak:26.3.5 start-dev
 ```
 
 Using a different shell, build the web components:
 
 ```shell script
-cd themes/cryptomator/common/resources
+cd themes/katta/common/resources
 npm install
 npm run dev
 ```
 
-The Cryptomator Theme is [based on the Base theme](https://github.com/keycloak/keycloak/tree/main/themes/src/main/resources/theme/base). Use it as a reference.
+The Katta Theme is [based on the Base theme](https://github.com/keycloak/keycloak/tree/main/themes/src/main/resources/theme/base). Use it as a reference.
 
 ## Release Builds
 
-Release builds are created for amd64 and arm64 by triggering [this GitHub Workflow](https://github.com/cryptomator/hub/actions/workflows/keycloak.yml).
+Release builds are created for amd64 and arm64 by triggering [this GitHub Workflow](https://github.com/shift7-ch/katta-server/actions/workflows/keycloak.yml).
 
-Please use a tag based on the base image, so we can easily know that e.g. `ghcr.io/cryptomator/keycloak:19.0.1.4` is based on `quay.io/keycloak/keycloak:19.0.1`.
\ No newline at end of file
+Please use a tag based on the base image, so we can easily know that e.g. `ghcr.io/shift7-ch/keycloak:19.0.1.4` is based on `quay.io/keycloak/keycloak:19.0.1`.
diff --git a/keycloak/pom.xml b/keycloak/pom.xml
new file mode 100755
index 000000000..9c41aa0cf
--- /dev/null
+++ b/keycloak/pom.xml
@@ -0,0 +1,167 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+    <name>Katta Token Exchange Service Provider</name>
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>cloud.katta</groupId>
+    <artifactId>katta-token-exchange-service-provider</artifactId>
+    <version>0.0.1-SNAPSHOT</version>
+    <packaging>jar</packaging>
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <project.jdk.version>21</project.jdk.version>
+        <compiler-plugin.version>3.13.0</compiler-plugin.version>
+        <failsafe-plugin.version>3.2.5</failsafe-plugin.version>
+
+        <keycloak.version>26.5.5</keycloak.version>
+        <junit-jupiter.version>5.8.2</junit-jupiter.version>
+
+        <slf4j-version>1.7.36</slf4j-version>
+        <log4j-version>2.24.3</log4j-version>
+    </properties>
+
+    <build>
+        <finalName>${project.artifactId}</finalName>
+        <plugins>
+            <plugin>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>${compiler-plugin.version}</version>
+                <configuration>
+                    <release>${project.jdk.version}</release>
+                </configuration>
+            </plugin>
+            <plugin>
+                <artifactId>maven-resources-plugin</artifactId>
+                <version>3.3.1</version>
+                <executions>
+                    <execution>
+                        <id>copy-resources</id>
+                        <phase>validate</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${basedir}/target/classes</outputDirectory>
+                            <resources>
+                                <resource>
+                                    <directory>../backend/src/main/resources/</directory>
+                                    <includes>
+                                        <include>cryptomator-realm.json</include>
+                                    </includes>
+                                </resource>
+                            </resources>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <artifactId>maven-failsafe-plugin</artifactId>
+                <version>${failsafe-plugin.version}</version>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>integration-test</goal>
+                            <goal>verify</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-core</artifactId>
+            <version>${keycloak.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-model-infinispan</artifactId>
+            <version>${keycloak.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-server-spi</artifactId>
+            <version>${keycloak.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-server-spi-private</artifactId>
+            <version>${keycloak.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-services</artifactId>
+            <version>${keycloak.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-saml-core</artifactId>
+            <version>${keycloak.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.json</groupId>
+            <artifactId>json</artifactId>
+            <version>20240303</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-engine</artifactId>
+            <version>${junit-jupiter.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-api</artifactId>
+            <version>${junit-jupiter.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-params</artifactId>
+            <version>${junit-jupiter.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.rest-assured</groupId>
+            <artifactId>rest-assured</artifactId>
+            <version>5.4.0</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.github.dasniko</groupId>
+            <artifactId>testcontainers-keycloak</artifactId>
+            <version>3.9.0</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-api</artifactId>
+            <version>${log4j-version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-core</artifactId>
+            <version>${log4j-version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-slf4j-impl</artifactId>
+            <version>${log4j-version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+            <version>${slf4j-version}</version>
+        </dependency>
+    </dependencies>
+</project>
diff --git a/keycloak/src/test/java/cloud/katta/JWTDecoder.java b/keycloak/src/test/java/cloud/katta/JWTDecoder.java
new file mode 100644
index 000000000..aae54022f
--- /dev/null
+++ b/keycloak/src/test/java/cloud/katta/JWTDecoder.java
@@ -0,0 +1,16 @@
+package cloud.katta;
+
+import org.json.JSONException;
+import org.json.JSONObject;
+
+import java.util.Base64;
+
+public class JWTDecoder {
+	static JSONObject deocdeJWT(String token) throws JSONException {
+		String[] chunks = token.split("\\.");
+		Base64.Decoder decoder = Base64.getUrlDecoder();
+
+		String payload = new String(decoder.decode(chunks[1]));
+		return new JSONObject(payload);
+	}
+}
diff --git a/keycloak/src/test/java/cloud/katta/KattaTokenExchangeIT.java b/keycloak/src/test/java/cloud/katta/KattaTokenExchangeIT.java
new file mode 100644
index 000000000..5177e7719
--- /dev/null
+++ b/keycloak/src/test/java/cloud/katta/KattaTokenExchangeIT.java
@@ -0,0 +1,687 @@
+package cloud.katta;
+
+import static cloud.katta.JWTDecoder.deocdeJWT;
+import dasniko.testcontainers.keycloak.KeycloakContainer;
+import io.restassured.RestAssured;
+import static io.restassured.RestAssured.given;
+import io.restassured.response.ValidatableResponse;
+import jakarta.ws.rs.core.Response;
+import org.json.JSONException;
+import org.json.JSONObject;
+import static org.junit.jupiter.api.Assertions.*;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
+import org.keycloak.admin.client.Keycloak;
+import org.keycloak.admin.client.resource.ClientResource;
+import org.keycloak.admin.client.resource.ClientScopeResource;
+import org.keycloak.admin.client.resource.RealmResource;
+import org.keycloak.representations.idm.*;
+import org.testcontainers.shaded.com.trilead.ssh2.crypto.Base64;
+
+import java.nio.charset.StandardCharsets;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+
+/**
+ * In katta, we want to use vault-specific tokens for
+ * <ul>
+ *     <li>fine-grained access management for S3 storage access</li>
+ *     <li>token size restriction (leading to <a href="https://repost.aws/knowledge-center/iam-role-aws-sts-error">PackedPolicyTooLarge</a>)</li>
+ * </ul>
+ * Therefore, we use <a href="https://www.keycloak.org/securing-apps/token-exchange#_standard-token-exchange">Standard token exchange: version 2 (V2)</a> to exchange an initial token (requiring user interaction for authentication) for vault-specific target tokens we use for STS/S3 calls.
+ * <p>
+ * We implement <a href="https://www.keycloak.org/securing-apps/token-exchange#_standard-token-exchange-flow">Standard Token Exchange Flow</a>:
+ * <ul>
+ *   <li><code>initial-client</code>=<code>cryptomator</code></li>
+ *   <li><code>requester-client</code>=<code>target-client</code>=<code>cryptomatorvaults</code></li>
+ * </ul>
+ * </p>
+ * <p>
+ * The reason for this setup is as follows: As <a href="https://www.keycloak.org/securing-apps/token-exchange#_standard-token-exchange-enable><code>requester-client</code> needs to be a confidential client</a>,
+ * we cannot use <code>cryptomator</code>, which must be a public client, see <a href"https://maheshnotes.com/2024/09/20/understanding-public-and-confidential-clients-in-keycloak/">Understanding Public and Confidential Clients in Keycloak</a>.
+ * Hence, we re-use our <code>target-client</code>=<code>cryptomatorvaults</code> as <code>requester-client</code>.
+ * On the other hand, in order to make the token exchange call on the <code>requester-client</code>, the intial token must already contain <code>requester-client</code> in its audiences,
+ * as <a href="https://www.keycloak.org/securing-apps/token-exchange#_standard-token-exchange-scope>audience allows only for downscoping</a>.
+ * As <a href="https://www.keycloak.org/securing-apps/token-exchange#_standard-token-exchange-scope>scopes allow for upscoping</a>, we request vault-specific scopes in the target client and client roles to check whether a user is allowed to request access to that specific vault.
+ * <blockquote cite="https://www.keycloak.org/securing-apps/token-exchange#_standard-token-exchange-enable">
+ * The audience parameter can be used to filter the audiences that are coming from the used client scopes.
+ * However, this parameter will not add more audiences. When the audience parameter is omitted, no filtering occurs.
+ * As a result, the audience parameter is effectively used for "downscoping" the token to make sure that it contains only the requested audiences.
+ * However, the scope parameter is used to add optional client scopes and hence it can be used for "upscoping" and adding more scopes.
+ * </blockquote>
+ * </p>
+ * <p>
+ * In summary, we need to verify the following properties:
+ * <ul>
+ *  <li>(P1) <code>cryptomator</code> client is public, <code>cryptomatorvaults</code> is confidential and has standard token exchange enabled.</li>
+ * 	<li>(P2) the initial token contains audiences <code>cryptomator</code> and <code>cryptomatorvaults</code> and <code>azp</code>=<code>cryptomator</code></li>
+ * 	<li>(P3) the initial token contains realm roles</li>
+ * 	<li>(P4) the exchanged token contains audience <code>cryptomatorvaults</code> and <code>azp</code>=<code>cryptomatorvaults</code> </li>
+ * 	<li>(P5) the exchanged token contains the claims from the requested client roles only (if allowed)</li>
+ * 	<li>(P6) the exchanged token does not contain neither realm roles nor client roles</li>
+ *
+ * </ul>
+ * </p>
+ * <p>
+ * Note: Keycloak 25 introduces mapper for sub claim in scope "basic", the scope needs to added explicitly to the default scopes list as we override the list (in order to remove the "roles" scope):
+ * <ul>
+ *   <li>{@see https://www.keycloak.org/docs/latest/upgrading/index.html#new-default-client-scope-basic}</li>
+ *   <li>{@see https://www.keycloak.org/docs/latest/release_notes/#keycloak-25-0-0}</li>
+ * </ul>
+ * </p>
+ * <p>
+ * Note: access management for vault creation is handled differently.
+ * </p>
+ */
+public class KattaTokenExchangeIT {
+
+    private static final String currentKeycloakImage = "quay.io/keycloak/keycloak:26.5.5";
+
+    /**
+     * Test (P2) and (P3) on the initial token before token-exchange with our dev realm. Serves as regression test.
+     */
+    @Test
+    public void testDevRealm() throws JSONException {
+        RestAssured.useRelaxedHTTPSValidation();
+        try (final KeycloakContainer container = new KeycloakContainer(currentKeycloakImage)
+                // comment in for local debugging:
+                //				.withDebugFixedPort(5005, false)
+                //				.withCustomCommand("--log-level=DEBUG")
+                .withRealmImportFile("/cryptomator-realm.json")
+                .useTls()
+        ) {
+            container.start();
+            System.out.println(container.getAuthServerUrl());
+
+            final Keycloak keycloak = container.getKeycloakAdminClient();
+
+            // enable direct access grant for client cryptomator
+            final ClientRepresentation cryptomatorClient = keycloak.realm("cryptomator").clients().findByClientId("cryptomator").getFirst();
+            cryptomatorClient.setDirectAccessGrantsEnabled(true);
+            keycloak.realm("cryptomator").clients().get(cryptomatorClient.getId()).update(cryptomatorClient);
+
+            // create client-level role "blup"
+            final ClientRepresentation cryptomatorvaultsClient = keycloak.realm("cryptomator").clients().findByClientId("cryptomatorvaults").getFirst();
+            keycloak.realm("cryptomator").clients().get(cryptomatorvaultsClient.getId()).roles().create(new RoleRepresentation("blup", "", false));
+
+            // assign client-level role "blup" to user "alice"
+            final UserRepresentation alice = keycloak.realm("cryptomator").users().searchByFirstName("alice", true).getFirst();
+            alice.setClientRoles(Map.of("cryptomatorvaults", List.of("blup")));
+            keycloak.realm("cryptomator").users().get(alice.getId()).roles().clientLevel(cryptomatorvaultsClient.getId()).add(List.of(keycloak.realm("cryptomator").clients().get(cryptomatorvaultsClient.getId()).roles().get("blup").toRepresentation()));
+
+            {
+                // serviceAccountsEnabled=true for cryptomatorhub-cli allows to fetch tokens with client_secret only:
+                given()
+                        .header("Content-Type", "application/x-www-form-urlencoded")
+                        .header("Authorization", "Basic: " + new String(Base64.encode("cryptomatorhub-cli:top-secret".getBytes(StandardCharsets.UTF_8))))
+                        .formParam("client_id", "cryptomatorhub-cli")
+                        .formParam("grant_type", "client_credentials")
+                        .when()
+                        .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                        .then()
+                        .statusCode(200);
+
+                // serviceAccountsEnabled=true allows to fetch tokens with client_secret only:
+                cryptomatorvaultsClient.setServiceAccountsEnabled(true);
+                keycloak.realm("cryptomator").clients().get(cryptomatorvaultsClient.getId()).update(cryptomatorvaultsClient);
+
+                given()
+                        .header("Content-Type", "application/x-www-form-urlencoded")
+                        .header("Authorization", "Basic: " + new String(Base64.encode("cryptomatorvaults:top-secret".getBytes(StandardCharsets.UTF_8))))
+                        .formParam("client_id", "cryptomatorvaults")
+                        .formParam("grant_type", "client_credentials")
+                        .when()
+                        .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                        .then()
+                        .statusCode(200);
+
+
+                // serviceAccountsEnabled=false disallows to fetch tokens with client_secret only:
+                cryptomatorvaultsClient.setServiceAccountsEnabled(false);
+                keycloak.realm("cryptomator").clients().get(cryptomatorvaultsClient.getId()).update(cryptomatorvaultsClient);
+
+                given()
+                        .header("Content-Type", "application/x-www-form-urlencoded")
+                        .header("Authorization", "Basic: " + new String(Base64.encode("cryptomatorvaults:top-secret".getBytes(StandardCharsets.UTF_8))))
+                        .formParam("client_id", "cryptomatorvaults")
+                        .formParam("grant_type", "client_credentials")
+                        .when()
+                        .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                        .then()
+                        .statusCode(401);
+            }
+
+            final String aliceId = alice.getId();
+            {
+                final String accessTokenWithoutRoles =
+                        given()
+                                .header("Content-Type", "application/x-www-form-urlencoded")
+                                .formParam("client_id", "cryptomator")
+                                .formParam("grant_type", "password")
+                                .formParam("username", "alice")
+                                .formParam("password", "asd")
+                                .when()
+                                .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                                .then()
+                                .statusCode(200)
+                                .extract().path("access_token");
+                final JSONObject jwt = deocdeJWT(accessTokenWithoutRoles);
+
+                // (P2) audiences
+                assertTrue(jwt.getJSONArray("aud").toList().contains("cryptomator"));
+                assertTrue(jwt.getJSONArray("aud").toList().contains("cryptomatorvaults"));
+                assertEquals(2, jwt.getJSONArray("aud").length());
+
+                // (P3) realm roles
+                assertTrue(jwt.getJSONObject("realm_access").getJSONArray("roles").toList().contains("user"));
+                assertTrue(jwt.getJSONObject("realm_access").getJSONArray("roles").toList().contains("create-vaults"));
+
+                assertFalse(jwt.has("resource_access"));
+
+                assertEquals(aliceId, jwt.getString("sub"));
+
+                // strangely, the "basic" scope is not added to the "scope" claim...
+                assertTrue(jwt.getString("scope").contains("phone"));
+                assertTrue(jwt.getString("scope").contains("email"));
+                assertTrue(jwt.getString("scope").contains("profile"));
+                assertEquals(3, jwt.getString("scope").split(" ").length);
+            }
+            {
+                final String accessTokenWithRoles =
+                        given()
+                                .header("Content-Type", "application/x-www-form-urlencoded")
+                                .formParam("client_id", "cryptomator")
+                                .formParam("grant_type", "password")
+                                .formParam("username", "alice")
+                                .formParam("password", "asd")
+                                .formParam("scope", "roles")
+                                .when()
+                                .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                                .then()
+                                .statusCode(200)
+                                .extract().path("access_token");
+                final JSONObject jwt = deocdeJWT(accessTokenWithRoles);
+
+                // (P2) audiences
+                // "roles" scope adds additional value "account" to "aud" claim
+                assertTrue(jwt.getJSONArray("aud").toList().contains("cryptomator"));
+                assertTrue(jwt.getJSONArray("aud").toList().contains("account"));
+                assertTrue(jwt.getJSONArray("aud").toList().contains("cryptomatorvaults"));
+                assertEquals(3, jwt.getJSONArray("aud").length());
+
+                // (P3) realm roles
+                assertTrue(jwt.getJSONObject("realm_access").getJSONArray("roles").toList().contains("user"));
+                assertTrue(jwt.getJSONObject("realm_access").getJSONArray("roles").toList().contains("create-vaults"));
+
+                assertNotNull(jwt.get("resource_access"));
+                // "roles" scope adds client scopes to "resource_access.<clientId>.roles"
+                assertTrue(jwt.getJSONObject("resource_access").getJSONObject("cryptomatorvaults").getJSONArray("roles").toList().contains("blup"));
+
+                assertEquals(aliceId, jwt.getString("sub"));
+
+                assertTrue(jwt.getString("scope").contains("phone"));
+                assertTrue(jwt.getString("scope").contains("email"));
+                assertTrue(jwt.getString("scope").contains("profile"));
+                // strangely, neither the "basic" nor the "roles" scope is not added to the "scope" claim, although the latter is requested explicitly....
+                assertEquals(3, jwt.getString("scope").split(" ").length);
+            }
+        }
+    }
+
+    /**
+     * Test behaviour of token exchange with additional scope.
+     * Serves as regression test.
+     */
+    @ParameterizedTest
+    @CsvSource({"26.5.5,true"})
+    public void inspectTokenExchangeWithAdditionalScope(final String keycloakVersion) throws JSONException {
+        RestAssured.useRelaxedHTTPSValidation();
+        try (final KeycloakContainer container = new KeycloakContainer(String.format("quay.io/keycloak/keycloak:%s", keycloakVersion))
+                // comment in for local debugging:
+                //              .withDebugFixedPort(5005, false)
+                //              .withCustomCommand("--log-level=DEBUG")
+                .withRealmImportFile("/cryptomator-realm.json")
+                .useTls()
+        ) {
+            container.start();
+            System.out.println(container.getAuthServerUrl());
+
+            final Keycloak keycloak = container.getKeycloakAdminClient();
+
+            // enable direct access grant for client cryptomator
+            final ClientRepresentation cryptomatorClient = keycloak.realm("cryptomator").clients().findByClientId("cryptomator").getFirst();
+            cryptomatorClient.setDirectAccessGrantsEnabled(true);
+            keycloak.realm("cryptomator").clients().get(cryptomatorClient.getId()).update(cryptomatorClient);
+
+            final String accessTokenClient1 =
+                    given()
+                            .header("Content-Type", "application/x-www-form-urlencoded")
+                            // https://datatracker.ietf.org/doc/html/rfc6749 OAuth 2.0 authorization, see https://datatracker.ietf.org/doc/html/rfc8693#name-request
+                            .formParam("client_id", "cryptomator")
+                            .formParam("grant_type", "password")
+                            .formParam("username", "alice")
+                            .formParam("password", "asd")
+                            .when()
+                            .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                            .then()
+                            .log().everything()
+                            .statusCode(200)
+                            .extract().path("access_token");
+            final JSONObject jwtClient1 = deocdeJWT(accessTokenClient1);
+            List<Object> auds = jwtClient1.getJSONArray("aud").toList();
+            final String scopes = jwtClient1.getString("scope");
+            // default client scopes
+            assertTrue(scopes.contains("profile"));
+            assertTrue(scopes.contains("email"));
+            assertTrue(scopes.contains("phone"));
+            // openid is non-default scope -> not returned if not requested
+            assertFalse(scopes.contains("openid"));
+            assertFalse(scopes.contains("address"));
+            // (P2) audiences
+            // mapped in by protocol mapper
+            assertTrue(auds.contains("cryptomator"));
+            assertTrue(auds.contains("cryptomatorvaults"));
+            assertEquals("cryptomator", jwtClient1.getString("azp"));
+
+            // accessToken from cryptomator client containing cryptomatorvaults in aud claim allows to exchange token with additional scope
+            {
+                final String exchangedAccessTokenClient = given()
+                        // https://datatracker.ietf.org/doc/html/rfc6749 OAuth 2.0 authorization, see https://datatracker.ietf.org/doc/html/rfc8693#name-request
+                        .formParam("client_id", "cryptomatorvaults") // accessToken containing cryptomatorvaults in aud claim allows this
+                        .formParam("client_secret", "top-secret")
+                        // https://datatracker.ietf.org/doc/html/rfc8693#name-request / https://www.keycloak.org/securing-apps/token-exchange#_standard-token-exchange-request token-exchange
+                        .formParam("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
+                        .formParam("subject_token_type", "urn:ietf:params:oauth:token-type:access_token")
+                        .formParam("subject_token", accessTokenClient1)
+                        // we now request address scope of cryptomator!
+                        .formParam("scope", "address")
+                        .when()
+                        .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                        .then()
+                        .log().everything()
+                        .statusCode(200)
+                        .extract().path("access_token");
+                final JSONObject jwtClient2 = deocdeJWT(exchangedAccessTokenClient);
+
+                // (P4) audience and azp
+                assertEquals("cryptomatorvaults", jwtClient2.getString("aud"));
+                assertEquals("cryptomatorvaults", jwtClient2.getString("azp"));
+
+                //exchange with additional scope, the non-default scope address will be contained in the list of scopes; there are no other default scopes
+                assertEquals("address", jwtClient2.getString("scope"));
+            }
+        }
+    }
+
+    /**
+     * Test (P4), (P5), (P6) after token exchange with our dev realm.  Serves as regression test.
+     */
+    @ParameterizedTest
+    @CsvSource({"true,true,true", "false,true,true", "true,false,true", "true,true,false"})
+    public void testKattaTokenExchange(final boolean sharedWithAlice, final boolean addMinioMapper, final boolean addAwsMapper) throws JSONException {
+        RestAssured.useRelaxedHTTPSValidation();
+        try (final KeycloakContainer container = new KeycloakContainer(currentKeycloakImage)
+                // comment in for local debugging:
+                //				.withDebugFixedPort(5005, false)
+                //				.withCustomCommand("--log-level=DEBUG")
+                .withRealmImportFile("/cryptomator-realm.json")
+                .useTls()
+        ) {
+            container.start();
+            System.out.println(container.getAuthServerUrl());
+
+            final Keycloak keycloak = container.getKeycloakAdminClient();
+            final String vaultId = UUID.randomUUID().toString();
+
+            // enable direct access grant for client cryptomator
+            final ClientRepresentation cryptomatorClient = keycloak.realm("cryptomator").clients().findByClientId("cryptomator").getFirst();
+            cryptomatorClient.setDirectAccessGrantsEnabled(true);
+            keycloak.realm("cryptomator").clients().get(cryptomatorClient.getId()).update(cryptomatorClient);
+
+            final String alice = keycloak.realm("cryptomator").users().searchByFirstName("alice", true).getFirst().getId();
+            keycloakGrantAccessToVault(vaultId, alice, "cryptomatorvaults", keycloak, "cryptomator", false);
+            keycloakPrepareVault(vaultId, keycloak, "cryptomator", addMinioMapper, addAwsMapper);
+            if (!sharedWithAlice) {
+                keycloakRemoveAccessToVault(vaultId, alice, "cryptomatorvaults", keycloak, "cryptomator", false);
+            }
+            final String accessToken =
+                    given()
+                            .header("Content-Type", "application/x-www-form-urlencoded")
+                            .formParam("client_id", "cryptomator")
+                            .formParam("grant_type", "password")
+                            .formParam("username", "alice")
+                            .formParam("password", "asd")
+                            .when()
+                            .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                            .then()
+                            .log().everything()
+                            .statusCode(200)
+                            .extract().path("access_token");
+            // test katta behaviour
+            {
+                final String exchangedAccessToken = given()
+                        .formParam("client_id", "cryptomatorvaults")
+                        .formParam("client_secret", "top-secret")
+                        .formParam("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
+                        .formParam("subject_token_type", "urn:ietf:params:oauth:token-type:access_token")
+                        .formParam("subject_token", accessToken)
+                        .formParam("scope", vaultId)
+                        .when()
+                        .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                        .then()
+                        .log().everything()
+                        .statusCode(200)
+                        .extract().path("access_token");
+                final JSONObject jwtExchanged = deocdeJWT(exchangedAccessToken);
+
+                // (P4) audience and azp
+                assertEquals("cryptomatorvaults", jwtExchanged.getString("azp"));
+                assertEquals("cryptomatorvaults", jwtExchanged.getString("aud"));
+
+                // (P5) scopes and claims
+                final String scopes = jwtExchanged.getString("scope");
+                assertEquals(sharedWithAlice, scopes.contains(vaultId));
+                assertEquals(sharedWithAlice && addAwsMapper, jwtExchanged.has("https://aws.amazon.com/tags"));
+                if (sharedWithAlice && addAwsMapper) {
+                    // {"sub":"91e714c5-9293-4be2-baff-8d789bd9cc12","azp":"cryptomatorvaults","scope":"b2a8dbc4-eaa0-4887-ad55-9bfb4641801a","https://aws.amazon.com/tags":{"transitive_tag_keys":["b2a8dbc4-eaa0-4887-ad55-9bfb4641801a"],"principal_tags":{"b2a8dbc4-eaa0-4887-ad55-9bfb4641801a":[""]}},"iss":"http://localhost:64618/realms/cryptomator","typ":"Bearer","exp":1747919626,"iat":1747919326,"jti":"ntrtte:b73fc934-4e0f-4f74-993f-8baf605940f4","client_id":"b2a8dbc4-eaa0-4887-ad55-9bfb4641801a","sid":"e7409b3f-a13a-441a-b0ce-aa66c39b1ebc"}
+                    assertEquals(1, jwtExchanged.getJSONObject("https://aws.amazon.com/tags").getJSONArray("transitive_tag_keys").length());
+                    assertEquals(vaultId, jwtExchanged.getJSONObject("https://aws.amazon.com/tags").getJSONArray("transitive_tag_keys").getString(0));
+                    assertEquals(1, jwtExchanged.getJSONObject("https://aws.amazon.com/tags").getJSONObject("principal_tags").length());
+                    assertEquals(1, jwtExchanged.getJSONObject("https://aws.amazon.com/tags").getJSONObject("principal_tags").getJSONArray(vaultId).length());
+                    assertEquals("", jwtExchanged.getJSONObject("https://aws.amazon.com/tags").getJSONObject("principal_tags").getJSONArray(vaultId).getString(0));
+                }
+                assertEquals(sharedWithAlice && addMinioMapper, jwtExchanged.has("client_id"));
+                if (sharedWithAlice && addMinioMapper) {
+                    assertEquals(vaultId, jwtExchanged.getString("client_id"));
+                }
+
+                // (P6)
+                assertFalse(jwtExchanged.has("realm_access"));
+                assertFalse(jwtExchanged.has("resource_access"));
+            }
+
+            // test for fallback to default behaviour if no scope provided
+            {
+                final String exchangedAccessToken = given()
+                        .formParam("client_id", "cryptomatorvaults")
+                        .formParam("client_secret", "top-secret")
+                        .formParam("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
+                        .formParam("subject_token_type", "urn:ietf:params:oauth:token-type:access_token")
+                        .formParam("subject_token", accessToken)
+                        // no scope
+                        .when()
+                        .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                        .then()
+                        .log().everything()
+                        .statusCode(200)
+                        .extract().path("access_token");
+                final JSONObject jwt = deocdeJWT(exchangedAccessToken);
+                // (P4) audience and azp
+                assertEquals("cryptomatorvaults", jwt.getString("aud"));
+                assertEquals("cryptomatorvaults", jwt.getString("azp"));
+                final String scopes = jwt.getString("scope");
+                assertFalse(scopes.contains(vaultId));
+                assertFalse(jwt.has("https://aws.amazon.com/tags"));
+                assertFalse(jwt.has("client_id"));
+            }
+
+            // test for stats 400 if duplicate scope param
+            {
+                given()
+                        .formParam("client_id", "cryptomator")
+                        .formParam("audience", "cryptomatorvaults")
+                        .formParam("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
+                        .formParam("subject_token_type", "urn:ietf:params:oauth:token-type:access_token")
+                        .formParam("subject_token", accessToken)
+                        .formParam("scope", vaultId)
+                        // duplicate scope
+                        .formParam("scope", vaultId)
+                        .when()
+                        .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                        .then()
+                        .log().everything()
+                        .statusCode(400);
+            }
+        }
+    }
+
+    /**
+     * The following test shows that Keycloak does not down-scope upon token refresh,
+     * i.e. it seems to ignore the optional scope param defined in Sec. 6 of <a ahref="https://www.rfc-editor.org/rfc/rfc6749#page-47">RFC 6749: The OAuth 2.0 Authorization Framework</a>
+     * Furthermore, it shows that up-scoping fails.
+     */
+    @Test
+    public void testNoDownScopingTokenRefresh() throws JSONException {
+        RestAssured.useRelaxedHTTPSValidation();
+        try (final KeycloakContainer container = new KeycloakContainer(currentKeycloakImage)
+                // comment in for local debugging:
+                //				.withDebugFixedPort(5005, false)
+                //				.withCustomCommand("--log-level=DEBUG")
+                .withRealmImportFile("/cryptomator-realm.json")
+                .useTls()
+        ) {
+            container.start();
+            System.out.println(container.getAuthServerUrl());
+
+            final Keycloak keycloak = container.getKeycloakAdminClient();
+            final String vaultId = UUID.randomUUID().toString();
+
+            // enable direct access grant for client cryptomator
+            final ClientRepresentation cryptomatorClient = keycloak.realm("cryptomator").clients().findByClientId("cryptomator").getFirst();
+            cryptomatorClient.setDirectAccessGrantsEnabled(true);
+            keycloak.realm("cryptomator").clients().get(cryptomatorClient.getId()).update(cryptomatorClient);
+
+
+            final ValidatableResponse passwordGrant = given()
+                    .header("Content-Type", "application/x-www-form-urlencoded")
+                    .formParam("client_id", "cryptomator")
+                    .formParam("grant_type", "password")
+                    .formParam("username", "alice")
+                    .formParam("password", "asd")
+                    .when()
+                    .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                    .then()
+                    .log().everything()
+                    .statusCode(200);
+            final String accessToken = passwordGrant.extract().path("access_token");
+            final String refreshToken = passwordGrant.extract().path("refresh_token");
+            final JSONObject jwt = deocdeJWT(accessToken);
+            assertTrue(jwt.getString("scope").contains("phone"));
+            assertTrue(jwt.getString("scope").contains("email"));
+            assertTrue(jwt.getString("scope").contains("profile"));
+            assertEquals(jwt.getString("scope").split(" ").length, 3);
+            final JSONObject jwtRefresh = deocdeJWT(refreshToken);
+            assertTrue(jwtRefresh.getString("scope").contains("phone"));
+            assertTrue(jwtRefresh.getString("scope").contains("email"));
+            assertTrue(jwtRefresh.getString("scope").contains("profile"));
+            assertTrue(jwtRefresh.getString("scope").contains("basic"));
+            assertTrue(jwtRefresh.getString("scope").contains("web-origins"));
+            assertEquals(jwtRefresh.getString("scope").split(" ").length, 5);
+
+            ValidatableResponse refreshTokenGrant = given()
+                    .header("Content-Type", "application/x-www-form-urlencoded")
+                    .formParam("client_id", "cryptomator")
+                    .formParam("grant_type", "refresh_token")
+                    .formParam("refresh_token", refreshToken)
+                    .formParam("scope", "phone")
+                    .when()
+                    .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                    .then()
+                    .log().everything()
+                    .statusCode(200);
+            final String refreshedAccessToken =
+                    refreshTokenGrant
+                            .extract().path("access_token");
+
+            final JSONObject jwtRefreshed = deocdeJWT(refreshedAccessToken);
+            assertTrue(jwtRefreshed.getString("scope").contains("phone"));
+            assertTrue(jwtRefreshed.getString("scope").contains("email"));
+            assertTrue(jwtRefreshed.getString("scope").contains("profile"));
+            assertEquals(jwtRefreshed.getString("scope").split(" ").length, 3);
+            final JSONObject jwtRefreshedRefresh = deocdeJWT(refreshToken);
+            assertTrue(jwtRefreshedRefresh.getString("scope").contains("phone"));
+            assertTrue(jwtRefreshedRefresh.getString("scope").contains("email"));
+            assertTrue(jwtRefreshedRefresh.getString("scope").contains("profile"));
+            assertTrue(jwtRefreshedRefresh.getString("scope").contains("basic"));
+            assertTrue(jwtRefreshedRefresh.getString("scope").contains("web-origins"));
+            assertEquals(jwtRefreshedRefresh.getString("scope").split(" ").length, 5);
+
+            // up-scoping is not possible
+            given()
+                    .header("Content-Type", "application/x-www-form-urlencoded")
+                    .formParam("client_id", "cryptomator")
+                    .formParam("grant_type", "refresh_token")
+                    .formParam("refresh_token", refreshToken)
+                    .formParam("scope", "snoopy")
+                    .when()
+                    .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                    .then()
+                    .log().everything()
+                    .statusCode(400);
+        }
+    }
+
+    // ============================================================
+    // methods below copied from KeycloakCryptomatorVaultsHelper
+    // ============================================================
+    private static void keycloakPrepareVault(String vaultId, Keycloak keycloak, String keycloakRealm, boolean minio, boolean aws) {
+        // https://www.keycloak.org/docs-api/21.1.1/rest-api
+        final RealmResource realm = keycloak.realm(keycloakRealm);
+
+        final ClientScopeResource clientScopeResource = realm.clientScopes().get(vaultId);
+        if (minio) {
+            final ProtocolMapperRepresentation minioProtocolMapper = minioProtocolMapper(vaultId);
+            clientScopeResource.getProtocolMappers().createMapper(List.of(minioProtocolMapper));
+        }
+        if (aws) {
+            final ProtocolMapperRepresentation awsProtocolMapper = awsProtocolMapper(vaultId);
+            clientScopeResource.getProtocolMappers().createMapper(List.of(awsProtocolMapper));
+        }
+    }
+
+    private static ProtocolMapperRepresentation awsProtocolMapper(String vaultId) {
+        final ProtocolMapperRepresentation awsProtocolMapper = new ProtocolMapperRepresentation();
+        awsProtocolMapper.setName(String.format("Hard-coded mapper for vault %s (AWS)", vaultId));
+        awsProtocolMapper.setProtocolMapper("oidc-hardcoded-claim-mapper");
+        awsProtocolMapper.setProtocol("openid-connect");
+
+        Map<String, String> awsConfig = new HashMap<>();
+        awsConfig.put("jsonType.label", "JSON");
+
+        awsConfig.put("userinfo.token.claim", "false");
+        awsConfig.put("id.token.claim", "false");
+        awsConfig.put("access.token.claim", "true");
+        awsConfig.put("access.tokenResponse.claim", "false");
+
+        awsConfig.put("claim.name", "https://aws\\.amazon\\.com/tags");
+        awsConfig.put("claim.value", String.format("{\"principal_tags\":{\"%s\":[\"\"]},\"transitive_tag_keys\":[\"%s\"]}", vaultId, vaultId));
+
+        awsProtocolMapper.setConfig(awsConfig);
+        return awsProtocolMapper;
+    }
+
+    private static ProtocolMapperRepresentation minioProtocolMapper(String vaultId) {
+        final ProtocolMapperRepresentation minioProtocolMapper = new ProtocolMapperRepresentation();
+        minioProtocolMapper.setName(String.format("Hard-coded mapper for vault %s (MinIO)", vaultId));
+        minioProtocolMapper.setProtocolMapper("oidc-hardcoded-claim-mapper");
+        minioProtocolMapper.setProtocol("openid-connect");
+
+        Map<String, String> minioConfig = new HashMap<>();
+        minioConfig.put("jsonType.label", "String");
+
+        minioConfig.put("userinfo.token.claim", "false");
+        minioConfig.put("id.token.claim", "false");
+        minioConfig.put("access.token.claim", "true");
+        minioConfig.put("access.tokenResponse.claim", "false");
+
+        // exhaustive list of jwt claims evaluated in MinIO: https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html#policy-variables
+        // let's use client_id, as aud etc. are already use by standard mappers
+        minioConfig.put("claim.name", "client_id");
+        minioConfig.put("claim.value", vaultId);
+
+        minioProtocolMapper.setConfig(minioConfig);
+        return minioProtocolMapper;
+    }
+
+    private static void keycloakGrantAccessToVault(final String vaultId, final String userOrGroupId, final String clientId, final Keycloak keycloak,
+                                                   final String keycloakRealm, final boolean isGroup) {
+        // https://www.keycloak.org/docs-api/21.1.1/rest-api
+        final RealmResource realm = keycloak.realm(keycloakRealm);
+
+        final List<ClientRepresentation> byClientId = realm.clients().findByClientId(clientId);
+        if (byClientId.size() != 1) {
+            throw new RuntimeException(String.format("There are %s clients with clientId %s, expected to found exactly one.", byClientId.size(), clientId));
+        }
+        final ClientRepresentation cryptomatorVaultsClientRepresentation = byClientId.getFirst();
+        final ClientResource cryptomatorVaultsClientResource = realm.clients().get(cryptomatorVaultsClientRepresentation.getId());
+
+        // create client scope <vaultId> (if necessary)
+        if (realm.clientScopes().findAll().stream().map(ClientScopeRepresentation::getId).noneMatch(vaultId::equals)) {
+            ClientScopeRepresentation vaultClientScope = new ClientScopeRepresentation();
+            vaultClientScope.setId(vaultId);
+            vaultClientScope.setName(vaultId);
+            vaultClientScope.setDescription(String.format("Client scope for vault %s", vaultId));
+            vaultClientScope.setAttributes(new HashMap<>());
+            vaultClientScope.setProtocol("openid-connect");
+
+            try (Response response = realm.clientScopes().create(vaultClientScope)) {
+                if (response.getStatus() != 201) {
+                    throw new RuntimeException(String.format("Failed to create client for vault %s. %s", vaultId, response.getStatusInfo().getReasonPhrase()));
+                }
+            }
+        }
+
+        // add client scope to "cryptomatorvaults" client
+        // -> requires role_manage-clients
+        cryptomatorVaultsClientResource.addOptionalClientScope(vaultId);
+
+        // create client role <vaultId> (if necessary)
+        // -> requires role_manage-clients
+        if (cryptomatorVaultsClientResource.roles().list().stream().map(RoleRepresentation::getName).noneMatch(vaultId::equals)) {
+            RoleRepresentation vaultRole = new RoleRepresentation();
+            vaultRole.setName(vaultId);
+            vaultRole.setDescription(String.format("Role for vault %s", vaultId));
+            vaultRole.setClientRole(true);
+
+            cryptomatorVaultsClientResource.roles().create(vaultRole);
+        }
+
+        // scope the client scope to the client role for the vault
+        realm.clientScopes().get(vaultId).getScopeMappings().clientLevel(cryptomatorVaultsClientRepresentation.getId()).add(List.of(cryptomatorVaultsClientResource.roles().get(vaultId).toRepresentation()));
+
+        // add client role to user/group
+        // -> requires role_manage-users
+        if (!isGroup) {
+            realm.users().get(userOrGroupId).roles().clientLevel(cryptomatorVaultsClientRepresentation.getId()).add(List.of(cryptomatorVaultsClientResource.roles().get(vaultId).toRepresentation()));
+        } else {
+            realm.groups().group(userOrGroupId).roles().clientLevel(cryptomatorVaultsClientRepresentation.getId()).add(List.of(cryptomatorVaultsClientResource.roles().get(vaultId).toRepresentation()));
+        }
+    }
+
+    private static void keycloakRemoveAccessToVault(final String vaultId, final String userOrGroupId, final String clientId, final Keycloak keycloak,
+                                                    final String keycloakRealm, boolean isGroup) {
+        // https://www.keycloak.org/docs-api/21.1.1/rest-api
+        final RealmResource realm = keycloak.realm(keycloakRealm);
+
+        // add client scope to "cryptomatorvaults" client
+        // -> requires role_manage-clients
+        final List<ClientRepresentation> byClientId = realm.clients().findByClientId(clientId);
+        if (byClientId.size() != 1) {
+            throw new RuntimeException(String.format("There are %s clients with clientId %s, expected to found exactly one.", byClientId.size(), clientId));
+        }
+        final ClientRepresentation cryptomatorVaultsClientRepresentation = byClientId.getFirst();
+        final ClientResource cryptomatorVaultsClientResource = realm.clients().get(cryptomatorVaultsClientRepresentation.getId());
+        cryptomatorVaultsClientResource.addOptionalClientScope(vaultId);
+
+        // remove client role from user/group
+        // -> requires role_manage-users
+        if (!isGroup) {
+            realm.users().get(userOrGroupId).roles().clientLevel(cryptomatorVaultsClientRepresentation.getId()).remove(List.of(cryptomatorVaultsClientResource.roles().get(vaultId).toRepresentation()));
+        } else {
+            realm.groups().group(userOrGroupId).roles().clientLevel(cryptomatorVaultsClientRepresentation.getId()).remove(List.of(cryptomatorVaultsClientResource.roles().get(vaultId).toRepresentation()));
+        }
+    }
+}
\ No newline at end of file
diff --git a/keycloak/src/test/java/cloud/katta/KeycloakSessionAndTokenTimeoutsSandboxIT.java b/keycloak/src/test/java/cloud/katta/KeycloakSessionAndTokenTimeoutsSandboxIT.java
new file mode 100644
index 000000000..978cb7347
--- /dev/null
+++ b/keycloak/src/test/java/cloud/katta/KeycloakSessionAndTokenTimeoutsSandboxIT.java
@@ -0,0 +1,289 @@
+package cloud.katta;
+
+import static cloud.katta.JWTDecoder.deocdeJWT;
+import dasniko.testcontainers.keycloak.KeycloakContainer;
+import io.restassured.RestAssured;
+import static io.restassured.RestAssured.given;
+import io.restassured.response.ExtractableResponse;
+import org.json.JSONException;
+import org.json.JSONObject;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
+import org.keycloak.admin.client.Keycloak;
+import org.keycloak.admin.client.resource.RealmResource;
+import org.keycloak.representations.idm.ClientRepresentation;
+import org.keycloak.representations.idm.RealmRepresentation;
+
+import java.time.LocalDateTime;
+import java.time.OffsetDateTime;
+import java.time.temporal.ChronoUnit;
+
+
+public class KeycloakSessionAndTokenTimeoutsSandboxIT {
+
+    /**
+     * Document <a href="https://www.keycloak.org/docs/latest/server_admin/#_timeouts">Keycloak session and token timeouts</a>.
+     * <p>
+     * <a href="https://medium.com/@elamarane90/keycloak-session-configuration-best-practices-and-principles-cdff9348f936">Two fundamental principles for effective session management in Keycloak</a>:
+     * <ul>
+     * 	<li>Access tokens must not outlast their corresponding refresh tokens, ensuring controlled access within the refresh token’s lifespan.</li>
+     * 	<li>Refresh tokens must align with the duration of the Keycloak session, maintaining session integrity and security.<li>
+     * </ul>
+     *
+     * @see <a href="https://stackoverflow.com/questions/52040265/how-to-specify-refresh-tokens-lifespan-in-keycloak/54679852#54679852">How to specify refresh tokens lifespan in Keycloak</a>
+     */
+    @ParameterizedTest
+    @CsvSource({"26.3.3,5", "26.4.1,5"})
+    public void inspectRefreshWithRespectToSsoSessionMaxLifespan(final String keycloakVersion, final int ssoSessionMaxLifespanSeconds) throws JSONException, InterruptedException {
+        RestAssured.useRelaxedHTTPSValidation();
+        try (final KeycloakContainer container = new KeycloakContainer(String.format("quay.io/keycloak/keycloak:%s", keycloakVersion))
+                // comment in for local debugging:
+                //              .withDebugFixedPort(5005, false)
+                //              .withCustomCommand("--log-level=DEBUG")
+                // see https://github.com/dasniko/testcontainers-keycloak/blob/main/README.md
+                //     https://github.com/dasniko/keycloak-extensions-demo/blob/1523b9c153f4325373c8d6787bfeb6c95d3dfed8/docker-compose.yml#L25
+                .withRealmImportFile("/cryptomator-realm.json")
+                .useTls()
+        ) {
+            container.start();
+            System.out.println(container.getAuthServerUrl());
+
+            final Keycloak keycloakAdminClient = container.getKeycloakAdminClient();
+
+            // enable direct access grant for client cryptomator
+            final RealmResource realm = keycloakAdminClient.realm("cryptomator");
+            final ClientRepresentation cryptomatorClient = realm.clients().findByClientId("cryptomator").getFirst();
+
+            cryptomatorClient.setDirectAccessGrantsEnabled(true);
+            keycloakAdminClient.realm("cryptomator").clients().get(cryptomatorClient.getId()).update(cryptomatorClient);
+
+            // set ssoSessionMaxLifespan
+            final RealmRepresentation realmRepresentation = realm.toRepresentation();
+            realmRepresentation.setSsoSessionMaxLifespan(ssoSessionMaxLifespanSeconds); // seconds, see https://www.keycloak.org/docs-api/latest/javadocs/org/keycloak/models/RealmModel.html
+            realm.update(realmRepresentation);
+
+            // get access token and verify its expiry is smaller than ssoSessionMaxLifespan
+            final ExtractableResponse<io.restassured.response.Response> tokenResponse = given()
+                    .header("Content-Type", "application/x-www-form-urlencoded")
+                    .formParam("client_id", "cryptomator")
+                    .formParam("grant_type", "password")
+                    .formParam("username", "alice")
+                    .formParam("password", "asd")
+                    .when()
+                    .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                    .then()
+                    .statusCode(200).extract();
+
+            final JSONObject accessToken = deocdeJWT(tokenResponse.path("access_token"));
+            final String refreshToken = tokenResponse.path("refresh_token");
+            final LocalDateTime expiry = LocalDateTime.ofEpochSecond(accessToken.getInt("exp"), 0, OffsetDateTime.now().getOffset());
+            final LocalDateTime now = LocalDateTime.now();
+
+            final long delta = ChronoUnit.SECONDS.between(now, expiry);
+            assert delta >= 0;
+            assert delta < ssoSessionMaxLifespanSeconds;
+
+            // do a refresh within session lifetime
+            given()
+                    .header("Content-Type", "application/x-www-form-urlencoded")
+                    .formParam("client_id", "cryptomator")
+                    .formParam("grant_type", "refresh_token")
+                    .formParam("refresh_token", refreshToken)
+                    .when()
+                    .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                    .then()
+                    .statusCode(200).extract();
+
+            // let session expire
+            Thread.sleep(ssoSessionMaxLifespanSeconds * 1000L);
+
+            // after session expiry, refresh should not be possible anymore
+            given()
+                    .header("Content-Type", "application/x-www-form-urlencoded")
+                    .formParam("client_id", "cryptomator")
+                    .formParam("grant_type", "refresh_token")
+                    .formParam("refresh_token", refreshToken)
+                    .when()
+                    .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                    .then()
+                    .statusCode(400).extract();
+        }
+    }
+
+    /**
+     * Document <a href="https://www.keycloak.org/docs/latest/server_admin/#_offline-access">Keycloak Offline Access</a>.
+     * <p>
+     * <a href="https://medium.com/@elamarane90/keycloak-session-configuration-best-practices-and-principles-cdff9348f936">Two fundamental principles for effective session management in Keycloak</a>:
+     * <ul>
+     * 	<li>The difference between a refresh token and an offline token is that an offline token never expires and is not subject to the SSO Session Idle timeout and SSO Session Max lifespan. The offline token is valid after a user logout.
+     * 	You must use the offline token for a refresh token action at least once per thirty days or for the value of the Offline Session Idle.
+     * If you enable Offline Session Max Limited, offline tokens expire after 60 days even if you use the offline token for a refresh token action. You can change this value, Offline Session Max, in the Admin Console.
+     * </li>
+     * 	<li>To issue an offline token, users must have the role mapping for the realm-level offline_access role. Clients must also have that role in their scope. Clients must add an offline_access client scope as an Optional client scope to the role, which is done by default.<li>
+     * </ul>
+     */
+    @ParameterizedTest
+    @CsvSource({"26.3.3,5,5", "26.4.1,5,5"})
+    public void inspectRefreshWithOfflineAccess(final String keycloakVersion, final int ssoSessionMaxLifespanSeconds) throws JSONException, InterruptedException {
+        RestAssured.useRelaxedHTTPSValidation();
+        try (final KeycloakContainer container = new KeycloakContainer(String.format("quay.io/keycloak/keycloak:%s", keycloakVersion))
+                // comment in for local debugging:
+                //              .withDebugFixedPort(5005, false)
+                //              .withCustomCommand("--log-level=DEBUG")
+                // see https://github.com/dasniko/testcontainers-keycloak/blob/main/README.md
+                //     https://github.com/dasniko/keycloak-extensions-demo/blob/1523b9c153f4325373c8d6787bfeb6c95d3dfed8/docker-compose.yml#L25
+                .withRealmImportFile("/cryptomator-realm.json")
+                .useTls()
+        ) {
+            container.start();
+            System.out.println(container.getAuthServerUrl());
+
+            final Keycloak keycloakAdminClient = container.getKeycloakAdminClient();
+
+            // enable direct access grant for client cryptomator
+            final RealmResource realm = keycloakAdminClient.realm("cryptomator");
+            final ClientRepresentation cryptomatorClient = realm.clients().findByClientId("cryptomator").getFirst();
+
+            cryptomatorClient.setDirectAccessGrantsEnabled(true);
+            keycloakAdminClient.realm("cryptomator").clients().get(cryptomatorClient.getId()).update(cryptomatorClient);
+
+            // set ssoSessionMaxLifespan
+            final RealmRepresentation realmRepresentation = realm.toRepresentation();
+            realmRepresentation.setSsoSessionMaxLifespan(ssoSessionMaxLifespanSeconds); // seconds, see https://www.keycloak.org/docs-api/latest/javadocs/org/keycloak/models/RealmModel.html
+            realm.update(realmRepresentation);
+
+            // get access token and verify its expiry is smaller than ssoSessionMaxLifespan
+            final ExtractableResponse<io.restassured.response.Response> tokenResponse = given()
+                    .header("Content-Type", "application/x-www-form-urlencoded")
+                    .formParam("client_id", "cryptomator")
+                    .formParam("grant_type", "password")
+                    .formParam("username", "alice")
+                    .formParam("password", "asd")
+                    .formParam("scope", "offline_access")
+                    .when()
+                    .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                    .then()
+                    .statusCode(200).extract();
+
+            final JSONObject accessToken = deocdeJWT(tokenResponse.path("access_token"));
+            final String refreshToken = tokenResponse.path("refresh_token");
+            final LocalDateTime expiry = LocalDateTime.ofEpochSecond(accessToken.getInt("exp"), 0, OffsetDateTime.now().getOffset());
+            final LocalDateTime now = LocalDateTime.now();
+
+            final long delta = ChronoUnit.SECONDS.between(now, expiry);
+            assert delta >= 0;
+            // TODO with offline access, access token has now validity of ~5 minutes, is this a bug?
+            assert delta > ssoSessionMaxLifespanSeconds;
+
+            // do a refresh within session lifetime
+            given()
+                    .header("Content-Type", "application/x-www-form-urlencoded")
+                    .formParam("client_id", "cryptomator")
+                    .formParam("grant_type", "refresh_token")
+                    .formParam("refresh_token", refreshToken)
+                    .when()
+                    .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                    .then()
+                    .statusCode(200).extract();
+
+            // let session expire
+            Thread.sleep(ssoSessionMaxLifespanSeconds * 1000L);
+
+            // after session expiry, refresh with offline token is still possible
+            given()
+                    .header("Content-Type", "application/x-www-form-urlencoded")
+                    .formParam("client_id", "cryptomator")
+                    .formParam("grant_type", "refresh_token")
+                    .formParam("refresh_token", refreshToken)
+                    .when()
+                    .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                    .then()
+                    .statusCode(200).extract();
+        }
+    }
+
+    /**
+     * Document <a href="https://www.keycloak.org/docs/latest/server_admin/#_offline-access">Keycloak Offline Access</a> with offlineSessionMaxLifespan.
+     */
+    @ParameterizedTest
+    @CsvSource({"26.3.3,5,5", "26.4.1,5,5"})
+    public void inspectRefreshWithOfflineAccessMaxOffline(final String keycloakVersion, final int ssoSessionMaxLifespanSeconds, final int offlineSessionMaxLifespan) throws JSONException, InterruptedException {
+        RestAssured.useRelaxedHTTPSValidation();
+        try (final KeycloakContainer container = new KeycloakContainer(String.format("quay.io/keycloak/keycloak:%s", keycloakVersion))
+                // comment in for local debugging:
+                //              .withDebugFixedPort(5005, false)
+                //              .withCustomCommand("--log-level=DEBUG")
+                // see https://github.com/dasniko/testcontainers-keycloak/blob/main/README.md
+                //     https://github.com/dasniko/keycloak-extensions-demo/blob/1523b9c153f4325373c8d6787bfeb6c95d3dfed8/docker-compose.yml#L25
+                .withRealmImportFile("/cryptomator-realm.json")
+                .useTls()
+        ) {
+            container.start();
+            System.out.println(container.getAuthServerUrl());
+
+            final Keycloak keycloakAdminClient = container.getKeycloakAdminClient();
+
+            // enable direct access grant for client cryptomator
+            final RealmResource realm = keycloakAdminClient.realm("cryptomator");
+            final ClientRepresentation cryptomatorClient = realm.clients().findByClientId("cryptomator").getFirst();
+
+            cryptomatorClient.setDirectAccessGrantsEnabled(true);
+            keycloakAdminClient.realm("cryptomator").clients().get(cryptomatorClient.getId()).update(cryptomatorClient);
+
+            // set ssoSessionMaxLifespan
+            final RealmRepresentation realmRepresentation = realm.toRepresentation();
+            realmRepresentation.setSsoSessionMaxLifespan(ssoSessionMaxLifespanSeconds); // seconds, see https://www.keycloak.org/docs-api/latest/javadocs/org/keycloak/models/RealmModel.html
+            realmRepresentation.setOfflineSessionMaxLifespanEnabled(true);
+            realmRepresentation.setOfflineSessionMaxLifespan(offlineSessionMaxLifespan); // seconds, see https://www.keycloak.org/docs-api/latest/javadocs/org/keycloak/models/RealmModel.html
+            realm.update(realmRepresentation);
+
+            // get access token and verify its expiry is smaller than ssoSessionMaxLifespan
+            final ExtractableResponse<io.restassured.response.Response> tokenResponse = given()
+                    .header("Content-Type", "application/x-www-form-urlencoded")
+                    .formParam("client_id", "cryptomator")
+                    .formParam("grant_type", "password")
+                    .formParam("username", "alice")
+                    .formParam("password", "asd")
+                    .formParam("scope", "offline_access")
+                    .when()
+                    .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                    .then()
+                    .statusCode(200).extract();
+
+            final JSONObject accessToken = deocdeJWT(tokenResponse.path("access_token"));
+            final String refreshToken = tokenResponse.path("refresh_token");
+            final LocalDateTime expiry = LocalDateTime.ofEpochSecond(accessToken.getInt("exp"), 0, OffsetDateTime.now().getOffset());
+            final LocalDateTime now = LocalDateTime.now();
+
+            final long delta = ChronoUnit.SECONDS.between(now, expiry);
+            assert delta >= 0;
+            // TODO as expected vs. above.
+            assert delta < ssoSessionMaxLifespanSeconds;
+
+            // do a refresh within session lifetime
+            given()
+                    .header("Content-Type", "application/x-www-form-urlencoded")
+                    .formParam("client_id", "cryptomator")
+                    .formParam("grant_type", "refresh_token")
+                    .formParam("refresh_token", refreshToken)
+                    .when()
+                    .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                    .then()
+                    .statusCode(200).extract();
+
+            // let offline access lifespan expire
+            Thread.sleep(offlineSessionMaxLifespan * 1000L);
+
+            // after offline access lifespan expire, refresh with offline token is not possible any more
+            given()
+                    .header("Content-Type", "application/x-www-form-urlencoded")
+                    .formParam("client_id", "cryptomator")
+                    .formParam("grant_type", "refresh_token")
+                    .formParam("refresh_token", refreshToken)
+                    .when()
+                    .post(container.getAuthServerUrl() + "/realms/cryptomator/protocol/openid-connect/token")
+                    .then()
+                    .statusCode(400).extract();
+        }
+    }
+}
\ No newline at end of file
diff --git a/keycloak/src/test/resources/log4j2.xml b/keycloak/src/test/resources/log4j2.xml
new file mode 100644
index 000000000..833893ea1
--- /dev/null
+++ b/keycloak/src/test/resources/log4j2.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+
+<!--
+  ~ Copyright (c) 2025 shift7 GmbH. All rights reserved.
+  -->
+<Configuration>
+    <Appenders>
+        <Console name="console" target="SYSTEM_OUT">
+            <PatternLayout pattern="%d [%t] %-5p %c - %m%n"/>
+        </Console>
+        <RollingFile
+            name="rollingFile"
+            fileName="wire.log"
+            filePattern="wire.%d{dd-MMM}.log.gz"
+            ignoreExceptions="false">
+            <PatternLayout>
+                <Pattern>%d{yyyy-MM-dd HH:mm:ss} %-5p %m%n</Pattern>
+            </PatternLayout>
+            <Policies>
+                <SizeBasedTriggeringPolicy size="10MB" />
+            </Policies>
+            <Policies>
+                <TimeBasedTriggeringPolicy interval="1"/>
+            </Policies>
+            <DefaultRolloverStrategy max="5" />
+        </RollingFile>
+    </Appenders>
+    <Loggers>
+        <Logger name="io.opencensus.trace" additivity="false" level="error"/>
+        <Logger name="io.grpc" additivity="false" level="error"/>
+        <Logger name="testrunner" level="info"/>
+        <Logger name="ch.cyberduck" level="warn"/>
+        <Logger name="ch.cyberduck.transcript" level="info"/>
+        <Logger name="org.apache.http.wire" additivity="true" level="debug">
+            <AppenderRef ref="rollingFile"/>
+        </Logger>
+
+        <Root>
+            <AppenderRef ref="console"/>
+        </Root>
+    </Loggers>
+</Configuration>
diff --git a/keycloak/themes/cryptomator/common/resources/css/fonts.css b/keycloak/themes/cryptomator/common/resources/css/fonts.css
deleted file mode 100644
index 336425d10..000000000
--- a/keycloak/themes/cryptomator/common/resources/css/fonts.css
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * For Font reduction use:
- * `pip install fonttools brotli`
- */
-
-/*
- * For text bodies [ASCII + ÄäÖöÜü߀]:
- * pyftsubset opensans-regular.woff2 --unicodes=U+0020-007F,U+00C4,U+00E4,U+00D6,U+00F6,U+00DC,U+00FC,U+00DF,U+20AC --verbose --flavor=woff2 --output-file=opensans-regular.reduced.woff2
- */
-
-@font-face {
-  font-family: 'Open Sans';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Open Sans Regular'), local('OpenSans-Regular'), url('../fonts/opensans-regular.reduced.woff2') format('woff2');
-  unicode-range: U+0020-007F,U+00C4,U+00E4,U+00D6,U+00F6,U+00DC,U+00FC,U+00DF,U+20AC;
-}
-
-
-/*
- * For h3 headings [ASCII + ÄäÖöÜü߀]:
- * pyftsubset quicksand-regular.woff2 --unicodes=U+0020-007F,U+00C4,U+00E4,U+00D6,U+00F6,U+00DC,U+00FC,U+00DF,U+20AC --verbose --flavor=woff2 --output-file=quicksand-regular.reduced.woff2
- */
-@font-face {
-  font-family: 'Quicksand';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: url('../fonts/quicksand-regular.reduced.woff2') format('woff2');
-  unicode-range: U+0020-007F,U+00C4,U+00E4,U+00D6,U+00F6,U+00DC,U+00FC,U+00DF,U+20AC;
-}
-
-/*
- * For h1/h2 headings [ASCII + ÄäÖöÜü߀]:
- * pyftsubset quicksand-medium.woff2 --unicodes=U+0020-007F,U+00C4,U+00E4,U+00D6,U+00F6,U+00DC,U+00FC,U+00DF,U+20AC --verbose --flavor=woff2 --output-file=quicksand-medium.reduced.woff2
- */
-@font-face {
-  font-family: 'Quicksand';
-  font-style: normal;
-  font-weight: 500;
-  font-display: swap;
-  src: url('../fonts/quicksand-medium.reduced.woff2') format('woff2');
-  unicode-range: U+0020-007F,U+00C4,U+00E4,U+00D6,U+00F6,U+00DC,U+00FC,U+00DF,U+20AC;
-}
-
-/*
- * Only for "CRYPTOMATOR" title:
- * pyftsubset quicksand-bold.woff2 --text="CRYPTOMATOR HUB" --verbose --flavor=woff2 --output-file=quicksand-bold.reduced.woff2
- */
-@font-face {
-  font-family: 'Quicksand';
-  font-style: normal;
-  font-weight: 700;
-  font-display: swap;
-  src: url('../fonts/quicksand-bold.reduced.woff2') format('woff2');
-  unicode-range: U+0043,U+0052,U+0059,U+0050,U+0054,U+004F,U+004D,U+0041,U+0020,U+0048,U+0055,U+0042;
-}
diff --git a/keycloak/themes/cryptomator/common/resources/fonts/opensans-regular.reduced.woff2 b/keycloak/themes/cryptomator/common/resources/fonts/opensans-regular.reduced.woff2
deleted file mode 100644
index 3432d70d4..000000000
Binary files a/keycloak/themes/cryptomator/common/resources/fonts/opensans-regular.reduced.woff2 and /dev/null differ
diff --git a/keycloak/themes/cryptomator/common/resources/fonts/opensans-regular.woff2 b/keycloak/themes/cryptomator/common/resources/fonts/opensans-regular.woff2
deleted file mode 100644
index 97338d628..000000000
Binary files a/keycloak/themes/cryptomator/common/resources/fonts/opensans-regular.woff2 and /dev/null differ
diff --git a/keycloak/themes/cryptomator/common/resources/fonts/quicksand-bold.reduced.woff2 b/keycloak/themes/cryptomator/common/resources/fonts/quicksand-bold.reduced.woff2
deleted file mode 100644
index 8f9fd2ecc..000000000
Binary files a/keycloak/themes/cryptomator/common/resources/fonts/quicksand-bold.reduced.woff2 and /dev/null differ
diff --git a/keycloak/themes/cryptomator/common/resources/fonts/quicksand-bold.woff2 b/keycloak/themes/cryptomator/common/resources/fonts/quicksand-bold.woff2
deleted file mode 100644
index 3e4a9f76f..000000000
Binary files a/keycloak/themes/cryptomator/common/resources/fonts/quicksand-bold.woff2 and /dev/null differ
diff --git a/keycloak/themes/cryptomator/common/resources/fonts/quicksand-medium.reduced.woff2 b/keycloak/themes/cryptomator/common/resources/fonts/quicksand-medium.reduced.woff2
deleted file mode 100644
index 4d388ea1b..000000000
Binary files a/keycloak/themes/cryptomator/common/resources/fonts/quicksand-medium.reduced.woff2 and /dev/null differ
diff --git a/keycloak/themes/cryptomator/common/resources/fonts/quicksand-medium.woff2 b/keycloak/themes/cryptomator/common/resources/fonts/quicksand-medium.woff2
deleted file mode 100644
index 3e4a9f76f..000000000
Binary files a/keycloak/themes/cryptomator/common/resources/fonts/quicksand-medium.woff2 and /dev/null differ
diff --git a/keycloak/themes/cryptomator/common/resources/fonts/quicksand-regular.reduced.woff2 b/keycloak/themes/cryptomator/common/resources/fonts/quicksand-regular.reduced.woff2
deleted file mode 100644
index 4d388ea1b..000000000
Binary files a/keycloak/themes/cryptomator/common/resources/fonts/quicksand-regular.reduced.woff2 and /dev/null differ
diff --git a/keycloak/themes/cryptomator/common/resources/fonts/quicksand-regular.woff2 b/keycloak/themes/cryptomator/common/resources/fonts/quicksand-regular.woff2
deleted file mode 100644
index 3e4a9f76f..000000000
Binary files a/keycloak/themes/cryptomator/common/resources/fonts/quicksand-regular.woff2 and /dev/null differ
diff --git a/keycloak/themes/cryptomator/common/resources/img/logo.svg b/keycloak/themes/cryptomator/common/resources/img/logo.svg
deleted file mode 100644
index 53e7c879a..000000000
--- a/keycloak/themes/cryptomator/common/resources/img/logo.svg
+++ /dev/null
@@ -1 +0,0 @@
-<svg width="1110" height="942" viewBox="0 0 1108.12 940.2" preserveAspectRatio="xMidYMid meet" xmlns="http://www.w3.org/2000/svg"><path d="m552.69 0c-169.1 0-262.45 143.46-262.45 283.52h524.9c0-140.06-105.33-283.52-262.45-283.52z" fill="#cfcfcf"/><path d="m552.69 53.2c-137.37 0-213.21 116.54-213.21 230.32l213.21 24.18 213.21-24.18c0-113.78-85.57-230.32-213.21-230.32z" fill="#585e62"/><path d="m89.8 739.52a20 20 0 0 1 -2.23-39.88 42.8 42.8 0 1 0 -42.22-21.82 20 20 0 0 1 -35 19.31 82.79 82.79 0 1 1 81.76 42.26 21.78 21.78 0 0 1 -2.31.13z" fill="#585e62"/><rect fill="#cfcfcf" height="144.19" rx="49.42" transform="matrix(.8902923 .45538953 -.45538953 .8902923 261.57 -5.69)" width="104.68" x="90.27" y="467.98"/><path d="m149.47 401.27h62.8a0 0 0 0 1 0 0v94.55a31.4 31.4 0 0 1 -31.4 31.4 31.4 31.4 0 0 1 -31.4-31.4v-94.55a0 0 0 0 1 0 0z" fill="#585e62" transform="matrix(.8902923 .45538953 -.45538953 .8902923 231.23 -31.44)"/><circle cx="222.59" cy="387.53" fill="#cfcfcf" r="75.05"/><path d="m258.09 321.8a75.09 75.09 0 0 0 -91.23 14.64 75.06 75.06 0 0 1 51.58 126.06 75.06 75.06 0 0 0 39.65-140.7z" fill="#b1b1b1"/><path d="m1018.31 739.52a22.09 22.09 0 0 1 -2.28-.13 82.8 82.8 0 1 1 81.77-42.26 20 20 0 1 1 -35-19.31 42.8 42.8 0 1 0 -42.23 21.82 20 20 0 0 1 -2.23 39.88z" fill="#585e62"/><rect fill="#cfcfcf" height="144.19" rx="49.42" transform="matrix(-.8902923 .45538953 -.45538953 -.8902923 2071.05 581.27)" width="104.68" x="913.18" y="467.98"/><path d="m927.25 401.27a31.4 31.4 0 0 1 31.4 31.4v94.55a0 0 0 0 1 0 0h-62.8a0 0 0 0 1 0 0v-94.55a31.4 31.4 0 0 1 31.4-31.4z" fill="#585e62" transform="matrix(-.8902923 .45538953 -.45538953 -.8902923 1964.18 455.35)"/><circle cx="885.53" cy="387.53" fill="#cfcfcf" r="75.05"/><path d="m850 321.8a75.08 75.08 0 0 1 91.22 14.64 75.06 75.06 0 0 0 -51.54 126.06 75.05 75.05 0 0 1 -39.68-140.7z" fill="#b1b1b1"/><path d="m248.78 940.2c-36.67 0-67-39.85-75.51-99.15-4.56-31.83-2.26-65.19 6.48-94 9.41-31 25.51-53.59 45.32-63.72a51.72 51.72 0 0 1 23.69-5.84h103.52v262.71z" fill="#585e62"/><path d="m351.43 940.2c-21.26 0-38.85-39.85-43.78-99.15-2.64-31.83-1.31-65.19 3.76-94 5.45-31 14.78-53.59 26.27-63.72 4.39-3.87 9-5.84 13.73-5.84s9.34 2 13.75 5.8l49.7 43.83c17.37 15.32 23.39 64 20.23 102-2.43 29.28-10 52.18-20.19 61.28l-49.69 43.82c-4.44 3.99-9.08 5.98-13.78 5.98z" fill="#585e62"/><path d="m360.57 699 49.65 43.79c11.18 9.9 17.78 47.45 14.78 83.91-2 24.27-7.83 41.95-14.77 48.13l-49.65 43.79c-18.58 16.38-37.79-19.43-42.83-80.07s6-123.1 24.58-139.51c6.15-5.42 12.5-5.04 18.24-.04z" fill="#35393b"/><path d="m850.73 940.2c36.66 0 67-39.85 75.51-99.15 4.56-31.83 2.26-65.19-6.48-94-9.41-31-25.51-53.59-45.32-63.72a51.72 51.72 0 0 0 -23.69-5.84h-103.53v262.71z" fill="#585e62"/><path d="m748.08 940.2c21.26 0 38.85-39.85 43.78-99.15 2.64-31.83 1.31-65.19-3.76-94-5.45-31-14.79-53.59-26.27-63.72-4.4-3.87-9-5.84-13.73-5.84s-9.34 2-13.76 5.8l-49.69 43.83c-17.38 15.32-23.39 64-20.23 102 2.43 29.28 10 52.18 20.19 61.28l49.68 43.82c4.45 3.99 9.09 5.98 13.79 5.98z" fill="#585e62"/><path d="m738.94 699-49.65 43.79c-11.19 9.86-17.8 47.41-14.77 83.87 2 24.27 7.83 41.95 14.77 48.13l49.65 43.79c18.61 16.41 37.78-19.43 42.82-80.07s-6-123.1-24.58-139.51c-6.18-5.38-12.5-5-18.24 0z" fill="#35393b"/><path d="m848.63 451.38a83.62 83.62 0 0 1 -.56-45.6c14.74-53.13 5.06-111.78 5.06-111.78-185.07-57.77-300.13-.48-300.13-.48s-114.79-57.64-300-.45c0 0-9.86 58.64 4.72 111.83a83.69 83.69 0 0 1 -.69 45.59c-5.14 17.57-10.72 44.5-10.77 78.8-.37 249 306 326.08 306 326.08s306.58-76.15 306.95-325.16c0-34.3-5.49-61.21-10.58-78.83z" fill="#cfcfcf"/><path d="m552.34 808.87c-50.72-15.87-261.7-93.25-261.42-279.51 0-29.65 4.89-52.42 9-66.31a128.3 128.3 0 0 0 .91-70c-6.2-22.58-6.9-47.13-6.17-65.29 40.48-10.23 80.2-15.37 118.41-15.32 75.66.12 119.86 21 120.3 21.17l20.39 10.23 19.24-10.32c.11 0 44.36-20.75 120-20.64 38.21.06 77.91 5.32 118.37 15.68.67 18.14-.1 42.71-6.37 65.27a128.33 128.33 0 0 0 .69 70c4 13.91 8.82 36.69 8.77 66.35-.28 187.06-211.26 263.09-262.12 278.69z" fill="#49b04a"/><path d="m610.15 478.76a57.46 57.46 0 1 0 -70.15 55.92l-32.29 135.47 44.67 12.85 44.71-12.71-31.84-135.57a57.46 57.46 0 0 0 44.9-55.96z" fill="#35393b"/><g fill="#49b04a"><path d="m454.94 131.08a60.64 60.64 0 0 0 -60.64 60.64h121.28a60.64 60.64 0 0 0 -60.64-60.64z"/><path d="m642.38 131.08a60.64 60.64 0 0 0 -60.64 60.64h121.26a60.64 60.64 0 0 0 -60.62-60.64z"/><circle cx="483.23" cy="229.43" r="11.52"/><circle cx="528.52" cy="229.43" r="11.52"/><circle cx="573.8" cy="229.43" r="11.52"/><circle cx="619.09" cy="229.43" r="11.52"/></g></svg>
\ No newline at end of file
diff --git a/keycloak/themes/cryptomator/login/resources/img/header-background.png b/keycloak/themes/cryptomator/login/resources/img/header-background.png
deleted file mode 100644
index 9369ef533..000000000
Binary files a/keycloak/themes/cryptomator/login/resources/img/header-background.png and /dev/null differ
diff --git a/keycloak/themes/cryptomator/common/resources/.gitignore b/keycloak/themes/katta/common/resources/.gitignore
similarity index 100%
rename from keycloak/themes/cryptomator/common/resources/.gitignore
rename to keycloak/themes/katta/common/resources/.gitignore
diff --git a/keycloak/themes/katta/common/resources/css/fonts.css b/keycloak/themes/katta/common/resources/css/fonts.css
new file mode 100644
index 000000000..5eb41d31a
--- /dev/null
+++ b/keycloak/themes/katta/common/resources/css/fonts.css
@@ -0,0 +1,23 @@
+@font-face {
+  font-family: 'Open Sans';
+  font-style: normal;
+  font-weight: 300 800;
+  font-display: swap;
+  src: url('../fonts/OpenSans-VariableFont_wdth,wght.ttf') format('truetype');
+}
+
+@font-face {
+  font-family: 'Open Sans';
+  font-style: italic;
+  font-weight: 300 800;
+  font-display: swap;
+  src: url('../fonts/OpenSans-Italic-VariableFont_wdth,wght.ttf') format('truetype');
+}
+
+@font-face {
+  font-family: 'Roboto Slab';
+  font-style: normal;
+  font-weight: 100 900;
+  font-display: swap;
+  src: url('../fonts/RobotoSlab-VariableFont_wght.ttf') format('truetype');
+}
diff --git a/keycloak/themes/cryptomator/common/resources/css/tailwind.css b/keycloak/themes/katta/common/resources/css/tailwind.css
similarity index 67%
rename from keycloak/themes/cryptomator/common/resources/css/tailwind.css
rename to keycloak/themes/katta/common/resources/css/tailwind.css
index e47200369..0aa3bd665 100644
--- a/keycloak/themes/cryptomator/common/resources/css/tailwind.css
+++ b/keycloak/themes/katta/common/resources/css/tailwind.css
@@ -6,37 +6,15 @@
 
 @theme {
   --font-*: initial;
-  --font-headline: Quicksand, sans-serif;
-  --font-body: Open Sans, sans-serif;
+  --font-headline: 'Roboto Slab', ui-serif, Georgia, Cambria, 'Times New Roman', Times, serif;
+  --font-body: 'Open Sans', ui-sans-serif, system-ui, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol', 'Noto Color Emoji';
 
   --color-current: currentColor;
-  --color-primary: #49b04a;
-  --color-primary2: #009f69;
-  --color-primary-l1: #66cc68;
-  --color-primary-l2: #ebf5eb;
-  --color-primary-d1: #407f41;
-  --color-primary-d2: #2d4d2e;
-  --color-secondary: #008a7b;
-  --color-secondary2: #00747e;
-  --color-tertiary: #005e71;
-  --color-tertiary2: #2f4858;
-  --color-dark: #1f2122;
-  --color-gray_0: #222222;
-  --color-gray_1: #3b3b3b;
-  --color-gray_2: #515151;
-  --color-gray_3: #626262;
-  --color-gray_4: #7e7e7e;
-  --color-gray_5: #9e9e9e;
-  --color-gray_6: #b1b1b1;
-  --color-gray_7: #cfcfcf;
-  --color-gray_8: #e1e1e1;
-  --color-gray_9: #f7f7f7;
-  --color-sky-dark: #0b0f17;
-  --color-sky-medium: #3f8bd9;
-  --color-sky-light: #9ac7f5;
-
-  --background-image-hills: url('../img/header-background.png');
-  --background-image-cryptobot: url('../img/logo.svg');
+  --color-primary: oklch(53.3% 0.094 282.3);
+  --color-primary-light: oklch(60.5% 0.083 281.8);
+
+  --background-image-paper: url('../img/bg-paper.png');
+  --background-image-logo: url('../img/logo.png');
 }
 
 /*
diff --git a/keycloak/themes/katta/common/resources/fonts/LICENSE.txt b/keycloak/themes/katta/common/resources/fonts/LICENSE.txt
new file mode 100644
index 000000000..75b52484e
--- /dev/null
+++ b/keycloak/themes/katta/common/resources/fonts/LICENSE.txt
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/keycloak/themes/cryptomator/common/resources/fonts/OFL.txt b/keycloak/themes/katta/common/resources/fonts/OFL.txt
similarity index 95%
rename from keycloak/themes/cryptomator/common/resources/fonts/OFL.txt
rename to keycloak/themes/katta/common/resources/fonts/OFL.txt
index 5186b46ab..4fc617027 100644
--- a/keycloak/themes/cryptomator/common/resources/fonts/OFL.txt
+++ b/keycloak/themes/katta/common/resources/fonts/OFL.txt
@@ -1,93 +1,93 @@
-Copyright 2011 The Quicksand Project Authors (https://github.com/andrew-paglinawan/QuicksandFamily), with Reserved Font Name “Quicksand”.
-
-This Font Software is licensed under the SIL Open Font License, Version 1.1.
-This license is copied below, and is also available with a FAQ at:
-http://scripts.sil.org/OFL
-
-
------------------------------------------------------------
-SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007
------------------------------------------------------------
-
-PREAMBLE
-The goals of the Open Font License (OFL) are to stimulate worldwide
-development of collaborative font projects, to support the font creation
-efforts of academic and linguistic communities, and to provide a free and
-open framework in which fonts may be shared and improved in partnership
-with others.
-
-The OFL allows the licensed fonts to be used, studied, modified and
-redistributed freely as long as they are not sold by themselves. The
-fonts, including any derivative works, can be bundled, embedded, 
-redistributed and/or sold with any software provided that any reserved
-names are not used by derivative works. The fonts and derivatives,
-however, cannot be released under any other type of license. The
-requirement for fonts to remain under this license does not apply
-to any document created using the fonts or their derivatives.
-
-DEFINITIONS
-"Font Software" refers to the set of files released by the Copyright
-Holder(s) under this license and clearly marked as such. This may
-include source files, build scripts and documentation.
-
-"Reserved Font Name" refers to any names specified as such after the
-copyright statement(s).
-
-"Original Version" refers to the collection of Font Software components as
-distributed by the Copyright Holder(s).
-
-"Modified Version" refers to any derivative made by adding to, deleting,
-or substituting -- in part or in whole -- any of the components of the
-Original Version, by changing formats or by porting the Font Software to a
-new environment.
-
-"Author" refers to any designer, engineer, programmer, technical
-writer or other person who contributed to the Font Software.
-
-PERMISSION & CONDITIONS
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of the Font Software, to use, study, copy, merge, embed, modify,
-redistribute, and sell modified and unmodified copies of the Font
-Software, subject to the following conditions:
-
-1) Neither the Font Software nor any of its individual components,
-in Original or Modified Versions, may be sold by itself.
-
-2) Original or Modified Versions of the Font Software may be bundled,
-redistributed and/or sold with any software, provided that each copy
-contains the above copyright notice and this license. These can be
-included either as stand-alone text files, human-readable headers or
-in the appropriate machine-readable metadata fields within text or
-binary files as long as those fields can be easily viewed by the user.
-
-3) No Modified Version of the Font Software may use the Reserved Font
-Name(s) unless explicit written permission is granted by the corresponding
-Copyright Holder. This restriction only applies to the primary font name as
-presented to the users.
-
-4) The name(s) of the Copyright Holder(s) or the Author(s) of the Font
-Software shall not be used to promote, endorse or advertise any
-Modified Version, except to acknowledge the contribution(s) of the
-Copyright Holder(s) and the Author(s) or with their explicit written
-permission.
-
-5) The Font Software, modified or unmodified, in part or in whole,
-must be distributed entirely under this license, and must not be
-distributed under any other license. The requirement for fonts to
-remain under this license does not apply to any document created
-using the Font Software.
-
-TERMINATION
-This license becomes null and void if any of the above conditions are
-not met.
-
-DISCLAIMER
-THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
-OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL THE
-COPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
-INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
-DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM
-OTHER DEALINGS IN THE FONT SOFTWARE.
+Copyright 2020 The Open Sans Project Authors (https://github.com/googlefonts/opensans)
+
+This Font Software is licensed under the SIL Open Font License, Version 1.1.
+This license is copied below, and is also available with a FAQ at:
+https://openfontlicense.org
+
+
+-----------------------------------------------------------
+SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007
+-----------------------------------------------------------
+
+PREAMBLE
+The goals of the Open Font License (OFL) are to stimulate worldwide
+development of collaborative font projects, to support the font creation
+efforts of academic and linguistic communities, and to provide a free and
+open framework in which fonts may be shared and improved in partnership
+with others.
+
+The OFL allows the licensed fonts to be used, studied, modified and
+redistributed freely as long as they are not sold by themselves. The
+fonts, including any derivative works, can be bundled, embedded, 
+redistributed and/or sold with any software provided that any reserved
+names are not used by derivative works. The fonts and derivatives,
+however, cannot be released under any other type of license. The
+requirement for fonts to remain under this license does not apply
+to any document created using the fonts or their derivatives.
+
+DEFINITIONS
+"Font Software" refers to the set of files released by the Copyright
+Holder(s) under this license and clearly marked as such. This may
+include source files, build scripts and documentation.
+
+"Reserved Font Name" refers to any names specified as such after the
+copyright statement(s).
+
+"Original Version" refers to the collection of Font Software components as
+distributed by the Copyright Holder(s).
+
+"Modified Version" refers to any derivative made by adding to, deleting,
+or substituting -- in part or in whole -- any of the components of the
+Original Version, by changing formats or by porting the Font Software to a
+new environment.
+
+"Author" refers to any designer, engineer, programmer, technical
+writer or other person who contributed to the Font Software.
+
+PERMISSION & CONDITIONS
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of the Font Software, to use, study, copy, merge, embed, modify,
+redistribute, and sell modified and unmodified copies of the Font
+Software, subject to the following conditions:
+
+1) Neither the Font Software nor any of its individual components,
+in Original or Modified Versions, may be sold by itself.
+
+2) Original or Modified Versions of the Font Software may be bundled,
+redistributed and/or sold with any software, provided that each copy
+contains the above copyright notice and this license. These can be
+included either as stand-alone text files, human-readable headers or
+in the appropriate machine-readable metadata fields within text or
+binary files as long as those fields can be easily viewed by the user.
+
+3) No Modified Version of the Font Software may use the Reserved Font
+Name(s) unless explicit written permission is granted by the corresponding
+Copyright Holder. This restriction only applies to the primary font name as
+presented to the users.
+
+4) The name(s) of the Copyright Holder(s) or the Author(s) of the Font
+Software shall not be used to promote, endorse or advertise any
+Modified Version, except to acknowledge the contribution(s) of the
+Copyright Holder(s) and the Author(s) or with their explicit written
+permission.
+
+5) The Font Software, modified or unmodified, in part or in whole,
+must be distributed entirely under this license, and must not be
+distributed under any other license. The requirement for fonts to
+remain under this license does not apply to any document created
+using the Font Software.
+
+TERMINATION
+This license becomes null and void if any of the above conditions are
+not met.
+
+DISCLAIMER
+THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
+OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
+DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM
+OTHER DEALINGS IN THE FONT SOFTWARE.
diff --git a/keycloak/themes/katta/common/resources/fonts/OpenSans-Italic-VariableFont_wdth,wght.ttf b/keycloak/themes/katta/common/resources/fonts/OpenSans-Italic-VariableFont_wdth,wght.ttf
new file mode 100644
index 000000000..8a2c9d9ae
Binary files /dev/null and b/keycloak/themes/katta/common/resources/fonts/OpenSans-Italic-VariableFont_wdth,wght.ttf differ
diff --git a/keycloak/themes/katta/common/resources/fonts/OpenSans-VariableFont_wdth,wght.ttf b/keycloak/themes/katta/common/resources/fonts/OpenSans-VariableFont_wdth,wght.ttf
new file mode 100644
index 000000000..9c57fbdb0
Binary files /dev/null and b/keycloak/themes/katta/common/resources/fonts/OpenSans-VariableFont_wdth,wght.ttf differ
diff --git a/keycloak/themes/katta/common/resources/fonts/RobotoSlab-VariableFont_wght.ttf b/keycloak/themes/katta/common/resources/fonts/RobotoSlab-VariableFont_wght.ttf
new file mode 100644
index 000000000..934c67107
Binary files /dev/null and b/keycloak/themes/katta/common/resources/fonts/RobotoSlab-VariableFont_wght.ttf differ
diff --git a/keycloak/themes/katta/common/resources/img/bg-paper.png b/keycloak/themes/katta/common/resources/img/bg-paper.png
new file mode 100644
index 000000000..fdd2e8431
Binary files /dev/null and b/keycloak/themes/katta/common/resources/img/bg-paper.png differ
diff --git a/keycloak/themes/cryptomator/common/resources/img/favicon.ico b/keycloak/themes/katta/common/resources/img/favicon.ico
similarity index 100%
rename from keycloak/themes/cryptomator/common/resources/img/favicon.ico
rename to keycloak/themes/katta/common/resources/img/favicon.ico
diff --git a/keycloak/themes/katta/common/resources/img/logo.png b/keycloak/themes/katta/common/resources/img/logo.png
new file mode 100644
index 000000000..7f3804c81
Binary files /dev/null and b/keycloak/themes/katta/common/resources/img/logo.png differ
diff --git a/keycloak/themes/cryptomator/common/resources/package-lock.json b/keycloak/themes/katta/common/resources/package-lock.json
similarity index 100%
rename from keycloak/themes/cryptomator/common/resources/package-lock.json
rename to keycloak/themes/katta/common/resources/package-lock.json
diff --git a/keycloak/themes/cryptomator/common/resources/package.json b/keycloak/themes/katta/common/resources/package.json
similarity index 100%
rename from keycloak/themes/cryptomator/common/resources/package.json
rename to keycloak/themes/katta/common/resources/package.json
diff --git a/keycloak/themes/cryptomator/login/theme.properties b/keycloak/themes/katta/login/theme.properties
similarity index 93%
rename from keycloak/themes/cryptomator/login/theme.properties
rename to keycloak/themes/katta/login/theme.properties
index 87335d3ba..70d165f35 100644
--- a/keycloak/themes/cryptomator/login/theme.properties
+++ b/keycloak/themes/katta/login/theme.properties
@@ -1,6 +1,6 @@
 # based on https://github.com/keycloak/keycloak/blob/19.0.1/themes/src/main/resources/theme/keycloak/login/theme.properties
 parent=keycloak
-import=common/cryptomator
+import=common/katta
 
 styles=css/tailwind.min.css css/fonts.css node_modules/@fortawesome/fontawesome-free/css/all.min.css
 stylesCommon=
@@ -8,12 +8,12 @@ stylesCommon=
 meta=viewport==width=device-width,initial-scale=1
 
 ## Body & Wrapper
-kcHtmlClass=h-full bg-linear-to-b from-sky-dark via-sky-medium to-sky-light bg-fixed text-base text-gray-900
-kcBodyClass=min-h-full bg-transparent bg-none md:bg-hills bg-repeat-y bg-center bg-cover bg-fixed font-body
+kcHtmlClass=h-full bg-paper bg-cover bg-repeat-y text-base text-zinc-950
+kcBodyClass=min-h-full font-body
 kcLoginClass=min-h-screen flex flex-col justify-center sm:px-6 lg:px-8 py-24 -translate-y-24
 
 ## Header
-kcHeaderClass=bg-cryptobot bg-no-repeat bg-center bg-contain text-transparent h-24 sr-hidden my-8
+kcHeaderClass=bg-logo bg-no-repeat bg-center bg-contain text-transparent h-24 sr-hidden my-8
 
 ## Locale
 kcLocaleMainClass=flex justify-end
@@ -25,7 +25,7 @@ kcLocaleItemClass=block hover:bg-gray-50 !text-gray-500 !no-underline px-4 py-2
 
 ## Form
 kcFormClass=not-last:mb-6
-kcFormCardClass=sm:mx-auto sm:w-full sm:max-w-md bg-white py-8 px-4 shadow sm:rounded-lg sm:p-8 shadow-md shadow-tertiary
+kcFormCardClass=sm:mx-auto sm:w-full sm:max-w-md bg-white py-8 px-4 shadow sm:rounded-lg sm:p-8 shadow-md
 kcFormHeaderClass=text-center text-xl tracking-tight font-medium text-gray-500 font-headline mb-6
 kcFormGroupClass=not-last:mb-6
 kcFormGroupErrorClass=
@@ -55,7 +55,7 @@ kcFormGroupHeader=
 ### main class used for all buttons
 kcButtonClass=w-full inline-flex justify-center px-4 py-2 border border-gray-300 rounded-md shadow-sm text-sm text-gray-500 bg-white hover:bg-gray-50 focus:outline-hidden focus:ring-2 focus:ring-offset-2 focus:ring-primary not-last:mb-3
 ### classes defining priority of the button - primary or default (there is typically only one priority button for the form)
-kcButtonPrimaryClass=border-transparent text-white !bg-primary hover:!bg-primary-l1
+kcButtonPrimaryClass=border-transparent text-white !bg-primary hover:!bg-primary-light
 kcButtonDefaultClass=btn-default
 ### classes defining size of the button
 kcButtonLargeClass=!px-6 !py-3 text-lg